[tor-relays] new ansible-tor features: automatic instance configuration + automatic MyFamily generation (PATCH)

David Stainton dstainton415 at gmail.com
Mon Feb 16 18:59:50 UTC 2015


Hi Nusenu,

Thanks for the patch. You've added quite a few more features than 2.
Would you mind telling me which 2 features are critical for your
use-case and why?
Can you share your ansible-tor playbook? Perhaps a redacted copy if
you have sensitive information in it...

I'd like for this ansible role to be useful to relay operators like
yourself... so I'm very interested in learning about how you'd like to
use it.

Why do you think the ORPorts should default to 80 and 443?
Are you operating an exit relay?

This is a good idea -> added torrc sanity check (tor --verify-config)

I think your auto tor instance deployment feature should be an
optional feature that is off by default.

The idea of collecting fingerprints for the myfamily torrc option is
definitely a good one.

If using configure_apt_single.yml then the torrc is in fact owned by
root... and tor will then drop privs. The other way tor is deployed
with this role is using the configure_tor_instance.yml... and I
suppose the individual torrc files could be owned as root as long as
they are readable by the tor user. But does this matter? What are the
implications?

I'd be much more likely to merge your patches if they were one feature
per patch... instead of this monolithic patch with many features.

Furthermore... I hate centralized media and all but github sure would
make patch submission and review easier. I definitely do not need any
gpg signature on patches submitted. Your code will be reviewed no
matter who has signed your key. =-p


Sincerely,

David


On Mon, Feb 16, 2015 at 5:57 PM, Nusenu <nusenu at openmailbox.org> wrote:
> Hi David,
>
> thanks for creating ansible-tor. I added two features that are crucial
> to me and maybe useful for others as well. If you like it, feel free
> to merge - this is my first ansible experience and it is lightly tested.
>
> Example:
> let's say you have added a new server to your inventory. The server has
> 3 public IP addresses (1.1.1.1, 2.2.2.2, 3.3.3.3). After running
> ansible-tor with the new changes you will have the following 6 tor
> instances/ORPorts running (without manually specifying IP addresses
> first):
>
> 1.1.1.1:80
> 1.1.1.1:443
> 2.2.2.2:80
> 2.2.2.2:443
> 3.3.3.3:80
> 3.3.3.3:443
>
> including MyFamily configuration across all servers/instances.
>
> regards,
> Nusenu
>
> changes
> =======
>
> - auto instance deployment without manual IP/ORPort configuration (new)
>         starts 2 tor instances per available IP address by default
>         makes manually specifying IP addresses and ORPorts via
>         proc_instances obsolete
>         ORPorts default to 80 and 443 (DirPort not added yet)
>         replace "single.yml" + "instances.yml" -> instance.yml only
>         (handles both cases dynamically)
>
> - MyFamily autogeneration (new)
>         Keeping all relay fingerprints in sync is probably one
>         of the most annoying tasks for a relay operator
>         managing multiple relays, now ansible takes care of this
>         (all relays need to be in the 'relays' group)
>
> - directory structure (changed)
>         defaults:
>         configs -> /etc/tor/<ip>_<orport>.torrc
>         log dir -> /var/log/tor/<ip>_<orport>.log
>         datadir -> /var/lib/tor/<ip>_<orport>/
>         pid dir -> /var/run/tor/<ip>_<orport>.pid
>
>         (previously everything was located in /etc)
>
> - added torrc sanity check (tor --verify-config) (new)
>
> - torrc files are owned by root (previously owned by $tor_user)
>
> - the pid file check has been removed since the file is not required
>   to exist (it will be created when tor starts)
>
>
> open
> -----
> - it does not take care of instance removals yet
>   (in case IPs are no longer available or the number of ORPorts has
>   been reduced)
> - allow opt-out -> only 1 tor instance per host
>   (even if there are more IPs available)
> - DirPort support
> - detect RFC1918 IPs (opt-in)
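The layout the quoted patch describes (two instances per public IP on ORPorts 80 and 443, the `<ip>_<orport>` file naming, and one MyFamily line shared by every relay in the 'relays' group), as an added Python model that is not part of ansible-tor or of either mail. Host names, IPs and fingerprints are constructed, and the opt-in RFC1918 filter and the single-ORPort override go beyond the patch to two of the items listed under "open".

```python
import hashlib
import ipaddress
from textwrap import dedent

DEFAULT_ORPORTS = (80, 443)  # the patch's defaults; DirPort is not handled


def usable_ips(ips, skip_private=False):
    """Opt-in RFC1918/loopback filter (listed as 'open' in the patch notes)."""
    return [ip for ip in ips if not (skip_private and ipaddress.ip_address(ip).is_private)]


def instance_paths(ip, orport):
    """Per-instance files following the patch's <ip>_<orport> naming."""
    base = f"{ip}_{orport}"
    return {"torrc": f"/etc/tor/{base}.torrc", "log": f"/var/log/tor/{base}.log",
            "datadir": f"/var/lib/tor/{base}/", "pidfile": f"/var/run/tor/{base}.pid"}


def plan_instances(inventory, orports=DEFAULT_ORPORTS, skip_private=False):
    """inventory maps each host in the 'relays' group to its IPs -> (host, ip, orport) tuples."""
    return [(host, ip, port) for host, ips in sorted(inventory.items())
            for ip in usable_ips(ips, skip_private) for port in orports]


def fake_fingerprint(ip, orport):
    """Constructed stand-in for the fingerprint tor writes to its DataDirectory after first start."""
    return hashlib.sha1(f"{ip}:{orport}".encode()).hexdigest().upper()


def render_torrc(ip, orport, family):
    """One torrc: bind the ORPort to a single IP and list the whole family by fingerprint."""
    p = instance_paths(ip, orport)
    return dedent(f"""\
        ORPort {ip}:{orport}
        Log notice file {p['log']}
        DataDirectory {p['datadir']}
        PidFile {p['pidfile']}
        MyFamily {','.join('$' + fp for fp in sorted(family))}
    """)


def build_configs(inventory, orports=DEFAULT_ORPORTS, skip_private=False):
    """Return {torrc path: contents}; the MyFamily line is identical on every instance."""
    plan = plan_instances(inventory, orports, skip_private)
    family = {fake_fingerprint(ip, port) for _, ip, port in plan}
    return {instance_paths(ip, port)["torrc"]: render_torrc(ip, port, family)
            for _, ip, port in plan}


INVENTORY = {"relay-a": ["1.1.1.1", "2.2.2.2", "3.3.3.3"]}  # constructed, as in the mail

if __name__ == "__main__":
    for path, torrc in build_configs(INVENTORY).items():
        print(f"# {path}\n{torrc}")
```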

