Bug#763411: systemctl reload openvpn.service fails under systemd
On Tue, Sep 30, 2014 at 01:46:43PM +0200, Alberto Gonzalez Iniesta wrote:
> On Tue, Sep 30, 2014 at 01:16:07PM +0200, Michael Biebl wrote:
> > On 30.09.2014 at 13:00, Alberto Gonzalez Iniesta wrote:
> > > On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:
> > > > Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, code=exited, status=1/FAILURE
> > > > Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed state.
> > > >
> > > > So maybe openvpn@.service doesn't actually support reload and should be
> > > > removed there?
> > > > If not, this failure on reload should probably be tracked as a separate
> > > > issue.
> > >
> > > It's working for me now. Maybe you are using --user without
> > > --persistent-foo and the reload fails? I tested with some of my configs
> > > (not using --user) and it works fine.
> >
> > user nobody
> > group nogroup
> > # http://openvpn.net/howto.html#mitm
> > remote-cert-tls server
>
> Any relevant entry in the logs?

Hi Michael,

As I suspected the use of --user is the cause of your reload problems. In my tests I had to change the ownership of /run/openvpn to nobody (in order for openvpn to be able to write the status file). You can make that change permanent in /usr/lib/tmpfiles.d/openvpn.conf.

You may also need persist-local-ip and persist-remote-ip, plus verify nobody user has access to the key file.

I'm closing this bug (reload of openvpn service due to missing ExecReload with the upload of the fixed package). Feel free to open a different one for this other issue if you want.

Regards,

Alberto

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
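A pre-flight check for the two conditions this thread ties to the failed reload: `user` set without `persist-key`/`persist-tun`, and a status directory that is not owned by the unprivileged user. This is an added example, not part of the original messages or of the Debian package; the function names are hypothetical, and directory ownership is used as a stand-in for write access.

```shell
#!/bin/sh
# Added example: lint an OpenVPN config for the conditions this thread
# associates with a failing "systemctl reload" after a privilege drop.

# Print the first argument of directive $2 in config $1 (empty if absent).
directive_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeed if directive $2 appears (uncommented) in config $1.
has_directive() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# check_reload_safe CONFIG STATUS_DIR
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_reload_safe() {
    conf=$1 status_dir=$2 findings=0
    run_as=$(directive_arg "$conf" user)
    # No "user" directive: the case discussed in the thread does not apply.
    [ -n "$run_as" ] || return 0
    for opt in persist-key persist-tun; do
        if ! has_directive "$conf" "$opt"; then
            echo "user $run_as is set but $opt is missing"
            findings=$((findings + 1))
        fi
    done
    # The unit passes --status /run/openvpn/%i.status; the daemon must be
    # able to write that file while running as $run_as.
    # Assumption: directory ownership stands in for write access.
    owner=$(ls -ld "$status_dir" | awk '{ print $3 }')
    if [ "$owner" != "$run_as" ]; then
        echo "$status_dir is owned by $owner, not $run_as"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: options taken from the failing config in the thread,
# with a scratch directory standing in for /run/openvpn.
demo() {
    d=$(mktemp -d)
    printf '%s\n' client persist-key persist-tun 'user nobody' \
        'group nogroup' > "$d/mypi.conf"
    check_reload_safe "$d/mypi.conf" "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "findings above: fix before relying on systemctl reload"
```

On a real host the call would be `check_reload_safe /etc/openvpn/mypi.conf /run/openvpn`, using the paths from the unit file quoted in the thread.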
Bug#763411: systemctl reload openvpn.service fails under systemd
On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:
> # systemctl reload openvpn.service
> Failed to reload openvpn.service: Job type reload is not applicable for unit openvpn.service.
>
> The problem here is, that ExecReload= needs to be set explicitly for
> services which support that.
>
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> ExecStart=/bin/true
> ExecReload=/bin/true
>
> With that change, I can run systemctl reload openvpn.service and my
> instanced services are reloaded.

Hi Michael,

Thanks for the report. I have changed the service file as you suggested.

> But here I've stumbled into another issue:
> A systemctl reload openvpn@foo.service kills the service:
>
> # systemctl status openvpn@mypi.service
> ● openvpn@mypi.service - OpenVPN connection to mypi
>    Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
>    Active: active (running) since Di 2014-09-30 02:16:53 CEST; 5s ago
>   Process: 31269 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
>   Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
>  Main PID: 31545 (openvpn)
>    CGroup: /system.slice/system-openvpn.slice/openvpn@mypi.service
>            └─31545 /usr/sbin/openvpn --daemon ovpn-mypi --status /run/openvpn/mypi.status 10 --cd /etc/openvpn --config /etc/openvpn/mypi.conf
>
> # systemctl reload openvpn@mypi.service
> # systemctl status openvpn@mypi.service
> ● openvpn@mypi.service - OpenVPN connection to mypi
>    Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
>    Active: failed (Result: exit-code) since Di 2014-09-30 02:17:30 CEST; 2s ago
>   Process: 31652 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
>   Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
>  Main PID: 31545 (code=exited, status=1/FAILURE)
>
> Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, code=exited, status=1/FAILURE
> Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed state.
>
> So maybe openvpn@.service doesn't actually support reload and should be
> removed there?
> If not, this failure on reload should probably be tracked as a separate
> issue.

It's working for me now. Maybe you are using --user without --persistent-foo and the reload fails? I tested with some of my configs (not using --user) and it works fine.

Regards,

Alberto

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#763411: systemctl reload openvpn.service fails under systemd
On 30.09.2014 at 13:00, Alberto Gonzalez Iniesta wrote:
> On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:
> > Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, code=exited, status=1/FAILURE
> > Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed state.
> >
> > So maybe openvpn@.service doesn't actually support reload and should be
> > removed there?
> > If not, this failure on reload should probably be tracked as a separate
> > issue.
>
> It's working for me now. Maybe you are using --user without
> --persistent-foo and the reload fails? I tested with some of my configs
> (not using --user) and it works fine.

    client
    remote foo.bar.com
    ca /path/to/ca.crt
    cert /path/to/client.crt
    key /path/to/client.key
    comp-lzo yes
    dev tap
    proto udp
    nobind
    auth-nocache
    script-security 2
    persist-key
    persist-tun
    user nobody
    group nogroup
    # http://openvpn.net/howto.html#mitm
    remote-cert-tls server

This is the openvpn config I use which fails.

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#763411: systemctl reload openvpn.service fails under systemd
On Tue, Sep 30, 2014 at 01:16:07PM +0200, Michael Biebl wrote:
> On 30.09.2014 at 13:00, Alberto Gonzalez Iniesta wrote:
> > On Tue, Sep 30, 2014 at 02:18:54AM +0200, Michael Biebl wrote:
> > > Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, code=exited, status=1/FAILURE
> > > Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed state.
> > >
> > > So maybe openvpn@.service doesn't actually support reload and should be
> > > removed there?
> > > If not, this failure on reload should probably be tracked as a separate
> > > issue.
> >
> > It's working for me now. Maybe you are using --user without
> > --persistent-foo and the reload fails? I tested with some of my configs
> > (not using --user) and it works fine.
>
> client
> remote foo.bar.com
> ca /path/to/ca.crt
> cert /path/to/client.crt
> key /path/to/client.key
> comp-lzo yes
> dev tap
> proto udp
> nobind
> auth-nocache
> script-security 2
> persist-key
> persist-tun
> user nobody
> group nogroup
> # http://openvpn.net/howto.html#mitm
> remote-cert-tls server

Any relevant entry in the logs?

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
mailto/sip: a...@inittab.org | in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
Bug#763411: systemctl reload openvpn.service fails under systemd
Package: openvpn
Version: 2.3.4-1
Severity: normal

Hi,

/lib/systemd/system/openvpn.service contains

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/bin/true
    ExecStop=/bin/true

When I try to reload openvpn.service, I get:

    # systemctl reload openvpn.service
    Failed to reload openvpn.service: Job type reload is not applicable for unit openvpn.service.

The problem here is, that ExecReload= needs to be set explicitly for services which support that.

I noticed, that openvpn.service is only a helper service to restart/reload the openvpn@.service instances, which do support Reload.

Also, the ExecStop= line is not actually necessary, as this will be defined by defined and only needs to be overwritten if the stop action needs to do something special (which is not the case here).

So maybe what you want instead is something like this:

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/bin/true
    ExecReload=/bin/true

With that change, I can run systemctl reload openvpn.service and my instanced services are reloaded.

But here I've stumbled into another issue:
A systemctl reload openvpn@foo.service kills the service:

    # systemctl status openvpn@mypi.service
    ● openvpn@mypi.service - OpenVPN connection to mypi
       Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
       Active: active (running) since Di 2014-09-30 02:16:53 CEST; 5s ago
      Process: 31269 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
      Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
     Main PID: 31545 (openvpn)
       CGroup: /system.slice/system-openvpn.slice/openvpn@mypi.service
               └─31545 /usr/sbin/openvpn --daemon ovpn-mypi --status /run/openvpn/mypi.status 10 --cd /etc/openvpn --config /etc/openvpn/mypi.conf

    # systemctl reload openvpn@mypi.service
    # systemctl status openvpn@mypi.service
    ● openvpn@mypi.service - OpenVPN connection to mypi
       Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
       Active: failed (Result: exit-code) since Di 2014-09-30 02:17:30 CEST; 2s ago
      Process: 31652 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
      Process: 31544 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
     Main PID: 31545 (code=exited, status=1/FAILURE)

    Sep 30 02:17:30 pluto systemd[1]: openvpn@mypi.service: main process exited, code=exited, status=1/FAILURE
    Sep 30 02:17:30 pluto systemd[1]: Unit openvpn@mypi.service entered failed state.

So maybe openvpn@.service doesn't actually support reload and should be removed there?
If not, this failure on reload should probably be tracked as a separate issue.

Cheers,
Michael

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.53
ii  initscripts            2.88dsf-53.4
ii  iproute2               3.16.0-2
ii  libc6                  2.19-11
ii  liblzo2-2              2.08-1
ii  libpam0g               1.1.8-3.1
ii  libpkcs11-helper1      1.11-2
ii  libssl1.0.0            1.0.1i-2

Versions of packages openvpn recommends:
pn  easy-rsa  none

Versions of packages openvpn suggests:
ii  openssl     1.0.1i-2
pn  resolvconf  none

-- Configuration Files:
/etc/default/openvpn changed [not included]

-- debconf information excluded