On 10/10/17 04:02 PM, Bernhard Schmidt wrote:
> I think what we actually want is
>
> TasksMax=N
>     Specify the maximum number of tasks that may be created in the
>     unit. This ensures that the number of tasks accounted for the
>     unit (see above) stays below a specific limit. This either
>     takes an absolute number of tasks or a percentage value that is
>     taken relative to the configured maximum number of tasks on the
>     system. If assigned the special value "infinity", no tasks
>     limit is applied. This controls the "pids.max" control group
>     attribute. For details about this control group attribute, see
>     pids.txt[6].
>
>     Implies "TasksAccounting=true". The system default for this
>     setting may be controlled with DefaultTasksMax= in
>     systemd-system.conf(5).

I've decided to jump and uploaded this change for the Debian native openvpn@.service with 2.6.0~git20221222-1. I think this so much better fits the actual threat model, and since this is supposed to be a real limit per instance thing we should safely be able to revert back to the original limit of 10 processes.

I plan to have this tested in the native Debian unit first, and then approach upstream again or patch the upstream units or revert the change, depending on the outcome.

https://salsa.debian.org/debian/openvpn/-/commit/9be1339d15aec767796dd5d524f14e4be7b01aa7

Bernhard
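
One way to confirm that a running instance really carries the per-unit limit the quoted TasksMax= text describes, by reading the "pids.max" attribute it controls (an added example, not part of the message above or of the Debian package). It assumes a cgroup v2 hierarchy; the function name, its return codes and the use of `pids.current` and `pids.events` are choices made for this example.

```shell
#!/bin/sh
# Added example: audit the cgroup v2 pids controller files of one unit.
# Assumption: CGROUP_DIR is the unit's cgroup directory, i.e. /sys/fs/cgroup
# followed by the path that `systemctl show -p ControlGroup UNIT` reports.

# audit_pids_limit CGROUP_DIR EXPECTED_MAX
# Prints one status line. Returns 0 = limit as expected and never hit,
# 1 = no limit or a different limit, 2 = limit was hit, 3 = files unreadable.
audit_pids_limit() {
    dir=$1
    expected=$2
    [ -r "$dir/pids.max" ] && [ -r "$dir/pids.current" ] || {
        echo "UNKNOWN $dir: pids controller files not readable"
        return 3
    }
    max=$(cat "$dir/pids.max")
    cur=$(cat "$dir/pids.current")
    # pids.events carries "max N": how many forks the kernel refused
    # because the unit was already at pids.max.
    hits=0
    if [ -r "$dir/pids.events" ]; then
        hits=$(awk '$1 == "max" { print $2 }' "$dir/pids.events")
        hits=${hits:-0}
    fi
    if [ "$max" = "max" ]; then
        # "max" is what the kernel shows when TasksMax=infinity applies.
        echo "UNLIMITED $dir: no tasks limit, current=$cur"
        return 1
    fi
    if [ "$max" != "$expected" ]; then
        echo "MISMATCH $dir: pids.max=$max expected=$expected current=$cur"
        return 1
    fi
    if [ "$hits" -gt 0 ]; then
        echo "LIMIT-HIT $dir: $hits fork(s) refused at pids.max=$max current=$cur"
        return 2
    fi
    echo "OK $dir: current=$cur of max=$max"
    return 0
}
```

A LIMIT-HIT result on an otherwise healthy instance means the configured limit is too tight for that instance's normal operation, which is the outcome the test period is meant to surface.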