systemd-graceful-cleanup.conf
#
# This is a systemd drop-in, intended to land on openvpn-server@.service as
# shipped by reasonably recent (2.5+) openvpn packages.
#
# openvpn's .service file sets KillMode=process by default:
# https://github.com/OpenVPN/openvpn/commit/29446a18e1f2b52d20f359253b085e96fe458367
#
# This means systemd kills the openvpn process itself but not its children.
# openvpn can shut down quickly, but the forked cleanup jobs
# (openvpn-netfilter / learn-address / delete) need a little time to finish
# their work as part of the whole service shutting down.
#
# On shutdown, the openvpn-netfilter cleanup removes its iptables/nftables rules.
# So, for starters, don't tear down nftables before openvpn has finished shutting down.
#
[Unit]
#
# Here we order the vpn after nftables on bringup. systemd stops units in the
# reverse of their start order, so this makes openvpn go down before nftables
# on shutdown.
#
After=nftables.service
#
# Even that ordering needs a little more. systemd will declare openvpn down
# as soon as the openvpn process is down (and move on to the next things to
# shut down), but it doesn't know that the forked openvpn-netfilter cleanup
# tasks are still pending. If we can't do 'event-driven' waiting for those,
# we have to use a time delay and hope they finish up.
#
# When these tasks run out of order (nftables goes down before the vpn), we get
# a traceback. With iptables it didn't happen: the operation is "delete this
# chain, and it's okay if it's not there", but with nftables we have to look
# the chain up first, and if nftables has already shut down and taken the chain
# away, that lookup fails and we complain, because a lookup shouldn't fail.
# It's not terrible, but it's not good, and we don't want that failure to be
# acceptable in the normal-running case, so there's no code change we want to
# make: we WANT a traceback if a lookup fails during normal operation. But for
# shutdown, let's pause and let the cleanup (hopefully) happen.
#
# We don't need a lot of time, just enough to win the race most of the time.
# So we add a few seconds at shutdown, giving the cleanup jobs a window to run
# before nftables takes everything away.
#
[Service]
#
# ExecStopPost= runs after openvpn's main process has exited, and systemd keeps
# the unit in its stopping state until it returns; that is what holds back the
# stop of nftables.service. The sleep counts toward TimeoutStopSec (90s by
# default), so keep it well under that.
#
ExecStopPost=/bin/sleep 5
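The shell below is an added example, not part of this repository's file: it installs the drop-in, checks that the merged unit carries the ordering, KillMode and ExecStopPost the drop-in relies on, and simulates the shutdown race without systemd, so the effect of the delay can be seen on any machine. Assumptions: the drop-in directory /etc/systemd/system/openvpn-server@.service.d, an openvpn instance named "server", and a 1-second sleep standing in for the forked cleanup helper.

```shell
#!/bin/sh
# Added example (not the repository's own code). Assumptions: drop-in dir,
# instance name "server", and a 1-second sleep as the stand-in cleanup helper.

DROPIN_DIR=/etc/systemd/system/openvpn-server@.service.d
DROPIN_NAME=systemd-graceful-cleanup.conf

dropin_path() {
    printf '%s/%s\n' "$DROPIN_DIR" "$DROPIN_NAME"
}

# Copy the drop-in into place and make systemd reread unit files (needs root).
install_dropin() {
    src=${1:-$DROPIN_NAME}
    mkdir -p "$DROPIN_DIR"
    install -m 0644 "$src" "$(dropin_path)"
    systemctl daemon-reload
}

# Confirm the merged unit has what the drop-in relies on: nftables.service in
# After=, KillMode=process from the packaged unit, and the ExecStopPost sleep.
verify_dropin() {
    unit="openvpn-server@${1:-server}.service"
    systemctl show "$unit" -p After -p KillMode -p ExecStopPost
    systemctl show "$unit" -p After | grep -q 'nftables\.service' || return 1
    systemctl show "$unit" -p KillMode | grep -qx 'KillMode=process' || return 1
    systemctl show "$unit" -p ExecStopPost | grep -q 'sleep' || return 1
}

# Simulate the shutdown race without systemd. $1 is the ExecStopPost delay in
# seconds. Returns 0 if the cleanup helper finished before "nftables" was torn
# down, 1 if it lost the race.
simulate_stop() {
    delay=$1
    work=$(mktemp -d)
    # "openvpn": fork a cleanup helper (stand-in for the openvpn-netfilter
    # delete step) that needs a second to remove its chain, then keep running.
    ( ( sleep 1; : > "$work/chain-deleted" ) & exec sleep 30 ) &
    main=$!
    # KillMode=process: only the main PID is signalled; the helper survives.
    kill "$main"
    wait "$main" 2>/dev/null || true
    # ExecStopPost=/bin/sleep N keeps the unit in its stopping state N seconds.
    sleep "$delay"
    # Next in reverse start order, nftables.service flushes the ruleset.
    # Was the chain already gone by then?
    if [ -f "$work/chain-deleted" ]; then rc=0; else rc=1; fi
    # Let the stray helper finish before discarding its scratch space.
    while [ ! -f "$work/chain-deleted" ]; do sleep 1; done
    rm -rf "$work"
    return "$rc"
}

case "${1:-}" in
    install) install_dropin "${2:-}" && verify_dropin "${3:-server}" ;;
    demo)
        if simulate_stop 0; then echo "no delay: cleanup won anyway"
        else echo "no delay: cleanup lost the race (traceback territory)"; fi
        if simulate_stop 2; then echo "with delay: cleanup finished first"
        else echo "with delay: cleanup still lost"; fi
        ;;
    *) echo "usage: $0 install [conf] [instance] | demo" >&2 ;;
esac
```

Run `sh script.sh demo` to see the race lost with no delay and won with one; `sh script.sh install ./systemd-graceful-cleanup.conf server` as root installs the drop-in and prints the merged unit's After=, KillMode= and ExecStopPost= so you can confirm the ordering actually took effect before relying on it at shutdown.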