This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

azure troubles #4

Closed
psifertex opened this issue Jul 25, 2014 · 15 comments

@psifertex

Was trying a manual setup of a streisand instance on azure, but unfortunately, it looks like obfsproxy port changes and needs to be added manually, but this hangs the setup process? Or maybe that step takes a long time.

Additionally, the correct external IP address (which is specified manually in my inventory) isn't used for some of the service configurations, but rather, the internal IP address of the azure node is, which isn't helpful since it won't be routable.

@psifertex
Author

I'm planning on trying to work through these if I get a chance, but figured I'd at least file the bug here so I can either propose a patch or comment on my fixes. Only downside is I've been avoiding using the azure cli since it looked obnoxious but will probably have to if this is to get solved the right way.

@jlund
Member

jlund commented Jul 25, 2014

Obfsproxy does choose random ports for both the obfs3 and ScrambleSuit pluggable transports. It shouldn't hang the setup process though, but I haven't tried running this on Azure yet.

Amazon AWS had the same issue with external/internal IP address discovery, and the server name on AWS was also not being set correctly. If you look in playbooks/roles/common/tasks/set-default-variables.yml you can see the logic that fixes this. All of the 'genesis' roles have tasks that set things appropriately before the common role gets hit and these conditionals are evaluated. The fix for Azure would likely be similar.

Azure and Google Compute Engine are next on my list of platforms to support. Ansible has modules for them, and I don't think it would take too long. I really appreciate you documenting what you have found so far. It is very helpful.

@psifertex
Author

For what it's worth, the install really does time out and die when the obfsproxy fails to start up properly (due to the aforementioned random port and azure):

failed: [hostname.cloudapp.net] => (item=obfs3) => {"elapsed": 300, "failed": true, "item": "obfs3"}
msg: Timeout when waiting for search string obfs3 in /var/lib/tor/state

I've just added a manual pause so I can fix it up by hand to see if that fixes it.

Also, I should note that so far, my changes involved:

  1. root -> azureuser (as well as adding sudo: yes)
  2. editing defaults to the set-default-variables as you described above. For now, I'm just putting in my azure hostname and IP address in by hand.

Running it again while trying to see why it wasn't connecting and I don't know what's not working. I've added all listening ports to the endpoint connection list on the azure interface, but it still times out. Interestingly, this time I get the same error message as above, but it continues on and tries REMOTE_MODULE wait_for path=/var/lib/tor/state search_regex=scramblesuit which I don't remember it trying before.

@psifertex
Author

Ok, I've worked through the azure command-line setup (and stumbled across an annoying bug in the process) and have the following setup notes:

Azure Command-Line Setup

npm install azure-cli --global
npm install azure --global

azure account download
azure account import path-to-credentials.publishsettings

Addendum 1: This bug: https://github.com/Azure/azure-sdk-tools-xplat/issues/1293 means the above scripts don’t work right now depending on what version of the command-line tools you have. D’oh! Not sure how to best work around that? Suggest people git clone the Azure repo directly, maybe? I dunno, I’ve just patched the fix in by hand myself. (The latest version fixes these related bugs)

Streisand Steps

//First generate a random hostname (azure instances get a hostname.cloudapp.net domain), username, and password.
//Maybe prompt the user for the zone they prefer? Or you can query to see if they have existing zones and use those? Not sure how it's handled in the EC2 playbook, probably easiest to replicate that.

// It's probably best to make a fresh ssh keypair for the newly created image and add the pubkey into the .ssh/config or just manually specify it. Again, I'd just go with whatever you do for EC2. Here's the conversion line though if needed (and once their bug below is fixed):
// openssl rsa -in ~/.ssh/id_rsa -outform pem > ~/.ssh/azure.pem

//The following doesn't work, waiting for https://github.com/Azure/azure-sdk-tools-xplat/issues/1284 to be fixed.
// azure vm create -l "East US" -z extrasmall --no-ssh-password --ssh-cert ~/.ssh/azure.pem -n $hostname $hostname b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-14_04-LTS-amd64-server-20140724-en-us-30GB $username

azure vm create -l "East US" -z extrasmall -n $hostname $hostname b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-12_04-LTS-amd64-server-20140724-en-us-30GB $username $password

//Note that extra small is a bit anemic and you will likely get some performance boost (and cost increase) out of using a small instance instead. 
//If you want to run 14.04 (which has bugs and won't work), just change the text of the image name in the above command.

//wait until "azure vm list" shows that machine with Status “ReadyRole”
// Sample output: 
// data:    Name     Status              Location  DNS Name              IP Address
// data:    -------  ------------------  --------  --------------------  -------------
// data:    streisn  RoleStateUnknown    East US   streisn.cloudapp.net  100.10.10.10
//
//Note that the IP address is not publicly routable, I’m querying the name servers (dig +short a $hostname.cloudapp.net @prd1.azuredns-cloud.net) to find it out, but there might be a way to do it directly

Firewall adjustment

azure vm endpoint create-multiple $hostname 636:636,8888:8888,443:443,8443:8443,16001:16001,1701:1701:UDP,$obfs3port:$obfs3port
//needs to be adjusted for the actual ports, can just steal from the ec2 setup, I'm sure.

Addendum 1: The VM commands sometimes fail, so it’d be good to have a retry count so that if they fail they are re-run a certain number of times.
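
Added example (not part of the original comment or of Streisand): one way to fill in the `$obfs3port` placeholder and to get the retry count suggested above. It assumes Tor records each server transport in its state file as a `TransportProxy <name> <addr>:<port>` line; the function names and the sample state file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Streisand.
# Assumption: Tor writes one "TransportProxy <name> <addr>:<port>" line per
# running server transport into its state file.

# retry MAX CMD...: run CMD until it succeeds, at most MAX times.
retry() {
    local max="$1" attempt=1
    shift
    until "$@"; do
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up after $attempt attempts: $*" >&2
            return 1
        fi
        attempt=$((attempt + 1))
        sleep "${RETRY_DELAY:-5}"
    done
}

# transport_port NAME STATE_FILE: print the listening port Tor recorded for
# pluggable transport NAME; exit non-zero if there is no valid entry.
transport_port() {
    awk -v name="$1" '
        $1 == "TransportProxy" && $2 == name {
            n = split($3, part, ":")          # port follows the last colon
            port = part[n] + 0
            if (part[n] ~ /^[0-9]+$/ && port >= 1 && port <= 65535) {
                print port; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# endpoint_spec STATE_FILE NAME...: build the "port:port,port:port" argument
# for the transports named, refusing to emit a partial list.
endpoint_spec() {
    local state="$1" spec="" name port
    shift
    for name in "$@"; do
        port=$(transport_port "$name" "$state") || {
            echo "no port recorded for $name in $state" >&2
            return 1
        }
        spec="${spec:+$spec,}$port:$port"
    done
    printf '%s\n' "$spec"
}

# Constructed sample standing in for /var/lib/tor/state.
SAMPLE_STATE=$(mktemp)
trap 'rm -f "$SAMPLE_STATE"' EXIT
cat > "$SAMPLE_STATE" <<'EOF'
# constructed sample, not real Tor output
TransportProxy obfs3 0.0.0.0:40172
TransportProxy scramblesuit 0.0.0.0:51338
EOF

endpoint_spec "$SAMPLE_STATE" obfs3 scramblesuit
```

On a real host the output for `/var/lib/tor/state` would be appended to the endpoint list given to the `azure vm endpoint create-multiple` command above, with that command wrapped in `retry`. Because `endpoint_spec` fails when a transport has no entry, a missing port stops the run instead of opening the wrong endpoint.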

@psifertex
Author

So this is still failing for me now that I've had more time to play with it. Same error as before:

failed: [191.238.11.40] => (item=obfs3) => {"elapsed": 300, "failed": true, "item": "obfs3"}
msg: Timeout when waiting for search string obfs3 in /var/lib/tor/state

and:

failed: [191.238.11.40] => (item=scramblesuit) => {"elapsed": 300, "failed": true, "item": "scramblesuit"}
msg: Timeout when waiting for search string scramblesuit in /var/lib/tor/state

FATAL: all hosts have already failed -- aborting

@jlund
Member

jlund commented Jul 31, 2014

Thanks again for your help with this.

Are you using Ubuntu 14.04 instead of Debian 7 by any chance?

@psifertex
Author

Yup! Unfortunately, Azure doesn't have any Debian images.

@jlund
Member

jlund commented Jul 31, 2014

Do they have any other Ubuntu images? There are known issues with Tor and 14.04 when pluggable transports are being used, which is why the port information never shows up in the state file.

On July 31, 2014 1:52:32 AM MDT, psifertex wrote:

> Yup! Unfortunately, Azure doesn't have any Debian images.


@psifertex
Author

Sure, easy enough to try a 14.10 alpha, or go older. Any suggestion as to which is preferable?

(Updated to add): I fixed the first bug by following the advice from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739279 which lets obfs3 run (actually, the first time around I just shut down apparmor entirely), but it still hung on scramblesuit, so I got past that by cheating and simply running: echo "scramblesuit" >> /var/log/tor/state as root. The port will be wrong, but it at least got me my first almost working streisand system and I'm not as concerned about not running scramblesuit initially.

Found one other minor bug which is that ansible complains about the ansible_system variable, not sure what might be causing that, this is something on my OS X host I assume, though it looks like it should be able to handle Darwin just fine as a result, this looks more like a version problem with ansible itself? Not sure, but I followed the install instructions pretty carefully for my native box.

fatal: [168.62.176.220] => error while evaluating conditional: hostvars['127.0.0.1']['ansible_system'] == "Linux"

@jlund
Member

jlund commented Jul 31, 2014

I would try 12.04 if they have it. 'Precise' is still getting security updates and will be for another few years. It could be a good alternative base to have tested for providers that don't offer Debian 7.

That conditional is looking for the OS value from the system running the playbook, yeah. This is collected by Ansible during the "Gathering Facts" phase. What version of OS X are you on? I am considering removing those tasks. They happen after everything has been completely set up, and they seem to be error prone. All they do is open the HTML instructions at the end which is cool but might not be worth the error messages for some users.

On July 31, 2014 8:39:16 AM MDT, psifertex wrote:

> Sure, easy enough to try a 14.10 alpha, or go older. Any suggestion as to which is preferable?
>
> I got past the bug by cheating and simply running: echo "scramblesuit" >> /var/log/tor/state as root. The port will be wrong, but it at least got me my first almost working streisand system. ;-)
>
> Found one other minor bug which is that ansible complains about the ansible_system variable, not sure what might be causing that, this is something on my OS X host I assume, though it looks like it should be able to handle Darwin just fine as a result, this looks more like a version problem with ansible itself? Not sure, but I followed the install instructions pretty carefully for my native box.
>
> fatal: [168.62.176.220] => error while evaluating conditional: hostvars['127.0.0.1']['ansible_system'] == "Linux"


@psifertex
Author

So I (sorta) got it working by disabling apparmor which got past the obfs3 error, but then had to manually echo into the state the scramblesuit plugin. Way, way too ugly.

Ok, so on to 12.04. I'll update the instructions in #4 (comment) with the filename of a 12.04 image, and update this comment in a few minutes when I've tested it out.

@psifertex
Author

Also, running the latest OS X Mavericks (10.9.4).

I don't really know much about ansible yet to be able to troubleshoot that system variable, looks like the bug is entirely within ansible or something it's doing as far as I can tell.

@joaocc
Contributor

joaocc commented Jun 5, 2016

Hi.
I started working on Azure support here (joaocc@95fba56).
It may take a few days, and all help is welcomed.
J

@blotzu
Contributor

blotzu commented Apr 11, 2017

Hi guys, I finished the Azure implementation here: (#598)

@jlund
Member

jlund commented Apr 15, 2017

Azure support was just merged into the master branch. Thanks to @blotzu and @joaocc for making it happen!

@jlund jlund closed this as completed Apr 15, 2017
alimakki added a commit to alimakki/streisand that referenced this issue Apr 29, 2017