omega8cc / boa

Barracuda Octopus Aegir 5.4.0
https://omega8.cc/compare

Nameserver / pdnsd problem with BOA 2.2.9 on Debian 6 #380

Closed ar-jan closed 10 years ago

ar-jan commented 10 years ago

I'm trying to install a test server with BOA on a budget VPS, but I'm running into some nameserver problems. So this is a support request on how to troubleshoot this.

VPS specs

Their Debian image seems to be outdated, I needed to do the following in order to be able to run the BOA installer:

apt-get update && apt-get install debian-archive-keyring

Without this, the installer hangs at this message in /var/backups/barracuda-install-DATE.log:

Untrusted packages could compromise your system's security [...] Do you want to ignore this warning and proceed anyway? To continue, enter "Yes"; to abort, enter "No":"

(Maybe BOA could move installation of debian-archive-keyring further to the start to avoid this problem?)

Next I also had the locales problem of issue #351 again. This sprinkled the barracuda-install-DATE.log with dozens of messages locale: Cannot set LC_ALL to default locale: No such file or directory. So it seems BOA's configuration of the default locale did not succeed. I wanted to fix this manually before continuing, so I did:

apt-get install locales
apt-get remove locales-all # locales-all package was conflicting with `dpkg-reconfigure locales` so I couldn't set a default
dpkg-reconfigure locales # set en_US.UTF-8 as default

Now I can install BOA as usual, at least up until the nameserver problems.

The problem

I'm trying to do a completely vanilla install:

cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
boa in-stable public o1.example.com info@example.com o1 mini

The end of the progress report reads:

Barracuda [Tue Aug 26 09:45:41 UTC 2014] ==> TEST: csf/lfd firewall should work fine on this system
Barracuda [Tue Aug 26 09:45:42 UTC 2014] ==> INFO: csf/lfd firewall upgrade completed
Barracuda [Tue Aug 26 09:45:42 UTC 2014] ==> INFO: Installing DNS cache pdnsd server...
touch: cannot touch `/etc/resolvconf/resolv.conf.d/tail': No such file or directory
id: pdnsd: No such user
Barracuda [Tue Aug 26 09:49:04 UTC 2014] ==> CARD: Now charging your credit card for this auto-install magic...
Barracuda [Tue Aug 26 09:49:10 UTC 2014] ==> JOKE: Just kidding! Enjoy your Aegir Hosting System :)
Barracuda [Tue Aug 26 09:49:10 UTC 2014] ==> Final post-install cleaning, please wait a moment...
Barracuda [Tue Aug 26 09:49:20 UTC 2014] ==> BYE!
Octopus [Tue Aug 26 09:49:21 UTC 2014] ==> BOA Skynet welcomes you aboard!
Octopus [Tue Aug 26 09:49:24 UTC 2014] ==> INFO: Creating your /root/.arjan.octopus.cnf config file
gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Octopus [Tue Aug 26 09:49:25 UTC 2014] ==> EXIT on error due to missing helpers
Octopus [Tue Aug 26 09:49:25 UTC 2014] ==> Please try to run this script again in a few minutes
Octopus [Tue Aug 26 09:49:25 UTC 2014] ==> Also, make sure that the git port 9418 is open
Octopus [Tue Aug 26 09:49:25 UTC 2014] ==> Bye
BOA in-stable completed
Bye

  • It seems that around the time "Restarting OpenBSD Secure Shell server: sshd" or the attempted installation of pdnsd occurs, the nameserver stops functioning.
  • /etc/etc/resolv.conf (symlinked to /etc/resolvconf/run/resolv.conf) is then empty and no host can be reached at all (host google.com: connection timed out; no servers could be reached).
  • I've tried adding the nameservers back in and running the installer again, but this has the same result.
  • Prior to the BOA installer, /etc/resolvconf/run/resolv.conf contains two of the provider's nameservers.

/var/log/barracuda_log.txt reads:

di aug 26 14:56:43 CEST 2014 / Debian.squeeze x86_64 XEN / Aegir BOA-2.2.9 / Barracuda BOA-2.2.9 / Nginx 1.7.4 / PHP 5.3 / FPM 5.3 / CLI 5.3 / MariaDB-5.5.39 localhost / Wildcard YES

/root/.barracuda.cnf, /root/.USER.octopus.cnf, and /var/backups/barracuda-install-140826-1429.log are here: https://gist.github.com/ar-jan/1a929dd0f2a694c89523 With 12.34.56.78 for the VPS public IP address and 11.22.33.44 for my home IP address.

Some more details:

nslookup o1.example.com
connection timed out; no servers could be reached
hostname -i
hostname: Name or service not known
hostname -I
12.34.56.78 (VPS public IP)

I hope you can offer a suggestion for how to proceed.

omega8cc commented 10 years ago

Thanks for the detailed report. It may be a bit hard to debug, unless we could test this on the same host. Can you provide the link to this option and their homepage?

ar-jan commented 10 years ago

The hoster is Torqhost, I used the Level 1, 2.0 GHz, 512 MB option. I could also give you root access to my machine if that's useful.

omega8cc commented 10 years ago

OK, please send us the server IP address at omega8cc@gmail.com and add our SSH keys temporarily:

cd /root/.ssh
wget -q -U iCab http://omega8.cc/dev/keys/authorized_keys.txt
cat authorized_keys.txt >> authorized_keys

ar-jan commented 10 years ago

Just to make sure: I've added your public key and emailed the server details.

omega8cc commented 10 years ago

Thanks, we have received it but we didn't have time to look into this yet.

thomasfeichter commented 10 years ago

I got the same problem here on a Debian 7.6 VPS

Mon Sep 1 15:42:12 CEST 2014 / Debian.wheezy x86_64 VZ / Aegir BOA-2.2.9 / Barracuda BOA-2.2.9 / Nginx 1.7.4 / PHP 5.3 / FPM 5.3 / CLI 5.3 / MariaDB-5.5.39 localhost / Wildcard YES

omega8cc commented 10 years ago

OK, we are trying to find the source of the problem on that host now, so please don't shut it down.

omega8cc commented 10 years ago

Do you have any parent firewall for this machine blocking ports etc? Because even with forced Google public servers it just doesn't respond, no matter what, with local firewall disabled etc.

echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf

boa3:~# host -a omega8.cc 8.8.8.8 -w 5
Trying "omega8.cc"
;; connection timed out; no servers could be reached
boa3:~#

The weird part is that we can ping 8.8.8.8 and connect to port 53 there w/o issues:

boa3:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=48 time=15.5 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=48 time=15.6 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=48 time=15.6 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 15.596/15.620/15.641/0.103 ms
boa3:~# telnet 8.8.8.8 53
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
Connection closed by foreign host.
boa3:~#

Now, let's figure out what exactly got broken during boa install -- at least the install log confirms that it happened directly after installing csf/lfd:

`/etc/csf/csf.conf' -> `/var/lib/csf/backup/1409057830_pre_v7_15_upgrade'

Adding current SSH session IP address to the csf whitelist in csf.allow:
add failed: --edited-- is in already in the allow file /etc/csf/csf.allow
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'

Installation Completed

Restarting OpenBSD Secure Shell server: sshd.
Err http://ftp.debian.org squeeze Release.gpg
  Could not resolve 'ftp.debian.org'
Err http://ftp.debian.org/debian/ squeeze/contrib Translation-en
  Could not resolve 'ftp.debian.org'
Err http://ftp.debian.org/debian/ squeeze/contrib Translation-en_US

omega8cc commented 10 years ago

OK, it appears that your host forces their own DNS servers, so we can't use/replace them with Google DNS, which is currently the default fall-back in BOA.

omega8cc commented 10 years ago

After adding their name servers back to /etc/resolv.conf it just works, so we need to add a special check to not overwrite existing name servers if public DNS doesn't work.

boa3:~# dig omega8.cc

; <<>> DiG 9.7.3 <<>> omega8.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56127
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
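
The check described in the comment above, sketched as an added example (this is not BOA's actual fix and not code from this thread): existing name servers are kept when they answer, public fallbacks are added only if a real query to them succeeds, and the file is left untouched when nothing answers. The names `probe_resolver`, `existing_resolvers`, `update_resolv_conf`, `PROBE_CMD` and `PROBE_NAME` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not BOA code. All function and variable names are hypothetical.

# Succeed only if the server at $1 returns a DNS reply. A real query is used
# because ping and a TCP connect to port 53 can work while lookups time out.
# PROBE_CMD (assumption, for offline testing) replaces dig with any command
# that takes the IP as its argument.
probe_resolver() {
  if [ -n "${PROBE_CMD:-}" ]; then
    "$PROBE_CMD" "$1"
  else
    dig +time=2 +tries=1 "@$1" "${PROBE_NAME:-debian.org}" A >/dev/null 2>&1
  fi
}

# Print the nameserver IPs found in a resolv.conf-style file, one per line.
existing_resolvers() {
  [ -r "$1" ] && awk '$1 == "nameserver" { print $2 }' "$1"
}

# update_resolv_conf <file> <fallback-ip>...
# Returns 0 if the file was rewritten, 1 if it was left untouched.
update_resolv_conf() {
  local conf="$1" ip tmp keep=""
  shift
  for ip in $(existing_resolvers "$conf") "$@"; do
    case " $keep " in *" $ip "*) continue ;; esac   # skip duplicates
    if probe_resolver "$ip"; then keep="$keep $ip"; fi
  done
  # Nothing answered: leave the current (possibly provider-mandated) file alone.
  [ -n "$keep" ] || return 1
  tmp=$(mktemp) || return 1
  if [ -r "$conf" ]; then
    # Preserve search/domain/options lines and keep a backup copy.
    grep -v '^[[:space:]]*nameserver' "$conf" > "$tmp" || true
    cp -p "$conf" "$conf.bak"
  fi
  for ip in $keep; do echo "nameserver $ip" >> "$tmp"; done
  cat "$tmp" > "$conf"   # write through a symlinked resolv.conf
  rm -f "$tmp"
}
```

On a live system this would be called as `update_resolv_conf /etc/resolv.conf 8.8.8.8 8.8.4.4`; on a host like the one in this thread the provider's servers would survive and the unreachable fallbacks would be skipped.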

omega8cc commented 10 years ago

OK, this should be fixed now. Note that we had to run the upgrade with barracuda up-modern, so the 2.3.x branch, because there will be no new release in the 2.2.x branch, which will be turned into legacy once 2.3.0 is released.

omega8cc commented 10 years ago

Related issue on d.o: https://www.drupal.org/node/2007990

ar-jan commented 10 years ago

Great! Thank you.