On Mittwoch, 10. Juli 2024 00:32:04 CEST Osservatorio Nessuno via tor-relays wrote:

we are planning to get some hardware to run a physical Tor exit node, starting with a 1Gbps dedicated, unmetered uplink (10Gbps downlink). We will also route a /24 on it, so we will have large availability of addresses to run multiple instances. We have been running a few exit nodes so far, but never on our own hardware.

Your bottleneck is the 1G uplink. For comparison, I have 2x Xeon E5-2680v2 10C/20T and 256Gb RAM 2x 10G nic (LACP bond) and I can not achieve 10G throughput with it. As a rule of thumb, I would always count one instance per thread or core. I have 40T and 40 tor exit instances.

F3Netze has specified the hardware in Contact info: https://metrics.torproject.org/rs.html#search/185.220.100.

Which is the bandwith limit per core/Tore instance? Or what can we expect to be the bottleneck?

That depends on the CPU clock speed. Fast Ryzen or Epyc's can do 50-70 MiB/s per core/instance.

Due to some other requirements we need for some experiments (SFP ports, coreboot support, etc) we can mainly choose between these 2 CPUs: Intel i5-1235U Intel i7-1255U

The cost between the two models is significant enough in our case to pick the i7 only if it's really useful.

In both cases with 32GB of DDR5 RAM (we can max to 64 if needed, but is it?).

Should this allow us to saturate the uplink?

Guards need more resources than exits since the introduction of congestion- control and because of DDoS I would use 64GB RAM for a guard. With your IP space and 1G uplink, I would take the i5 with 32Gb, save the money and maybe add a second server later. Or if you build the hardware yourself, look for a used Epyc or Ryzen server. 16 or 32 core with high _base_ clock. Used server hardware from the data center is like new.

To summarize, with this bandwith, this hardware and a /24 how many Tor exit nodes should be ideal to run considering that each of them could have their own address?

https://metrics.torproject.org/rs.html#search/185.220.101. We are 5 relay orgs sharing a /24. Currently 5x 2x10G(or 25G) With now 8 relays per IP, over 2000 instances can run in a /24 subnet. It would be nice if you share the subnet with 1-2 other relay operators.

Hi,

Imo mobile chips with mostly low-performance 'efficient cores' are a suboptimal fit for running Tor at scale. A couple of reasons:

- Performance between the different core types (efficient vs. performance) is very different. You would need to lock Tor processes to specific cores and accept that you can only run 2 fast relays (and 8 slow ones), or have 10 of them capped at the efficient core's performance profile (because the Tor processes would get swapped around all the time). - These CPUs aren't build for sustained loads so their real world sustained clock speed is significantly lower than their turbo speed, hampering their performance (especially compared to benchmarks).

That being said, especially the 2 performance cores are quite decent and should be able to push some nice amount of Tor traffic (with some help from the efficient cores). My guess is that the i7 would not saturate a 1 Gb/s link (probably 600-650 Mb/s when utilizing all cores effectively) if your relays have the guard flag. Middle only relays would push more traffic. So with some quirks/workarounds, I think you could certainly make these CPUs work (but I still wouldn't recommend them).

Do you need SFP or SFP+? Both aren't a feature of the CPU (except for some embedded SoCs) and are generally easily/cheaply available. For example the Intel X520-DA2 and Mellanox ConnectX-3 are extremely affordable second hand or refurbished and both of the CPUs have enough PCI-e lanes to run them at full speed.

Regarding i5 vs i7: the i7 effectively only has a higher sustained clock speed and marginally better GPU (which is irrelevant for Tor) but otherwise is pretty much identical. If the difference would be small (i.e. ~20 euro/dollar) I would go for the i7 but otherwise I wouldn't bother. Your mileage may vary of course :-).

About RAM: Tor is (for the most part) single threaded so quite a few operators run one Tor process per physical core or per thread. In your case this would mean 10 or 12 Tor relays. Especially guard relays can go out of memory very easily nowadays because of all sorts of attacks, so I wouldn't recommend less than 4 GB of available RAM per relay (so 40-48 GB for Tor + X GB for OS/networking/routing/firewall/services/etc.). 90% of the time you don't need it, but when you do need it it makes sure Tor doesn't crash, your kernel doesn't panic and your server stays responsive (e.g. ssh) etc. You could also run less relays (or limit their bandwidth) and keep it at 32 GB of RAM, but then you would have a harder time to saturate the uplink.

Cheers,

tornth

Jul 10, 2024, 11:30 by tor-relays@lists.torproject.org:

Hi everyone, we are planning to get some hardware to run a physical Tor exit node, starting with a 1Gbps dedicated, unmetered uplink (10Gbps downlink). We will also route a /24 on it, so we will have large availability of addresses to run multiple instances. We have been running a few exit nodes so far, but never on our own hardware.

Which is the bandwith limit per core/Tore instance? Or what can we expect to be the bottleneck?

Due to some other requirements we need for some experiments (SFP ports, coreboot support, etc) we can mainly choose between these 2 CPUs: Intel i5-1235U Intel i7-1255U

The cost between the two models is significant enough in our case to pick the i7 only if it's really useful.

In both cases with 32GB of DDR5 RAM (we can max to 64 if needed, but is it?).

Should this allow us to saturate the uplink?

To summarize, with this bandwith, this hardware and a /24 how many Tor exit nodes should be ideal to run considering that each of them could have their own address?

Thanks! _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays