* [gentoo-user] openvpn rc script dependencies
From: Christoph Böhmwalder @ 2018-04-10 8:55 UTC
To: gentoo-user
I was wondering how the OpenRC dependencies between start scripts work.

Basically, I have two network interfaces on my laptop (wlp3s0 and
enp0s20u2u3 for wireless and ethernet respectively). When I start the
wireless interface service (rc-service net.wlp3s0 start) the OpenVPN
service starts and vice versa. That's great, but I didn't configure
that anywhere.

What's even worse is that when I'm not connected via WiFi (i.e.
ethernet), the VPN service won't start because net.wlp3s0 isn't started:

# rc-service net.enp0s20u2u3 start
# ...
# rc-service openvpn.mullvad_at start
# rc-service openvpn.mullvad_at start
openvpn.mullvad_at| * Caching service dependencies ... [ ok ]
net.wlp3s0 | * Bringing up interface wlp3s0
net.wlp3s0 | * Starting wpa_supplicant on wlp3s0 ...
net.wlp3s0 |Successfully initialized wpa_supplicant [ ok ]
openvpn.mullvad_at| * WARNING: openvpn.mullvad_at will start when net.wlp3s0 has started
net.wlp3s0 | * Starting wpa_cli on wlp3s0 ... [ ok ]
net.wlp3s0 | * Backgrounding ... ...
net.wlp3s0 | * WARNING: net.wlp3s0 has started, but is inactive

Why would it do that, can I configure this anywhere?

Thanks for your help
--
Regards,
Christoph

* Re: [gentoo-user] openvpn rc script dependencies
From: Simon Thelen @ 2018-04-10 11:25 UTC
To: gentoo-user
On 18-04-10 at 10:55, Christoph Böhmwalder wrote:
> I was wondering how the OpenRC dependencies between start scripts work.
>
> Basically, I have two network interfaces on my laptop (wlp3s0 and
> enp0s20u2u3 for wireless and ethernet respectively). When I start the
> wireless interface service (rc-service net.wlp3s0 start) the OpenVPN
> service starts and vice versa. That's great, but I didn't configure
> that anywhere.
What does your /etc/runlevels/ look like? Is the openvpn service in one
of the runlevels? Are either of your network interfaces in one of the
runlevels?
> What's even worse is that when I'm not connected via WiFi (i.e.
> ethernet), the VPN service won't start because net.wlp3s0 isn't started:
[..]
> Why would it do that, can I configure this anywhere?
Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
there were a way to modify require/provides without having to edit the
init scripts themselves.
--
Simon Thelen

* Re: [gentoo-user] openvpn rc script dependencies
From: Michael Orlitzky @ 2018-04-10 13:28 UTC
To: gentoo-user
On 04/10/2018 07:25 AM, Simon Thelen wrote:
>
> Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> there were a way to modify require/provides without having to edit the
> init scripts themselves.
>
This is half the problem, but the OpenVPN init script probably shouldn't
have "need net" in its depend() function to begin with. It runs fine
with only the loopback interface up.
You could try to file a bug for that with
https://github.com/OpenRC/openrc/blob/master/service-script-guide.md
as a reference. There's a section titled "Be wary of 'need net'
dependencies" that covers the issue.

* Re: [gentoo-user] openvpn rc script dependencies
From: Christoph Böhmwalder @ 2018-04-10 13:59 UTC
To: gentoo-user
On Tue, Apr 10, 2018 at 01:25:42PM +0200, Simon Thelen wrote:
> What does your /etc/runlevels/ look like? Is the openvpn service in one
> of the runlevels? Are either of your network interfaces in one of the
> runlevels?
Looking at `rc-status -a`, the openvpn service and the wifi interface
are both in runlevel default (which is kind of intentional). The wired
interface is in runlevel manual (I don't use it that often, so that's
fine).
The thing is, I want to:
* Start the wifi service at boot
* Start the openvpn service when _any_ network connection is active
> Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> there were a way to modify require/provides without having to edit the
> init scripts themselves.
Unfortunately I can't test this anymore, but looking at the
documentation this _should_ work.
Thanks!
--
Regards,
Christoph

* Re: [gentoo-user] openvpn rc script dependencies
From: Christoph Böhmwalder @ 2018-04-10 14:02 UTC
To: gentoo-user
On Tue, Apr 10, 2018 at 09:28:10AM -0400, Michael Orlitzky wrote:
> This is half the problem, but the OpenVPN init script probably shouldn't
> have "need net" in its depend() function to begin with. It runs fine
> with only the loopback interface up.
That's exactly why I got confused. Shouldn't it be possible to just
"tie" openvpn to _any_ network interface? It's especially weird how it
just magically defaults to the wifi interface (it is in runlevel
default, but still). Very unclear imo.
> You could try to file a bug for that with
>
> https://github.com/OpenRC/openrc/blob/master/service-script-guide.md
>
> as a reference. There's a section titled "Be wary of 'need net'
> dependencies" that covers the issue.
That does look like it addresses the issue. I'll try and poke around
in there.
Thanks!
--
Regards,
Christoph

* Re: [gentoo-user] openvpn rc script dependencies
From: Mick @ 2018-04-10 15:43 UTC
To: gentoo-user; +Cc: Christoph Böhmwalder
On Tuesday, 10 April 2018 14:59:39 BST Christoph Böhmwalder wrote:
> On Tue, Apr 10, 2018 at 01:25:42PM +0200, Simon Thelen wrote:
> > What does your /etc/runlevels/ look like? Is the openvpn service in one
> > of the runlevels? Are either of your network interfaces in one of the
> > runlevels?
>
> Looking at `rc-status -a`, the openvpn service and the wifi interface
> are both in runlevel default (which is kind of intentional). The wired
> interface is in runlevel manual (I don't use it that often, so that's
> fine).
>
> The thing is, I want to:
> * Start the wifi service at boot
> * Start the openvpn service when _any_ network connection is active
>
> > Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> > there were a way to modify require/provides without having to edit the
> > init scripts themselves.
>
> Unfortunately I can't test this anymore, but looking at the
> documentation this _should_ work.
>
> Thanks!
>
> --
> Regards,
> Christoph
I recall noticing a somewhat similar behaviour with the ipsec service of
strongswan. In particular, it would complain that the wired interface was not
up and therefore ipsec would not start until then. The wireless interface
itself being up was not enough to start ipsec. I used to start it up manually
from the command line. I didn't look into it back then. I wonder if it was
also something to do with the configuration of the start up script of ipsec.
PS. I had commented out #rc_depend_strict="YES" in /etc/rc.conf and set
rc_hotplug="*", but did not experiment further with these settings at the
time.
--
Regards,
Mick

* [gentoo-user] Re: openvpn rc script dependencies
From: Ian Zimmerman @ 2018-04-10 16:25 UTC
To: gentoo-user
On 2018-04-10 10:55, Christoph Böhmwalder wrote:
> I was wondering how the OpenRC dependencies between start scripts
> work.
openvpn start-up dependencies (and, I imagine, any user space based VPN)
are definitely a pain point. One part is the subject of the main thread
here, i.e. what other scripts openvpn itself should depend on. Is it
really safe to start it before the hardware interfaces are up? I guess
in its default config it will keep trying until it can connect to the
server, but I think it can also be configured to just give up.

Another part is the reverse dependencies. On my systems, any network
service that provides the option is configured to only listen on the VPN
interface (plus localhost if necessary). But that means the service
depends on the interface being functional - and, as I have learned, in
the case of openvpn and TUN interface that means not just being in the
UP state, but also the routing table being updated which happens _after_
it is put into UP state. The work to ensure all this state is done by
the openvpn daemon in the background, out of control of openrc or
sysvinit, so it is definitely possible that the openvpn initscript
finishes before the final working state is reached. Then I have network
service daemons failing to start (even if they have an explicit
dependency on openvpn) because they cannot listen() on the VPN
interface. I have to work around this with nefarious hacks using netcat
or ping to test the VPN.

I assume systemd handles this correctly, and this is an occasion when I
envy systemd users and consider, for a few seconds, joining them.
--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
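
Added example, not part of Ian Zimmerman's message or of OpenRC: the state he describes (TUN interface up, routing table updated), plus an assigned address, checked as shell functions that a wrapper can call before starting a daemon that listens only on the VPN address. The interface name, the route to wait for (0.0.0.0/1 is what OpenVPN's redirect-gateway def1 option installs) and the 30-second default are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): wait until an OpenVPN TUN interface is
# usable before starting a daemon that binds to it. The interface name, the
# expected route and the timeout are assumptions supplied by the caller.

# iface_up IFACE: true when the link flags include UP and LOWER_UP.
# A TUN device reports "state UNKNOWN", so the flags are the signal to test.
iface_up() {
    flags=$(ip -o link show dev "$1" 2>/dev/null |
        sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in *,UP,*) ;; *) return 1 ;; esac
    case ",$flags," in *,LOWER_UP,*) ;; *) return 1 ;; esac
}

# iface_addr IFACE: print the first IPv4 address on IFACE, without prefix length.
iface_addr() {
    ip -o -4 addr show dev "$1" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# has_route IFACE DEST: true when a route to DEST (as printed by
# "ip route", e.g. 0.0.0.0/1 or default) goes through IFACE.
has_route() {
    ip -4 route show dev "$1" 2>/dev/null |
        awk -v want="$2" '$1 == want { ok = 1 } END { exit !ok }'
}

# vpn_ready IFACE DEST: all three conditions hold right now.
vpn_ready() {
    iface_up "$1" || return 1
    [ -n "$(iface_addr "$1")" ] || return 1
    has_route "$1" "$2"
}

# wait_for_vpn IFACE DEST SECONDS: poll once per second, fail on timeout so
# the caller does not start the dependent daemon against a half-built tunnel.
wait_for_vpn() {
    tries=$3
    while [ "$tries" -gt 0 ]; do
        vpn_ready "$1" "$2" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Command-line use: script IFACE DEST [SECONDS]
if [ "$#" -ge 2 ]; then
    wait_for_vpn "$1" "$2" "${3:-30}" || exit 1
fi
```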

* Re: [gentoo-user] openvpn rc script dependencies
From: J. Roeleveld @ 2018-04-11 18:38 UTC
To: gentoo-user
On Tuesday, April 10, 2018 1:25:42 PM CEST Simon Thelen wrote:
> On 18-04-10 at 10:55, Christoph Böhmwalder wrote:
> > I was wondering how the OpenRC dependencies between start scripts work.
> >
> > Basically, I have two network interfaces on my laptop (wlp3s0 and
> > enp0s20u2u3 for wireless and ethernet respectively). When I start the
> > wireless interface service (rc-service net.wlp3s0 start) the OpenVPN
> > service starts and vice versa. That's great, but I didn't configure
> > that anywhere.
>
> What does your /etc/runlevels/ look like? Is the openvpn service in one
> of the runlevels? Are either of your network interfaces in one of the
> runlevels?
>
> > What's even worse is that when I'm not connected via WiFi (i.e.
>
> > ethernet), the VPN service won't start because net.wlp3s0 isn't started:
> [..]
>
> > Why would it do that, can I configure this anywhere?
>
> Also check /etc/rc.conf and try setting rc_depend_strict="NO". I do wish
> there were a way to modify require/provides without having to edit the
> init scripts themselves.
There is. You have (at least) 2 other options:

1) In the "/etc/conf.d" files (as I tend to do):

# grep need /etc/conf.d/postgresql-9.5
rc_need="netmount"

(This means, postgresql-9.5 needs the 'netmount' service to have started first)

# grep need /etc/conf.d/netmount
rc_need="net iscsid"

(This means, netmount needs 'net' and 'iscsid' started first)

2) /etc/rc.conf

See the following section in the default version:
===
# It's possible to define extra dependencies for services like so
#rc_config="/etc/foo"
#rc_need="openvpn"
#rc_use="net.eth0"
#rc_after="clock"
#rc_before="local"
#rc_provide="!net"
===
--
Joost