Opened 9 years ago

Last modified 7 years ago

#479 new Bug / Defect

Ensure documentation recommends using /var/run for --status files — at Version 4

Reported by: David Sommerseth Owned by:
Priority: minor Milestone: release 2.4
Component: Documentation Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: selinux documentation
Cc:

Description (last modified by Steffan Karger)

Update: this should be /var/run, not /var/log. See comments.

There are several misconfigurations which make openvpn fail due to --status /etc/openvpn/openvpn-status.log being used instead of /var/log/openvpn-status.log. This happens especially on systems with SELinux enabled, as most SELinux policies do not grant the openvpn process write privileges in /etc.

As the --status file is more like a log file (most examples even use .log extension), placing it in /var/log makes more sense and matches most SELinux policies as well. I suggest using /var/log/openvpn-status.log in all examples.

# semanage fcontext --list | grep openvpn-status
/var/log/openvpn-status\.log.*    regular file    system_u:object_r:openvpn_status_t:s0 

More reports on this issue in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1002240
https://bugzilla.redhat.com/show_bug.cgi?id=1134967

Change History (4)

comment:1 Changed 9 years ago by plaisthos

Debian (and Ubuntu) use /var/run for status files.

comment:2 Changed 9 years ago by David Sommerseth

After some quick IRC discussions, we should strongly consider using /var/run (or /run) as the preferred location for the status file. The status file isn't really a log file, and the status file is re-written completely on updates, while log files generally are appended to.

Fedora 19+ and RHEL7 use /run, newer Debian seems to use /run too. RHEL6 and older only have /var/run available, as most likely do all other non-systemd distros.

In addition, the systemd unit files we ship should also be updated accordingly, enabling --status by default in the unit file for server configurations.

The documentation should use /var/run/openvpn/$FILENAME.log consequently in all examples.
For systemd based distros, I suggest using /run/openvpn/$FILENAME.log (when starting via unit files). This is aligned with current practices in Debian.

Some co-ordination with SELinux upstream will be required with this suggestion, to get these new guidelines covered in the default policy.
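The misconfiguration from the description and the /var/run location suggested in comment:2, as an added audit check that is not part of the ticket or of the OpenVPN project; the sample configs it writes are constructed, and the return codes are this script's own convention:

```shell
#!/bin/sh
# Added audit helper (not from the ticket or the OpenVPN project): flag a server
# config whose status file is under /etc, the layout the ticket describes, and
# accept the /var/run (or /run) location the discussion recommends.

# check_status_path CONFIG
# Prints the configured status path and returns:
#   0  path is under /var/run or /run (recommended in comment:2)
#   1  path is under /etc (openvpn cannot write there under most SELinux policies)
#   2  no 'status' directive (config-file form of --status) present
#   3  path elsewhere, e.g. /var/log; check it against the local SELinux policy
check_status_path() {
    cfg="$1"
    # First uncommented 'status FILE [n]' line; '#' and ';' lines never match $1.
    path=$(awk '$1 == "status" { print $2; exit }' "$cfg")
    [ -n "$path" ] || return 2
    printf 'status file: %s\n' "$path"
    case "$path" in
        /var/run/*|/run/*) return 0 ;;
        /etc/*)            return 1 ;;
        *)                 return 3 ;;
    esac
}

# write_sample_configs DIR: constructed sample configs used for the demo/test.
write_sample_configs() {
    dir="$1"
    cat > "$dir/etc-status.conf" <<'EOF'
# constructed sample: the problematic layout from the ticket description
port 1194
status /etc/openvpn/openvpn-status.log
EOF
    cat > "$dir/run-status.conf" <<'EOF'
# constructed sample: the location suggested in comment:2
port 1194
status /var/run/openvpn/server.log 10
EOF
    printf 'port 1194\n' > "$dir/no-status.conf"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_configs "$d"
    for f in "$d"/*.conf; do
        check_status_path "$f"; printf '%s -> rc=%s\n' "$(basename "$f")" "$?"
    done
    rm -rf "$d"
fi
```

Run it with `--demo` to see all three sample verdicts; pass a real server config to `check_status_path` to audit it.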

comment:3 Changed 9 years ago by David Sommerseth

A patch updating the systemd unit file(s) to also implement these suggestions has been sent to the mailing list:
http://article.gmane.org/gmane.network.openvpn.devel/9222/

comment:4 Changed 7 years ago by Steffan Karger

Description: modified (diff)
Summary: Ensure documentation recommends using /var/log for --status files → Ensure documentation recommends using /var/run for --status files

Updated ticket title and description to avoid confusion. (It confused me at first.)
