Re: How to avoid using policy kit with openvpn



On Thu, 2016-12-15 at 15:14 +0200, matti kaasinen wrote:
Ping started to work after executing command:


*route add default dev eth0 metric 99*
So, everything is fine!

That implies that the default route was not set up correctly
beforehand.  What's the output of "ip route" before you add that
default route?

You might try setting the "never-default" option in the VPN
connection's config to "true", to indicate that the VPN shouldn't grab
the default route.

Dan


Cheers,
Matti

2016-12-13 11:37 GMT+02:00 matti kaasinen <matti kaasinen gmail com>:


Lubomir, Dan,
I found what triggers this issue. I don't know what the reason is, though!
It has nothing to do with NetworkManager.

The trigger:
1) I load openvpn cert as zipped tar archive to root.
2) I uncompress/untar the archive that creates /etc/openvpn directory with openvpn cert/config files, user = original user.
There is no way back at this point. Whole system is corrupted. It does not help deleting /etc/openvpn directory and note that it is not needed to start openvpn service to get this triggered. Only way I have found to recover is re-install whole system!

I'm somewhat worried how easily one can corrupt whole Linux system - just load files to /etc whose user is not a proper user of the installation! They can be loaded to other place, change owner there and load then to /etc. Anyhow this is none of your worry, I suppose.

Cheers,
Matti

2016-12-09 16:35 GMT+02:00 matti kaasinen <matti kaasinen gmail com>:


Lubo,
It took some time before I had chance to get to this issue again. I got new board and it did not start at all, so I had to study u-boot in between..
Anyhow, answers to your comments:

2016-11-25 18:15 GMT+02:00 Lubomir Rintel <lkundrak v3 sk>:


That sounds very strange.

Please enable eavesdropping on the system bus:
https://wiki.ubuntu.com/DebuggingDBus#How_to_monitor_the_system_bus

And then monitor the actual bus traffic before starting the "openvpn service" (is that the NM VPN plugin?) and after starting it and look out for what changed.

No. That is coming from Yocto/meta-openembedded/meta-networking layer.
Just pure openvpn binary and systemd unit file for starting service.
Only (main) difference I noticed from dbus-monitor log was that before openvpn I got following errors:

   string "Could not get owner of name 'org.freedesktop.nm_avahi_autoipd': no such name"
   string "Could not get owner of name 'org.fedoraproject.FirewallD1': no such name"
   string "Could not get owner of name 'org.freedesktop.login1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.ModemManager1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.nm_dispatcher': no such name"

And after enabling openvpn service I got:

   string "Could not get owner of name 'org.freedesktop.nm_avahi_autoipd': no such name"
   string "Could not get owner of name 'org.fedoraproject.FirewallD1': no such name"
   string "Could not get owner of name 'org.freedesktop.login1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.PolicyKit1': no such name"
   string "Could not get owner of name 'org.bluez': no such name"
   string "Could not get owner of name 'org.freedesktop.nm_dispatcher': no such name"

So, policy kit has vanished.

I'm not sure at all that I could concentrate on the correct details of these logs, though.  So, I would really appreciate any suggestions.

What I noticed from systemd journal regarding ntp synchronization was:

Dec 09 15:08:47 cpr3 systemd[1]: Starting Network Time Synchronization...
Dec 09 15:08:47 cpr3 systemd-timesyncd[467]: Failed to allocate manager: Permission denied
Dec 09 15:08:47 cpr3 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
Dec 09 15:08:47 cpr3 systemd[1]: Failed to start Network Time Synchronization.
Dec 09 15:08:47 cpr3 systemd[1]: systemd-timesyncd.service: Unit entered failed state.
Dec 09 15:08:47 cpr3 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
Dec 09 15:08:47 cpr3 systemd[1]: systemd-timesyncd.service: Service has no hold-off time, scheduling restart.
Dec 09 15:08:47 cpr3 systemd[1]: Stopped Network Time Synchronization.
Dec 09 15:08:47 cpr3 systemd[1]: Starting Network Time Synchronization...
....

Avahi was behaving pretty much the same besides that "Permission denied" message:

Dec 09 15:09:01 cpr3 systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
Dec 09 15:09:01 cpr3 systemd[1]: avahi-daemon.service: Main process exited, code=exited, status=255/n/a
Dec 09 15:09:01 cpr3 systemd[1]: Failed to start Avahi mDNS/DNS-SD Stack.
Dec 09 15:09:01 cpr3 systemd[1]: avahi-daemon.service: Unit entered failed state.
Dec 09 15:09:01 cpr3 systemd[1]: avahi-daemon.service: Failed with result 'exit-code'.
Dec 09 15:09:01 cpr3 systemd[1]: avahi-daemon.service: Service hold-off time over, scheduling restart.
Dec 09 15:09:01 cpr3 systemd[1]: Stopped Avahi mDNS/DNS-SD Stack.
Dec 09 15:09:01 cpr3 systemd[1]: Starting Avahi mDNS/DNS-SD Stack...

Any help appreciated,
-Matti
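
An added example, not part of the original thread: a pre-extraction audit for an archive like the one in the trigger steps above, listing members whose recorded owner is not a local account and directory entries that already exist on the target (GNU tar run as root by default applies the archived owner and mode to those). The sample archive, uid 1000, the name `builder` and the function names are constructed for illustration, and the thread does not establish that this was the cause of the reported breakage.

```python
import io
import posixpath
import tarfile

def build_sample_archive():
    """Constructed sample: packed by uid/gid 1000, includes the 'etc' directory itself."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, mode in [
            ("etc", tarfile.DIRTYPE, 0o700),
            ("etc/openvpn", tarfile.DIRTYPE, 0o755),
            ("etc/openvpn/client.conf", tarfile.REGTYPE, 0o644),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.mode = kind, mode
            info.uid = info.gid = 1000           # constructed packer account
            info.uname = info.gname = "builder"  # hypothetical account name
            tar.addfile(info)
    return buf.getvalue()

def audit_archive(data, known_uids, existing_dirs):
    """Return (path, issue) pairs for members that are risky to extract as root.

    known_uids: numeric uids that exist on the target system.
    existing_dirs: directories already present under the extraction root,
    relative to it (e.g. {"etc"} when extracting into /).
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            path = posixpath.normpath(member.name)
            if member.uid not in known_uids:
                findings.append((path, "unknown-owner"))
            if member.isdir() and path in existing_dirs:
                # Extraction would apply the archived owner and mode to a
                # directory the system already depends on.
                findings.append((path, "touches-existing-dir"))
    return findings

if __name__ == "__main__":
    for path, issue in audit_archive(build_sample_archive(), {0}, {"etc"}):
        print(f"{issue:22} {path}")
```

With GNU tar, `--no-same-owner` extracts files as the invoking user and `--no-overwrite-dir` preserves the metadata of directories that already exist.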




