Opened 7 years ago
Last modified 2 years ago
#945 accepted Bug / Defect
systemd: LimitNPROC too low, wrong knob
Reported by: | berni | Owned by: | David Sommerseth |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.4.4 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | | | |
Description
This was originally reported to Debian at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861923. There is a way to reproduce this inside the bug report. Basically you need to start several instances that run code as non-root.
Since the very first version, the systemd unit has contained the setting
LimitNPROC=10
which, according to systemd.exec, translates to "ulimit -u".
Even if set in the systemd unit, this seems to translate to a generic "limit the number of processes per UID on the whole system" thing, which is certainly not what the author had in mind.
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1631104
https://github.com/systemd/systemd/issues/6011#issuecomment-304617744
Change History (4)
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
Owner: | set to David Sommerseth |
---|---|
Status: | new → assigned |
comment:3 Changed 7 years ago by
Status: | assigned → accepted |
---|---|
I've chimed into the Debian bug tracker with some background information on why we added LimitNPROC=.
This needs to be improved, but I don't think removing it is the right approach (it is the quickest workaround though, which does sacrifice some security aspects). So my current proposal is to increase the LimitNPROC= somewhat (somewhere between 30 and 50 processes), but with improved documentation on how to further adjust this value via systemctl edit openvpn-{client,server}@.service.
comment:4 Changed 2 years ago by
I think the better, more native knob would be TasksMax?
https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#TasksMax=N
This option has been introduced in systemd 227 in October 2015.
* Support for the "pids" cgroup controller has been added. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new settings TasksAccounting= and TasksMax= to each unit, as well as a global option DefaultTasksAccounting=.
CC for systemd
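As an added example (not part of this ticket and not OpenVPN's or systemd's own code), a small Python audit that reads a unit file plus its systemctl-edit style drop-ins and reports whether the effective [Service] section still carries the per-UID LimitNPROC= knob and whether the cgroup-scoped TasksMax= is set. It assumes the unit path is given directly and only reads the drop-in directory matching that file name, not the template-plus-instance combination systemd merges for instantiated units; the sample unit and drop-in it writes are constructed.

```python
import tempfile
from pathlib import Path

KEYS = ("LimitNPROC", "TasksMax")

def parse_fragment(path, values):
    """Fold one unit file or drop-in into values; only the [Service] section is relevant here."""
    section = None
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if key in KEYS:
                values[key] = val or None  # "Key=" with an empty value resets the setting

def effective_settings(unit_path):
    """Unit file first, then <unit>.d/*.conf in sorted name order; the last assignment wins."""
    unit_path = Path(unit_path)
    values = dict.fromkeys(KEYS)
    parse_fragment(unit_path, values)
    for conf in sorted(unit_path.with_name(unit_path.name + ".d").glob("*.conf")):
        parse_fragment(conf, values)
    return values

def audit(unit_path):
    """Return (settings, findings): flag the per-UID knob and a missing cgroup-scoped knob."""
    s = effective_settings(unit_path)
    findings = []
    if s["LimitNPROC"] not in (None, "infinity"):
        findings.append(f"LimitNPROC={s['LimitNPROC']} is a per-UID RLIMIT_NPROC; it counts every process of that user across all instances")
    if s["TasksMax"] is None:
        findings.append("TasksMax= unset: no cgroup-scoped task limit applies to this unit")
    return s, findings

def demo():
    """Constructed sample: the shipped unit with LimitNPROC=10, then a systemctl-edit style drop-in."""
    root = Path(tempfile.mkdtemp())
    unit = root / "openvpn-server@.service"
    unit.write_text("[Service]\nLimitNPROC=10\n")
    before = audit(unit)                                    # two findings
    (root / "openvpn-server@.service.d").mkdir()
    (root / "openvpn-server@.service.d" / "override.conf").write_text("[Service]\nLimitNPROC=\nTasksMax=50\n")
    return before, audit(unit)                              # after the drop-in: no findings

if __name__ == "__main__":
    print(*demo(), sep="\n")
```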