From: David Sommerseth <davids@openvpn.net>
Date: Wed, 7 Dec 2016 02:51:52 +0000 (+0100)
Subject: systemd: Intermediate --chroot fix with the new sd_notify() implementation
X-Git-Tag: v2.4_rc2~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65140a3acfa42e5d42cdfcf8108f00a62d5767ff;p=thirdparty%2Fopenvpn.git

systemd: Intermediate --chroot fix with the new sd_notify() implementation

Commit c5931897ae8d663e7e introduced support for talking directly
to the systemd service manager about the situation for the OpenVPN
tunnel. This approach makes a lot of sense and is mostly the proper
way to do it.  But it was discovered that it breaks OpenVPN
configurations using --chroot.

The reason sd_notify() calls fails when using chroot() is that
sd_notify() expects to have access to a file as declared in the
$NOTIFY_SOCKET environment variable.  It is the main systemd
instance which is responsible to provide both the environment variable
as well as the socket file sd_nodify() should use.  When --chroot
comes into play, the $NOTIFY_SOCKET file will not be available
for OpenVPN any more.

As things are getting close to the 2.4_rc2 release we will not dare
to bring a too invasive fix.  As well we need some time to discuss
an approrpriate solution.  So this intermediate fix will only
provide a "successful start" message to the systemd service manager
right before chroot() happens.  This will at least resolve the issue
in a safe and non-intrusive way.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Christian Hesse <mail@eworm.de>
Message-Id: <1481079112-22990-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13416.html
---

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index fb0d0dec4..26b236de0 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -967,7 +967,27 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
       if (c->options.chroot_dir)
 	{
 	  if (no_delay)
-	    platform_chroot (c->options.chroot_dir);
+            {
+#ifdef ENABLE_SYSTEMD
+              /* If OpenVPN is started by systemd, the OpenVPN process needs
+               * to provide a preliminary status report to systemd.  This is
+               * needed as $NOTIFY_SOCKET will not be available inside the
+               * chroot, which sd_notify()/sd_notifyf() depends on.
+               *
+               * This approach is the simplest and the most non-intrusive
+               * solution right before the 2.4_rc2 release.
+               *
+               * TODO: Consider altnernative solutions - bind mount?
+               * systemd does not grok OpenVPN configuration files, thus cannot
+               * have a sane way to know if OpenVPN will chroot or not and to
+               * which subdirectory it will chroot into.
+               */
+              sd_notifyf(0, "READY=1\n"
+                "STATUS=Entering chroot, most of the init completed successfully\n"
+                "MAINPID=%lu", (unsigned long) getpid());
+#endif
+              platform_chroot (c->options.chroot_dir);
+            }
 	  else if (c->first_time)
 	    msg (M_INFO, "NOTE: chroot %s", why_not);
 	}