relayor: automation for relay operators (ansible)

Hi,

computers are better at doing repeatable things over and over again, so let them take care of boring tasks. Based on David's ansible-tor [1] I created an ansible role to make relay operations more convenient (see the initial commit message for a longer list of changes).

https://github.com/nusenu/relayor

Core features:

- configure multiple tor instances on a server: automatically generates two instances per available IP address (memory auto-detection is not implemented yet)
- take care of MyFamily automatically
- user-configurable Nickname prefix
- easy Exit/Non-Exit setting (boolean)
- alpha vs. stable releases (boolean)

Supported platforms:

- Debian
- CentOS
- OpenBSD

Everything is still fresh, so I would NOT recommend using this on production relays. Testing and review is appreciated.

There is still a crucial piece missing (init scripts), but I hope tor packagers are willing to incorporate multi-init support patches (see issues).

I also have parts that add monitoring (munin+vnstat+webserver), but that will go into a separate role.

If you have never heard of ansible: it speaks to your servers using SSH and does not require an agent or a central management server - just run it from your client machine.

http://www.ansible.com/resources (not entirely torbrowser friendly)
http://docs.ansible.com

If you are planning to run this role over tor when connecting to your servers, make sure you have the following set in your ~/.ansible.cfg:

    ssh_args = -o ControlMaster=auto -o ControlPersist=60s

This ansible role is not about bridges or hidden services, but I'd like to add "management HSes" (SSH and monitoring) in the future.

Nusenu

[1] https://github.com/david415/ansible-tor
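What the feature list above amounts to in code, as an added example written for this thread and not taken from relayor (which does this with Ansible tasks and Jinja2 templates): number the instances, give each IP address two of them, validate the Nickname prefix, switch the exit policy on a boolean, and fill MyFamily from the fingerprints that are already known. The DataDirectory base path, the port numbers, the contact address and the fingerprints in the sample are assumptions.

```python
import re

# Added example (not relayor's own code): render one torrc per tor instance,
# two instances per IP address, with MyFamily computed from the instances'
# fingerprints. Paths and ports below are assumptions, not relayor's defaults.

NICKNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")      # tor's Nickname constraints
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")        # 40 hex digits, as in the fingerprint file
MAX_RELAYS_PER_IP = 2   # the directory authorities list at most two relays per IPv4 address
DATADIR_BASE = "/var/lib/tor-instances"               # assumed base path for DataDirectory


def plan_instances(ips, prefix, per_ip=MAX_RELAYS_PER_IP,
                   or_ports=(9001, 9101), dir_ports=(9030, 9130)):
    """Number the instances tor1..torN and give each its own IP/port pair."""
    if per_ip > MAX_RELAYS_PER_IP:
        raise ValueError(f"at most {MAX_RELAYS_PER_IP} relays per IP are listed by the authorities")
    instances = []
    for ip in ips:
        for slot in range(per_ip):
            n = len(instances) + 1
            nickname = f"{prefix}{n}"
            if not NICKNAME_RE.match(nickname):
                raise ValueError(f"Nickname {nickname!r} must be 1-19 alphanumeric characters")
            instances.append({"name": f"tor{n}", "nickname": nickname, "ip": ip,
                              "orport": or_ports[slot], "dirport": dir_ports[slot]})
    return instances


def render_torrc(inst, fingerprints, exit_relay, contact):
    """Render the torrc for one instance. MyFamily lists every *other* instance whose
    fingerprint is already known; a fresh instance has none until its first start,
    so the files must be re-rendered once the relays have generated their keys."""
    for name, fp in fingerprints.items():
        if not FINGERPRINT_RE.match(fp):
            raise ValueError(f"{name}: {fp!r} is not a 40-hex-digit fingerprint")
    family = sorted("$" + fp for name, fp in fingerprints.items() if name != inst["name"])
    lines = [
        f"# {inst['name']}: generated, do not edit by hand",
        f"DataDirectory {DATADIR_BASE}/{inst['name']}",
        f"Nickname {inst['nickname']}",
        f"ContactInfo {contact}",
        f"ORPort {inst['ip']}:{inst['orport']}",
        f"DirPort {inst['ip']}:{inst['dirport']}",
        f"OutboundBindAddress {inst['ip']}",
        "SocksPort 0",                       # a relay needs no local SOCKS listener
    ]
    if exit_relay:
        lines.append("ExitRelay 1")          # keeps tor's default exit policy
    else:
        lines += ["ExitRelay 0", "ExitPolicy reject *:*"]
    if family:
        lines.append("MyFamily " + ",".join(family))
    return "\n".join(lines) + "\n"


def render_all(ips, prefix, fingerprints=None, exit_relay=False, contact="abuse@example.org"):
    """Map instance name -> torrc text for every instance on the host."""
    fingerprints = fingerprints or {}
    return {inst["name"]: render_torrc(inst, fingerprints, exit_relay, contact)
            for inst in plan_instances(ips, prefix)}


if __name__ == "__main__":
    # Constructed sample: two IPs, fingerprints known for three of the four instances.
    sample_fps = {"tor1": "A" * 40, "tor2": "B" * 40, "tor3": "C" * 40}
    for name, torrc in render_all(["192.0.2.1", "192.0.2.2"], "exampleRelay", sample_fps).items():
        print(f"--- {name}\n{torrc}")
```

The family is deliberately built only from fingerprints read back from each instance's DataDirectory: on a first run the fresh relays have none, so their torrcs carry no MyFamily line and a second rendering (plus a reload) is needed after every instance has started once. A family that is missing a member is the situation the option exists to prevent, so that second pass is the step an automation role must not skip.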

I'm sorry if you are looking for the repo, github decided to hide my account from the public (without sending an email notification about anything):

"One of our mostly harmless robots seems to think you are not a human. Because of that, it's hidden your profile from the public."

On 2015-02-27 14:53, Nusenu wrote:
> Supported platforms:
> ...
> - OpenBSD
>
> Everything is still fresh, so I would NOT recommend to use this on production relays. Testing and review is appreciated.
>
> There is still a crucial piece missing (init scripts), but I hope tor packagers are willing to incorporate multi-init support patches (see issues).
In the interest of going with the OS flow and intent/defaults, I recommend the following for OpenBSD.

Configure relays with a unique ${tag} appended to "tor". Say you have 2 IPs, want to run 4 total relays, and you want ${tag} to be 1, 2, 3 or 4. Call each by the name tor${tag}, and use that name to set up resources.

Content changes in the /etc/rc.d/tor... startup/shutdown scripts are unneeded. Straight copies to /etc/rc.d/tor${tag} are best for avoiding having to maintain them separately across upgrades.

Give each relay its own torrc via /etc/tor/tor${tag}, and each its own /var/tor${tag} directory referenced in that torrc.

Then in /etc/rc.conf.local, hook them together and tell OpenBSD how to launch each of them:

    tor1_flags = {tor1_flags} -f /etc/tor/tor1
    tor2_flags = {tor2_flags} -f /etc/tor/tor2
    tor3_flags = {tor3_flags} -f /etc/tor/tor3
    tor4_flags = {tor4_flags} -f /etc/tor/tor4
    pkg_scripts = "... tor1 tor2 tor3 tor4"

At the end of /etc/login.conf, tell OpenBSD to give them a few more resources than the default for daemon class:

-------8<-------
# Override resource limits for certain LOCAL daemons started by rc.d(8)
#
# For Tor, set an openfiles-max to override default openfiles-max 1024
# (we leave _tor user in 'daemon' class and rely on /etc/rc.d/tor* names
# to pick up possibly unique settings for each instance)
tor1:\
        :openfiles-cur=1024:\
        :openfiles-max=8192:\
        :tc=daemon:
tor2:\
        :openfiles-cur=1024:\
        :openfiles-max=4096:\
        :tc=daemon:
tor3:\
        :openfiles-cur=1024:\
        :openfiles-max=8192:\
        :tc=daemon:
tor4:\
        :openfiles-cur=1024:\
        :openfiles-max=8192:\
        :tc=daemon:
-------8<-------

Richard
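Richard's per-instance layout as a small generator, added here as an example and not code from relayor or from his mail: it derives the rc.d copy, torrc path and data directory for each tor${tag}, emits the rc.conf.local and login.conf fragments for all of them, and rejects tags that would not form valid file or login-class names. The quoting of the _flags lines and the single openfiles-max value applied to every class are assumptions.

```python
import re

# Added example (not relayor's code, not copied from Richard's mail): build the
# OpenBSD multi-instance layout described above from a list of tags.

TAG_RE = re.compile(r"^[A-Za-z0-9]+$")   # the tag becomes part of file and class names


def openbsd_instance_layout(tags, existing_pkg_scripts=(), openfiles_cur=1024, openfiles_max=8192):
    """Return the file plan plus rc.conf.local and login.conf fragments for tor<tag> instances."""
    names = []
    for tag in tags:
        tag = str(tag)
        if not TAG_RE.match(tag):
            raise ValueError(f"tag {tag!r} must be alphanumeric")
        names.append(f"tor{tag}")
    if len(set(names)) != len(names):
        raise ValueError("duplicate instance names")

    files = [{
        "rc_script": f"/etc/rc.d/{name}",   # byte-for-byte copy of /etc/rc.d/tor
        "torrc": f"/etc/tor/{name}",        # handed to tor with -f
        "datadir": f"/var/{name}",          # DataDirectory set inside that torrc
    } for name in names]

    # rc.conf.local: one _flags line per instance (quoting assumed), then the
    # pkg_scripts line with the already-enabled packages kept in front.
    rc_conf = [f'{name}_flags="-f /etc/tor/{name}"' for name in names]
    rc_conf.append('pkg_scripts="' + " ".join([*existing_pkg_scripts, *names]) + '"')

    # login.conf: rc.d(8) picks up a login class named like the rc.d script, which
    # is why each class name below must equal the corresponding file name in /etc/rc.d.
    login = ["# resource limits for tor instances started by rc.d(8)"]
    for name in names:
        login += [f"{name}:\\",
                  f"\t:openfiles-cur={openfiles_cur}:\\",
                  f"\t:openfiles-max={openfiles_max}:\\",
                  "\t:tc=daemon:"]

    return {"files": files,
            "rc_conf_local": "\n".join(rc_conf) + "\n",
            "login_conf": "\n".join(login) + "\n"}


if __name__ == "__main__":
    # Constructed sample: four instances on a host that already enables munin_node.
    layout = openbsd_instance_layout([1, 2, 3, 4], existing_pkg_scripts=["munin_node"])
    for entry in layout["files"]:
        print(f"cp /etc/rc.d/tor {entry['rc_script']}   # torrc {entry['torrc']}, data {entry['datadir']}")
    print(layout["rc_conf_local"])
    print(layout["login_conf"])
```

The generator only produces text and a file plan; applying it means copying /etc/rc.d/tor to each rc_script path unchanged, writing a torrc per instance whose DataDirectory is the matching datadir, and appending the two fragments to /etc/rc.conf.local and /etc/login.conf. Keeping the plan separate from the apply step is what lets a tool such as Ansible show the diff before touching the host.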

Hi,

> Content changes in the /etc/rc.d/tor... startup/shutdown scripts are unneeded. Straight copies to /etc/rc.d/tor${tag} are best for avoiding having to maintain them separately across upgrades.

I saw your previous email with this description for multiple tor instances on OpenBSD, but it is my intention to get multi-instance support into the upstream package - also for OpenBSD. For the following reasons:

- we prefer having a single line in /etc/login.conf for all tor instances, no matter how many you run (compared to N lines if you run N tor instances). This is the reason we assign a custom login class to the _tor user (as you probably saw)
- no need to copy files in /etc/rc.d/
- we can simply rely on ansible's service module without "manually" tweaking rc.conf.local with a file module (manually tweaking it is assumed to be more error prone)
- fewer lines are easier to maintain (and faster generated)

In the meantime (and as an alternative approach) I will simply go with rc.local.

Thanks for your feedback.

btw: github restored my account - repo is available again
Participants (2):
- Nusenu
- Richard Johnson