On 22/09/16 16:06, debbie10t wrote:
> On 22/09/16 14:40, Jan Just Keijser wrote:
>> On 22/09/16 15:07, debbie10t wrote:
>>> posting in devel because I am asking for clarification of what
>>> the source code really does.
>>> Re: https://forums.openvpn.net/viewtopic.php?f=30&t=22485
>>> Config: |--- server *normal stuff* log-append /tmp/openvpn.log
>>> I have just tried with Ubuntu1604 myself and observe that: (My
>>> basic config I added: --log /tmp/client1.log)
>>> 1. $ sudo systemctl start openvpn@client1 = log file *not*
>>>    created
>>> 2. $ sudo openvpn client1.conf = log file created
>>>    normally in /tmp
>>> Obviously, systemctl start openvpn@client1 appends more options
>>> when starting openvpn (in my hand written service the only
>>> addition is --daemon client1) So I presume that by daemonizing
>>> something changes with regard to writing the log file to /tmp
>>> Also note, in the forum post --daemon is used within the config
>>> I did grep -E "/tmp" src/openvpn/* and found some code in
>>> init.c (line 664) but it's all C, foo, bar to me (Sea food bar
>>> ;-) )
>>> Anyhoo, can anybody provide a brief and simple explanation ?
>>> Many thanks
>> most likely this, from 'man systemd.exec'
>> PrivateTmp= Takes a boolean argument. If true, sets up a new file
>> system namespace for the executed processes and mounts private
>> /tmp and /var/tmp directories inside it, that are not shared by
>> processes outside of the namespace. This is useful to secure
>> access to temporary files of the process, but makes sharing
>> between processes via /tmp or /var/tmp impossible. All temporary
>> data created by service will be removed after service is
>> stopped. Defaults to false.
>> thus, the output *is* logged to /tmp/openvpn.log but the problem
>> is that it's not in the /tmp you'd expect. There's nothing
>> OpenVPN can do about this, it's one of those weird idiosyncrasies
>> of systemd.
> Thanks JJK, this was *exactly* the problem .. I removed
> PrivateTmp=True from the unit file, (which I had overlooked)
> systemctl daemon-reload and systemctl start openvpn@client1 and the
> file appeared at /tmp/client1.log
Please do note that PrivateTmp is considered *security hardening*.
So removing this feature is actually not making things better. It is
generally far better to put log files where they belong, into /var/log.
OpenVPN Technologies, Inc
Openvpn-devel mailing list
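
An added example, not part of the thread or of OpenVPN: a small check that flags the situation discussed above, where a unit with PrivateTmp= enabled runs a config whose log or log-append path points into /tmp or /var/tmp. The file names, sample contents and function names are constructed for illustration, and only unquoted absolute log paths are handled.

```shell
#!/bin/sh
# Added example (not from the thread): will a systemd unit's PrivateTmp= hide
# the file named by OpenVPN's log/log-append option?

# Print "yes" if the unit file's last PrivateTmp= value is a systemd true boolean.
unit_private_tmp() {
    awk -F= '/^[ \t]*PrivateTmp[ \t]*=/ {
                 v = tolower($2); gsub(/[ \t]/, "", v)
                 last = (v == "true" || v == "yes" || v == "on" || v == "1") ? "yes" : "no"
             }
             END { print (last == "" ? "no" : last) }' "$1"
}

# Print the path given to log or log-append (last occurrence; unquoted paths only).
config_log_path() {
    awk '$1 == "log" || $1 == "log-append" { p = $2 } END { print p }' "$1"
}

# Return 1 when the log would land in the service's private /tmp or /var/tmp.
check_log_visibility() {   # args: UNIT_FILE OPENVPN_CONF
    logpath=$(config_log_path "$2")
    [ -n "$logpath" ] || { echo "no log option in $2"; return 0; }
    case "$logpath" in
        /tmp/*|/var/tmp/*)
            if [ "$(unit_private_tmp "$1")" = yes ]; then
                echo "hidden: $logpath is inside the unit's private namespace; log under /var/log"
                return 1
            fi ;;
    esac
    echo "visible: $logpath"
}

# Constructed sample files (hypothetical names and contents).
make_samples() {   # arg: DIR
    printf '[Service]\nPrivateTmp=true\n' > "$1/unit.service"
    printf 'client\nlog /tmp/client1.log\n' > "$1/tmp.conf"
    printf 'client\nlog /var/log/openvpn-client1.log\n' > "$1/varlog.conf"
}

demo=$(mktemp -d)
make_samples "$demo"
check_log_visibility "$demo/unit.service" "$demo/tmp.conf" || true
check_log_visibility "$demo/unit.service" "$demo/varlog.conf"
rm -rf "$demo"
```

The first call reports the /tmp log as hidden while PrivateTmp stays enabled; the second shows the same unit with the log moved under /var/log, which keeps the hardening in place.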