Bug 1435831 - openvpn@.service uses --daemon and --writepid
Summary: openvpn@.service uses --daemon and --writepid
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openvpn
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1436541 (view as bug list)
Depends On: 1435036
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-24 23:10 UTC by David Sommerseth
Modified: 2017-04-08 23:20 UTC (History)
13 users (show)

Fixed In Version: openvpn-2.4.1-2.fc25 openvpn-2.4.1-3.fc26 openvpn-2.4.1-2.el7
Doc Type: Enhancement
Doc Text:
Clone Of: 1435036
: 1436035 (view as bug list)
Environment:
Last Closed: 2017-04-08 23:20:34 UTC


Attachments (Terms of Use)

Description David Sommerseth 2017-03-24 23:10:32 UTC
+++ This bug was initially created as a clone of Bug #1435036 +++

--- Additional comment from nucleo on 2017-03-24 15:02:19 EDT ---

Missing path for /var/run/openvpn in tmpfiles config:

# cat /usr/lib/tmpfiles.d/openvpn.conf
d /run/openvpn-client 0710 root root -
d /run/openvpn-server 0710 root root -

So openvpn@.service can't start because of it 
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

Options error: --writepid fails with '/var/run/openvpn/server.pid': No such file or directory


--- Additional comment from David Sommerseth on 2017-03-24 19:08:47 EDT ---

(In reply to nucleo from comment #15)
> Missing path for /var/run/openvpn in tmpfiles config:
> 
> # cat /usr/lib/tmpfiles.d/openvpn.conf
> d /run/openvpn-client 0710 root root -
> d /run/openvpn-server 0710 root root -
> 
> So openvpn@.service can't start because of it 
> ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd
> /etc/openvpn/ --config %i.conf
> 
> Options error: --writepid fails with '/var/run/openvpn/server.pid': No such
> file or directory

I will actually claim that the unit file is faulty here.  I did not review Fedora specific unit file, but rather want to encourage you to try using either openvpn-server@.service or openvpn-client@.service.  I will add a new README.systemd file to document this better as well, see here for the current one in Rawhide:
http://pkgs.fedoraproject.org/cgit/rpms/openvpn.git/tree/README.systemd

I will however update the unit file for F26 and F25.  There is no reason to use --daemon and --writepid with systemd; systemd seems to do the Type=simple (systemd default) far better.

Comment 1 Scott Shambarger 2017-03-26 21:49:01 UTC
The missing tmpfiles entry does break exiting configurations on upgrade (it did mine), and as long as openvpn@.service is shipped, the directory for the pidfile should be created.

Comment 2 David Sommerseth 2017-03-26 22:20:42 UTC
(In reply to Scott Shambarger from comment #1)
> The missing tmpfiles entry does break exiting configurations on upgrade (it
> did mine), and as long as openvpn@.service is shipped, the directory for the
> pidfile should be created.

With all due respect, that is the wrong solution.  The openvpn@.service is doing things the wrong way.  So instead openvpn@.service must be fixed to do things correctly.

I have a scratch build ready which needs testing before final build can be sent to bodhi. This build should fix this issue in the proper way.
https://koji.fedoraproject.org/koji/taskinfo?taskID=18582382

With that said, openvpn@.service is deprecated and will be removed in Fedora 27, as the newer openvpn-client@.service and openvpn-server@.service provides far better hardening and control of VPN tunnels.  And these two new unit files are being maintained by the upstream community and being included in other systemd based Linux distributions as well.  This helps all OpenVPN users to have the same behaviour and usage, regardless of Linux distribution.  Further, people in the OpenVPN community are already discussing the next steps to further harden running OpenVPN processes.

Comment 3 Scott Shambarger 2017-03-26 22:28:21 UTC
Feel free to do things the "right way" in openvpn@, but breaking existing VPN setups during a release cycle is not very considerate.  I'm changing my setup to use openvpn-server now, but I need to disable/enable services, and move/edit configurations... I expect to do this when upgrading system releases (F25->F26), but not just when upgrading a program that generally has to be done for security fixes :)

Changing to remove --daemon or use the new tmpfile location etc can be done as long as the config is still referenced in /etc/openvpn (not /etc/openvpn/server).  Currently, the openvpn@.service shipped fails to start because of the missing tmpfile...

Comment 4 David Sommerseth 2017-03-26 22:43:02 UTC
(In reply to Scott Shambarger from comment #3)
> Feel free to do things the "right way" in openvpn@, but breaking existing
> VPN setups during a release cycle is not very considerate. 

Fair point!  And this breakage was a glitch which was not intended.  But as I pointed out, there is a proper fix in the pipe.  It just needs to be better tested before being pushed out.

Comment 5 nucleo 2017-03-26 22:50:35 UTC
I already switched to new units, so now can't test old unit.
New units works fine except nice option which requires missing CAP_SYS_NICE in CapabilityBoundingSet.

Comment 6 David Sommerseth 2017-03-26 22:56:24 UTC
(In reply to nucleo from comment #5)
> I already switched to new units, so now can't test old unit.
> New units works fine except nice option which requires missing CAP_SYS_NICE
> in CapabilityBoundingSet.

Great feedback!  I will ensure CAP_SYS_NICE gets included upstream and added to Fedora repos in the meantime.

Comment 7 David Sommerseth 2017-03-28 09:33:12 UTC
*** Bug 1436541 has been marked as a duplicate of this bug. ***

Comment 8 Tom Shield 2017-03-28 17:12:55 UTC
I tried switching to openvpn-server@.service and it fails because

WorkingDirectory=/etc/openvpn/server

directory does not exist (and that is also not were my config files are).

openvpn-2.4.1-1.fc25.x86_64 is what I have installed.

I've copied /lib/systemd/system/openvpn@.service to /etc/systemd/system

and edited the lines

PIDFile=/var/run/openvpn-server/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn-server/%i.pid --cd /etc/openvpn/ --config %i.conf

to add -server to the /var/run paths to get things working for now.

Seems like there are several things to straighten out here.  You are forcing config changes no matter which way you try to run it.

Comment 9 David Sommerseth 2017-03-28 19:04:12 UTC
(In reply to Tom Shield from comment #8)
> I tried switching to openvpn-server@.service and it fails because
> 
> WorkingDirectory=/etc/openvpn/server
> 
> directory does not exist (and that is also not were my config files are).

If that directory does not exist, that's an error in the packaging.  I do have a clean-up of the .spec file in the pipe already to ensure the package sanity is better.

The openvpn-server@.serivce expects configurations to reside in /etc/openvpn/server for a purpose, as there are setups where the box is both an openvpn server and an openvpn client ... and the requirements for servers and clients are somewhat different when starting to harden the services.  So to avoid users from starting a server configuration through the openvpn-client@.service or vice versa, it was decided to move configuration files into separate directories.

For more information, see the README.systemd file which will arrive in a later update ... http://pkgs.fedoraproject.org/cgit/rpms/openvpn.git/tree/README.systemd

> openvpn-2.4.1-1.fc25.x86_64 is what I have installed.
> 
> I've copied /lib/systemd/system/openvpn@.service to /etc/systemd/system
> 
> and edited the lines
> 
> PIDFile=/var/run/openvpn-server/%i.pid
> ExecStart=/usr/sbin/openvpn --daemon --writepid
> /var/run/openvpn-server/%i.pid --cd /etc/openvpn/ --config %i.conf

Do NOT add --writepid and PIDFile= with OpenVPN v2.4.  That can definitely give you even more headaches.  OpenVPN v2.4 is designed to use Type=notify which enables sd_notify() [0] under the hood, where OpenVPN messages systemd directly about its state.  In such a configuration, --daemon is even ignored.

[0] https://www.freedesktop.org/software/systemd/man/sd_notify.html

We are currently in the phase of cleaning up the systemd integration mess which was caused when distro package maintainers in their best efforts did some quick decisions without getting in touch with OpenVPN upstream in the early days of the systemd introduction  ... so even though there will be some turbulence now while we're cleaning up things, I do expect things to be far better once all that is settled.

I am truly sorry that all these issues appeared ... but it just shows what can happen when distro package maintainers don't talk to their upstream project when 
doing the packaging job.  It's a road filled with traps, so when even upstream does several steps to improve the situation across all systemd distributions and these efforts are not taken into consideration, things tend to crash badly at some point.  I am active in the upstream OpenVPN project (have been for many years) and I do intend to really sort this out ASAP.  Hence the scratch build to really test out these last adjustments to bring the Fedora package in-sync with the upstream project expectations ... 
https://koji.fedoraproject.org/koji/taskinfo?taskID=18582382 ... I really hope to get those fixes pushed out within this week at latest.

Unfortunately, this won't be the last round, we need to see what else comes up with.  OpenVPN is extremely flexible with a bit over 240 options.  There will be some option combinations I have not predicted, which we need to sort out as they appear.  And in addition, I try to be in touch with the NetworkManager as well, to ensure OpenVPN don't clash too much there too.

If users have issues ... I strongly encourage you to join the openvpn-user [1] mailing-list or join the #openvpn channel at Freenode; I am dazo there and do try to help out as long as I'm online plus there's a lot of other users who can be helpful there too.

[1] https://sourceforge.net/p/openvpn/mailman/

Comment 10 Fedora Update System 2017-03-28 22:15:50 UTC
openvpn-2.4.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c07a04251a

Comment 11 Fedora Update System 2017-03-28 22:16:07 UTC
openvpn-2.4.1-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ffb8246fa

Comment 12 Fedora Update System 2017-03-29 17:49:37 UTC
openvpn-2.4.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c07a04251a

Comment 13 Fedora Update System 2017-03-29 19:20:05 UTC
openvpn-2.4.1-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ffb8246fa

Comment 14 Fedora Update System 2017-03-30 09:38:49 UTC
openvpn-2.4.1-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c07a04251a

Comment 15 Fedora Update System 2017-03-30 18:52:30 UTC
openvpn-2.4.1-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c07a04251a

Comment 16 Fedora Update System 2017-03-31 02:23:06 UTC
openvpn-2.4.1-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-04-03 13:25:53 UTC
openvpn-2.4.1-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5c642f8063

Comment 18 Fedora Update System 2017-04-03 13:26:34 UTC
openvpn-2.4.1-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5c642f8063

Comment 19 Fedora Update System 2017-04-03 16:08:29 UTC
openvpn-2.4.1-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2017-04-03 23:19:54 UTC
openvpn-2.4.1-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5c642f8063

Comment 21 Fedora Update System 2017-04-08 23:20:34 UTC
openvpn-2.4.1-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.