Bug 675406

Summary: openvpn: needs systemd async ask-password integration
Product: [openSUSE] openSUSE 12.1
Reporter: Andreas Jaeger <aj>
Component: Basesystem
Assignee: Marius Tomaschewski <mt>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: fcrozat, gp, ismail, jslaby, kkaempf, radmanic, werner, wstephenson
Version: Factory
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 696902

Description Andreas Jaeger 2011-02-26 20:34:57 UTC
If I run "rcopenvpn start" or "systemctl start openvpn.service", nothing happens, /var/log/messages contains only:
Feb 26 17:23:03 x61s-aj systemd[1]: openvpn.service operation timed out. Terminating.
Feb 26 17:23:03 x61s-aj systemd[1]: Unit openvpn.service entered failed state.

The openvpn.service needs to ask me for a password and the init file contains "X-Interactive: true" - but it just does not work. I see an sd-exec process.
Comment 1 Andreas Jaeger 2011-02-26 20:35:16 UTC
Btw. everything works fine if I do not use systemd.
Comment 2 Kay Sievers 2011-03-02 16:13:37 UTC
It's a known issue being worked on. With systemd all services are started from pid 1, never from the calling shell. openvpn needs to hook into the ask-password mechanism of systemd, to be able to retrieve the password from the shell that calls systemadm start ...
Comment 3 Kay Sievers 2011-03-19 05:33:02 UTC
*** Bug 680958 has been marked as a duplicate of this bug. ***
Comment 4 Kay Sievers 2011-03-19 19:57:40 UTC
*** Bug 681074 has been marked as a duplicate of this bug. ***
Comment 5 Kay Sievers 2011-03-20 14:17:27 UTC
*** Bug 681074 has been marked as a duplicate of this bug. ***
Comment 6 Kay Sievers 2011-05-31 14:18:41 UTC
Please remove X-Interactive. Openvpn needs proper async password
integration instead of waiting on the console.

Until someone provides the password integration -- Debian people
planned to look into that -- passwords queried at service startup
are not supported by systemd bootups.
Comment 7 Marius Tomaschewski 2011-05-31 19:42:56 UTC
Removing X-Interactive seems to be a bad idea. See insserv(8).

Revert systemd changes to handle LSB services correctly again.
Comment 8 Kay Sievers 2011-05-31 20:35:36 UTC
Unlike SYSV/insserv, interactive init scripts are not supported.

There is nothing to revert. Or to go back to something that was ever
working. It can't work this way with systemd. There was the idea
to support X-Interactive, but it doesn't, and it is not planned.
I could only patch out the X-Interactive wait-for-the-console
logic in systemd.

Please close the bug if you refuse to keep track of it. Nobody expects
you to fix it, it will probably just flow in from upstream or Debian
some day.

It's nothing we can fix in systemd. Services are completely disconnected
from consoles, ttys, login-shells. This can only be fixed in openvpn, so
it should stick with the openvpn package.
Comment 9 Klaus Kämpf 2011-06-01 06:29:24 UTC
(In reply to comment #8)
> Unlike SYSV/insserv, interactive init scripts are not supported.
[...]
> It's nothing we can fix in systemd. Services are completely disconnected
> from consoles, ttys, login-shells. This can only be fixed in openvpn, so
> it should stick with the openvpn package.

Kay, can you point us to documentation/examples on how stuff like openvpn, crypto partitions, etc. are supposed to work with systemd then?
Comment 10 Andreas Jaeger 2011-06-07 12:14:38 UTC
AFAIK crypto partitions are already supported.
Comment 11 Klaus Kämpf 2011-06-07 13:30:24 UTC
(In reply to comment #10)
> AFAIK crypto partitions are already supported.

Oh, great, but how, if in systemd "Services are completely disconnected from consoles, ttys, login-shells."?

A pointer to documentation would be nice.
Comment 12 Kay Sievers 2011-06-07 14:05:52 UTC
Luks/device-mapper crypto stuff is supported natively by systemd.

Apache has a nice infrastructure to call a binary to ask for the
password, which makes it simple:
  https://bugzilla.redhat.com/show_bug.cgi?id=707917#c3

OpenVPN seems, compared to Apache, to require the more complicated
"plugins" which need to be written. I don't think anybody really
looked into it so far. Guys from Debian planned to do it, but I
did not hear any update.

The password agents in general are described here:
 http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
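The password-agent mechanism referred to above, shown as an added example that is not part of this bug report and not code from openvpn or systemd: a minimal agent that reads one ask.* request file, checks that the request is still live, and answers over the asker's AF_UNIX datagram socket. The file layout ([Ask] section with PID=, Socket=, Message=, Echo=, NotAfter=) follows the PasswordAgents page linked above; the reply framing (a '+' followed by the password and a NUL, or a lone '-' to cancel) is my recollection of the protocol and is labelled as an assumption in the code. All function names are mine, and the ask file written by demo_roundtrip is constructed for the demonstration. The liveness check matters for a defender: an agent must not answer a request whose asking process is gone or whose NotAfter deadline has passed, or it hands a secret to nobody or to a late-bound socket.

```python
import configparser
import os
import shutil
import socket
import tempfile
import time

# Directory in which systemd (and systemd-ask-password) drops one ask.* file
# per outstanding password request; a real agent watches it with inotify.
ASK_DIR = "/run/systemd/ask-password"


def parse_ask_file(path):
    """Read the [Ask] section of an ask.* request file into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    ask = cp["Ask"]
    return {
        "pid": int(ask.get("PID", "0")),              # process waiting for the answer
        "socket": ask["Socket"],                      # AF_UNIX datagram socket to reply on
        "message": ask.get("Message", ""),            # prompt text to show the user
        "echo": ask.get("Echo", "0") == "1",          # 1 = input is not secret, may be echoed
        "not_after": int(ask.get("NotAfter", "0")),   # CLOCK_MONOTONIC deadline in usec, 0 = none
    }


def request_is_live(req, now_usec=None):
    """Ignore stale requests: the asker must still exist and the deadline must not have passed."""
    if req["pid"] > 0:
        try:
            os.kill(req["pid"], 0)       # signal 0 only probes for existence
        except ProcessLookupError:
            return False
        except PermissionError:
            pass                         # exists, but owned by another user
    if req["not_after"]:
        if now_usec is None:
            now_usec = int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)
        if now_usec > req["not_after"]:
            return False
    return True


def build_reply(password):
    """Assumed wire format: b'+' + password + NUL to answer, a lone b'-' to cancel."""
    if password is None:
        return b"-"
    return b"+" + password.encode() + b"\0"


def decode_reply(packet):
    """The asking side's view of the same datagram."""
    if packet[:1] == b"-":
        return None
    if packet[:1] != b"+":
        raise ValueError("malformed password reply")
    return packet[1:].rstrip(b"\0").decode()


def send_reply(socket_path, packet):
    """Deliver the answer; the socket is created by the asker and is normally root-only."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(packet, socket_path)


def demo_roundtrip(password):
    """Constructed end-to-end exchange in a temp dir: a fake asker binds the
    reply socket and writes an ask file, then the agent code answers it."""
    tmp = tempfile.mkdtemp(prefix="askdemo-")
    asker = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock_path = os.path.join(tmp, "sck")
        ask_path = os.path.join(tmp, "ask.demo")
        asker.bind(sock_path)
        with open(ask_path, "w") as f:            # constructed request, same keys as systemd writes
            f.write("[Ask]\nPID=%d\nSocket=%s\nMessage=Enter passphrase for client.key:\n"
                    "Echo=0\nNotAfter=0\n" % (os.getpid(), sock_path))
        req = parse_ask_file(ask_path)
        if not request_is_live(req):
            return req["message"], None
        send_reply(req["socket"], build_reply(password))
        packet, _ = asker.recvfrom(4096)
        return req["message"], decode_reply(packet)
    finally:
        asker.close()
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo_roundtrip("hunter2"))
```

A real agent would iterate over ASK_DIR, prompt the user with req["message"] (hiding input unless req["echo"] is set), and run as root, since only root may write to the asker's socket; this is the piece openvpn is missing in the thread above, where the daemon would have to be the asker rather than reading the tty.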
Comment 13 Frederic Crozat 2011-07-08 17:59:23 UTC
Test packages available for both systemd and openvpn in home:fcrozat:systemd

openvpn should ask for password in both systemd and sysvinit boots.

user/pass query isn't optimal, due to the way systemd is parallelizing the request. Not sure we can do anything.
Comment 14 Jiri Slaby 2011-07-09 08:22:34 UTC
(In reply to comment #13)
> test packages available for both systemd and openvpn in home:fcrozat:systemd

For me the fix is actually this line:
-# X-Interactive:                true

Because I have openvpn built with the option to suck the passwd from a file. And this is exactly what I had to remove from the init script to make it work.
Comment 15 Marius Tomaschewski 2011-07-11 14:56:58 UTC
(In reply to comment #13)
> test packages available for both systemd and openvpn in home:fcrozat:systemd
> 
> openvpn should ask for password in both systemd and sysvinit boots.
> 
> user/pass query isn't optimal, due to the way systemd is parallelizing the
> request. Not sure we can do anything .

Thanks!
I'll look into this issue and review / test your patch when I'm back in August.

(In reply to comment #14)
> (In reply to comment #13)
> > test packages available for both systemd and openvpn in home:fcrozat:systemd
> 
> For me the fix is actually this line:
> -# X-Interactive:                true
> 
> Because I have openvpn built with option to suck passwd from file. And this is
> exactly what I had to remove from init script to make it working.

For the moment, I've removed it. Further, I've also enabled the option to
allow storing the passwd in a file.

=> https://build.opensuse.org/request/show/76057
Comment 16 Marius Tomaschewski 2011-07-11 15:02:23 UTC
(In reply to comment #13)

BTW: I haven't tested yet, so I don't know if the patch catches it or not...
I expect there may be a little bit more work to do than the patch does:
Think of pwd protected key/p12 file: "pkcs12 client.p12".
You have 3 prompts for each config in this case: user, pwd, encrypted key.
Comment 17 Frederic Crozat 2011-08-02 08:34:18 UTC
It "should" work since the patch is plugging itself in at the console query level (it doesn't care about what is being queried). But I didn't test this setting.
Comment 18 Andreas Jaeger 2011-08-19 12:54:54 UTC
Frederic, can you test this, please?
Comment 19 Frederic Crozat 2011-08-19 13:08:22 UTC
Marius, could you give me a way / howto to create such a setup?
Comment 20 Frederic Crozat 2011-08-24 16:53:08 UTC
In the meantime, I've submitted the current work to network:vpn (sr 79685)
Comment 21 Bernhard Wiedemann 2011-08-29 16:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (675406) was mentioned in
https://build.opensuse.org/request/show/80095 Factory / openvpn
Comment 22 Bernhard Wiedemann 2011-08-29 19:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (675406) was mentioned in
https://build.opensuse.org/request/show/80109 Factory / openvpn
https://build.opensuse.org/request/show/80110 Factory / openvpn
Comment 23 Marius Tomaschewski 2011-08-29 19:58:38 UTC
Fixed.