Opened 5 years ago

Last modified 4 months ago

#945 accepted Bug / Defect

systemd: LimitNPROC too low, wrong knob

Reported by: berni Owned by: David Sommerseth
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

This has been originally reported to Debian at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861923. There is a way to reproduce this inside the bug report. Basically you need to start several instances that run code as non-root.

Since the very first version of the systemd unit it contains the setting

LimitNPROC=10

According to systemd.exec, this translates to "ulimit -u".

Even if set in the systemd unit this seems to translate to a generic "limit the number of processes per UID on the whole system" thing, which is certainly not the thing the author had in mind.

https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1631104
https://github.com/systemd/systemd/issues/6011#issuecomment-304617744

Change History (4)

comment:1 Changed 5 years ago by tct

CC for systemd

comment:2 Changed 5 years ago by Gert Döring

Owner: set to David Sommerseth
Status: new → assigned

comment:3 Changed 5 years ago by David Sommerseth

Status: assigned → accepted

I've chimed into the Debian bug tracker with some background information on why we added LimitNPROC=.

This needs to be improved, but I don't think removing it is the right approach (it is the quickest workaround though, which does sacrifice some security aspects). So my current proposal is to increase the LimitNPROC= somewhat (somewhere between 30-50 processes) but with improved documentation on how to further adjust this value via systemctl edit openvpn-{client,server}@.service.

comment:4 Changed 4 months ago by berni

I think the better, more native knob would be TasksMax?

https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#TasksMax=N

This option has been introduced in systemd 227 in October 2015.

        * Support for the "pids" cgroup controller has been added.  It
          allows accounting the number of tasks in a cgroup and
          enforcing limits on it. This adds two new settings
          TasksAccounting= and TasksMax= to each unit, as well as a
          global option DefaultTasksAccounting=.
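The following is an added example, not code from the ticket or from the OpenVPN project. It ties together the three points made above: the shipped unit's LimitNPROC=10 is a per-UID RLIMIT_NPROC budget shared by every instance running as the same unprivileged user (the description), the value can be raised with a drop-in of the kind `systemctl edit openvpn-server@.service` creates (comment 3), and TasksMax= caps tasks per unit instance through the pids cgroup controller (comment 4). The script audits a unit file for a low LimitNPROC= and writes such a drop-in under a root directory you pass in, so it can be exercised in a scratch directory without root. The values LimitNPROC=50 (within the 30-50 range proposed in comment 3) and TasksMax=50 are assumptions chosen for illustration, as is the unit name used in the demo.

```shell
#!/bin/sh
# Added example (not from the ticket or the OpenVPN project): generate the
# drop-in that `systemctl edit openvpn-server@.service` would create, and
# audit a shipped unit file for a low per-UID LimitNPROC=.

# Print the override content. Values are assumptions for illustration:
# LimitNPROC=50 follows the 30-50 range proposed in comment 3; TasksMax=50
# is a per-instance cap enforced by the pids cgroup controller (comment 4).
openvpn_override_content() {
    cat <<'EOF'
[Service]
# RLIMIT_NPROC (ulimit -u) counts processes per UID across the whole system,
# so every instance running as the same unprivileged user shares one budget.
LimitNPROC=50
# TasksMax= is enforced per unit instance via the pids cgroup controller.
TasksMax=50
EOF
}

# Write the drop-in under root $1 (normally /etc/systemd/system) for unit $2.
# systemctl edit writes the same path: <root>/<unit>.d/override.conf
write_override() {
    root=$1
    unit=$2
    dir="$root/$unit.d"
    mkdir -p "$dir"
    openvpn_override_content > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Return 0 if unit file $1 sets LimitNPROC= to a number below $2, else 1.
# Only the last LimitNPROC= line counts, as systemd takes the last assignment.
limitnproc_below() {
    file=$1
    threshold=$2
    value=$(sed -n 's/^[[:space:]]*LimitNPROC=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$file" | tail -n 1)
    [ -n "$value" ] && [ "$value" -lt "$threshold" ]
}

# Demo on a constructed unit file in a scratch directory (no root needed).
demo_root=$(mktemp -d)
cat > "$demo_root/openvpn-server@.service" <<'EOF'
[Service]
LimitNPROC=10
EOF
if limitnproc_below "$demo_root/openvpn-server@.service" 30; then
    echo "LimitNPROC below 30 in shipped unit; writing override"
    write_override "$demo_root" "openvpn-server@.service"
fi
cat "$demo_root/openvpn-server@.service.d/override.conf"
rm -rf "$demo_root"
```

To apply it on a real host, point `write_override` at /etc/systemd/system (or paste the same content into `systemctl edit openvpn-server@.service`), then run `systemctl daemon-reload` and restart the instances; the drop-in overrides only the two keys it names and leaves the rest of the packaged unit intact.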