Issues setting up dnstap logging

Patrik Lundin patrik at sigterm.se
Mon Dec 28 11:51:34 UTC 2020 

On Sun, Dec 27, 2020 at 08:54:24PM -0500, Robert Edmonds wrote:
> 
> Looking into this a bit more, it's because I'm running fstrm_capture
> under systemd, which by default causes SIGPIPE to be ignored:
> 
>     IgnoreSIGPIPE=
>         Takes a boolean argument. If true, causes SIGPIPE to be ignored
>         in the executed process. Defaults to true because SIGPIPE
>         generally is useful only in shell pipelines.
> 

Nice catch! I was not aware systemd makes executed processes ignore SIGPIPE by
default. Indeed, I added a systemd service file for fstrm_capture (feedback
appreciated, of course the -d flags would be removed for normal operation)
```
[Unit]
Description=fstrm_capture service
Wants=unbound.service
Before=unbound.service
RequiresMountsFor=/var/lib/unbound

[Service]
Type=simple
User=unbound
Group=unbound
ExecStart=/usr/bin/fstrm_capture -ddddd -t protobuf:dnstap.Dnstap -u /var/lib/unbound/dnstap.sock -w /var/log/dnstap/dnstap-%%F-%%T.fstrm -s 3600 --gmtime

[Install]
WantedBy=multi-user.target
```

And now I also see a message that the SIGPIPE is ignored when stopping unbound:
```
Dec 28 12:16:31 linux-amd64-t01 fstrm_capture[4227]: fstrm_capture: connection fd 8: reading control frame (12 bytes): "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x03"
Dec 28 12:16:31 linux-amd64-t01 fstrm_capture[4227]: fstrm_capture: connection fd 8: received FSTRM_CONTROL_STOP (3)
Dec 28 12:16:31 linux-amd64-t01 fstrm_capture[4227]: fstrm_capture: connection fd 8: sending FSTRM_CONTROL_FINISH (5)
Dec 28 12:16:31 linux-amd64-t01 fstrm_capture[4227]: fstrm_capture: connection fd 8: writing frame (12) bytes: "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x05"
Dec 28 12:16:31 linux-amd64-t01 fstrm_capture[4227]: fstrm_capture: connection fd 8: libevent error: Broken pipe (32)
Dec 28 12:16:31 linux-amd64-t01 fstrm_capture[4227]: fstrm_capture: connection fd 8: closing (read 0 frames, 0 bytes)
```

... with the process still running, so this is a functional workaround for the time being:
```
unbound   4227  0.0  0.0   4900   888 ?        Ss   12:15   0:00 /usr/bin/fstrm_capture -ddddd -t protobuf:dnstap.Dnstap -u /var/lib/unbound/dnstap.sock -w /var/log/dnstap/dnstap-%F-%T.fstrm -s 3600 --gmtime
```

I see you have already gone ahead and opened a pull request:
https://github.com/farsightsec/fstrm/pull/65

Thanks for the help :)

Regards,
Patrik Lundin

More information about the Unbound-users mailing list