[Openvpn-devel] Add a remark on dropping privileges when --mlock is used

Message ID 1599689729-25906-1-git-send-email-selva.nair@gmail.com
State Accepted
Headers show
  • [Openvpn-devel] Add a remark on dropping privileges when --mlock is used
Related show

Commit Message

Selva Nair Sept. 9, 2020, 10:15 p.m.
From: Selva Nair <selva.nair@gmail.com>

trac #1059

Signed-off-by: Selva Nair <selva.nair@gmail.com>
 doc/man-sections/generic-options.rst | 7 +++++++
 1 file changed, 7 insertions(+)


Gert Doering Sept. 11, 2020, 9:55 a.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Additional documentation of possible consequences of --mlock + --user is 
good, and pointers to "what to do about it" are always useful :-)

Your patch has been applied to the master and release/2.5 branch.

I have not backported it to .8 format for 2.4 - I do not think it's
critically important enough to to so.

commit 5b815eb449314a43e2b73325948edea8a4cfb215 (master)
commit be68b361a9c95218c671ee86d25a29019bab7239 (release/2.5)
Author: Selva Nair
Date:   Wed Sep 9 18:15:29 2020 -0400

     Add a remark on dropping privileges when --mlock is used

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <1599689729-25906-1-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20937.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index a07fe7e..d5f0883 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -230,6 +230,13 @@  which mode OpenVPN is configured as.
   The downside of using ``--mlock`` is that it will reduce the amount of
   physical memory available to other applications.
+  The limit on how much memory can be locked and how that limit
+  is enforced are OS-dependent. On Linux the default limit that an
+  unprivileged process may lock (RLIMIT_MEMLOCK) is low, and if
+  privileges are dropped later, future memory allocations will very
+  likely fail. The limit can be increased using ulimit or systemd
+  directives depending on how OpenVPN is started.
 --nice n
   Change process priority after initialization (``n`` greater than 0 is
   lower priority, ``n`` less than zero is higher priority).