Re: [tor-relays] How to Run High Capacity Tor Relays
Pardon the thread necromancy, but I'm wondering if this document ever made its way off this mailing list and onto a blog? Or perhaps there is some other modern doc covering this topic? I've recently setup a relay on a Gb/s fiber connection, and am struggling to understand how to optimize performance. It's not clear 5 years later which if any of the tweaks listed below are still relevant. I'm running a modern debian-based system. Thanks in advance.
After talking to Moritz and Olaf privately and asking them about their nodes, and after running some experiments with some high capacity relays, I've begun to realize that running a fast Tor relay is a pretty black art, with a lot of ad-hoc practice. Only a few people know how to do it, and if you just use Linux and Tor out of the box, your relay will likely underperform on 100Mbit links and above. In the interest of trying to help grow and distribute the network, my ultimate plan is to try to collect all of this lore, use Science to divine out what actually matters, and then write a more succinct blog post about it. However, that is a lot of work. It's also not totally necessary to do all this work, when you can get a pretty good setup with a rough superset of all of the ad-hoc voodoo. This post is thus about that voodoo. Hopefully others will spring forth from the darkness to dump their own voodoo in this thread, as I suspect there is one hell of a lot of it out there, some (much?) of which I don't yet know. Likewise, if any blasphemous heretic wishes to apply Science to this voodoo, they should yell out, "Stand Back, I'm Doing Science!" (at home please, not on this list) and run some experiments to try to eliminate options that are useless to Tor performance. Or cite academic research papers. (But that's not Science, that's computerscience - which is a religion like voodoo, but with cathedrals). Anyway, on with the draft:
== Machine Specs == First, you want to run your OS in x64 mode because openssl should do crypto faster in 64bit. Tor is currently not fully multithreaded, and tends not to benefit beyond 2 cores per process. Even then, the benefit is still marginal beyond just 1 core. 64bit Tor nodes require about one 2Ghz Xeon/Core2 core per 100Mbit of capacity. Thus, to fill an 800Mbit link, you need at least a dual socket, quad core cpu config. You may be able to squeeze a full gigabit out of one of these machines. As far as I know, no one has ever done this with Tor, on any one machine. The i7's also just came out in this form factor, and can do hyperthreading (previous models may list 'ht' in cpuinfo, but actually don't support it). This should give you a decent bonus if you set NumCPUs to 2, since ht tends to work better with pure integer math (like crypto). We have not benchmarked this config yet though, but I suspect it should fill a gigabit link fairly easily, possibly approaching 2Gbit. At full capacity, exit node Tor processes running at this rate consume about 500M of ram. You want to ensure your ram speed is sufficient, but most newish hardware is good. Using on this chart:
https://secure.wikimedia.org/wikipedia/en/wiki/List_of_device_bandwidths#Mem... you can do the math and see that with a dozen memcpys in each direction, you come out needing DDR2 to be able to push 1Gbit full duplex. As far as ethernet cards, the Intel e1000e *should* be theoretically good, but they seem to fail at properly irq balancing across multiple CPUs on recent kernels, which can cause you to bottleneck at 100% CPU on one core. At least that has been Moritz's experience. In our experiments, the RTL-8169 works fine (once tweaked, see below).
== System Tweakscript Wibbles and Config Splatters == First, you want to ensure that you run no more than 2 Tor instances per IP. Any more than this and clients will ignore them. Next, paste the following smattering into the shell (or just read it and make your own script): # Set the hard limit of open file descriptors really high. # Tor will also potentially run out of ports. ulimit -SHn 65000 # Set the txqueuelen high, to prevent premature drops ifconfig eth0 txqueuelen 20000 # Tell our ethernet card (interrupt found from /proc/interrupts) # to balance its IRQs across one whole CPU socket (4 cpus, mask 0f). # You only want one socket for optimal ISR and buffer caching. # # Note that e1000e does NOT seem to obey this, but RTL-8169 will. echo 0f > /proc/irq/17/smp_affinity # Make sure you have auxiliary nameservers. I've seen many ISP # nameservers fall over under load from fast tor nodes, both on our # nodes and from scans. Or run caching named and closely monitor it. echo "nameserver 8.8.8.8" >> /etc/resolv.conf echo "nameserver 4.2.2.2" >> /etc/resolv.conf # Load an amalgam of gigabit-tuning sysctls from: # http://datatag.web.cern.ch/datatag/howto/tcp.html # http://fasterdata.es.net/TCP-tuning/linux.html # http://www.acc.umu.se/~maswan/linux-netperf.txt # http://www.psc.edu/networking/projects/tcptune/#Linux # and elsewhere... # We have no idea which of these are needed yet for our actual use # case, but they do help (especially the nf-contrack ones): sysctl -p << EOF net.ipv4.tcp_rmem = 4096 87380 16777216 net.ipv4.tcp_wmem = 4096 65536 16777216 net.core.netdev_max_backlog = 2500 net.ipv4.tcp_no_metrics_save = 1 net.ipv4.tcp_moderate_rcvbuf = 1 net.core.rmem_max = 1048575 net.core.wmem_max = 1048575 net.ipv4.ip_local_port_range = 1025 61000 net.ipv4.tcp_synack_retries = 3 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_max_syn_backlog = 10240 net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_keepalive_time = 1200 net.netfilter.nf_conntrack_tcp_timeout_established=7200 net.netfilter.nf_conntrack_checksum=0 net.netfilter.nf_conntrack_max=131072 net.netfilter.nf_conntrack_tcp_timeout_syn_sent=15 net.ipv4.tcp_keepalive_time=60 net.ipv4.tcp_keepalive_time = 60 net.ipv4.tcp_keepalive_intvl = 10 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.ip_local_port_range = 1025 65530 net.core.netdev_max_backlog=300000 net.core.somaxconn=20480 net.ipv4.tcp_max_tw_buckets=2000000 net.ipv4.tcp_timestamps=0 vm.min_free_kbytes = 65536 net.ipv4.ip_forward=1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_synack_retries = 2 net.ipv4.conf.default.forwarding=1 net.ipv4.conf.default.proxy_arp = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.send_redirects = 1 net.ipv4.conf.all.send_redirects = 0 EOF # XXX: ethtool wibbles # You may also have to tweak some parameters with ethtool, possibly # also enabling some checksum offloading or irq coalescing options to # spare CPU, but for us this hasn't been needed yet.
== Setting up the Torrc == Basically you can just read through the stock example torrc, but there are some as-yet undocumented magic options, and options that need new defaults. # NumCPUs doesn't provide any benefit beyond 2, and setting it higher # may cause cache misses. NumCPUs 2 # These options have archaic maximums of 2-5Mbyte BandwidthRate 100 MB BandwidthBurst 200 MB
== Waiting for the Bootstrap and Measurement Process == Perhaps the most frustrating part of this setup is how long it takes for you to acquire traffic. If you are starting new at an ISP, I would consider only 200-400Mbit for your first month. Hitting that by the end of the month may be a challenge, mostly because their may be dips and total setbacks along the way. The slow rampup is primarily due to limitations in Tor's ability to rapidly publish descriptor updates, and to measure relays. It ends up taking about 2-3 days to hit an observed bandwidth of 2Mbyte/sec per relay, but it can take well over a week or more (Moritz, do you have a better number?) to reach 8-9Mbyte/relay. This is for an Exit node. A middle node will likely gather traffic slower. Also once you crash, you lose it. This bug is about that issue: https://trac.torproject.org/projects/tor/ticket/1863 There is also a potential dip when you get the Guard flag, as our load balancing formulas try to avoid you, but no clients have chosen you yet. Changes to the authority voting on Guards in Tor 0.2.2.15 should make this less drastic. It is also possible that your observed bandwidth will be greater than without it. However, it will still take up to 2 months for clients to choose you as their new Guard.
== Running temporary auxiliary nodes == One way to shortcut this process and avoid paying for bandwidth you don't use is to spin up a bunch of temporary nodes to utilize the CPU and quickly gather that easy first 2MB/sec of observed bandwidth. But you need the spare IPs to do this.
== Monitoring == Personally, I prefer console-based options like nload, top, and Damian's arm (http://www.atagar.com/arm/) because I don't like the idea of running extra services to publish my monitoring data to the world. Other people have web-based monitoring using things like munin and mrtg. It would be nice to get a script/howto for that too.
== Current 1-Box Capacity Record == Our setup has topped at 450Mbit, but averages between 300-400Mbit. We are currently having uptime issues due to heat (melting, poorly ventilated harddrives). It is likely that once we resolve this, we will continually increase to our CPU ceiling. I believe Moritz and Olaf also push this much capacity, possibly a bit more, but with less nodes (4 as opposed to our 8). I hear Jake is also ramping up some Guard nodes (or maybe I didn't? Did I just betray you again Jake?)
== Did I leave anything out? == Well, did I?
-- Mike Perry Mad Computer Scientist fscked.org evil labs
On 07/22/2015 12:57 AM, Green Dream wrote:
Pardon the thread necromancy, but I'm wondering if this document ever made its way off this mailing list and onto a blog? Or perhaps there is some other modern doc covering this topic?
We have https://www.torservers.net/wiki/setup/server . Most of the high bandwidth optimization parts are obsolete (and marked as such), modern kernels and modern OpenSSL do much better by default. -- Moritz Bartl https://www.torservers.net/
https://www.torservers.net/wiki/setup/server has excellent guidance for setting-up relays seriously. Would those at Torproject think about linking to it from their installation guides? Robert
We have https://www.torservers.net/wiki/setup/server . Most of the high bandwidth optimization parts are obsolete (and marked as such), modern kernels and modern OpenSSL do much better by default.
-- Moritz Bartl https://www.torservers.net/
On 07/22/2015 01:34 AM, I wrote:
https://www.torservers.net/wiki/setup/server has excellent guidance for setting-up relays seriously. Would those at Torproject think about linking to it from their installation guides?
Robert
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines links to it, as well as to https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity . Both these pages could use some overhaul, but they're not too bad. -- Moritz Bartl https://www.torservers.net/
Moritz and all, I mean no offence to anyone since we're all in this for the greater good, but really approaching joining the Tor community is pretty hard if you are not a Linux wiz and know about servers or a number of other things. I have tried to look around the multitude of interconnecting links but a lot are out of sync slightly or are not clear because of presumed knowledge and understanding or are irrelevant because of evolution Wouldn't it be better to be clear and neat in the way Torservers guides are? Would someone presume the Torproject installation guide was not complete and know where to look? Robert
On 07/22/2015 01:34 AM, I wrote:
https://www.torservers.net/wiki/setup/server has excellent guidance for setting-up relays seriously. Would those at Torproject think about linking to it from their installation guides?
Robert
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines links to it, as well as to https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity . Both these pages could use some overhaul, but they're not too bad.
-- Moritz Bartl
Robert: you're right. The group in general isn't very knowledge about Windows. I'm a Windows sysadmin and spent a long time deciphering the Tor documentation on windows and it's poor. Best info was another operator who posted on the mailing list months ago. I've reached out to the website maintainers and gotten radio silence on updating the Wiki for Windows. I've added other things to the wiki though (on exits). I'm a bit perplexed on the OS religiousness since we need more inclusive for Tor relays. We need a status of liberty, and the EFF's push isn't enough. Sigh.... -Ben -----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of I Sent: Tuesday, July 21, 2015 8:29 PM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] How to Run High Capacity Tor Relays Moritz and all, I mean no offence to anyone since we're all in this for the greater good, but really approaching joining the Tor community is pretty hard if you are not a Linux wiz and know about servers or a number of other things. I have tried to look around the multitude of interconnecting links but a lot are out of sync slightly or are not clear because of presumed knowledge and understanding or are irrelevant because of evolution Wouldn't it be better to be clear and neat in the way Torservers guides are? Would someone presume the Torproject installation guide was not complete and know where to look? Robert
On 07/22/2015 01:34 AM, I wrote:
https://www.torservers.net/wiki/setup/server has excellent guidance for setting-up relays seriously. Would those at Torproject think about linking to it from their installation guides?
Robert
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines links to it, as well as to https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity . Both these pages could use some overhaul, but they're not too bad.
-- Moritz Bartl
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 22 Jul 2015, at 22:14 , Ben Serebin <ben@reefsolutions.com> wrote:
Robert: you're right. The group in general isn't very knowledge about Windows. I'm a Windows sysadmin and spent a long time deciphering the Tor documentation on windows and it's poor. Best info was another operator who posted on the mailing list months ago. I've reached out to the website maintainers and gotten radio silence on updating the Wiki for Windows.
What's the specific issue? Is it the (static) website, or the wiki, that you want to edit? I've made all sorts of edits to the OS X portion of the wiki, and the only trouble I had was replacing an attachment. (But I could add another attachment as a workaround.) The website, on the other hand, probably needs a Trac ticket logged or, even better, a patch submitted to get updates.
I've added other things to the wiki though (on exits). I'm a bit perplexed on the OS religiousness since we need more inclusive for Tor relays. We need a status of liberty, and the EFF's push isn't enough.
There are all sorts of security risks associated with an operating system monoculture (or a library monoculture, for that matter). Once the OpenSSL monoculture developed a nasty rash of bugs (for example, heartbleed), alternatives were developed. As Linux configurations are considerably more diverse than OpenSSL installs (were), it's less likely, but I'd hate to see something similar happen to Linux in general, or Tor-on-Linux in particular. Because a single bug in a common configuration carries the risk of compromising large portions of the Tor network. And there are known state and non-state actors who would take a childish delight in making it happen. As an aside: The 20 July 2015 platform percentages on https://metrics.torproject.org/servers-data.html are: 87.9 Linux 6.9 Windows 4.5 FreeBSD 0.5 Darwin (OS X, OpenDarwin, …) 0.1 Other It's an engineering question whether the proportion of any operating system should be increased or decreased in the Tor network. (Not a social question.) We could consider attributes like security, closed-source, performance, and ease of configuration, and many others, when making this decision; as well as the dangers of an OS monoculture. Looking at the stats above, I wonder: Should any OS comprise more than (for example) half the Tor network? Should OSs with poor security records comprise more than (for example) 10% of the Tor network? In total, or separately? Should closed-source OSs comprise more than (for example) 10% of the Tor network? In total, or separately? I don't know the answers to these questions, but I wonder if we could reach a consensus on them. (Of course, a human consensus is very much a question of group culture, as much as it is of engineering tradeoffs. Are we dogmatically OS religious? I hope not.) As these questions have been considered for the Tor Directory Authorities, perhaps a (relaxed) version could be used for the diversity of the entire network? (Is there a policy on OS diversity among directory authorities?) Tim
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of I Sent: Tuesday, July 21, 2015 8:29 PM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] How to Run High Capacity Tor Relays
Moritz and all,
I mean no offence to anyone since we're all in this for the greater good, but really approaching joining the Tor community is pretty hard if you are not a Linux wiz and know about servers or a number of other things.
I have tried to look around the multitude of interconnecting links but a lot are out of sync slightly or are not clear because of presumed knowledge and understanding or are irrelevant because of evolution
Wouldn't it be better to be clear and neat in the way Torservers guides are? Would someone presume the Torproject installation guide was not complete and know where to look?
Robert
On 07/22/2015 01:34 AM, I wrote:
https://www.torservers.net/wiki/setup/server has excellent guidance for setting-up relays seriously. Would those at Torproject think about linking to it from their installation guides?
Robert
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines links to it, as well as to https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity . Both these pages could use some overhaul, but they're not too bad.
-- Moritz Bartl
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Tim Wilson-Brown (teor) teor2345 at gmail dot com pgp ABFED1AC https://gist.github.com/teor2345/d033b8ce0a99adbc89c5 teor at blah dot im OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7
I attempted to edit the following page under Win32 to add a Windows install guide and not able to (like I said, I was able to edit the exit page) https://trac.torproject.org/projects/tor/wiki And Under Win32 This page is 404 "Vidalia is a cross-platform controller GUI for Tor" I'd like to get the Windows documentation much improved since there's a lot of good info out there and I have experience too. -Ben -----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of teor Sent: Wednesday, July 22, 2015 11:08 AM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] How to Run High Capacity Tor Relays
On 22 Jul 2015, at 22:14 , Ben Serebin <ben@reefsolutions.com> wrote:
Robert: you're right. The group in general isn't very knowledge about Windows. I'm a Windows sysadmin and spent a long time deciphering the Tor documentation on windows and it's poor. Best info was another operator who posted on the mailing list months ago. I've reached out to the website maintainers and gotten radio silence on updating the Wiki for Windows.
What's the specific issue? Is it the (static) website, or the wiki, that you want to edit? I've made all sorts of edits to the OS X portion of the wiki, and the only trouble I had was replacing an attachment. (But I could add another attachment as a workaround.) The website, on the other hand, probably needs a Trac ticket logged or, even better, a patch submitted to get updates.
I've added other things to the wiki though (on exits). I'm a bit perplexed on the OS religiousness since we need more inclusive for Tor relays. We need a status of liberty, and the EFF's push isn't enough.
There are all sorts of security risks associated with an operating system monoculture (or a library monoculture, for that matter). Once the OpenSSL monoculture developed a nasty rash of bugs (for example, heartbleed), alternatives were developed. As Linux configurations are considerably more diverse than OpenSSL installs (were), it's less likely, but I'd hate to see something similar happen to Linux in general, or Tor-on-Linux in particular. Because a single bug in a common configuration carries the risk of compromising large portions of the Tor network. And there are known state and non-state actors who would take a childish delight in making it happen. As an aside: The 20 July 2015 platform percentages on https://metrics.torproject.org/servers-data.html are: 87.9 Linux 6.9 Windows 4.5 FreeBSD 0.5 Darwin (OS X, OpenDarwin, …) 0.1 Other It's an engineering question whether the proportion of any operating system should be increased or decreased in the Tor network. (Not a social question.) We could consider attributes like security, closed-source, performance, and ease of configuration, and many others, when making this decision; as well as the dangers of an OS monoculture. Looking at the stats above, I wonder: Should any OS comprise more than (for example) half the Tor network? Should OSs with poor security records comprise more than (for example) 10% of the Tor network? In total, or separately? Should closed-source OSs comprise more than (for example) 10% of the Tor network? In total, or separately? I don't know the answers to these questions, but I wonder if we could reach a consensus on them. (Of course, a human consensus is very much a question of group culture, as much as it is of engineering tradeoffs. Are we dogmatically OS religious? I hope not.) As these questions have been considered for the Tor Directory Authorities, perhaps a (relaxed) version could be used for the diversity of the entire network? (Is there a policy on OS diversity among directory authorities?) Tim
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of I Sent: Tuesday, July 21, 2015 8:29 PM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] How to Run High Capacity Tor Relays
Moritz and all,
I mean no offence to anyone since we're all in this for the greater good, but really approaching joining the Tor community is pretty hard if you are not a Linux wiz and know about servers or a number of other things.
I have tried to look around the multitude of interconnecting links but a lot are out of sync slightly or are not clear because of presumed knowledge and understanding or are irrelevant because of evolution
Wouldn't it be better to be clear and neat in the way Torservers guides are? Would someone presume the Torproject installation guide was not complete and know where to look?
Robert
On 07/22/2015 01:34 AM, I wrote:
https://www.torservers.net/wiki/setup/server has excellent guidance for setting-up relays seriously. Would those at Torproject think about linking to it from their installation guides?
Robert
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines links to it, as well as to https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity . Both these pages could use some overhaul, but they're not too bad.
-- Moritz Bartl
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Tim Wilson-Brown (teor) teor2345 at gmail dot com pgp ABFED1AC https://gist.github.com/teor2345/d033b8ce0a99adbc89c5 teor at blah dot im OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7
On 23 Jul 2015, at 02:24 , Ben Serebin <ben@reefsolutions.com> wrote:
I attempted to edit the following page under Win32 to add a Windows install guide and not able to (like I said, I was able to edit the exit page)
That page is WikiStart and it's locked down (most users can't edit it, myself included). You can edit or create any other page on the wiki, though. Is there an existing Windows install guide? If not, a URL like https://trac.torproject.org/projects/tor/wiki/doc/WindowsRelayInstall should allow you to create the page WindowsRelayInstall. Once the page is there, it should be easier to get it linked from the front page. Please log a Trac ticket for the link from WikiStart once the Windows install page is ready.
And Under Win32 This page is 404 "Vidalia is a cross-platform controller GUI for Tor"
We should get that removed. Vidalia is unmaintained. Please log a Trac ticket for this, too. It makes sure it won't get lost.
I'd like to get the Windows documentation much improved since there's a lot of good info out there and I have experience too.
Please do, with 6.9% of the network on Windows (#2 OS after Linux), the least we can do is document how to set it up correctly / securely, and any tradeoffs involved in using Windows vs Linux. Tim
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of teor Sent: Wednesday, July 22, 2015 11:08 AM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] How to Run High Capacity Tor Relays
On 22 Jul 2015, at 22:14 , Ben Serebin <ben@reefsolutions.com> wrote:
Robert: you're right. The group in general isn't very knowledge about Windows. I'm a Windows sysadmin and spent a long time deciphering the Tor documentation on windows and it's poor. Best info was another operator who posted on the mailing list months ago. I've reached out to the website maintainers and gotten radio silence on updating the Wiki for Windows.
What's the specific issue? Is it the (static) website, or the wiki, that you want to edit?
I've made all sorts of edits to the OS X portion of the wiki, and the only trouble I had was replacing an attachment. (But I could add another attachment as a workaround.)
The website, on the other hand, probably needs a Trac ticket logged or, even better, a patch submitted to get updates.
I've added other things to the wiki though (on exits). I'm a bit perplexed on the OS religiousness since we need more inclusive for Tor relays. We need a status of liberty, and the EFF's push isn't enough.
There are all sorts of security risks associated with an operating system monoculture (or a library monoculture, for that matter).
Once the OpenSSL monoculture developed a nasty rash of bugs (for example, heartbleed), alternatives were developed.
As Linux configurations are considerably more diverse than OpenSSL installs (were), it's less likely, but I'd hate to see something similar happen to Linux in general, or Tor-on-Linux in particular. Because a single bug in a common configuration carries the risk of compromising large portions of the Tor network.
And there are known state and non-state actors who would take a childish delight in making it happen.
As an aside:
The 20 July 2015 platform percentages on https://metrics.torproject.org/servers-data.html are: 87.9 Linux 6.9 Windows 4.5 FreeBSD 0.5 Darwin (OS X, OpenDarwin, …) 0.1 Other
It's an engineering question whether the proportion of any operating system should be increased or decreased in the Tor network. (Not a social question.) We could consider attributes like security, closed-source, performance, and ease of configuration, and many others, when making this decision; as well as the dangers of an OS monoculture.
Looking at the stats above, I wonder:
Should any OS comprise more than (for example) half the Tor network? Should OSs with poor security records comprise more than (for example) 10% of the Tor network? In total, or separately? Should closed-source OSs comprise more than (for example) 10% of the Tor network? In total, or separately?
I don't know the answers to these questions, but I wonder if we could reach a consensus on them. (Of course, a human consensus is very much a question of group culture, as much as it is of engineering tradeoffs. Are we dogmatically OS religious? I hope not.)
As these questions have been considered for the Tor Directory Authorities, perhaps a (relaxed) version could be used for the diversity of the entire network? (Is there a policy on OS diversity among directory authorities?)
Tim
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of I Sent: Tuesday, July 21, 2015 8:29 PM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] How to Run High Capacity Tor Relays
Moritz and all,
I mean no offence to anyone since we're all in this for the greater good, but really approaching joining the Tor community is pretty hard if you are not a Linux wiz and know about servers or a number of other things.
I have tried to look around the multitude of interconnecting links but a lot are out of sync slightly or are not clear because of presumed knowledge and understanding or are irrelevant because of evolution
Wouldn't it be better to be clear and neat in the way Torservers guides are? Would someone presume the Torproject installation guide was not complete and know where to look?
Robert
On 07/22/2015 01:34 AM, I wrote:
https://www.torservers.net/wiki/setup/server has excellent guidance for setting-up relays seriously. Would those at Torproject think about linking to it from their installation guides?
Robert
https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines links to it, as well as to https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity . Both these pages could use some overhaul, but they're not too bad.
-- Moritz Bartl
On Wed, Jul 22, 2015 at 11:08 AM, teor <teor2345@gmail.com> wrote:
The 20 July 2015 platform percentages on https://metrics.torproject.org/servers-data.html are: 87.9 Linux 6.9 Windows 4.5 FreeBSD 0.5 Darwin (OS X, OpenDarwin, …) 0.1 Other
with counts... 6042 Linux 83% 889 Windows 12% 220 FreeBSD 3% 71 OpenBSD 1% 41 Darwin .5% 10 NetBSD .1% 5 SunOS 4 DragonFly 4 Bitrig 1 GNU/kFreeBSD 1 ElectroBSD Market share doesn't really say anything about ability to fill the relay role, after all, any well managed OS can run a daemon and pass packets relatively securely. If you're not bent on Linux, or are already on one OS, choose any other OS, learn something new. Diversity is not just about diversity in relays. Personal diversity feeds back into the crypto, privacy, freedom sphere in more ways than one.
On Fri, Jul 24, 2015 at 04:06:14AM -0400, grarpamp wrote:
On Wed, Jul 22, 2015 at 11:08 AM, teor <teor2345@gmail.com> wrote:
The 20 July 2015 platform percentages on https://metrics.torproject.org/servers-data.html are: 87.9 Linux 6.9 Windows 4.5 FreeBSD 0.5 Darwin (OS X, OpenDarwin, …) 0.1 Other
with counts... 6042 Linux 83% 889 Windows 12% 220 FreeBSD 3% 71 OpenBSD 1% 41 Darwin .5% 10 NetBSD .1% 5 SunOS 4 DragonFly 4 Bitrig 1 GNU/kFreeBSD 1 ElectroBSD
Market share doesn't really say anything about ability to fill the relay role,
Good point. This also may not be the revealing indication of market share. The distribution can be quite different if the question is not number of relays per platform but fraction of bandwidth by platform or probability of being chosen as exit (or guard, etc.) by platform. aloha, Paul
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
6042 Linux 83% 889 Windows 12% 220 FreeBSD 3% 71 OpenBSD 1% 41 Darwin .5% 10 NetBSD .1% 5 SunOS 4 DragonFly 4 Bitrig 1 GNU/kFreeBSD 1 ElectroBSD
Market share doesn't really say anything about ability to fill the relay role,
Good point. This also may not be the revealing indication of market share. The distribution can be quite different if the question is not number of relays per platform but fraction of bandwidth by platform or probability of being chosen as exit (or guard, etc.) by platform.
+--------+---------+----------+--------+---------+ | OS | #relays | cw_fract | exit_p | guard_p | +--------+---------+----------+--------+---------+ | Linux | 5691 | 94.654 | 95.137 | 94.690 | | FreeBSD| 207 | 3.728 | 2.847 | 4.457 | | Windows| 473 | 0.547 | 0.390 | 0.103 | | SunOS | 5 | 0.507 | 1.172 | 0.336 | | OpenBSD| 67 | 0.313 | 0.233 | 0.171 | | Darwin | 29 | 0.126 | 0.090 | 0.115 | | Electr | 1 | 0.054 | 0.000 | 0.088 | | Bitrig | 4 | 0.032 | 0.128 | 0.000 | | NetBSD | 9 | 0.032 | 0.000 | 0.037 | | Dragon | 4 | 0.002 | 0.000 | 0.000 | | GNU/kF | 1 | 0.002 | 0.000 | 0.000 | +--------+---------+----------+--------+---------+ onionoo.thecthulhu.com's data from 2015-07-24 14:00 UTC (running relays only) https://trac.torproject.org/projects/tor/ticket/14862 https://trac.torproject.org/projects/tor/ticket/6856 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJVslJGAAoJEFv7XvVCELh0cH0P/RoK9CUBbZUpYCHCKgnLGhN7 C9o19bFBZfAEjArpQIbWzFw/Xy/wkFh6kmSbdD8MFK4xpPbUsOishEROct/Iemb+ F/Vw8iIOVsnTCNzyCUN6O9sW28223q6VyT8jdWjlmDQsPfMGiEoR5lg9PNTyKish 4nAqhxb9OliHJEpWDhl02rN3OL+NFxvOOFYEaOda6YXgsPKnkE+aGsliy+cumxDH euJdpGRDwYHOSnlRoAbdHWUJolPLYbs9Z9q6FlDFogqZkLSGzap/SOcbV+KuYhMb sXWbXIYNNXPpJcwWTyt1zQOTx5YsWdBEqU84jPOJ19XSY8HYFj9aF8q9T1givzuX L064uB6YgJqHS8hO1ZtF/7YPNX98ZOLH80HaBwCXJuyNjyHCWCeyE/OUGuKr+1w4 Cjsm8Ntf/y7CpBFnC4p0lyUeCqZsqOGnH0AdDF/7qaP+4XoApKfsuYqD9hnKJxf+ t15evCg4KJznMqpdbfUbh19l+EH/tSyPcy+jcN5SwAbJ234sCnkFruXKF8YR4380 1JdCPSws9plsMjGji+KmfOu1QHhzw/t09Lv6RYC1TH+ChuUyXXX5E251fj1q0Cja 9lfe2K0xc/jLSYyM61a3L8lUIp6FuZMZzbUyWAUCHnUV0QuphST0osMvNSpPghPH WTYDZMnm7gO0IhptmnHs =qIfp -----END PGP SIGNATURE-----
participants (8)
-
Ben Serebin -
grarpamp -
Green Dream -
I -
Moritz Bartl -
nusenu -
Paul Syverson -
teor