Re: [Openvpn-devel] Using --mlock and --user makes openvpn "run out of memory"

2012-10-11 Thread Eric Crist
If this is of importance to you, there are two courses of action.  First, 
please create a ticket on the OpenVPN community trac.  Please be as detailed as 
possible.  Another option is to fix this in the source tree, based off 
git-master, and submit a working patch.  This second option is going to be the 
quickest way to get a resolution.

Cheers
-
Eric F Crist



On Oct 11, 2012, at 10:21:35, Alberto Gonzalez Iniesta wrote:

> Hi,
> 
> There's an open bug in Debian [1] since 2007, that seems to be quite
> documented right now. To sum up, when you run openvpn with --mlock and
> --user, the daemon will die with "out of memory", possibly due to
> mlock(2):
> 
> BUGS
> Since kernel 2.6.9, if a privileged process calls mlockall(MCL_FUTURE)
> and later drops privileges (loses the CAP_IPC_LOCK capability by, for
> example, setting its effective UID to a nonzero value), then
> subsequent memory allocations (e.g., mmap(2), brk(2)) will fail if the
> RLIMIT_MEMLOCK resource limit is encountered.
> 
> The bug report contains a workaround (editing PAM limits) and a plea to
> document this behaviour. I guess it's better to document this (after
> verification of the facts) in OpenVPN's man page rather than just
> Debian's package.
> 
> Regards,
> 
> Alberto
> 
> 
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406895
> -- 
> Alberto Gonzalez Iniesta     | Training, consulting and technical support
> agi@(inittab.org|debian.org) | in GNU/Linux and free software
> Encrypted mail preferred     | http://inittab.com
> 
> Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
> 




[Openvpn-devel] Using --mlock and --user makes openvpn "run out of memory"

2012-10-11 Thread Alberto Gonzalez Iniesta
Hi,

There's an open bug in Debian [1] since 2007, that seems to be quite
documented right now. To sum up, when you run openvpn with --mlock and
--user, the daemon will die with "out of memory", possibly due to
mlock(2):

BUGS
Since kernel 2.6.9, if a privileged process calls mlockall(MCL_FUTURE)
and later drops privileges (loses the CAP_IPC_LOCK capability by, for
example, setting its effective UID to a nonzero value), then
subsequent memory allocations (e.g., mmap(2), brk(2)) will fail if the
RLIMIT_MEMLOCK resource limit is encountered.

The bug report contains a workaround (editing PAM limits) and a plea to
document this behaviour. I guess it's better to document this (after
verification of the facts) in OpenVPN's man page rather than just
Debian's package.

Regards,

Alberto


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406895
-- 
Alberto Gonzalez Iniesta     | Training, consulting and technical support
agi@(inittab.org|debian.org) | in GNU/Linux and free software
Encrypted mail preferred     | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3