Browse code
systemd: Do not race on RuntimeDirectory
Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.
So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and its content.
As /run is volatile we do not have to care about cleanup.
Signed-off-by: Christian Hesse <mail@eworm.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170124143947.27385-2-list@eworm.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Christian Hesse authored on 2017/01/24 23:39:47Showing 5 changed files
- configure.ac
- distro/systemd/Makefile.am
- distro/systemd/openvpn-client@.service.in
- distro/systemd/openvpn-server@.service.in
- distro/systemd/tmpfiles-openvpn.conf
| ... | ... |
@@ -379,6 +379,7 @@ AC_ARG_VAR([MAN2HTML], [path to man2html utility]) |
| 379 | 379 |
AC_ARG_VAR([GIT], [path to git utility]) |
| 380 | 380 |
AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility]) |
| 381 | 381 |
AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@]) |
| 382 |
+AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@]) |
|
| 382 | 383 |
AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) |
| 383 | 384 |
AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) |
| 384 | 385 |
AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin]) |
| ... | ... |
@@ -1106,6 +1107,12 @@ if test "$enable_systemd" = "yes" ; then |
| 1106 | 1106 |
else |
| 1107 | 1107 |
systemdunitdir="\${libdir}/systemd/system"
|
| 1108 | 1108 |
fi |
| 1109 |
+ |
|
| 1110 |
+ if test -n "${TMPFILES_DIR}"; then
|
|
| 1111 |
+ tmpfilesdir="${TMPFILES_DIR}"
|
|
| 1112 |
+ else |
|
| 1113 |
+ tmpfilesdir="\${libdir}/tmpfiles.d"
|
|
| 1114 |
+ fi |
|
| 1109 | 1115 |
fi |
| 1110 | 1116 |
|
| 1111 | 1117 |
|
| ... | ... |
@@ -1283,6 +1290,7 @@ AC_SUBST([plugindir]) |
| 1283 | 1283 |
AC_SUBST([sampledir]) |
| 1284 | 1284 |
|
| 1285 | 1285 |
AC_SUBST([systemdunitdir]) |
| 1286 |
+AC_SUBST([tmpfilesdir]) |
|
| 1286 | 1287 |
|
| 1287 | 1288 |
VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/" |
| 1288 | 1289 |
VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist" |
| ... | ... |
@@ -13,6 +13,7 @@ |
| 13 | 13 |
$< > $@.tmp && mv $@.tmp $@ |
| 14 | 14 |
|
| 15 | 15 |
EXTRA_DIST = \ |
| 16 |
+ tmpfiles-openvpn.conf \ |
|
| 16 | 17 |
openvpn-client@.service.in \ |
| 17 | 18 |
openvpn-server@.service.in |
| 18 | 19 |
|
| ... | ... |
@@ -20,6 +21,11 @@ if ENABLE_SYSTEMD |
| 20 | 20 |
systemdunit_DATA = \ |
| 21 | 21 |
openvpn-client@.service \ |
| 22 | 22 |
openvpn-server@.service |
| 23 |
+tmpfiles_DATA = \ |
|
| 24 |
+ tmpfiles-openvpn.conf |
|
| 25 |
+ |
|
| 26 |
+install-data-hook: |
|
| 27 |
+ mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf |
|
| 23 | 28 |
endif |
| 24 | 29 |
|
| 25 | 30 |
MAINTAINERCLEANFILES = \ |
| ... | ... |
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO |
| 9 | 9 |
[Service] |
| 10 | 10 |
Type=notify |
| 11 | 11 |
PrivateTmp=true |
| 12 |
-RuntimeDirectory=openvpn-client |
|
| 13 |
-RuntimeDirectoryMode=0710 |
|
| 14 | 12 |
WorkingDirectory=/etc/openvpn/client |
| 15 | 13 |
ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf |
| 16 | 14 |
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE |
| ... | ... |
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO |
| 9 | 9 |
[Service] |
| 10 | 10 |
Type=notify |
| 11 | 11 |
PrivateTmp=true |
| 12 |
-RuntimeDirectory=openvpn-server |
|
| 13 |
-RuntimeDirectoryMode=0710 |
|
| 14 | 12 |
WorkingDirectory=/etc/openvpn/server |
| 15 | 13 |
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf |
| 16 | 14 |
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE |