paradoxxxzero / butterfly

A web terminal based on websocket and tornado
http://paradoxxxzero.github.io/2014/02/28/butterfly.html

Fails with systemd #89

Open vsviridov opened 9 years ago

vsviridov commented 9 years ago

```
[E 150903 03:21:40 ioloop:612] Exception in callback (<socket object, fd=4, family=10, type=1, protocol=0>, <function null_wrapper at 0x7f5e0107ec08>)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/tornado/ioloop.py", line 866, in start
    handler_func(fd_obj, events)
  File "/usr/local/lib/python2.7/dist-packages/tornado/stack_context.py", line 275, in null_wrapper
    return fn(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", line 265, in accept_handler
    callback(connection, address)
  File "/usr/local/lib/python2.7/dist-packages/tornado/tcpserver.py", line 239, in _handle_connection
    do_handshake_on_connect=False)
  File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", line 510, in ssl_wrap_socket
    return context.wrap_socket(socket, **kwargs)
  File "/usr/lib/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 537, in __init__
    socket.__init__(self, _sock=sock._sock)
AttributeError: '_socket.socket' object has no attribute '_sock'
```

meskarune commented 8 years ago

This service file works for me. You have to turn on unsecure so it doesn't use ssl.

```
[Unit]
Description=Butterfly Terminal Server
After=syslog.target

[Service]
ExecStart=/usr/bin/butterfly.server.py --unsecure
Restart=on-abort

[Install]
WantedBy=multi-user.target
```

tomekceszke commented 8 years ago

I have exactly the same issue. I did everything according to README. It seems that butterfly.socket can't start butterfly.service... Unfortunately unsecure is not acceptable.

TWuerdemann commented 7 years ago

Same here ... Unsecure is not an option. What did I do wrong?

paradoxxxzero commented 7 years ago

Do you have https://github.com/paradoxxxzero/tornado-systemd installed? pip install tornado-systemd

TWuerdemann commented 7 years ago

Yes I have... At least PIP tells me so. But I uninstalled and reinstalled it ... now it works ...

So I guess thank you for this hint. :)

TWuerdemann commented 7 years ago

Well... there is still an issue. After a normal reboot, Butterfly was back to not really running. After reinstalling tornado-systemd it worked.

paradoxxxzero commented 7 years ago

This does not make much sense! Is this really reproducible?

TWuerdemann commented 7 years ago

The short answer is "yes". The longer one is "It's complicated".

And I'm not 100% sure if it isn't me who is the problem. It looks like I overlooked something.

Okay here is what I did:

It's totally strange and I have no idea what's going on. And like I said, there is quite a big chance that I'm making a mistake here. But I can't see it.

Btw, these are my service and socket files:

butterfly.service

```
[Unit]
Description=Butterfly Terminal Server

[Service]
ExecStart=/usr/local/bin/butterfly.server.py
```

butterfly.socket:

```
[Socket]
ListenStream=8443

[Install]
WantedBy=sockets.target
```

paradoxxxzero commented 7 years ago

I can't see either what reinstalling tornado-systemd could change. Does it work using socket only (butterfly.service stop, butterfly.socket start)? Could you try with python 3 (if you are using python 2 too)?

jwatte commented 7 years ago

I have this problem, too. Ubuntu 17.04, running on Linode (under KVM). Installed with `pip install 'butterfly[systemd]'` and downloaded the system/socket files with wget as per the README. I generated the cert files, and enabled/started the butterfly.socket. When I connect using https with Chrome, this is the error I get:

```
Sep 24 20:32:15 ln butterfly.server.py[16807]: [E 170924 20:32:15 ioloop:638] Exception in callback (<socket object, fd=
Sep 24 20:32:15 ln butterfly.server.py[16807]:     Traceback (most recent call last):
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/ioloop.py", li
Sep 24 20:32:15 ln butterfly.server.py[16807]:         handler_func(fd_obj, events)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/stack_context.
Sep 24 20:32:15 ln butterfly.server.py[16807]:         return fn(*args, **kwargs)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", l
Sep 24 20:32:15 ln butterfly.server.py[16807]:         callback(connection, address)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/tcpserver.py",
Sep 24 20:32:15 ln butterfly.server.py[16807]:         do_handshake_on_connect=False)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", l
Sep 24 20:32:15 ln butterfly.server.py[16807]:         return context.wrap_socket(socket, **kwargs)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/lib/python2.7/ssl.py", line 363, in wrap_socket
Sep 24 20:32:15 ln butterfly.server.py[16807]:         _context=self)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/lib/python2.7/ssl.py", line 569, in __init__
Sep 24 20:32:15 ln butterfly.server.py[16807]:         socket.__init__(self, _sock=sock._sock)
Sep 24 20:32:15 ln butterfly.server.py[16807]:     AttributeError: '_socket.socket' object has no attribute '_sock'
```

I have installed tornado and tornado-systemd with pip as well. Re-installing and re-starting doesn't solve anything for me.

jwatte commented 7 years ago

Another problem is that butterfly uses the "host" argument both for the name of the certificates, and the interface to bind to. Thus, if I want it to bind to 0.0.0.0, I also have to generate certificates for 0.0.0.0, which isn't right. I'll file that elsewhere.

meskarune commented 7 years ago

@jwatte Running a web based terminal on your vps is a really bad idea. You are just asking for someone to hack you.

jwatte commented 7 years ago

I'm aware of the security implications (and also how to front an insecure web service with NGINX, web security, and HTTPS.) I'm more interested in advice helping make the software actually do what it's supposed to. (The fact that the web console by default doesn't implement login might be considered a weakness, too, but one I'm prepared to work around.) Btw: Linode provides "lish" over the web for their instances, and this is not a marked source of hacks.

meskarune commented 7 years ago

@jwatte funny you should mention Linode. I used to work there :P

The lish console is a necessary evil. Without it, customers could not have out of band access to their VPS's and their customer support team would have a hell of a lot of extra work on their hands.

Linode's ajax lish console is hosted behind a login, the connection is encrypted and hopefully protected by 2 factor. (if you don't have it enabled, you should). They have put a lot of extra thought into the console because it is one of the biggest attack vectors against customer VPSs.

Even with all that though, if you don't have 2fa, it only takes someone knowing your username and password to access the lish console. If you use the lish console as root and don't log out, bam, someone can gain root access using your linode manager login credentials.

Butterfly is an interesting script, but it isn't secure enough for production use like you are talking about.

Is there a reason why you think you need to have a web console on your Linode VPS? Especially considering that a more secure one already exists?

jwatte commented 7 years ago

The host that I ultimately need a web-based console on is not on Linode but another host; I'm using linode for testing. One way to secure it is to stick another login in front -- for example, nginx with web authentication. Old school, but if I can rely on password authentication, then good enough. Of course this wouldn't be a problem if all the firewalls between points A and B on the web let port 22 through, but that's not always the case for whatever reasons that are often outside of my control. That's the whole reason scripts like these exist in the first place ...

meskarune commented 7 years ago

Password auth is not "good enough", you need encryption too as well as process segregation. shellinabox or gotty would be more secure as they are further along in development and have security recommendations.

If the only reason why you want a web console is due to ssh being on port 22, then just change the port that ssh runs on. You can set it to port 80 or 443 which isn't filtered by NAT.

The ONLY reason scripts like this exist is to give people a local terminal to use with true color and unicode OR to give people out of band access to a vps. They are not supposed to replace ssh.

vsviridov commented 7 years ago

Worked for me after I just uninstalled tornado-systemd entirely.

brtgh commented 5 years ago

On CentOS 7 the default socket and service files are not working correctly. I.e. you cannot use the stop command.

Here is a working systemd config:

```
# cat /etc/systemd/system/butterfly.service

[Unit]
Description=Butterfly Terminal Server
After=network.target butterfly.socket
Requires=butterfly.socket

[Service]
ExecStart=/usr/local/bin/butterfly.server.py --unsecure --login --i-hereby-declare-i-dont-want-any-security-whatsoever
Restart=on-abort

[Install]
WantedBy=default.target
```

```
# cat /etc/systemd/system/butterfly.socket

[Unit]
Description=Butterfly Socket
PartOf=butterfly.service

[Socket]
ListenStream=127.0.0.1:57575

[Install]
WantedBy=sockets.target
```

To enable

```
# systemctl daemon-reload
# systemctl enable butterfly.service
```

To start, get status and stop

```
# systemctl start butterfly.service
# systemctl status butterfly.service
# systemctl stop butterfly.service
```
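
A check for the configuration trade-off running through this thread, added here as an example and not part of any comment or of butterfly itself: it reads a service/socket unit pair and reports when `--unsecure` is combined with a `ListenStream` that is not bound to loopback. The function names and the sample unit strings are constructed for illustration, modelled on the files posted above.

```python
import ipaddress
import shlex

# Constructed sample units, modelled on the files posted in this thread.
SERVICE_UNSECURE = "[Service]\nExecStart=/usr/local/bin/butterfly.server.py --unsecure\n"
SERVICE_TLS = "[Service]\nExecStart=/usr/local/bin/butterfly.server.py\n"
SOCKET_ALL_IFACES = "[Socket]\nListenStream=8443\n"
SOCKET_LOOPBACK = "[Socket]\nListenStream=127.0.0.1:57575\n"


def unit_values(text, section, key):
    """Return every value of `key` in `[section]`; systemd allows repeated keys."""
    values, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip() == key:
                values.append(value.strip())
    return values


def is_local_listener(listen):
    """True for a unix socket or an explicit loopback IP; a bare port is not local."""
    if listen.startswith(("/", "@")):
        return True
    host, sep, _port = listen.rpartition(":")
    if not sep:  # bare port number: systemd listens on all interfaces
        return False
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:  # unparsable address: treat as exposed
        return False


def audit(service_text, socket_text):
    """Report listeners that would serve an unencrypted terminal off-host."""
    argv = [arg for cmd in unit_values(service_text, "Service", "ExecStart")
            for arg in shlex.split(cmd)]
    if "--unsecure" not in argv:
        return []
    return [f"plaintext terminal reachable via ListenStream={listen}"
            for listen in unit_values(socket_text, "Socket", "ListenStream")
            if not is_local_listener(listen)]
```

Calling `audit(SERVICE_UNSECURE, SOCKET_ALL_IFACES)` returns one finding, while the loopback socket from the last comment returns none.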