I'm not sure there's even any point to adding the '+': an error will occur
either way, whether it's in kill or in OpenVPN. At least when it appears
from kill it's obvious something went wrong (even if it's not obvious
what...).

Personally I think removing reload is the right call going forward - having
perused the man page more thoroughly, neither SIGHUP nor SIGUSR1 accomplishes
what I would call a 'reload'. But that's just my opinion.

On Tue, May 26, 2020, 14:00 Lucas Kanashiro <1868...@bugs.launchpad.net>
wrote:

> Executing the ExecReload= command with full privileges (adding '+')
> indeed fixes the reload failure (I ran my tests in Bionic and Focal
> VMs but it should apply to the other releases):
>
> May 26 10:01:41 openvpn-reload kill[1764]: kill: (1738): Operation not permitted
>
> I mean the command 'systemctl reload openvpn@<server>' does not fail
> (returns 0). However, after checking the journal log I found the
> following error messages:
>
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: SIGHUP[hard,] received, process restarting
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: --dh fails with 'dh.pem': Permission denied (errno=13)
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: --ca fails with 'ca.crt': Permission denied (errno=13)
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: --cert fails with 'server.crt': Permission denied (errno=13)
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: --key fails with 'server.key': Permission denied (errno=13)
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: --tls-auth fails with 'ta.key': Permission denied (errno=13)
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: --writepid fails with '/run/openvpn/server.pid': Permission denied (errno=13)
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied (errno=13)
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Options error: Please correct these errors.
> May 26 10:30:57 openvpn-reload ovpn-server[10626]: Use --help for more information.
>
> As discussed above I am not quite sure about the practical difference
> between restarting the service and sending the SIGHUP signal to the
> process. The upstream message when handling this signal is "process
> restarting". Since defining a reload command is optional and the
> difference between restart and reload is not clear, we may want to
> remove the ExecReload= from this unit file. Maybe run the ExecReload=
> with full privileges ('+') in the supported releases to not remove this
> feature and avoid the failure, and remove the ExecReload= from the
> development release (stop supporting reload)?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1868127
>
> Title:
>   OpenVPN will not reload due to misconfigured .service file
>
> Status in openvpn package in Ubuntu:
>   Triaged
> Status in openvpn source package in Bionic:
>   Triaged
> Status in openvpn source package in Eoan:
>   Triaged
> Status in openvpn source package in Focal:
>   Triaged
>
> Bug description:
>   OpenVPN will not reload due to misconfigured .service file
>
>   You remove CAP_KILL (by not listing it in CapabilityBoundingSet).
>   OpenVPN should be configured to drop privileges, which means that it
>   will no longer be running as root, while kill is running with root,
>   which means CAP_KILL is required to send a signal. It either needs to
>   be listed in CapabilityBoundingSet, or (preferably)
>   "ExecReload=/bin/kill -HUP $MAINPID" needs to become
>   "ExecReload=+/bin/kill -HUP $MAINPID"
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 18.04
>   Package: openvpn 2.4.4-2ubuntu1.3
>   ProcVersionSignature: Ubuntu 4.15.0-91.92-generic 4.15.18
>   Uname: Linux 4.15.0-91-generic x86_64
>   ApportVersion: 2.20.9-0ubuntu7.12
>   Architecture: amd64
>   Date: Thu Mar 19 10:48:18 2020
>   InstallationDate: Installed on 2018-05-02 (686 days ago)
>   InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
>   ProcEnviron:
>    TERM=xterm-256color
>    PATH=(custom, no user)
>    XDG_RUNTIME_DIR=<set>
>    LANG=en_US.UTF-8
>    SHELL=/bin/bash
>   SourcePackage: openvpn
>   UpgradeStatus: No upgrade log present (probably fresh install)
>   modified.conffile..etc.openvpn.update-resolv-conf: [deleted]
>
>
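
The check implied by the bug description, as an added example (not part of the original thread or of the openvpn package): it flags a unit whose ExecReload= runs kill without the '+' prefix while CAP_KILL is missing from CapabilityBoundingSet=. The unit text is a constructed sample and the function names are hypothetical; it assumes, as the report does, that OpenVPN has dropped privileges to a non-root user.

```python
import shlex

# Constructed sample modelled on the bug description, not the packaged unit.
BROKEN_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_SETGID CAP_SETUID
ExecReload=/bin/kill -HUP $MAINPID
"""
FIXED_UNIT = BROKEN_UNIT.replace("ExecReload=/bin", "ExecReload=+/bin")

def settings(unit_text):
    """Yield (key, value) pairs, skipping comments and section headers."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def cap_kill_in_bounding_set(unit_text):
    """Follow only CAP_KILL through repeated CapabilityBoundingSet= lines."""
    allowed = None  # None: setting never seen, so nothing is dropped
    for key, value in settings(unit_text):
        if key != "CapabilityBoundingSet":
            continue
        if not value:                # empty assignment resets to the empty set
            allowed = False
        elif value.startswith("~"):  # inverted list removes the named capabilities
            if "CAP_KILL" in value[1:].split():
                allowed = False
            elif allowed is None:
                allowed = True
        else:                        # plain lists are merged by OR
            allowed = "CAP_KILL" in value.split() or bool(allowed)
    return allowed is not False

def reload_signal_blocked(unit_text):
    """True if ExecReload= runs kill without '+' while CAP_KILL is dropped.

    Of systemd's executable prefixes, only '+' runs with full privileges.
    """
    if cap_kill_in_bounding_set(unit_text):
        return False
    for key, value in settings(unit_text):
        if key != "ExecReload" or not value:
            continue
        command = value.lstrip("@-:+!")
        prefix = value[: len(value) - len(command)]
        argv = shlex.split(command)
        if argv and argv[0].rsplit("/", 1)[-1] == "kill" and "+" not in prefix:
            return True
    return False
```

A unit that passes this check only gets the signal delivered; the journal excerpt quoted above shows the SIGHUP restart itself then failing with Permission denied on the key and certificate files.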
