Opened 3 years ago

Last modified 21 months ago

#17754 needs_information defect

0.2.7.5 cannot work inside lxc container

Reported by: kibba
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.7.5
Severity: Normal
Keywords: lxc tor-client compatibility apparmor needs-diagnosis container
Cc: weasel, patrick@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I am running Tor inside an LXC container running ubuntu/vivid, and Tor doesn't run since system tor status shows it running

Tor version 0.2.7.5 (git-6184c873e90d93b2)

Before upgrading to this version, everything worked well inside the container. Outside of the container, on a host running ubuntu/vivid, everything works.

output of journalctl :

déc. 04 22:50:29 torouter systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)..
déc. 04 22:50:29 torouter systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
déc. 04 22:54:09 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 04 22:54:09 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 04 22:54:09 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 04 22:54:09 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 04 22:54:09 torouter systemd[1]: Stopped Anonymizing overlay network for TCP (multi-instance-master).
déc. 04 22:59:32 torouter systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)..
déc. 04 22:59:32 torouter systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).

output of systemctl status tor@…

● tor@default.service - Anonymizing overlay network for TCP
   Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
   Active: failed (Result: start-limit) since ven. 2015-12-04 23:51:04 CET; 36s ago
  Process: 4478 ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 (code=exited, status=231/APPARMOR)
  Process: 4464 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
  Process: 4450 ExecStartPre=/usr/bin/install -Z -m 02750 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
 Main PID: 4478 (code=exited, status=231/APPARMOR)

déc. 04 23:51:04 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 04 23:51:04 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 04 23:51:04 torouter systemd[1]: tor@default.service: Failed with result 'exit-code'.
déc. 04 23:51:04 torouter systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
déc. 04 23:51:04 torouter systemd[1]: Stopped Anonymizing overlay network for TCP.
déc. 04 23:51:04 torouter systemd[1]: tor@default.service: Start request repeated too quickly.
déc. 04 23:51:04 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 04 23:51:04 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 04 23:51:04 torouter systemd[1]: tor@default.service: Failed with result 'start-limit'.

in /var/log/tor/log =>
Interrupt: exiting cleanly

find /etc/systemd/ | grep /tor 
/etc/systemd/system/multi-user.target.wants/tor.service

I have tried to use the patch in this issue:
https://trac.torproject.org/projects/tor/ticket/17693

It doesn't work.

Change History (14)

comment:1 Changed 3 years ago by teor

Please send us the log entries for:

  • the kernel log for apparmor denying tor (this looks like the log in #17693),
  • the log of systemd killing the tor process.

comment:2 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.2.8.x-final
Status: new → needs_information

comment:3 Changed 3 years ago by kibba

Hope it can help :

kern.log :

Dec  8 01:54:08 torouter kernel: [384376.105956] audit: type=1400 audit(1449536048.599:71891): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=1407 comm="smtp" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
Dec  8 01:54:17 torouter kernel: [384384.558916] audit_printk_skb: 48 callbacks suppressed
Dec  8 01:54:17 torouter kernel: [384384.558925] audit: type=1400 audit(1449536057.055:71918): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/bounce" pid=1410 comm="smtp" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
Dec  8 01:55:51 torouter kernel: [384479.375750] audit: type=1400 audit(1449536151.847:71926): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=1406 comm="smtp" requested_mask="r" denied_mask="r" fsuid=109 ouid=0

dmesg :

[384228.364335] audit: type=1400 audit(1449535900.891:71845): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=29331 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
[384233.054448] audit: type=1400 audit(1449535905.579:71846): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=30235 comm="(install)" flags="rw, rslave"
[384233.233420] audit: type=1400 audit(1449535905.759:71847): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=30389 comm="(tor)" flags="rw, rslave"
[384235.601373] audit: type=1400 audit(1449535908.123:71848): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=30864 comm="(tor)" flags="rw, rslave"
[384236.463215] audit: type=1400 audit(1449535908.987:71849): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=30976 comm="(install)" flags="rw, rslave"
[384236.492256] audit: type=1400 audit(1449535909.015:71850): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31005 comm="(tor)" flags="rw, rslave"
[384236.539962] audit: type=1400 audit(1449535909.063:71851): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31043 comm="(tor)" flags="rw, rslave"
[384236.934917] audit: type=1400 audit(1449535909.459:71852): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31391 comm="(install)" flags="rw, rslave"
[384236.964545] audit: type=1400 audit(1449535909.487:71853): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31460 comm="(tor)" flags="rw, rslave"
[384237.020065] audit: type=1400 audit(1449535909.543:71854): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31522 comm="(tor)" flags="rw, rslave"
[384238.450632] audit_printk_skb: 9 callbacks suppressed
[384238.450634] audit: type=1400 audit(1449535910.975:71858): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31650 comm="(install)" flags="rw, rslave"
[384238.475414] audit: type=1400 audit(1449535910.999:71859): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31804 comm="(tor)" flags="rw, rslave"
[384238.528398] audit: type=1400 audit(1449535911.051:71860): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=31833 comm="(tor)" flags="rw, rslave"
[384241.850826] lxcbr0: port 3(vethYAGFKF) entered forwarding state

systemctl :

déc. 08 02:04:20 torouter systemd[1]: Failed to reset devices.list on /lxc/torouter/system.slice/tor.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
déc. 08 02:04:20 torouter systemd[1]: Failed to reset devices.list on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Starting Anonymizing overlay network for TCP...
déc. 08 02:04:20 torouter systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
déc. 08 02:04:20 torouter systemd[1]: Failed to reset devices.list on /lxc/torouter/system.slice/tor.service: Permission denied
déc. 08 02:04:20 torouter tor[1740]: Dec 08 02:04:20.350 [notice] Tor v0.2.7.5 (git-6184c873e90d93b2) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2d and Zlib 1.2.8.
déc. 08 02:04:20 torouter tor[1740]: Dec 08 02:04:20.350 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
déc. 08 02:04:20 torouter tor[1740]: Dec 08 02:04:20.350 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
déc. 08 02:04:20 torouter tor[1740]: Dec 08 02:04:20.350 [notice] Read configuration file "/etc/tor/torrc".
déc. 08 02:04:20 torouter tor[1740]: Configuration was valid
déc. 08 02:04:20 torouter systemd[1754]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: Operation not permitted
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed with result 'exit-code'.
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
déc. 08 02:04:20 torouter systemd[1]: Stopped Anonymizing overlay network for TCP.
déc. 08 02:04:20 torouter systemd[1]: Failed to reset devices.list on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Starting Anonymizing overlay network for TCP...
déc. 08 02:04:20 torouter tor[1785]: Dec 08 02:04:20.802 [notice] Tor v0.2.7.5 (git-6184c873e90d93b2) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2d and Zlib 1.2.8.
déc. 08 02:04:20 torouter tor[1785]: Dec 08 02:04:20.802 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
déc. 08 02:04:20 torouter tor[1785]: Dec 08 02:04:20.802 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
déc. 08 02:04:20 torouter tor[1785]: Dec 08 02:04:20.802 [notice] Read configuration file "/etc/tor/torrc".
déc. 08 02:04:20 torouter tor[1785]: Configuration was valid
déc. 08 02:04:20 torouter systemd[1799]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: Operation not permitted
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:20 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Failed with result 'exit-code'.
déc. 08 02:04:20 torouter systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
déc. 08 02:04:20 torouter systemd[1]: Stopped Anonymizing overlay network for TCP.
déc. 08 02:04:20 torouter systemd[1]: Failed to reset devices.list on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:20 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Starting Anonymizing overlay network for TCP...
déc. 08 02:04:21 torouter tor[1830]: Dec 08 02:04:21.054 [notice] Tor v0.2.7.5 (git-6184c873e90d93b2) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2d and Zlib 1.2.8.
déc. 08 02:04:21 torouter tor[1830]: Dec 08 02:04:21.054 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
déc. 08 02:04:21 torouter tor[1830]: Dec 08 02:04:21.054 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
déc. 08 02:04:21 torouter tor[1830]: Dec 08 02:04:21.054 [notice] Read configuration file "/etc/tor/torrc".
déc. 08 02:04:21 torouter tor[1830]: Configuration was valid
déc. 08 02:04:21 torouter systemd[1844]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: Operation not permitted
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed with result 'exit-code'.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
déc. 08 02:04:21 torouter systemd[1]: Stopped Anonymizing overlay network for TCP.
déc. 08 02:04:21 torouter systemd[1]: Failed to reset devices.list on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Starting Anonymizing overlay network for TCP...
déc. 08 02:04:21 torouter tor[1875]: Dec 08 02:04:21.296 [notice] Tor v0.2.7.5 (git-6184c873e90d93b2) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2d and Zlib 1.2.8.
déc. 08 02:04:21 torouter tor[1875]: Dec 08 02:04:21.296 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
déc. 08 02:04:21 torouter tor[1875]: Dec 08 02:04:21.296 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
déc. 08 02:04:21 torouter tor[1875]: Dec 08 02:04:21.296 [notice] Read configuration file "/etc/tor/torrc".
déc. 08 02:04:21 torouter tor[1875]: Configuration was valid
déc. 08 02:04:21 torouter systemd[1889]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: Operation not permitted
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed with result 'exit-code'.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
déc. 08 02:04:21 torouter systemd[1]: Stopped Anonymizing overlay network for TCP.
déc. 08 02:04:21 torouter systemd[1]: Failed to reset devices.list on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Failed to set devices.allow on /lxc/torouter/system.slice/system-tor.slice/tor@default.service: Permission denied
déc. 08 02:04:21 torouter systemd[1]: Starting Anonymizing overlay network for TCP...
déc. 08 02:04:21 torouter tor[1920]: Dec 08 02:04:21.544 [notice] Tor v0.2.7.5 (git-6184c873e90d93b2) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2d and Zlib 1.2.8.
déc. 08 02:04:21 torouter tor[1920]: Dec 08 02:04:21.544 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
déc. 08 02:04:21 torouter tor[1920]: Dec 08 02:04:21.544 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
déc. 08 02:04:21 torouter tor[1920]: Dec 08 02:04:21.544 [notice] Read configuration file "/etc/tor/torrc".
déc. 08 02:04:21 torouter tor[1920]: Configuration was valid
déc. 08 02:04:21 torouter systemd[1934]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: Operation not permitted
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed to kill control group: Invalid argument
déc. 08 02:04:21 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed with result 'exit-code'.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
déc. 08 02:04:21 torouter systemd[1]: Stopped Anonymizing overlay network for TCP.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Start request repeated too quickly.
déc. 08 02:04:21 torouter systemd[1]: Failed to start Anonymizing overlay network for TCP.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Unit entered failed state.
déc. 08 02:04:21 torouter systemd[1]: tor@default.service: Failed with result 'start-limit'.
déc. 08 02:04:35 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 08 02:04:35 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 08 02:04:35 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 08 02:04:35 torouter systemd[1]: tor.service: Failed to kill control group: Invalid argument
déc. 08 02:04:35 torouter systemd[1]: Stopped Anonymizing overlay network for TCP (multi-instance-master).

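For the kernel-log request in comment:1 and the logs returned in comment:3, a small triage script can separate the denials that involve the tor unit from unrelated ones. It is an added example, not part of the ticket or of Tor's or Debian's tooling; the function names are hypothetical and the sample lines are abridged from comment:3 with the syslog timestamps trimmed.

```python
import re
from collections import Counter

# Sample input: lines abridged from the logs in comment:3 (timestamps trimmed).
SAMPLE = '''\
[384376.105956] audit: type=1400 audit(1449536048.599:71891): apparmor="DENIED" operation="file_perm" profile="lxc-container-default" name="private/defer" pid=1407 comm="smtp" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
[384384.558916] audit_printk_skb: 48 callbacks suppressed
[384228.364335] audit: type=1400 audit(1449535900.891:71845): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=29331 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
[384233.054448] audit: type=1400 audit(1449535905.579:71846): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=30235 comm="(install)" flags="rw, rslave"
[384233.233420] audit: type=1400 audit(1449535905.759:71847): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=30389 comm="(tor)" flags="rw, rslave"
[384235.601373] audit: type=1400 audit(1449535908.123:71848): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=30864 comm="(tor)" flags="rw, rslave"
[384238.450632] audit_printk_skb: 9 callbacks suppressed
torouter systemd[1754]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: Operation not permitted
torouter systemd[1799]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: Operation not permitted
'''.splitlines()

# key="quoted value" or key=bare_value, as used in kernel audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SUPPRESSED_RE = re.compile(r'audit_printk_skb: (\d+) callbacks suppressed')
SPAWN_RE = re.compile(
    r'(?P<unit>\S+): Failed at step (?P<step>\w+) spawning (?P<exe>\S+): (?P<err>.+)$')


def parse_apparmor(line):
    """Return the fields of an AppArmor audit record as a dict, else None."""
    start = line.find('apparmor="')
    if start < 0:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line, start)}


def triage(lines):
    """Group denials, tally systemd exec-step failures, count dropped records."""
    denials, spawn_failures, suppressed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_apparmor(line)
        if rec is not None:
            if rec.get("apparmor") == "DENIED":
                denials[(rec.get("profile"), rec.get("operation"),
                         rec.get("comm"), rec.get("name"), rec.get("info"))] += 1
            continue
        m = SUPPRESSED_RE.search(line)
        if m:
            # Rate limiting dropped this many records: the log is incomplete.
            suppressed += int(m.group(1))
            continue
        m = SPAWN_RE.search(line)
        if m:
            spawn_failures[(m.group("unit"), m.group("step"), m.group("err"))] += 1
    return denials, spawn_failures, suppressed


def denials_for(denials, process):
    """Keep denials raised by `process` or by systemd's pre-exec child for it.

    systemd names a forked child "(name)" until it execs the service binary,
    so "(tor)" is the helper that was setting up the tor unit's environment.
    """
    wanted = {process, "(%s)" % process}
    return {key: n for key, n in denials.items() if key[2] in wanted}


if __name__ == "__main__":
    denials, spawn_failures, suppressed = triage(SAMPLE)
    print("records suppressed by audit rate limiting:", suppressed)
    for key, n in sorted(denials_for(denials, "tor").items()):
        print("tor-related denial x%d:" % n, key)
    for key, n in sorted(spawn_failures.items()):
        print("systemd exec-step failure x%d:" % n, key)
```

On these lines the `smtp` denials fall out of the tor view, and the suppressed-record count shows that the audit log alone is not a complete list of denials.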

comment:4 Changed 3 years ago by teor

I think this is another one for weasel and the debian package.

comment:5 Changed 3 years ago by nickm

Cc: weasel added

Adding weasel in case he's interested. Is this one for you, weasel?

comment:6 Changed 3 years ago by weasel

Can you confirm it works for you if you disable apparmor for the tor running in the container?

mkdir /etc/systemd/system/tor@default.service.d/
(echo "[Service]"; echo "AppArmorProfile=") > /etc/systemd/system/tor@default.service.d/override.conf
systemctl daemon-reload

And then try to start tor,

service tor restart

comment:7 Changed 3 years ago by kibba

Yes, it works if I disable apparmor for the tor running in the container.

comment:8 Changed 3 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.???

comment:9 Changed 2 years ago by PZajda

Cc: patrick@… added

comment:10 Changed 2 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:11 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:12 Changed 2 years ago by nickm

So, if disabling apparmor made it work, what does this tell us about whether there's a bug here?

comment:13 Changed 22 months ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:14 Changed 21 months ago by nickm

Keywords: tor-client compatibility apparmor needs-diagnosis container added