On Mon, 9 Oct 2017 23:31:40 +0200 Bernhard Schmidt <be...@debian.org> wrote:
[...snip...]
> > for i in `seq 1 20`; do echo -e "dev tun\nifconfig 10.0.$i.1
> > 10.0.$i.2\nsecret static.key\nport 200$i\nscript-security 2\nup
> > '/usr/local/bin/sleep-5.sh'\n" > server$i.conf; systemctl
> > restart openvpn@server$i; done
> >
> > with /usr/local/bin/sleep-5.sh
> >
> > ===
> > /bin/su -c "/bin/sleep 5" -s /bin/sh nobody
> > ===
> >
> > Doing this 3 of the OpenVPN instances start, the others fail.
> >
> > Replacing nobody with root makes all start, so you are probably right
> > about the limit being system-wide and only for non-root commands.
> > Removing the "unreproducible" tag.
> >
> > I also do see several reports about this
> >
> > https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1631104
> > https://github.com/systemd/systemd/issues/6011#issuecomment-304617744
> >
> > I'm actually not sure what LimitNPROC is really limiting (the Lennart
> > comment about this counting processes on other containers really made me
> > think that this might have been the wrong knob from the beginning).

Hi,
So I'm the one who introduced the unit files to the OpenVPN project, and have been active in the maintenance of them. I did introduce LimitNPROC=10 to avoid a scenario where a faulty plug-in or script hook would spawn too many processes and overload the system in various ways. There are many reasons why this could happen: it could be a local issue or something triggered by user input (username, password), or in some really dark corner cases even certificate details could be abused too.

The intention was to have this limit on a per-unit-file basis. But I clearly have overlooked that using the same username in multiple OpenVPN configuration files can cause challenges, as that limit is shared among all config clients.

I can acknowledge that 10 processes might be too little. But I do think the potential DoS protection is valuable; and even Lennart Poettering does not recommend removing it [1]. So I think it can be increased, and then it should be documented better how to increase this manually by using 'systemctl edit openvpn-server@.service' and modifying this setting that way.

Would a default of 30 or 50 processes be sufficient?

And I would prefer that we fix this issue upstream in OpenVPN first of all, which all other distributions (including Debian) pick up - as this ensures a more known and familiar behaviour across all systemd based distributions.

[1] "Disabling LimitNPROC= in all your unit files [...] [d]oesn't remove the DoS vulnerability, and in fact makes the system a whole lot unsafe, but is a cheap way out."
<https://github.com/systemd/systemd/issues/6011#issuecomment-304617744>

--
kind regards,

David Sommerseth
OpenVPN, Inc
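As an added illustration of the two points raised in this thread (this is not code from either poster or from the OpenVPN project): the first function writes the kind of drop-in override that 'systemctl edit' would create for the template unit, raising LimitNPROC without editing the packaged unit file; the second counts processes per user from `ps -eo user=` output, which is the number RLIMIT_NPROC is actually compared against. Because that limit is enforced per real uid (and not applied to root), every OpenVPN instance that drops privileges to the same user, `nobody` in Bernhard's reproduction, draws on one shared budget. The unit name `openvpn-server@.service`, the drop-in file name `limitnproc.conf` and the limit value 50 are assumptions taken from the discussion, not a recommendation; Debian's template is named `openvpn@.service`.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project.
# Assumes: systemd reads drop-ins from <base>/<unit>.d/*.conf (default
# base /etc/systemd/system) and ps supports the -eo user= format.

# Write a drop-in that overrides LimitNPROC for a (template) unit.
# $1 = unit name, e.g. openvpn-server@.service (assumed upstream name)
# $2 = new limit, e.g. 50 (one of the values floated in the thread)
# $3 = optional base directory (use a temp dir to test without root)
write_nproc_dropin() {
    unit="$1"
    limit="$2"
    base="${3:-/etc/systemd/system}"
    dir="$base/$unit.d"
    mkdir -p "$dir"
    # Only the [Service] key is overridden; everything else comes from
    # the packaged unit, so package upgrades keep working.
    printf '[Service]\nLimitNPROC=%s\n' "$limit" > "$dir/limitnproc.conf"
    echo "$dir/limitnproc.conf"
}

# Read the LimitNPROC value back out of a drop-in (pure text parsing).
dropin_limit() {
    sed -n 's/^LimitNPROC=//p' "$1"
}

# Count processes owned by one user, reading `ps -eo user=` on stdin.
# RLIMIT_NPROC is checked against this per-uid total, so instances that
# all run as "nobody" share a single count; root is exempt from the limit,
# which is why switching the script to root made every instance start.
procs_for_user() {
    awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Typical use on a live host (needs root; not run here):
#   write_nproc_dropin openvpn-server@.service 50
#   systemctl daemon-reload
#   systemctl show -p LimitNPROC openvpn-server@myvpn.service
#   ps -eo user= | procs_for_user nobody
```

After `daemon-reload`, `systemctl show -p LimitNPROC` on an instance confirms the override took effect for every instance of the template, which is the point of editing `openvpn-server@.service` rather than one instance. Comparing the `procs_for_user` count for the shared service user against that limit shows how much headroom the hooks (here the `su -c sleep` script, which itself needs a couple of processes per instance) have left.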