dnsdist: add opt-in fatal bind failures for console and webserver

Introduce opt-in fatal behavior when binding the webserver socket or
the control socket fails, to make startup failures visible to service
managers like systemd.
Expose the feature in both configuration styles:
- Lua: setConsoleBindFatal(bool), setWebserverBindFatal(bool)
- YAML: console.bind_fatal, webserver.bind_fatal

When enabled, dnsdist now exits with failure on bind exceptions for:
- control socket listeners
- webserver listeners

Wire the new settings through runtime configuration loading, Lua
configuration items, and YAML parsing, and add console completion
entries for both setters.
Update documentation with new config functions and behavior notes.

Add regression tests in test_BindFatal.py for Lua and YAML, validating:
- default/not set: bind failures are non-fatal
- explicit false: bind failures are non-fatal
- explicit true: bind failures are fatal at startup

Signed-off-by: b.courtois <b.courtois@criteo.com>

Author: Annih

pdns/dnsdistdist/dnsdist-configuration-yaml.cc

@@ -915,6 +915,7 @@ static void loadWebServer(const Context& context, const dnsdist::rust::settings:
     dnsdist::webserver::setMaxConcurrentConnections(webConfig.max_concurrent_connections);
     config.d_apiConfigDirectory = std::string(webConfig.api_configuration_directory);
     config.d_apiReadWrite = webConfig.api_read_write;
+    config.d_webserverBindFatal = webConfig.bind_fatal;
   });
 }
 
@@ -1037,6 +1038,7 @@ static void handleConsoleConfiguration(const dnsdist::rust::settings::ConsoleCon
         config.d_consoleACL.addMask(std::string(aclEntry));
       }
       B64Decode(std::string(consoleConf.key), config.d_consoleKey);
+      config.d_consoleBindFatal = consoleConf.bind_fatal;
     });
   }
 }

pdns/dnsdistdist/dnsdist-configuration.hh

@@ -181,6 +181,8 @@ struct RuntimeConfiguration
   bool d_allowEmptyResponse{false};
   bool d_dropEmptyQueries{false};
   bool d_consoleEnabled{false};
+  bool d_consoleBindFatal{false};
+  bool d_webserverBindFatal{false};
   bool d_logConsoleConnections{true};
   bool d_addEDNSToSelfGeneratedResponses{true};
   bool d_applyACLToProxiedClients{false};

pdns/dnsdistdist/dnsdist-console-completion.cc

@@ -239,6 +239,7 @@ static std::vector<dnsdist::console::completion::ConsoleKeyword> s_consoleKeywor
   {"setCacheCleaningPercentage", true, "num", "Set the percentage of the cache that the cache cleaning algorithm will try to free by removing expired entries. By default (100), all expired entries are remove"},
   {"setConsistentHashingBalancingFactor", true, "factor", "Set the balancing factor for bounded-load consistent hashing"},
   {"setConsoleACL", true, "{netmask, netmask}", "replace the console ACL set with these netmasks"},
+  {"setConsoleBindFatal", true, "enable", "whether a failure to bind the console control socket is fatal"},
   {"setConsoleConnectionsLogging", true, "enabled", "whether to log the opening and closing of console connections"},
   {"setConsoleMaximumConcurrentConnections", true, "max", "Set the maximum number of concurrent console connections"},
   {"setConsoleOutputMaxMsgSize", true, "messageSize", "set console message maximum size in bytes, default is 10 MB"},
@@ -309,6 +310,7 @@ static std::vector<dnsdist::console::completion::ConsoleKeyword> s_consoleKeywor
   {"setVerbose", true, "bool", "set whether log messages at the verbose level will be logged"},
   {"setVerboseHealthChecks", true, "bool", "set whether health check errors will be logged"},
   {"setVerboseLogDestination", true, "destination file", "Set a destination file to write the 'verbose' log messages to, instead of sending them to syslog and/or the standard output"},
+  {"setWebserverBindFatal", true, "enable", "whether a failure to bind a web server socket is fatal"},
   {"setWebserverConfig", true, "[{password=string, apiKey=string, customHeaders, statsRequireAuthentication, prometheusAddInstanceLabel=bool}]", "Updates webserver configuration"},
   {"setWeightedBalancingFactor", true, "factor", "Set the balancing factor for bounded-load weighted policies (whashed, wrandom)"},
   {"setWHashedPerturbation", true, "value", "Set the hash perturbation value to be used in the whashed policy instead of a random one, allowing to have consistent whashed results on different instance"},

pdns/dnsdistdist/dnsdist-lua-configuration-items.cc

@@ -75,7 +75,9 @@ static const std::map<std::string, BooleanConfigurationItems> s_booleanConfigIte
   {"setRoundRobinFailOnNoServer", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_roundrobinFailOnNoServer = newValue; }}},
   {"setDropEmptyQueries", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_dropEmptyQueries = newValue; }}},
   {"setAllowEmptyResponse", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_allowEmptyResponse = newValue; }}},
+  {"setConsoleBindFatal", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_consoleBindFatal = newValue; }}},
   {"setConsoleConnectionsLogging", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_logConsoleConnections = newValue; }}},
+  {"setWebserverBindFatal", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_webserverBindFatal = newValue; }}},
   {"setProxyProtocolApplyACLToProxiedClients", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_applyACLToProxiedClients = newValue; }}},
   {"setAddEDNSToSelfGeneratedResponses", {[](dnsdist::configuration::RuntimeConfiguration& config, bool newValue) { config.d_addEDNSToSelfGeneratedResponses = newValue; }}},
 };

pdns/dnsdistdist/dnsdist-lua.cc

@@ -1123,6 +1123,9 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
         g_outputBuffer = "Unable to bind to webserver socket on " + local.toStringWithPort() + ": " + e.what();
         SLOG(errlog("Unable to bind to webserver socket on %s: %s", local.toStringWithPort(), e.what()),
              getLogger("webserver")->error(Logr::Error, e.what(), "Error while trying to bind the web server socket", "network.local.address", Logging::Loggable(local)));
+        if (dnsdist::configuration::getCurrentRuntimeConfiguration().d_webserverBindFatal) {
+          _exit(EXIT_FAILURE);
+        }
       }
     }
   });
@@ -1243,6 +1246,9 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
         g_outputBuffer = "Unable to bind to control socket on " + local.toStringWithPort() + ": " + exp.what();
         SLOG(errlog("Unable to bind to control socket on %s: %s", local.toStringWithPort(), exp.what()),
              getLogger("controlSocket")->error(Logr::Error, exp.what(), "Unable to bind to console's control socket", "network.local.address", Logging::Loggable(local)));
+        if (dnsdist::configuration::getCurrentRuntimeConfiguration().d_consoleBindFatal) {
+          _exit(EXIT_FAILURE);
+        }
       }
     }
   });

pdns/dnsdistdist/dnsdist-settings-definitions.yml

@@ -466,6 +466,13 @@ webserver:
       type: "bool"
       default: "false"
       description: "Allow modifications via the API. Optionally saving these changes to disk. Modifications done via the API will not be written to the configuration by default and will not persist after a reload"
+    - name: "bind_fatal"
+      type: "bool"
+      default: "false"
+      lua-name: "setWebserverBindFatal"
+      internal-field-name: "d_webserverBindFatal"
+      runtime-configurable: true
+      description: "Whether a failure to bind a web server socket should be fatal"
 
 console:
   description: "Console-related settings"
@@ -503,6 +510,13 @@ console:
       internal-field-name: "d_consoleMaxConcurrentConnections"
       runtime-configurable: false
       description: "Set the maximum number of concurrent console connection"
+    - name: "bind_fatal"
+      type: "bool"
+      default: "false"
+      lua-name: "setConsoleBindFatal"
+      internal-field-name: "d_consoleBindFatal"
+      runtime-configurable: true
+      description: "Whether a failure to bind the console control socket should be fatal"
 
 ebpf_map:
   description: "An ``eBPF`` map that is used to share data with kernel-land ``AF_XDP``/``XSK``, ``socket filter`` or ``XDP`` programs. Maps can be pinned to a filesystem path, which makes their content persistent across restarts and allows external programs to read their content and to add new entries. :program:`dnsdist` will try to load maps that are pinned to a filesystem path on startups, inheriting any existing entries, and fall back to creating them if they do not exist yet. Note that the user :program`dnsdist` is running under must have the right privileges to read and write to the given file, and to go through all the directories in the path leading to that file. The pinned path must be on a filesystem of type ``BPF``, usually below ``/sys/fs/bpf/``"

pdns/dnsdistdist/dnsdist.cc

@@ -3553,6 +3553,9 @@ static ListeningSockets initListeningSockets()
     catch (const std::exception& exp) {
       SLOG(errlog("Unable to bind to control socket on %s: %s", local.toStringWithPort(), exp.what()),
            dnsdist::logging::getTopLogger("setup")->error(Logr::Error, exp.what(), "Unable to bind to console control socket", "network.local.address", Logging::Loggable(local)));
+      if (currentConfig.d_consoleBindFatal) {
+        _exit(EXIT_FAILURE);
+      }
     }
   }
 
@@ -3566,6 +3569,9 @@ static ListeningSockets initListeningSockets()
     catch (const std::exception& exp) {
       SLOG(errlog("Unable to bind to web server socket on %s: %s", local.toStringWithPort(), exp.what()),
            dnsdist::logging::getTopLogger("setup")->error(Logr::Error, exp.what(), "Unable to bind to web server socket", "network.local.address", Logging::Loggable(local)));
+      if (currentConfig.d_webserverBindFatal) {
+        _exit(EXIT_FAILURE);
+      }
     }
   }
 

pdns/dnsdistdist/docs/reference/config.rst

@@ -361,6 +361,14 @@ Control Socket, Console and Webserver
 
   Generate and print an encryption key.
 
+.. function:: setConsoleBindFatal(enable)
+
+  .. versionadded:: 2.2.0
+
+  Whether a failure to bind a console control socket is fatal.
+
+  :param bool enabled: Default to false.
+
 .. function:: setConsoleConnectionsLogging(enabled)
 
   Whether to log the opening and closing of console connections.
@@ -458,6 +466,14 @@ Webserver configuration
   :param bool allow: Set to true to allow modification through the API
   :param str dir: A valid directory where the configuration files will be written by the API.
 
+.. function:: setWebserverBindFatal(enable)
+
+  .. versionadded:: 2.2.0
+
+  Whether a failure to bind a web server socket is fatal.
+
+  :param bool enabled: Default to false.
+
 .. function:: setWebserverConfig(options)
 
   .. versionchanged:: 1.5.0