found 406895 2.1.3-2
thanks

On 01/-10/-28163 08:59 PM, Anthony DeRobertis wrote:
> I can confirm this bug still exists in 2.1.0-1 and also 2.1~rc11-1. Note
> that I don't see it on all my OpenVPN machines...
> 
> I suspect (but have not tested) the difference with the two I just saw
> it on is that I gave a 'user' option, to run as non-root.

I too can confirm that the combination of mlock + user option can
trigger an OOM.

A bit of investigating revealed the following from mlock(2):

Limits and permissions
  <...>
  Since Linux 2.6.9, no limits are placed on the amount of memory that
  a privileged process can lock and the RLIMIT_MEMLOCK soft resource
  limit instead defines a limit on how much memory an unprivileged
  process may lock.

BUGS
  Since kernel 2.6.9, if a privileged process calls
  mlockall(MCL_FUTURE) and later drops privileges (loses the
  CAP_IPC_LOCK capability by, for example, setting its effective UID
  to a nonzero value), then subsequent memory allocations (e.g.,
  mmap(2), brk(2)) will fail if the RLIMIT_MEMLOCK resource limit is
  encountered.

Which is consistent with what I am currently seeing:

1) No matter what I do, a config with --mlock but without --user always
works, even when setting ulimit -l 0. Which is not suprising, because
the default limit of 64KB was obviously being ignored.

2) With --mlock and --user openvpn, the server process dies when a
client connects. Changing the ulimit for user openvpn does nothing.

3) Like 2), but changing the ulimit for user root instead of openvpn.
This is weird, but works AFAICT.

> FYI, 16384 wasn't enough for me; I used 65536.

as 3) above.

In conjunction with #484113, now that Squeeze has support for a drop-in
directory for limits in /etc/security/limits.d/, a less invasive
solution than modifying the init script might be to provide a template
file such as this one:

/etc/security/limits.d/openvpn.conf
===
# Uncomment the following if you intend to use OpenVPN with
# both the --mlock and --user options
#root            hard    memlock     16000
#root            soft    memlock     16000
===


Regards,
Chrisian

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to