#990283 openvpn: Upgrades break systemd supervision

Package:
openvpn
Source:
openvpn
Description:
virtual private network daemon
Submitter:
Date:
2021-08-05 14:39:05 UTC
Severity:
important
#990283#5
Date:
2021-06-24 14:59:17 UTC
From:
To:
Shortly after the release of 2.4.7-1+deb10u1, a system with unattended-upgrades configured started to complain:

`systemctl status` reveals that my `openvpn@.service` units are dead, and my openvpn processes are now sitting inside my `apt-daily-upgrade.service` cgroup.  Pretty sure that's not what we want.

#990283#12
Date:
2021-08-03 17:32:16 UTC
From:
To:
tags 990283 + moreinfo
thanks


Hi,

I have checked your bug report on every server I have access to.

Likewise, I have checked the problem in multiple VMs. The error was not
reproducible there either.

Can you please provide the complete update logs?
Was the computer rebooted after the update?

Or can someone confirm the error?

Many thanks

CU
Jörg

#990283#19
Date:
2021-08-03 22:23:28 UTC
From:
To:
Hello Jörg, thanks for the reply.

It was not.  Rebooting fixes the issue, as does manually kill(1)ing the
errant openvpn instances and restarting the systemd unit(s).

Sorry, "Upgrades break systemd supervision" was perhaps not the best
summary.  It's more like "Upgrades restart openvpn outside of
systemd".

This worked for me on a fresh amd64 buster VM:

   echo "deb http://snapshot.debian.org/archive/debian/20210601T022916Z/ buster main" >/etc/apt/sources.list.d/snapshot.list
   apt update
   apt install openvpn=2.4.7-1 ssl-cert

   # placeholder config
   zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >/etc/openvpn/server.conf
   ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/openvpn/server.crt
   ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/openvpn/ca.crt
   ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/openvpn/server.key
   openssl dhparam -out /etc/openvpn/dh2048.pem 2048
   openvpn --genkey --secret /etc/openvpn/ta.key

   systemctl start openvpn@server

   apt install unattended-upgrades
   systemctl start apt-daily-upgrade
   systemctl status
   # Observe: openvpn process is now in apt-daily-upgrade.service
   systemctl start apt-daily-upgrade  # (a second time)
   # systemd now warns about the lingering process

Alternatively, replace 'apt install unattended-upgrades' and everything
thereafter with:

   apt upgrade
   systemctl status

Which should show the openvpn daemon lingering in whatever scope unit
contains your shell.

Or, simpler still:

   invoke-rc.d openvpn cond-restart

which is invoked by openvpn's postinst and has much the same effect.

Attached are extracts of `journalctl --output=with-unit` and
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log after having
done the above.  HTH!

Thanks,
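
A check for the condition described in this message, as an added example that is not part of the original bug report: it reads `/proc/<pid>/cgroup` for each running openvpn process and flags any that is not inside an openvpn unit. The function names and the sample cgroup contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag openvpn processes whose cgroup
# is not an openvpn unit, i.e. daemons that were restarted outside systemd.

# stdin: contents of /proc/<pid>/cgroup. Prints the owning systemd unit.
# Prefers the v1/hybrid "name=systemd" line, falls back to the v2 "0::" line.
unit_of_cgroup() {
    awk '{
            split($0, f, ":")
            path = $0; sub(/^[^:]*:[^:]*:/, "", path)
            if (f[2] == "name=systemd") v1 = path
            if (f[1] == "0" && f[2] == "") v2 = path
         }
         END {
            n = split((v1 != "") ? v1 : v2, parts, "/")
            print parts[n]
         }'
}

# True when the unit name is one of the openvpn template instances.
is_openvpn_unit() {
    case "$1" in
        openvpn@*.service|openvpn-server@*.service|openvpn-client@*.service) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: cgroup file contents. Prints "ok <unit>" or "STRAY <unit>".
classify() {
    unit=$(unit_of_cgroup)
    if is_openvpn_unit "$unit"; then echo "ok $unit"; else echo "STRAY $unit"; fi
}

# Live check on a host: returns non-zero if any openvpn process is stray.
scan_openvpn() {
    rc=0
    for pid in $(pgrep -x openvpn); do
        [ -r "/proc/$pid/cgroup" ] || continue
        result=$(classify < "/proc/$pid/cgroup")
        echo "pid $pid: $result"
        case "$result" in STRAY*) rc=1 ;; esac
    done
    return $rc
}

# Constructed samples of /proc/<pid>/cgroup (not from the report's attachments).
SAMPLE_SUPERVISED='1:name=systemd:/system.slice/system-openvpn.slice/openvpn@server.service
0::/system.slice/system-openvpn.slice/openvpn@server.service'
SAMPLE_STRAY='1:name=systemd:/system.slice/apt-daily-upgrade.service
0::/system.slice/apt-daily-upgrade.service'
printf '%s\n' "$SAMPLE_SUPERVISED" | classify
printf '%s\n' "$SAMPLE_STRAY" | classify
```

On a real host, call `scan_openvpn` after a package upgrade; a non-zero return means at least one daemon is running outside its unit.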

#990283#24
Date:
2021-08-05 14:36:41 UTC
From:
To:
tags 990283 - moreinfo
fixed 990283 openvpn/2.5.1-2~bpo10+1
severity 990283 important
thanks



Hello Daniel,

thanks for your answer.

Since the 2.4.9-3 release, the restart on an update of openvpn was
disabled due to bug #959464.

This change is present in Debian stable in the current backport 
2.5.1-2~bpo10+1.

A new point release is therefore IMHO not necessary.

I will still consult with the maintainer about this, though.


CU
Jörg