From patchwork Tue Feb 17 16:23:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4772 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7001:ab03:b0:838:aef6:1aff with SMTP id xi3csp654452mab; Tue, 17 Feb 2026 08:23:31 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCV3QdBstW3SIBZrODO/LUqD4y5b4ugfKWdKrtCg8mz0EEhrKGgepLSHgiYevgkxqT/sKE98WViE4Do=@openvpn.net X-Received: by 2002:a05:6870:9d81:b0:409:8ccb:bc12 with SMTP id 586e51a60fabf-40f0d54703fmr6379927fac.10.1771345411647; Tue, 17 Feb 2026 08:23:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1771345411; cv=none; d=google.com; s=arc-20240605; b=WIy8QtWC/gigbbwzYoUaf2bZ8C+Gb7GOFuZ9aLl7ZKOSfBRV+SQcnK1xOpF/H4XPtc Kb2UaEZmcPEMpN6vfpcY54oGb+wyfWN51h0j1OT6MEndXVcSCLJJFiE7I6X0kRzyLFQg f/S0PXsZL4/6Hg/caOi69xocRFLzySO3ltO6M/o102iWEM6eki7D0m3/loQJV/OEbQBH 6gMVsKeg2OUX43eHPyS0QbEpNOFEdtjUTKkZzIZipKxnBj/nlD7/b3OMaQqvWEjnvxRv ljvaxCQWln0VLKeJgw8KQdsFOuTWHgOYicY8+sMXVwruv6GpLvtzIsyESeILSMFU4m/L mBzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=kHbS8IDs2ORmcUPBhTlOne/SmI0eeqiUtCBncCfuy8k=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=kotuQFJHpRwxlwShzeYvUD6roCI+0RkC+ufJ9xmKGoTje+QaWHVzxSNRcwLsK9YP3f oIS9CfoKYDm7svFm1en2Hz3Eb4Nspnn2+Y/NdtL0HZ0ebux1oF+S603QdVDSzXJvn2tx IEKsUoOK0d+OBXsXYgPLpV+Nr5IFOk8+0ESn7SFVG2WjroRIeAUPTdaMg5TzzX01jEb5 edaeU0q/PTC09MgHEThGWlIOqlxMk/GScjlWT1Ka0sHb/0VYYyaFunzu/BKq9JM+Vxoz NWmAtMLfM75UBUXKV/83ZjDFFO9CRD29Xs8YSUzb/OYLO/Q9AT+VDgH/U7VwfaPYgSlP LLUQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=A1Vxz+G9; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=eN1vhYPJ; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=hzxH3Q6A; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-40f06e8adaesi8690051fac.104.2026.02.17.08.23.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Feb 2026 08:23:31 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=A1Vxz+G9; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=eN1vhYPJ; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=hzxH3Q6A; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=kHbS8IDs2ORmcUPBhTlOne/SmI0eeqiUtCBncCfuy8k=; b=A1Vxz+G9YMJ8K6rVJOvXKfi6EA 5/+yXeSvfu1YOk8LNJRUJTw6RlLvG6dDpLKmP/DpHCo4G/mW2fmJN/u8/KnUVKVRzjJ41bXyPC+F+ ppGc4C4Qo8Ln4xQESjhY26Oo6Q6NUU4XvRxkFm1mYhTt12ZNoNWy4NuCGPYgsnzwJv9U=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1vsNrC-0004Xq-EQ; Tue, 17 Feb 2026 16:23:26 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1vsNrB-0004Xi-4b for openvpn-devel@lists.sourceforge.net; Tue, 17 Feb 2026 16:23:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=zNOPnGX/i8KCFcyoES2SJzJUsylYzka/ZSBJXdoMcU8=; b=eN1vhYPJsnAkX4A2dz0EtGsBHq 4Q13Wt7lj1WY6oxdQrK2QdoELNiXAimUYCKLbd3z5fJUAlye3dfuBHAdZrc93lc+i36UDtkPejFoA 4b3UHaV4es8VR+f2gLF0QQ2SaCGusSpbza/5i0cGliJCyLF1XTPrc91i6LyMyJLvzSH4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=zNOPnGX/i8KCFcyoES2SJzJUsylYzka/ZSBJXdoMcU8=; b=hzxH3Q6A01dix1ABIo7XN96wGF vzqISK+3CDl6xKfLyoUAcjG31L5IM5v7O+AfOKP3s2uXbwVzAivUuAvqm14F+mpuY/xKEKkdFWV9K svGDYclWXZgheolMCV1oFQxC1yWuot1vKR538hPsTe5ynmVgSjhpu46S9FNb1M/ztMh0=; Received: from [193.149.48.129] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1vsNr9-0004T4-QQ for openvpn-devel@lists.sourceforge.net; Tue, 17 Feb 2026 16:23:25 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 61HGNBS6026723 for ; Tue, 17 Feb 2026 17:23:11 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 61HGNBTV026722 for openvpn-devel@lists.sourceforge.net; Tue, 17 Feb 2026 17:23:11 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Tue, 17 Feb 2026 17:23:05 +0100 Message-ID: <20260217162311.26702-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Frank Lichtenheld There were some complaints about valid setups that ran into problems with LimitNPROC. This is especially true since LimitNPROC limits the total amounts of threads running for the same uid, so if multi [...] Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1vsNr9-0004T4-QQ Subject: [Openvpn-devel] [PATCH v1] systemd: Change LimitNPROC to TasksMax X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1857390286379640943?= X-GMAIL-MSGID: =?utf-8?q?1857390286379640943?= From: Frank Lichtenheld There were some complaints about valid setups that ran into problems with LimitNPROC. This is especially true since LimitNPROC limits the total amounts of threads running for the same uid, so if multiple openvpn services run under the same user, they will compete for resources. As suggested in the systemd documentation change this to TasksMax which really counts the threads running in one specific service. Github: Fixes #929 Change-Id: Ic877f9a9c6459c6eb97cde1099f47f0b196b8084 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in index 326bb73..e311978 100644 --- a/distro/systemd/openvpn-client@.service.in +++ b/distro/systemd/openvpn-client@.service.in @@ -12,7 +12,7 @@ WorkingDirectory=/etc/openvpn/client ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE -LimitNPROC=10 +TasksMax=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index d43bce1..e3e9895 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -12,7 +12,7 @@ WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE CAP_AUDIT_WRITE -LimitNPROC=10 +TasksMax=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true