Should I be using Unbound Python mode? Is it stable?
@keyser said in Should I be using Unbound Python mode? Is it stable?:
...I would love to if we can make this problem go away...
I agree.
I have a similar problem with my SG-5100. I changed from Unbound to Unbound Python mode about 3 weeks ago and my disk usage (ufs) has steadily increased from about 45% to 75% currently.
Nothing fancy in my setup: about 30 - 35 clients, a few VLANs, VPN server, and minimal packages (avahi, nut, pfBlockerng-devel, snort, traffic stats).
I am considering changing back to non-Python mode.
@azdeltawye said in Should I be using Unbound Python mode? Is it stable?:
@keyser said in Should I be using Unbound Python mode? Is it stable?:
...I would love to if we can make this problem go away...
I agree.
I have a similar problem with my SG-5100. I changed from Unbound to Unbound Python mode about 3 weeks ago and my disk usage (ufs) has steadily increased from about 45% to 75% currently.
Nothing fancy in my setup: about 30 - 35 clients, a few VLANs, VPN server, and minimal packages (avahi, nut, pfBlockerng-devel, snort, traffic stats).
I am considering changing back to non-Python mode.
Yeah, that’s the disk filling issue with pfBlockerNG. I have that as well.
There is definitely something fishy with the python script and how it handles data. The filling issue in my case is related to doing “DNS Reply Logging” in Unbound Python Mode.
When Unbound is under moderate DNS resolution load, the python script fails to respect the default 20.000 linies max setting for the DNS_reply log, and once its passed the 20.000 lines limit, it no longer attempts to delete the old entries, and the log file just keeps growing. Mine had some 900.000+ lines in it when my disk was almost full. Stopping pfBlockerNG and starting it again causes the script to truncate the logfile again (and regain your lost diskspace). But in my case it’s only a matter of time before DNS resultion load causes the script to miss truncation again, and you are on your way to a full disk.Disabling DNS reply logging has so far prevented me from seeing the disk running full again. But who knows if it can happen to some of the other logfiles?
As a little followup on my investigations, I have taken measures to “quiet” down my zabbix server so it does not flood my Unbound resolver.
Doing that had a pretty big impact on the sustained write rate which now dropped to somewhere around 150 KB/s (from around 380 KB/s).So there is no doubt the issue is somewhat related to DNS lookup activity in Unbound. The thing is - I have disabled DNS Reply logging, DNSBL block logging and so forth, and none of my logfiles are growing now. What is the Python script doing that touches/writes so much to disk when it’s not logging?
I suspect there is some temporary storing of DNS lookup data going on inside the script.
What DNSBL configuration could cause my script/python integration to store temporary data, that most other installations do not?@ 150KB/s I’m looking at 4TB write IO/Year to my 8Gb eMMc - that will wear through its endurance in about 3 years. Still too fast in my opinion.
@keyser said in Should I be using Unbound Python mode? Is it stable?:
Stopping pfBlockerNG and starting it again causes the script to truncate the logfile again (and regain your lost diskspace).
My experience is not the same.
I had set every log file to "40 000".
I changed it to the default "20 000" lines for all of them - and saved at the bottom of the page.
Just to be sure, I checked one of the concerned files : dns_reply.log, and counted the number of lines ::[2.5.2-RELEASE][]/var/unbound/var/log/pfblockerng: wc -l dns_reply.log 41443 dns_reply.log
That's just a bit more then 40 000, the number I was using before.
I execute a manual Force -> reload.
Again :[2.5.2-RELEASE][]/var/unbound/var/log/pfblockerng: wc -l dns_reply.log 20066 dns_reply.log
So, for me ok, the file was reset to "20 000" and some new lines (66) were already added.
Next test :
I asked the CRON task to execute every hour (you should normally not do this !!!) :
I waited.At 11h00 AM local time, the cron executed.
I tested the file size again, at 11h00 so 10 minutes passed :[2.5.2-RELEASE][]/var/unbound/var/log/pfblockerng: wc -l dns_reply.log 20826 dns_reply.log
That's a bit more then 20 000 - the 826 lines were added after 11h00.
So, for me, it works.
But : true, I can image that these files can get pretty big after "24 hours".
Keep track of the files the old fashioned way : manually, and adapt the CRON timing accordingly.I'll set back my pfBlockerNg CRON timer to ones a day, and my log file size back to "40 000", and report back in a day or two.
@gertjan Yeah, you could work the issue that way as well.
You missed my main question however: Are you using RAMdisk for /tmp and /var in your config? Because that might explain why you are not seeing sustained writeIO to your SSD.
Just out of curiosity, what is your average write IO load over time in your installation? (iostat -x)
@keyser said in Should I be using Unbound Python mode? Is it stable?:
Are you using RAMdisk for /tmp and /var in your config?
No way.
Just classic hard disks - The ones I removed from desktop devices after a 4 years live span.
I'll 'burn them up' in my pfSense as a retirement plan.
Btw : I'm using a completely stripped down PC device, consuming 60 Watt/hour.
easy to maintain, and I have a pile load of spare parts.@keyser said in Should I be using Unbound Python mode? Is it stable?:
(iostat -x)
[2.5.2-RELEASE][]/root: iostat -x extended device statistics device r/s w/s kr/s kw/s ms/r ms/w ms/o ms/t qlen %b md0 0 0 0.0 0.0 0 0 0 0 0 0 ada0 0 9 0.2 205.9 5 1 0 1 0 0 cd0 0 0 0.0 0.0 0 0 0 0 0 0 pass0 0 0 0.0 0.0 3 0 6 4 0 0 pass1 0 0 0.0 0.0 0 0 0 0 0 0
Do you use zfs? Maybe it is somehow related to this topic. Or maybe it is something that you can see while having both pfblocker and zfs? I haven't checked it so I'm just guessing.
@gertjan said in Should I be using Unbound Python mode? Is it stable?:
@keyser said in Should I be using Unbound Python mode? Is it stable?:
Are you using RAMdisk for /tmp and /var in your config?
No way.
Just classic hard disks - The ones I removed from desktop devices after a 4 years live span.
I'll 'burn them up' in my pfSense as a retirement plan.
Btw : I'm using a completely stripped down PC device, consuming 60 Watt/hour.
easy to maintain, and I have a pile load of spare parts.@keyser said in Should I be using Unbound Python mode? Is it stable?:
(iostat -x)
[2.5.2-RELEASE][]/root: iostat -x extended device statistics device r/s w/s kr/s kw/s ms/r ms/w ms/o ms/t qlen %b md0 0 0 0.0 0.0 0 0 0 0 0 0 ada0 0 9 0.2 205.9 5 1 0 1 0 0 cd0 0 0 0.0 0.0 0 0 0 0 0 0 pass0 0 0 0.0 0.0 3 0 6 4 0 0 pass1 0 0 0.0 0.0 0 0 0 0 0 0
Thanks for showing that. I see your box averages 200KB/s writes or about 5.5TB/year, so if you where on a 8GB eMMC, you too would suffer a dead card after a couple of years.
Unless you have something else doing some “heavy” logging, you seem to be suffering the issue as well. Can you confirm that Unbound is NOT your top sustained writer in “top -m io”? You have stated before that you are not having the issue.
PS: 60w sustained…. OUCH…. I’m doing 4.8W on my SG-2100. Your’e obviously not living in denmark - with our electricity prices that would be 200$/year in running costs alone.
@tomashk said in Should I be using Unbound Python mode? Is it stable?:
Do you use zfs? Maybe it is somehow related to this topic. Or maybe it is something that you can see while having both pfblocker and zfs? I haven't checked it so I'm just guessing.
Thanks, but that has already been covered earlier. ZFS is not in use here.
@keyser said in Should I be using Unbound Python mode? Is it stable?:
so if you where on a 8GB eMMC, you too would suffer a dead card
That's why I mentioned that I use classic solid plate disks, the ancient ones.
No "fancy" SSD or such drives for me for my pfSense application.
I can do so because I have the place for them = big box solution, also called "old PC".
( And the electricity bill isn't an issue neither. )As I showed above, the log files are purged, so I don't have any space issues. The pfBlockerNG do grow, but are pruned by the daily pfBlockerNG cron task.
@keyser said in Should I be using Unbound Python mode? Is it stable?:
Unless you have something else doing some “heavy” logging
I do.
pfSense logs (not pfBlockerNG) are syslogged to a local NAS.@keyser said in Should I be using Unbound Python mode? Is it stable?:
“top -m io”
and then 'm' :
Ones in a while unbound is on top of charts.
@keyser said in Should I be using Unbound Python mode? Is it stable?:
60w sustained…. OUCH….
We had a choice.
Plan A : giving away our solar over production "to the community".
Plan B : don't throw away our old equipment, and give it a second live as a firewall.Plan B won.
Btw : I'm talking about pfSense @work. @home it runs out of a VM, so when I'm not there == 0 Watt.
Last night I changed my pfB config from Unbound Python mode back to Unbound and immediately saw my disk usage (ufs) drop from 76% to 46%. This would appear to confirm that pfB Python mode was responsible for the excessive disk usage and that it is not ready for prime time yet... I don't have the time to be a Beta tester right now so I will have to wait this one out.
Unfortunately, with pfB Unbound mode, I'm back to no logging on the DNSBL count: 0 log entries logged since changing back to Unbound mode (Firewall/pfBlockerNG/Alerts/DNSBL Block). I started a thread about this a few months ago:
[](link url)Hopefully in the next few months we will see a new version of pfBlockerng-devel that will address these issues.
@azdeltawye said in Should I be using Unbound Python mode? Is it stable?:
Last night I changed my pfB config from Unbound Python mode back to Unbound and immediately saw my disk usage (ufs) drop from 76% to 46%. This would appear to confirm that pfB Python mode was responsible for the excessive disk usage and that it is not ready for prime time yet... I don't have the time to be a Beta tester right now so I will have to wait this one out.
Unfortunately, with pfB Unbound mode, I'm back to no logging on the DNSBL count: 0 log entries logged since changing back to Unbound mode (Firewall/pfBlockerNG/Alerts/DNSBL Block). I started a thread about this a few months ago:
[](link url)Hopefully in the next few months we will see a new version of pfBlockerng-devel that will address these issues.
Yeah, that issue certainly needs a fix - as does the sustained temporary writing to disk.
It would be such a shame if pfBlockerNG got a reputation for killing the small SG-xxxx boxes with very small eMMC’s and SSD’s because of wear.I hope @BBcan177 will return at some point and have a look at this tread. I’d be happy to help/provide additional data in identifying the source of the problem.
The reason why "Python mode" was invented, is spread out all over the forum, but the basic explanation is : people want more details, faster details, and more DNSBL control.
Also : faster unbound restart.The classic unbound log capabilities are not enough.
Even if you crank this one up to level 5 :The needed info wouldn't be there.
But, just for fun, do it for yourself, activate level 5 unbound logging.
And keep an eye on this file /var/log/resolver.log
It will EAT your disk space - and as said, the needed info still sin't there.Also : log file parsing is slow. The python mode uses 'pre complied' code and is thus much faster.
Another major advantage is that unbound doesn't need to load in these mega byte size DNSBL feeds at restart. The python scripts parses these files now.The bottom line is : want DNSBL ? Throw resources on it. Or trim it down (use less feeds). And if you have less head room, keep watching for that ceiling.
@gertjan said in Should I be using Unbound Python mode? Is it stable?:
The bottom line is : want DNSBL ? Throw resources on it. Or trim it down (use less feeds). And if you have less head room, keep watching for that ceiling.
I do not disagree, And it does just that.
But you cannot argue that it should just fill the disk consistently (with no usable and asked for data) and it needs manual intervention, to regain your diskspace.
Also, you cannot argue there is a point in sustained writing to the disk with 100KB - 400KB/s when it’s data that is not stored for a reason (and asked for). That kind of dataflow should be kept in memory - if not for keeping the flash disk alive, then at least for the added speed and less use of ressources.
@keyser said in Should I be using Unbound Python mode? Is it stable?:
But you cannot argue that it should just fill the disk consistently (with no usable and asked for data) and it needs manual intervention, to regain your diskspace.
I showed above how "the data" is limited in size.
See here.
Conclusion : I don't have to do things manually.You work with RAM drives, right ?
Do you mean the log files aren't shortened in size by itself ?My files in /var/unbound/var/log/pfblockerng/ do grow also - of course.
Up until a certain point in time.
En when this event (the CRON delay) arrives, they are clipped to 40000 lines each.So, these log files do not grow indefinitely.
Yours do ? Maybe a bug when RAM disks are used ?The files are not useless, they are used to build charts like these :
( which I tend to find a bit useless, I agree ^^ )
@keyser said in Should I be using Unbound Python mode? Is it stable?:
Also, you cannot argue there is a point in sustained writing to the disk with 100KB - 400KB/s when it’s data that is not stored for a reason (and asked for). That kind of data flow should be kept in memory - if not for keeping the flash disk alive, then at least for the added speed and less use of resources.
I got your point of view.
My hardware choice includes, amongs others, the storage aspect.Although my latest "Office PC" has only SSD drives, and it will (should ?!) last for some 4 to 5 years, and this is "Windows 10 Pro" driving it with a lot more as "100KB - 400KB/s".
The writing is not data that is put into the various log files to make up charts and what not. It’s not data that is used anywhere - it’s not persistent. None of my logfiles are growing - nor recieving new data (since I disabled all logging possible). I got the writing down to 150KB/s by removing a lot of DNS requests to Unbound. The 13Gb data currently written pr day by Unbound is not logged ANYWHERE - my 8Gb eMMC is 28% allocated consistently, and the logfiles contains way old data since nothing new is added to them.And no, my logfiles - with one exception - are not growing indefinitely, they are truncated just fine around the 20.000 lines marker as configured. The one Log file that has been growing indefinitely on me a few times (when logging was enabled) is the DNS_reply.log, and it’s by no means consistens. It seems it takes som kind of event to make it “skip” truncation, after which it starts growing. Then it grows and grows until the drive is full - the CRON job does not truncate it either.
I’m not using RAM drives - I was asking if you did because you did not see the same writing (which I no longer believe is the case, after you posted your system doing 200KB/s on average).
I agree that 200Kb/s is not an issue with a large SSD or a HDD. It’s only on small <32Gb eMMC/SDD drives it will become an issue. But there it will become a MAJOR issue.
@keyser said in Should I be using Unbound Python mode? Is it stable?:
(which I no longer believe is the case, after you posted your system doing 200KB/s on average).
I've another - non unbound related - log file, created by the FreeRadius packaga.
As I'm having a lot of captive portal users right now - and I'm using Freeadius for authentication and accounting,I'm doing some SQL logging.
This file, 438 Mega right now, grows to several Gbytes each week.
I maintain this file myself.And I use of course unbound+pfblockerng+python and do some minimal DNSBL filtering, and that logs also a bit.
[2.5.2-RELEASE][]/var/log: ls -alt total 123912 -rw------- 1 freeradius freeradius 966333577 Aug 26 09:23 radius.log.old -rw-r--r-- 1 root wheel 438136155 Aug 26 09:23 sqltrace.sql -rw------- 1 root wheel 10211784 Aug 26 09:23 routing.log -rw------- 1 root wheel 7683335 Aug 26 09:23 filter.log -rw------- 1 root wheel 867277 Aug 26 09:23 auth.log -rw------- 1 root wheel 6300375 Aug 26 09:23 nginx.log -rw------- 1 root wheel 264584 Aug 26 09:23 system.log -rw------- 1 root wheel 230106 Aug 26 09:22 utx.log -rw-r--r-- 1 root wheel 591 Aug 26 09:22 utx.lastlogin -rw------- 1 root wheel 7118905 Aug 26 09:22 dhcpd.log -rw------- 1 root wheel 228 Aug 26 09:22 openvpn.status -rw------- 1 freeradius freeradius 16128 Aug 26 09:21 radutmp -rw------- 1 root wheel 840027 Aug 26 08:57 portalauth.log -rw------- 1 root wheel 66114 Aug 26 07:57 openvpn.log
@keyser said in Should I be using Unbound Python mode? Is it stable?:
It seems it takes som kind of event to make it “skip” truncation, after which it starts growing.
So, this part fails ( ? ) :
/usr/local/pkg/pfblockerng/ : line 623 : function pfb_logger($log, $logtype)For every file, with the tail command, the last "number of lines" (20 000 or whatever you selected) are taken and streamed into a newly created 'temp' file.
This temp file is moved (== renamed) to the original file, like dns_reply.log
De temporary file is deleted => ?????? ( this is awkward - if you rename a.log to b.log, and you delete then a.log, this should be a no op as a.log doesn't exist any more ).This function gets executed every pfblockerNG 'CRON' time.
What about placing some 'log' info into it - so it logs to "/var/log/pfblockerng/pfblockerng.log", with some info about what log file it found (the for each loop) like the file being handled etc.
See also (here : short cut ) :the CRON job did get executed regularly ?
I have given up running the setup that suffers the "filling disk issue".
My Internet needs to be up, and I need to spend a little less troubleshooting time on pfBolckerNG.I have also probably used 90% of my eMMC's advertised endurance on very heavy sustained writing from pfBlockerNG
@keyser Hi! I hear you. I am suffering also from some weird behaviour of pfblockerng and I also made a post about it. I don't see bbcann177 anywhere for some time now. I hope he has not abandoned the project.
The main issues I have with it are that reliability of unbound seem to drop when pfblockerng is enabled. Also the disable dynamic hostname registration when pfblockerng is enabled in python mode is getting a little long in the tooth...would've expected a fix by now. I still use pfblockerng for ip blocking and I have setup an Aduard home server for my DNSBL needs. I suggest you do the same :). -
SG-1100 24% of 7.0GiB - ufs
I try Undound Mode overnight:Unbound [21.05.1-RELEASE][xxx]/root: iostat -x extended device statistics device r/s w/s kr/s kw/s ms/r ms/w ms/o ms/t qlen %b flash/sp 0 0 0.0 0.0 2 0 0 2 0 0 mmcsd0 0 2 7.0 75.0 4 10 0 9 0 1 mmcsd0bo 0 0 0.0 0.0 0 0 0 0 0 0 mmcsd0bo 0 0 0.0 0.0 0 0 0 0 0 0 md0 0 0 0.0 0.0 0 0 0 0 0 0 Unbound python mode [21.05.1-RELEASE][xxx]/root: iostat -x extended device statistics device r/s w/s kr/s kw/s ms/r ms/w ms/o ms/t qlen %b flash/sp 0 0 0.0 0.0 2 0 0 2 0 0 mmcsd0 0 1 3.0 31.1 2 8 0 7 0 0 mmcsd0bo 0 0 0.0 0.0 0 0 0 0 0 0 mmcsd0bo 0 0 0.0 0.0 0 0 0 0 0 0 md0 0 0 0.0 0.0 0 0 0 0 0 0
It writes some more to the disk, so i got back to python mode this morning.