You are not logged in.
Pages: 1
Hi,
when I want to start openvpn via systemd, it fails.
As the config file in /etc/openvpn is called netctrl.conf, I tried to start the service as follows, but it instantly brings up an error:
# systemctl status openvpn@netctrl.service
Job for openvpn@netctrl.service failed. See 'systemctl status openvpn@netctrl.service' and 'journalctl' for details.
The log shows:
# journalctl
[...]
Oct 11 00:25:37 PHIL_T420 systemd[1]: Starting OpenVPN connection to netctrl...
Oct 11 00:25:37 PHIL_T420 openvpn[1270]: Enter Private Key Password:
Oct 11 00:25:37 PHIL_T420 systemd[1]: openvpn@netctrl.service: control process exited, code=exited status
Oct 11 00:25:37 PHIL_T420 systemd[1]: Failed to start OpenVPN connection to netctrl.
Oct 11 00:25:37 PHIL_T420 systemd[1]: Unit openvpn@netctrl.service entered failed state.
So I guess that I need to make openvpn to ask me for the password instead of just dumping that into the journal.
But how to do so?
Bye the way, starting openvpn with the old initscript method, so
# rc.d start openvpn
works perfectly fine.
best regards,
Philipp
Last edited by phi-mah (2012-10-10 23:57:00)
Offline
why don't you set private key in /etc/openvpn/netctrl.conf ?
Linux, Vim, Ruby, Javascript and Go.
Offline
Systemd services cannot ask for passwords on the command line, and in fact they shouldn't.
Instead, I'd try to use the openvpn management interface and use --management-query-passwords. Or find out how systemd-ask-password works with this.
Offline
Ok, it took me some but now, as users are pushed more and more towards the systemd direction, I ended up with the following service file:
cat /etc/systemd/system/openvpn\@.service
[Unit]
Description=OpenVPN connection to %i
After=network.target
[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf --daemon openvpn@%i --cd /etc/openvpn
ExecStartPost=/usr/bin/expect /etc/systemd/system/telnet_pw.exp
[Install]
WantedBy=multi-user.target
cat /etc/systemd/system/telnet_pw.exp
#!/usr/bin/expect
set pass [exec /usr/bin/systemd-ask-password "Please insert Private Key password: "]
spawn telnet 127.0.0.1 5559
expect ">PASSWORD:Need 'Private Key' password"
send "password 'Private Key' $pass\r"
expect "SUCCESS: 'Private Key' password entered, but not yet verified"
send "exit\r"
expect eof
As suggested by brain0, I used systemd-ask-password and the management console of openvpn together with the expect utility to pass the private key from the command line to openvpn.
Maybe someone is interested in the solution or want to comment on this.
Nevertheless, it was way more complicated for me than the outdated initscipt method, which supports things like that right out of the box. Shouldn't there be an official solution for such problems?
Last edited by phi-mah (2012-11-06 23:28:46)
Offline
This is interesting, but I had hoped it was easier.
The official solution for these problem, from systemd's side, is systemd-ask-password - it supports multiple password agents, so it is possible to provide a password when a service is launched in the background while you are logged into your desktop (GNOME for example will launch a password dialog).
I wonder if we could turn this into a general solution for the openvpn package, so password querying would work ootb again.
Offline
@brian0 or phi-mah: can you update with exactly how one uses systemd-ask-password? I've searched in vain for concrete examples of how to use it and come up with nothing except for people saying to use it. I'm trying to use the Arch wiki guide for truecrypt volumes with a service. I don't like providing my password in a command, so I want it to prompt (at boot, after when I start the service... I don't really care). I haven't been able to do so.
My best guess was to append `systemd-ask-password` after my truecrypt command:
truecrypt -t ... commands/options ... && systemd-ask-password
As you might figure that did absolutely nothing. How does one use the ask-password command in conjunction with a service? Thanks!
Offline
systemd-ask-password returns the password to standard output. The best way to do this is to have truecrypt call it and use that password - but I don't know if truecrypt has such a function (it was overly complicated with openvpn, too). I have not seen any examples either.
Offline
Yeah, I have no idea how to make truecrypt "call" another binary/script? I'm playing around with seeing if starting systemd-ask-password-console.service will handle it when truecrypt asks, but now I'm having issues my truecrypt command to play nicely...
Offline
Maybe you could go for something like this:
ExecStart=/bin/sh -c "truecrypt -t .... ... -p `systemd-ask-pasword Please\ enter\ password:`"
From my point of view, you would need the preceding /bin/sh -c "" in order to make use of the command substitution.
Offline
@phi-mah: tried that and no success. One issue I'm having is that I pass -k "" for no keyfile and when I pull up the status, it's not showing the empty string but simply a space.
Here is the command I'm trying:
ExecStart=/bin/sh -c "/usr/bin/truecrypt -t --protect-hidden=no -k "" --filesystem=none --slot=1 -p `systemd-ask-password "Please enter password for truecrypt volume"` /dev/sda4"
Then I run:
$ sudo systemctl start truecrypt-vault.service
I then immediately get a command line prompt again (no messages, no pause, no prompt). If I check the status:
$ sudo systemctl status truecrypt-vault.service
truecrypt-vault.service - Truecrypt Setup for
Loaded: loaded (/etc/systemd/system/truecrypt-vault.service; disabled)
Active: failed (Result: exit-code) since Thu, 2012-11-08 17:05:55 CST; 2min 24s ago
Process: 8541 ExecStop=/usr/bin/truecrypt --filesystem=none -d /dev/sda4 (code=exited, status=1/FAILURE)
Process: 8514 ExecStart=/bin/sh -c /usr/bin/truecrypt -t --protect-hidden=no -k --filesystem=none --slot=1 -p `systemd-ask-password Please enter password for truecrypt volume"` /dev/sda4" (code=exited, status=1/FAILURE)
CGroup: name=systemd:/system/truecrypt-vault.service
Nov 08 17:05:17 bigBang systemd[1]: Starting Truecrypt Setup for ...
Nov 08 17:05:17 bigBang systemd[1]: Started Truecrypt Setup for .
Nov 08 17:05:17 bigBang systemd[1]: truecrypt-vault.service: main process exited, code=exited, status=1/FAILURE
Nov 08 17:05:55 bigBang systemd[1]: Stopping Truecrypt Setup for ...
Nov 08 17:05:55 bigBang systemd[1]: Stopped Truecrypt Setup for .
Nov 08 17:05:55 bigBang systemd[1]: Unit truecrypt-vault.service entered failed state
Does that help at all? Any other way to get more detailed results about the failure? I should probably start a new thread. Sorry to derail and mooch off of this; it was just so similar...
Offline
ok, I only can state that
ExecStart=/bin/sh -c "echo `systemd-ask-password Please\ insert\ here` > /home/phimah/test.log"
gave me a promt and the "password" I was asked for could be found in the test.log file later on. Therefore I hoped it would work in your case as well. Maybe there is just something wrong with your quotation (double usage of "" looks somehow strange) , so I would try one of the following possibilities:
ExecStart=/bin/sh -c '/usr/bin/truecrypt -t --protect-hidden=no -k "" --filesystem=none --slot=1 -p `systemd-ask-password "Please enter password for truecrypt volume"` /dev/sda4'
ExecStart=/bin/sh -c "/usr/bin/truecrypt -t --protect-hidden=no -k '' --filesystem=none --slot=1 -p `systemd-ask-password 'Please enter password for truecrypt volume'` /dev/sda4"
But this is more a guess, I am neither an expert on systemd, nor on truecrypt or proper quotation....
Last edited by phi-mah (2012-11-08 23:53:56)
Offline
Totally stumped:
$ cat /usr/lib/systemd/system/test.service
[Unit]
Description=Truecrypt Setup for vault
DefaultDependencies=no
Conflicts=umount.target
Before=umount.target
#After=systemd-readahead-collect.service systemd-readahead-replay.service
[Service]
RemainAfterExit=yes
StandardInput=tty-force
ExecStart=/bin/sh -c "echo `systemd-ask-password Enter\ password` > /home/jwhendy/test.log"
#ExecStop=/usr/bin/truecrypt --filesystem=none -d /dev/sda4
[Install]
WantedBy=cryptsetup.target
I get nothing when I run it. With a status check, I get:
$ sudo systemctl status test.service
test.service - Truecrypt Setup for vault
Loaded: loaded (/usr/lib/systemd/system/test.service; disabled)
Active: active (exited) (Result: exit-code) since Thu, 2012-11-08 17:59:47 CST; 16s ago
Main PID: 10153 (code=exited, status=1/FAILURE)
CGroup: name=systemd:/system/test.service
Nov 08 17:59:47 bigBang systemd[1]: Starting Truecrypt Setup for vault...
Nov 08 17:59:47 bigBang systemd[1]: Started Truecrypt Setup for vault.
Nov 08 17:59:56 bigBang systemd[1]: test.service: main process exited, code=exited, status=1/FAILURE
Nov 08 17:59:57 bigBang systemd[1]: Started Truecrypt Setup for vault.
Stupid question... are you starting this from the terminal, or only at boot? I'm troubleshooting by starting this in a terminal from openbox. Should that work, or not? Just wanted to make sure I don't need to be testing this at boot every time. Thanks for persisting.
Offline
Just misused my openvpn@ service file for testing:
cat /etc/systemd/system/openvpn\@.service
[Unit]
Description=OpenVPN connection to %i
After=network.target
[Service]
Type=forking
#ExecStart=/usr/sbin/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf --daemon openvpn@%i --cd /etc/openvpn
#ExecStartPost=/usr/bin/expect /etc/systemd/system/telnet_pw.exp
ExecStart=/bin/sh -c 'echo `systemd-ask-password "Please insert password here"` > /home/phimah/test.log'
[Install]
WantedBy=multi-user.target
Starting it from a normal terminal (never tried it at boot) works as described above.
Offline
Playing line by line, I've narrowed things down to these lines:
StandardInput=tty-force
Yours doesn't have it, and removing it allows it to work. Also,
Type=forking
Doesn't play well with
RemainAfterExit=yes
I changed the type to oneshot after reading the type definitions. I think the tty-input is trying to get intput outside of X. I've noticed that when I start this service, my alt+left arrow, which I usually use in browsers to go back a page suddenly causes my monitor to turn black, flicker to the main tty, and then back to my X desktop. I think the service is trying to access tty (as in the tty available at boot prior to startx) and causing something weird to happen.
SUCCESS! (After figuring this out, I played around a bit with my original and got this working):
This is what finally worked for me:
[Unit]
Description=Truecrypt Setup for vault
DefaultDependencies=no
Conflicts=umount.target
Before=umount.target
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c '/usr/bin/truecrypt -t --protect-hidden=no -k "" --filesystem=none --slot=1 -p `systemd-ask-password "Enter password for truecrypt volume: "` /dev/sda4'
ExecStop=/usr/bin/truecrypt --filesystem=none -d /dev/sda4
[Install]
WantedBy=multi-user.target
Now, I'll probably play with WantedBy (the Arch wiki suggests cryptsetup.target) and After (this was just a leftover from phi-mah's script), but it's working! Both start and stop are doing what they should from what I can tell. One key is that all of the command line options for truecrypt need to be specified. One hang up was that I'd removed the `-k ""` line because I thought the quotations were messing me up. When starting the service, it failed. Then I manually copied the ExecStart line to the command line and ran it by hand. It asked for the password and then truecrypt asked for a keyfile. I hit enter for the default of "none" and it worked. I added -k "" back to the options and the service worked great.
Still have to try enabling and testing at boot, but I'm hoping I have something!
If it works, I'll add it to the wiki, as the wiki versions aren't working for me at all for some reason.
Thanks sooooo much for the assistance. While not a huge pain to mount manually, it's definitely been a frustration. This is a shared truecrypt partition for Windows/Linux dual boot and I keep a lot of configs in there for Emacs, org-mode, R, etc... so I often forget it's not mounted until something complains about not having any of it's files at which point I remember.
Offline
Hmmm. Not working at boot. I wonder if Input=tty-force works for boot and not having it works from a terminal?
Offline
For openvpn, the next major release will be interesting: http://openvpn.git.sourceforge.net/git/ … c9f087080f
Offline
As the config file in /etc/openvpn is called netctrl.conf, I tried to start the service as follows, but it instantly brings up an error:
# systemctl status openvpn@netctrl.service Job for openvpn@netctrl.service failed. See 'systemctl status openvpn@netctrl.service' and 'journalctl' for details.
The log shows:
# journalctl [...] Oct 11 00:25:37 PHIL_T420 systemd[1]: Starting OpenVPN connection to netctrl... Oct 11 00:25:37 PHIL_T420 openvpn[1270]: Enter Private Key Password: Oct 11 00:25:37 PHIL_T420 systemd[1]: openvpn@netctrl.service: control process exited, code=exited status Oct 11 00:25:37 PHIL_T420 systemd[1]: Failed to start OpenVPN connection to netctrl. Oct 11 00:25:37 PHIL_T420 systemd[1]: Unit openvpn@netctrl.service entered failed state.
So I guess that I need to make openvpn to ask me for the password instead of just dumping that into the journal.
OpenVPN 2.3.0 is now in testing. It should "just work" now.
Offline
Pages: 1