Fatal glibc error: cannot get entropy for arc4random #147
Comments
I have the exact same issue. DSM 7.1.1-42962 Update 6.
Same here on Linux kernel 3.10.108 #42962 :/ Is there a possibility to remove the usage of getentropy(), like here?
Hi everyone, I have the same problem (I think). The logs of unbound say:
With nslookup I always get a "timed out".
My unbound.conf file:
server:
remote-control:
My problem has been solved; I have used version 1.18.
The current unbound version 1.19.3 also works on older devices. Your error occurs with devices up to model year xx16. So that the error does not cause any problems, you just must not mount the /unbound folder, but the files themselves. For unbound in hyperlocal mode, I only need the unbound.conf ;). The whole thing runs on a 1513+ without any problems. Maybe the "best practice" guide is not the best yet ;) If you are using an older version, this can only help you in the short term. The problem is not solved by this!
@nillebor With the image from madnuttah it's possible to mount folders too on older Synology devices:
Not every docker image is the same. Not every DiskStation has the same software (DSM) and kernel. |
@nillebor Yes, and a possible solution is here: |
Your link is about an older version, so the statement is no longer true or is included in the current version (latest) of mvance. |
You are absolutely right, the problem is only postponed, not solved. The file unbound.conf is located in the "unbound" folder; how do you mean that I should mount the file myself?
Do not specify the folder "unbound" in the container, but the config directly. Rights do not have to be adapted or released to "everyone". You can see an example here:
If you need several ports, files or subfolders, please adjust accordingly. The latest version works without any problems and can be easily updated automatically with Watchtower on my system. My Synology installation:
I use the default unbound.conf, but commented out:
Corresponding files can of course be adapted or added. However, this is not necessary for my queries to the root servers. Maybe it is still necessary to disable IPv6 (if not available)?
Test hyperlocal mode: (see your own external IP)
My Synology unbound files:
I hope it helps you. :)
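The single-file mount the comment above describes, written out as an added example compose file (it is not the commenter's linked example, which does not appear in this thread, and not the reporter's file). The host path ./unbound/unbound.conf is an assumption; the container path is the directory from the reporter's config. The thread itself does not present this as a fix for the glibc error (see the "only postponed, not solved" exchange above); what it removes is the need to open up permissions on a whole host folder.

```yaml
# Added example, not a file from this issue or from mvance/unbound.
# Same service as in the report, but only unbound.conf is bound into the
# container instead of the whole unbound folder.
version: "3"
services:
  unbound:
    container_name: unbound
    image: mvance/unbound:latest
    network_mode: "host"
    restart: always
    volumes:
      # Folder mount: the whole directory is exposed, so the unbound user
      # inside the container needs read access to all of it on the host
      # (and write access to var/root.key, which auto-trust-anchor-file
      # updates), which is why guides end up loosening host permissions.
      # - ./unbound:/opt/unbound/etc/unbound
      #
      # File mount, as suggested above: only the config is bound, read-only.
      # root.hints, var/root.key and the include files stay as shipped in
      # the image, so nothing on the host needs its permissions changed.
      # Host path ./unbound/unbound.conf is an assumption for this example.
      - ./unbound/unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro
```

If the config references extra files (the include: lines or the auth-zone zonefile), each one needs its own bind line in the same shape; a file bound with :ro cannot be a file unbound writes to, so the trust anchor should stay inside the image or be bound without :ro.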
Great, thank you very much, I will test this tonight and give you feedback. |
Describe the bug
I tried to set up Unbound in Docker on a Synology NAS with Portainer. After using a docker compose file I got the error "Fatal glibc error: cannot get entropy for arc4random" in the logs.
To Reproduce
Steps to reproduce the behavior:
Docker compose in Portainer:
```yaml
version: "3"
services:
  unbound:
    container_name: unbound
    image: mvance/unbound:latest
    network_mode: "host"
    restart: always
    volumes:
```
Using this config file:
```
server:
    do-ip6: no
    local-zone: ip6.arpa. refuse
    prefer-ip6: no
    cache-max-ttl: 86400
    cache-min-ttl: 300
    directory: "/opt/unbound/etc/unbound"
    aggressive-nsec: yes
    harden-dnssec-stripped: yes
    edns-buffer-size: 1232
    rrset-roundrobin: yes
    interface: 127.0.0.1@5355
    delay-close: 10000
    neg-cache-size: 4M
    deny-any: yes
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: 169.254.0.0/16 allow
    access-control: fc00::/7 allow
    access-control: ::1/128 allow
    access-control: fd00::/8 allow
    access-control: fe80::/10 allow
    auto-trust-anchor-file: "var/root.key"
    chroot: "/opt/unbound/etc/unbound"
    harden-algo-downgrade: yes
    harden-large-queries: yes
    hide-http-user-agent: no
    hide-identity: yes
    hide-version: yes
    http-user-agent: "DNS"
    identity: "DNS"
    # These private network addresses are not allowed to be returned for public
    # internet names. Any occurrence of such addresses are removed from DNS
    # answers. Additionally, the DNSSEC validator may mark the answers bogus.
    # This protects against DNS Rebinding
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    ratelimit: 1000
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    unwanted-reply-threshold: 10000
    use-caps-for-id: no

    ###########################################################################
    # PERFORMANCE SETTINGS
    ###########################################################################
    infra-cache-slabs: 2
    key-cache-slabs: 2
    msg-cache-size: 100M
    msg-cache-slabs: 2
    num-queries-per-thread: 4096
    num-threads: 2
    outgoing-range: 8192
    rrset-cache-size: 200M
    rrset-cache-slabs: 2
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    root-hints: "/opt/unbound/etc/unbound/root.hints"

    ###########################################################################
    # LOCAL ZONE
    ###########################################################################
    include: /opt/unbound/etc/unbound/a-records.conf
    include: /opt/unbound/etc/unbound/srv-records.conf

    ###########################################################################
    # FORWARD ZONE
    ###########################################################################
    include: /opt/unbound/etc/unbound/forward-records.conf

auth-zone:
    name: "."
    master: "b.root-servers.net"
    master: "c.root-servers.net"
    master: "d.root-servers.net"
    master: "f.root-servers.net"
    master: "g.root-servers.net"
    master: "k.root-servers.net"
    url: https://www.internic.net/domain/root.zone
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/opt/unbound/etc/unbound/auth-zone/root.zone"

#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
    # SecureDNS.eu
#    forward-addr: 146.185.167.43@853#dot.securedns.eu
#    forward-addr: 2a03:b0c0:0:1010:e9a:3001@853#dot.securedns.eu
    # Quad9
#    forward-addr: 9.9.9.9@853#dns.quad9.net
#    forward-addr: 149.112.112.112@853#dns.quad9.net
#    forward-addr: 2620:fe::fe@853#dns.quad9.net
#    forward-addr: 2620:fe::9@853#dns.quad9.net

remote-control:
    control-enable: no
```
Expected behavior
No error message
Error messages
Fatal glibc error: cannot get entropy for arc4random
Additional context
OS: DSM 7.2.1 (Synology)
Kernel version: Linux NAS 3.10.108 #64570. With the FreeFileSync Docker image I also had an entropy problem because the kernel was too old (jlesage/docker-freefilesync#8), but I'm not fully sure whether that is also the case here.
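A pre-flight check for the failure reported in this issue, as an added example (not a script from the issue or from the mvance/unbound project). Two facts drive it: the message "Fatal glibc error: cannot get entropy for arc4random" is printed by glibc's arc4random(), which first shipped in glibc 2.36 and takes its entropy from the getrandom(2) syscall; and getrandom(2) was added to Linux in 3.17. Containers share the host kernel, so an image built on glibc 2.36 or newer needs a host kernel of at least 3.17, which DSM's 3.10.108 is not. The function names, the verdict strings and the libc.so.6 path in the usage comment are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from this issue or from mvance/unbound.
# Checks whether a host kernel can serve the getrandom(2) syscall that the
# arc4random() in glibc >= 2.36 relies on. Facts: getrandom(2) appeared in
# Linux 3.17; arc4random() appeared in glibc 2.36. Everything else here
# (function names, verdict text) is invented for the example.

GETRANDOM_MIN_KERNEL=3.17    # first Linux release with getrandom(2)
ARC4RANDOM_MIN_GLIBC=2.36    # first glibc release with arc4random()

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing numeric
# components left to right. Leading non-digits and anything after the numeric
# part (e.g. "-synology" or "+" in `uname -r`) are ignored. Missing components
# count as 0, so 3.17 and 3.17.0 compare equal.
version_ge() {
    a=$(printf '%s' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        pa=${a%%.*}
        pb=${b%%.*}
        if [ "${pa:-0}" -gt "${pb:-0}" ]; then return 0; fi
        if [ "${pa:-0}" -lt "${pb:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# kernel_has_getrandom RELEASE: does a kernel with this `uname -r` provide getrandom(2)?
kernel_has_getrandom() { version_ge "$1" "$GETRANDOM_MIN_KERNEL"; }

# glibc_has_arc4random VERSION: does this glibc ship arc4random()?
glibc_has_arc4random() { version_ge "$1" "$ARC4RANDOM_MIN_GLIBC"; }

# preflight RELEASE GLIBC_VERSION: print one verdict line starting with "ok:"
# or "fail:" and return 0 or 1 accordingly.
preflight() {
    kernel=$1
    glibc=$2
    if ! glibc_has_arc4random "$glibc"; then
        echo "ok: glibc $glibc has no arc4random(), so this failure mode does not apply"
        return 0
    fi
    if kernel_has_getrandom "$kernel"; then
        echo "ok: kernel $kernel provides getrandom(2) for glibc $glibc"
        return 0
    fi
    echo "fail: kernel $kernel predates getrandom(2) (Linux $GETRANDOM_MIN_KERNEL); expect 'Fatal glibc error: cannot get entropy for arc4random' with glibc $glibc"
    return 1
}

# Usage: sh preflight.sh [IMAGE_GLIBC_VERSION]
# Run it on the NAS itself, or inside any container on it: the kernel is the
# same. To read an image's glibc version, execute its libc directly, e.g.
#   docker run --rm --entrypoint /lib/x86_64-linux-gnu/libc.so.6 mvance/unbound:latest
# (the path assumes a Debian-based x86_64 image and differs on other arches).
preflight "$(uname -r)" "${1:-$ARC4RANDOM_MIN_GLIBC}"
```

The check deliberately fails closed on the kernel side only: a glibc older than 2.36 has no arc4random() at all, so the reported message cannot come from it, which matches the observation in the thread that the 1.18 image still starts on the same kernel.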