Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

Mon, 26 Dec 2016 08:15:18 -0800 

debbie10t <debbie...@gmail.com> on Sat, 2016/12/24 11:10:
> On 16/12/16 22:00, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> >
> > Different unit instances create and destroy the same RuntimeDirectory.
> > This leads to running instances where the status file (and possibly
> > more runtime data) is no longer accessible.
> >
> > So do not handle this in unit files but provide a tmpfiles.d
> > configuration and let systemd-tmpfiles do the work.
> > Nobody will (unintentionally) delete the directories and its content.
> > As /run is volatile we do not have to care about cleanup.
> >
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  distro/systemd/openvpn-client@.service | 2 --
> >  distro/systemd/openvpn-server@.service | 2 --
> >  distro/systemd/openvpn.conf            | 2 ++
> >  3 files changed, 2 insertions(+), 4 deletions(-)
> >  create mode 100644 distro/systemd/openvpn.conf
> >
> > diff --git a/distro/systemd/openvpn-client@.service
> > b/distro/systemd/openvpn-client@.service index 5618af3..1187ee8 100644
> > --- a/distro/systemd/openvpn-client@.service
> > +++ b/distro/systemd/openvpn-client@.service
> > @@ -9,8 +9,6 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-client
> > -RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/client
> >  ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config
> > %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW
> > CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE diff --git
> > a/distro/systemd/openvpn-server@.service
> > b/distro/systemd/openvpn-server@.service index b9b4dba..25a6bb7 100644
> > --- a/distro/systemd/openvpn-server@.service +++
> > b/distro/systemd/openvpn-server@.service @@ -9,8 +9,6 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-server
> > -RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/server
> >  ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> > --status-version 2 --suppress-timestamps --config %i.conf
> > CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE diff
> > --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf new
> > file mode 100644 index 0000000..bb79671 --- /dev/null
> > +++ b/distro/systemd/openvpn.conf
> > @@ -0,0 +1,2 @@
> > +d /run/openvpn-client 0710 root root -
> > +d /run/openvpn-server 0710 root root -
> >  
> 
> ACK
> 
> This works as expected from debian8/systemd 215 to arch/systemd 232

Great! Thanks for testing!

But I think this will not make its way into 2.4.0? Will we see this in
release/2.4 for a bugfix release?
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}

Attachment: pgpVpD5pqwYEy.pgp
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to