Running tor on an lxc-based virtual infrastructure

To improve maintainability, I tried to set up a tor relay on a server running debian squeeze, using linux containers. Installing from the main repository and from the tor repository both fail. In debug.log there is only one error message:

Sep 20 21:24:12.402 [notice] Tor 0.2.2.39 (git-2f7e71c2e896772f) opening log file.
Sep 20 21:24:12.402 [info] tor_lockfile_lock(): Locking "/var/lib/tor/lock"
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 128.31.0.39:9131 (9695)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 15 dirserver at 86.59.21.38:80 (847B)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 6 dirserver at 194.109.206.212:80 (7EA6)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 16 dirserver at 82.94.251.203:80 (4A0C)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 76.73.17.194:9030 (F397)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 212.112.245.170:80 (F204)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 193.23.244.244:80 (7BE6)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 208.83.223.34:443 (0AD3)
Sep 20 21:24:12.402 [debug] parse_dir_server_line(): Trusted 4 dirserver at 171.25.193.9:443 (BD6A)
Sep 20 21:24:12.402 [info] or_state_load(): Loaded state from "/var/lib/tor/state"
Sep 20 21:24:12.402 [info] circuit_build_times_parse_state(): Adding 0 timeouts.
Sep 20 21:24:12.402 [info] circuit_build_times_parse_state(): Loaded 0/0 values from 0 lines in circuit time histogram
Sep 20 21:24:12.402 [info] read_file_to_str(): Could not open "/var/lib/tor/router-stability": No such file or directory
Sep 20 21:24:12.402 [err] /dev/null can't be opened. Exiting.

For instance, I have full access to /dev/null in the container:

dd if=/home of=/dev/null

works fine.

The lxc container is configured with the options

lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/tor/rootfs
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# mounts point
lxc.mount.entry=proc /var/lib/lxc/tor/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=devpts /var/lib/lxc/tor/rootfs/dev/pts devpts defaults 0 0
lxc.mount.entry=sysfs /var/lib/lxc/tor/rootfs/sys sysfs defaults  0 0
# network
lxc.utsname = tor
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.ipv4 = 172.24.18.14

So, does anyone know what is going wrong there?

Answer 1

OK, I got it... permissions inside LXC are different from the host's.

While the host has 0666 on /dev/null, the container only has read-only access. This is a bit strange, since the lxc configuration file contains something like

lxc.cgroup.devices.allow = c 1:3 rwm

for /dev/null.

Thanks Michael
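The answer hinges on two separate gates: the cgroup `devices.allow` whitelist decides whether the kernel lets the container touch character device 1:3 at all, while the mode bits on the `/dev/null` node inside the container rootfs are checked independently. The following check, added here and not part of the question or answer, verifies a node the way tor's daemonizing open would (existence, device type, major:minor, mode, then an actual open for write); it assumes GNU coreutils `stat -c` and can be pointed at a container rootfs from the host.

```shell
#!/bin/sh
# check_devnull: verify that a /dev/null-style node is the right character
# device (major 1, minor 3), has mode 0666, and can actually be opened for
# writing by the caller. Prints a diagnosis; returns 0 on success, a distinct
# non-zero code per failure. The path is a parameter so the check can be run
# inside the container or from the host against the container rootfs
# (e.g. /var/lib/lxc/tor/rootfs/dev/null, an assumed path for illustration).
check_devnull() {
    node="${1:-/dev/null}"
    if [ ! -e "$node" ]; then
        echo "$node: missing; recreate with: mknod -m 666 $node c 1 3" >&2
        return 1
    fi
    if [ ! -c "$node" ]; then
        # A regular file here silently swallows nothing and fills the rootfs.
        echo "$node: not a character device" >&2
        return 2
    fi
    # GNU stat: %t:%T = major:minor in hex, %a = permission bits in octal.
    majmin=$(stat -c '%t:%T' "$node")
    mode=$(stat -c '%a' "$node")
    if [ "$majmin" != "1:3" ]; then
        echo "$node: device numbers $majmin, expected 1:3" >&2
        return 3
    fi
    if [ "$mode" != "666" ]; then
        # This is the symptom from the answer: node present, but read-only.
        echo "$node: mode $mode, expected 666 (fix: chmod 666 $node)" >&2
        return 4
    fi
    # Mode bits look right; now do what tor does when it daemonizes and
    # redirects stdio: open the node for writing. A failure here with correct
    # mode bits points at the cgroup whitelist (lxc.cgroup.devices.allow).
    if ! : >"$node" 2>/dev/null; then
        echo "$node: open for write refused despite mode 666" >&2
        return 5
    fi
    echo "$node: ok (char 1:3, mode 666, writable)"
    return 0
}
```

Run `check_devnull` inside the container as the same user tor runs as, since the mode check is only meaningful for that user.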
