PurpleI2P / i2pd

🛡 I2P: End-to-End encrypted and anonymous Internet
https://i2pd.website
BSD 3-Clause "New" or "Revised" License

i2pd.service: Can't open PID file /run/i2pd/i2pd.pid (yet?) after start: Operation not permitted #1933

Open slrslr opened 1 year ago

slrslr commented 1 year ago

Hello,

I have installed I2Pd on Debian 11 like this in a root terminal: apt-get install apt-transport-https gpg && wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s - && apt update && wget -q -O - https://repo.i2pd.xyz/r4sas.gpg | sudo apt-key add - && apt install i2pd

also as root: "systemctl status i2pd" shows:

systemd[1]: Starting I2P Router written in C++...
systemd[1]: i2pd.service: Can't open PID file /run/i2pd/i2pd.pid (yet?) after start: Operation not permitted
systemd[1]: Started I2P Router written in C++.

Any idea what to try to get rid of that "operation not permitted"? It is confusing that it appears under root.

stat /run/i2pd/i2pd.pid

  File: /run/i2pd/i2pd.pid
  Size: 6               Blocks: 8          IO Block: 4096   regular file
Device: 17h/23d Inode: 1105        Links: 1
Access: (0600/-rw-------)  Uid: (  105/    i2pd)   Gid: (  111/    i2pd)
Access: 2023-05-21 20:13:39.376000000 +0100
Modify: 2023-05-21 20:13:39.368000000 +0100
Change: 2023-05-21 20:13:39.368000000 +0100
 Birth: -

lsof -p $(pidof i2pd)

COMMAND   PID USER   FD      TYPE DEVICE SIZE/OFF     NODE NAME
i2pd    14859 i2pd  cwd       DIR    8,3      257 51386435 /var/lib/i2pd
i2pd    14859 i2pd  rtd       DIR    8,3      325      128 /
i2pd    14859 i2pd  txt       REG    8,3  4172296  2119027 /usr/sbin/i2pd
...

Operating System: Debian GNU/Linux 11 (bullseye) Kernel: Linux 5.10.0-20-amd64 Architecture: x86-64

i2pd --version

i2pd version 2.47.0 (0.9.58) Boost version 1.74.0 OpenSSL 1.1.1n 15 Mar 2022

r4sas commented 1 year ago

Do you have apparmor activated?

slrslr commented 1 year ago

Do you have apparmor activated?

# aa-status

apparmor module is loaded.

# aa-status --verbose

apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   system_tor
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/bin/tor (18673) system_tor
   /usr/bin/obfs4proxy (18674) system_tor
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

# journalctl -rg apparmor|grep -E "den|fail"

May 21 21:34:56 abc kernel: audit: type=1400 audit(1684701296.592:6): apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=18674 comm="obfs4proxy" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
May 21 21:34:56 abc audit[18674]: AVC apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=18674 comm="obfs4proxy" requested_mask="r" denied_mask="r" fsuid=106 ouid=0

# cat /etc/apparmor.d/usr.sbin.i2pd

# Basic profile for i2pd
# Should work without modifications with Ubuntu/Debian packages
# Author: Darknet Villain <supervillain@riseup.net>
#
#include <tunables/global>

profile i2pd /{usr/,}sbin/i2pd {
  #include <abstractions/base>
  #include <abstractions/openssl>
  #include <abstractions/nameservice>

  # path specific (feel free to modify if you have another paths)
  /etc/i2pd/** r,
  /var/lib/i2pd/** rw,
  /var/log/i2pd/i2pd.log w,
  /{var/,}run/i2pd/i2pd.pid rwk,
  /{usr/,}sbin/i2pd mr,
  @{system_share_dirs}/i2pd/** r,

  # user homedir (if started not by init.d or systemd)
  owner @{HOME}/.i2pd/   rw,
  owner @{HOME}/.i2pd/** rwk,

  #include if exists <local/usr.sbin.i2pd>
}

If apparmor is the cause, can you do something on your side to prevent this issue? Is there any command I can run so this issue is fixed? (Ideally one where, for security reasons, I do not need to disable apparmor entirely.)

r4sas commented 1 year ago

Looks like there is no enabled profile for i2pd, so there can be another problem. Anyway, it can be disabled for sure like this:

sudo ln -s /etc/apparmor.d/usr.sbin.i2pd /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.i2pd

r4sas commented 1 year ago

btw, check who is owner of /run/i2pd and i2pd.pid in it.

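The three checks suggested in this thread (is an i2pd AppArmor profile loaded and in which mode, are there AppArmor denials for it, and who owns the PID file with what permissions) can be scripted. The following helper is an added example, not part of i2pd or its packaging; it assumes GNU stat, a profile named i2pd, and a service user i2pd (the values seen in the outputs above). The aa-status and journal text it parses by default is constructed sample input modelled on the pasted outputs, not captured from a live host.

```shell
#!/bin/sh
# Added diagnostic helper for the PID-file / AppArmor question in this issue.
# Not i2pd project code. Assumes GNU coreutils stat; profile and user names are taken from the thread.
set -e

# aa_profile_mode PROFILE  (aa-status output on stdin)
# Prints "enforce", "complain" or "absent" depending on which section of aa-status lists PROFILE.
aa_profile_mode() {
    awk -v p="$1" '
        /profiles are in enforce mode/    { mode = "enforce"; next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { mode = "" }          # process list follows; stop matching
        mode != "" && $1 == p             { print mode; found = 1; exit }
        END                               { if (!found) print "absent" }
    '
}

# aa_denials_for PROFILE  (journal/audit text on stdin)
# Prints the number of AppArmor DENIED records attributed to PROFILE (0 when there are none).
aa_denials_for() {
    grep -c "apparmor=\"DENIED\".*profile=\"$1\"" || true
}

# pidfile_verdict OWNER MODE EXPECTED_OWNER
# Pure check used by pidfile_check: the PID file must belong to the service user
# and must not be group- or world-writable (otherwise another account could point
# systemd at an arbitrary PID). Prints "ok" or a reason; returns 1 on a problem.
pidfile_verdict() {
    owner=$1; mode=$2; expected=$3
    if [ "$owner" != "$expected" ]; then
        echo "wrong owner: $owner (expected $expected)"
        return 1
    fi
    # Octal mode: the last two digits are group and other; a set write bit (2) is 2, 3, 6 or 7.
    case "$mode" in
        *[2367][0-7]|*[0-7][2367]) echo "group/world writable: $mode"; return 1 ;;
    esac
    echo "ok"
}

# pidfile_check PATH EXPECTED_OWNER  -- live variant, e.g. pidfile_check /run/i2pd/i2pd.pid i2pd
pidfile_check() {
    pidfile_verdict "$(stat -c '%U' "$1")" "$(stat -c '%a' "$1")" "$2"
}

# Constructed sample inputs (shaped like the outputs pasted in the issue; not real captures).
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   i2pd
   lsb_release
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/i2pd (584) i2pd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

SAMPLE_JOURNAL='audit[584]: AVC apparmor="DENIED" operation="open" profile="i2pd" name="/run/i2pd/i2pd.pid" pid=584 comm="i2pd" requested_mask="w" denied_mask="w" fsuid=105 ouid=105
audit[615]: AVC apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=615 comm="obfs4proxy" requested_mask="r" denied_mask="r" fsuid=106 ouid=0'

main() {
    printf 'i2pd profile mode (sample):     %s\n' "$(printf '%s\n' "$SAMPLE_AA_STATUS" | aa_profile_mode i2pd)"
    printf 'i2pd denials (sample journal):  %s\n' "$(printf '%s\n' "$SAMPLE_JOURNAL" | aa_denials_for i2pd)"
    printf 'verdict for 0600, owner i2pd:   %s\n' "$(pidfile_verdict i2pd 600 i2pd)"
    # On a live Debian host, replace the sample feeds with:
    #   aa-status | aa_profile_mode i2pd
    #   journalctl -k --no-pager | aa_denials_for i2pd
    #   pidfile_check /run/i2pd/i2pd.pid i2pd
}
main
```

The profile parser keys off the section headers of aa-status rather than on the raw "i2pd" string, so a process-list entry such as "/usr/sbin/i2pd (584) i2pd" does not get mistaken for a loaded profile; "absent" then matches the first VPS in this thread (no i2pd profile at all) and "enforce" the second one. The PID-file check reports on ownership and on stray write bits separately so the two failure modes are not confused.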
slrslr commented 1 year ago

The owner is i2pd. I am now on a different VPS with the same OS release, only with a higher kernel: Linux 5.10.0-20-amd64 -> 5.10.0-23-amd64. I2Pd should be installed the same way with the same configuration as before; now, unlike on the previous system/kernel, aa-status shows i2pd:

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   i2pd
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
   system_tor
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /usr/sbin/i2pd (584) i2pd
   /usr/bin/tor (611) system_tor
   /usr/bin/obfs4proxy (615) system_tor
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

journalctl -rg apparmor|grep i2p

kernel: audit: type=1400 audit(1686561884.728:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="i2pd" pid=361 comm="apparmor_parser"
audit[361]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="i2pd" pid=361 comm="apparmor_parser"

And the "i2pd.service: Can't open PID file /run/i2pd/i2pd.pid (yet?) after start: Operation not permitted" message, for which I opened this issue, no longer happens.