Tor fails to start, apparmor policy error operation="change_onexec" info="label not found" #782
Comments
@NanoG6 What is the output from |
git rev-parse HEAD |
@NanoG6 Very strange. I thought we had squashed this bug w/ that commit. Can you share the output from:
(As an aside: It's late in my time-zone, I'll have to pick this issue up again tomorrow, I'm signing off shortly) |
Hi @cpu thanks for your prompt reply. Yes I thought this issue has been solved by latest commit, but still no luck. root@LSW:~/streisand# ps aux | grep tor root@LSW:~/streisand# journalctl -b --no-pager | grep -i tor | tail -n50 |
@NanoG6 It does seem to be another apparmor related problem:
One thing to try in the short term is putting app armor into warn mode for tor:
Thanks for your patience! Talk more soon. |
@cpu yes putting app armor into warn mode solved the issue. |
Hi @NanoG6, Ok! I'm glad that workaround was helpful to you. That certainly confirms that there are remaining AppArmor issues to sort out. When I can find the time I will see about provisioning a small LeaseWeb server to try and reproduce the problem on my own so that I can iterate on a solution. Was there anything "special" about your particular instance? Do you think a "S" virtual instance with 16.04 would be an approximate match to your affected server? Thanks! |
Yes that is my server package, the one with 1 core, 1 gb ram, 40 gb storage, and 4 tb bandwidth. The only different is mine using SAN instead of SSD (not sure wether it is SAN SSD or HDD), and a lot cheaper because it was promotional offer :) |
@NanoG6 Great - thanks! I'm going to update this issue title to reflect the app armor problem and will hopefully have a fix in the next few days. |
Linking this as another related issue to #778 |
I tried to sign up for a LeaseWeb account. Unfortunately they require some kind of manual telephone verification process for initial account creation that I find uncomfortable. Worse, they don't mention this requirement ahead of time & have already charged me $7 for an order that is "on hold" pending phone verification. Pretty un-enthused about that user experience :'( At this point I'll have to reproduce the problem elsewhere & if I can't I'll have to close this issue as a peculiarity of an unsupported provider. |
Yeah they did manual verification to me too.. In that case I believe that $7 would be refunded to you? |
@NanoG6 That's ok - I'll try this on a few providers and see what I can come up with. I will probably ask you to test a few things on your leaseweb instance if that's OK but I won't need access myself. |
Sure! Just tell me what to do. Glad to help |
@NanoG6 Can you share the output of |
Additionally, do you happen to know what virtualization technology LeaseWeb uses? Are they KVM or LXC based? |
root@LSW:~# hostnamectl status Bochs? Haven't heard that |
Ah just got a reply from support, it is based on CloudStack |
I'm totally unfamiliar with CloudStack, but I'm beginning to suspect that the apparmor error you are seeing matches this bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143 that stems from a bug related to stacking apparmor profiles with containers. I'm not sure which kernel update "solved" the problem based on that Ubuntu bug report, perhaps Can you also share the output of:
and
|
|
@NanoG6 Thanks. At this point my best theory is that this is related to the CloudStack environment and your Linux kernel version. I haven't been able to replicate this on any of the supported providers or any of the additional VPS providers I have access to that I test local/remote provisioning with. I'm going to close this issue for now since you have a viable workaround through disabling apparmor. If another user on a different provider runs into this problem we can reopen and dig more but until then I think I have to cut my losses here. Apologies! I really wanted to solve this mystery for good! |
I have the same problem on Linux Mint 18.2 running on my laptop, no CloudStack involved.
The workaround with aa-complain worked but happy to help with debugging the root cause. |
@mludvig What is the target OS / provider of the Streisand run? Can you share |
Linux koumak 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux Actually .. I'm not using Streisand, just a |
@mludvig If you aren't using Streisand this won't be the right place to report that bug :-) |
Steps to Reproduce:
Additional Details:
Log output from Ansible or other relevant services (link to Gist for longer output):
TASK [tor-bridge : Wait until obfs4proxy information has shown up in its state file]
fatal: [localhost]: FAILED! => {"changed": false, "elapsed": 300, "failed": true, "msg": "Timeout when waiting for search string node-id in /var/lib/tor/pt_state/obfs4_state.json"}
RUNNING HANDLER [rsyslog : Restart rsyslog]
RUNNING HANDLER [openconnect : Restart ocserv]
RUNNING HANDLER [l2tp-ipsec : Restart Libreswan]
RUNNING HANDLER [l2tp-ipsec : Restart xl2tpd]
RUNNING HANDLER [dnsmasq : Restart dnsmasq]
RUNNING HANDLER [openvpn : Restart OpenVPN]
RUNNING HANDLER [stunnel : Restart stunnel]
RUNNING HANDLER [ssh : Restart SSH]
RUNNING HANDLER [tinyproxy : Restart Tinyproxy]
to retry, use: --limit @/root/streisand/playbooks/localhost.retry
PLAY RECAP
localhost : ok=190 changed=174 unreachable=0 failed=1
Target Cloud Provider: LeaseWeb
Operating System of target host: Ubuntu 16.04 64bit
Operating System of client: Localhost
Version of Ansible, using
ansible --version
: ansible 2.3.1.0config file = /root/streisand/ansible.cfg
configured module search path = Default w/o overrides
python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]
The text was updated successfully, but these errors were encountered: