Dear all,
I run an exit node on Debian stretch, fingerprint 13E75F70220903A68BAF1F80B3DA9AB913961841. I would like to use more bandwidth, but I'm unsure how to do that with systemd.

So, let's say I want two exit nodes, each at 20MB/s. As per https://www.torservers.net/wiki/setup/server#high_bandwidth_tweaks_100_mbps, I am supposed to use

tor-instance-create tor{1,2} [1]
systemctl enable tor@tor1
etc.

but what goes in the individual tor@tor1 torrc in /etc/tor/instances/tor1/torrc and what goes in the main instance in /etc/tor/torrc?

Looking at the status for the new instance

systemctl status tor@tor1
Process: 22722 ExecStartPre=/usr/bin/tor --defaults-torrc /var/run/tor-instances/tor1.defaults -f /etc/tor/instances/tor1/torrc --verify-config

it seems the main torrc is not read, so maybe this is just a fancy way of doing the "old"

/usr/sbin/tor -f /usr/local/etc/torrc1
/usr/sbin/tor -f /usr/local/etc/torrc2
...

with separate configuration files and datadir?

I have a few extra IPv4 addresses. Should I allow each instance its own IP or is sharing fine with one having (80,443) and the other (9091,9030) as (OR,DIR)port? I am aware that one IP can only be shared between two instances.

Another question: Should I set the NumCPUs option to 2 or just leave it at 0 (default)? https://www.torproject.org/docs/tor-manual.html.en#NumCPUs

The processor is a bit old:
Model name: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz

pidstat 5 -p `pidof tor`
Linux 4.9.0-3-amd64 (tiger) 2017-07-01 _x86_64_ (4 CPU)

23:38:33   UID   PID    %usr  %system  %guest   %CPU  CPU  Command
23:38:38   127  10706  38,60    16,80    0,00  55,40    2  tor
23:38:43   127  10706  37,20    14,20    0,00  51,40    3  tor
23:38:48   127  10706  33,20    12,20    0,00  45,40    3  tor
23:38:53   127  10706  41,00    11,80    0,00  52,80    3  tor
23:38:58   127  10706  46,40    14,80    0,00  61,20    2  tor

And finally: Do you change the number of maximum file descriptors? As of now,

cat /proc/sys/fs/file-nr
9248 0 163085

where

ls -l /proc/`echo $(pidof tor)`/fd | wc -l
5866

Best,
Paw

[1] http://manpages.ubuntu.com/manpages/zesty/man8/tor-instance-create.8.html

Paw Møller:
> I am supposed to use
> tor-instance-create tor{1,2} [1]
> systemctl enable tor@tor1
> etc.
>
> but what goes in the individual tor@tor1 torrc in /etc/tor/instances/tor1/torrc and what goes in the main instance in /etc/tor/torrc?

When you create additional tor instances on the same host you can treat their torrc files individually with two exceptions:
- don't run more than 2 instances per IP
- (and obviously do not use the same ports to bind to / data dirs)

> I have a few extra IPv4 addresses. Should I allow each instance its own IP or is sharing fine with one having (80,443) and the other (9091,9030) as (OR,DIR)port?

Sharing is fine if you do not run more than 2 instances per IP.

> I am aware that one IP can only be shared between two instances.

Great, that is the most important point when running multiple instances on a single host.

If you run more than a single host you might also want to look into something that does all that work (and more) for you: https://github.com/nusenu/ansible-relayor

On 2 Jul 2017, at 10:02, nusenu nusenu-lists@riseup.net wrote:
> Paw Møller:
>> I am supposed to use
>> tor-instance-create tor{1,2} [1]
>> systemctl enable tor@tor1
>> etc.
>>
>> but what goes in the individual tor@tor1 torrc in /etc/tor/instances/tor1/torrc and what goes in the main instance in /etc/tor/torrc?

/etc/tor/torrc is not used as the defaults torrc file. It's the torrc file for tor@default.service, and /etc/tor/defaults-torrc (?) is its defaults file.

/etc/tor/tor-service-defaults-torrc-instances is the template file for each instance's defaults torrc file. You can use it to name instances and set common torrc options.

> When you create additional tor instances on the same host you can treat their torrc files individually with two exceptions:
> - don't run more than 2 instances per IP
> - (and obviously do not use the same ports to bind to / data dirs)

Using /etc/tor/tor-service-defaults-torrc-instances is easier, unless you use something even more automated:

> If you run more than a single host you might also want to look into something that does all that work (and more) for you: https://github.com/nusenu/ansible-relayor

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------

On 02.07.2017 00:03, Paw Møller wrote:
> it seems the main torrc is not read, so maybe this is just a fancy way of doing the "old"
> /usr/sbin/tor -f /usr/local/etc/torrc1
> /usr/sbin/tor -f /usr/local/etc/torrc2
> ...
> with separate configuration files and datadir?

Yes.

> I have a few extra IPv4 addresses. Should I allow each instance its own IP or is sharing fine with one having (80,443) and the other (9091,9030) as (OR,DIR)port? I am aware that one IP can only be shared between two instances.

It does not really matter that much for exit relays. For guards, clients may have difficulty reaching "non-standard ports". ORPort 443 and DirPort 80 make the most sense, as to the casual bystander it looks like any other HTTPS/HTTP connection, so I would use multiple IPs and 443/80.

> Another question: Should I set the NumCPUs option to 2 or just leave it at 0 (default)? https://www.torproject.org/docs/tor-manual.html.en#NumCPUs

In some cases of severe optimization, you might want to use NumCPUs 1 to pin Tor to one CPU core. In all other cases, I would simply leave it at 0 (auto detect).

> And finally: Do you change the number of maximum file descriptors?

In most cases this should not be necessary.

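A pre-flight check for the two rules given in the replies above (no more than 2 instances per IP, no shared ports or data dirs), as an added example that is not part of the original thread or of any Tor tooling. The sample torrc contents, the 192.0.2.10 address and the function names are constructed for illustration; counting a bare port against the instance's Address value is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample: two instance torrc files sharing one documentation IP.
SAMPLE_OK = {
    "tor1": "Address 192.0.2.10\nORPort 443\nDirPort 80\n",
    "tor2": "Address 192.0.2.10\nORPort 192.0.2.10:9091  # explicit bind\nDirPort 9030\n",
}

def parse_torrc(text):
    """Return {option_lowercased: [values]}, skipping comments and blank lines."""
    opts = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def listeners(opts):
    """Yield (ip, port) per ORPort/DirPort line.

    Assumption: a bare port counts against the instance's Address value.
    """
    default_ip = (opts.get("address") or ["unspecified"])[0]
    for key in ("orport", "dirport"):
        for value in opts.get(key, []):
            if value:
                ip, _, port = value.split()[0].rpartition(":")  # drop trailing flags
                yield (ip or default_ip, port)

def check_instances(configs):
    """Return a list of human-readable rule violations (empty list = OK)."""
    problems, per_ip, bound, datadirs = [], defaultdict(set), {}, {}
    for name in sorted(configs):
        opts = parse_torrc(configs[name])
        for ip, port in listeners(opts):
            per_ip[ip].add(name)
            if (ip, port) in bound:
                problems.append(f"{ip}:{port} is used by {bound[(ip, port)]} and {name}")
            bound.setdefault((ip, port), name)
        for path in opts.get("datadirectory", []):
            if path in datadirs:
                problems.append(f"DataDirectory {path} is shared by {datadirs[path]} and {name}")
            datadirs.setdefault(path, name)
    for ip in sorted(per_ip):
        if len(per_ip[ip]) > 2:
            problems.append(f"{ip} carries {len(per_ip[ip])} instances: "
                            + ", ".join(sorted(per_ip[ip])))
    return problems

if __name__ == "__main__":
    print(check_instances(SAMPLE_OK) or "no problems found")
```

To run it against a real host, read each /etc/tor/instances/<name>/torrc into the dictionary passed to check_instances.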
tor-relays@lists.torproject.org