Re: [Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd

2016-12-02 Thread David Sommerseth
On 02/12/16 02:45, debbie10t wrote:
[...snip...]
> My east.conf file:
> 
> # cat server/east.conf
> 
> ### TESTS
> #
> ## systemd enhancements: failed as expect
> ;bad-opt
> 
> ## daemon: Did *not* fail when run from systemd service
> daemon vpn-srv-east

This is just as expected.  Having --daemon in the config should not
cause any failure.  It should just drop trying to daemonize if it is
detected that OpenVPN is started via systemd.

Look at init.c:930, possibly_become_daemon()

If sd_notify() returns a value > 0, then OpenVPN is started via
systemctl - as sd_notify() has a communication channel with the service
manager, and it will not try to daemonize.

If sd_notify() returns 0, it means it doesn't know how to communicate with
the service manager.  And < 0 means something bad happened.  In both
these cases, openvpn will daemonize as if it was not managed by systemd
at all.

So your test showed that this worked just as expected :)


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc




--
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
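The three sd_notify() outcomes described above, as an added example that is not part of the thread and is neither OpenVPN's code nor libsystemd's: mini_sd_notify() reimplements the notify-socket contract (one datagram to the AF_UNIX socket named by $NOTIFY_SOCKET, returning > 0, 0 or a negative errno), should_daemonize() is the decision possibly_become_daemon() takes on that value, and run_notify_probe() plays the service-manager side with a constructed socket path under /tmp so all three cases can be exercised without systemd. The probe string "READY=0" is the one the init.c excerpt later in the thread uses; the function and struct names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC 0
#endif

/* Stand-in for libsystemd's sd_notify() (example code, not libsystemd).
 * Contract: > 0 delivered to the service manager, 0 no $NOTIFY_SOCKET
 * (not started by a notify-aware manager), < 0 negative errno. */
static int mini_sd_notify(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || *path == '\0')
        return 0;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t plen = strlen(path);
    if (plen >= sizeof addr.sun_path)
        return -ENAMETOOLONG;
    memcpy(addr.sun_path, path, plen);
    /* systemd writes a leading '@' for Linux abstract-namespace sockets */
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path)
                                 + plen + (path[0] == '@' ? 0 : 1));

    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -errno;
    ssize_t n = sendto(fd, state, strlen(state), 0,
                       (const struct sockaddr *)&addr, alen);
    int err = errno;
    close(fd);
    return n < 0 ? -err : 1;
}

/* The decision from the thread: a positive sd_notify() result means the
 * manager is listening, so --daemon is ignored; 0 or < 0 honours --daemon. */
static bool should_daemonize(bool daemon_opt, int notify_rc)
{
    if (notify_rc > 0)
        return false;
    return daemon_opt;
}

struct notify_probe {
    int rc_managed;     /* manager listening: expect 1 */
    int rc_unmanaged;   /* $NOTIFY_SOCKET unset: expect 0 */
    int rc_broken;      /* $NOTIFY_SOCKET set but dead: expect < 0 */
    char received[64];  /* what the fake manager read from its socket */
};

/* Play both sides with a constructed socket path; 0 on success, -1 if the
 * fake manager socket could not be set up. */
static int run_notify_probe(struct notify_probe *p)
{
    char path[64];
    memset(p, 0, sizeof *p);
    snprintf(path, sizeof path, "/tmp/notify-example-%ld.sock", (long)getpid());
    unlink(path);

    int mgr = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (mgr < 0)
        return -1;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    if (bind(mgr, (const struct sockaddr *)&addr, sizeof addr) < 0) {
        close(mgr);
        return -1;
    }

    setenv("NOTIFY_SOCKET", path, 1);           /* case 1: manager present */
    p->rc_managed = mini_sd_notify("READY=0");
    if (p->rc_managed > 0) {
        ssize_t n = recv(mgr, p->received, sizeof p->received - 1, 0);
        p->received[n > 0 ? n : 0] = '\0';
    }
    unsetenv("NOTIFY_SOCKET");                  /* case 2: no manager */
    p->rc_unmanaged = mini_sd_notify("READY=0");
    setenv("NOTIFY_SOCKET", "/nonexistent/notify.sock", 1); /* case 3: dead socket */
    p->rc_broken = mini_sd_notify("READY=0");
    unsetenv("NOTIFY_SOCKET");

    close(mgr);
    unlink(path);
    return 0;
}

int main(void)
{
    struct notify_probe p;
    if (run_notify_probe(&p) != 0) {
        perror("setup");
        return 1;
    }
    printf("managed:   rc=%d got=\"%s\" daemonize=%d\n", p.rc_managed,
           p.received, should_daemonize(true, p.rc_managed));
    printf("unmanaged: rc=%d daemonize=%d\n", p.rc_unmanaged,
           should_daemonize(true, p.rc_unmanaged));
    printf("broken:    rc=%d daemonize=%d\n", p.rc_broken,
           should_daemonize(true, p.rc_broken));
    return 0;
}
```

Build with `cc -o notify-example notify-example.c` on Linux and run it; the "broken" case shows why a service whose $NOTIFY_SOCKET is set but unreachable falls back to honouring --daemon rather than failing.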


Re: [Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd

2016-12-01 Thread debbie10t
Gutted ..

I have to step in here NOW and say that this did not work for me.

I applied to the current (as of this email) git master:

* Use systemd service manager notification
* The patch below
* No others.

-

then
$ autoreconf -ivf
$ ./configure --enable-systemd
$ make
# make uninstall
# make install

I then used the systemd unit from
b/src/distro/systemd/openvpn-server@.service
copied and renamed to my conf file as
/etc/systemd/system/openvpn-server@east.service

systemctl'd to the correct unit file:

# ls -l /etc/systemd/system/multi-user.target.wants
total ..
lrwxrwxrwx 1 root root 47 Dec  1 15:56 openvpn-server@east.service -> /etc/systemd/system/openvpn-server@east.service


changed the unit file as below:


# cat /etc/systemd/system/openvpn-server@east.service
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
RuntimeDirectory=openvpn-server
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/server

# Not using 2.3.x
#ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
# Do not like --suppress-timestamps
#ExecStart=/usr/local/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
# Using this
ExecStart=/usr/local/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

My east.conf file:

# cat server/east.conf

### TESTS
#
## systemd enhancements: failed as expect
;bad-opt

## daemon: Did *not* fail when run from systemd service
daemon vpn-srv-east

server 10.25.25.0 255.255.255.248
server-ipv6 12fc:1918::10:25:25:0:0/112

push "setenv-safe PUSH_east arch"

keepalive 10 30
push "comp-lzo no"
comp-lzo no
push "explicit-exit-notify 3"
client-config-dir /etc/openvpn/server/east/ccd
ccd-exclusive

log /etc/openvpn/server/east/temp/east.log
verb 4

management 127.0.0.1 10025
dev tun25s
port 10025
cipher AES-256-CBC
auth RSA-SHA512

# cert/key stuff
...


Then:
# systemctl daemon-reload
# systemctl start openvpn-server@east

** Openvpn started but should have failed **


Just for the hell of it

# nano b/src/openvpn/init.c

/*
 * Should we become a daemon?
 * Return true if we did it.
 */
bool
possibly_become_daemon (const struct options *options)
{
  bool ret = false;

#ifdef ENABLE_SYSTEMD
  /* return without forking if we are running from systemd */
  if (sd_notify(0, "READY=0") > 0)
    return ret;
#endif

  if (options->daemon)
    {
      ASSERT (!options->inetd);
      /* Don't chdir immediately, but the end of the init sequence, if needed */
      if (daemon (1, options->log) < 0)
        msg (M_ERR, "daemon() failed or unsupported");
      restore_signal_state ();
      if (options->log)

-

I have probably done something wrong but could not sleep without letting 
someone know!

Regards




On 01/12/16 21:31, Christian Hesse wrote:
> From: Christian Hesse 
>
> We start with systemd Type=notify, so refuse to daemonize. This does not
> affect starting openvpn from script or command line.
>
> v2: Update commit message about script and command line.
>
> Signed-off-by: Christian Hesse 
> ---
>  distro/systemd/openvpn-client@.service | 1 -
>  distro/systemd/openvpn-server@.service | 1 -
>  src/openvpn/init.c | 7 +++
>  3 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/distro/systemd/openvpn-client@.service 
> b/distro/systemd/openvpn-client@.service
> index f64a239..5618af3 100644
> --- a/distro/systemd/openvpn-client@.service
> +++ b/distro/systemd/openvpn-client@.service
> @@ -12,7 +12,6 @@ PrivateTmp=true
>  RuntimeDirectory=openvpn-client
>  RuntimeDirectoryMode=0710
>  WorkingDirectory=/etc/openvpn/client
> -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && 
> /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being 
> managed by systemd" ; exit 1'
>  ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
>  CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
> CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>  LimitNPROC=10
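Review bot: with the ExecStartPre grep removed here, the unit file no longer rejects a config that contains `daemon`; the refusal now depends entirely on the src/openvpn/init.c change listed in the diffstat (7 +++), so this unit paired with an older openvpn binary will start with `--daemon` silently accepted and Type=notify will time out instead of failing fast. Either state that coupling in the commit message or keep the ExecStartPre line until the new binary is the minimum the unit supports. Note also that the commit message says "refuse to daemonize", whereas nothing in this hunk makes the start fail; if the intended behaviour is "ignore --daemon under systemd", say so.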
> diff --git a/distro/systemd/openvpn-server@.service 
> b/distro/systemd/openvpn-server@.service
> index 890e6a9..b9b4dba 100644
> --- a/distro/systemd/openvpn-server@.service
> +++