Hi Martin,
no problem.
Exchanging the file "completely" might be too much unless we can reason all the changes.
Some I'd think were made in Debian/Ubuntu for valid reasons and should be kept.
So if I might ask you to continue your test for combinations of the delta.
I only reordered things to make it more readable - overall the change from Ubuntu/Debian to upstream would be:
--- debian. openvpn@ .service 2018-08-28 14:58:25.145712079 +0200 openvpn@ .service 2018-08-28 15:03:00.221966742 +0200 openvpn. service edFrom= openvpn. service systemd- user-sessions. service network- online. target network- online. target man:openvpn( 8) /community. openvpn. net/openvpn/ wiki/Openvpn24M anPage /community. openvpn. net/openvpn/ wiki/Openvpn23M anPage /community. openvpn. net/openvpn/ wiki/HOWTO
+++ upstream.
@@ -3,28 +3,23 @@
PartOf=
ReloadPropagat
Before=
-After=
-Wants=
Documentation=
-Documentation=https:/
+Documentation=https:/
Documentation=https:/
[Service] ry=/etc/ openvpn /usr/sbin/ openvpn --daemon ovpn-%i --status /run/openvpn/ %i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/ %i.conf --writepid /run/openvpn/%i.pid /run/openvpn/ %i.pid /bin/kill -HUP $MAINPID dingSet= CAP_IPC_ LOCK CAP_NET_ADMIN CAP_NET_ BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE dingSet= CAP_IPC_ LOCK CAP_NET_ADMIN CAP_NET_ BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE /dev/null rw /dev/net/ tun rw
-Type=notify
+Type=forking
PrivateTmp=true
WorkingDirecto
ExecStart=
PIDFile=
-KillMode=process
+KillMode=mixed
ExecReload=
-CapabilityBoun
+CapabilityBoun
LimitNPROC=10
DeviceAllow=
DeviceAllow=
-ProtectSystem=true
-ProtectHome=true
-RestartSec=5s
-Restart=on-failure
+ProtectSystem=yes
[Install] multi-user. target
WantedBy=
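Review bot: -ProtectHome=true near the end of the [Service] block is removed with nothing in its place, so the service regains access to /home, /root and /run/user. Unless this line is shown to cause the reported problem, keep it; if the cause turns out to be a file the daemon has to read from a home directory, ProtectHome=read-only is a narrower change than dropping the setting.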
Let us break this into categories:
1. Distro is better, we should not take this change (in fact we should file an upstream issue to change it there) network- online. target network- online. target /community. openvpn. net/openvpn/ wiki/Openvpn24M anPage /community. openvpn. net/openvpn/ wiki/Openvpn23M anPage
-After=
-Wants=
-Documentation=https:/
+Documentation=https:/
2. we already know we want to follow this change in the Distro: dingSet= CAP_IPC_ LOCK CAP_NET_ADMIN CAP_NET_ BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE dingSet= CAP_IPC_ LOCK CAP_NET_ADMIN CAP_NET_ BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
-CapabilityBoun
+CapabilityBoun
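Review bot: on the CapabilityBoundingSet lines, a "fusion" of the two sets would keep CAP_DAC_OVERRIDE, which is the one capability the upstream line drops. CAP_DAC_OVERRIDE bypasses read, write and execute permission checks on files, while CAP_DAC_READ_SEARCH only bypasses read and directory-search checks, so I would take the upstream set as it stands and add CAP_DAC_OVERRIDE back only if a concrete failure needs it.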
=> Probably a fusion of the capabilities here eventually
3. I think these are better than upstream, but we need to check which one of them is the reason for your issue
-ProtectSystem=true
+ProtectSystem=yes
(should be a no-op IMO)
-RestartSec=5s
-Restart=on-failure
-KillMode=process
+KillMode=mixed
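Review bot: the two removed lines, Restart=on-failure and RestartSec=5s, have no replacement, so after this change a daemon that exits with an error stays down until someone starts it again. Keep both unless the test shows they cause the problem. KillMode=mixed is the safer of the two KillMode values here: with --script-security 2 in ExecStart, any script children still running after the main process stops get SIGKILL instead of being left behind.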
These two are in fact copied over from upstream (remember the actual upstream, not their deb package creation - there I'd hope that these are not the reason)
-ProtectHome=true
-Type=notify
+Type=forking
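Review bot: Type=forking on the last line depends on PIDFile= for systemd to identify the main process; the ExecStart line in the full diff passes --daemon and --writepid with the same /run/openvpn/%i.pid path, so the two agree. What is lost is readiness notification: with Type=forking the unit counts as started once the parent process exits, so units ordered after it no longer wait for the daemon's own ready signal. Test this change on its own, separately from ProtectHome.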
If you could apply #2 in any case and then test the sections of #3 one by one and report back here which one solves it for you, that would be great.
I realized that all our changes are from upstream actually, see https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/openvpn-server%40.service.in
And check which one is closer, Ubuntu or the upstream .deb package :-)
Nevertheless, let's find out which difference it is that breaks you.
Then we can go upstream with the request to change and adapt here as well.
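The test plan asked for above (apply #2, then try the sections of #3 one at a time) can be run with systemd drop-ins instead of exchanging the packaged unit. The script below is an added example, not part of the thread or of the openvpn packaging; the function names, the drop-in file names and the DROPIN_DIR variable are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): one drop-in set per bisect step.
# Function names, file names and DROPIN_DIR are assumptions.
set -eu

# Upstream capability set, copied from the "+CapabilityBoundingSet" line above.
CAPS_UPSTREAM="CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW \
CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE"

# Print the [Service] overrides that move the distro unit to upstream for one step.
dropin_body() {
    echo "[Service]"
    case "$1" in
        caps)   # change #2, always applied
            # The empty assignment resets the list; without it systemd merges
            # the drop-in with the unit's own set and CAP_DAC_OVERRIDE stays.
            echo "CapabilityBoundingSet="
            echo "CapabilityBoundingSet=$CAPS_UPSTREAM" ;;
        protectsystem)
            echo "ProtectSystem=yes" ;;
        restart-kill)
            # Upstream has no Restart= lines, so fall back to the default.
            echo "Restart=no"
            echo "KillMode=mixed" ;;
        home-type)
            # Upstream has no ProtectHome= line, so fall back to the default.
            echo "ProtectHome=no"
            echo "Type=forking" ;;
        *)
            echo "unknown step: $1" >&2
            return 1 ;;
    esac
}

# Write change #2 plus exactly one section of #3 into directory $1.
write_bisect_step() {
    bs_dir=$1
    bs_step=$2
    bs_body=$(dropin_body "$bs_step") || return 1
    mkdir -p "$bs_dir"
    rm -f "$bs_dir"/20-bisect-*.conf      # drop the previously tested section
    dropin_body caps > "$bs_dir/10-caps.conf"
    printf '%s\n' "$bs_body" > "$bs_dir/20-bisect-$bs_step.conf"
}

# Usage: sh bisect.sh <step>; writes to ./openvpn@.service.d unless DROPIN_DIR is set.
if [ "$#" -ge 1 ]; then
    write_bisect_step "${DROPIN_DIR:-./openvpn@.service.d}" "$1"
fi
```

With DROPIN_DIR set to /etc/systemd/system/openvpn@.service.d, run systemctl daemon-reload and restart the instance after each step before testing.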