Package: openvpn
Version: 2.3.7-1
Severity: important

Dear Maintainer,
the systemd service file should use `KillMode=mixed` (or "process"). Without this, the down-root plugin fails to communicate with its forked process. This is likely to also affect other plugins, which use the same mechanism. This also requires adding the `PIDFile` option and using `--writepid` in the `ExecStart` command.

See https://community.openvpn.net/openvpn/ticket/581 for the initial report, and https://github.com/OpenVPN/openvpn/pull/28 for a suggested fix.

While at it, other options from the upstream systemd file could be used, namely `PrivateTmp` and `LimitNPROC`.

It might look like this then:

```
[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
PIDFile=/run/openvpn-%i.pid
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn-%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
```

The diff:

--- /tmp/openvpn-2.3.7/debian/openvpn@.service 2015-07-07 11:54:33.000000000 +0200 +++ /lib/systemd/system/openvpn@.service 2015-07-20 01:26:46.955070918 +0200 
@@ -7,12 +7,16 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service] +PrivateTmp=true +KillMode=mixed Type=forking -ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf +PIDFile=/run/openvpn-%i.pid +ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn-%i.pid ExecReload=/bin/kill -HUP $MAINPID WorkingDirectory=/etc/openvpn ProtectSystem=yes CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH +LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw

-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid'), (500, 'trusty-updates'), (500, 'trusty'), (150, 'testing'), (100, 'vivid-backports'), (100, 'trusty-backports'), (90, 'wily'), (50, 'oldoldstable'), (50, 'experimental'), (50, 'unstable'), (50, 'stable'), (50, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-22-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.55ubuntu2
ii  init-system-helpers    1.22ubuntu11
ii  initscripts            2.88dsf-53.2ubuntu12
ii  iproute2               3.16.0-2ubuntu1
ii  libc6                  2.21-0ubuntu4
ii  liblzo2-2              2.08-1.2
ii  libpam0g               1.1.8-3.1ubuntu3
ii  libpkcs11-helper1      1.11-2
ii  libssl1.0.0            1.0.1f-1ubuntu11.4
ii  libsystemd0            219-7ubuntu6

Versions of packages openvpn recommends:
pn  easy-rsa  <none>

Versions of packages openvpn suggests:
ii  openssl     1.0.1f-1ubuntu11.4
ii  resolvconf  1.76ubuntu1

-- Configuration Files:
/etc/default/openvpn changed [not included]

-- debconf information excluded

-- debsums errors found:
debsums: changed file /lib/systemd/system/openvpn@.service (from openvpn package)
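
Review bot: the added `PIDFile=/run/openvpn-%i.pid` and the matching `--writepid /run/openvpn-%i.pid` put the PID file directly in `/run`, while the status file on the same `ExecStart` line lives under `/run/openvpn/`; using `/run/openvpn/%i.pid` in both places would keep all per-instance runtime files in one directory. For the added `LimitNPROC=10`, note that RLIMIT_NPROC is accounted per user ID and not per unit, so the value should be checked against setups that run several `openvpn@` instances or drop privileges to a shared user, since forks for plugins and scripts would then count against the same limit; a short comment in the unit explaining the chosen value would help. `KillMode=mixed` together with `PIDFile` looks consistent with the stated goal, because systemd needs to identify the main process correctly for the SIGTERM to reach only it.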