Monit to restart Unbound

Started by ciaduck, March 30, 2026, 08:01:33 AM

I'm trying to write a set of monit instructions to restart unbound if I start to see "SERVFAIL".
This condition seems to happen in my environment when there are WAN issues or there is a Multi-WAN failover.

It appears that "custom" creates a program service checker, but I'm unable to use the "content" keyword to check the output. The "content" rule type is giving an error that the service is not of type "file".

Monit docs say "content" is supported by the "program" service.
https://mmonit.com/monit/documentation/monit.html#PROGRAM-OUTPUT-CONTENT-TEST

In monit, I have a "service" called "dns_resolve_failure" that has the following config:
Type   Custom
Path   "/usr/bin/drill google.com"
Start  "/usr/local/sbin/configctl unbound start"
Stop   "/usr/local/sbin/configctl unbound stop"
Tests  "Nothing Selected"

I have a "service test" called "DNS_SERVFAIL" that looks like this:
Condition:  content = "SERVFAIL"
Action:     Restart

The service works fine, I can see the output of drill, but I'm unable to assign a "content" test to it.

I'm running OPNsense 25.7.11_9 currently.

I guess I could set up an "advanced" script in "/usr/local/etc/monit.opnsense.d/", but I was hoping I could do it through the GUI.

March 30, 2026, 09:10:52 AM #1 Last Edit: March 30, 2026, 09:26:50 AM by OPNenthu
Quote from: ciaduck on March 30, 2026, 08:01:33 AM
> The service works fine, I can see the output of drill, but I'm unable to assign a "content" test to it.

Not sure I fully understand the issue, but you can assign tests to a service by editing the service.  There's a 'Tests' field with a dropdown box where you can select one or more tests.

Is the issue that the tests aren't being listed?

EDIT: Now I get it.  I tried adding a 'content' type test to a 'custom' service and I see an error message from input validation: "Test <name> with type File Content not allowed for this service type."  It might be a GUI limitation or bug, if the Monit docs say it should be allowed.  You could try submitting a ticket to https://github.com/opnsense/core/issues
N5105 | 8/250GB | 4xi226-V | Community

March 30, 2026, 04:18:26 PM #2 Last Edit: March 30, 2026, 04:21:42 PM by ciaduck

https://imgur.com/a/opnsense-test-content-not-allowed-RrRdwPn
When clicking "save" I get the error on the field: "Test DNS_SERVFAIL with type File Content not allowed for this service type".

I haven't opened a bug ticket, but I took the time to write a custom monit rule file. It wasn't difficult. This suffices for now.

root@OPNsense:~ # cat /usr/local/etc/monit.opnsense.d/unbound.conf
check program unbound_servfail with path "/usr/bin/drill google.com" timeout 60 seconds
        start program = "/usr/local/sbin/configctl unbound start" with timeout 30 seconds
        stop program = "/usr/local/sbin/configctl unbound stop"
        if content = "SERVFAIL" then alert
        if content = "SERVFAIL" then restart
        if 5 restarts within 5 cycles then unmonitor

Thanks!
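An added example, not from the thread or from OPNsense: the same SERVFAIL check expressed as a wrapper script around drill, so the condition is reported through the exit status and monit's program "status" test (`if status != 0`) can act on it instead of the "content" test. The script path, the resolver address 127.0.0.1 and the sample drill outputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report the SERVFAIL condition through the
# exit status so monit's program "status" test can act on it, e.g.
#   check program unbound_servfail with path "/usr/local/bin/check_unbound.sh google.com"
#       if status != 0 then restart
# Exit codes: 0 = NOERROR answer, 2 = SERVFAIL seen, 3 = no usable reply.

# Constructed sample outputs in drill's header format, for offline testing.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4711'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4712'
SAMPLE_NOREPLY='Error: error sending query: Could not send or receive, because of network error'

# Classify one drill output read from stdin; the return code is the exit
# code described above. Matching "rcode: SERVFAIL" rather than the bare word
# avoids false positives on unrelated lines of the output.
classify_drill_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'rcode: SERVFAIL'; then
        return 2
    elif printf '%s\n' "$out" | grep -q 'rcode: NOERROR'; then
        return 0
    fi
    return 3
}

# Query the local resolver (assumed at 127.0.0.1, drill at /usr/bin/drill as in
# the thread) and classify the result. The pipeline's status is the classifier's.
run_check() {
    /usr/bin/drill "$1" @127.0.0.1 2>&1 | classify_drill_output
}

# Perform the live query only when a name is given on the command line, so
# that loading the file without arguments just defines the functions.
if [ $# -gt 0 ]; then
    run_check "$1"
    exit $?
fi
```

Monit only sees the exit code, so "alert" and "restart" actions stay in the monit stanza as in the thread's unbound.conf; the script just decides which code to return.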

Awesome :)

I tend to shy away from custom files because they aren't carried over in a config restore and can get lost, but when you need them you need them...
N5105 | 8/250GB | 4xi226-V | Community