Thanks, Mike. I tried the /etc/systemd/system/ocserv.socket.d/port.conf trick. It looks like it adds a port to listen on, but it didn't replace the ports defined in /lib/systemd/system/ocserv.socket:

$ sudo systemctl status ocserv.socket
● ocserv.socket - OpenConnect SSL VPN server Socket
   Loaded: loaded (/lib/systemd/system/ocserv.socket; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/ocserv.socket.d
           └─port.conf
   Active: failed (Result: resources) since Thu 2016-09-15 12:38:10 PDT; 49s ago
   Listen: [::]:443 (Stream)
           [::]:443 (Datagram)
           [::]:12345 (Stream)
           [::]:12345 (Datagram)

Sep 15 11:30:46 Simpson systemd[1]: Listening on OpenConnect SSL VPN server Socket.
Sep 15 12:38:10 Simpson systemd[1]: Closed OpenConnect SSL VPN server Socket.
Sep 15 12:38:22 Simpson systemd[1]: ocserv.socket: Failed to listen on sockets: Address already in use
Sep 15 12:38:22 Simpson systemd[1]: Failed to listen on OpenConnect SSL VPN server Socket.
Sep 15 12:38:22 Simpson systemd[1]: ocserv.socket: Unit entered failed state.
Sep 15 12:38:22 Simpson systemd[1]: ocserv.socket: Failed to listen on sockets: Address already in use
Sep 15 12:38:22 Simpson systemd[1]: Failed to listen on OpenConnect SSL VPN server Socket.

On Thu, Sep 15, 2016 at 12:24 PM Mike Miller <mtmil...@debian.org> wrote:

> On Thu, Sep 15, 2016 at 11:37:24 -0700, Yuxuan Wang wrote:
> > The current packed ocserv uses socket-activated systemd config[1] from
> > upstream.
> >
> > These configs hardcode the port number (443), ignoring the port number
> > configured in /etc/ocserv/ocserv.conf, and will be overwritten every
> > time the package upgrades. So if the user manually changed the port
> > number, and has another service occupying port 443, the upgrade will fail.
> >
> > Upstream also provides another systemd config, standalone[2], which
> > doesn't have this problem and will honor the port defined in
> > /etc/ocserv/ocserv.conf
> >
> > I think this package should use the standalone version of systemd config
> > instead.
>
> On the contrary, customizing the port number used in the
> socket-activated configuration is much easier and less error-prone.
>
> Instead of editing the file /etc/ocserv/ocserv.conf, just create a file
> /etc/systemd/system/ocserv.socket.d/port.conf with the contents
>
> [Socket]
> ListenStream=12345
> ListenDatagram=12345
>
> This file will not be overwritten or replaced, and the custom port
> number will be preserved across upgrades.
>
> This technique is common to any socket-activated service, but may not be
> explicitly documented in the ocserv package itself.
>
> --
> mike
>
--
fishy
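
Added example, not part of the thread or of the ocserv package: the status output above lists both 443 and 12345 because systemd appends Listen* values from a drop-in to those already in the unit, and per systemd.socket(5) an empty assignment to any of these options resets the list. The sketch below models that merge so a drop-in can be checked for which ports it really leaves open; the unit contents, file names and the effective_listen helper are constructed for illustration.

```shell
#!/bin/sh
# Model of how systemd combines Listen* settings from a socket unit and its
# drop-ins. Assumption, from systemd.socket(5): assigning an empty string to
# any Listen* option resets the list of addresses collected so far.

# effective_listen UNIT [DROPIN...]: print the Listen* lines that remain in
# effect after reading the files in the given order.
effective_listen() {
    awk -F= '
        /^[ \t]*Listen[A-Za-z]+=/ {
            key = $1; gsub(/[ \t]/, "", key)
            val = $2; gsub(/[ \t]/, "", val)
            if (val == "") { n = 0; next }   # empty value: forget earlier entries
            list[++n] = key "=" val
        }
        END { for (i = 1; i <= n; i++) print list[i] }
    ' "$@"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-in for the packaged unit; ports taken from the status output.
    printf '[Socket]\nListenStream=443\nListenDatagram=443\n' > "$d/ocserv.socket"
    # Drop-in as quoted in the thread: its ports are added to the list.
    printf '[Socket]\nListenStream=12345\nListenDatagram=12345\n' > "$d/append.conf"
    # Same drop-in with a reset line first: only its own ports remain.
    printf '[Socket]\nListenStream=\nListenStream=12345\nListenDatagram=12345\n' > "$d/reset.conf"
    echo "unit + drop-in from the thread:"
    effective_listen "$d/ocserv.socket" "$d/append.conf"
    echo "unit + drop-in with reset line:"
    effective_listen "$d/ocserv.socket" "$d/reset.conf"
    rm -rf "$d"
}

demo
```

On a live host, `systemctl cat ocserv.socket` shows the unit together with its drop-ins, and `systemctl daemon-reload` followed by `systemctl restart ocserv.socket` applies a changed drop-in.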