Tor not starting cleanly on boot - tor

I'm running Debian 10 with bitcoind configured as a systemd service that accesses the tor service via localhost. Every reboot the bitcoind error log is filled with the following, and tor services seem to be stuck in a non-working state.
2020-11-18T03:38:30Z connect() to 127.0.0.1:9050 failed after select(): Connection refused (111)
2020-11-18T03:38:30Z connect() to 127.0.0.1:9050 failed after select(): Connection refused (111)
2020-11-18T03:38:31Z connect() to 127.0.0.1:9050 failed after select(): Connection refused (111)
2020-11-18T03:38:31Z connect() to 127.0.0.1:9050 failed after select(): Connection refused (111)
Upon startup systemctl status tor returns the following, indicating tor started successfully
tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2020-11-17 19:54:04 PST; 4min 19s ago
Process: 413 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 413 (code=exited, status=0/SUCCESS)
Nov 17 19:54:04 cryptoDaemon systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Nov 17 19:54:04 cryptoDaemon systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
However tail -f /var/log/tor/notices.log indicates tor hasn't started. There are no entries after the reboot.
If I restart tor.service with sudo systemctl restart tor the error immediately disappears and bitcoind starts to function over tor correctly. This indicates to me that the tor service itself is not starting properly after reboot.
After restarting the service /var/log/notices.log gets new entries:
Nov 17 20:02:22.000 [notice] Tor 0.3.5.10 opening log file.
Nov 17 20:02:22.875 [notice] We compiled with OpenSSL 1010104f: OpenSSL 1.1.1d 10 Sep 2019 and we are running with OpenSSL 1010107f: OpenSSL 1.1.1g 21 Apr 2020. These two versions should be binary compatible.
Nov 17 20:02:22.877 [notice] Tor 0.3.5.10 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Nov 17 20:02:22.877 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Nov 17 20:02:22.877 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Nov 17 20:02:22.877 [notice] Read configuration file "/etc/tor/torrc".
Nov 17 20:02:22.881 [notice] You configured a non-loopback address '10.1.10.20:9050' for SocksPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Nov 17 20:02:22.881 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 17 20:02:22.881 [notice] Opened Socks listener on 127.0.0.1:9050
Nov 17 20:02:22.881 [notice] Opening Control listener on 127.0.0.1:9051
Nov 17 20:02:22.881 [notice] Opened Control listener on 127.0.0.1:9051
Nov 17 20:02:22.881 [warn] Unable to make /var/lib/tor group-readable: Permission denied
Nov 17 20:02:22.881 [warn] Unable to make /var/lib/tor group-readable: Permission denied
Nov 17 20:02:22.000 [notice] Not disabling debugger attaching for unprivileged users.
Nov 17 20:02:22.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Nov 17 20:02:23.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Nov 17 20:02:23.000 [notice] Bootstrapped 0%: Starting
Nov 17 20:02:23.000 [notice] Starting with guard context "default"
Nov 17 20:02:23.000 [notice] Signaled readiness to systemd
Nov 17 20:02:24.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Nov 17 20:02:24.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Nov 17 20:02:24.000 [notice] Opening Control listener on /run/tor/control
Nov 17 20:02:24.000 [notice] Opened Control listener on /run/tor/control
Nov 17 20:02:24.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Nov 17 20:02:25.000 [notice] Bootstrapped 100%: Done
Further investigation reveals that tor is not starting at boot. /var/log/tor/debug.log is empty after reboot. I can even run systemctl start tor and it starts. systemctl start tor won't mess with a service that is already started, so for some reason systemd isn't starting tor, despite it being enabled. Just for fun I disabled with systemctl disable tor and re-enabled, but to no avail.
Any ideas why tor doesn't start?

I also use this server as a Tor SOCKS proxy on the LAN using SOCKSPORT IP.OF.SERVER:9050 in torrc. Disabling this and the associated SOCKSPolicy accept IP.OF.SERVER/24 fixed the issue. If anybody has any insight as to why tor behaves this way and doesn't log why, it'd be appreciated.

I fixed it by overriding the systemd configuration for the tor service, since I need the Tor proxy to listen on an actual network interface.
/etc/systemd/system/tor@default.service.d/override.conf
[Unit]
After=network.target nss-lookup.target network-online.target
Wants=network-online.target
An easy way to create the file is systemctl edit tor@default.service
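
A check for the failure mode in this thread, as an added example (not code from the original posts): it reads a torrc and the tor@default.service drop-in and reports a LAN-facing SocksPort that is not ordered after network-online.target or that has no reject rule in its SocksPolicy. The function name audit_tor_boot and the FAIL/INFO output format are assumptions.

```shell
# Added example, not from the original posts. audit_tor_boot is a
# hypothetical helper. Usage:
#   audit_tor_boot /etc/tor/torrc \
#       /etc/systemd/system/tor@default.service.d/override.conf
# Prints INFO/FAIL lines; exit status 0 means no FAIL line was printed.
audit_tor_boot() (
    set -f                      # addresses like [::1]:9050 must not glob
    torrc=$1 dropin=$2 findings=0
    flag() { echo "FAIL: $1"; findings=$((findings + 1)); }

    # Address argument of each active SocksPort line. Option names are
    # case-insensitive; commented-out lines never match.
    lan=""
    for a in $(awk 'tolower($1) == "socksport" { print $2 }' "$torrc"); do
        case $a in
            127.*|localhost:*|"[::1]":*|unix:*|auto) ;;  # loopback, socket, auto
            *[!0-9]*) lan="$lan $a" ;;                   # explicit non-loopback host
        esac                                             # bare port: localhost only
    done

    if [ -n "$lan" ]; then
        for a in $lan; do
            echo "INFO: SocksPort listens on non-loopback address $a"
        done

        # The LAN address may not be configured yet at boot unless the unit
        # waits for network-online.target, as the override above does.
        grep -Eq '^After=.*network-online\.target' "$dropin" 2>/dev/null ||
            flag "drop-in lacks After=network-online.target"
        grep -Eq '^Wants=.*network-online\.target' "$dropin" 2>/dev/null ||
            flag "drop-in lacks Wants=network-online.target"

        # Tor accepts any client that no SocksPolicy entry matches, so an
        # accept-only policy does not limit who can use the proxy.
        grep -Eiq '^[[:space:]]*SocksPolicy[[:space:]]+reject' "$torrc" ||
            flag "no SocksPolicy reject rule for the LAN-facing listener"
    fi
    [ "$findings" -eq 0 ]
)
```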

Related

NGINX error after 'sudo systemctl status nginx' - Failed with result 'exit-code'

After trying to add new domains to my Ubuntu 20.04 cloud server with nginx and pm2, I created a server block in
'/etc/nginx/sites-available/mydomain.ar'
and did the same thing into
'/etc/nginx/sites-enabled/mydomain.ar'
The next step was to link both files with
ln -s /etc/nginx/sites-available/cloud.ktsoftware.ar /etc/nginx/sites-enabled/cloud.ktsoftware.ar
I got an error that the files already existed:
ln: failed to create symbolic link '/etc/nginx/sites-enabled/mydomain.ar': File exists
As a consequence I forced the link with
sudo ln -sf /etc/nginx/sites-available/cloud.ktsoftware.ar /etc/nginx/sites-enabled/cloud.ktsoftware.ar
Everything appeared OK, with no error response after that. Then I ran
sudo systemctl status nginx
and got this error:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2022-07-10 13:47:17 -03; 17min ago
Docs: man:nginx(8)
Process: 1287489 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
below first error paragraph
Jul 10 13:47:17 vps-2421400-x systemd[1]: nginx.service: Succeeded.
Jul 10 13:47:17 vps-2421400-x systemd[1]: Stopped A high performance web server and a reverse proxy server.
Jul 10 13:47:17 vps-2421400-x systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 10 13:47:17 vps-2421400-x nginx[1287489]: nginx: [emerg] open() "/etc/nginx/sites-enabled/mydomain.conf" failed (2: No such file or directory) in /etc/n>
Jul 10 13:47:17 vps-2421400-x nginx[1287489]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 10 13:47:17 vps-2421400-x systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 10 13:47:17 vps-2421400-x systemd[1]: nginx.service: Failed with result 'exit-code'.
Jul 10 13:47:17 vps-2421400-x systemd[1]: Failed to start A high performance web server and a reverse proxy server.
and it crashed everything, I think.
What is the best way to link the domains server blocks?
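
nginx -t reports open() ... failed (2: No such file or directory) when an entry in sites-enabled is a symlink whose target does not exist. The following is an added example, not part of the original post: one function audits sites-enabled for dangling links and hand-made copies, the other creates a link without the overwrite that ln -sf performs. Both function names are assumptions, and the available directory should be given as an absolute path.

```shell
# Added example, not from the original post. Both function names are
# hypothetical; directories are arguments so this can run on a test copy.
# Usage: audit_sites_enabled /etc/nginx/sites-enabled

# Report entries that nginx's include cannot open or that make a plain
# `ln -s` fail with "File exists". Exit status 0 means every entry is a
# symlink with an existing target.
audit_sites_enabled() (
    bad=0
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "dangling symlink: $f -> $(readlink "$f")"
            bad=$((bad + 1))
        elif [ -e "$f" ] && [ ! -L "$f" ]; then
            echo "regular file instead of a link: $f"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
)

# link_site AVAILABLE_DIR ENABLED_DIR NAME
# Link only when the server block exists, and refuse to replace a regular
# file in sites-enabled, which `ln -sf` would silently delete.
link_site() (
    src=$1/$3 dst=$2/$3
    [ -f "$src" ] || { echo "no such server block: $src" >&2; exit 1; }
    if [ -e "$dst" ] && [ ! -L "$dst" ]; then
        echo "$dst is a regular file; review and remove it first" >&2
        exit 1
    fi
    ln -sfn "$src" "$dst"
)
```

After linking, run nginx -t and reload the service only if the test passes.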

Nginx error that I can't understand at all

When I try to start nginx or apt reload, I get this error:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2022-05-17 04:46:59 UTC; 8ms ago
Docs: man:nginx(8)
Process: 119844 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
May 17 04:46:59 instance-20211219-2046 systemd[1]: Starting A high performance web server and a reverse proxy server...
May 17 04:46:59 instance-20211219-2046 nginx[119844]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/bitwarden.joscodes.xyz/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
May 17 04:46:59 instance-20211219-2046 nginx[119844]: nginx: configuration file /etc/nginx/nginx.conf test failed
May 17 04:46:59 instance-20211219-2046 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
May 17 04:46:59 instance-20211219-2046 systemd[1]: nginx.service: Failed with result 'exit-code'.
May 17 04:46:59 instance-20211219-2046 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
When I do certbot certificates it tells me I have no certs installed, and I have no idea how to resolve this issue.
System Information:
Linux instance-20211219-2046 5.13.0-1021-oracle #26~20.04.1-Ubuntu SMP Mon Mar 7 14:30:17 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
I resolved this by completely reloading and wiping NGINX, then regenerating the certs after removing them from the cert bot config :3

Apache2: Failed to set up mount namespacing: Permission denied

I have VPS server with Debian 10. I want to start Apache2 with option PrivateTmp=true.
But on start it failed with error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied.
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.
I checked the permissions for tmp:
root@5091-server:~# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
root@5091-server:~# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp
Any idea which permissions are wrong?
This can work...
sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
sudo systemctl daemon-reload
sudo systemctl start apache2.service
sudo systemctl status apache2.service
This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.
Edit apache config (the clean way):
sudo systemctl edit apache2.service
Add this to disable the new systemd security features (this affects LXC containers like the ones inside Proxmox)
[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
Maybe only necessary:
ProtectHome=false
ProtectSystem=false
Then
sudo systemctl start apache2.service
sudo systemctl status apache2.service # Just to check the output
I saw this on apache2 and memcached. Also with systemd-logind. In this last case ssh connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mentioned here and here, the problem is solved by enabling nesting (also here) on the Proxmox containers.
Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.
Related
Nested containers in LXD | Ubuntu
Roadmap - Proxmox VE 7.1 The real fix is to upgrade host?
Failed to reset devices.list...Operation not permitted · Issue #2004 · lxc/lxd
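
What the overrides in this thread actually give up, as an added example (not code from the original posts): the function compares a vendor unit with a drop-in and prints only the sandboxing directives that were enabled and are now disabled, so lines in the override that change nothing stand out. The function name sandbox_regressions is an assumption; for apache2.service the page confirms only PrivateTmp=true in the vendor unit.

```shell
# Added example, not from the original posts. sandbox_regressions is a
# hypothetical helper. Usage:
#   sandbox_regressions /lib/systemd/system/apache2.service \
#       /etc/systemd/system/apache2.service.d/override.conf
# Prints "Directive: old -> new" for each Private*/Protect*/NoNewPrivileges
# setting in [Service] that the vendor unit enabled and the drop-in disables.
sandbox_regressions() (
    awk -F= '
        # A directive counts as enabled unless it is unset or a false value.
        function on(v) {
            v = tolower(v)
            return !(v == "" || v == "false" || v == "no" || v == "off" || v == "0")
        }
        { gsub(/[ \t]+/, "") }                      # tolerate "Key = value"
        /^\[/ { svc = ($0 == "[Service]"); next }   # track the current section
        !svc || $1 !~ /^(Private|Protect|NoNewPrivileges)/ { next }
        FNR == NR { base[$1] = $2; next }           # first file: vendor unit
        on(base[$1]) && !on($2) { print $1 ": " base[$1] " -> " $2 }
    ' "$1" "$2"
)
```

Any directive it prints is protection the service no longer has; on an unprivileged container, enabling nesting as the last answer suggests keeps those settings in place.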

Apache2 fails to start Putty AWS Windows

I am trying to start a Django project on an AWS EC2 Linux server using PuTTY on Windows; however, Apache2 is showing an error related to the fact that the address is already in use, as shown in the next code:
apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2020-07-25 19:51:59 UTC; 2min 7s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 15022 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Jul 25 19:51:59 ip-172-31-4-25 apachectl[15022]: AH00558: apache2: Could not reliably determine
the server's fully qualified domain name, using 127.0.0.1. Set the 'Serv
Jul 25 19:51:59 ip-172-31-4-25 apachectl[15022]: (98)Address already in use: AH00072: make_sock:
could not bind to address [::]:80
Jul 25 19:51:59 ip-172-31-4-25 apachectl[15022]: (98)Address already in use: AH00072: make_sock:
could not bind to address 0.0.0.0:80
Jul 25 19:51:59 ip-172-31-4-25 apachectl[15022]: no listening sockets available, shutting down
Jul 25 19:51:59 ip-172-31-4-25 apachectl[15022]: AH00015: Unable to open logs
Jul 25 19:51:59 ip-172-31-4-25 apachectl[15022]: Action 'start' failed.
Jul 25 19:51:59 ip-172-31-4-25 apachectl[15022]: The Apache error log may have more information.
Jul 25 19:51:59 ip-172-31-4-25 systemd[1]: apache2.service: Control process exited, code=exited,
status=1/FAILURE
Jul 25 19:51:59 ip-172-31-4-25 systemd[1]: apache2.service: Failed with result 'exit-code'.
Jul 25 19:51:59 ip-172-31-4-25 systemd[1]: Failed to start The Apache HTTP Server.
I already tried to verify the status of the network using the next code, but the failure is still the same.
systemctl status apache2.service
I also tried to verify the service listening ports using the next code, and the output was:
bitnami@ip-172-31-4-25:~$ sudo netstat -ntlp | grep 80
tcp6 0 0 :::80 :::* LISTEN 15122/httpd
I would appreciate any recommendation on it.
Check Skype; if it's running, close it first and then start the Apache service.
Skype also uses port 80.

haproxy error on restarting

HAProxy error on restarting. This is the error I have:
# systemctl status haproxy
● haproxy.service - SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments.
Loaded: loaded (/etc/rc.d/init.d/haproxy; bad; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2017-11-03 03:34:04 EDT; 16s ago
Docs: man:systemd-sysv-generator(8)
Process: 6170 ExecStart=/etc/rc.d/init.d/haproxy start (code=exited, status=1/FAILURE)
Nov 03 03:34:04 server systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments....
Nov 03 03:34:04 server haproxy[6170]: /etc/rc.d/init.d/haproxy: line 26: [: =: unary operator expected
Nov 03 03:34:04 server haproxy[6170]: Starting haproxy: [WARNING] 306/033404 (6178) : config : frontend 'GLOBAL' has no 'bind' directive. Please declare it... intended.
Nov 03 03:34:04 server haproxy[6170]: [ALERT] 306/033404 (6178) : Starting frontend http_front: cannot bind socket [0.0.0.0:80]
Nov 03 03:34:04 server haproxy[6170]: [FAILED]
Nov 03 03:34:04 server systemd[1]: haproxy.service: control process exited, code=exited status=1
Nov 03 03:34:04 server systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments..
Nov 03 03:34:04 server systemd[1]: Unit haproxy.service entered failed state.
Nov 03 03:34:04 server systemd[1]: haproxy.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
My configuration file:
haproxy.cfg
Since you are using systemd, you should use systemd unit file instead of the init.d script.
I don't know how you installed haproxy, but you can find haproxy.service in the haproxy source directory (contrib/systemd); copy it to the systemd folder and use it.
cp contrib/systemd_haproxy.service /lib/systemd/system/
systemctl daemon-reload
systemctl enable haproxy
systemctl start haproxy
systemctl status haproxy
