Hi,

There has been an open bug in Debian [1] since 2007 that seems to be
quite well documented by now. To sum up, when you run openvpn with --mlock
and --user, the daemon will die with "out of memory", possibly due to
mlock(2):

BUGS
Since kernel 2.6.9, if a privileged process calls mlockall(MCL_FUTURE)
and later drops privileges (loses the CAP_IPC_LOCK capability by, for
example, setting its effective UID to a nonzero value), then
subsequent memory allocations (e.g., mmap(2), brk(2)) will fail if the
RLIMIT_MEMLOCK resource limit is encountered.

The bug report contains a workaround (editing PAM limits) and a plea to
document this behaviour. I guess it's better to document this (after
verification of the facts) in OpenVPN's man page rather than just
Debian's package.

Regards,

Alberto


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406895
-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
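
The following is an added example, not part of the original message and not OpenVPN's code: a startup preflight for a daemon that calls mlockall(MCL_FUTURE) and then drops to a non-root user, which checks RLIMIT_MEMLOCK and raises it while still privileged. The function names, the target UID and the 64 MiB peak figure are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>

enum memlock_verdict { MEMLOCK_OK = 0, MEMLOCK_WILL_FAIL = 1 };

/*
 * Pure decision. Once the effective UID is nonzero the process has lost
 * CAP_IPC_LOCK, and with MCL_FUTURE in force every new mapping is locked
 * and counted against the RLIMIT_MEMLOCK soft limit.
 * Simplification (assumption): UID 0 keeps the capability, any other
 * UID loses it. peak_bytes is the caller's estimate of peak memory use.
 */
enum memlock_verdict memlock_check(rlim_t soft_limit, uid_t target_uid,
                                   unsigned long long peak_bytes)
{
    if (target_uid == 0 || soft_limit == RLIM_INFINITY)
        return MEMLOCK_OK;
    return peak_bytes > (unsigned long long)soft_limit
               ? MEMLOCK_WILL_FAIL : MEMLOCK_OK;
}

/*
 * Call while still privileged, before mlockall() and before setuid().
 * Raises RLIMIT_MEMLOCK to peak_bytes if the current soft limit would be
 * hit after the drop. Returns 0 if the plan is safe, -1 if it is not.
 */
int memlock_prepare(uid_t target_uid, unsigned long long peak_bytes)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -1;
    if (memlock_check(rl.rlim_cur, target_uid, peak_bytes) == MEMLOCK_OK)
        return 0;

    rl.rlim_cur = (rlim_t)peak_bytes;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < rl.rlim_cur)
        rl.rlim_max = rl.rlim_cur; /* raising the hard limit needs privilege */
    if (setrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        perror("setrlimit(RLIMIT_MEMLOCK)");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed values: drop to UID 65534, expect a 64 MiB peak. */
    int rc = memlock_prepare(65534, 64ULL << 20);
    printf("safe to mlockall(MCL_FUTURE) and drop: %s\n", rc == 0 ? "yes" : "no");
    return 0;
}
```

Resource limits survive the UID change, so a limit raised here is still in effect after the drop; the PAM limits workaround from the bug report achieves the same thing from outside the process.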
