Q: Is being a maker connecting to a remote tor daemon supported?

[theborakompanioni]

Experiencing a problem related to Tor when running a maker on regtest.

Scenario: 3 instances of joinmarket, 2 acting as maker or taker, 1 directory node.

The directory node is built with --with-local-tor and connects to Tor locally. The 2 instances (call them A and B; acting as maker or taker) connect to a remote Tor daemon. They have tor_control_host and tor_control_port set and do not use irc, connecting only to the directory node.

The remote Tor daemon has a HashedControlPassword value and CookieAuthentication enabled (as far as I understand, one of those has to be provided, otherwise Tor's control port will be closed).

Difference between A and B instance is solely that B has access to the remote Tor's /home/tor/.tor directory - whereas A has not!

With A being a taker and B being the maker, a collaborative transaction can be successfully initiated from A.
Whereas if A is starting a maker, following exception occurs on A:

'/api/v1/wallet/funded.jmdat/maker/start'
<_io.BytesIO object at 0x7f3701fcdc20>
[(b'Sec-Fetch-Site', [b'same-origin']), (b'Sec-Fetch-Mode', [b'cors']), (b'Sec-Fetch-Dest', [b'empty']), (b'Connection', [b'close']), (b'DNT', [b'1']), (b'Content-Length', [b'85']), (b'Origin', [b'http://localhost:3000']), (b'Content-Type', [b'text/plain;charset=UTF-8']), (b'X-Jm-Authorization', [b'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ3YWxsZXQiOiJmdW5kZWQuam1kYXQiLCJleHAiOjE2NTcyMzU4OTN9.79baOUnvAFlFmTOJC4XYt8XTn4Exb3pMEn_Ea6Kh8aQ']), (b'Referer', [b'http://localhost:3000/earn']), (b'Accept-Encoding', [b'gzip, deflate, br']), (b'Accept-Language', [b'en-US,en;q=0.5']), (b'Accept', [b'*/*']), (b'User-Agent', [b'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0']), (b'Host', [b'localhost:28183']), (b'Authorization', [b'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ3YWxsZXQiOiJmdW5kZWQuam1kYXQiLCJleHAiOjE2NTcyMzU4OTN9.79baOUnvAFlFmTOJC4XYt8XTn4Exb3pMEn_Ea6Kh8aQ'])]
2022-07-06 03:04:16,833 [INFO]  JoinMarket 0.9.7dev
2022-07-06 03:04:16,836 [DEBUG]  connection was made, starting client.
2022-07-06 03:04:16,838 [INFO]  Attempting to start onion service on port: 5222 ...
2022-07-06 03:04:16,864 [ERROR]  Setup failed: [Failure instance: Traceback: <class 'RuntimeError'>: Failed to read COOKIEFILE '/home/tor/.tor/control_auth_cookie': [Errno 2] No such file or directory: '/home/tor/.tor/control_auth_cookie'

/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:700:errback
/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:763:_startRunCallbacks
/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:857:_runCallbacks
/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:1750:gotResult
--- <exception caught here> ---
/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:1656:_inlineCallbacks
/usr/local/lib/python3.9/site-packages/twisted/python/failure.py:514:throwExceptionIntoGenerator
/usr/local/lib/python3.9/site-packages/txtorcon/controller.py:462:connect
/usr/local/lib/python3.9/site-packages/txtorcon/controller.py:456:connect
/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:1656:_inlineCallbacks
/usr/local/lib/python3.9/site-packages/twisted/python/failure.py:514:throwExceptionIntoGenerator
/usr/local/lib/python3.9/site-packages/txtorcon/controller.py:427:try_endpoint
/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:1656:_inlineCallbacks
/usr/local/lib/python3.9/site-packages/twisted/python/failure.py:514:throwExceptionIntoGenerator
/usr/local/lib/python3.9/site-packages/txtorcon/torconfig.py:584:from_protocol
/usr/local/lib/python3.9/site-packages/twisted/internet/defer.py:857:_runCallbacks
/usr/local/lib/python3.9/site-packages/txtorcon/torcontrolprotocol.py:849:_do_authenticate
]
created the onion endpoint, now calling listen

Question is, can you be a maker connecting to a remote Tor daemon, without connecting to irc channels? If so, how to do that?
I suppose, it wants to read the auth cookie file /home/tor/.tor/control_auth_cookie to allow inbound connections to an onion service. Suppose it is not possible to mount the remotes directory.. Is there any other possibility to provide this value (cookie or password), e.g. via the config file?

Sorry if this in the docs or in the code somewhere, I just cannot find it.. There is one sentence that says "If you don't currently have a Tor daemon running on your machine [...]" which suggests it is not possible.

edit: Also notice the message created the onion endpoint, now calling listen after the exception.

edit2: Even with ControlPort 0.0.0.0:9051 and without CookieAuthentication or HashedControlPassword it does not work. This is obviously not advised, and seems to close the control port immediately. Fails as expected with Setup failed: [Failure instance: Traceback: <class 'twisted.internet.error.ConnectionRefusedError'>: Connection was refused by other side: 111: Connection refused.)

[theborakompanioni]

Please excuse me for the lengthy explanation while still being so unspecific. I am trying to investigate a problem on Umbrel where the provided Tor params include host, port and password. It seems, getting the contents of the cookie file is not possible. I really just wanted to know if there is a way to use the provided services. I am totally fine with "then just install with flags --with-local-tor" as solution..

[AdamISZ]

Question is, can you be a maker connecting to a remote Tor daemon, without connecting to irc channels? If so, how to do that?

So if I understand correctly this is the main question, and I have a suspicion that the answer is no, but I don't understand exactly why. We had at least one person investigate this and discover it wasn't possible, let me try to find the links here in the repo.

Just to clear up one point: having no IRC does not cause any issues.

[AdamISZ]

Sorry I could not find the earlier discussions here (or maybe they were somewhere else).

I just remember that connecting to a remote Tor daemon may not be supported. Tbh I had no specific intention to support that (though I suppose it should be possible but it'll require understanding Tor configuration in detail I guess).

[theborakompanioni]

Sorry I could not find the earlier discussions here (or maybe they were somewhere else).

Don't worry, no problem. Thanks for investigating!

I just remember that connecting to a remote Tor daemon may not be supported. Tbh I had no specific intention to support that (though I suppose it should be possible but it'll require understanding Tor configuration in detail I guess).

It seems providing a password would be possible via a password_function callback. Is there some chance that this will be supported eventually? I'm just concerned right now with how to proceed and plan the next steps for intergations in Umbrel/Citadel/etc. If the answer is "No", don't worry. It is not perfect, but I guess it is kind of "okay" to have Tor running inside the docker container, if this is the only viable alternative.

[AdamISZ]

It seems providing a password would be possible via a password_function callback. Is there some chance that this will be supported eventually? I'm just concerned right now with how to proceed and plan the next steps for intergations in Umbrel/Citadel/etc. If the answer is "No", don't worry. It is not perfect, but I guess it is kind of "okay" to have Tor running inside the docker container, if this is the only viable alternative.

I'd certainly not be against adding it.

What I don't understand is, what are the precise conditions preventing it working right now. Is it possible it can be changed simply with changes to the Tor daemon configuration (or the machine it's on)?

I remember addressing a similar issue for btcpayserver here: #1041 (not the same but a similar Tor configuration issue).

[theborakompanioni]

What I don't understand is, what are the precise conditions preventing it working right now. Is it possible it can be changed simply with changes to the Tor daemon configuration (or the machine it's on)?

Changing the Tor configuration to include CookieAuthentication instead or in addition to HashedControlPassword, and copying the control_auth_cookie file would indeed function as a workaround. However, this scenario is specific to the Umbrel integration where a Tor container is provided and its config cannot be changed.

Since this really is an edge case, I am closing this issue now. Might function as reference if someone ever can only useHashedControlPassword in their Tor config (for whatever reason).

Jam will now revert to running a Tor daemon inside the docker image.
I hope it's okay with you that such tickets are opened, even if they only contain questions. I don't want to create unnecessary work.
Thank you @AdamISZ for your time and brain cycles on this.

[3nprob]

@theborakompanioni In case this is still relevant for you: #1799