Bug 13832

Summary: collectd-5.12.0 openvpn errors if openvpn not used
Product: IPFire Reporter: Adolf Belka <adolf.belka>
Component: ---Assignee: Adolf Belka <adolf.belka>
Status: ASSIGNED --- QA Contact:
Severity: Minor Usability    
Priority: - Unknown -    
Version: 2   
Hardware: all   
OS: Unspecified   

Description Adolf Belka 2025-03-16 09:46:27 UTC 
Error messages from collectd have been reported in the forum with Core Update 192 (so the collectd-5.12.0 update).

The messages were:-

07:19:24 collectd[17386]: read-function of plugin `openvpn/ovpnserver.log' failed. Will suspend it for 30720.000 seconds.
07:19:24 collectd[17386]: openvpn plugin: failed to get data from: /var/run/ovpnserver.log
03:03:24 collectd[17386]: read-function of plugin `openvpn/ovpnserver.log' failed. Will suspend it for 15360.000 seconds.
03:03:24 collectd[17386]: openvpn plugin: failed to get data from: /var/run/ovpnserver.log
00:55:24 collectd[17386]: read-function of plugin `openvpn/ovpnserver.log' failed. Will suspend it for 7680.000 seconds.
00:55:24 collectd[17386]: openvpn plugin: failed to get data from: /var/run/ovpnserver.log 

It appears that the users that are not using openvpn are the ones seeing these messages. They apparently do have the /var/run/ovpnserver.log file but it is empty.

Looking back through the IPFIre git repo I saw that some of the 22 odd patches that had been applied to collectd-4.10.9 were related to openvpn and some of them to silencing openvpn errors.

I identified 7 patches related to openvpn, all patching the /src/openvpn.c file in the collectd source tarball.

I compared all these patches with the collectd-5.12.0 source tarball.

One of the files had its contents now included in the source tarball. This was the one related to changing the openvpn plugin from a COUNTER to a DERIVE approach.

The other 6 patches I could not find any match as the openvpn.c code is significantly different compared to collectd-4.10.9.

Raised this issue on the dev mailing list and the feedback was to comment out the

include "/etc/collectd.vpn"

line in the collectd.conf file in a similar way as done with the thermal plugin etc.

This just means that we also want to restart collectd after OpenVPN was enabled/disabled so that it is always in sync.

I have raised this as a bug so it is recorded and so that I will not forget about it.
Comment 1 Adolf Belka 2025-03-16 20:00:38 UTC 
I tested this out on a vm system.

A fresh install without the OpenVPN enabled gave the log messages found by other users on the forum.

I then created the root and host certificates for the OpenVPN server and then selected enabled on Red and saved and then started the OpenVPN server.

After that the collect openvpn error messages stopped.

So commenting out the include openvpn plugin line and checking if OpenVPN is enabled when starting collectd with the initscript and using that to uncomment the include openvpn plugin line will work.

Additionally when the openvpn is enabled it will need to run the collectd restart command to ensure that the collectd openvpn plugin is then working.
Comment 2 Adolf Belka 2025-03-17 11:45:42 UTC 
Did some further checking out.

Just enabling the OpenVPN server on Red does not create contents in the /var/run/ovpnserver.log file.

The OpenVPN server has to be started. Once it is started then the ovpnserver.log file has the contents that the collectd openvpn plugin is expecting and there are no error messages.

However, once that ovpnserver.log file has been created it is never deleted. So after once starting the OpenVPN server you can then stop it, disable it on all interfaces and remove the x509 certficate set so you end up with nothing defined in the OpenVPN WUI page but ovpnserver.log is still present with the expected contents so collectd will never again complain about it.

However it still makes sense to comment out the openvpn plugin include statement in collectd.conf but this needs to be triggered by OpenVPN being started and successfully running.

So it can't be done by simply doing a readhash from the openvpn settings file.

I will look at how to get the running status. openvpnctrl.c has no status command for the running status but it must be found to be able to show Running in green rather than Stopped in red. So I will have a look through the ovpnmain.cgi code further.
Comment 3 Adolf Belka 2025-03-17 12:02:47 UTC 
Turned out to be easier than I thought. The status is shown as RUNNING in green if the openvpn.pid file exists.

So basically we uncomment the include openvpn plugin line if /var/run/openvpn.pid exists.

Then we also need to restart the collectd initscript if the OpenVPN server is started, after the WUI page update with the status is shown.

 will test out the required changes on my vm testbed.
Comment 4 Adolf Belka 2025-03-17 19:54:11 UTC 
Patch set fix for this bug submitted to the dev mailing list and patchwork.

https://lists.ipfire.org/development/20250317195123.2092-1-adolf.belka@ipfire.org/T/#t

https://patchwork.ipfire.org/project/ipfire/list/?series=4786