On 07/09/17 23:02, fragmentux wrote:
> Hi,
>
> all your comments are totally valid from a sys-admin point of view but
> from an openvpn POV, the only responsibility is to provide a secure VPN.
>
> Use all of systemd's functions to maximize openvpn's process *security*
> But *forcing* restart as an almost unconditional default is nonsense.

We are in the position to promote sane and good defaults. This behaviour is considered sane and good by many sys-admins. So when these two view-points intersect, I see no harm in us actually promoting this change.

> How would you do this for non-systemd systems ?

Isn't that obvious? systemd unit files are for systemd. Non-systemd systems don't have systemd unit files, thus there is very little we can do about them.

> I disagree with making this change to the default
> openvpn-server@.service unit file.

Your opposition has been noted.

> If you really want to include them then how about:
>
> Either:
> openvpn-server@.service (responsible for start/stop etc actions)
> openvpn-server-auto-restart@.service (speaks for itself)

NAK. This is not how the design around systemd unit files is intended to be used. Plus: there already exists a Debian bug ticket where there are comments about us adding 2 more unit files. If adding even more, I can already sense the heat increasing on that ticket.

> Or rather
> include extra .service files in ./contrib. as samples or such.

NAK. I'd rather have a document simply describing how to change the defaults using 'systemctl edit'. Which is exactly how systemd is designed to be used. But we should have a baseline of recommended defaults, and sys-admins can choose to opt-out of these defaults through standard mechanisms, not by adding complexity through more unit files to scan through.

Just imagine a system which actively uses both openvpn-server@ and openvpn-server-autorestart@. Unless we also split up /etc/openvpn/server ... it will be even more confusing when investigating a server in 2 years why something is misbehaving. "Did this config run through this or that unit file?". openvpn-server@ is clear and specific, it handles server configurations. Period.

If you want a specific configuration or all openvpn-server@ OpenVPN configurations to behave differently from the recommended defaults, then you do that through 'systemctl edit', where it is very visible if this specific configuration has some additional tweaks or not - through 'systemctl status'. This way sys-admins won't have to remember or research which 'sub-unit file' of openvpn-server@ to achieve a specific behaviour.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
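The opt-out route described in the message above, as an added example that is not part of the original mail or of OpenVPN's shipped files: it writes the drop-in that 'systemctl edit' would create, either for one configuration or for every openvpn-server@ instance, and lists existing overrides for later audits. `Restart=no` as the opt-out value, the instance name `office` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not OpenVPN project code). Assumes the administrator wants
# to opt out of an auto-restart default by setting Restart=no in a drop-in.

# Directory systemd reads administrator overrides from. Can be pointed at a
# scratch directory for a dry run.
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"

# dropin_path [INSTANCE]: print the override.conf path 'systemctl edit' uses.
#   no argument -> template-wide drop-in (all openvpn-server@ instances)
#   INSTANCE    -> drop-in for that single configuration only
dropin_path() {
    if [ -n "${1:-}" ]; then
        printf '%s/openvpn-server@%s.service.d/override.conf\n' "$UNIT_DIR" "$1"
    else
        printf '%s/openvpn-server@.service.d/override.conf\n' "$UNIT_DIR"
    fi
}

# disable_auto_restart [INSTANCE]: write the drop-in and print its path.
# On a live system follow up with 'systemctl daemon-reload' and restart the
# affected unit; 'systemctl status' then shows the file on its Drop-In line.
disable_auto_restart() {
    f=$(dropin_path "${1:-}")
    mkdir -p "$(dirname "$f")" || return 1
    printf '[Service]\nRestart=no\n' > "$f" || return 1
    printf '%s\n' "$f"
}

# list_overrides: print every drop-in affecting openvpn-server@ units, so a
# later investigation sees which configurations deviate from the defaults.
list_overrides() {
    for f in "$UNIT_DIR"/openvpn-server@*.service.d/*.conf; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Usage (hypothetical instance name "office"):
#   disable_auto_restart office   # only /etc/openvpn/server/office.conf
#   disable_auto_restart          # every openvpn-server@ instance
#   list_overrides
```

Because the template unit stays the single entry point, the deviation lives in one visible file per instance instead of in a second unit name.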