On 10.10.2017 at 15:31, David Sommerseth wrote:

Hi David,

> I did introduce LimitNPROC=10 to avoid a scenario where a faulty plug-in
> or script hook would spawn too many processes and overload the system in
> various ways. There are many reasons why this could happen, it could be
> a local issue or something triggered by user input (username, password) or
> in some really dark corner cases even certificate details could be
> abused to.
>
> The intention was to have this limit on a per unit file basis. But I
> clearly have overlooked that using the same username in multiple OpenVPN
> configuration files can cause challenges, as that limit is shared among
> all config clients.

I think another downside is that this limit is not enforced for processes running as root, which is probably the majority of cases.

> I can acknowledge that 10 processes might be too little. But I do think
> the potential DoS protection is valuable; and even Lennart Poettering
> does not recommend removing it [1]. So I think it can be increased, and
> then it should be documented better how to increase this manually by
> using 'systemctl edit openvpn-server@.service' and modifying this
> setting this way.
>
> Would a default of 30 or 50 processes be sufficient?

I'm still not sure how setting ulimit -u on a systemd service that runs as root, but might start several processes as non-root, actually works. ulimit -u seems to be a per-process thing, but counts processes globally. The only thing I can think of is that if process A has LimitNPROC=10, every time this process (directly or through a child) tries to create a new process with i.e. UID 1000, the system checks whether the total number of processes with UID 1000 on the whole system exceeds 10. If yes, that fork is denied. If another process had LimitNPROC=20 it would only be denied if more than 20 processes ran.

To me this knob seems useless.
It does not protect against a misbehaving plugin running as root, and its failure mode is quite surprising, since it depends on the UID this particular binary will be executed as and what other processes (totally unrelated to OpenVPN) are currently running on the same UID.

I think what we actually want is

    TasksMax=N
        Specify the maximum number of tasks that may be created in the
        unit. This ensures that the number of tasks accounted for the
        unit (see above) stays below a specific limit. This either takes
        an absolute number of tasks or a percentage value that is taken
        relative to the configured maximum number of tasks on the system.
        If assigned the special value "infinity", no tasks limit is
        applied. This controls the "pids.max" control group attribute.
        For details about this control group attribute, see pids.txt[6].

        Implies "TasksAccounting=true". The system default for this
        setting may be controlled with DefaultTasksMax= in
        systemd-system.conf(5).

I'm not sure about the consequences of TasksAccounting and there are only very few uses of it (https://codesearch.debian.net/search?q=TasksMax%3D&perpkg=1), but this looks like the thing we actually want.

Bernhard
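
A small audit of the point made in this thread, as an added example that is not part of the original mail or of OpenVPN's packaging: it flags units whose LimitNPROC= cannot act as a per-unit cap (running as root, or sharing User= with another unit) and units without an explicit TasksMax=. The unit contents and the names vpn-a.service and vpn-b.service are constructed for illustration.

```python
# Added example: audit unit-file text for the LimitNPROC pitfalls discussed above.
# All unit contents below are constructed samples, not the real OpenVPN units.
SAMPLE_UNITS = {
    "openvpn-server@.service": "[Service]\nLimitNPROC=10\n",
    "vpn-a.service": "[Service]\nUser=openvpn\nLimitNPROC=10\n",
    "vpn-b.service": "[Service]\nUser=openvpn\nLimitNPROC=10\nTasksMax=50\n",
}

def parse_service(unit_text):
    """Return the [Service] settings of a unit file as {key: last value}."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit_units(units):
    """units: {unit name: unit text}. Returns {unit name: [findings]}."""
    parsed = {name: parse_service(text) for name, text in units.items()}
    limited = {n: s for n, s in parsed.items()
               if s.get("LimitNPROC", "infinity") != "infinity"}
    findings = {}
    for name, svc in parsed.items():
        notes = []
        if name in limited:
            user = svc.get("User", "root")
            # RLIMIT_NPROC counts every process of the same real UID, so units
            # with the same User= draw on one shared budget.
            peers = sorted(n for n, s in limited.items()
                           if n != name and s.get("User", "root") == user)
            if user in ("root", "0"):
                notes.append("LimitNPROC=%s is not enforced while running as root"
                             % svc["LimitNPROC"])
            elif peers:
                notes.append("LimitNPROC=%s is shared with %s via User=%s"
                             % (svc["LimitNPROC"], ", ".join(peers), user))
        if "TasksMax" not in svc:
            # Without TasksMax= the per-unit cap comes from DefaultTasksMax=.
            notes.append("no explicit TasksMax=, per-unit cap comes from DefaultTasksMax=")
        findings[name] = notes
    return findings

if __name__ == "__main__":
    for unit, notes in audit_units(SAMPLE_UNITS).items():
        print(unit, notes)
```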