From: Selva Nair Date: Wed, 9 Sep 2020 22:15:29 +0000 (-0400) Subject: Add a remark on dropping privileges when --mlock is used X-Git-Tag: v2.5_rc1~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be68b361a9c95218c671ee86d25a29019bab7239;p=thirdparty%2Fopenvpn.git Add a remark on dropping privileges when --mlock is used trac #1059 Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <1599689729-25906-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20937.html Signed-off-by: Gert Doering (cherry picked from commit 5b815eb449314a43e2b73325948edea8a4cfb215) --- diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a07fe7e7d..d5f08839b 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -230,6 +230,13 @@ which mode OpenVPN is configured as. The downside of using ``--mlock`` is that it will reduce the amount of physical memory available to other applications. + The limit on how much memory can be locked and how that limit + is enforced are OS-dependent. On Linux the default limit that an + unprivileged process may lock (RLIMIT_MEMLOCK) is low, and if + privileges are dropped later, future memory allocations will very + likely fail. The limit can be increased using ulimit or systemd + directives depending on how OpenVPN is started. + --nice n Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority).
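
Review bot: In the paragraph added to doc/man-sections/generic-options.rst, the closing sentence "The limit can be increased using ulimit or systemd directives" leaves the reader to find the actual settings. Name them, for example `ulimit -l` when OpenVPN is started from a shell or init script and `LimitMEMLOCK=` in the unit file when it is started by systemd. The phrase "if privileges are dropped later" is also not tied to the option that does the dropping, so a cross-reference to ``--user`` would help an administrator recognise the failure case when allocations start failing after initialization. Finally, RLIMIT_MEMLOCK is written bare while the surrounding text marks literals as ``--mlock``; the same literal markup should be used here.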