Error installing unbound on new PI 4

This is my first foray into the world of RPI so forgive me if the post is in the wrong section.

Picked up a PI 4 4Gb for the purpose of running PiHole and unbound. PiHole has installed fine and running. I’ve tried to get unbound installed many times and it just keeps throwing an error. Any advice would be most welcome. I’ve added as much info as I can, if more is needed please let me know where to look

Expected Behaviour:

unbound installing

Actual Behaviour:

unbound fails during install procedure

Debug Token:

Raspbian Version Info

root@radiberry1:/home/pi# cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

sudo apt install unbound output

pi@radiberry1:~ $ sudo apt-get install unbound
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libunbound8 unbound-anchor
The following NEW packages will be installed:
  libunbound8 unbound unbound-anchor
0 upgraded, 3 newly installed, 0 to remove and 2 not upgraded.
Need to get 0 B/1,217 kB of archives.
After this operation, 4,783 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Selecting previously unselected package libunbound8:armhf.
(Reading database ... 101515 files and directories currently installed.)
Preparing to unpack .../libunbound8_1.9.0-2+deb10u1_armhf.deb ...
Unpacking libunbound8:armhf (1.9.0-2+deb10u1) ...
Selecting previously unselected package unbound-anchor.
Preparing to unpack .../unbound-anchor_1.9.0-2+deb10u1_armhf.deb ...
Unpacking unbound-anchor (1.9.0-2+deb10u1) ...
Selecting previously unselected package unbound.
Preparing to unpack .../unbound_1.9.0-2+deb10u1_armhf.deb ...
Unpacking unbound (1.9.0-2+deb10u1) ...
Setting up libunbound8:armhf (1.9.0-2+deb10u1) ...
Setting up unbound-anchor (1.9.0-2+deb10u1) ...
Setting up unbound (1.9.0-2+deb10u1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/unbound.service → /lib/systemd/system/unbound.service.
Created symlink /etc/systemd/system/unbound.service.wants/unbound-resolvconf.service → /lib/systemd/system/unbound-resolvconf.service.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
invoke-rc.d: initscript unbound, action "start" failed.
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Mon 2019-11-04 14:45:35 +08; 41ms ago
     Docs: man:unbound(8)
  Process: 14795 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 14799 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 14805 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 14805 (code=exited, status=1/FAILURE)
Processing triggers for systemd (241-7~deb10u1+rpi1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10+rpi1) ...

systemctl status unbound.service

pi@radiberry1:~ $ systemctl status unbound.service
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2019-11-04 14:45:40 +08; 13s ago
     Docs: man:unbound(8)
  Process: 15120 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 15123 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 15127 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 15127 (code=exited, status=1/FAILURE)

Nov 04 14:45:40 radiberry1 systemd[1]: unbound.service: Service RestartSec=100ms expired, scheduling restart.
Nov 04 14:45:40 radiberry1 systemd[1]: unbound.service: Scheduled restart job, restart counter is at 9.
Nov 04 14:45:40 radiberry1 systemd[1]: Stopped Unbound DNS server.
Nov 04 14:45:40 radiberry1 systemd[1]: unbound.service: Start request repeated too quickly.
Nov 04 14:45:40 radiberry1 systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 04 14:45:40 radiberry1 systemd[1]: Failed to start Unbound DNS server.

journalctl -xe

pi@radiberry1:~ $ journalctl -xe
-- The unit unbound-resolvconf.service has successfully entered the 'dead' state.
Nov 04 14:45:40 radiberry1 systemd[1]: Stopped Unbound DNS server via resolvconf.
-- Subject: A stop job for unit unbound-resolvconf.service has finished
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A stop job for unit unbound-resolvconf.service has finished.
--
-- The job identifier is 6248 and the job result is done.
Nov 04 14:45:40 radiberry1 systemd[1]: Stopped Unbound DNS server.
-- Subject: A stop job for unit unbound.service has finished
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A stop job for unit unbound.service has finished.
--
-- The job identifier is 6184 and the job result is done.
Nov 04 14:45:40 radiberry1 systemd[1]: unbound.service: Start request repeated too quickly.
Nov 04 14:45:40 radiberry1 systemd[1]: unbound.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit unbound.service has entered the 'failed' state with result 'exit-code'.
Nov 04 14:45:40 radiberry1 systemd[1]: Failed to start Unbound DNS server.
-- Subject: A start job for unit unbound.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit unbound.service has finished with a failure.
--
-- The job identifier is 6184 and the job result is failed.
Nov 04 14:45:40 radiberry1 systemd[1]: unbound-resolvconf.service: Start request repeated too quickly.
Nov 04 14:45:40 radiberry1 systemd[1]: unbound-resolvconf.service: Failed with result 'start-limit-hit'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit unbound-resolvconf.service has entered the 'failed' state with result 'start-limit-hit'.
Nov 04 14:45:40 radiberry1 systemd[1]: Failed to start Unbound DNS server via resolvconf.
-- Subject: A start job for unit unbound-resolvconf.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit unbound-resolvconf.service has finished with a failure.
--
-- The job identifier is 6248 and the job result is failed.

/etc/unbound/unbound.conf.d/pi-hole.conf


server:
# If no logfile is specified, syslog is used
# logfile: “/var/log/unbound/unbound.log”
verbosity: 0
port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: yes
# Use this only when you downloaded the list of primary root servers!
root-hints: “/var/lib/unbound/root.hints”
# Trust glue only if it is within the servers authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don’t use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

After the installation, even if it reports errors, does Unbound start* with

sudo systemctl stop unbound
sudo systemctl start unbound

then

sudo systemctl status unbound

(*with your posted /etc/unbound/unbound.conf.d/pi-hole.conf)

No, it still fails

pi@radiberry1:~ $ sudo systemctl stop unbound
pi@radiberry1:~ $ sudo systemctl start unbound
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
pi@radiberry1:~ $ sudo systemctl status unbound
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2019-11-04 15:26:35 +08; 4s ago
     Docs: man:unbound(8)
  Process: 18067 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 18070 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 18075 ExecStart=/usr/sbin/unbound -d $DAEMON_OPTS (code=exited, status=1/FAILURE)
 Main PID: 18075 (code=exited, status=1/FAILURE)

Nov 04 15:26:35 radiberry1 systemd[1]: unbound.service: Service RestartSec=100ms expired, scheduling restart.
Nov 04 15:26:35 radiberry1 systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Nov 04 15:26:35 radiberry1 systemd[1]: Stopped Unbound DNS server.
Nov 04 15:26:35 radiberry1 systemd[1]: unbound.service: Start request repeated too quickly.
Nov 04 15:26:35 radiberry1 systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 04 15:26:35 radiberry1 systemd[1]: Failed to start Unbound DNS server.

Can you set

logfile: “/var/log/unbound/unbound.log”
verbosity: 1

in /etc/unbound/unbound.conf.d/pi-hole.conf and try a Unbound restart again?
Any useful information in /var/log/unbound/unbound.log then?

I’m a real beginner in the *nix world so apologies if I’m missing obvious steps.

Tried the above but no log file created:

pi@radiberry1:/ $ cat /etc/unbound/unbound.conf.d/pi-hole.conf

server:
# If no logfile is specified, syslog is used
logfile: “/var/log/unbound/unbound.log”
verbosity: 1

stop and start unbound

pi@radiberry1:/etc/unbound/unbound.conf.d $ sudo systemctl stop unbound
pi@radiberry1:/etc/unbound/unbound.conf.d $ sudo systemctl start unbound
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.

there is no unbound directory in /var/log

pi@radiberry1:/var/log $ ls
alternatives.log  boot.log       cups        dpkg.log        kern.log  lighttpd  pihole-FTL.log    pihole.log.1  syslog.1  Xorg.0.log
apt               bootstrap.log  daemon.log  faillog         lastlog   messages  pihole-FTL.log.1  private       user.log  Xorg.0.log.old
auth.log          btmp           debug       fontconfig.log  lightdm   pihole    pihole.log        syslog        wtmp

Re-try it with

logfile: “/var/log/unbound.log”

Still no log file

pi@radiberry1:/var/log $ cat /etc/unbound/unbound.conf.d/pi-hole.conf

server:
# If no logfile is specified, syslog is used
logfile: “/var/log/unbound.log”
verbosity: 1

pi@radiberry1:/var/log $ sudo systemctl stop unbound
pi@radiberry1:/var/log $ sudo systemctl start unbound
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.

pi@radiberry1:/var/log $ cat /var/log/unbound.log
cat: /var/log/unbound.log: No such file or directory

pi@radiberry1:/var/log $ ls /var/log/
alternatives.log  boot.log       cups        dpkg.log        kern.log  lighttpd  pihole-FTL.log    pihole.log.1  syslog.1  Xorg.0.log
apt               bootstrap.log  daemon.log  faillog         lastlog   messages  pihole-FTL.log.1  private       user.log  Xorg.0.log.old
auth.log          btmp           debug       fontconfig.log  lightdm   pihole    pihole.log        syslog        wtmp

similar discussion here.

I don’t use the Raspbian package (compiling unbound from source) but the advice given in the above discussion would indicate chroot is active.

When chroot is active, unbound cannot access anything outside /etc/unbound.
This means that your config should NOT refer anything outside /etc/unbound.

so, when using chroot, the way to define a logfile would be:

 logfile: "/unbound.log"

Try to modify your unbound.conf, with logfile as above.
Your logfile would then (hopefully) appear in /etc/unbound/unbound.log

If this is confirmed, you have two options:

  1. all filenames must be relative to /etc/unbound, and of course, the files must be there.
  2. disable chroot (not tested - but according to the above mentioned article - verify chroot.conf exists before actually doing this):

cat << EOF > /etc/unbound/unbound.conf.d/chroot.conf
server:
    chroot: ""
EOF
service unbound restart

I added

logfile: "/unbound.log"

in /etc/unbound/unbound.conf.d/pi-hole.conf
Stopped and started the unbound service, failed again, no log created

I then added the same logfile setting to /etc/unbound/unbound.conf and added the verbosity: 1
Stopped and started the unbound service, failed again, no log created

I haven’t tried disabling chroot as the previous instructions failed to produce what was expected.

FWIW this RPI 4 is brand new. I unboxed it, put it together, started NOOBS, installed Raspbian etc then followed these instructions to get PiHole (successful) and unbound (no luck) installed.

During the last couple of days I’ve uninstalled and reinstalled unbound with no luck, even uninstalled PiHole and started again, PiHole installed fine, unbound still has errors. Really not sure where to go from here.

you can’t have the same directive in different conf files

run

sudo /usr/sbin/unbound-checkconf

or wherever unbound-checkconf is located on your system.

tl;dr - “ !== " - copying and pasting from websites resulted in the wrong quote mark being used. Corrected those and unbound seems to be running now.

I put it in unbound.conf after the first attempt just to see what would happen.

It’s removed from unbound.conf now.

pi-hole.conf and unbound.conf

pi@radiberry1:~ $ sudo cat /etc/unbound/unbound.conf.d/pi-hole.conf

server:
# If no logfile is specified, syslog is used
logfile: “/unbound.log”
verbosity: 1

pi@radiberry1:~ $ sudo cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.

include: "/etc/unbound/unbound.conf.d/*.conf"

unbound-checkconf output

pi@radiberry1:~ $ sudo /usr/sbin/unbound-checkconf
/etc/unbound/“: No such file or directory
[1572860189] unbound-checkconf[25207:0] fatal error: logfile directory does not exist

I noticed the error message had to be somewhere in the logfile line in the conf. As I was cutting and pasting from a webpage, I was using “ instead of ". Not obvious here but in nano they were curved. Replaced them with " and I stopped getting the error:

pi@radiberry1:~ $ sudo /usr/sbin/unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

stop and start produced no errors

pi@radiberry1:~ $ sudo systemctl stop unbound
pi@radiberry1:~ $ sudo systemctl start unbound

but there is no logfile created which seems odd.

but now it looks like it’s up and running

pi@radiberry1:~ $ sudo systemctl status unbound
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-11-04 17:45:31 +08; 4min 50s ago
     Docs: man:unbound(8)
  Process: 25910 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
  Process: 25914 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
 Main PID: 25919 (unbound)
    Tasks: 1 (limit: 4915)
   Memory: 4.9M
   CGroup: /system.slice/unbound.service
           └─25919 /usr/sbin/unbound -d

Nov 04 17:45:30 radiberry1 systemd[1]: Starting Unbound DNS server...
Nov 04 17:45:31 radiberry1 package-helper[25914]: /var/lib/unbound/root.key has content
Nov 04 17:45:31 radiberry1 package-helper[25914]: success: the anchor is ok
Nov 04 17:45:31 radiberry1 unbound[25919]: [1572860731] unbound[25919:0] error: Could not open logfile /var/log/unbound.log: Permission denied
Nov 04 17:45:31 radiberry1 unbound[25919]: [1572860731] unbound[25919:0] notice: init module 0: subnet
Nov 04 17:45:31 radiberry1 unbound[25919]: [1572860731] unbound[25919:0] notice: init module 1: validator
Nov 04 17:45:31 radiberry1 unbound[25919]: [1572860731] unbound[25919:0] notice: init module 2: iterator
Nov 04 17:45:31 radiberry1 unbound[25919]: [1572860731] unbound[25919:0] info: start of service (unbound 1.9.0).
Nov 04 17:45:31 radiberry1 systemd[1]: Started Unbound DNS server.
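
The curly-quote problem found above, as an added example that is not part of the original thread: a POSIX shell check that lists active config lines containing typographic quotes and can rewrite them to ASCII quotes. The function names and the `.bak` backup suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: locate typographic quotes in unbound config files.
# UTF-8 bytes of U+201C/U+201D (double) and U+2018/U+2019 (single),
# built with printf so this script itself stays pure ASCII.
DQUOTES=$(printf '\342\200\234|\342\200\235')
SQUOTES=$(printf '\342\200\230|\342\200\231')

# Print file:line:text for every non-comment line holding a curly quote.
# Lines starting with '#' are skipped because unbound ignores them.
find_smart_quotes() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        LC_ALL=C grep -nE "$DQUOTES|$SQUOTES" "$f" |
            LC_ALL=C grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS= read -r hit; do
                printf '%s:%s\n' "$f" "$hit"
            done
    done
}

# Rewrite curly quotes to ASCII ones on non-comment lines.
# The untouched original is kept beside the file as <name>.bak.
fix_smart_quotes() {
    cp -p "$1" "$1.bak" || return 1
    LC_ALL=C sed -E \
        -e "/^[[:space:]]*#/!s/$DQUOTES/\"/g" \
        -e "/^[[:space:]]*#/!s/$SQUOTES/'/g" \
        "$1.bak" > "$1"
}

# Stand-alone use: pass the files to check, e.g.
#   sh check-quotes.sh /etc/unbound/unbound.conf.d/*.conf
# then validate the result with unbound-checkconf as in the thread.
if [ "$#" -gt 0 ]; then
    find_smart_quotes "$@"
fi
```

The backup name ends in `.bak`, so the `include: "/etc/unbound/unbound.conf.d/*.conf"` line shown above does not pick it up.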

this file tells unbound to process for configuration files in /etc/unbound/unbound.conf.d/*.conf. You should never change that file (don’t change /etc/unbound/unbound.conf).

this error says it cannot access /var/log/unbound.log , so your /etc/unbound/unbound.conf.d/pi-hole.conf doesn’t appear to have any effect. dump (delete) that file. Look for a logfile configuration directive in the other files (usually /etc/unbound/unbound.conf.d/unbound.conf) and modify the location to something that works.


Thanks. I didn’t notice that error.

Couldn’t find a place where the service could create a logfile, so I manually created one in /var/log/ and chmod’d it to 777 and restarted the unbound service. It now seems to be logging fine:

[1572862950] unbound[29458:0] notice: init module 0: subnet
[1572862950] unbound[29458:0] notice: init module 1: validator
[1572862950] unbound[29458:0] notice: init module 2: iterator
[1572862950] unbound[29458:0] info: start of service (unbound 1.9.0).
[1572862952] unbound[29458:0] info: generate keytag query _ta-4f66. NULL IN
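
An added example, not part of the original thread: mode 777 lets every local account rewrite or truncate the log, so this creates the file with mode 0640 and hands it to the service account instead. It assumes the daemon runs as the account `unbound`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: give the log file an owner instead of opening it to everyone.
# Assumption: the daemon runs as the account "unbound"; pass another
# account name as the second argument if your system differs.

# Succeeds if any local account may write to the file.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Create the log if absent (never truncating it), then set mode 0640.
# Ownership is changed only when run as root and the account exists.
# Prints the resulting permission string, e.g. -rw-r-----
make_service_log() {
    log=$1
    owner=${2:-unbound}
    ( umask 027 && : >> "$log" ) || return 1
    chmod 0640 "$log" || return 1
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner" "$log" || return 1
    fi
    ls -ld "$log" | cut -c1-10
}

# Stand-alone use: sudo sh make-log.sh /var/log/unbound.log
if [ "$#" -gt 0 ]; then
    make_service_log "$@"
fi
```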

A tip when troubleshooting Unbound if it does not start.

sudo unbound -d -vv

Secondly, there are developments to update the example config file because this one is a bit outdated.

Update: added a “-d” between unbound and -vvvvv