Control: tags -1 - unreproducible

On 09.10.2017 22:45, Michael Stone wrote:

Hi Michael,

> On Mon, Oct 09, 2017 at 09:47:49PM +0200, Bernhard Schmidt wrote:
>> I'm not exactly sure why it was chosen this low, but I cannot reproduce
>> your issue. I think LimitNPROC=10 is _per_ _instance_. I could start
>> 20 server instances just fine
> 
> Could you run scripts? IIRC, it's not the startup that's the problem,
> it's actually using them once they're running. Probably also requires
> running as a non-root user (I don't think nproc applies to root). So the
> processes start fine as root, then setuid something else, then can not
> fork subsequently.

Okay, I could reproduce it this way

for i in `seq 1 20`; do
  echo -e "dev tun\nifconfig 10.0.$i.1 10.0.$i.2\nsecret static.key\nport 200$i\nscript-security 2\nup '/usr/local/bin/sleep-5.sh'\n" > server$i.conf
  systemctl restart openvpn@server$i
done

with /usr/local/bin/sleep-5.sh

===
/bin/su -c "/bin/sleep 5" -s /bin/sh nobody
===

Doing this, 3 of the OpenVPN instances start, the others fail.

Replacing nobody with root makes all start, so you are probably right
about the limit being system-wide and only for non-root commands.
Removing the "unreproducible" tag.

I also do see several reports about this

https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1631104
https://github.com/systemd/systemd/issues/6011#issuecomment-304617744

I'm actually not sure what LimitNPROC is really limiting (the Lennart
comment about this counting processes on other containers really made me
think that this might have been the wrong knob from the beginning).

Bernhard
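As an added example (not part of this bug thread), a shell check a defender can run before lowering LimitNPROC on a unit whose scripts switch to a shared account such as nobody: it counts the tasks the kernel charges to one real uid, the quantity RLIMIT_NPROC is compared against, and reports whether a given limit still leaves room. The function names `count_uid_procs`, `nproc_headroom` and `check_unit_nproc` are my own, and the script assumes a Linux /proc and a systemd whose `systemctl show --value` is available.

```shell
#!/bin/sh
# Added example, not from the bug report. RLIMIT_NPROC is enforced per real
# uid across every task of that uid on the host (root is exempt), so the
# helper processes of all service instances that drop to "nobody" share
# the same pool of slots.

# Count tasks (processes plus their threads) whose real uid is $1.
count_uid_procs() {
    uid=$1
    n=0
    for st in /proc/[0-9]*/status; do
        # "Uid:" = real, effective, saved, fs uid; "Threads:" = tasks in the group
        info=$(awk '/^Uid:/ {u=$2} /^Threads:/ {t=$2} END {print u, t}' "$st" 2>/dev/null) || continue
        ruid=${info%% *}
        thr=${info##* }
        [ "$ruid" = "$uid" ] && n=$((n + ${thr:-1}))
    done
    echo "$n"
}

# Exit 0 if uid $1 can still create $3 more tasks (default 1) under limit $2.
# The kernel refuses a fork once the uid's count has reached the limit.
nproc_headroom() {
    uid=$1
    limit=$2
    need=${3:-1}
    cur=$(count_uid_procs "$uid")
    [ $((cur + need)) -le "$limit" ]
}

# Read the effective LimitNPROC of a unit and check headroom for a user,
# e.g. check_unit_nproc openvpn@server1.service nobody 20 for 20 instances.
check_unit_nproc() {
    unit=$1
    user=$2
    need=${3:-1}
    uid=$(id -u "$user") || return 2
    limit=$(systemctl show "$unit" -p LimitNPROC --value) || return 2
    [ "$limit" = infinity ] && { echo "$unit: LimitNPROC=infinity, no per-uid cap"; return 0; }
    cur=$(count_uid_procs "$uid")
    if nproc_headroom "$uid" "$limit" "$need"; then
        echo "$unit: uid $uid has $cur tasks, limit $limit: ok"
    else
        echo "$unit: uid $uid has $cur tasks, limit $limit: $need more would fail"
        return 1
    fi
}
```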
