New relay minor issues, notices.log, curl

New relay : 6AD7A3E682FE74BDFE34AC0F0D17714480BA773B

is running okay, but I messed about with ownership of the /var/log/tor/notices.log file and now it’s not receiving logs at all. What should the result of ls -l notices.log be by default? Permissions and ownership?
And should I uncomment the log notifications? Doesn’t it receive logs by default, too?

Also, on an old relay I could get info with curl http://127.0.0.1:9035/metrics (as I recall) but on this instance I get

curl: (7) Failed to connect to 127.0.0.1 port 9035 after 0 ms: Could not connect to server

(tried port 9050, too, with the same result)

Should I put something into the torrc file to sort that?

Thanks for any advice.

The solutions, if this is of any interest to anyone, are:

The relay makes a new /var/log/notices.log file itself (daily? regularly) so you don’t need to do anything.

and:

curl -s localhost:9052/metrics

works if you have:

MetricsPort 127.0.0.1:9052
MetricsPortPolicy accept 127.0.0.1
MetricsPortPolicy accept [::1]

in your torrc file. (Thanks @toralf)

and

curl http://127.0.0.1:9035/metrics

works if you have:

MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1

in your torrc file.

From:

http://rzuwtpc4wb3xdzrj3yeajsvm3fkq4vbeubm2tdxaqruzzzgs5dwemlad.onion/relays/performance/overloaded/#metricsport


Can you share your torrc file? Or at least the lines related to the logs and the metrics port?

What should […] notices.log be by default? permissions and ownership?

By default if you don’t specify the log file, all logs go into the system log. If you specify a log file, then all you need is to make sure that the user that is running tor (e.g. for Debian it’s debian-tor) can read & write to the file.
You can check if the tor service user has access by running sudo -u debian-tor test -w /var/log/tor/notices.log && echo OK || echo NOT OK (replace debian-tor if it’s different on your OS).

1 Like

I don’t run relays but my guess would be the same permission and ownership as the /var/log/tor/ folder, minus execution and other special permissions. Specifics depend on how your distro maintainers package Tor.

This is a metrics port, it can be enabled with MetricsPort 9035 (default on 127.0.0.1) in torrc but is not required. You can expose the port to a Prometheus server if used with MetricsPortPolicy; consult the Tor manual page.
Note that exposing this port to the public internet can endanger Tor users.

1 Like

Thanks @Princess-Daisy and @Lind,

Here’s everything relevant that’s uncommented in my torrc file atm:

Log notice file /var/log/tor/notices.log

MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1

I was using:

MetricsPort 127.0.0.1:9052
MetricsPortPolicy accept 127.0.0.1
MetricsPortPolicy accept [::1]

which worked just fine. But changed it to the above as that’s the advice from the link in the OP.
So that MetricsPort being via 127.0.0.1 - the loopback address - should not be accessible from public internet, right? And it didn’t work without enabling the current:

MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1

in the torrc file.

Having looked at the relevant parts of the manual I’m wary of this but I have a firewall only letting in the ORPort port number, 443 and ssh, default reject all others. No one else has access to this server. So the metrics are only accessible when logged into the vps running the relay via ssh (very strong passphrase).

I could comment out that:

MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1

and thus close that access when not using it (as per advice in the link in the OP) but then I’d have to pkill -sighup tor the process which I’d rather not do too often ‘cos … interrupting users.

If I would be better off with a different set up please let me know. This works but I’d be grateful for any advice.

Thanks, too, for the advice re. /var/log/tor/notices.log files. The relay process has added a new notices.log file with whatever permissions and ownership it chose, namely:

-rw-r----- 1 debian-tor

and running @Princess-Daisy’s test command returns OK (it is on Debian).

Yes it would be fine if it’s just listening on localhost/127.0.0.1/[::1] . No other computer on the network would have access to that. (Unless you’re running untrusted code on that server.)

Also, if you already have MetricsPort 127.0.0.1:9052 there, I think you can already access the metrics with curl http://127.0.0.1:9052/metrics, it’s just on a different port.

1 Like
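
Added example, not part of the thread and not Tor project code: a small Python check that reads torrc text and reports any MetricsPort listener or MetricsPortPolicy accept rule that reaches beyond loopback, which is the exposure the replies above warn about. The function names and both sample configs are constructed for illustration; a bare port is treated as 127.0.0.1 as stated in the thread, and policy targets written with a port suffix are reported for manual review rather than parsed.

```python
import ipaddress

def is_loopback(target):
    """True for 'localhost' or an address/network wholly inside loopback space."""
    target = target.replace("[", "").replace("]", "")
    if target.lower() == "localhost":
        return True
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False  # "*", hostnames, host:port forms: report for review
    loop = ipaddress.ip_network("127.0.0.0/8" if net.version == 4 else "::1/128")
    return net.subnet_of(loop)

def audit_metrics(torrc_text):
    """Return (line_number, message) for each metrics setting that reaches beyond loopback."""
    findings = []
    for n, raw in enumerate(torrc_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) < 2:
            continue
        key = parts[0].lower()  # option names compared case-insensitively
        if key == "metricsport":
            # Bare port: the thread says the listener defaults to 127.0.0.1.
            host = parts[1].rsplit(":", 1)[0] if ":" in parts[1] else "127.0.0.1"
            if not is_loopback(host):
                findings.append((n, "MetricsPort listens on " + host))
        elif key == "metricsportpolicy":
            # One line may carry several comma-separated rules.
            for rule in " ".join(parts[1:]).split(","):
                tok = rule.split()
                if len(tok) == 2 and tok[0].lower() == "accept" and not is_loopback(tok[1]):
                    findings.append((n, "MetricsPortPolicy accepts " + tok[1]))
    return findings

# Constructed inputs: the torrc lines quoted in the thread, and an exposed
# variant that uses documentation addresses (192.0.2.0/24).
THREAD_TORRC = """\
Log notice file /var/log/tor/notices.log
MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1
MetricsPortPolicy accept [::1]
"""
EXPOSED_TORRC = """\
MetricsPort 0.0.0.0:9035   # all interfaces
MetricsPortPolicy accept 127.0.0.1
MetricsPortPolicy accept 192.0.2.0/24, accept [::1]
"""

if __name__ == "__main__":
    for name, text in (("thread", THREAD_TORRC), ("exposed", EXPOSED_TORRC)):
        print(name, audit_metrics(text))
```

A non-loopback accept rule can be intentional when a Prometheus server scrapes the relay, so the output is a list of settings to confirm rather than a list of errors.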