Problem running on OpenVZ #129 again

[HenryNe]

The issure #129 again.

daemon() failed or unsupported: Resource temporarily unavailable (errno=11)

The modifired file /etc/systemd/system/openvpn@.service seams not used by Debian 9.
I need to fix the file /lib/systemd/system/openvpn@.service, and comment out the LimitNPROC, to get it working.

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.9 (stretch)
Release:        9.9
Codename:       stretch

[HenryNe]

On Debian 9 the copy of unit file /etc/systemd/system/openvpn@.service has no effect. You can test the "no effect" by changing the Description in the file /etc/systemd/system/openvpn@.service and run the commands

systemctl daemon-reload
systemctl | grep openvpn

You will still see the description from /lib/systemd/system/openvpn@.service any time.

[HenryNe]

Found the problem.
Started bash with debug:

export AUTO_INSTALL=y
export IPV6_SUPPORT=y
export ENDPOINT=some.domain.x
export CLIENT=clientname
bash -x ./openvpn-install.sh

... snip ...

Setting up openvpn (2.4.0-6+deb9u3) ...
[ ok ] Restarting virtual private network daemon.:.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.

... snip ...

++ cp /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@.service
++ sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn@.service
++ sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn@.service
++ systemctl daemon-reload
++ systemctl restart openvpn@server
Job for openvpn@server.service failed because the control process exited with error code.
See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
++ systemctl enable openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /etc/systemd/system/openvpn@.service.

You can see, the systemctl restart was before the symlink was set to new file in /etc with the systemctl enable.

The order should be

1. systemctl daemon-reload
2. systemctl enable openvpn@server
3. systemctl restart openvpn@server

[angristan]

Not sure about this. enable only add a symlink for a systemd target which has effect on the next reboot, not during the install.

I tried producing your example but it works for me (editing /etc/systemd/system/openvpn@.service + systemctl reload)

[HenryNe]

Is it a specific system/debian problem?
Debian 9:
I have tested it multiple times with complete remove openvpn (with the script), and install it again with this script. This is the log above.

It is repuducable every time, becaus under OpenVZ the unit will not run with LimitNPROC.

Here a complete check. Copy this into a script, and run it with bash -x check.sh. Or run it step by step on command line.

#!/bin/bash

# Clean start
rm /etc/systemd/system/openvpn@.service
systemctl daemon-reload
systemctl enable openvpn@server.service
systemctl restart openvpn@server.service

systemctl | grep openvpn

# Now the patch from openvpn-install
cp /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@.service
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn@.service
# Additional patch the description to see, what is wrong
sed -i 's|^\(Description=.*\)$|\1 Check1|' /etc/systemd/system/openvpn@.service

echo "step 1:"
systemctl daemon-reload
systemctl | grep openvpn

echo "step 2:"
systemctl restart openvpn@server
systemctl | grep openvpn

echo "step 3:"
systemctl enable openvpn@server
systemctl | grep openvpn

This is the output:

# bash -x check.sh
+ rm /etc/systemd/system/openvpn@.service
+ systemctl daemon-reload
+ systemctl enable openvpn@server.service
Removed /etc/systemd/system/multi-user.target.wants/openvpn@server.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /lib/systemd/system/openvpn@.service.
+ systemctl restart openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code.
See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
+ systemctl
+ grep openvpn
  iptables-openvpn.service             loaded active     exited    iptables rules for OpenVPN     
● openvpn@server.service               loaded failed     failed    OpenVPN connection to server   
  system-openvpn.slice                 loaded active     active    system-openvpn.slice           
+ cp /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@.service
+ sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn@.service
+ sed -i 's|^\(Description=.*\)$|\1 Check1|' /etc/systemd/system/openvpn@.service
+ echo 'step 1:'
step 1:
+ systemctl daemon-reload
+ systemctl
+ grep openvpn
  iptables-openvpn.service             loaded active     exited    iptables rules for OpenVPN     
● openvpn@server.service               loaded failed     failed    OpenVPN connection to server   
  system-openvpn.slice                 loaded active     active    system-openvpn.slice           
+ echo 'step 2:'
step 2:
+ systemctl restart openvpn@server
Job for openvpn@server.service failed because the control process exited with error code.
See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
+ systemctl
+ grep openvpn
  iptables-openvpn.service             loaded active     exited    iptables rules for OpenVPN     
● openvpn@server.service               loaded failed     failed    OpenVPN connection to server   
  system-openvpn.slice                 loaded active     active    system-openvpn.slice           
+ echo 'step 3:'
step 3:
+ systemctl enable openvpn@server
Removed /etc/systemd/system/multi-user.target.wants/openvpn@server.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /etc/systemd/system/openvpn@.service.
+ systemctl
+ grep openvpn
  iptables-openvpn.service             loaded active     exited    iptables rules for OpenVPN     
● openvpn@server.service               loaded failed     failed    OpenVPN connection to server Check1
  system-openvpn.slice                 loaded active     active    system-openvpn.slice           

Only the systemctl enable openvpn@server in step 3 changed the description, and set the symlink.
But openvpn would not start withut restart after enable.

# systemctl --version
systemd 232
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

Debian 10:
Here it is different:
A systemctl daemon-reload use the new file /etc/systemd/system/openvpn@.service without an extra systemctl enable openvpn@server, and the unis is running directly after systemctl daemon-reload.

# systemctl --version
systemd 241 (241)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid

[HenryNe]

Not sure about this. enable only add a symlink for a systemd target which has effect on the next reboot, not during the install.

Yes a reboot would work, because the symlink is correctly after the install.

[angristan]

Thanks for the script. Systemd is behaving in a really weird manner but... okay.

[angristan]

Thanks for your time by the way.