From patchwork Fri Mar 13 22:38:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4829 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:2755:b0:83c:d90d:321 with SMTP id j21csp1551749maq; Fri, 13 Mar 2026 15:38:51 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVfAFu82taNpNhhFxFIhmwjsK8qkL2CEBVK+e6edrDe+et60b2g1UQZgVq5NFjU8NyJRBnO5f+biEQ=@openvpn.net X-Received: by 2002:a05:6808:6d8a:b0:455:daf0:9998 with SMTP id 5614622812f47-467575af06dmr2456377b6e.41.1773441531364; Fri, 13 Mar 2026 15:38:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1773441531; cv=none; d=google.com; s=arc-20240605; b=b9jW6dMCMVSIRdZRjuMB1kuvlc6UtaytivBwJwBdxKw7HoDZVWXPqI52yOccUhBSNj /Xy2D9T6jm5PxugtsfM5C4VnEHwhtaptPeZic3knZZukYAZcY7l80ri4tp6Odv1MpuZL dyFcifItx+AG0lfwsgv7nu2pJkncevvPTHfqKAAJzouBZjg3D6a+3xQGmZzi1xcMKVD5 Qdg28klyCI6gkPhiQgdGfTlysqqfB/6T5/eY73t1mD+NmUzZsJTXVN7F/Q4byTN2RudS 13qwQBA6jjUX9/DH7egDRZZ36Vm73AOCh5uy/SyrGK2L5hNgbPAfo8mpWu/mmM8H3lWq RUxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=Kk8Q5O5y97s3jRLUOGmJuW5UFeyoF2XTvvaFsrUChiY=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=dSbTozoHvrMOZMuPE3uLepFFfRvvqXQiGc0crdTIcku55RyLDm0iO170IOMb/OYY5n Z5VJleUEp0mhh3y51sclfrAPzqZsthpRIIyLEKPFDDmGxDQaFvQ7r7BO0IPHDjqiNrTV 7JcEzXMWyBQss5CFcxhCAUjdSIsVdv6mTb8ceLtkwrPnASAg+Lx+F1F7Ou3QT3VMM0WO noDmfmpdzdOCu8ty/xq2zYhl1uVI7M3R8MVNUWrkZNPCzkT9sV/9x0zJow0jXCBh2mOC vBcG9dh8VJCW+QlMsV1HQPoJAA/KRZXR9EU14+5y1BNiOsa37myV2c4e/biXdYgPMC9p WZqQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b="He77ho/S"; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=UwEQ4S5f; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=fON1nwaT; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5614622812f47-46734488b5esi4832133b6e.138.2026.03.13.15.38.51 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Mar 2026 15:38:51 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b="He77ho/S"; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=UwEQ4S5f; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=fON1nwaT; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Kk8Q5O5y97s3jRLUOGmJuW5UFeyoF2XTvvaFsrUChiY=; b=He77ho/SolDU7svZa7o9XEQ2tC LylyjJzxYA35RIIQJ2vboDF2xdr+N83QLMYVLshGq19heKZO+b7O06Gv+p6UlHjbP397Ila/jULBT PQGQwC14KtsBYWpC1a0JEWdZQZtJWNa2pMGNMiMdTVQpJj+c93pjkQMjq7HFGkj2iBc0=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1w1B9d-0001YD-7R; Fri, 13 Mar 2026 22:38:49 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1w1B9b-0001Y7-J5 for openvpn-devel@lists.sourceforge.net; Fri, 13 Mar 2026 22:38:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=1p4ZWrRifrrnltGsd8JURLQ8/JqMD09M+WTNfX6buUI=; b=UwEQ4S5fD1MI5S7CLNfjvCrsdt JI9u60pwXUcnz1eFzl2+H0veRahYEp9sTXrMZ88yc0ce8Vqn/tPNQFhdhgKsgqIAA58MYlfcifnWy YU3GanQHKrm3SJ9ZrjEAxKSxviUhSKGPYjaOHAYUYjQqDKulqDoROAtDLrFwdkUR7ofI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=1p4ZWrRifrrnltGsd8JURLQ8/JqMD09M+WTNfX6buUI=; b=fON1nwaTbZlAhps5qHwQRnOuNr fd4/vV6hDln5qC/bxChnyP+lP7K7gUZ3lL1MILTv4ZVqmMR7Ebd4IxUM5JSjC1dii9yQ98NYdFKoL 12LuGb8Tu0r+v3bUDaQkQxY9pcjNDuLhkKLnp71xMSY3LUnl79JcwDfEUiMF8f0RXWqA=; Received: from [193.149.48.129] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1w1B9a-00017p-CW for openvpn-devel@lists.sourceforge.net; Fri, 13 Mar 2026 22:38:47 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 62DMcYx3003829 for ; Fri, 13 Mar 2026 23:38:34 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 62DMcYmn003828 for openvpn-devel@lists.sourceforge.net; Fri, 13 Mar 2026 23:38:34 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Fri, 13 Mar 2026 23:38:28 +0100 Message-ID: <20260313223833.3813-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.52.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Frank Lichtenheld There were some complaints about valid setups that ran into problems with LimitNPROC. This is especially true since LimitNPROC limits the total amounts of threads running for the same uid, so if multi [...] Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1w1B9a-00017p-CW Subject: [Openvpn-devel] [PATCH v2] systemd: Change LimitNPROC to TasksMax and increase limit X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1859588226798393499?= X-GMAIL-MSGID: =?utf-8?q?1859588226798393499?= From: Frank Lichtenheld There were some complaints about valid setups that ran into problems with LimitNPROC. This is especially true since LimitNPROC limits the total amounts of threads running for the same uid, so if multiple openvpn services run under the same user, they will compete for resources. As suggested in the systemd documentation change this to TasksMax which really counts the threads running in one specific service. Also increase the limit. When using e.g. resolvconf for DNS configuration the limit can be exhausted just due to the amount of nested shell scripts. Github: Fixes #929 Change-Id: Ic877f9a9c6459c6eb97cde1099f47f0b196b8084 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1539 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/distro/systemd/openvpn-client@.service.in b/distro/systemd/openvpn-client@.service.in index 326bb73..340603e 100644 --- a/distro/systemd/openvpn-client@.service.in +++ b/distro/systemd/openvpn-client@.service.in @@ -12,7 +12,7 @@ WorkingDirectory=/etc/openvpn/client ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE -LimitNPROC=10 +TasksMax=20 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index d43bce1..3462f33 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -12,7 +12,7 @@ WorkingDirectory=/etc/openvpn/server ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE CAP_AUDIT_WRITE -LimitNPROC=10 +TasksMax=20 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true