Re: [Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd
On 02/12/16 02:45, debbie10t wrote:
[...snip...]
> My east.conf file:
>
> # cat server/east.conf
>
> ### TESTS
> #
> ## systemd enhancements: failed as expect
> ;bad-opt
>
> ## daemon: Did *not* fail when run from systemd service
> daemon vpn-srv-east

This is just as expected. Having --daemon in the config should not cause any failure. It should just drop trying to daemonize if it is detected that OpenVPN is started via systemd.

Look at init.c:930, possibly_become_daemon()

If sd_notify() returns a value > 0, then OpenVPN is started via systemctl - as sd_notify() has a communication channel with the service manager, and it will not try to daemonize. If sd_notify() returns 0, it means it doesn't know how to communicate with the service manager. And < 0, it means something bad happened. In both these cases, openvpn will daemonize as if it was not managed by systemd at all.

So your test showed that this worked just as expected :)

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
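The three return-value cases described above, as an added example that is not part of the thread and not OpenVPN's code: notify_probe() is a stand-in for sd_notify() written over plain POSIX datagram sockets (no libsystemd), honouring the same NOTIFY_SOCKET environment variable and the same >0 / 0 / <0 contract; would_daemonize() is the decision possibly_become_daemon() makes on top of it; scenario() builds each case under a throw-away socket path so the behaviour can be observed without systemd. The names notify_probe, would_daemonize, scenario, struct opts, last_probe and last_state are invented here, and abstract-namespace socket names (leading '@'), which the real sd_notify() accepts, are not handled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Example code, not OpenVPN's.  notify_probe() follows the sd_notify()
 * return-value contract the thread relies on, for filesystem socket paths:
 *   > 0  the message reached the socket named by NOTIFY_SOCKET
 *   = 0  NOTIFY_SOCKET is not set, i.e. nobody started us as Type=notify
 *   < 0  NOTIFY_SOCKET is set but delivery failed (-errno)
 * Like sd_notify(0, ...), it leaves NOTIFY_SOCKET in the environment. */
static int notify_probe(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || *path == '\0')
        return 0;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr.sun_path)
        return -ENAMETOOLONG;
    strcpy(addr.sun_path, path);

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    ssize_t n = sendto(fd, state, strlen(state), 0,
                       (const struct sockaddr *)&addr, sizeof addr);
    int saved = errno;
    close(fd);
    return n < 0 ? -saved : 1;
}

/* The subset of OpenVPN's options that possibly_become_daemon() consults. */
struct opts {
    int daemon;   /* --daemon given (config file or command line) */
    int inetd;    /* --inetd given; OpenVPN asserts this is off when daemonizing */
};

/* Mirrors the decision in possibly_become_daemon(): returns 1 if the process
 * would call daemon() and move to the background, 0 if it stays in the
 * foreground.  The probe result is handed back so a caller can log why. */
static int would_daemonize(const struct opts *o, int *probe)
{
    int r = notify_probe("READY=0");  /* READY=0 changes no state; it is only a ping */
    if (probe)
        *probe = r;
    if (r > 0)
        return 0;                    /* managed by a Type=notify unit: --daemon is skipped */
    if (o->daemon && !o->inetd)      /* r == 0 or r < 0: behave as if unmanaged */
        return 1;
    return 0;
}

/* Results of the last scenario() run, kept for inspection. */
static int last_probe;
static char last_state[64];

/* Builds one of the three situations under a throw-away socket path, with
 * --daemon set in the options, and returns would_daemonize()'s answer.
 *   which = 0  NOTIFY_SOCKET unset (plain command line start)
 *   which = 1  a manager is listening on NOTIFY_SOCKET
 *   which = 2  NOTIFY_SOCKET points at a path nobody listens on */
static int scenario(int which)
{
    char path[] = "/tmp/notify-demo-XXXXXX";
    struct opts o = { .daemon = 1, .inetd = 0 };
    int listener = -1;

    last_state[0] = '\0';
    unsetenv("NOTIFY_SOCKET");
    if (which != 0) {
        int tmp = mkstemp(path);       /* borrow a unique name for the socket */
        if (tmp < 0)
            return -1;
        close(tmp);
        unlink(path);
        if (which == 1) {
            struct sockaddr_un addr;
            memset(&addr, 0, sizeof addr);
            addr.sun_family = AF_UNIX;
            strcpy(addr.sun_path, path);
            listener = socket(AF_UNIX, SOCK_DGRAM, 0);
            if (listener < 0 || bind(listener, (struct sockaddr *)&addr, sizeof addr) < 0)
                return -1;
        }
        setenv("NOTIFY_SOCKET", path, 1);
    }

    int rc = would_daemonize(&o, &last_probe);

    if (listener >= 0) {
        ssize_t n = recv(listener, last_state, sizeof last_state - 1, MSG_DONTWAIT);
        last_state[n > 0 ? n : 0] = '\0';
        close(listener);
        unlink(path);
    }
    unsetenv("NOTIFY_SOCKET");
    return rc;
}

int main(void)
{
    static const char *names[] = { "no NOTIFY_SOCKET", "manager listening", "dead socket path" };
    for (int which = 0; which < 3; which++) {
        int rc = scenario(which);
        printf("%-18s probe=%d -> %s\n", names[which], last_probe,
               rc ? "daemonize" : "stay in foreground");
    }
    return 0;
}
```

The "dead socket path" case is the one worth keeping in mind when debugging a unit that misbehaves: the probe comes back negative, the process falls through to the normal daemon() path exactly as if it had been started by hand, and the only evidence is the error code the probe returned, which the patch under discussion does not log.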
Re: [Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd
Gutted .. I have to step in here NOW and say that this did not work for me.

I applied to the current (as of this email) git master:
* Use systemd service manager notification
* The patch below
* No others.

- then
$ autoreconf -ivf
$ ./configure --enable-systemd
$ make
# make uninstall
# make install

I then used the systemd unit from
b/src/distro/systemd/openvpn-server@.service
copied and renamed to my conf file as
/etc/systemd/system/openvpn-server@east.service

systemctl'd to the correct unit file:
# ls -l /etc/systemd/system/multi-user.target.wants
total ..
lrwxrwxrwx 1 root root 47 Dec 1 15:56 openvpn-server@east.service -> /etc/systemd/system/openvpn-server@east.service

changed the unit file as below:
# cat /etc/systemd/system/openvpn-server@east.service
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
RuntimeDirectory=openvpn-server
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/server
# Not using 2.3.x
#ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
# Do not like --supress-timestamps
#ExecStart=/usr/local/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
# Using this
ExecStart=/usr/local/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

My east.conf file:
# cat server/east.conf

### TESTS
#
## systemd enhancements: failed as expect
;bad-opt

## daemon: Did *not* fail when run from systemd service
daemon vpn-srv-east

server 10.25.25.0 255.255.255.248
server-ipv6 12fc:1918::10:25:25:0:0/112
push "setenv-safe PUSH_east arch"
keepalive 10 30
push "comp-lzo no"
comp-lzo no
push "explicit-exit-notify 3"
client-config-dir /etc/openvpn/server/east/ccd
ccd-exclusive
log /etc/openvpn/server/east/temp/east.log
verb 4
management 127.0.0.1 10025
dev tun25s
port 10025
cipher AES-256-CBC
auth RSA-SHA512
# cert/key stuff ...

Then:
# systemctl daemon-reload
# systemctl start openvpn-server@east

** Openvpn started but should have failed **

Just for the hell of it
# nano b/src/openvpn/init.c

/*
 * Should we become a daemon?
 * Return true if we did it.
 */
bool
possibly_become_daemon (const struct options *options)
{
  bool ret = false;

#ifdef ENABLE_SYSTEMD
  /* return without forking if we are running from systemd */
  if (sd_notify(0, "READY=0") > 0)
    return ret;
#endif

  if (options->daemon)
    {
      ASSERT (!options->inetd);
      /* Don't chdir immediately, but the end of the init sequence, if needed */
      if (daemon (1, options->log) < 0)
        msg (M_ERR, "daemon() failed or unsupported");
      restore_signal_state ();
      if (options->log)
[ line 921/4014 (22%), col 1/3 (33%), char 22889/106307 (21%) ]

- I have probably done something wrong but could not sleep without letting someone know!

Regards

On 01/12/16 21:31, Christian Hesse wrote:
> From: Christian Hesse
>
> We start with systemd Type=notify, so refuse to daemonize. This does not
> affect starting openvpn from script or command line.
>
> v2: Update commit message about script and command line.
>
> Signed-off-by: Christian Hesse
> ---
>  distro/systemd/openvpn-client@.service | 1 -
>  distro/systemd/openvpn-server@.service | 1 -
>  src/openvpn/init.c                     | 7 +++
>  3 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-client@.service
> index f64a239..5618af3 100644
> --- a/distro/systemd/openvpn-client@.service
> +++ b/distro/systemd/openvpn-client@.service
> @@ -12,7 +12,6 @@ PrivateTmp=true > RuntimeDirectory=openvpn-client > RuntimeDirectoryMode=0710 > WorkingDirectory=/etc/openvpn/client > -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && > /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being > managed by systemd" ; exit 1' > ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf > CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID > CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE > LimitNPROC=10 > diff --git a/distro/systemd/openvpn-server@.service > b/distro/systemd/openvpn-server@.service > index 890e6a9..b9b4dba 100644 > --- a/distro/systemd/openvpn-server@.service > +++
[Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd
From: Christian Hesse

We start with systemd Type=notify, so refuse to daemonize. This does not
affect starting openvpn from script or command line.

v2: Update commit message about script and command line.

Signed-off-by: Christian Hesse
---
 distro/systemd/openvpn-client@.service | 1 -
 distro/systemd/openvpn-server@.service | 1 -
 src/openvpn/init.c                     | 7 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-client@.service index f64a239..5618af3 100644 --- a/distro/systemd/openvpn-client@.service +++ b/distro/systemd/openvpn-client@.service @@ -12,7 +12,6 @@ PrivateTmp=true RuntimeDirectory=openvpn-client RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/client -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10
diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-server@.service index 890e6a9..b9b4dba 100644 --- a/distro/systemd/openvpn-server@.service +++ b/distro/systemd/openvpn-server@.service @@ -12,7 +12,6 @@ PrivateTmp=true RuntimeDirectory=openvpn-server RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/server -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f99c934..74f1139 100644
--- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -930,6 +930,13 @@ bool possibly_become_daemon (const struct options *options) { bool ret = false; + +#ifdef ENABLE_SYSTEMD + /* return without forking if we are running from systemd */ + if (sd_notify(0, "READY=0") > 0) +return ret; +#endif + if (options->daemon) { ASSERT (!options->inetd); -- 2.10.2
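Review bot: the ExecStartPre deletion in openvpn-client@.service is only safe together with the init.c hunk, since it removes the one thing that rejected a `daemon` line in %i.conf; say so in the commit message so the two parts are not cherry-picked apart. It is also worth spelling out why the move is an improvement: `grep -q -E ^daemon %i.conf` matched only a `daemon` keyword at the start of a line in that one file, so an indented line, a file pulled in with `config`, or --daemon on the command line slipped past it, while the sd_notify() check in the binary sees the option however it was set.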
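Review bot: the openvpn-server@.service hunk is the same deletion as in the client unit and the same comment applies; the commit message should mention that both units lose the guard. Nothing else changes here: ExecStart, the CapabilityBoundingSet line and LimitNPROC are untouched context.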
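Review bot: what the init.c hunk does is ignore --daemon, not refuse it, which contradicts the subject line and the message the removed ExecStartPre used to print ("OpenVPN configuration cannot contain --daemon when being managed by systemd"). `if (sd_notify(0, "READY=0") > 0) return ret;` returns before options->daemon is consulted, so a config that still carries `daemon` starts silently in the foreground and the admin gets no hint. Suggest either a one-line msg() at M_INFO when options->daemon is set and the probe succeeds (msg() is already used a few lines further down in this function for the daemon() failure), or rewording the subject and commit message to say the option is ignored under systemd. The fall-through cases deserve a line too: a return of 0 (no notify socket) and a return < 0 (socket present but delivery failed) both take the normal daemon() path, and the < 0 case is exactly the one where the service manager is left waiting on a process that has just forked away, so logging the negative return value there would make that failure diagnosable.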
[Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd
From: Christian Hesse

We start with systemd Type=notify, so refuse to daemonize. This does not
affect starting openvpn from script or command line.

Signed-off-by: Christian Hesse
---
 distro/systemd/openvpn-client@.service | 1 -
 distro/systemd/openvpn-server@.service | 1 -
 src/openvpn/init.c                     | 7 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-client@.service b/distro/systemd/openvpn-client@.service index f64a239..5618af3 100644 --- a/distro/systemd/openvpn-client@.service +++ b/distro/systemd/openvpn-client@.service @@ -12,7 +12,6 @@ PrivateTmp=true RuntimeDirectory=openvpn-client RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/client -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10
diff --git a/distro/systemd/openvpn-server@.service b/distro/systemd/openvpn-server@.service index 890e6a9..b9b4dba 100644 --- a/distro/systemd/openvpn-server@.service +++ b/distro/systemd/openvpn-server@.service @@ -12,7 +12,6 @@ PrivateTmp=true RuntimeDirectory=openvpn-server RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/server -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index aea3590..63a5fee 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -926,6 +926,13 @@ bool possibly_become_daemon (const struct options *options) { bool ret = false; + +#ifdef ENABLE_SYSTEMD + /* return without forking if we are running from systemd */ + if (sd_notify(0, "READY=0") > 0) +return ret; +#endif + if (options->daemon) { ASSERT (!options->inetd); -- 2.10.2
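Review bot: the probe call `sd_notify(0, "READY=0")` in the init.c hunk deserves a comment explaining both arguments, because each looks like a mistake to a later reader. The first argument 0 is unset_environment=false: NOTIFY_SOCKET must stay in the environment so the real READY=1 can still be sent once initialization completes, and changing it to 1 would break the service manager notification this series adds. The state string "READY=0" is deliberately inert (the manager acts only on READY=1), so the call changes nothing on the systemd side and is used purely for its return value. Two lines of comment next to the #ifdef would stop a well-meaning cleanup from "fixing" either.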