Upgrading a relay and changing IP address
 
            Hi, On 18/05/2017 01:56, Gunnar Wolf wrote:
Cristian Consonni dijo [Wed, May 17, 2017 at 05:04:29PM +0200]:
As you can see from the Debian package page[1] the latest available version of Tor packaged for Wheezy is 0.2.4.27-3, which to me looks quite behind either 0.2.5.12-4 available in Jessie (stable) or the 0.2.9.X series available through backports or testing.
What's the best thing to do in these cases?
* Should I start updating tor manually?
* Should I update Debian on the server? (which could well mean starting with a fresh install)
* Is it ok like it is now, provided that the system is updated?
While Debian Wheezy (7, our "oldstable" release) still has security support via LTS¹, it is not recommended to run a Tor relay with such old packages. In fact, not even the version available in Jessie (8, our "stable" release - 0.2.5.12-4) is recommended nowadays.
I suggest you update to _at least_ Jessie and use the version in backports (depends on your sysadmining, but if your machine's only use is to run a Tor node, I'd suggest installing Stretch, 9, which has 0.2.9.9-1).
I am running the relays on VPS providers so, I can choose (only) among the versions of Debian that are provided by the services as templates. When Stretch is released I will see if they make it available, in a reasonable time.

I am settled anyhow to upgrade the nodes as soon as the new Debian version is released and I have a question. I have read that I can move the node keys when upgrading[1] and I will do that. One thing that will change with a fresh install is the IP address of the nodes. So, I was wondering, in general is it a good thing to keep the same IP or to change it? Because in any case, I could try and do a dist-upgrade[2] so that I keep the old IP. I have also discovered now that DigitalOcean, one of the providers I use, provides a kernel-management interface[3] that could make the process easier.

So, which is preferable between the two processes where one has the advantage of keeping the same IP (dist-upgrade) and the other not (fresh install)? Of course, I am assuming that I will be able to complete any of the two processes successfully.

Cristian

[1]: https://www.torproject.org/docs/faq.html.en#UpgradeOrMove
[2]: https://www.debian.org/releases/stable/amd64/release-notes/
[3]: https://www.digitalocean.com/community/tutorials/how-to-update-a-digitalocea...
 
            2017-05-18 13:15 GMT+02:00 Cristian Consonni <cristian@balist.es>:
I am running the relays on VPS providers so, I can choose (only) among the versions of Debian that are provided by the services as templates.
It should be possible to upgrade to Jessie from the template. At least that is what I did on my machine hosted as a VPS.

Sebastian
 
            On 2017-05-18 14:09, Sebastian Niehaus wrote:
It should be possible to upgrade to Jessie from the template. At least that is what I did on my machine hosted as a VPS.
Yes. Running on a shared Linode, I am free to do practically anything to the Debian OS installed, except updating the kernel.

--
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html
 
            On 18 May 2017, at 21:15, Cristian Consonni <cristian@balist.es> wrote:
One thing that will change with a fresh install is the IP address of the nodes. So, I was wondering, in general is it a good thing to keep the same IP or to change it? Because in any case, I could try and do a dist-upgrade[2] so that I keep the old IP. I have also discovered now that DigitalOcean, one of the providers I use, provides a kernel-management interface[3] that could make the process easier.
So, which is preferable between the two processes where one has the advantage of keeping the same IP (dist-upgrade) and the other not (fresh install)?
It doesn't matter: if your IP address changes, the directory authorities will take an hour or so to check your relay's reachability, and then it will get back its flags and weight over the next week or so.

If your relay is a fallback directory mirror[0], please keep the same key, IP address, and ports. You can check that here[1] or here[2] (large page).

[0]: https://trac.torproject.org/projects/tor/wiki/doc/FallbackDirectoryMirrors
[1]: https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc
[2]: https://consensus-health.torproject.org/consensus-health.html

T

--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
 
            Hi, thanks for your response. On 19/05/2017 02:28, teor wrote:
On 18 May 2017, at 21:15, Cristian Consonni <cristian@balist.es> wrote:
One thing that will change with a fresh install is the IP address of the nodes. So, I was wondering, in general is it a good thing to keep the same IP or to change it? Because in any case, I could try and do a dist-upgrade[2] so that I keep the old IP. I have also discovered now that DigitalOcean, one of the providers I use, provides a kernel-management interface[3] that could make the process easier.
So, which is preferable between the two processes where one has the advantage of keeping the same IP (dist-upgrade) and the other not (fresh install)?
It doesn't matter: if your IP address changes, the directory authorities will take an hour or so to check your relay's reachability, and then it will get back its flags and weight over the next week or so.
If your relay is a fallback directory mirror[0], please keep the same key, IP address, and ports. You can check that here[1] or here[2] (large page).
So, to be clear, if I was a fallback directory mirror (which I am not) I should maintain the same IP. Otherwise it is ok to change IP.

Cristian
 
            On 23/05/2017 15:45, Cristian Consonni wrote:
So, to be clear, if I was a fallback directory mirror (which I am not) I should maintain the same IP. Otherwise it is ok to change IP.
Correction, one of my nodes is a Fallback Directory, actually.

I am a little bit perplexed because I responded to a call for fallback dirs last December (Dec 2016), but then I got no answer or confirmation that the relay was elected to become a fallback dir and so I assumed it was not. Now, from this list[1] I see that it has the FallbackDir flag.

So, again, in this case I should try to keep the same IP address when upgrading, right?

Cristian

[1]: https://consensus-health.torproject.org/consensus-health.html
 
            On 24 May 2017, at 01:05, Cristian Consonni <cristian@balist.es> wrote:
On 23/05/2017 15:45, Cristian Consonni wrote:
So, to be clear, if I was a fallback directory mirror (which I am not) I should maintain the same IP. Otherwise it is ok to change IP.
Correction, one of my nodes is a Fallback Directory, actually.
I am a little bit perplexed because I responded to a call for fallback dirs last December (Dec 2016), but then I got no answer or confirmation that the relay was elected to become a fallback dir and so I assumed it was not.
Sorry about that, I tried to BCC all the fallback operators the first few times we changed the list. But it is a lot of work, and sometimes spam filters eat the email anyway. So this time I just announced it on tor-relays: https://lists.torproject.org/pipermail/tor-relays/2017-May/012285.html
Now, from this list[1] I see that it has the FallbackDir flag.
So, again, in this case I should try to keep the same IP address when upgrading, right?
Please keep the same IP address, ports, and RSA and ed25519 keys (fingerprint). Again, sorry about the lack of notification. It's a big job, and I was short on time this time around. I would love someone to volunteer to notify all the fallback directory operators: the list only changes once every 6-12 months.
Cristian
[1]: https://consensus-health.torproject.org/consensus-health.html
T

--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
 
            Hi teor,
Again, sorry about the lack of notification. It's a big job, and I was short on time this time around.
I would love someone to volunteer to notify all the fallback directory operators: the list only changes once every 6-12 months.
What would that involve if someone decides to volunteer?
- Generating a list with the email address per relay
- Sending an email to the Operator
- Updating the list with the operators and their answer
- (Dealing with all the unreachable addresses)

And the list contains between 150 and 200 fallback dirs.

Cheers,
Jan
 
            On 24 May 2017, at 17:27, Jan Welker <jan@wth.in> wrote:
Again, sorry about the lack of notification. It's a big job, and I was short on time this time around.
I would love someone to volunteer to notify all the fallback directory operators: the list only changes once every 6-12 months.
What would that involve if someone decides to volunteer?
- Generating a list with the email address per relay
You can get the fingerprints from:
https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc
And then write a quick script to get the contact details.

Or use the instructions at:
https://trac.torproject.org/projects/tor/wiki/doc/UpdatingFallbackDirectoryM...
To modify the script at:
https://gitweb.torproject.org/tor.git/tree/scripts/maint/updateFallbackDirs....
(No one has automated that yet, but we are close: we just need to do something like the check_existing mode that outputs contacts.)
- Sending an email to the Operator
Most operators change their email address to avoid spam. You will need to work out what each address is.

It is ok to send one email, and BCC all the operators. Put me in To: or CC: please. And then send a copy to tor-relays saying that's what you sent to all the operators.
https://trac.torproject.org/projects/tor/wiki/doc/UpdatingFallbackDirectoryM...
- Updating the list with the operators and their answer
If you open a ticket with a list of opt-outs, I will fix this up when we next rebuild the list.
- (Dealing with all the unreachable addresses)
That's ok, as long as the relay has the same details, I don't worry about emails that bounce.
And the list contains between 150 and 200 fallback dirs.
Yes. When we go looking for new fallback operators, we do a similar thing for all relays that are *not* on the list, and have good bandwidth and uptime.

T

--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
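
Added example, not part of the thread or of the Tor project's scripts: a check an operator could run before a fresh install, covering both the "get the fingerprints from fallback_dirs.inc" step and the advice to keep a fallback's IP address and ports. The entry layout in the constructed sample (quoted `IPv4:DirPort orport=N id=FINGERPRINT` lines) is an assumption about the file's format, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout assumed for fallback_dirs.inc.
# Addresses are documentation ranges and fingerprints are made up.
SAMPLE_INC = '''
/* constructed example entries */
"192.0.2.10:80 orport=443 id=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
" ipv6=[2001:db8::10]:443"
" weight=10",
"198.51.100.7:9030 orport=9001 id=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
" weight=10",
'''

# First string literal of each entry: IPv4, DirPort, ORPort, RSA fingerprint.
ENTRY_RE = re.compile(
    r'"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dirport>\d+)'
    r'\s+orport=(?P<orport>\d+)\s+id=(?P<fp>[0-9A-Fa-f]{40})"')

def parse_fallbacks(text):
    """Return {fingerprint: (ipv4, dirport, orport)} for every entry found."""
    return {m["fp"].upper(): (m["ip"], int(m["dirport"]), int(m["orport"]))
            for m in ENTRY_RE.finditer(text)}

def check_relay(fallbacks, fingerprint, ip, dirport, orport):
    """Compare a relay's planned post-upgrade details with the fallback list.

    Returns (is_fallback, mismatches); mismatches names each field that
    would differ from the entry hard-coded in the list.
    """
    fp = fingerprint.replace(" ", "").upper()  # accept spaced fingerprints
    listed = fallbacks.get(fp)
    if listed is None:
        return False, []
    planned = (ip, dirport, orport)
    names = ("ip", "dirport", "orport")
    return True, [n for n, a, b in zip(names, listed, planned) if a != b]

if __name__ == "__main__":
    fb = parse_fallbacks(SAMPLE_INC)
    # Listed relay, same details after a dist-upgrade: nothing to fix.
    print(check_relay(fb, "AAAA" * 10, "192.0.2.10", 80, 443))
    # Listed relay, fresh install on a new address: the IP would no longer match.
    print(check_relay(fb, "BBBB" * 10, "203.0.113.5", 9030, 9001))
    # Relay not on the list: an IP change is fine.
    print(check_relay(fb, "CCCC" * 10, "203.0.113.5", 9030, 9001))
```
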
 
            On 24/05/2017 03:25, teor wrote:
On 24 May 2017, at 01:05, Cristian Consonni <cristian@balist.es> wrote: I am a little bit perplexed because I responded to a call for fallback dirs last December (Dec 2016), but then I got no answer or confirmation that the relay was elected to become a fallback dir and so I assumed it was not.
Sorry about that, I tried to BCC all the fallback operators the first few times we changed the list.
But it is a lot of work, and sometimes spam filters eat the email anyway.
So this time I just announced it on tor-relays: https://lists.torproject.org/pipermail/tor-relays/2017-May/012285.html
No worries :-)
Now, from this list[1] I see that it has the FallbackDir flag.
So, again, in this case I should try to keep the same IP address when upgrading, right?
Please keep the same IP address, ports, and RSA and ed25519 keys (fingerprint).
I'll do. Cristian