[Bug 781106] New: openvpn needs HUP upon resume
https://bugzilla.novell.com/show_bug.cgi?id=781106
https://bugzilla.novell.com/show_bug.cgi?id=781106#c0
Summary: openvpn needs HUP upon resume
Classification: openSUSE
Product: openSUSE Factory
Version: 12.3 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: mt@suse.com
ReportedBy: jslaby@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
openvpn used to work fine with respect to suspend/resume. The link was usable
afterwards. Now, this is no longer the case. The link, after resume, looks like
4: tun0:
https://bugzilla.novell.com/show_bug.cgi?id=781106#c1
--- Comment #1 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=781106#c2
Marius Tomaschewski
One more note, I use linux-next kernel. If you feel this is a kernel regression, let me know.
No, I don't think it is a regression. You can tune the defaults by setting a shorter "ping-restart" option:
From "man openvpn":
  --ping-restart n
      Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds
      pass without reception of a ping or other packet from remote.
  [...]
      In client mode, the --ping-restart parameter is set to 120 seconds by
      default.
  [...]
  SIGHUP
      Cause OpenVPN to close all TUN/TAP and network connections, restart,
      re-read the configuration file (if any), and reopen TUN/TAP and
      network connections.

  SIGUSR1
      Like SIGHUP, except don't re-read configuration file, and possibly
      don't close and reopen TUN/TAP device, re-read key files, preserve
      local IP address/port, or preserve most recently authenticated remote
      IP address/port based on --persist-tun, --persist-key,
      --persist-local-ip, and --persist-remote-ip options respectively
      (see above).

      This signal may also be internally generated by a timeout condition,
      governed by the --ping-restart option.

      This signal, when combined with --persist-remote-ip, may be sent when
      the underlying parameters of the host's network interface change such
      as when the host is a DHCP client and is assigned a new IP address.
      See --ipchange above for more information.

So by default, it needs 120 seconds to recover. You can use "/etc/init.d/openvpn reopen" to send a USR1 to all running instances.

Hmm... there seems to be a bug in the init script -- reopen is also in the reload case, so it will never send USR1, but HUP (which is more intrusive / closes & restarts running conns).

On the other side, a resume is a different event than the other reconnects that ping-reconnect handles (e.g. external IP changed), where a "long" delay of 120 secs makes sense.
So it would make sense to add a suspend/resume script to pm-utils:

    hibernate|suspend)
        test -x /etc/init.d/openvpn && \
        /etc/init.d/openvpn status &>/dev/null && \
        reopen_on_resume=yes || reopen_on_resume=no
        savestate "reopen_on_resume" "$reopen_on_resume"
    ;;
    thaw|resume)
        restorestate "reopen_on_resume"
        test "x$reopen_on_resume" = "xyes" && \
        /etc/init.d/openvpn reopen
    ;;

Vojtech (pm-utils maintainer), what do you think?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
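Added example (not part of the bug report, and not the actual openSUSE init script): a constructed action dispatcher showing how listing `reopen` in the `reload` branch of a `case` makes it send HUP, next to a dispatcher that gives `reopen` its own USR1 branch and a helper that signals every live instance. The function names and the one-pid-file-per-instance layout are assumptions.

```shell
#!/bin/sh
# Constructed illustration; this is not the real /etc/init.d/openvpn.

# Defective dispatch as described above: "reopen" is listed in the "reload"
# branch, and case runs only the first branch whose pattern matches.
buggy_signal_for() {
    case "$1" in
        reload|reopen) echo HUP ;;   # full restart, re-reads the config
        reopen)        echo USR1 ;;  # never reached
        *)             return 1 ;;
    esac
}

# Corrected dispatch: one branch per action.
fixed_signal_for() {
    case "$1" in
        reload) echo HUP ;;
        reopen) echo USR1 ;;         # soft restart, honours --persist-* options
        *)      return 1 ;;
    esac
}

# Send the signal for ACTION to every live instance that has a pid file in
# PIDDIR (assumed layout: one <name>.pid per instance). Pid files with
# non-numeric content or a dead pid are skipped. Prints how many processes
# were signalled.
signal_instances() {
    action=$1; piddir=$2; count=0
    sig=$(fixed_signal_for "$action") || return 1
    for f in "$piddir"/*.pid; do
        [ -r "$f" ] || continue
        pid=
        read -r pid < "$f" || [ -n "$pid" ] || continue
        case "$pid" in ''|*[!0-9]*) continue ;; esac
        kill -0 "$pid" 2>/dev/null || continue
        kill -s "$sig" "$pid" && count=$((count + 1))
    done
    echo "$count"
}

# Demo: what "reopen" maps to under each dispatcher.
echo "buggy: reopen -> $(buggy_signal_for reopen)"
echo "fixed: reopen -> $(fixed_signal_for reopen)"
```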
https://bugzilla.novell.com/show_bug.cgi?id=781106#c3
--- Comment #3 from Marius Tomaschewski
https://bugzilla.novell.com/show_bug.cgi?id=781106#c4
--- Comment #4 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=781106#c5
Wojtek Dziewięcki
https://bugzilla.novell.com/show_bug.cgi?id=781106#c
Wojtek Dziewięcki
https://bugzilla.novell.com/show_bug.cgi?id=781106#c6
--- Comment #6 from Jiri Slaby
and I have to send a HUP signal to the openvpn process (USR1 is not enough).
See this ^^^ ^^^^^^^^^^^^^^^^^^
https://bugzilla.novell.com/show_bug.cgi?id=781106#c7
--- Comment #7 from Jiri Slaby
openvpn used to work fine with respect to suspend/resume.
And also this ^^^^. This used to work. Some time ago it stopped. Even if I wait more than 120 s, vpn won't recover.
https://bugzilla.novell.com/show_bug.cgi?id=781106#c8
Wojtek Dziewięcki
https://bugzilla.novell.com/show_bug.cgi?id=781106#c9
Marius Tomaschewski
(In reply to comment #0)
openvpn used to work fine with respect to suspend/resume.
And also this ^^^^. This used to work. Some time ago it stopped. Even if I wait more than 120 s, vpn won't recover.
I've overlooked the "USR1 is not enough", sorry! Any idea which version was working with USR1 -- 2.2.1 from 12.1? / which kernel?
https://bugzilla.novell.com/show_bug.cgi?id=781106#c10
Jiri Slaby
(In reply to comment #7)
(In reply to comment #0)
openvpn used to work fine with respect to suspend/resume.
And also this ^^^^. This used to work. Some time ago it stopped. Even if I wait more than 120 s, vpn won't recover.
I've overlooked the "USR1 is not enough", sorry!
Any idea which version was working with USR1 -- 2.2.1 from 12.1? / which kernel?
From logs it looks like the first time I had to restart openvpn after resume was on Jul 13th. I had this kernel since Jun 28th: 3.5.0-rc4-next-20120628. And I resumed 13 times since 28th till 13th without restarting vpn, so I think this is not a kernel issue.
https://bugzilla.novell.com/show_bug.cgi?id=781106#c11
--- Comment #11 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=781106#c12
--- Comment #12 from Jiri Slaby
I booted 3.4.11, 3.5.4 and 3.6-rc6, all work. So this is a kernel issue I'm currently bisecting.
And while bisecting I've found out, that it is not the kernel. It's a matter of
timing. It happens on the first or second invocation of suspend/resume.
It seems to be accompanied with a warning to the console when network is
restarted:
tun0
https://bugzilla.novell.com/show_bug.cgi?id=781106#c13
--- Comment #13 from Jiri Slaby
tun0
Device or resource busy
network[9389]: tun0 TUNSETIFF: Device or resource busy
more precisely.
https://bugzilla.novell.com/show_bug.cgi?id=781106#c14
Marius Tomaschewski
https://bugzilla.novell.com/show_bug.cgi?id=781106#c15
Jiri Slaby
would you attach your configuration or send it to me by mail, please?

It's a simple setup:

    client
    dev tun
    proto udp
    remote gate.suse.cz
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    ca /etc/openvpn/SUSE/SUSE-Prague-ca.crt
    cert /etc/openvpn/SUSE/SUSE-Prague-jslaby.crt
    key /etc/openvpn/SUSE/SUSE-Prague-jslaby.key
    auth-user-pass
    comp-lzo
    verb 3
    explicit-exit-notify 5

I added explicit-exit-notify even recently, I commented that out now to see if that makes a difference.

TUNSETIFF creates a new tun interface... could you tell me which matter of timing it is, that the creation of the interface fails?

I don't understand... If I add this

    (sleep 40; killall -HUP openvpn) &

to /etc/pm/sleep.d/02vpn as a resume/thaw part, it works. If I reduce the sleep time, it does not work.
https://bugzilla.novell.com/show_bug.cgi?id=781106#c19
--- Comment #19 from Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=781106#c20
--- Comment #20 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=781106#c21
--- Comment #21 from Marius Tomaschewski
https://bugzilla.novell.com/show_bug.cgi?id=781106#c22
--- Comment #22 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=781106#c23
Marius Tomaschewski
https://bugzilla.novell.com/show_bug.cgi?id=781106#c24
Marius Tomaschewski
https://bugzilla.novell.com/show_bug.cgi?id=781106#c25
Marius Tomaschewski
https://bugzilla.novell.com/show_bug.cgi?id=781106#c26
--- Comment #26 from Jiri Slaby
Adoption of the network script inside of the pm-utils is requested in https://gitorious.org/opensuse/pm-utils/merge_requests/2 and follows.
As far as I understand, pm-utils scripts are no longer called. See bnc#790157.
https://bugzilla.novell.com/show_bug.cgi?id=781106#c27
Marius Tomaschewski
(In reply to comment #23)
Adoption of the network script inside of the pm-utils is requested in https://gitorious.org/opensuse/pm-utils/merge_requests/2 and follows.
As far as I understand, pm-utils scripts are no longer called. See bnc#790157.
On my factory there is no openvpn pm-utils script any more, but there was a network script, which was called and which I've adopted.
https://bugzilla.novell.com/show_bug.cgi?id=781106#c28
Benjamin Brunner
https://bugzilla.novell.com/show_bug.cgi?id=781106#c29
--- Comment #29 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=781106#c30
--- Comment #30 from Bernhard Wiedemann