My OpenVPN server is unable to execute a Python script configured as --learn-address when the daemon is launched as a systemd service. It works fine when launched manually as root. I found that it also works as a systemd service if I comment out the following line in /etc/systemd/system/[email protected]:
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
So, I guess my problem is related to a missing capability. How can I debug that to find out what's missing? The OpenVPN log just says: WARNING: Failed running command (--learn-address): external program exited with error status: 1
I find nothing related to this in the syslog either.
The learn-address script is used to apply custom firewall rules based on who is connecting. The script does group membership lookups (using the /usr/bin/id command) and adds rules/chains with the iptables command (with sudo). After further debugging, I think it may fail when trying to call iptables. The command exits with code 3.
It already worked for a while; I wonder if it stopped working after a system update.
Probably not a simple solution, but it can help: replace your command so that it starts with an strace that launches your command, and then examine the log to find out what system call is failing. Then, reading the docs for that system call, guess what capability is missing. Example command:
strace -f -o /your/logfile your-command your-parameters
Maybe even try the option -e status=failed.