
From: Klemens Nanni <kn@openbsd.org>
Subject: Re: openvpn: do not force --daemon as first argument
To: Stuart Henderson <stu@spacehopper.org>, ports <ports@openbsd.org>
Date: Sat, 06 Dec 2025 19:05:27 +0000

06.12.2025 18:50, Jeremie Courreges-Anglas writes:
> On Sat, Dec 06, 2025 at 11:48:26AM +0000, Klemens Nanni wrote:
>> 06.12.2025 14:37, Stuart Henderson writes:
>>> then if someone doesn't set --daemon themselves (either on the command line or in config) the script won't work properly.
> 
> Which is a problem in itself that we're trying to avoid in other rc
> scripts.

If whatever you set for flags doesn't work, the first thing should be
to check the rc.d script's defaults, the package's README/MESSAGE, etc.

OpenVPN isn't as trivial as, say, tftpd(8), so I'd expect users to have
already read the manual and know how to deal with our service scripts
before starting them.

> 
>> not sure I see the problem with specifying --config?
> 
> I didn't think that people could expect
> 
>   openvpn_flags=/etc/openvpn/server.conf
> 
> to work, which wouldn't work because of the interaction with --daemon.
> I can see how that would confuse people, but it can be documented.

Sure, documenting works here and causes less friction, but not mandating
usage by hardcoding flags in `daemon' would be straightforward and allow
users to use the simplest form wrt. rc.conf.local: a single file argument
with everything else being in there, all without README/MESSAGE bits.

> 
>> Hence the sentence about MESSAGE or current.html.
>>
>> Although this is more about --daemon not being usable inside a config file
>> due to our rc.d script's assumption about it not taking arguments.
> 
> This I did envision, and it was more of a compromise than an
> assumption.  But I've been lazy and didn't document the trick to set
> the name in syslog messages.
> 
>>> upstream supports multiple sockets in server mode now, btw.
>>
>> Oh?  I'll take another look, thanks.
> 
> That'll be only for openvpn-2.7.
> 
>> I don't think it's super critical, but I'd still like to rectify this;
>> we have relatively few scripts forcing flags in `daemon' and for openvpn
>> this is not strictly necessary.
> 
> The reason we force some flags in $daemon in other scripts is
> precisely to get these programs to daemonize by default, whatever the
> user specifies in the flags.

Right, but here it has more impact than that:

    [...] The syslog redirection occurs
    immediately at the point that --daemon is parsed on the command
    line even though the daemonization point occurs later. If one of
    the --log options is present, it will supersede syslog
    redirection.

This renders -d for debugging service startups useless, because everything
is syslog'd immediately, which is bad, imho:

	# rcctl enable openvpn
	# rcctl set openvpn flags --ops
	# rcctl -d start openvpn
	doing _rc_parse_conf
	openvpn_flags >--oops<
	doing rc_check
	openvpn
	doing rc_start
	doing _rc_wait_for_start
	doing rc_check
	doing _rc_rm_runfile
	(failed)

Without the hardcoded flag, careful readers of the manual can defer their
`daemon' option to flags or their config file.

It's just another minor issue, but we can fix it, so why not?

> 
> See below,
> 
> [...]
>>>> Existing setups need adjusting, but I'm not sure whether MESSAGE or
>>>> current.html is the best way to signal that.
> 
> Your use case isn't niche, but as you noted it can already be achieved
> with the current script.  Dropping --daemon would be the wrong move
> anyway, both in itself and because it would break currently working
> setups.
> 
> So what about just documenting the --config and --daemon quirks?
> I tried to make it reasonably concise but it can probably be improved.
> 
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/Makefile,v
> diff -u -p -r1.138 Makefile
> --- Makefile	29 Nov 2025 15:43:27 -0000	1.138
> +++ Makefile	6 Dec 2025 14:31:48 -0000
> @@ -1,6 +1,7 @@
>  COMMENT=	easy-to-use, robust, and highly configurable VPN
>  
>  DISTNAME=	openvpn-2.6.17
> +REVISION=	0
>  
>  CATEGORIES=	net security
>  
> Index: pkg/README
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/pkg/README,v
> diff -u -p -r1.9 README
> --- pkg/README	22 Feb 2023 18:04:27 -0000	1.9
> +++ pkg/README	6 Dec 2025 15:35:46 -0000
> @@ -14,7 +14,17 @@ Using the openvpn rc script
>  # rcctl enable openvpn
>  # rcctl set openvpn flags '--config /etc/openvpn/server.conf'
>  
> +To avoid ambiguity in options handling, always explicitly
> +specify --config before the path to your configuration file.
> +

openvpn(8) itself explains the details and it only doesn't work because
of what is now explained below, so I'd drop that sentence.

>  To handle multiple openvpn instances see EXAMPLES in rcctl(8).
> +
> +The openvpn rc script always passes --daemon before the user-selectable
> +flags.  This breaks the effets of 'daemon <custom-progname>' in
> +configuration files.  To work around this, you can pass an optional
> +<custom-progname> at the start of the user-selectable flags:
> +
> +# rcctl set openvpn flags 'openvpn-custom --config /etc/openvpn/custom.conf'

If we go that way, this seems good enough, although I'd say just "progname"
to match openvpn(8) wording and use ... instead of --config /file for brevity.

>  
>  Using an /etc/hostname.* file without persist-tun
>  -------------------------------------------------
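Review bot: the paragraph added after "To handle multiple openvpn instances" has a typo, "effets" should read "effects". The same paragraph would also read better if it stated why a bare word at the start of the flags works: --daemon is the last token in $daemon, so the first user-selectable word is taken as its optional progname. Saying so makes the `openvpn-custom` example self-explanatory and also explains the earlier added sentence about always writing --config before the path, since a bare path in first position would be consumed the same way.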
> Index: pkg/openvpn.rc
> ===================================================================
> RCS file: /cvs/ports/net/openvpn/pkg/openvpn.rc,v
> diff -u -p -r1.2 openvpn.rc
> --- pkg/openvpn.rc	10 Mar 2022 00:04:07 -0000	1.2
> +++ pkg/openvpn.rc	6 Dec 2025 14:31:48 -0000
> @@ -1,5 +1,7 @@
>  #!/bin/ksh
>  
> +# XXX "--daemon" must kept at the end of $daemon
> +# See pkg-readmes/openvpn
>  daemon="${TRUEPREFIX}/sbin/openvpn --daemon"
>  
>  . /etc/rc.d/rc.subr
>
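Review bot: the added comment in openvpn.rc reads "must kept at the end of $daemon", which should be "must be kept at the end of $daemon". It would also help the next person editing this file to state the reason in the comment itself rather than only pointing at pkg-readmes/openvpn, e.g. that --daemon takes an optional progname argument and therefore has to sit immediately before the user flags.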