Debian – Running tor on lxc-based virtual infrastructure

Tags: debian, debian-squeeze, lxc, tor

I tried to set up a tor relay node on my server running Debian squeeze with Linux containers for better maintainability. Installing from the main repository and from the tor repository failed. In debug.log there is only one error message:

Sep 20 21:24:12.402 [notice] Tor 0.2.2.39 (git-2f7e71c2e896772f) opening log file.
Sep 20 21:24:12.402 [info] tor_lockfile_lock(): Locking "/var/lib/tor/lock"
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 128.31.0.39:9131 (9695)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 15 dirserver at 86.59.21.38:80 (847B)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 6 dirserver at 194.109.206.212:80 (7EA6)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 16 dirserver at 82.94.251.203:80 (4A0C)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 76.73.17.194:9030 (F397)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 212.112.245.170:80 (F204)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 193.23.244.244:80 (7BE6)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 208.83.223.34:443 (0AD3)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 171.25.193.9:443 (BD6A)
Sep 20 21:24:12.402 [info] or_state_load(): Loaded state from "/var/lib/tor/state"
Sep 20 21:24:12.402 [info] circuit_build_times_parse_state(): Adding 0 timeouts.
Sep 20 21:24:12.402 [info] circuit_build_times_parse_state(): Loaded 0/0 values from 0 lines in circuit time histogram
Sep 20 21:24:12.402 [info] read_file_to_str(): Could not open "/var/lib/tor/router-stability": No such file or directory
Sep 20 21:24:12.402 [err] /dev/null can't be opened. Exiting.

I have full access to /dev/null in the container, for example

dd if=/home of=/dev/null

works properly.

The config of the lxc container is set with these options:

lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/tor/rootfs
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# mounts point
lxc.mount.entry=proc /var/lib/lxc/tor/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=devpts /var/lib/lxc/tor/rootfs/dev/pts devpts defaults 0 0
lxc.mount.entry=sysfs /var/lib/lxc/tor/rootfs/sys sysfs defaults  0 0
# network
lxc.utsname = tor
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.ipv4 = 172.24.18.14

So, does anybody have an idea what's wrong there?

Best Answer

Ok, I got it... the permissions inside the LXC are different from the host's permissions.

While the host has 0666 on /dev/null, the container has read-only access. It is a bit strange because the lxc config file has something like

lxc.cgroup.devices.allow = c 1:3 rwm

for /dev/null.

Thank you Michael
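The answer above boils down to a mismatch between what the cgroup device rules allow (c 1:3 rwm) and what the device node inside the container's rootfs actually is. The cgroup rule only gates access once the node exists with the right major/minor and mode; it does not create the node or fix its permissions, and a `dd ... of=/dev/null` test only proves writability, not that a process can open the node read-write as tor does. The following shell script is an added example, not from the question or the answer: it audits the character devices that the question's allow list covers inside a rootfs, checking existence, device type, major:minor numbers (via GNU stat) and read/write permission for the calling user. The rootfs path is an assumption; run it on the host against /var/lib/lxc/tor/rootfs, or inside the container against /.

```shell
#!/bin/sh
# Added example (not the original poster's code). Audits the device nodes that
# the question's lxc.cgroup.devices.allow lines cover against a rootfs.
# Usage: audit_rootfs /var/lib/lxc/tor/rootfs   (path is an assumption)

# name:major:minor pairs matching the allow list in the question's config
EXPECTED_DEVS="null:1:3 zero:1:5 random:1:8 urandom:1:9 tty:5:0 console:5:1 ptmx:5:2"

# check_dev_node PATH MAJOR MINOR
# Returns 0 when PATH is a character device with the expected major:minor that
# the caller can open for reading and writing. Otherwise prints the reason and
# returns: 1 missing, 2 not a char device, 3 wrong numbers, 4 bad permissions.
check_dev_node() {
    path=$1; want_major=$2; want_minor=$3
    if [ ! -e "$path" ]; then
        echo "$path: missing (create it with: mknod -m 666 $path c $want_major $want_minor)"
        return 1
    fi
    if [ ! -c "$path" ]; then
        # A regular file here is the classic symptom of a rootfs built without mknod
        echo "$path: not a character device"
        return 2
    fi
    # GNU stat prints major/minor in hex with %t/%T; convert to decimal
    have=$(stat -c '%t %T' "$path")
    have_major=$((0x${have%% *})); have_minor=$((0x${have##* }))
    if [ "$have_major" -ne "$want_major" ] || [ "$have_minor" -ne "$want_minor" ]; then
        echo "$path: is $have_major:$have_minor, expected $want_major:$want_minor"
        return 3
    fi
    # tor opens /dev/null read-write, so test both directions, not just writing
    if [ ! -r "$path" ] || [ ! -w "$path" ]; then
        echo "$path: mode $(stat -c '%a' "$path") is not rw for uid $(id -u)"
        return 4
    fi
    return 0
}

# audit_rootfs ROOT
# Checks every expected node under ROOT/dev and returns the number of failures.
audit_rootfs() {
    root=${1%/}; failures=0
    for entry in $EXPECTED_DEVS; do
        name=${entry%%:*}; rest=${entry#*:}
        maj=${rest%%:*}; min=${rest#*:}
        if check_dev_node "$root/dev/$name" "$maj" "$min"; then
            echo "$root/dev/$name: ok ($maj:$min)"
        else
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

Run it on the host before starting the container; a non-zero exit count lists exactly which nodes the cgroup allow rules cannot help with because the node itself is missing, is a plain file, or carries the wrong mode.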
