author | Bernhard Schmidt <berni@debian.org> | 2017-10-09 21:26:31 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2017-10-09 21:26:31 +0200 |
commit | 1a0cdf35d6f7e3a80eaf3989e415baf23f879488 (patch) | |
tree | 575818d90ddbf2b89205c58a7f143937ff2cb398 | |
parent | 8b66a35385f4350db57d6a9d4f40ad732267e6b9 (diff) |
openvpn@.service: Use KillMode=process
This copies a change in the upstream systemd unit into the Debian-specific
one
===
systemd: Ensure systemd shuts down OpenVPN in a proper way
By default, when systemd is stopping OpenVPN it will send the SIGTERM
to all processes within the same process control-group. This can come
as a surprise to plug-ins which may have fork()ed out child processes.
So we tell systemd to only send the SIGTERM signal to the main OpenVPN
process and let OpenVPN take care of the shutdown process on its own.
If the main OpenVPN process does not stop within 90 seconds (unless
changed), it will send SIGKILL to all remaining processes within
the same process control-group.
This issue has been reported in both Debian and Fedora.
Trac: 581
Message-Id: <20170906234705.26202-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15369.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
[DS: Applied lazy-ack policy]
===
-rw-r--r-- | debian/openvpn@.service | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/debian/openvpn@.service b/debian/openvpn@.service index 992cc3b..7f0134b 100644 --- a/debian/openvpn@.service +++ b/debian/openvpn@.service @@ -15,6 +15,7 @@ PrivateTmp=true WorkingDirectory=/etc/openvpn ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid +KillMode=process ExecReload=/bin/kill -HUP $MAINPID CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 |
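
Review bot: The added `KillMode=process` line does not match the behaviour the commit message describes, where SIGTERM goes to the main OpenVPN process and SIGKILL goes to everything left in the control group after the stop timeout. Per systemd.kill(5), that sequence is `KillMode=mixed`. With `KillMode=process` only the main process is signalled, so plug-in children that outlive OpenVPN stay running in the unit's cgroup after the stop. They keep whatever privileges they started with and can still be there when the instance is next started. If the goal is to let OpenVPN shut down its own children while still guaranteeing cleanup, consider `KillMode=mixed`. If leaving children unkilled is intentional, say so in a comment next to the directive. The unit lines shown here set no `TimeoutStopSec=`, so the "90 seconds" in the message relies on the systemd default. A short comment noting that would help anyone tuning the unit later.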