Ignoring SIG_CHLD breaks external scripts about duo_openvpn HOT 9 CLOSED

I'm experiencing exactly the same, this issue is breaking IPv6 support for my openvpn client as I can't control the ndp proxy anymore via an external script.

from duo_openvpn.

I've commented out line line 64 signal(SIGCHLD, SIG_IGN); and recompiled it as a temporary fix to keep it working. However, every time a openvpn client authenticates a zombie process is kept on the system. Anyone know a more permanent fix?

To cleanup the zombie processes without restarting openvpn, you can use gdb, first find the zombie PIDs.

pstree -p|grep -A2 openvpn                                                                                                                                                     
        |-openvpn(20633)-+-python(20775)
        |                `-python(20988)

Output shows two authentication attempts were made as two zombie processes (PID 20775, 20988) have raised. Cleanup (periodically) by hooking gdb into openvpn. Note it will freeze all current openvpn connections while you are in the gdb prompt.

sudo gdb -p 20633
…
(gdb) call waitpid(20775, 0, 0)
$1 = 20775
(gdb) call waitpid(20988, 0, 0)
$2 = 20988
(gdb) quit

from duo_openvpn.

Hey, thanks for bringing this to our attention! It looks like you've gotten a pretty good grasp of the issue, and a workaround as well. I'll take a look at this when I get the opportunity. In the mean time, if you wanted to open up a PR with a suitable fix I'd welcome that as well :)

from duo_openvpn.

How does that work? The call to execve() should not return. If it ever hits the exit call after that it's because execve failed.

from duo_openvpn.

I've made a permanent fix in PR #10

The fix (482a033) uses the previously created fork() to execute the execvp. The parent process waits using waitpid() for the execvp to complete.

from duo_openvpn.

I don't think waitpid is the solution. It should be daemonized so PID 1 reaps it.

from duo_openvpn.

@Owling, can you please try PR #11 and see if that works for you? If you turn up your openvpn server's log verbage, you should see a difference between your patch and this one in what the server does between the initial auth call and when auth is granted.

To download the patched code, clone https://github.com/petiepooo/duo_openvpn, switch to the fix-SIG_IGN branch, and compile. Thanks!

from duo_openvpn.

I see it's merged. Thanks! Glad to help out.

from duo_openvpn.

Fixed in #11. Cheers!

from duo_openvpn.