jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle OIDC-based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License
161 stars 25 forks

v1.16.0-rc.2: openvpn-auth-oauth2.service: Failed with result 'core-dump'. #172

Closed jkroepke closed 7 months ago

jkroepke commented 7 months ago

@jkroepke I was already trying that yesterday, while refactoring my installation script to incorporate the ownership changes. So I do expect my current setup to fail, but I no longer get any details why it's failing in the new setup. journalctl output:

Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: Started OpenVPN authenticator.
░░ Subject: A start job for unit openvpn-auth-oauth2.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit openvpn-auth-oauth2.service has finished successfully.
░░ 
░░ The job identifier is 871563.
Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStart= process belonging to unit openvpn-auth-oauth2.service has exited.
░░ 
░░ The process' exit code is 'dumped' and its exit status is 31.
Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Failed with result 'core-dump'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit openvpn-auth-oauth2.service has entered the 'failed' state with result 'core-dump'.

I have to add: I also did try to change from the /etc/sysconfig/openvpn-auth-oauth2 file to /etc/openvpn-auth-oauth2/config.yaml

config.yaml

-rw-r-----   1 root openvpn-auth-oauth2  851 Feb 14 11:25 config.yaml
log:
  format: console
  level: INFO
http:
  baseurl: "https://xx:9000"
  cert: "/etc/openvpn-auth-oauth2/fullchain.pem"
  key: "/etc/openvpn-auth-oauth2/privkey.pem"
  listen: ":9000"
  secret: "xx"
  tls: true
openvpn:
  addr: "unix:///run/openvpn/server.sock"
  password: "xx"
oauth2:
  issuer: "https://accounts.google.com"
  client:
    id: "xx"
    secret: "xx"
  validate:
    groups:
      - xx-admin
      - xx-developer
  refresh:
    enabled: true
    expires: 8h0m0s
    secret: "xx"
provider:
  google:
    admin-email: "xx"
    service-account-config: "file:///etc/openvpn-auth-oauth2/sa.json"

/etc/sysconfig/openvpn-auth-oauth2

# This file is sourced by the openvpn-auth-oauth2.service

# CONFIG_FILE is the path to the configuration file and used in the systemd service file only.
CONFIG_FILE=/etc/openvpn-auth-oauth2/config.yaml

Please let me know how I can see errors/misconfigurations in your component again

Originally posted by @Pionerd in https://github.com/jkroepke/openvpn-auth-oauth2/issues/168#issuecomment-1943585219

Pionerd commented 7 months ago

No issue when using the command line:

xx@xx:/etc/systemd/system$ sudo /usr/bin/openvpn-auth-oauth2 --config /etc/openvpn-auth-oauth2/config.yaml
time=2024-02-14T11:41:33.689Z level=INFO msg="discover oidc auto configuration with provider generic for issuer https://accounts.google.com"
# This is wrong, see https://github.com/jkroepke/openvpn-auth-oauth2/issues/173
time=2024-02-14T11:41:33.721Z level=INFO msg="start HTTPS server listener on :9000 with base url https://xx:9000"
time=2024-02-14T11:41:33.722Z level=INFO msg="connect to openvpn management interface unix:///run/openvpn/server.sock"
time=2024-02-14T11:41:33.729Z level=INFO msg="connection to OpenVPN management interface established."
time=2024-02-14T11:41:33.762Z level=INFO msg="OpenVPN Version: OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] - Management Version: 5"
time=2024-02-14T11:42:08.201Z level=INFO msg="new client connection" cid=0 kid=1 common_name=default reason=CONNECT username=""
time=2024-02-14T11:42:08.201Z level=INFO msg="start pending auth" cid=0 kid=1 common_name=default reason=CONNECT username=""

jkroepke commented 7 months ago

And journalctl -flu openvpn-auth-oauth2 and systemctl status openvpn-auth-oauth2 report nothing?

Are there files in ls -lah /var/crash/? If not, please post the output of cat /proc/sys/kernel/core_pattern to get the path.

Pionerd commented 7 months ago

root@xx:/etc/openvpn-auth-oauth2# journalctl -flu openvpn-auth-oauth2
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Scheduled restart job, restart counter is at 11670.
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: Stopped OpenVPN authenticator.
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: Started OpenVPN authenticator.
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Failed with result 'core-dump'.
Feb 14 13:54:21 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Scheduled restart job, restart counter is at 11671.
Feb 14 13:54:21 shared-hub-vpn-gateway systemd[1]: Stopped OpenVPN authenticator.
Feb 14 13:54:21 shared-hub-vpn-gateway systemd[1]: Started OpenVPN authenticator.
Feb 14 13:54:21 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
Feb 14 13:54:21 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Failed with result 'core-dump'.
root@xx:/etc/openvpn-auth-oauth2# systemctl status openvpn-auth-oauth2
● openvpn-auth-oauth2.service - OpenVPN authenticator
     Loaded: loaded (/lib/systemd/system/openvpn-auth-oauth2.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: core-dump) since Wed 2024-02-14 13:55:00 UTC; 1s ago
       Docs: https://github.com/jkroepke/openvpn-auth-oauth2
    Process: 252226 ExecStart=/usr/bin/openvpn-auth-oauth2 --config ${CONFIG_FILE} (code=dumped, signal=SYS)
   Main PID: 252226 (code=dumped, signal=SYS)
        CPU: 107ms

Feb 14 13:55:00 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
Feb 14 13:55:00 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Failed with result 'core-dump'

Yes, there is an unreadable file in ls -lah /var/crash/, do you want it? And if yes, where can I send it? I don't know if it contains information regarding my environment.

jkroepke commented 7 months ago

> I don't know if it contains information regarding my environment.

You may want to remove credentials from config.yml and sysconfig first, then you can send it to my mail address. You can find it on my GitHub profile @jkroepke

jkroepke commented 7 months ago

Also I expect, if you remove the lines

https://github.com/jkroepke/openvpn-auth-oauth2/blob/8c3b717dee1e8d80df727e875325eccb2a5d65b8/packaging/usr/lib/systemd/system/openvpn-auth-oauth2.service#L53-L55

from your systemd file, the service will start?

Pionerd commented 7 months ago

Correct, then it works. Including all locked down permissions, so overall I'm pretty happy with where we are going.

I sent the crash file to you by mail.
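
A triage sketch for the journal output quoted in this thread, added here as an example and not part of the issue or the project's code: it extracts the fatal signal and the restart counter per unit and attaches a hint. `status=31/SYS` is SIGSYS, which the kernel delivers when a seccomp filter rejects a system call; reading this crash as a `SystemCallFilter=` kill is an assumption, since the linked unit lines are not shown on the page.

```python
import re
from collections import Counter

# Journal lines in the format quoted in the thread (embedded so the example runs offline).
SAMPLE = """\
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Scheduled restart job, restart counter is at 11670.
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
Feb 14 13:54:16 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Failed with result 'core-dump'.
Feb 14 13:54:21 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Scheduled restart job, restart counter is at 11671.
Feb 14 13:54:21 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
"""

EXIT_RE = re.compile(r"systemd\[1\]: (?P<unit>\S+\.service): Main process exited, "
                     r"code=(?P<code>\w+), status=(?P<status>\d+)/(?P<name>\w+)")
RESTART_RE = re.compile(r"systemd\[1\]: (?P<unit>\S+\.service): Scheduled restart job, "
                        r"restart counter is at (?P<count>\d+)\.")

# Hints are this example's wording, not systemd output.
HINTS = {
    "SYS": "seccomp filter rejected a syscall; review SystemCallFilter= in the unit "
           "and look for a SECCOMP record in the kernel/audit log to get the syscall number",
}

def triage(journal_text):
    """Return {unit: {"signals": Counter, "restarts": int}} from journal text."""
    report = {}
    for line in journal_text.splitlines():
        if m := EXIT_RE.search(line):
            entry = report.setdefault(m["unit"], {"signals": Counter(), "restarts": 0})
            # For code=killed/dumped the status field is "<signal number>/<signal name>".
            if m["code"] in ("killed", "dumped"):
                entry["signals"][m["name"]] += 1
        elif m := RESTART_RE.search(line):
            entry = report.setdefault(m["unit"], {"signals": Counter(), "restarts": 0})
            entry["restarts"] = max(entry["restarts"], int(m["count"]))
    return report

def findings(report, loop_threshold=5):
    """Turn the triage report into one-line findings, flagging restart loops."""
    out = []
    for unit, entry in sorted(report.items()):
        for sig, n in entry["signals"].items():
            out.append(f"{unit}: killed by SIG{sig} x{n}: {HINTS.get(sig, 'no hint')}")
        if entry["restarts"] >= loop_threshold:
            out.append(f"{unit}: restart loop, counter at {entry['restarts']}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(triage(SAMPLE))))
```
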