StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

Tor fails to start, apparmor policy omission #778

Closed spluess closed 7 years ago

spluess commented 7 years ago

Started from scratch today with a fresh git pull and Amazon as the provider. Everything seems to be going fine until tor-bridge:

TASK [tor-bridge : Copy the fixed AppArmor abstraction into place] *************
changed: [35.182.166.2]

TASK [tor-bridge : Restart AppArmor so the abstraction takes effect] ***********
changed: [35.182.166.2]

TASK [tor-bridge : Restart Tor so the server fingerprint will be available in the state file, and the hidden service for the Gateway will start running] ***
changed: [35.182.166.2]

TASK [tor-bridge : Wait until obfs4proxy information has shown up in its state file] ***
fatal: [35.182.166.2]: FAILED! => {"changed": false, "elapsed": 300, "failed": true, "msg": "Timeout when waiting for search string node-id in /var/lib/tor/pt_state/obfs4_state.json"}

RUNNING HANDLER [rsyslog : Restart rsyslog] ************************************

RUNNING HANDLER [openconnect : Restart ocserv] *********************************

RUNNING HANDLER [l2tp-ipsec : Restart Libreswan] *******************************

RUNNING HANDLER [l2tp-ipsec : Restart xl2tpd] **********************************

RUNNING HANDLER [dnsmasq : Restart dnsmasq] ************************************

RUNNING HANDLER [openvpn : Restart OpenVPN] ************************************

RUNNING HANDLER [stunnel : Restart stunnel] ************************************

RUNNING HANDLER [ssh : Restart SSH] ********************************************

RUNNING HANDLER [tinyproxy : Restart Tinyproxy] ********************************
    to retry, use: --limit @/home/serge/repos/streisand/playbooks/amazon.retry

PLAY RECAP *********************************************************************
35.182.166.2               : ok=183  changed=172  unreachable=0    failed=1  
localhost                  : ok=17   changed=8    unreachable=0    failed=0   

Thus never getting to the generated-docs folder. Retried 3 times so far.

This did work successfully on this same host in April. Ubuntu 16.04 with all latest updates installed.

ansible 2.3.1.0
  config file = /home/serge/repos/streisand/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]
ajmurmann commented 7 years ago

Same problem here. It would also be super awesome if there was easy way to disable certain components. I don't need Tor. I just want a proxy in Europe. But now I can't have that because of the completely unrelated Tor issue.

Having tagged known-good SHAs would also mitigate issues like this, since one could just fall back to them.

DeepAQ commented 7 years ago

Same problem. I am deploying on an Azure VM running Ubuntu 16.04 LTS. The Tor service exits after it is started.

azure@Ubuntu:~$ sudo service tor status
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
   Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sun 2017-07-02 18:20:13 UTC; 1min 45s ago
  Process: 17034 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 17034 (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/tor.service
ajmurmann commented 7 years ago

Not sure if this is a Streisand or EC2 issue. I went back to eb3bcd9 and get the same timeout.

TASK [tor-bridge : Wait until obfs4proxy information has shown up in its state file] *************************************************************************
fatal: [52.58.213.147]: FAILED! => {"changed": false, "elapsed": 300, "failed": true, "msg": "Timeout when waiting for search string node-id in /var/lib/tor/pt_state/obfs4_state.json"}
amizzo87 commented 7 years ago

Same problem, across multiple hosts and configuration settings.

cpu commented 7 years ago

Same problem here. It would also be super awesome if there was easy way to disable certain components. I don't need Tor. I just want a proxy in Europe. But now I can't have that because of the completely unrelated Tor issue.

@ajmurmann Follow https://github.com/jlund/streisand/issues/746 for this.

cpu commented 7 years ago

The Tor service exits after it is started.

It would be useful to get the output from journalctl --no-pager -a -u tor

I'm personally unable to look at this until tomorrow at the earliest. Pull requests & more information welcome in the meantime :-)

amizzo87 commented 7 years ago

@cpu Here ya go:

 root@ewr-vpn:~# journalctl --no-pager -a -u tor
 -- Logs begin at Sun 2017-07-02 20:38:31 UTC, end at Mon 2017-07-03 00:04:37 UTC. --
 Jul 02 20:47:38 [fqdn] systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
 Jul 02 20:47:38 [fqdn] systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
 Jul 02 20:47:50 [fqdn] systemd[1]: Stopped Anonymizing overlay network for TCP (multi-instance-master).
 Jul 02 20:47:50 [fqdn] systemd[1]: Stopping Anonymizing overlay network for TCP (multi-instance-master)...
 Jul 02 20:47:50 [fqdn] systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
 Jul 02 20:47:50 [fqdn] systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
cpu commented 7 years ago

@amizzo87 Thanks, evidently the tor service isn't a heavy user of journald. For future spelunkers the meaty bits are in /var/log/tor/log.

I've reproduced this locally - working on a fix.
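Triage helper for the failure described in this thread, added here as an example; it is not part of the Streisand project or of any commenter's post. It assumes the Debian/Ubuntu Tor AppArmor profile is named system_tor and runs against constructed sample files; on a real host the inputs would be /var/lib/tor/pt_state/obfs4_state.json, /var/log/tor/log and the kernel audit log.

```shell
#!/usr/bin/env bash
# Added triage helper for the failure in this thread. The Ansible task only sees
# the symptom (no "node-id" in obfs4_state.json after 300 s); the cause lives in
# /var/log/tor/log and, for an AppArmor omission, in the kernel audit log.
# Paths are parameters so the checks can be run against constructed samples.

# 0 if obfs4proxy has written its node-id to the state file, 1 otherwise.
obfs4_state_ready() {
  [ -r "$1" ] && grep -q '"node-id"' "$1"
}

# Print AppArmor DENIED records attributed to the tor profile (assumed name
# system_tor, as shipped by Debian/Ubuntu); returns 0 if any were found.
tor_apparmor_denials() {
  grep -E 'apparmor="DENIED".*profile="system_tor"' "$1"
}

# Combine both checks. Exit codes: 0 = bridge state ready,
# 1 = not ready and AppArmor denials present, 2 = not ready, cause elsewhere.
diagnose_tor_bridge() {
  state_file="$1"; kern_log="$2"; tor_log="$3"
  if obfs4_state_ready "$state_file"; then
    echo "obfs4 state file ready: $(grep -o '"node-id":"[^"]*"' "$state_file")"
    return 0
  fi
  echo "obfs4 state file not ready; last tor warnings:"
  grep '\[warn\]' "$tor_log" | tail -n 3
  if tor_apparmor_denials "$kern_log"; then
    echo "-> AppArmor is blocking tor; check the abstraction/profile"
    return 1
  fi
  return 2
}

# Constructed sample inputs (not from the issue): one healthy, one broken host.
SAMPLE_DIR="$(mktemp -d)"
printf '{"node-id":"%s"}\n' "0123456789abcdef0123456789abcdef01234567" > "$SAMPLE_DIR/ok_state.json"
: > "$SAMPLE_DIR/bad_state.json"
cat > "$SAMPLE_DIR/kern.log" <<'EOF'
Jul 02 20:47:50 host kernel: audit: type=1400 audit(1499028470.123:45): apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/bin/obfs4proxy" pid=17100 comm="tor" requested_mask="x" denied_mask="x"
Jul 02 20:47:50 host kernel: audit: type=1400 audit(1499028470.124:46): apparmor="ALLOWED" operation="open" profile="system_tor" name="/var/lib/tor/state" pid=17100 comm="tor"
EOF
cat > "$SAMPLE_DIR/tor.log" <<'EOF'
Jul 02 20:47:50.000 [notice] Tor 0.2.9 opening log file.
Jul 02 20:47:50.000 [warn] Managed proxy at '/usr/bin/obfs4proxy' failed to start.
EOF
: > "$SAMPLE_DIR/empty.log"

diagnose_tor_bridge "$SAMPLE_DIR/ok_state.json" "$SAMPLE_DIR/kern.log" "$SAMPLE_DIR/tor.log"
diagnose_tor_bridge "$SAMPLE_DIR/bad_state.json" "$SAMPLE_DIR/kern.log" "$SAMPLE_DIR/tor.log" || echo "exit $?"
```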

cpu commented 7 years ago

That ended up being slightly involved. I have a fix out for review in https://github.com/jlund/streisand/issues/779

I've updated the issue title to reflect the illness rather than the symptom.

amizzo87 commented 7 years ago

@cpu Awesome, thanks! I tested your branch and works perfectly for me.

cpu commented 7 years ago

779 was merged to master. Everyone affected should be able to pull the newest changes from git master & be good to go. Thanks again for the report!