Package: openvpn
Version: 2.7.0-1

Currently openvpn has this code in the postinst:

    if pidof -c /usr/sbin/openvpn >/dev/null; then
        echo "A reboot is required to replace the running openvpn." >&2
        echo "Please reboot the system as soon as possible." >&2
    fi

This seems wildly wrong. openvpn should be able to be restarted by
systemd without problems. This was introduced in 2.4.9-3:

openvpn (2.4.9-3) unstable; urgency=medium

  [ Jörg Frings-Fürst ]
  * Fix the bug that occurs during the update (Closes: #959464):
    "ERROR: Cannot ioctl TUNSETIFF tunX: Device or resource busy (errno=16)"
    - debian/rules: Change dh_installsystemd from "--restart-after-upgrade" to
      "--no-restart-after-upgrade -r".
    - Remove restart from debian/postinst.
    - Add hint to reboot if openvpn is running.
    - Add new chapter into debian/NEWS.
  [...]

NEWS.Debian says:

  "To ensure the functionality of OpenVPN connections during an update,
  OpenVPN is not restarted after the update since this version."

While there is certainly an argument to be made to not kill VPN connections
during upgrades (in case the upgrade happens via this connection), the advice
to reboot the machine seems very much overreach. The only reason to reboot
would be to get a new version of ovpn from a new kernel, but then the kernel
will ask for the reboot. And systemd will already tell the user that the
restart was "deferred". So I would suggest to at least remove this message
from the postinst.

I would also argue that the deferral is not actually required. But it is
not exactly clear to me what the bug was that caused these problems. I
can't find any direct references to it in OpenVPN itself, but it looks
like the actual problem was outside of openvpn in that for some reason
it wasn't correctly killed during the restart (problem in systemd
integration?). Anyway, removing the deferral would obviously be a much
more invasive change.

Thanks,
--
Frank Lichtenheld
(OpenVPN upstream developer)