From be68b361a9c95218c671ee86d25a29019bab7239 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Wed, 9 Sep 2020 18:15:29 -0400 Subject: [PATCH] Add a remark on dropping privileges when --mlock is used trac #1059 Signed-off-by: Selva Nair Acked-by: Gert Doering Message-Id: <1599689729-25906-1-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20937.html Signed-off-by: Gert Doering (cherry picked from commit 5b815eb449314a43e2b73325948edea8a4cfb215) --- doc/man-sections/generic-options.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a07fe7e7d..d5f08839b 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -230,6 +230,13 @@ which mode OpenVPN is configured as. The downside of using ``--mlock`` is that it will reduce the amount of physical memory available to other applications. + The limit on how much memory can be locked and how that limit + is enforced are OS-dependent. On Linux the default limit that an + unprivileged process may lock (RLIMIT_MEMLOCK) is low, and if + privileges are dropped later, future memory allocations will very + likely fail. The limit can be increased using ulimit or systemd + directives depending on how OpenVPN is started. + --nice n Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). -- 2.47.2
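Review bot: The closing sentence of the added paragraph ("The limit can be increased using ulimit or systemd directives depending on how OpenVPN is started") stops short of naming the actual settings, so an operator hitting allocation failures still has to search for them. Consider spelling them out, for example ``ulimit -l`` for instances started from a shell or init script and ``LimitMEMLOCK=`` for systemd units. The phrase "if privileges are dropped later" should also name the options that do the dropping, so the reader can tell whether their configuration is affected. A smaller style point in the same hunk: RLIMIT_MEMLOCK is written as plain text while ``--mlock`` two lines above uses literal markup; marking it as a literal would keep the section consistent.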