Bug#763411: systemctl reload openvpn.service fails under systemd

2014-10-01 Thread Alberto Gonzalez Iniesta
On Tue, Sep 30, 2014 at 01:46:43PM +0200, Alberto Gonzalez Iniesta wrote:
 On Tue, Sep 30, 2014 at 01:16:07PM +0200, Michael Biebl wrote:
  On 30.09.2014 at 13:00, Alberto Gonzalez Iniesta wrote:
   On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:
  
   Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process 
   exited, code=exited, status=1/FAILURE
   Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered 
   failed state.
  
   So maybe openvpn@.service doesn't actually support reload and should be
   removed there? If not, this failure on reload should probably be tracked
   as a separate issue.
   
   It's working for me now. Maybe you are using --user without
   --persistent-foo and the reload fails? I tested with some of my configs
   (not using --user) and it works fine.
  
  
  user nobody
  group nogroup
  # http://openvpn.net/howto.html#mitm
  remote-cert-tls server
 
 Any relevant entry in the logs?

Hi Michael,

As I suspected the use of --user is the cause of your reload problems.
In my tests I had to change the ownership of /run/openvpn to nobody (in
order for openvpn to be able to write the status file). You can make
that change permanent in /usr/lib/tmpfiles.d/openvpn.conf. You may also
need persist-local-ip and persist-remote-ip, plus verify nobody user
has access to the key file. I'm closing this bug (reload of openvpn
service due to missing ExecReload with the upload of the fixed package).
Feel free to open a different one for this other issue if you want.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta     | Training, consulting and technical support
mailto/sip: a...@inittab.org | for GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
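
Added example, not part of the thread and not code from the openvpn package: a shell check that reports, for one config, the conditions raised in the message above (privilege drop via user, the persist-* options mentioned, and who owns the status directory). The function names are hypothetical, the sample config is constructed from directives posted in this thread, and a temporary directory stands in for /run/openvpn.

```shell
#!/bin/sh
# Added example: list the reload-related conditions discussed in the thread
# for one OpenVPN config. It only reports; it changes nothing.

# True if NAME ($2) is an active (uncommented) directive in config FILE ($1).
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print the first argument of directive NAME ($2) in FILE ($1).
directive_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print the owner of a path as reported by ls.
path_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# reload_findings CONF STATUS_DIR
# One finding per line; no output means none of the conditions apply.
reload_findings() {
    conf=$1 status_dir=$2
    # Without "user" the daemon is still root when SIGHUP arrives.
    has_directive "$conf" user || return 0
    run_as=$(directive_arg "$conf" user)
    echo "drops-privileges:$run_as"
    # persist-key/persist-tun appear in the posted config; persist-local-ip
    # and persist-remote-ip are the ones the maintainer says may be needed.
    for opt in persist-key persist-tun persist-local-ip persist-remote-ip; do
        has_directive "$conf" "$opt" || echo "missing:$opt"
    done
    # The maintainer had to give the status directory to the unprivileged
    # user so that the status file could be written.
    owner=$(path_owner "$status_dir")
    [ "$owner" = "$run_as" ] || echo "status-dir-owner:$owner"
    return 0
}

# Constructed demo: directives taken from the failing config in this thread.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' client 'dev tap' persist-key persist-tun \
        'user nobody' 'group nogroup' > "$tmp/mypi.conf"
    reload_findings "$tmp/mypi.conf" "$tmp"
    rm -rf "$tmp"
}
demo
```

On a real host the second argument would be /run/openvpn, the directory used by --status in the unit's ExecStart line.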




2014-09-30 Thread Alberto Gonzalez Iniesta
On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:
 # systemctl reload openvpn.service 
 Failed to reload openvpn.service: Job type reload is not applicable for
 unit openvpn.service.
 
 The problem here is that ExecReload= needs to be set explicitly for
 services which support that.

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/bin/true
 ExecReload=/bin/true
 
 With that change, I can run systemctl reload openvpn.service and my
 instanced services are reloaded.

Hi Michael,

Thanks for the report. I have changed the service file as you suggested.

 But here I've stumbled into another issue: A systemctl reload
 openvpn@foo.service kills the service:
 
 # systemctl status openvpn@mypi.service
 ● openvpn@mypi.service - OpenVPN connection to mypi
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
Active: active (running) since Di 2014-09-30 02:16:53 CEST; 5s ago
   Process: 31269 ExecReload=/bin/kill -HUP $MAINPID (code=exited, 
 status=0/SUCCESS)
   Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status 
 /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf 
 (code=exited, status=0/SUCCESS)
  Main PID: 31545 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@mypi.service
└─31545 /usr/sbin/openvpn --daemon ovpn-mypi --status 
 /run/openvpn/mypi.status 10 --cd /etc/openvpn --config /etc/openvpn/mypi.conf
 
 # systemctl reload openvpn@mypi.service
 # systemctl status openvpn@mypi.service
 ● openvpn@mypi.service - OpenVPN connection to mypi
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
Active: failed (Result: exit-code) since Di 2014-09-30 02:17:30 CEST; 2s 
 ago
   Process: 31652 ExecReload=/bin/kill -HUP $MAINPID (code=exited, 
 status=0/SUCCESS)
   Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status 
 /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf 
 (code=exited, status=0/SUCCESS)
  Main PID: 31545 (code=exited, status=1/FAILURE)
 
 Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, 
 code=exited, status=1/FAILURE
 Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed 
 state.
 
 So maybe openvpn@.service doesn't actually support reload and should be
 removed there? If not, this failure on reload should probably be tracked
 as a separate issue.

It's working for me now. Maybe you are using --user without
--persistent-foo and the reload fails? I tested with some of my configs
(not using --user) and it works fine.

Regards,

Alberto





2014-09-30 Thread Michael Biebl
On 30.09.2014 at 13:00, Alberto Gonzalez Iniesta wrote:
 On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:

 Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, 
 code=exited, status=1/FAILURE
 Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed 
 state.

 So maybe openvpn@.service doesn't actually support reload and should be
 removed there? If not, this failure on reload should probably be tracked
 as a separate issue.
 
 It's working for me now. Maybe you are using --user without
 --persistent-foo and the reload fails? I tested with some of my configs
 (not using --user) and it works fine.


client
remote foo.bar.com
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
comp-lzo yes
dev tap
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup
# http://openvpn.net/howto.html#mitm
remote-cert-tls server


This is the openvpn config I use which fails.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?






2014-09-30 Thread Alberto Gonzalez Iniesta
On Tue, Sep 30, 2014 at 01:16:07PM +0200, Michael Biebl wrote:
 On 30.09.2014 at 13:00, Alberto Gonzalez Iniesta wrote:
  On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:
 
  Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process 
  exited, code=exited, status=1/FAILURE
  Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed 
  state.
 
  So maybe openvpn@.service doesn't actually support reload and should be
  removed there? If not, this failure on reload should probably be tracked
  as a separate issue.
  
  It's working for me now. Maybe you are using --user without
  --persistent-foo and the reload fails? I tested with some of my configs
  (not using --user) and it works fine.
 
 
 client
 remote foo.bar.com
 ca /path/to/ca.crt
 cert /path/to/client.crt
 key /path/to/client.key
 comp-lzo yes
 dev tap
 proto udp
 nobind
 auth-nocache
 script-security 2
 persist-key
 persist-tun
 user nobody
 group nogroup
 # http://openvpn.net/howto.html#mitm
 remote-cert-tls server

Any relevant entry in the logs?







2014-09-29 Thread Michael Biebl
Package: openvpn
Version: 2.3.4-1
Severity: normal

Hi,

/lib/systemd/system/openvpn.service contains
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/bin/true

When I try to reload openvpn.service, I get:

# systemctl reload openvpn.service 
Failed to reload openvpn.service: Job type reload is not applicable for
unit openvpn.service.

The problem here is that ExecReload= needs to be set explicitly for
services which support that.

I noticed that openvpn.service is only a helper service to
restart/reload the openvpn@.service instances, which do support Reload.

Also, the ExecStop= line is not actually necessary, as this will be
defined by default and only needs to be overwritten if the stop action
needs to do something special (which is not the case here).
So maybe what you want instead is something like this:

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true

With that change, I can run systemctl reload openvpn.service and my
instanced services are reloaded.

But here I've stumbled into another issue: A systemctl reload
openvpn@foo.service kills the service:

# systemctl status openvpn@mypi.service
● openvpn@mypi.service - OpenVPN connection to mypi
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
   Active: active (running) since Di 2014-09-30 02:16:53 CEST; 5s ago
  Process: 31269 ExecReload=/bin/kill -HUP $MAINPID (code=exited, 
status=0/SUCCESS)
  Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status 
/run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf 
(code=exited, status=0/SUCCESS)
 Main PID: 31545 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@mypi.service
   └─31545 /usr/sbin/openvpn --daemon ovpn-mypi --status 
/run/openvpn/mypi.status 10 --cd /etc/openvpn --config /etc/openvpn/mypi.conf

# systemctl reload openvpn@mypi.service
# systemctl status openvpn@mypi.service
● openvpn@mypi.service - OpenVPN connection to mypi
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
   Active: failed (Result: exit-code) since Di 2014-09-30 02:17:30 CEST; 2s ago
  Process: 31652 ExecReload=/bin/kill -HUP $MAINPID (code=exited, 
status=0/SUCCESS)
  Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status 
/run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf 
(code=exited, status=0/SUCCESS)
 Main PID: 31545 (code=exited, status=1/FAILURE)

Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, 
code=exited, status=1/FAILURE
Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed 
state.

So maybe openvpn@.service doesn't actually support reload and should be
removed there? If not, this failure on reload should probably be tracked
as a separate issue.

Cheers,
Michael


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.53
ii  initscripts            2.88dsf-53.4
ii  iproute2               3.16.0-2
ii  libc6                  2.19-11
ii  liblzo2-2              2.08-1
ii  libpam0g               1.1.8-3.1
ii  libpkcs11-helper1      1.11-2
ii  libssl1.0.0            1.0.1i-2

Versions of packages openvpn recommends:
pn  easy-rsa  none

Versions of packages openvpn suggests:
ii  openssl 1.0.1i-2
pn  resolvconf  none

-- Configuration Files:
/etc/default/openvpn changed [not included]

-- debconf information excluded

