Bug 1281807 - openvpn: openvpn-plugin-down-root.so always fails to run configured command
openvpn: openvpn-plugin-down-root.so always fails to run configured command
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: openvpn (Show other bugs)
26
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: David Sommerseth
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-13 08:18 EST by Tomas Hoger
Modified: 2017-09-06 19:58 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-06 19:58:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2015-11-13 08:18:35 EST
Description of problem:

openvpn client configured with:

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so /etc/openvpn/client.down

where client.down is a copy of packaged /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down, fails on 'systemctl stop openvpn@foo.service' with:

PLUGIN_CALL: plugin function PLUGIN_DOWN failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
ERROR: up/down plugin call failed
Exiting due to fatal error

which causes old resolv.conf to not get restored.

Searching for this error led me to the following upstream bug and a proposed fix:

https://community.openvpn.net/openvpn/ticket/581
https://github.com/OpenVPN/openvpn/pull/28

Using KillMode=mixed in openvpn@.service unit fixed the problem for me.
Comment 1 Tomas Hoger 2016-01-20 04:31:36 EST
As systemd allows extending/modifying unit files without completely overriding them, the following should be a fairly non-invasive workaround:

# cat /etc/systemd/system/openvpn@.service.d/kill-mode.conf 
[Service]
KillMode=mixed

# systemctl daemon-reload
Comment 2 Fedora End Of Life 2016-07-19 14:28:00 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 3 Fedora End Of Life 2016-11-24 08:23:01 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 4 Fedora End Of Life 2016-12-20 10:49:33 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 5 Tomas Hoger 2017-08-25 04:33:42 EDT
Still a problem in openvpn-2.4.3-1.fc26.x86_64, I still need to keep using the workaround noted in comment 1.
Comment 6 David Sommerseth 2017-08-28 07:33:16 EDT
Are you using openvpn-client@.service or openvpn@.service?  The former is the recommended, the latter is being deprecated.

I'm torn if KillMode=mixed is the proper approach.  I'm wondering if KillMode=process would be somewhat better, but need to retest this more carefully locally again.
Comment 7 David Sommerseth 2017-08-28 07:43:24 EDT
I had to refresh my memory a bit by looking into the GitHub PR#28 [1].  I'll add this again to my todo list, and re-visit the KillMode= challenge.  It seems the changes applied to F-26 still doesn't cover this scenario.


[1] https://github.com/OpenVPN/openvpn/pull/28
Comment 8 Tomas Hoger 2017-09-04 03:25:39 EDT
I'm still using openvpn@.service, which was the only thing that existed at the time this bug was reported.  I noticed the new openvpn-client@.service, but haven't got to play with it yet.  I'll give it a try some time soon.
Comment 9 David Sommerseth 2017-09-04 07:04:35 EDT
I have managed to reproduce this issue with openvpn-client@.service as well.  I will send a patch upstream and this will be fixed with a coming upstream release.  For Fedora 25 and 26 the openvpn@.service will be updated accordingly.  In Fedora 27, openvpn@.service will no longer be present (as it is deprecated).
Comment 10 David Sommerseth 2017-09-06 19:58:17 EDT
Patch have been sent for review to the openvpn-devel mailing list.

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html

This is also tracked in the upstream OpenVPN bug tracker
https://community.openvpn.net/openvpn/ticket/918

Closing this as UPSTREAM, as this will be handled by upstream and will arrive in a coming OpenVPN release.

Note You need to log in before you can comment on or make changes to this bug.