Jan Just Keijser <janjust <at> nikhef.nl> writes:

> >
> I've managed to reproduce most of your setup on my FC22 box; however, 
> the env.conf file is never picked up by my systemd. What *does* work for 
> me, however, is to use
> 
> [Service]
> EnvironmentFile=/etc/openvpn/environment
> 
> and then add an environment file /etc/openvpn/environment containing
> 
> OPENSSL_ENABLE_MD5_VERIFY=1
> 
> so how did you get systemd to pick up the env.d directory? on FC22 this 
> did not happen automagically...

Using drop-in is a technical difference but I'm sure this does not have 
any impact on the behavior. Using EnvironmentFile= or Environment= 
directly in service file is perfectly fine. I'm not sure if you named your 
drop-in directory correctly as you refer to "env.d" which is not the 
correct name. If you have template /usr/lib/systemd/system/openvpn@.service 
and you start tunnel through `sudo systemctl start 
openvpn@my_tunnel.service` then your drop-in directory should be named 
/etc/systemd/system/openvpn@my_tunnel.d and there you put as many *.conf 
files as you need (env.conf in this case). More on using drop-ins – 
https://coreos.com/os/docs/latest/using-systemd-drop-in-units.html

Bug https://bugzilla.redhat.com/show_bug.cgi?id=1174915 makes it clear the 
problem is due to lack of appropriate SELinux policy. Turning SELinux off 
solves the problem. As I wrote in comment 
https://bugzilla.redhat.com/show_bug.cgi?id=1174915#c15 the fix could have 
been reverted since it had been included in Fedora 21 due to security 
implications. Please notice that current systemd unit for openvpn 
(https://sourceforge.net/p/openvpn/openvpn/ci/3341a98c2852d1d0c1eafdc70a3bdb218ec29049/tree/distro/systemd/openvpn-client%40.service) uses 
CapabilityBoundingSet param as follows:
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
It could be that properly setting this param could also solve the problem. 
However I'm not sure if it's really feasible as I'm guessing one has to 
restrict reading environment to specific variables only 
(OPENSSL_ENABLE_MD5_VERIFY in this case) and I don't see a way to describe 
this requirement using only capabilities in CapabilityBoundingSet.
Nevertheless I'm happy I found out the reason my setup was not working and 
I don't have the need to explore it further.

Thanks for your interest and time! I very much appreciate it.

Regards,
Piotr Dobrogost
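The per-instance drop-in described in the reply above, as an added helper script that is not part of the thread: it renders a drop-in for an OpenVPN template instance that points at an EnvironmentFile. It assumes the drop-in directory is named after the full unit name (openvpn@my_tunnel.service.d, per systemd.unit(5)); the optional root prefix and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders a per-instance systemd
# drop-in that makes an openvpn@<instance>.service read an EnvironmentFile.
# Assumption: drop-in directories are named <full unit name>.d, i.e.
# /etc/systemd/system/openvpn@my_tunnel.service.d, as systemd.unit(5) states.

# Print the drop-in directory for a unit. An optional root prefix ($2) lets
# the script be exercised against a scratch directory instead of /etc.
dropin_dir() {
    unit="$1"
    root="${2:-}"
    case "$unit" in
        *.service) ;;
        *) unit="$unit.service" ;;   # systemctl appends .service the same way
    esac
    printf '%s/etc/systemd/system/%s.d\n' "$root" "$unit"
}

# Write <dropin dir>/env.conf with an EnvironmentFile= line and print the
# path of the file written. $1 = unit, $2 = environment file, $3 = root prefix.
write_env_dropin() {
    unit="$1"
    envfile="$2"
    root="${3:-}"
    dir=$(dropin_dir "$unit" "$root")
    mkdir -p "$dir"
    # No leading '-' on EnvironmentFile=: systemd then refuses to start the
    # unit if the file is missing, which is easier to notice than a silently
    # ignored setting.
    printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$dir/env.conf"
    printf '%s\n' "$dir/env.conf"
}

# On a live system, after writing the drop-in, reload and confirm it took:
#   systemctl daemon-reload
#   systemctl show -p EnvironmentFiles openvpn@my_tunnel.service
# If the property is set but the variable still has no effect, check the
# audit log for SELinux denials, as the bugzilla entry in the thread does.
```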

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users