Opened 9 months ago

Last modified 9 months ago

#945 accepted Bug / Defect

systemd: LimitNPROC too low, wrong knob

Reported by: berni Owned by: David Sommerseth
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

This was originally reported to Debian at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861923. There is a way to reproduce this inside the bug report. Basically you need to start several instances that run code as non-root.

Since the very first version of the systemd unit, it has contained the setting

LimitNPROC=10

which, according to systemd.exec, translates to "ulimit -u".

Even if set in the systemd unit, this seems to translate to a generic "limit the number of processes per UID on the whole system" thing, which is certainly not what the author had in mind.

https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1631104
https://github.com/systemd/systemd/issues/6011#issuecomment-304617744

Change History (3)

comment:1 Changed 9 months ago by tincantech

CC for systemd

comment:2 Changed 9 months ago by Gert Döring

Owner: set to David Sommerseth
Status: new → assigned

comment:3 Changed 9 months ago by David Sommerseth

Status: assigned → accepted

I've chimed into the Debian bug tracker with some background information on why we added LimitNPROC=.

This needs to be improved, but I don't think removing it is the right approach (it is the quickest workaround though, which does sacrifice some security aspects). So my current proposal is to increase the LimitNPROC= somewhat (somewhere between 30-50 processes) but with improved documentation on how to further adjust this value via systemctl edit openvpn-{client,server}@.service.
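The adjustment proposed above as a scriptable drop-in, together with the two checks an operator needs to see the per-UID behaviour the ticket describes. This is an added example, not code from the ticket or from the OpenVPN project; it assumes the openvpn-{client,server}@.service template names, a default drop-in root of /etc/systemd/system, and 50 as the value from the proposed 30-50 range.

```shell
#!/bin/sh
# Added example (not from the ticket or OpenVPN). Assumptions: unit names follow the
# openvpn-{client,server}@.service templates, drop-ins live under /etc/systemd/system
# unless a test directory is given, and 50 is the upper end of the proposed range.
set -u

# Write a drop-in instead of editing the packaged unit (same result as
# `systemctl edit <unit>`, but scriptable). LimitNPROC= sets RLIMIT_NPROC, which the
# kernel checks at fork() against ALL processes owned by the real UID, system-wide,
# so every instance that shares one service user counts against the same number.
# The check is skipped for root / CAP_SYS_RESOURCE, which is why only instances
# that drop privileges run into it.
write_limitnproc_dropin() {
    unit=$1; limit=$2; sysdir=${3:-/etc/systemd/system}
    d="$sysdir/$unit.d"
    mkdir -p "$d"
    printf '[Service]\nLimitNPROC=%s\n' "$limit" > "$d/10-limitnproc.conf"
    printf '%s\n' "$d/10-limitnproc.conf"
}

# Effective RLIMIT_NPROC soft limit of a running process, read from /proc/PID/limits
# ("Max processes  <soft>  <hard>  processes").
effective_nproc() {
    awk '/^Max processes/ { print $3 }' "/proc/$1/limits"
}

# Processes currently owned by a real UID: the figure the kernel compares against
# RLIMIT_NPROC. Walks /proc so it works without ps(1).
uid_process_count() {
    n=0
    for s in /proc/[0-9]*/status; do
        [ -r "$s" ] || continue
        u=$(awk '/^Uid:/ { print $2; exit }' "$s")
        [ "$u" = "$1" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on a real host: write the drop-in, reload, restart one instance, then compare
# the service user's process count with the limit that instance actually runs under.
#   write_limitnproc_dropin openvpn-server@.service 50
#   systemctl daemon-reload && systemctl restart openvpn-server@myserver.service
#   pid=$(systemctl show -p MainPID --value openvpn-server@myserver.service)
#   uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
#   echo "limit=$(effective_nproc "$pid") in_use=$(uid_process_count "$uid")"
```

If in_use approaches limit, either raise the drop-in value or give each instance its own user via User= so they stop sharing one RLIMIT_NPROC budget.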
