
Fails with systemd

Open vsviridov opened this issue 9 years ago • 18 comments

[E 150903 03:21:40 ioloop:612] Exception in callback (<socket object, fd=4, family=10, type=1, protocol=0>, <function null_wrapper at 0x7f5e0107ec08>)
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/tornado/ioloop.py", line 866, in start
    handler_func(fd_obj, events)
  File "/usr/local/lib/python2.7/dist-packages/tornado/stack_context.py", line 275, in null_wrapper
    return fn(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", line 265, in accept_handler
    callback(connection, address)
  File "/usr/local/lib/python2.7/dist-packages/tornado/tcpserver.py", line 239, in _handle_connection
    do_handshake_on_connect=False)
  File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", line 510, in ssl_wrap_socket
    return context.wrap_socket(socket, **kwargs)
  File "/usr/lib/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 537, in __init__
    socket.__init__(self, _sock=sock._sock)
AttributeError: '_socket.socket' object has no attribute '_sock'

vsviridov avatar Sep 03 '15 03:09 vsviridov

This service file works for me. You have to turn on unsecure so it doesn't use ssl.

[Unit]
Description=Butterfly Terminal Server
After=syslog.target

[Service]
ExecStart=/usr/bin/butterfly.server.py --unsecure
Restart=on-abort

[Install]
WantedBy=multi-user.target

meskarune avatar Jun 30 '16 16:06 meskarune

I have exactly the same issue. I did everything according to README. It seems that butterfly.socket can't start butterfly.service... Unfortunately unsecure is not acceptable.

tomekceszke avatar Sep 22 '16 22:09 tomekceszke

Same here ... Unsecure is not an option. What did I do wrong?

TWuerdemann avatar Jun 19 '17 08:06 TWuerdemann

Do you have https://github.com/paradoxxxzero/tornado-systemd installed? pip install tornado-systemd

paradoxxxzero avatar Jun 19 '17 09:06 paradoxxxzero

Yes I have... At least PIP tells me so. But I uninstalled and reinstalled it ... now it works ...

So I guess thank you for this hint. :)

TWuerdemann avatar Jun 19 '17 09:06 TWuerdemann

Well... there is still an issue. After a normal reboot, Butterfly was back to not really running. After reinstalling tornado-systemd it worked.

TWuerdemann avatar Jun 20 '17 07:06 TWuerdemann

This does not make much sense! Is this really reproducible?

paradoxxxzero avatar Jun 20 '17 08:06 paradoxxxzero

The short answer is "yes". The longer one is "It's complicated".

And I'm not 100% sure if it isn't me who is the problem. It looks like I overlooked something.

Okay here is what I did:

  • reboot
  • Socket seems to work but the website will not show (see first post)
  • Try to restart "service butterfly restart"
  • Nothing changes
  • Stopping service "service butterfly stop"
  • Uninstall tornado-systemd "pip uninstall tornado-systemd"
  • Install tornado-systemd "pip install tornado-systemd"
  • Now I HAVE TO restart the service "service butterfly restart" (otherwise it will not work)
  • Now I have my Butterfly Web Terminal...

It's totally strange and I have no idea what's going on. And like I said, there is quite a big chance that I'm making a mistake here. But I can't see it.

Btw, these are my service and socket files:

butterfly.service

[Unit]
Description=Butterfly Terminal Server

[Service]
ExecStart=/usr/local/bin/butterfly.server.py

butterfly.socket:

[Socket]
ListenStream=8443

[Install]
WantedBy=sockets.target

TWuerdemann avatar Jun 20 '17 08:06 TWuerdemann

I can't see either what reinstalling tornado-systemd could change. Does it work using socket only (butterfly.service stop, butterfly.socket start)? Could you try with python 3 (if you are using python 2 too)?

paradoxxxzero avatar Jun 22 '17 08:06 paradoxxxzero

I have this problem, too. Ubuntu 17.04, running on Linode (under KVM). Installed with pip install 'butterfly[systemd]' and downloaded the system/socket files with wget as per the README. I generated the cert files, and enabled/started the butterfly.socket. When I connect using https with Chrome, this is the error I get:

Sep 24 20:32:15 ln butterfly.server.py[16807]: [E 170924 20:32:15 ioloop:638] Exception in callback (<socket object, fd=
Sep 24 20:32:15 ln butterfly.server.py[16807]:     Traceback (most recent call last):
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/ioloop.py", li
Sep 24 20:32:15 ln butterfly.server.py[16807]:         handler_func(fd_obj, events)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/stack_context.
Sep 24 20:32:15 ln butterfly.server.py[16807]:         return fn(*args, **kwargs)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", l
Sep 24 20:32:15 ln butterfly.server.py[16807]:         callback(connection, address)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/tcpserver.py",
Sep 24 20:32:15 ln butterfly.server.py[16807]:         do_handshake_on_connect=False)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", l
Sep 24 20:32:15 ln butterfly.server.py[16807]:         return context.wrap_socket(socket, **kwargs)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/lib/python2.7/ssl.py", line 363, in wrap_socket
Sep 24 20:32:15 ln butterfly.server.py[16807]:         _context=self)
Sep 24 20:32:15 ln butterfly.server.py[16807]:       File "/usr/lib/python2.7/ssl.py", line 569, in __init__
Sep 24 20:32:15 ln butterfly.server.py[16807]:         socket.__init__(self, _sock=sock._sock)
Sep 24 20:32:15 ln butterfly.server.py[16807]:     AttributeError: '_socket.socket' object has no attribute '_sock'

I have installed tornado and tornado-systemd with pip as well. Re-installing and re-starting doesn't solve anything for me.

jwatte avatar Sep 24 '17 20:09 jwatte

Another problem is that butterfly uses the "host" argument both for the name of the certificates, and the interface to bind to. Thus, if I want it to bind to 0.0.0.0, I also have to generate certificates for 0.0.0.0, which isn't right. I'll file that elsewhere.

jwatte avatar Sep 24 '17 20:09 jwatte

@jwatte Running a web based terminal on your vps is a really bad idea. You are just asking for someone to hack you.

meskarune avatar Sep 27 '17 22:09 meskarune

I'm aware of the security implications (and also how to front an insecure web service with NGINX, web security, and HTTPS.) I'm more interested in advice helping make the software actually do what it's supposed to. (The fact that the web console by default doesn't implement login might be considered a weakness, too, but one I'm prepared to work around.) Btw: Linode provides "lish" over the web for their instances, and this is not a marked source of hacks.

jwatte avatar Sep 28 '17 01:09 jwatte

@jwatte funny you should mention Linode. I used to work there :P

The lish console is a necessary evil. Without it, customers could not have out of band access to their VPS's and their customer support team would have a hell of a lot of extra work on their hands.

Linode's ajax lish console is hosted behind a login, the connection is encrypted and hopefully protected by 2 factor. (if you don't have it enabled, you should). They have put a lot of extra thought into the console because it is one of the biggest attack vectors against customer VPSs.

Even with all that though, if you don't have 2fa, it only takes someone knowing your username and password to access the lish console. If you use the lish console as root and don't log out, bam, someone can gain root access using your linode manager login credentials.

Butterfly is an interesting script, but it isn't secure enough for production use like you are talking about.

Is there a reason why you think you need to have a web console on your Linode VPS? Especially considering that a more secure one already exists?

meskarune avatar Oct 20 '17 01:10 meskarune

The host that I ultimately need a web-based console on is not on Linode but another host; I'm using linode for testing. One way to secure it is to stick another login in front -- for example, nginx with web authentication. Old school, but if I can rely on password authentication, then good enough. Of course this wouldn't be a problem if all the firewalls between points A and B on the web let port 22 through, but that's not always the case for whatever reasons that are often outside of my control. That's the whole reason scripts like these exist in the first place ...

jwatte avatar Oct 20 '17 15:10 jwatte

Password auth is not "good enough", you need encryption too as well as process segregation. shellinabox or gotty would be more secure as they are further along in development and have security recommendations.

If the only reason why you want a web console is due to ssh being on port 22, then just change the port that ssh runs on. You can set it to port 80 or 443 which isn't filtered by NAT.

The ONLY reason scripts like this exist is to give people a local terminal to use with true color and unicode OR to give people out of band access to a vps. They are not supposed to replace ssh.

meskarune avatar Oct 31 '17 19:10 meskarune

Worked for me after I just uninstalled tornado-systemd entirely.

vsviridov avatar Nov 08 '17 22:11 vsviridov

On CentOS 7 the default socket and service files are not working correctly. I.e. you cannot use the stop command.

Here is a working systemd config:

# cat /etc/systemd/system/butterfly.service

[Unit]
Description=Butterfly Terminal Server
After=network.target butterfly.socket
Requires=butterfly.socket

[Service]
ExecStart=/usr/local/bin/butterfly.server.py --unsecure --login --i-hereby-declare-i-dont-want-any-security-whatsoever
Restart=on-abort

[Install]
WantedBy=default.target

# cat /etc/systemd/system/butterfly.socket

[Unit]
Description=Butterfly Socket
PartOf=butterfly.service

[Socket]
ListenStream=127.0.0.1:57575

[Install]
WantedBy=sockets.target

To enable

# systemctl daemon-reload
# systemctl enable butterfly.service

To start, get status and stop

# systemctl start butterfly.service
# systemctl status butterfly.service
# systemctl stop butterfly.service

brtgh avatar Nov 30 '19 00:11 brtgh
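
An added example, not part of the thread and not Butterfly's own code: a check over the unit files posted above that flags a service started with --unsecure (which, per the thread, turns SSL off) when its socket unit listens on anything other than loopback. The function names are hypothetical, the unit text is abridged from the comments above, and the "[::1]" and "0.0.0.0" inputs go beyond the values posted in the thread.

```python
import ipaddress

def parse_unit(text):
    """Parse systemd unit text into {section: {key: [values]}}; keys may repeat."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            section.setdefault(key.strip(), []).append(value.strip())
    return unit

def listen_is_loopback(listen):
    """True only when a ListenStream= value is reachable from this host alone."""
    if listen.startswith(("/", "@")):   # AF_UNIX path or abstract socket
        return True
    host, sep, _port = listen.rpartition(":")
    if not sep:                         # bare port such as "8443": every interface
        return False
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:                  # not an IP literal: treat as exposed
        return False

def audit(service_text, socket_text):
    """Return one finding per non-loopback listener of a plaintext service."""
    service, sock = parse_unit(service_text), parse_unit(socket_text)
    argv = " ".join(service.get("Service", {}).get("ExecStart", [])).split()
    if "--unsecure" not in argv:        # SSL left on: nothing for this check
        return []
    return ["--unsecure with ListenStream=%s: plaintext terminal reachable off-host" % l
            for l in sock.get("Socket", {}).get("ListenStream", [])
            if not listen_is_loopback(l)]

# Unit text abridged from the thread: the CentOS 7 pair and the earlier socket file.
PLAINTEXT_SERVICE = ("[Service]\nExecStart=/usr/local/bin/butterfly.server.py --unsecure "
                     "--login --i-hereby-declare-i-dont-want-any-security-whatsoever\n")
TLS_SERVICE = "[Service]\nExecStart=/usr/local/bin/butterfly.server.py\n"
LOOPBACK_SOCKET = "[Socket]\nListenStream=127.0.0.1:57575\n"
ALL_IFACES_SOCKET = "[Socket]\nListenStream=8443\n"

if __name__ == "__main__":
    for finding in audit(PLAINTEXT_SERVICE, ALL_IFACES_SOCKET):
        print(finding)
```

The check only covers transport exposure; it says nothing about whether a login or a fronting proxy is in place.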