Opened 10 years ago
Last modified 8 years ago
#479 new Bug / Defect
Ensure documentation recommends using /var/run for --status files
| Reported by: | David Sommerseth | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | release 2.4 |
| Component: | Documentation | Version: | OpenVPN 2.3.2 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | selinux documentation |
| Cc: | | | |
Description
Update: this should be /var/run, not /var/log. See comments.
There are several misconfigurations which make openvpn fail due to --status /etc/openvpn/openvpn-status.log being used instead of /var/log/openvpn-status.log. This happens especially on systems with SELinux enabled, as most SELinux policies do not grant the openvpn process write privileges in /etc.
As the --status file is more like a log file (most examples even use the .log extension), placing it in /var/log makes more sense and matches most SELinux policies as well. I suggest using /var/log/openvpn-status.log in all examples.
# semanage fcontext --list | grep openvpn-status
/var/log/openvpn-status\.log.*    regular file    system_u:object_r:openvpn_status_t:s0
More reports on this issue in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1002240
https://bugzilla.redhat.com/show_bug.cgi?id=1134967
Change History (5)
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
After some quick IRC discussions, we should strongly consider using /var/run (or /run) as the preferred location for the status file. The status file isn't really a log file, and the status file is re-written completely on updates, while log files generally are appended to.
Fedora 19+ and RHEL7 use /run, and newer Debian seems to use /run too. RHEL6 and older only have /var/run available, as most likely do all other non-systemd distros.
In addition, the systemd unit files we ship should also be updated accordingly, enabling --status by default in the unit file for server configurations.
The documentation should use /var/run/openvpn/$FILENAME.log consistently in all examples.
For systemd based distros, I suggest using /run/openvpn/$FILENAME.log (when starting via unit files). This is aligned with current practices in Debian.
Some co-ordination with SELinux upstream will be required with this suggestion, to get these new guidelines covered in the default policy.
comment:3 Changed 10 years ago by
A patch updating the systemd unit file(s) to also implement these suggestions has been sent to the mailing list:
http://article.gmane.org/gmane.network.openvpn.devel/9222/
comment:4 Changed 8 years ago by
| Description: | modified (diff) |
|---|---|
| Summary: | Ensure documentation recommends using /var/log for --status files → Ensure documentation recommends using /var/run for --status files |
Updated ticket title and description to avoid confusion. (It confused me at first.)
comment:5 Changed 8 years ago by
Just looked into the 'documentation', but the only references I could find were in sample-configs/server.conf, which has:
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
We can change those to /var/run and /var/log respectively, but those paths won't work on Windows anymore. The current practice of not using a path works on all OSes. I'm not sure what to do with this.
Debian (and Ubuntu) use /var/run for status files.
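The failure mode in the description (a relative `status openvpn-status.log` resolving into /etc/openvpn, where SELinux denies the daemon write access) and the split proposed in comment:5 (status file under /var/run or /run, log files under /var/log) can be checked mechanically before the daemon is started. The script below is an added example, not OpenVPN project code or anything attached to this ticket. It parses the `status`, `log` and `log-append` directives of a server config, resolves relative paths against a base directory (assumed here to be /etc/openvpn, the working directory a typical distro unit file gives the daemon; pass a different one if your unit file uses `--cd`), and flags paths outside the locations the thread recommends. It does not query the SELinux policy itself (that would be `matchpathcon`/`semanage fcontext` on a real host); the sample config is constructed for the example.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): audit where an OpenVPN server
# config tells the daemon to write its status and log files.
#
# Rules follow this ticket's discussion (assumption, not a policy lookup):
#   status      -> must live under /run or /var/run (rewritten, not appended)
#   log/log-append -> must live under /var/log
# Relative paths are resolved against BASEDIR, which defaults to /etc/openvpn
# (hypothetical default; use the directory your unit file starts openvpn in).

# resolve_path BASEDIR PATH -> absolute path on stdout
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# classify_path DIRECTIVE ABSPATH -> "ok", "bad" or "unknown" on stdout
classify_path() {
    case "$1" in
        status)
            case "$2" in
                /run/*|/var/run/*) echo ok ;;
                *) echo bad ;;
            esac ;;
        log|log-append)
            case "$2" in
                /var/log/*) echo ok ;;
                *) echo bad ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# audit_config CONFIGFILE [BASEDIR]
# Prints one line per active status/log/log-append directive:
#   <directive> <resolved absolute path> <ok|bad>
# Lines commented out with '#' or ';' (as in sample-configs/server.conf)
# do not match the leading-directive pattern and are ignored.
audit_config() {
    cfg=$1
    base=${2:-/etc/openvpn}
    grep -E '^[[:space:]]*(status|log|log-append)[[:space:]]+' "$cfg" |
    while read -r directive arg _rest; do
        # _rest absorbs trailing arguments such as the status interval
        abs=$(resolve_path "$base" "$arg")
        printf '%s %s %s\n' "$directive" "$abs" "$(classify_path "$directive" "$abs")"
    done
}

# config_is_clean CONFIGFILE [BASEDIR] -> exit 0 if no directive is flagged
config_is_clean() {
    ! audit_config "$1" "$2" | grep -q ' bad$'
}

# make_sample_config -> path of a constructed config mirroring the ticket's
# server.conf excerpt, with a status interval and one log-append line added.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real deployment
status openvpn-status.log 10
;log openvpn.log
log-append /var/log/openvpn.log
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: the relative status path lands in /etc/openvpn (flagged),
# while the same config audited with a /run/openvpn base passes.
sample=$(make_sample_config)
audit_config "$sample"
audit_config "$sample" /run/openvpn
rm -f "$sample"
```

Run it against a real config with `audit_config /etc/openvpn/server.conf` (add the base directory your unit file uses as a second argument). A `bad` line for `status` is exactly the case the description reports: under the default targeted policy the daemon is not allowed to create that file in /etc, so the fix is either an absolute path under /var/run or /run, or a unit file that starts the daemon in such a directory.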