On 2017-10-10 09:31 AM, David Sommerseth wrote:
> On Mon, 9 Oct 2017 23:31:40 +0200 Bernhard Schmidt <be...@debian.org> wrote:
> [...snip...]
>>
>> for i in `seq 1 20`; do
>>   echo -e "dev tun\nifconfig 10.0.$i.1 10.0.$i.2\nsecret static.key\nport 200$i\nscript-security 2\nup '/usr/local/bin/sleep-5.sh'\n" > server$i.conf
>>   systemctl restart openvpn@server$i
>> done
>>
>> with /usr/local/bin/sleep-5.sh
>>
>> ===
>> /bin/su -c "/bin/sleep 5" -s /bin/sh nobody
>> ===
>>
>> Doing this, 3 of the OpenVPN instances start, the others fail.
>>
>> Replacing nobody with root makes all start, so you are probably right
>> about the limit being system-wide and only for non-root commands.
>> Removing the "unreproducible" tag.
>>
>> I also do see several reports about this
>>
>> https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1631104
>> https://github.com/systemd/systemd/issues/6011#issuecomment-304617744
>>
>> I'm actually not sure what LimitNPROC is really limiting (the Lennart
>> comment about this counting processes on other containers really made me
>> think that this might have been the wrong knob from the beginning).
> Hi,
> 
> So I'm the one who introduced the unit files to the OpenVPN project, and
> have been active in the maintenance of them.
> 
> I did introduce LimitNPROC=10 to avoid a scenario where a faulty plug-in
> or script hook would spawn too many processes and overload the system in
> various ways.  There are many reasons why this could happen, it could be
> a local issue or something triggered by user input (username, password) or
> in some really dark corner cases even certificate details could be
> abused too.
> 
> The intention was to have this limit on a per unit file basis.  But I
> clearly have overlooked that using the same username in multiple OpenVPN
> configuration files can cause challenges, as that limit is shared among
> all config clients.
> 
> I can acknowledge that 10 processes might be too little.  But I do think
> the potential DoS protection is valuable; and even Lennart Poettering
> does not recommend removing it [1].  So I think it can be increased, and
> then it should be documented better how to increase this manually by
> using 'systemctl edit openvpn-server@.service' and modifying this
> setting this way.

Another way would be to recommend and document how to use a different
low privilege user for each instance. Here, I use "ovpn-$foo" and it
works well.

Regards,
Simon
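
An added example, not part of the original messages or of the OpenVPN project: a shell check that lists which users are named by more than one OpenVPN config, since instances running as the same user draw on one shared LimitNPROC budget as described in the thread. It assumes the instances drop privileges with the `user` directive in `*.conf` files kept in one directory; the function name `shared_users` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# shared_users DIR: for every user named by more than one *.conf in DIR,
# print "<user> <instance count> <comma-separated configs>".
# The process limit set by LimitNPROC= is counted per UID, so each user
# listed here has a single budget shared by all of its instances.
shared_users() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # First "user <name>" directive. Commented lines start with # or ;
        # so their first field is never exactly "user".
        u=$(awk '$1 == "user" && NF >= 2 { print $2; exit }' "$f")
        # No "user" line: the instance stays root and is skipped.
        if [ -n "$u" ]; then printf '%s %s\n' "$u" "$(basename "$f")"; fi
    done | sort | awk '
        { n[$1]++; files[$1] = files[$1] (n[$1] > 1 ? "," : "") $2 }
        END { for (u in n) if (n[u] > 1) print u, n[u], files[u] }' | sort
}

# Constructed sample: three instances share "nobody", one has its own
# user, and one has the directive commented out.
demo_dir=$(mktemp -d)
for i in 1 2 3; do
    printf 'dev tun\nport 200%s\nuser nobody\n' "$i" > "$demo_dir/server$i.conf"
done
printf 'dev tun\nport 2004\nuser ovpn-foo\n' > "$demo_dir/server4.conf"
printf 'dev tun\nport 2005\n;user nobody\n' > "$demo_dir/server5.conf"
shared_users "$demo_dir"
rm -rf "$demo_dir"
```

Any user it reports is a candidate for either a higher limit or a dedicated per-instance account.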

