Unbound is always unhealthy - watchdog nagios check_dns issue?

DocFraggle What’s the output if you use dig from inside the container? Should look like this:

Yes the content I posted in the original message is from within the watchdog container. dig works fine. check_dns gives the segfault error.

[root@delta watchdog]# docker compose exec watchdog-mailcow /bin/bash

fc042ba8c1d5:/# dig @127.0.0.11 stackoverflow.com

; <<>> DiG 9.18.19 <<>> @127.0.0.11 stackoverflow.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11654
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;stackoverflow.com. IN A

;; ANSWER SECTION:
stackoverflow.com. 300 IN A 172.64.155.249
stackoverflow.com. 300 IN A 104.18.32.7

;; Query time: 28 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Wed Apr 17 16:44:40 PDT 2024
;; MSG SIZE rcvd: 78

fc042ba8c1d5:/# /usr/lib/nagios/plugins/check_dns -H stackoverflow.com
Segmentation fault (core dumped)

I’m testing the keycloak functionality which is why I’m using the nightly rather than the release versions. I’m not seeing any differences between the nightly and 2024-04 branches with regards to the watchdog image or scripts. And the nagios tool doesn’t seem to create a log or have any debug or verbose output option, so I’m at a loss for how to troubleshoot it.

DocFraggle

No it’s x86

# inxi -Sz
System:
Kernel: 5.14.0-362.24.1.el9_3.0.1.x86_64
arch: x86_64 bits: 64
Console: pty pts/0 Distro: Rocky Linux
9.3 (Blue Onyx)

DocFraggle

Yeah looks like the same issue. Also, mailcow/mailcow-dockerizedissues/5121. Seems they all gave up since nagios has no way to debug it, but while I did comment out the check in the script for now so it’s not constantly restarting the unbound container, I don’t like to give up. Lol.

Nothing really special about the setup except that I’m using the Keycloak functionality. The server itself has nothing significant installed, not even firewalls. It’s a pretty ordinary KVM based VPS. Clean install of docker and mailcow. I do have IPv6 in use, but I see someone else mentioned they had the issue with it disabled. No real customizations added yet.

DocFraggle

It does respond fine to the -h and -V options. And the version is the same as you posted. I also verified that the Dockerfile is the same between the latest nightly branch commit and the 2024-04 tag. So the actual docker images should be basically identical.

And I ran nslookup since I read that the dns_check is just calling that tool and it returns expected values.

fc042ba8c1d5:/# /usr/lib/nagios/plugins/check_dns -V
check_dns v (nagios-plugins 2.4.5)
fc042ba8c1d5:/# apk info nagios-plugins-dns
nagios-plugins-dns-2.4.5-r2 description:
Nagios plugin check_dns
nagios-plugins-dns-2.4.5-r2 webpage:
https://nagios-plugins.org/
nagios-plugins-dns-2.4.5-r2 installed size:
80 KiB
fc042ba8c1d5:/# nslookup stackexchange.com
Server: 127.0.0.11
Address: 127.0.0.11#53
Non-authoritative answer:
Name: stackexchange.com
Address: 172.64.144.30
Name: stackexchange.com
Address: 104.18.43.226

DocFraggle
Yes, I tried various combinations of servers and hosts. Everything I’ve tried causes the segfault so far.

DocFraggle

It’s a totally fresh install of Rocky Linux 9.3. selinux is enabled but in permissive state. Just for the heck of it I disabled it totally and restarted. But no change.