http://bugzilla.novell.com/show_bug.cgi?id=559041 http://bugzilla.novell.com/show_bug.cgi?id=559041#c2 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID Severity|Normal |Enhancement --- Comment #2 from Marius Tomaschewski 2009-11-30 10:21:26 UTC --- Yes, I'm the maintainer. Openvpn writes the pid as root: root@exodus:/etc/openvpn # rcopenvpn start Starting OpenVPN [tun0] Enter Auth Username:mt Enter Auth Password: done root@exodus:/etc/openvpn # l /var/run/openvpn/ insgesamt 12 drwxr-xr-x 2 root root 4096 2009-11-30 10:46:15 ./ drwxr-xr-x 25 root root 4096 2009-11-30 10:38:36 ../ -rw-r--r-- 1 root root 6 2009-11-30 10:46:15 tun0.pid root@exodus:/etc/openvpn # grep -E "^user|^group" tun0.conf user openvpn group openvpn root@exodus:/etc/openvpn # ps ax | grep openvpn | grep -v grep 12531 ? Ss 0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/tun0.pid --config /etc/openvpn/tun0.conf --cd /etc/openvpn Even when there is a stale pid file because I've killed it manually, the pid file is removed in the init script: /etc/init.d/openvpn start Starting OpenVPN [tun0] (removed stale pid file) Enter Auth Username:mt Enter Auth Password: done I guess, you've enabled an insufficient apparmor profile for openvpn. I was unable to reproduce it and I'll not grep messages for permission errors -- openvpn is using exit code 1 in most cases. We also don't ship any openvpn configuration and also do not pass any --user or --group options via init script. It is also simply not enough to set the --user/--group options in the config; many another options have to be set as well. Also it is often required to use the "down-root" plugin to execute commands. All this depends on the particular config/tunnel setup, the script use, .. settings provided from the server side. Even the initial start works in most cases, a "rcopenvpn reload" or "rcopenvpn reopen" will fail in many cases. There are (too) many corner cases that have to be considered when running as non-root, that are described in the openvpn manual page. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=559041 http://bugzilla.novell.com/show_bug.cgi?id=559041#c4 --- Comment #4 from Gerald Pfeifer 2009-12-26 13:41:21 CET --- Created an attachment (id=334311) --> (http://bugzilla.novell.com/attachment.cgi?id=334311) Suggested patch

guess, you've enabled an insufficient apparmor profile for openvpn. I was unable to reproduce it and I'll not grep messages for permission errors -- openvpn is using exit code 1 in most cases.

I am sorry, clearly my original description did not reflect what I had encountered and was trying to see addressed (AppArmor was not involved at all). Let me see whether a patch proposal brings the point across better. :-) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=559041 http://bugzilla.novell.com/show_bug.cgi?id=559041#c6 Marius Tomaschewski changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #334311|0 |1 is obsolete| | --- Comment #6 from Marius Tomaschewski 2010-03-11 08:05:54 UTC --- Created an attachment (id=347806) --> (http://bugzilla.novell.com/attachment.cgi?id=347806) Patch I would prefer This patch changes to make the check after failure of the first instance; IMO there is no need to exit before a real try to write. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=559041 http://bugzilla.novell.com/show_bug.cgi?id=559041#c8 --- Comment #8 from Gerald Pfeifer 2010-03-13 20:16:04 CET --- Nice, thanks Marius. I had a hunch that speaking via a prototype patch would relay my thoughts better than my textual description. ;-) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.