Opened 5 years ago

Last modified 3 years ago

#479 new Bug / Defect

Ensure documentation recommends using /var/run for --status files

Reported by: David Sommerseth Owned by:
Priority: minor Milestone: release 2.4
Component: Documentation Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: selinux documentation

Description (last modified by Steffan Karger)

Update: this should be /var/run, not /var/log. See comments.

There are several misconfigurations which make openvpn fail due to --status /etc/openvpn/openvpn-status.log being used instead of /var/log/openvpn-status.log. This happens especially on systems with SELinux enabled, as most SELinux policies do not grant the openvpn process write privileges in /etc.

As the --status file is more like a log file (most examples even use .log extension), placing it in /var/log makes more sense and matches most SELinux policies as well. I suggest using /var/log/openvpn-status.log in all examples.

# semanage fcontext --list | grep openvpn-status
/var/log/openvpn-status\.log.*    regular file    system_u:object_r:openvpn_status_t:s0 

More reports on this issue in Fedora:

Change History (5)

comment:1 Changed 5 years ago by plaisthos

Debian (and Ubuntu) use /var/run for status files.

comment:2 Changed 5 years ago by David Sommerseth

After some quick IRC discussions, we should strongly consider using /var/run (or /run) as the preferred location for the status file. The status file isn't really a log file, and the status file is re-written completely on updates, while log files generally are appended to.

Fedora 19+ and RHEL7 use /run, and newer Debian seems to use /run too. RHEL6 and older only have /var/run available, as most likely do all other non-systemd distros.

In addition, the systemd unit files we ship should also be updated accordingly, enabling --status by default in the unit file for server configurations.

The documentation should use /var/run/openvpn/$FILENAME.log consistently in all examples.
For systemd based distros, I suggest using /run/openvpn/$FILENAME.log (when starting via unit files). This is aligned with current practices in Debian.

Some co-ordination with SELinux upstream will be required with this suggestion, to get these new guidelines covered in the default policy.

comment:3 Changed 5 years ago by David Sommerseth

A patch updating the systemd unit file(s) to also implement these suggestions has been sent to the mailing list:

comment:4 Changed 3 years ago by Steffan Karger

Description: modified (diff)
Summary: changed from "Ensure documentation recommends using /var/log for --status files" to "Ensure documentation recommends using /var/run for --status files"

Updated ticket title and description to avoid confusion. (It confused me at first.)

comment:5 Changed 3 years ago by Steffan Karger

Just looked into the 'documentation', but the only references I could find were in sample-configs/server.conf, which has:

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

We can change those to /var/run and /var/log respectively, but those paths won't work on Windows anymore. The current practice of not using a path works on all OSes. I'm not sure what to do with this.
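A small lint for the path choices discussed in this ticket, added here as an example and not code from the OpenVPN project: it classifies the `status`, `log` and `log-append` directives of a server config according to the placement rules the comments above converge on (status file under /run or /var/run, logs under /var/log, nothing writable under /etc on a stock SELinux policy). The function name and the message wording are the example's own.

```shell
# Lint the writable-file directives of an OpenVPN server config for the
# placement problems discussed in this ticket.  Constructed example, not
# OpenVPN project code.  Reads the config on stdin, prints one finding
# per directive, and returns 1 if any finding is a hard error.
check_openvpn_paths() {
    rc=0
    seen_log=0
    seen_append=0
    while read -r key val rest; do
        # Skip blank lines and '#' / ';' comments, as OpenVPN does.
        case "$key" in ''|'#'*|';'*) continue ;; esac
        case "$key" in
        status)
            case "$val" in
            /run/*|/var/run/*)
                echo "ok:    status $val (runtime dir; file is rewritten on each update)" ;;
            /etc/*)
                echo "ERROR: status $val (stock SELinux policy denies writes under /etc)"
                rc=1 ;;
            /*)
                echo "warn:  status $val (absolute path outside /run or /var/run)" ;;
            *)
                echo "warn:  status $val (relative path; resolved against cwd or --cd)" ;;
            esac ;;
        log|log-append)
            if [ "$key" = log ]; then seen_log=1; else seen_append=1; fi
            case "$val" in
            /var/log/*)
                echo "ok:    $key $val" ;;
            /etc/*)
                echo "ERROR: $key $val (stock SELinux policy denies writes under /etc)"
                rc=1 ;;
            *)
                echo "warn:  $key $val (expected a file under /var/log)" ;;
            esac ;;
        esac
    done
    if [ "$seen_log" = 1 ] && [ "$seen_append" = 1 ]; then
        echo "ERROR: both log and log-append are set; use one or the other"
        rc=1
    fi
    return "$rc"
}
# Demo on a constructed config mirroring the misconfiguration in the ticket.
check_openvpn_paths <<'EOF' || echo "=> config needs fixing"
status /etc/openvpn/openvpn-status.log
;log         openvpn.log
log-append   /var/log/openvpn.log
EOF
```

Run it as `check_openvpn_paths < /etc/openvpn/server.conf`; a relative `status openvpn-status.log` as in the shipped sample only produces a warning, since it works everywhere but depends on the working directory.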
