[tor-relays] new ansible-tor features: automatic instance configuration + automatic MyFamily generation (PATCH)

Nusenu nusenu at openmailbox.org
Mon Feb 16 21:31:20 UTC 2015


Hi David,

thanks for your quick feedback.

> Would you mind telling me which 2 features are critical for your
> use-case and why?

- automatic instance deployment (and all the dependencies that come
with that, like ORListenAddress; without it tor0 would block tor2 from
starting since they are binding on the same port)

- automatic MyFamily management: this is just too annoying to manage
manually

- the directory layout change is more cosmetic, but your current way
(everything in /etc) is rather unusual and, as an example, would require
custom logrotate configuration that wouldn't be required otherwise

> Can you share your ansible-tor playbook? 

Since everything tor process specific is handled in ansible-tor, my
playbook will mainly just reference the role.

> I'd like for this ansible role to be useful to relay operators like
> yourself... so I'm very interested in learning about how you'd like to
> use it.

From the examples I assumed you are probably not using it mainly for
relays, is that correct?

> Why do you think the ORPorts should default to 80 and 443?

It is assumed that these well known ports are less likely to be blocked
by outbound firewalls and therefore more useful for clients than some
high ports. Once dirport support is added, I would use 80 as dirport.

For an example of common ORPorts see
https://atlas.torproject.org/#search/contact:torservers

...but since it is very easy to modify the defaults, I've no strong
feelings about what is actually defined in default/main.yml.

One could also add some auto detection to see if the ports are already
in use...

> I think your auto tor instance deployment feature should be an
> optional feature that is off by default.

Yes, that is fine; configuration changes are easy enough.

> If using configure_apt_single.yml then the torrc is in fact owned by
> root... and tor will then drop privs. The other way tor is deployed
> with this role is using the configure_tor_instance.yml... and I
> suppose the individual torrc files could be owned as root as long as
> they are readable by the tor user. But does this matter? What are the
> implications?

On a default install they are owned by root; I just reverted the change
from owner=tor_user to owner=root to restore defaults. Implication:
tor_user will not be able to rewrite/manipulate its own configuration.

> I'd be much more likely to merge your patches if they were one feature
> per patch... instead of this monolithic patch with many features.

Yes, that is what I expected, but then I thought that the two main
changes code wise (autoconfig + directory structure) are dependent on
each other anyway. Merging autoconfig without the directory
restructuring (or vice versa) wouldn't be much fun since these
modifications always touch overlapping areas.
If you want to add it as an additional option, including it as a separate
yml in tasks/main.yml + a separate torrc is also a possibility, but
probably not the nicest way (duplicate code, multiple torrcs).

> Furthermore... I hate centralized media and all but github sure would
> make patch submission and review easier. 

Yes, I'm considering it if this becomes something recurring.

thanks,
Nusenu
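As an added example (not code from the ansible-tor role or from this thread), the following Python builds the shared MyFamily line for several tor instances on one host and checks for the listen-address collision described above before rendering a per-instance torrc fragment. It uses the `ORPort address:port` form rather than ORListenAddress, and every fingerprint, nickname and address in it is constructed.

```python
import re

# Relay fingerprints are 40 hex characters (SHA-1 of the identity key).
FP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample: instance name -> (fingerprint, ORPort bind address).
# tor0 and tor2 deliberately share an address:port to show the collision.
INSTANCES = {
    "tor0": ("0000000000000000000000000000000000000001", "192.0.2.10:443"),
    "tor1": ("0000000000000000000000000000000000000002", "192.0.2.11:443"),
    "tor2": ("0000000000000000000000000000000000000003", "192.0.2.10:443"),
}

def my_family_line(fingerprints):
    """Build the torrc MyFamily line naming every relay in the family.
    Each fingerprint gets the '$' prefix tor expects; sorting keeps the
    generated line stable across runs. Tor drops its own fingerprint
    from the list, so the same line can be reused in every instance."""
    fps = []
    for fp in fingerprints:
        if not FP_RE.match(fp):
            raise ValueError(f"bad fingerprint: {fp!r}")
        fps.append("$" + fp.upper())
    return "MyFamily " + ",".join(sorted(fps))

def find_bind_collisions(instances):
    """Map each address:port that more than one instance would bind to
    the sorted list of instance names; only the first of them would start."""
    seen = {}
    for name, (_fp, addr) in instances.items():
        seen.setdefault(addr, []).append(name)
    return {a: sorted(n) for a, n in seen.items() if len(n) > 1}

def render_torrc(name, instances):
    """Render the per-instance torrc lines: Nickname, an ORPort bound to
    this instance's own address, and the shared MyFamily line. Refuses to
    render anything while two instances would fight over one socket."""
    collisions = find_bind_collisions(instances)
    if collisions:
        raise ValueError(f"listen address collisions: {collisions}")
    _fp, addr = instances[name]
    return "\n".join([f"Nickname {name}", f"ORPort {addr}",
                      my_family_line(f for f, _ in instances.values())])

if __name__ == "__main__":
    print("collisions:", find_bind_collisions(INSTANCES))
    fixed = dict(INSTANCES, tor2=(INSTANCES["tor2"][0], "192.0.2.12:443"))
    print(render_torrc("tor1", fixed))
```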

