Control port connection issue when running multiple instances
m0tmd opened this issue · 4 comments
Can't connect to the other control ports with nyx when running multiple instances:
podman run -it -p 8118:8118 -p 9050:9050 -p 9051:9051 -d dperson/torproxy -p "test"
podman run -it -p 9150:9150 -p 9151:9151 -v /some/torrc:/etc/tor/torrc:ro -d dperson/torproxy -p "test"
Torrc config of the second instance:
ControlSocket /etc/tor/run/control
ControlSocketsGroupWritable 1
ControlPort 9151
CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /etc/tor/run/control.authcookie
DataDirectory /var/lib/tor
RunAsDaemon 0
User tor
AutomapHostsOnResolve 1
ExitPolicy reject :
VirtualAddrNetworkIPv4 10.192.0.0/10
DNSPort 5353
SocksPort 0.0.0.0:9150 IsolateDestAddr
TransPort 0.0.0.0:9040
Socks proxy 9050 & 9150 work well
nyx -i 9051 # works
nyx -i 9151 # returns --> Unable to authenticate: socket connection failed (Received empty socket content.)
I managed to install nyx inside the running containers with Python, which avoids exposing the control port:
podman exec -it container_id bash
bash-5.0# apk add --update py3-setuptools
bash-5.0# pip3 install --upgrade pip
bash-5.0# pip install nyx
bash-5.0# nyx
Have to create a user to avoid the root warning when using nyx.
So it sounds like you've found a solution?
Still don't understand why, in the first case, control port 9151 isn't reachable.
The solution I've found requires installing Python into the container, which isn't recommended either.
Any clue for avoiding the Python install? I'm not familiar enough with Alpine to build nyx from source.
Thanks for the help!
Well looking at the open TCP ports in the container:
$ sudo docker exec -it tor netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9040 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8118 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9050 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9051 0.0.0.0:* LISTEN
And the configuration of the ports:
$ sudo docker exec -it tor grep -i port /etc/tor/torrc
ControlPort 9051
DNSPort 5353
SocksPort 0.0.0.0:9050 IsolateDestAddr
TransPort 0.0.0.0:9040
I can see that it's not configured to listen to remote management requests. Which is a security concern when people can remotely manage your security device. But feel free to change it if you wish.
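
An added example, not part of the original thread or of the dperson/torproxy project: a small Python check that reads a torrc like the ones quoted above and reports, for each ControlPort line, whether Tor listens on loopback only or on another address, and whether control authentication is configured. The function names and the sample input are constructed for illustration.

```python
import ipaddress

# Constructed sample: control-related lines from the second instance's torrc above.
SAMPLE_TORRC = """\
ControlSocket /etc/tor/run/control
ControlPort 9151
CookieAuthentication 1
CookieAuthFile /etc/tor/run/control.authcookie
"""

def parse_torrc(text):
    """Return (lowercased option, value) pairs, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            pairs.append((fields[0].lower(), fields[1].strip()))
    return pairs

def control_bind(value):
    """Classify a ControlPort value: disabled, unix, loopback or exposed."""
    target = value.split()[0]              # ignore trailing flags
    if target == "0":
        return "disabled"
    if target.startswith("unix:"):
        return "unix"
    host, sep, _port = target.rpartition(":")
    if not sep:                            # bare port or "auto": Tor binds 127.0.0.1
        return "loopback"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:                     # hostname: treat conservatively
        return "exposed"
    return "loopback" if addr.is_loopback else "exposed"

def audit_torrc(text):
    """Return [(ControlPort value, bind class, auth configured)] for a torrc."""
    pairs = parse_torrc(text)
    authed = any((k == "cookieauthentication" and v == "1")
                 or k == "hashedcontrolpassword" for k, v in pairs)
    return [(v, control_bind(v), authed) for k, v in pairs if k == "controlport"]

if __name__ == "__main__":
    for value, bind, authed in audit_torrc(SAMPLE_TORRC):
        note = "" if bind != "exposed" or authed else "  <-- reachable without auth"
        print(f"ControlPort {value}: {bind}, auth={'yes' if authed else 'no'}{note}")
```

Running it against a torrc before publishing the control port shows whether a change such as binding to 0.0.0.0 would leave the port open without cookie or password authentication.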