Hi,

--mlock does not seem to work for me..


Same server as below, started without --mlock works normally.


Same Server using --mlock fails.

Using latest git/master/openvpn:
2021-03-20 15:27:03 us=127228 OpenVPN 2.6_git [git:master/476990d41ad78ac4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 17 2021

Linux-Mint 20 Cinnamon - Kernel 5.4.0-67-generic

root@home:/etc/openvpn# ulimit
unlimited

Log snip:

2021-03-20 15:27:03 us=127228 OpenVPN 2.6_git [git:master/476990d41ad78ac4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 17 2021
2021-03-20 15:27:03 us=127251 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
2021-03-20 15:27:03 us=127595 mlock: MEMLOCK limit: soft=64 KB, hard=64 KB
2021-03-20 15:27:03 us=127614 mlock: RLIMIT_MEMLOCK < 100 MB, increase limit
2021-03-20 15:27:03 us=127630 ERROR: setrlimit() failed: Operation not permitted (errno=1)
2021-03-20 15:27:03 us=127642 Exiting due to fatal error


Systemd:
root@home:/etc/openvpn# systemd --version
systemd 245 (245.4-4ubuntu3.5)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

Custom unit:
# openvpn
#
# Custom systemd unit that starts a locally built OpenVPN binary, using the
# instance name (%i / %I) to select /etc/openvpn/<instance>.conf.
# --mlock is not on the ExecStart line below, so it is presumably set in that
# config file.

[Unit]
Description=OpenVPN service for %I
# Order after, and pull in, network-online.target so the network is up first.
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
# The daemon signals readiness to systemd itself (sd_notify).
Type=notify
# Sandboxing option left disabled in this custom unit.
#PrivateTmp=true
WorkingDirectory=/etc/openvpn
# Runs a binary built under /home/tct rather than a packaged one.
ExecStart=/home/tct/openvpn/master/src/openvpn/openvpn --status /etc/openvpn/tuns_12666u/temp/tuns_12666u_cpf_s3.sts --config /etc/openvpn/%i.conf
# The bounding set is the upper limit on capabilities the service can hold.
# CAP_IPC_LOCK (needed for mlock/mlockall) is present; CAP_SYS_RESOURCE is not.
# NOTE(review): on Linux, raising a hard rlimit needs CAP_SYS_RESOURCE, which
# appears consistent with the "setrlimit() failed: Operation not permitted"
# line in the log quoted with this unit.
# NOTE(review): CAP_DAC_OVERRIDE bypasses file permission checks and is the
# broadest capability in this list; confirm it is really required.
#My CAP set:
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
# Openvpn distro unit CAP set:
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
# NOTE(review): the next line looks like the tail of the commented-out line
# above, wrapped by the mail client; as written it has no '=' and systemd
# would presumably warn about or ignore it.
 CAP_AUDIT_WRITE
# Resource limits for the service. Only the process-count limit is set here;
# there is no LimitMEMLOCK= in this unit.
# NOTE(review): a service's rlimits come from the unit's Limit*= settings and
# the manager defaults, not from an interactive root shell, so the shell's
# `ulimit` output does not describe this service. The "soft=64 KB, hard=64 KB"
# MEMLOCK values in the log look like such a default. Setting LimitMEMLOCK= in
# this unit is the systemd way to raise it, and keeps CAP_SYS_RESOURCE out of
# the bounding set.
LimitNPROC=10
# Device access is allow-listed to these two nodes, read/write.
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
# Filesystem hardening left disabled in this custom unit.
# NOTE(review): ProtectHome=true would hide /home, where the ExecStart binary
# lives - presumably the reason it is commented out.
#ProtectSystem=true
#ProtectHome=true
# On stop only the main process is signalled; remaining processes in the
# unit's control group are left running.
KillMode=process
# Restart 5 seconds after an unclean exit (non-zero status, signal, timeout).
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target


