Hello Alon,

What do you mean by:

> This is what SIGUSR1 is for.

If you mean SIGUSR1 is for reopen, I knew that. If you mean SIGUSR1 is for solving the problem I had after a reload... no, that does not work. After a failed reload there is no running openvpn session anymore, so the reopen command does not work.

Did some more testing with 2.0.9 on my system. It's the "user nobody" line in the client.conf file that's the cause for the failure to open the key file after a reload. The "group nobody" line does not affect this behaviour. Files are:

-r--r--r-- 1 root root 3471 Mar  6  2007 bonnothuis.crt
-r--r--r-- 1 root root  729 Mar  6  2007 bonnothuis.csr
-r-------- 1 root root  887 Mar  6  2007 bonnothuis.key
-r--r--r-- 1 root root 1212 Mar  6  2007 ca.crt
-rw-r--r-- 1 root root  245 May 12 10:14 client.conf

It seems that openvpn running as nobody is not allowed to do several things, among them to open the key file, when doing a reload.

I only have an old RedHat 9 system here currently for testing, not sure I can get 2.1rc7 on that as it also has no gcc. So, if the problem I'm describing is unknown to the developers yet and you want me to do some more testing, let me know. I'll have to rebuild my testbed machine first though to a later Linux version, probably Debian lenny or unstable.

Please let me know.

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
b.blok...@tio.nl / www.tio.nl

----- Original Message -----
From: Alon Bar-Lev
To: Bonno Bloksma
Cc: openvpn-devel@lists.sourceforge.net
Sent: Saturday, May 10, 2008 11:29 PM
Subject: Re: [Openvpn-devel] SIGHUP SIGUSR1 new logfile

This is what SIGUSR1 is for.

On 5/11/08, Bonno Bloksma <b.blok...@tio.nl> wrote:
> Hello,
>
> I might look into the syslog way to separate the openvpn log messages.
> That leaves the unwanted effect of killing the connection when doing a
> reload. Is that a known bug or something specific to my situation?
>
> Kind regards,
> Bonno Bloksma
> head of systems administration
>
> tio hogeschool hospitality en toerisme
> begijnenhof 8-12 / 5611 el eindhoven
> t 040 296 28 28 / f 040 237 35 20
> b.blok...@tio.nl / www.tio.nl
>
> ----- Original Message -----
> From: Alon Bar-Lev
> To: Bonno Bloksma
> Cc: openvpn-devel@lists.sourceforge.net
> Sent: Saturday, May 10, 2008 9:51 AM
> Subject: Re: [Openvpn-devel] SIGHUP SIGUSR1 new logfile
>
> SIGUSR1 is used for other stuff in openvpn.
>
> Why don't you use syslog, catch the openvpn related messages and place
> them in a separate file? It is much simpler and can be managed with
> greater flexibility.
>
> Alon.
>
> On 5/10/08, Bonno Bloksma <b.blok...@tio.nl> wrote:
> > Hi,
> >
> > I wanted to implement a weekly logfile rotation for the openvpn logfile
> > and noticed that it did not work, openvpn kept writing to the old logfile.
> >
> > If I did a manual mv openvpn.log openvpn.1 openvpn would still write to
> > the same file, now called openvpn.1, and not start a new openvpn.log.
> > Only after restarting openvpn did it start a new openvpn.log file.
> > What is the correct way to keep openvpn up and running but have it start
> > using the new logfile?
> >
> > The logrotate program has a workaround by using the copytruncate option,
> > but that is more of a stopgap solution for dumb programs, of which I'm
> > sure openvpn is not one.
> > The logrotate program can send a SIGHUP, SIGUSR1, etc. after the rotation
> > to tell the program the logfile has been rotated.
> >
> > The openvpn script in the init.d/ folder has options like reload and
> > reopen which correspond to SIGHUP, SIGUSR1 and might do what I want
> > but.... so far it seems not. After both reload and reopen the old logfile
> > is still being used.
> >
> > Besides that....
> >
> > Testing with 2.0.9-1 on a Redhat 9 machine I found out that trying to do
> > a reload would produce several errors, one about opening the key file,
> > and I would lose the vpn connection.
> >
> > Sat May 10 08:58:44 2008 us=750706 TCP/UDP: Closing socket
> > Sat May 10 08:58:44 2008 us=750822 /sbin/ip route del 172.16.1.64/26
> > RTNETLINK answers: Operation not permitted
> > Sat May 10 08:58:44 2008 us=755306 ERROR: Linux route delete command failed: shell command exited with error status: 2
> > [.....]
> > Sat May 10 08:58:44 2008 us=865438 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Feb 2 2007
> > Sat May 10 08:58:44 2008 us=865545 Restart pause, 2 second(s)
> > Sat May 10 08:58:46 2008 us=866570 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
> > Sat May 10 08:58:46 2008 us=867202 Cannot load private key file bonnothuis.key: error:0200100D:system library:fopen:Permission denied: error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
> > Sat May 10 08:58:46 2008 us=867316 Error: private key password verification failed
> > Sat May 10 08:58:46 2008 us=867342 Exiting
> >
> > Is this a known error, maybe connected to the nobody options, or should
> > I do some testing with the new 2.1 version?
> >
> > Is the issue with the logfile rotation dealt with in the 2.1 release? If
> > not, will it be in a next rc? Do I need to help testing some things?
> > I am NOT a C programmer, at least not anymore. My programming skills are
> > old and were in several other languages like Pascal, Forth, etc. :-)
> >
> > p.s. In my production environment I will be using Openvpn mainly on
> > Debian etch, so for that I would still be using the 2.0.9 release for a
> > while. But at home I'd like to use the newer version to see if openvpn
> > 2.1 does work as it should.
> >
> > Cheers,
> > Bonno Bloksma
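An added example, not code from this thread or from the OpenVPN project, illustrating the failure Bonno describes. Once "user nobody" has dropped root, any restart that re-reads the private key or re-creates the tun device needs privileges the process no longer has: SIGHUP is a hard restart that re-reads the config and therefore the key (the "fopen:Permission denied" on a mode 0400 root-owned key above), and deleting routes or closing the tun device fails the same way ("RTNETLINK answers: Operation not permitted"). The OpenVPN manual's answer is --persist-key and --persist-tun, which make a SIGUSR1 restart keep the already-loaded key and the open tun device instead of reopening them. The script below lints a client.conf for exactly that combination and appends the missing options. It assumes one option per line with "#" or ";" comments, as in a normal OpenVPN 2.x config; the sample config is constructed here (it reuses the file names from the listing above, and the remote host is invented). Note that this only fixes the dropped connection; whether a given OpenVPN release reopens its --log file on a signal is a separate question the thread leaves open, and logrotate's copytruncate keeps working regardless because it truncates the file in place.

```shell
#!/bin/sh
# Added example: check an OpenVPN 2.x config for options that break a
# signal-driven restart after privileges were dropped with "user nobody".
# Not the OpenVPN project's code; config syntax assumed as described above.
set -eu

# check_restart_safety FILE
# Prints "ok" (status 0) when a SIGUSR1 restart would not need root again.
# Otherwise prints one "missing <option>: ..." line per problem, status 1.
check_restart_safety() {
    drops_priv=0; has_key=0; persist_key=0; persist_tun=0
    while read -r opt _rest; do
        opt=${opt#--}                      # config files may carry a "--" prefix
        case $opt in
            ''|'#'*|';'*) continue ;;      # blank lines and comments
            user)         drops_priv=1 ;;  # "group" alone did not matter in the thread
            key|pkcs12)   has_key=1 ;;     # private key read from a file
            persist-key)  persist_key=1 ;;
            persist-tun)  persist_tun=1 ;;
        esac
    done < "$1"
    if [ "$drops_priv" -eq 0 ]; then
        echo ok
        return 0
    fi
    rc=0
    if [ "$has_key" -eq 1 ] && [ "$persist_key" -eq 0 ]; then
        echo "missing persist-key: key file cannot be re-read after the privilege drop"
        rc=1
    fi
    if [ "$persist_tun" -eq 0 ]; then
        echo "missing persist-tun: tun device and routes cannot be re-created after the privilege drop"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# harden_config IN OUT
# Copies IN to OUT and appends every option check_restart_safety reports missing.
harden_config() {
    cp "$1" "$2"
    check_restart_safety "$1" | sed -n 's/^missing \([a-z-]*\):.*/\1/p' >> "$2"
}

# Constructed sample config (hypothetical remote; file names from the listing).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/unsafe.conf" <<'EOF'
# client.conf as in the thread: privileges dropped, no persist-* options
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert bonnothuis.crt
key bonnothuis.key
user nobody
group nobody
log /var/log/openvpn.log
EOF
harden_config "$work/unsafe.conf" "$work/fixed.conf"

for name in unsafe fixed; do
    echo "== $name.conf"
    check_restart_safety "$work/$name.conf" || true
done
```

Run it as-is to see the two reports side by side; on a real host point check_restart_safety at /etc/openvpn/client.conf and then send SIGUSR1 (the init script's "reopen") rather than SIGHUP, since SIGHUP re-reads the config and key even with --persist-key set.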