Opened 4 years ago

Closed 4 years ago

#17713 closed defect (not a bug)

Debian 8.2 latest tor package tor_0.2.7.5-1~d80.jessie+1_amd64.deb fails on start with "NO_NEW_PRIVILEGES"

Reported by: DeS
Owned by:
Priority: Medium
Milestone: Tor: 0.2.7.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.7.5
Severity: Normal
Keywords: NO_NEW_PRIVILEGES, VM
Cc: weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hello,
I have operated a Tor middle node for several years on a VM in a datacenter. The VM is running Debian Jessie 8.2.
Up to now I never had a problem.
After upgrading to the latest 0.2.7.5.-1 package, the tor service does not start anymore.
See below the syslog information. There is no info in the tor server log.

Nov 27 10:22:19 vmd tor[11811]: Nov 27 10:22:19.381 [notice] Read configuration file "/etc/tor/torrc".
Nov 27 10:22:19 vmd tor[11811]: Nov 27 10:22:19.383 [notice] Based on detected system memory, MaxMemInQueues is set to 2976 MB. You can override this by setting MaxMemInQueues by hand.
Nov 27 10:22:19 vmd tor[11811]: Configuration was valid
Nov 27 10:22:19 vmd systemd[11814]: Failed at step NO_NEW_PRIVILEGES spawning /usr/bin/tor: Invalid argument
Nov 27 10:22:19 vmd systemd[1]: tor@default.service: main process exited, code=exited, status=227/NO_NEW_PRIVILEGES
Nov 27 10:22:19 vmd systemd[1]: Failed to start Anonymizing overlay network for TCP.
Nov 27 10:22:19 vmd systemd[1]: Unit tor@default.service entered failed state.
Nov 27 10:22:19 vmd systemd[1]: tor@default.service start request repeated too quickly, refusing to start.
Nov 27 10:22:19 vmd systemd[1]: Failed to start Anonymizing overlay network for TCP.
Nov 27 10:22:19 vmd systemd[1]: Unit tor@default.service entered failed state.

Reinstalling the old version 0.2.5.12-1 fixed the problem.
On another metal machine I do not experience this problem running several exits.

Might have something to do with the KVM-based virtualization. But this is just a guess.
Let me know if you need more information.

Change History (14)

comment:1 Changed 4 years ago by stemid

I also have this issue on Debian 8.2 with Tor 0.2.7.5-1 using systemd.

I managed to get around this particular error by overriding NoNewPrivileges=no in /etc/systemd/system/tor@default.service.d/workaround.conf and doing systemctl daemon-reload before restarting tor.

However this resulted in new issues with systemctl hanging indefinitely, and whether I leave the systemctl command running, or if I interrupt it, this results in a state where tor service keeps being interrupted every minute.

Nov 29 17:09:43 vpn.domain Tor[8239]: Self-testing indicates your DirPort is reachable from the outside. Excellent.
Nov 29 17:11:34 vpn.domain systemd[1]: tor@default.service start operation timed out. Terminating.
Nov 29 17:11:34 vpn.domain Tor[8239]: Interrupt: we have stopped accepting new connections, and will shut down in 30 seconds. Interrupt again to exit now.

And this repeats, over and over.

Seems to me these issues are in jessie/systemd, not any hypervisor.

The latest issue now is that the service keeps being interrupted every minute and restarting.

Edit: My issue with systemctl hanging and the service interrupting ended up being quite banal: I had simply forgotten to change wheezy into jessie in the sources.list.d file for the tor Deb repo.

So I changed wheezy to jessie, sudo apt-get update and sudo apt-get upgrade and sudo apt-get dist-upgrade and after the service was restarted it worked without errors. But I still had to keep the NoNewPrivileges=no workaround in systemd.

So the only issue left is the one reported in the original post, and that was worked around with a systemd override.

Last edited 4 years ago by stemid

comment:2 Changed 4 years ago by nickm

Milestone: Tor: 0.2.7.x-final

comment:3 Changed 4 years ago by nickm

Keywords: TorCoreTeam201512 added

comment:4 Changed 4 years ago by weasel

Which kernels are you on?

comment:5 Changed 4 years ago by weasel

Cc: weasel added

comment:6 Changed 4 years ago by nickm

Status: new → needs_information

comment:7 Changed 4 years ago by nickm

Keywords: TorCoreTeam201512 removed

comment:8 Changed 4 years ago by DeS

The Server is running on: 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u1 x86_64 GNU/Linux

comment:9 Changed 4 years ago by DeS

Status: needs_information → new

comment:10 Changed 4 years ago by weasel

Interesting. Does it also happen on a jessie kernel?

comment:11 Changed 4 years ago by nickm

Status: new → needs_information

comment:12 Changed 4 years ago by DeS

Yes, that is a Jessie kernel. See comment 8.

comment:13 Changed 4 years ago by weasel

That's not a jessie kernel. That's a wheezy kernel, and one that is several updates behind as well.

comment:14 Changed 4 years ago by DeS

Resolution: not a bug
Status: needs_information → closed

Ohhhhhhhhh. OK. Seems for some reason my kernel never got updated. Installing the correct Jessie kernel solved the problem for the Tor package as well.
Issue resolved. User error.
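
A diagnostic for the failure in this ticket, added here as an example (not code from the ticket, Tor, or systemd): systemd's NoNewPrivileges= depends on the kernel's no_new_privs prctl, which mainline Linux gained in 3.5, so the reporter's 3.2.0-4-amd64 kernel rejects it with "Invalid argument". The function names are hypothetical, and the 3.16.0-4-amd64 string used for comparison is a constructed sample of a Jessie-era release string.

```c
/* Added diagnostic example; not from the ticket or the Tor/systemd projects. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/utsname.h>

#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39   /* value from linux/prctl.h */
#endif

/* 1 if the release string is >= 3.5 (first mainline kernel with
 * no_new_privs), 0 if older, -1 if it cannot be parsed. */
int release_has_nnp(const char *release)
{
    int major, minor;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return -1;
    return (major > 3 || (major == 3 && minor >= 5)) ? 1 : 0;
}

/* Ask the running kernel directly, which also covers vendor backports:
 * 1 = supported, 0 = option unknown to the kernel (EINVAL), -1 = other error. */
int probe_nnp(void)
{
    errno = 0;
    int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (r >= 0)
        return 1;
    return errno == EINVAL ? 0 : -1;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 2; }
    int by_version = release_has_nnp(u.release);
    int by_probe = probe_nnp();
    printf("kernel %s: version check=%d, prctl probe=%d\n",
           u.release, by_version, by_probe);
    if (by_probe == 0)
        puts("units with NoNewPrivileges=yes will exit with status=227 here");
    return by_probe == 1 ? 0 : 1;
}
```

Running this before a package upgrade that enables NoNewPrivileges= shows whether the fix is a kernel update rather than a drop-in that turns the hardening off.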
