[systemd-devel] script assigned via Unit's ExecStartPre= only partially executes, fails to complete ?
jen142 at promessage.com
jen142 at promessage.com
Sun Dec 1 09:44:10 PST 2013
> There is no reason to lose valuable debugging information. All output
> is collected by systemd and is available via journal. Hiding it makes
> really no sense.
...
> Show quoted textThis is not a shell, and you cannot reference $PATH like this. Full
> content of the variable has to included instead.
I fixed both of those.
Now,
cat /etc/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Server
After=syslog.target network.target
Before=openvpn.target
[Service]
Type=forking
PrivateTmp=true
PIDFile=/var/run/openvpn/openvpn.pid
Environment=PATH="/usr/local/openvpn-unpriv:/usr/local/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
ExecStartPre=/usr/local/etc/openvpn/up.script
ExecStart=/usr/local/sbin/openvpn --daemon --writepid
/var/run/openvpn/openvpn.pid --cd
/usr/local/etc/openvpn/ --config server.conf
ExecStopPost=/usr/local/etc/openvpn/down.script
[Install]
WantedBy=multi-user.target
and
cat /usr/local/etc/openvpn/up.script
#!/bin/sh
/usr/local/sbin/openvpn --rmtun --dev tun1
/usr/local/sbin/openvpn --mktun --dev tun1 --dev-type
tun --user openvpn --group openvpn
/usr/sbin/iptables -v -I FORWARD -i eth0 -o tun1 -j
ACCEPT
/usr/sbin/iptables -v -I FORWARD -i tun1 -o eth0 -j
ACCEPT
, adding the "-v" verbose flag to iptables
> Use "journalctl -u openvpn.service", this will show *all* output
> associated with your unit start/stop.
The output from 'journalctl -u openvpn.service' was helpful. Thanks for
the pointer!
A colleague pointed out permissions problems for iptables & insmod, and
suggested a solution
Adding
Defaults:openvpn !requiretty
openvpn ALL=(ALL) NOPASSWD: /usr/sbin/iptables
openvpn ALL=(ALL) NOPASSWD: /usr/sbin/ip6tables
openvpn ALL=(ALL) NOPASSWD: /sbin/insmod
to
/etc/sudoers.d/openvpn
seems to do the trick.
Now, after boot,
journalctl -u openvpn.service
...
Dec 01 09:44:45 test systemd[4461]: Executing:
/usr/local/etc/openvpn/up.script
Dec 01 09:44:46 test up.script[4461]: Sun Dec 1
09:44:46 2013 TUN/TAP device tun1 opened
Dec 01 09:44:46 test up.script[4461]: Sun Dec 1
09:44:46 2013 Persist state set to: OFF
Dec 01 09:44:46 test up.script[4461]: Sun Dec 1
09:44:46 2013 TUN/TAP device tun1 opened
Dec 01 09:44:46 test up.script[4461]: Sun Dec 1
09:44:46 2013 Persist state set to: ON
Dec 01 09:44:46 test up.script[4461]: ACCEPT all opt --
in eth0 out tun1 0.0.0.0/0 -> 0.0.0.0/0
Dec 01 09:44:46 test up.script[4461]: ACCEPT all opt --
in tun1 out eth0 0.0.0.0/0 -> 0.0.0.0/0
Dec 01 09:44:46 test systemd[4489]: Executing:
/usr/local/sbin/openvpn --daemon --writepid
/var/run/openvpn/openvpn.pid --cd
/usr/local/etc/openvpn/ --config server.conf
Dec 01 09:44:47 test sudo[4504]: root : TTY=unknown ;
PWD=/usr/local/etc/openvpn ; USER=root ;
COMMAND=/sbin/ip link set dev tun1 up mtu 1500
Dec 01 09:44:47 test sudo[4530]: root : TTY=unknown ;
PWD=/usr/local/etc/openvpn ; USER=root ;
COMMAND=/sbin/ip addr add dev tun1 local 10.1.1.1 peer
10.1.1.2
Dec 01 09:44:47 test sudo[4552]: root : TTY=unknown ;
PWD=/usr/local/etc/openvpn ; USER=root ;
COMMAND=/sbin/ip route add 10.1.1.0/24 via 10.1.1.2
there's no more permission errors, and it appears iptables execs, now.
checking,
iptables -L -v -n | grep tun
0 0 ACCEPT all -- tun1 eth0 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- eth0 tun1 0.0.0.0/0
0.0.0.0/0
it's clearly been exec'd.
iptables & insmod needing root perms via sudoers I _suspect_ has to do
with openvpn being chroot'd, with user:group == openvpn:openvpn.
I don't know is there's a systemd-specific method of granting those
permissions correctly, without using sudoers.
The "-v" flag to iptables is required in the unit's referenced
ExecStartPre= script -- without it, there's NO trace of iptables
exec'ing in the journalctl output.
JenL
More information about the systemd-devel
mailing list