Again, thank you very much for your instructions, Patrick!
Done:
https://github.com/Whonix/anon-gw-anonymizer-config/pull/9
I set User=root in /lib/systemd/system/anon-gw-anonymizer-config.service. Otherwise, I do not know how to write to /usr/local.
We should avoid any %include directory for now.
Systemd units running as root is the systemd default. I doubt any of the
units in /lib/systemd/system/ use User=root. So this can be dropped.
All merged, thanks!
Some commits on top.
WantedBy… Not easy to explain. I learned this mostly by looking at other systemd unit files.
https://www.freedesktop.org/software/systemd/man/systemd.unit.html
Could you please review my latest additions?
Hi Patrick!
For an unknown reason, the latest tor@default.service does not work as expected:
sudo rm -r /usr/local/etc
Expected behavior: systemctl restart tor@default.service will run anon-gw-anonymizer-config.service, which will guarantee /usr/local/etc/torrc.d and the two files in it.
Actually, anon-gw-anonymizer-config.service will not be run, causing Tor to fail to start due to the missing torrc files. Running systemctl restart anon-gw-anonymizer-config.service manually works fine though.
I tried to debug it by removing several additional commits but I did not figure out the reason.
Works as expected by me. It only works after boot. (And this is important because that helps our torrc.d implementation also creating the files in time for first boot and even in Qubes-Whonix.) It is to cover the Whonix specific implementation (which is not simple with Qubes vs persistence of TemplateBased VMs) so we can provide a config file for acw and user-modified-only. I think this is sufficient. (Deleting /usr/local/etc and then rebooting works as well.)
The case that the user deletes files and user restarts Tor is not covered.
- Are there other systemd unit files where once you restart them, also another systemd unit gets restarted automatically beforehand?
- Are there any other daemons that fail to start if their config file is missing?
- Are there any other daemons where missing config files in /etc (root required!) will be automagically created if missing?
- If the user starts deleting files, it’s up to the user to fix?
(We could even do the opposite. Doing this creation of files only at first boot and not again.)
Whonix 14 repository Tor package was upgraded. Just now uploaded.
user@host:~$ anon-info
INFO: version of the 'tor' package: 0.3.3.7-1~d90.stretch+1
Would %include /etc/torrc.d/*.conf work now? If so, could you make the pull request please?
I tried the latest uploaded Tor. No, it doesn’t work.
I’ve been keeping an eye on the ticket and the status is still needs_revision. Jigsaw52 has not been working on it after the review by ahf:
I will keep an eye on it and do a PR whenever the feature is ready.
Note: anon-verify also needs to be changed to simulate new parsing rule when it’s ready.
Debian likes neither:
- /etc/torrc.d/
- /usr/local/etc/torrc.d/
Source:
Apparmor profile whitelist /etc/torrc.d/ and /usr/local/etc/torrc.d/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910017
Maybe it will be /etc/tor/torrc.d/ but it’s not yet finally decided.
Since it is still not done, I am considering creating a script that runs before Tor which would move any files not ending with *.conf out of the way. It may be possible to start using a systemd drop-in ExecStartPre.
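As an added illustration of the pre-start cleanup described above (this is example code, not Whonix's torrc-d-cleaner and not from this thread): a POSIX sh function that moves every entry of a torrc.d directory whose name does not end in .conf into a sibling .disabled directory, plus a generator for the systemd drop-in that runs it via ExecStartPre before tor@default.service. The script path /usr/local/bin/torrc-d-clean and the drop-in location are assumptions.

```shell
#!/bin/sh
# Added example, not Whonix's torrc-d-cleaner. Keeps "%include DIR/" from
# picking up backup, swap or README files: anything in DIR whose name is
# not *.conf is moved to a sibling DIR.disabled directory, not deleted.

# torrc_d_clean DIR [DEST]
# Moves non-*.conf entries from DIR to DEST (default: DIR.disabled), prints
# each moved name, returns 1 if DIR is missing or a move fails.
torrc_d_clean() {
    dir=$1
    dest=${2:-"$dir.disabled"}
    [ -d "$dir" ] || return 1
    mkdir -p "$dest" || return 1
    # Second glob catches dotfiles such as editor swap files.
    for f in "$dir"/* "$dir"/.*; do
        [ -e "$f" ] || continue        # unmatched glob is left literal
        name=${f##*/}
        if [ "$name" = . ] || [ "$name" = .. ]; then continue; fi
        case "$name" in
            *.conf) if [ -f "$f" ]; then continue; fi ;;   # regular .conf file: keep
        esac
        mv -- "$f" "$dest/$name" || return 1
        printf '%s\n' "$name"
    done
    return 0
}

# torrc_d_dropin DIR: print a systemd drop-in for tor@default.service that
# runs the cleaner before Tor starts. The "+" prefix tells systemd to run
# this one command with full privileges regardless of the unit's User=,
# which a root-owned /usr/local/etc/torrc.d needs. Both paths are assumptions.
torrc_d_dropin() {
    cat <<EOF
# /etc/systemd/system/tor@default.service.d/50_torrc-d-clean.conf
[Service]
ExecStartPre=+/usr/local/bin/torrc-d-clean $1
EOF
}

# Stand-alone use: torrc-d-clean /usr/local/etc/torrc.d
if [ "$#" -gt 0 ]; then
    torrc_d_clean "$@"
fi
```

Moving rather than deleting keeps the stray files available for inspection, and the printed names make it easy to see in the journal what was set aside before a Tor start.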
Implemented in git master.
This was implemented in the testers repository. In essence:
/etc/tor/torrc:
    %include /etc/torrc.d/
/etc/torrc.d/95_whonix.conf:
    %include /usr/local/etc/torrc.d/
/usr/local/etc/torrc.d/ folder:
    40_tor_control_panel.conf
    50_user.conf
- anon-gw-anonymizer-config/usr/share/tor/tor-service-defaults-torrc.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub
- anon-gw-anonymizer-config/etc/tor/torrc.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub
- anon-gw-anonymizer-config/etc/torrc.d/95_whonix.conf at master · Whonix/anon-gw-anonymizer-config · GitHub
https://github.com/Whonix/anon-gw-anonymizer-config/commit/3a6b47c6b9c23fceb4ea4d75b78d88e9f4f8ba4b
https://github.com/Whonix/anon-gw-anonymizer-config/commit/702dc5191fbc85933b576e64105513c983f0b5e1
/etc/torrc.d/*.conf / /usr/local/etc/torrc.d/*.conf support might be causing issues.
If that is the case it can be solved by adding to the documentation to manually run torrc-d-cleaner before restarting Tor, or perhaps a usability tool which does both (run torrc-d-cleaner + restart Tor).
On top of that anon-verify has a bug and does not show all config files which makes debugging for users harder. I am working on it.
anon-verify fixes and torrc.d improvements:
anon-connection-wizard vs torrc.d fixes:
These fixes are now in the testers repository.