FS#49499 - [openvpn] Update 2.3.10-1 -> 2.3.11-1 completely breaks openvpn (for chroot only ?)

Attached to Project: Arch Linux
Opened by Björn Wiedenmann (rtfm3514) - Saturday, 28 May 2016, 18:23 GMT
Last edited by Christian Hesse (eworm) - Wednesday, 22 June 2016, 20:58 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Thomas Bächler (brain0)
Christian Hesse (eworm)
Bartłomiej Piotrowski (Barthalion)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Update openvpn 2.3.10-1 -> 2.3.11-1 completely breaks openvpn for me as it doesn't start properly anymore (systemctl and journalctl also report unit as failed, but do not give any more useful information beyond that).

I am running openvpn chrooted under the openvpn:openvpn uid:gid with a jail at /etc/openvpn/jail. Logs go to /var/log/openvpn/.

I am fairly certain the culprit is somewhere with these recent changes to the systemd unit file:
diff --git a/trunk/openvpn@.service b/trunk/openvpn@.service
index 94ba026..75da227 100644
--- a/trunk/openvpn@.service
+++ b/trunk/openvpn@.service
@@ -2,9 +2,14 @@
Description=OpenVPN connection to %i

[Service]
+PrivateTmp=true
Type=forking
-ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid
+ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2
PIDFile=/run/openvpn@%i.pid
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target
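Review bot: the new CapabilityBoundingSet line omits CAP_DAC_OVERRIDE, so although openvpn still starts as uid 0, its start-up checks on the --status and --tmp-dir paths (ordinary access(2) checks, done before the chroot and before any user/group switch, as far as I can tell) are now bound by the plain mode bits; a status file or jail/tmp directory owned by openvpn:openvpn with a 0600/0700 mode then fails exactly like the two "Permission denied" lines quoted below. Either add CAP_DAC_OVERRIDE to the set, or document with the package that every path openvpn writes at start-up must be writable by root under plain DAC (root-owned, or group/other writable). The same note should say that, because of the new PrivateTmp=true, a "chroot /tmp" in a config refers to the service's private /tmp rather than the host's.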

My error log shows this:
Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied
Options error: Temporary directory (--tmp-dir) fails with '/etc/openvpn/jail//tmp': Permission denied
Options error: Please correct these errors.

I am actually not sure if it's one or two problems (one with the /tmp dir and another with the status log, as the Exec command also changed). Maybe the capability set specified is too restrictive for chroot operation? Unfortunately, I don't really know how to debug this properly.

As a check and temporary workaround I installed the previous systemd unit file as an override in /etc/systemd/system and now openvpn works again.

Closed by Christian Hesse (eworm)
Wednesday, 22 June 2016, 20:58 GMT
Reason for closing: Works for me
Additional comments about closing: Reporter found settings that suit his situation.
Comment by Christian Hesse (eworm) - Monday, 30 May 2016, 20:31 GMT
Trying to reproduce this... Can you provide your config?
Comment by Björn Wiedenmann (rtfm3514) - Tuesday, 31 May 2016, 09:25 GMT
There you go ... I wonder, maybe it's also got to do with the "persist-*" options. I read up on them and I think I kinda need them to have the privilege downgrade work across a rekey.

Thanks a lot for looking into this :)
Comment by Christian Hesse (eworm) - Tuesday, 31 May 2016, 10:33 GMT
I do not have a server around to test with, so I tried with a client.
Using a chroot works for me. I just had to make sure that a directory 'tmp' exists in jail ('/etc/openvpn/jail/tmp' in your case) and /var/log/openvpn/ exists with write permissions.
Openvpn opens log and status files before chrooting, so writing to host's /var/log/ should work perfectly fine.
Comment by Christian Hesse (eworm) - Tuesday, 31 May 2016, 10:47 GMT
Ah, just some extra notes... As we use private tmp, using /tmp for the jail is just fine.
And to work around the missing subdir, just give tmp-dir /. This works for me out of the box:

chroot /tmp
tmp-dir /
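A pre-flight check for the two paths behind the "Permission denied" lines in the report, covering the directories Christian says must exist and be writable (added example, not code from the report, the Arch package or OpenVPN; it assumes GNU stat and reads the unit's capability set as leaving root bound by plain mode bits):

```shell
#!/bin/sh
# Added pre-flight check for a chrooted openvpn@.service instance; not code from
# the report or the Arch package. It answers the question behind the two
# "Options error ... Permission denied" lines: could a given uid/gid write a
# path using only its mode bits, i.e. without CAP_DAC_OVERRIDE, which the
# updated unit's CapabilityBoundingSet omits. Assumes GNU stat (-c).
dac_writable() {
    path=$1; uid=$2; gid=$3
    [ -e "$path" ] || return 1
    set -- $(stat -c '%u %g %a' "$path")
    [ $# -eq 3 ] || return 1
    owner=$1; group=$2; mode=$3
    perm=${mode#"${mode%???}"}          # last three octal digits (drop setuid/sticky)
    o=${perm%??}; rest=${perm#?}; g=${rest%?}; w=${perm#??}
    # Linux DAC: owner class if uid matches, else group class, else other class
    if [ "$owner" -eq "$uid" ]; then
        [ $((o & 2)) -ne 0 ]
    elif [ "$group" -eq "$gid" ]; then
        [ $((g & 2)) -ne 0 ]
    else
        [ $((w & 2)) -ne 0 ]
    fi
}

# Mirrors the start-up checks the report tripped over: JAIL/tmp must exist and
# be writable, and the status file must be writable (or, if it does not exist
# yet, its directory must be). UID/GID default to root, the identity openvpn
# has when it performs these checks. Prints each failure; returns 1 if any.
openvpn_preflight() {
    jail=$1; status=$2; uid=${3:-0}; gid=${4:-0}; rc=0
    if ! dac_writable "$jail/tmp" "$uid" "$gid"; then
        echo "tmp-dir $jail/tmp: missing or not writable for uid $uid"; rc=1
    fi
    target=$status
    [ -e "$status" ] || target=$(dirname "$status")
    if ! dac_writable "$target" "$uid" "$gid"; then
        echo "status $status: not writable for uid $uid"; rc=1
    fi
    return $rc
}

# Usage with the paths from the report (run as root on the real host):
# openvpn_preflight /etc/openvpn/jail /var/log/openvpn/openvpn-status.log
```

Pass the uid/gid of the openvpn user as the third and fourth arguments to repeat the check for the paths it touches after the privilege drop.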
Comment by Björn Wiedenmann (rtfm3514) - Thursday, 02 June 2016, 20:40 GMT
Hi Christian,

thank you very much for the speedy response and sorry for the late reply. I only had time just now to follow up on your suggestions.

I added your chroot and tmp-dir options, they did take care of one of the two problems, even though I don't know why it would make a difference (the perms were correct before on the jail and the tmp subdir already existed, I double-checked).

The other problem was still causing problems though. I had to disable the status log in order to make OpenVPN start, but I don't care much, as I never used it anyway (no idea why it was switched on in the first place).

My overall observation is that there definitely seems to be a general issue with these log files and the chrooting, since after the above changes OpenVPN did start but the normal log also wouldn't log at all anymore; it just disappeared. This final problem I worked around by deleting the log-append option, and my log is not going to a dedicated file now, but rather to syslog.

So, to summarize: do I really know what was going on here? Not really. But am I happy now? Well, kind of. My problem is fixed for the time being, and I am using a current version of the systemd unit file again.

You may close this bug now if you wish. I leave the choice to you. Should you wanna investigate further, however, I would still offer my help, as the whole issue is a little naggy.

I did actually go back to my original idea of checking the capabilities of the OpenVPN process, but it seems it might have dropped all of them (which could actually be the problem).

In any case, thanks again for your help.
Comment by Christian Hesse (eworm) - Wednesday, 22 June 2016, 20:57 GMT
Closing for now, looks like everybody is happy as-is.
Feel free to drop me a note with your exact file and directory permissions. I will take a look when I have some spare time.
