~fkooman

Berlin

https://www.tuxed.net/

Trackers

~fkooman/php-saml-sp

Last active 5 months ago

~fkooman/php-oauth2-server

Last active 7 months ago

#189 implement Wireguard over TCP support 3 days ago

Comment by ~fkooman on ~eduvpn/server

What still needs to be done:

  • proxyguard package for Debian/Ubuntu
  • wait for proxyguard 1.0.0 release

#189 implement Wireguard over TCP support 3 days ago

Comment by ~fkooman on ~eduvpn/server

We have a branch of the "deploy" repository for new server installations to enable WireGuard+TCP out of the box:

https://codeberg.org/eduVPN/deploy/commit/7af5f4ddeba509e9979d1a5f141cd4fa59225f45

#189 implement Wireguard over TCP support 3 days ago

Comment by ~fkooman on ~eduvpn/server

The API also was updated to support the new configuration format for TCP WireGuard configurations:

https://docs.eduvpn.org/server/v3/api.html

#189 implement Wireguard over TCP support 3 days ago

Comment by ~fkooman on ~eduvpn/server

We have a working branch and documentation for it already:

https://docs.eduvpn.org/server/v3/proxyguard.html

#189 implement Wireguard over TCP support 3 days ago

v3.x added by ~fkooman on ~eduvpn/server

#189 implement Wireguard over TCP support 3 days ago

Ticket created by ~fkooman on ~eduvpn/server

#187 EL9 OpenVPN connect/disconnect SELinux denials 6 days ago

on ~eduvpn/server

On 15.02.24 17:23, ~fkooman wrote:

> Thanks for the extended analysis! Wow!

I have looked at the source code of php opcache and it seems it's using hugetlbs pretty dumb: it first tries with the option and if it fails it tries without. Thus, anything but disabling the extension completely won't help.

https://github.com/php/php-src/blob/master/ext/opcache/shared_alloc_mmap.c

> Otherwise, this log is probably a nuisance to live with.

> This was my idea yeah...

I don't know if that's a good idea. Generally, if there is a problem on the server, I'd like to check for SELinux issues during troubleshooting. And those AVCs are not helping. I like my servers and applications to run without interference of SELinux. "ausearch -m avc" should report nothing.

As I wrote before: I think the fully "correct" solution would be to implement a SELinux transition for those scripts into a context allowing access.

The "shortcut" would be to allow openvpn_t to access hugetlbs. Not nice, but I guess it's a reasonable risk to take.

The alternative would be not to use php for those scripts in order to make sure they perform well...

> Setting opcache.enable_cli=0 in /etc/php.d/10-opcache.ini helps, too.

> Would this have a performance impact? I can imagine that it might? Of course the biggest impact would probably be with php-fpm, but still. So, I wonder whether it is a good idea to disable (cli) opcache on new installations by default, or search some other way?

I can't tell you. You would have to check the performance of those scripts. You could try to run those scripts with "time" and check performance with opcache enabled or disabled.

Regards,

Gerald

#188 LDAP document/support multiple servers 7 days ago

v3.x added by ~fkooman on ~eduvpn/server

#188 LDAP document/support multiple servers 7 days ago

Ticket created by ~fkooman on ~eduvpn/server

It is possible to provide >1 LDAP server; this is not yet documented on https://docs.eduvpn.org/server/v3/ldap.html

It is also not clear if this is just for failover or round robin. Investigate and document! It should be possible to make it "round robin" if this is a useful feature to have...

@see https://www.php.net/manual/en/function.ldap-connect.php#refsect1-function.ldap-connect-parameters

#187 EL9 OpenVPN connect/disconnect SELinux denials 7 days ago

Comment by ~fkooman on ~eduvpn/server

Thanks for the extended analysis! Wow!

Otherwise, this log is probably a nuisance to live with.

This was my idea yeah...

Setting opcache.enable_cli=0 in /etc/php.d/10-opcache.ini helps, too.

Would this have a performance impact? I can imagine that it might? Of course the biggest impact would probably be with php-fpm, but still. So, I wonder whether it is a good idea to disable (cli) opcache on new installations by default, or search some other way?