Re: [Mageia-dev] OpenVPN missing PID dir

2012-11-25 Thread Colin Guthrie
'Twas brillig, and Richard Couture at 23/11/12 20:44 did gyre and gimble:
> While teaching a class in OpenVPN today I noted that urpmi does NOT
> create the /var/run/openvpn directory which openvpn uses to write its PID
>
> This causes openvpn sufficient grief that it refuses to start...
>
> My system uses MGA 2 with all updates applied

This should be done with systemd-tmpfiles these days (as mga3 is
moving to /var/run and /var/lock on tmpfs) and IIRC the openvpn package
in mga2 does this already.

Looking more closely however, I can see a few packaging bugs:

1. systemd-tmpfiles --create is not run in the %post (before
add-service helper) (note that on cauldron the command must be:
systemd-tmpfiles --create openvpn.conf). This means that you'll need a
reboot before openvpn will work on mga2 after installing it.

2. The tmpfiles.d snippet is included in /etc/tmpfiles.d. This is wrong.
It should be in /usr/lib/tmpfiles.d/ (/etc is for admin overrides).

With the fix in 1. or a simple reboot, it should be working fine. I'll
see about adding the fix to an update package.

Col

-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/


Re: [Mageia-dev] OpenVPN missing PID dir

2012-11-25 Thread Colin Guthrie
'Twas brillig, and Colin Guthrie at 25/11/12 11:44 did gyre and gimble:
> 'Twas brillig, and Richard Couture at 23/11/12 20:44 did gyre and gimble:
>> While teaching a class in OpenVPN today I noted that urpmi does NOT
>> create the /var/run/openvpn directory which openvpn uses to write its PID
>>
>> This causes openvpn sufficient grief that it refuses to start...
>>
>> My system uses MGA 2 with all updates applied
>
> This should be done with systemd-tmpfiles these days (as mga3 is
> moving to /var/run and /var/lock on tmpfs) and IIRC the openvpn package
> in mga2 does this already.
>
> Looking more closely however, I can see a few packaging bugs:
>
> 1. systemd-tmpfiles --create is not run in the %post (before
> add-service helper) (note that on cauldron the command must be:
> systemd-tmpfiles --create openvpn.conf). This means that you'll need a
> reboot before openvpn will work on mga2 after installing it.
>
> 2. The tmpfiles.d snippet is included in /etc/tmpfiles.d. This is wrong.
> It should be in /usr/lib/tmpfiles.d/ (/etc is for admin overrides).
>
> With the fix in 1. or a simple reboot, it should be working fine. I'll
> see about adding the fix to an update package.

Please track this issue via:
https://bugs.mageia.org/show_bug.cgi?id=8200

Col




Re: [Mageia-dev] OpenVPN missing PID dir

2012-11-25 Thread Olivier Blin
Colin Guthrie mag...@colin.guthr.ie writes:

> 1. systemd-tmpfiles --create is not run in the %post (before
> add-service helper) (note that on cauldron the command must be:
> systemd-tmpfiles --create openvpn.conf). This means that you'll need a
> reboot before openvpn will work on mga2 after installing it.

Hi,

Shouldn't this be done through a rpm filetrigger?

-- 
Olivier Blin - blino


Re: [Mageia-dev] OpenVPN missing PID dir

2012-11-25 Thread Colin Guthrie
'Twas brillig, and Olivier Blin at 25/11/12 15:19 did gyre and gimble:
> Colin Guthrie mag...@colin.guthr.ie writes:
>
>> 1. systemd-tmpfiles --create is not run in the %post (before
>> add-service helper) (note that on cauldron the command must be:
>> systemd-tmpfiles --create openvpn.conf). This means that you'll need a
>> reboot before openvpn will work on mga2 after installing it.
>
> Hi,
>
> Shouldn't this be done through a rpm filetrigger?

I don't think there is a way to specify which files triggered the file
trigger is there?

Basically we'd need to know the basename of the file that changed, also
there are times when it has to be excluded (e.g. some files should not
be run except at boot).

For now I've been adding the relevant calls to the rpms that need them.
It's pretty simple, but would be nice if it wasn't needed. It could, in
most cases, be combined with %_post_service, but again, I'm not sure
it's worth the hassle as there will always be cases where it needs to
happen outside of this structure too.

Col




Re: [Mageia-dev] OpenVPN missing PID dir

2012-11-25 Thread Olivier Blin
Colin Guthrie mag...@colin.guthr.ie writes:

> 'Twas brillig, and Olivier Blin at 25/11/12 15:19 did gyre and gimble:
>> Colin Guthrie mag...@colin.guthr.ie writes:
>>
>>> 1. systemd-tmpfiles --create is not run in the %post (before
>>> add-service helper) (note that on cauldron the command must be:
>>> systemd-tmpfiles --create openvpn.conf). This means that you'll need a
>>> reboot before openvpn will work on mga2 after installing it.
>>
>> Hi,
>>
>> Shouldn't this be done through a rpm filetrigger?
>
> I don't think there is a way to specify which files triggered the file
> trigger is there?
>
> Basically we'd need to know the basename of the file that changed, also
> there are times when it has to be excluded (e.g. some files should not
> be run except at boot).

Looks like this list is available to the script from stdin, see
/var/lib/rpm/filetriggers/httpd.script or
/var/lib/rpm/filetriggers/pear.script



Re: [Mageia-dev] OpenVPN missing PID dir

2012-11-25 Thread Colin Guthrie
'Twas brillig, and Olivier Blin at 25/11/12 23:31 did gyre and gimble:
> Colin Guthrie mag...@colin.guthr.ie writes:
>
>> 'Twas brillig, and Olivier Blin at 25/11/12 15:19 did gyre and gimble:
>>> Colin Guthrie mag...@colin.guthr.ie writes:
>>>
>>>> 1. systemd-tmpfiles --create is not run in the %post (before
>>>> add-service helper) (note that on cauldron the command must be:
>>>> systemd-tmpfiles --create openvpn.conf). This means that you'll need a
>>>> reboot before openvpn will work on mga2 after installing it.
>>>
>>> Hi,
>>>
>>> Shouldn't this be done through a rpm filetrigger?
>>
>> I don't think there is a way to specify which files triggered the file
>> trigger is there?
>>
>> Basically we'd need to know the basename of the file that changed, also
>> there are times when it has to be excluded (e.g. some files should not
>> be run except at boot).
>
> Looks like this list is available to the script from stdin, see
> /var/lib/rpm/filetriggers/httpd.script or
> /var/lib/rpm/filetriggers/pear.script

OK good to know.

Sadly the ordering is still wrong as this needs to be run after %pre but
before any calls to %_post_service (i.e. in %post).

As a result I don't think it's really possible to automate this. It
could be added to a filetrigger for safety and baked into
%_post_service but it still doesn't cover several corner cases, and I
don't think it's really worth the bother personally.

Col


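Olivier's stdin point and Colin's point 1 together, as an added example that is not code from the thread or from Mageia's openvpn package: a filetrigger-style helper that reads rpm's changed-path list from stdin and selects the tmpfiles.d snippets to hand to systemd-tmpfiles --create (the cauldron form, by snippet name), while flagging a snippet shipped under /etc/tmpfiles.d (Colin's point 2). The function names, the SYSTEMD_TMPFILES override and the SAMPLE_PATHS input are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread or from Mageia's openvpn package.
# rpm hands a filetrigger the changed paths on stdin; this picks out the
# tmpfiles.d snippets and runs "systemd-tmpfiles --create <name>.conf".

# Print the basename of each tmpfiles.d snippet in the path list on stdin.
# /etc/tmpfiles.d is for admin overrides, not for a package's own file,
# so a snippet found there is reported on stderr instead of being used.
tmpfiles_confs_from_stdin() {
    while IFS= read -r path; do
        case "$path" in
            /usr/lib/tmpfiles.d/*.conf)
                printf '%s\n' "${path##*/}" ;;
            /etc/tmpfiles.d/*.conf)
                printf 'packaging bug: %s belongs in /usr/lib/tmpfiles.d/\n' \
                    "$path" >&2 ;;
        esac
    done
}

# Create the runtime dirs for every snippet named on stdin. SYSTEMD_TMPFILES
# is an assumed override hook so this can be exercised without root
# (e.g. SYSTEMD_TMPFILES=echo); the default is the usual binary path.
create_from_stdin() {
    tmpfiles_confs_from_stdin | while IFS= read -r conf; do
        "${SYSTEMD_TMPFILES:-/usr/bin/systemd-tmpfiles}" --create "$conf"
    done
}

# Constructed sample of a filetrigger's stdin: the snippet in the right place,
# an unrelated openvpn config, and a snippet wrongly shipped under /etc.
SAMPLE_PATHS='/usr/lib/tmpfiles.d/openvpn.conf
/etc/openvpn/client.conf
/etc/tmpfiles.d/misplaced.conf'

# Snippet names the sample above would pass to systemd-tmpfiles.
sample_confs() {
    printf '%s\n' "$SAMPLE_PATHS" | tmpfiles_confs_from_stdin 2>/dev/null
}
```

Colin's ordering caveat still applies: a filetrigger runs too late for %_post_service, so the package %post has to call systemd-tmpfiles --create openvpn.conf itself before the add-service helper.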


Re: [Mageia-dev] OpenVPN missing PID dir

2012-11-25 Thread Richard Couture

I didn't mean to open a can of worms, but since it's open ...

With script-security 2 added to the client.conf, openvpn starts just
fine with the command   systemctl restart openvpn@client.service   UNTIL
you add the parameter   auth-user-pass   to the client.conf.
Once that param is added, openvpn refuses to start via systemd though it
starts just fine via sys5:

[root@pwyr openvpn]# cd /etc/init.d/
[root@pwyr init.d]# ./openvpn restart
Shutting down openvpn: [  OK  ]
Starting openvpn: Enter Auth Username:rrc
Enter Auth Password:
   [  OK  ]

Since we're looking at openvpn, hopefully we can figure out what this is
all about as this param is EXTREMELY important to harden the security of
openvpn.


Thanks

Richard



On 11/25/2012 06:18 PM, Colin Guthrie wrote:
> 'Twas brillig, and Olivier Blin at 25/11/12 23:31 did gyre and gimble:
>> Colin Guthrie mag...@colin.guthr.ie writes:
>>
>>> 'Twas brillig, and Olivier Blin at 25/11/12 15:19 did gyre and gimble:
>>>> Colin Guthrie mag...@colin.guthr.ie writes:
>>>>
>>>>> 1. systemd-tmpfiles --create is not run in the %post (before
>>>>> add-service helper) (note that on cauldron the command must be:
>>>>> systemd-tmpfiles --create openvpn.conf). This means that you'll need a
>>>>> reboot before openvpn will work on mga2 after installing it.
>>>>
>>>> Hi,
>>>>
>>>> Shouldn't this be done through a rpm filetrigger?
>>>
>>> I don't think there is a way to specify which files triggered the file
>>> trigger is there?
>>>
>>> Basically we'd need to know the basename of the file that changed, also
>>> there are times when it has to be excluded (e.g. some files should not
>>> be run except at boot).
>>
>> Looks like this list is available to the script from stdin, see
>> /var/lib/rpm/filetriggers/httpd.script or
>> /var/lib/rpm/filetriggers/pear.script
>
> OK good to know.
>
> Sadly the ordering is still wrong as this needs to be run after %pre but
> before any calls to %_post_service (i.e. in %post).
>
> As a result I don't think it's really possible to automate this. It
> could be added to a filetrigger for safety and baked into
> %_post_service but it still doesn't cover several corner cases, and I
> don't think it's really worth the bother personally.
>
> Col




--
LinuxCabal Asociación Civil
Ing. Richard Couture
Novell CNE, ECNE, MCNE
HP/Compaq ASE
Tel.: (+52) (333) 145-2638
Cel.: (+52) (044) 333 377-7505
Cel.: (+52) (044) 333 377-7506
Web: http://www.LinuxCabal.org
E-Mail: r...@linuxcabal.org
Hosted in the cloud by Cloud Sigma - www.CloudSigma.com

CONFIDENTIALITY NOTICE: This e-mail, including, where applicable, any
files attached to it, may contain confidential and/or privileged
information and is sent solely and exclusively for the attention of the
person and/or entity to whom it is addressed. Copying, reviewing, using,
disclosing and/or distributing such confidential information without the
written authorization of LinuxCabal is prohibited. If you are not the
addressee of this e-mail, please contact the sender by replying to this
e-mail and delete the original e-mail including its attachments, as well
as any copies of it. By receiving this e-mail you acknowledge and accept
that in the event of a breach of the above terms by you and/or your
representatives, LinuxCabal shall be entitled to the damages this causes it.




[Mageia-dev] OpenVPN missing PID dir

2012-11-23 Thread Richard Couture
While teaching a class in OpenVPN today I noted that urpmi does NOT
create the /var/run/openvpn directory which openvpn uses to write its PID


This causes openvpn sufficient grief that it refuses to start...

My system uses MGA 2 with all updates applied



Richard