Message ID | 1599689729-25906-1-git-send-email-selva.nair@gmail.com |
---|---|
State | Accepted |
Series | [Openvpn-devel] Add a remark on dropping privileges when --mlock is used |
Acked-by: Gert Doering <gert@greenie.muc.de>

Additional documentation of possible consequences of --mlock + --user is good, and pointers to "what to do about it" are always useful :-)

Your patch has been applied to the master and release/2.5 branch.

I have not backported it to .8 format for 2.4 - I do not think it's critically important enough to do so.

commit 5b815eb449314a43e2b73325948edea8a4cfb215 (master)
commit be68b361a9c95218c671ee86d25a29019bab7239 (release/2.5)
Author: Selva Nair
Date: Wed Sep 9 18:15:29 2020 -0400

    Add a remark on dropping privileges when --mlock is used

    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1599689729-25906-1-git-send-email-selva.nair@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20937.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a07fe7e..d5f0883 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -230,6 +230,13 @@ which mode OpenVPN is configured as. The downside of using ``--mlock`` is that it will reduce the amount of physical memory available to other applications. + The limit on how much memory can be locked and how that limit + is enforced are OS-dependent. On Linux the default limit that an + unprivileged process may lock (RLIMIT_MEMLOCK) is low, and if + privileges are dropped later, future memory allocations will very + likely fail. The limit can be increased using ulimit or systemd + directives depending on how OpenVPN is started. + --nice n Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority).
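
Review bot: The last added sentence, "The limit can be increased using ulimit or systemd directives", leaves the reader to find the actual settings; naming them (`ulimit -l` in the shell that starts OpenVPN, `LimitMEMLOCK=` in the systemd unit) would make the pointer directly usable. The sentence before it says "if privileges are dropped later" without naming the options that do this, so a reference to ``--user`` and ``--group`` would tie the warning to the configuration a reader actually has. RLIMIT_MEMLOCK is also the only identifier in the hunk not set in ``literal`` markup, unlike ``--mlock`` in the context line above it.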