[tor-relays] tor relay recommended upgrade procedure?

Roger Dingledine arma at mit.edu
Sun Mar 30 01:47:57 UTC 2014

On Sun, Mar 30, 2014 at 11:21:02AM +1100, Zenaan Harkness wrote:
> > The Debian install script evidently gives tor 30 seconds to
> > disconnect, since it did stop tor after 30 seconds.

This is actually Tor's behavior. From the man page:

       ShutdownWaitLength NUM
           When we get a SIGINT and we're a server, we begin shutting down:
           we close listeners and start refusing new circuits. After NUM
           seconds, we exit. If we get a second SIGINT, we exit immediately.
           (Default: 30 seconds)

But you're right that the Debian init script has a bound on the time
it will let Tor sit around before it gives up and declares that it has
failed to do what you asked. See:
in /etc/init.d/tor

> > HOWEVER: killing tor in 30 seconds seems to me a little harsh on all
> > those anonymous connections that were previously going through my exit
> > relay. Can those clients (if they need) pick up their connections
> > after about 3 minutes? It appeared that all connections were
> > completely gone when I finally got tor restarted

As soon as your relay goes away the circuits will be cut, and the streams
that clients had on those circuits will be cut too. Whether those clients
will automatically reconnect those streams on new circuits depends on
the application.

> > Is there are a gentler way such as "don't take new connections, notify
> > clients we are going down for an upgrade" but allow continuation for
> > say up to 10 or 30 minutes?

You could set ShutdownWaitLength to something much larger. You'd want to
either do a controlled shutdown of Tor on your own, or modify the init
script so it knows you raised the value of ShutdownWaitLength.

> There is of course MaxAdvertisedBandwidth -
> so ought this option be set to say zero for say 10 or 20 minutes,
> before stopping/upgrading the server (either manually by admin, me, or
> assuming admin config allows this)?

No, a change to the advertised bandwidth of your relay will take hours
to propagate to clients.

> > Would that be better or could that be worse eg for privacy,
> > correlation attacks etc?
> Should I forward this question (or rather, create a thread) "optimal
> tor relay upgrade protocol" on tor-talk?

This list is the better choice.


More information about the tor-relays mailing list