systemd: Enable systemd's auto-restart feature for server profiles
Systemd supervises services it has started and can act upon unexpected
scenarios.  This change will restart OpenVPN after 5 seconds if the OpenVPN
process exits unexpectedly.

The on-failure mode is the recommended mode by upstream systemd.

This change has been tested on a test server for some months, and it
indeed works as intended when provoking the OpenVPN process to stop.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170906235202.26551-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15370.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
dsommers committed Sep 21, 2017
1 parent 682e7fe commit a4686e9
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions distro/systemd/openvpn-server@.service.in
Expand Up @@ -18,6 +18,8 @@ DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
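Review bot: Restart=on-failure, added at the end of the [Service] section, fires only on a non-zero exit status, an uncaught signal, or a start/watchdog timeout; an OpenVPN process that exits with status 0 is not restarted, which is narrower than the commit message's "exits unexpectedly" suggests, so either the message should say that clean exits are not covered or Restart=always should be used if they are meant to be. Also worth a second look: with RestartSec=5s the restarts never reach systemd's default start rate limit (5 starts within 10 seconds), so an instance with a broken config will be restarted every 5 seconds indefinitely instead of ending up in the failed state; if that is not wanted, pair the change with StartLimitBurst=/StartLimitIntervalSec= in [Unit].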

5 comments on commit a4686e9

@alogoc alogoc commented on a4686e9 Jun 2, 2018


Seems that this systemd service is not working with systemd --version

systemd 232
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
systemctl cat  openvpn-server\@.service
# /lib/systemd/system/openvpn-server@.service
[Unit]
Description=OpenVPN service for %I
After=network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
systemctl enable openvpn-server\@.service
The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
   .wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
   a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
   D-Bus, udev, scripted systemctl call, ...).
4) In case of template units, the unit is meant to be enabled with some
   instance name specified.

Will keep you posted if I find out why :)

@dsommers (Member Author)


Please do. It's interesting it is complaining about missing installation configs which, at least to my eyes, exists.

@akarollil akarollil commented on a4686e9 May 24, 2019


The server systemd service is working fine on systemd v232 on Debian Stretch for me. @dsommers, I am curious about why the Restart/RestartSec configuration lines were added only to the server service and not the client. Any reason for doing so only for the server and not for the client systemd service? I ran into a case where the openvpn client could not reconnect to the server because of a permissions issue (because it had dropped privileges and needed it to re-establish connection to a newer version of the server). The client service then stops and doesn't come back up because it doesn't have the Restart config that the server has. It might make sense to have the client restart on failure too?

@dsommers (Member Author)


There was a fairly thorough discussion in the developer community before this change got accepted and merged. Most use cases for a server profile are that it should be available by default. If the server crashes or needs to be restarted, that was considered a good feature.

The client side can be much more differentiated in its expectations. Some would like to have the client restarted automatically, while for others that could be disastrous, as it might need to be started in a special order to avoid other issues on the client. Some users have multiple VPN profiles set up as well; while some of them would benefit from this feature, other profiles might not. So by not changing the client side, we do not break any existing client setups. If we changed this behaviour, it would be far more unclear what the consequences for all of our Linux users would be.

All this said, it is fairly easy to enable this feature on the fly. Just use systemctl edit openvpn-client@CONFIGNAME and add the [Service] section as well as the appropriate Restart= settings. This gives you much more fine-grained control over which services are automatically restarted and which are not. And it is preserved through upgrades using this approach.

@akarollil

Thanks for the explanation David. Yes, I added a drop-in config file (/etc/systemd/system/openvpn-client@.service.d/restart-client-always.conf) with the following content for adding restart configuration to the client service:

[Service]
RestartSec=5s
Restart=always
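The per-instance drop-in that dsommers suggests (systemctl edit openvpn-client@CONFIGNAME) and the file akarollil posted can be produced and checked without an interactive editor. The script below is an added example written for this page; it is not part of the OpenVPN project's unit files or of the thread. SYSTEMD_ROOT and SYSTEMD_LIB are hypothetical variables (defaulting to /etc/systemd/system and /lib/systemd/system) so the functions can be exercised against a scratch directory, and effective_setting is a deliberately simplified reading of systemd's merge order (template, template drop-ins, per-instance drop-ins, last assignment wins), not a reimplementation of unit loading.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN project: create the per-instance
# Restart= drop-in for openvpn-client@NAME.service and read back which value
# is in effect. SYSTEMD_ROOT / SYSTEMD_LIB are hypothetical overrides so the
# functions can run against a scratch tree instead of the real unit dirs.

: "${SYSTEMD_ROOT:=/etc/systemd/system}"
: "${SYSTEMD_LIB:=/lib/systemd/system}"

# Restart= accepts exactly these values (systemd.service(5)); anything else is
# logged as an error and ignored by systemd, so reject it before writing.
valid_restart_mode() {
    case "$1" in
        no|on-success|on-failure|on-abnormal|on-watchdog|on-abort|always) return 0 ;;
        *) return 1 ;;
    esac
}

# write_restart_dropin NAME MODE [DELAY]
# Writes openvpn-client@NAME.service.d/restart.conf (same layout as the
# drop-in posted in the thread) and prints its path.
write_restart_dropin() {
    name=$1; mode=$2; delay=${3:-5s}
    valid_restart_mode "$mode" || { echo "invalid Restart= value: $mode" >&2; return 1; }
    dir="$SYSTEMD_ROOT/openvpn-client@$name.service.d"
    mkdir -p "$dir"
    printf '[Service]\nRestartSec=%s\nRestart=%s\n' "$delay" "$mode" > "$dir/restart.conf"
    # A new drop-in is only picked up after a daemon-reload; skipped on a
    # scratch tree so the script stays side-effect free there.
    if [ "$SYSTEMD_ROOT" = /etc/systemd/system ] && command -v systemctl >/dev/null 2>&1; then
        systemctl daemon-reload
    fi
    echo "$dir/restart.conf"
}

# effective_setting NAME KEY   (KEY is Restart or RestartSec)
# Simplified merge: the template (an /etc copy overrides the /lib one), then
# the template drop-ins, then the per-instance drop-ins; the last assignment
# wins. For the authoritative value ask systemd after daemon-reload:
#   systemctl show -p Restart,RestartSec openvpn-client@NAME.service
effective_setting() {
    name=$1; key=$2; value=
    template="$SYSTEMD_LIB/openvpn-client@.service"
    [ -f "$SYSTEMD_ROOT/openvpn-client@.service" ] && template="$SYSTEMD_ROOT/openvpn-client@.service"
    for f in "$template" \
             "$SYSTEMD_ROOT/openvpn-client@.service.d"/*.conf \
             "$SYSTEMD_ROOT/openvpn-client@$name.service.d"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^$key=//p" "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    # systemd's own defaults when nothing sets the key
    if [ -z "$value" ]; then
        case "$key" in
            Restart) value=no ;;
            RestartSec) value=100ms ;;
        esac
    fi
    echo "$value"
}

# Usage (as root, on a real system):
#   write_restart_dropin office on-failure 5s
#   effective_setting office Restart
```

Because the drop-in lives under /etc/systemd/system rather than in the packaged template, it survives package upgrades, which is the point dsommers makes above; a drop-in in openvpn-client@.service.d/ would instead apply to every instance at once.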
