[tor-relays] FreeBSD 11.1 ZFS Tor Image

Conrad Rockenhaus conrad at rockenhaus.com
Thu Mar 1 01:04:40 UTC 2018


On Wednesday, February 28, 2018 6:46:00 PM CST George wrote:
> Vinícius Zavam:
> > 2018-02-25 21:23 GMT+00:00 Conrad Rockenhaus <conrad at rockenhaus.com>:
> >> On Sunday, February 25, 2018 3:05:00 PM CST George wrote:
> >>> Conrad Rockenhaus:
> >>>> Hello All,
> >>>> 
> >>>> If anyone is interested, I have a RAW image of a FreeBSD 11.1 ZFS image
> >>>> that is fully configured and ready to run Tor. Right now it's an eight GB
> >>>> image, but I'm reducing the size by removing all of the extra stuff on it
> >>>> from the upgrade from FreeBSD 11 to 11.1.
> >>> 
> >>> I think it's great to ease the implementation of Tor relays,
> >>> particularly on BSDs.
> >> 
> >> My main thought process behind trying to ease the implementation of BSD relays
> >> is the fact that we should diversify what we have online within the network.
> >> Most of our nodes are Linux. What if we have another vulnerability that comes
> >> out that hits Linux specifically again?
> >> 
> >>> However, I'd be wary of an image that I didn't build myself, personally.
> >> 
> >> That's your opinion. The AWS relay project was very successful. Numerous
> >> people ran an image that they didn't build. Numerous people also run Docker
> >> containers that they didn't build. Numerous people run Vagrant boxes they
> >> didn't build. You have the right to be wary, but there are numerous people out
> >> there who run other people's images every day.
> >> 
> >>>> If you're interested in the image let me know. This image has been fully
> >>>> tested on OVH's Openstack infrastructure, so if you're interested in
> >>>> running it on their infrastructure, let me know and I can walk you
> >>>> through it, or you're more than welcome to host it within my cloud at
> >>>> cost (it's a low monthly rate and unlimited bandwidth).
> >>> 
> >>> Another issue is that OVH is over relied upon for public nodes. It's the
> >>> leading ASN with almost 15%.
> >> 
> >> They're one of the few providers out there that allow exits. That's why 15% of
> >> our exits are on OVH.
> >> 
> >>> https://torbsd.org/oostats/relays-bw-by-asn.txt
> >>> 
> >>> OTOH, I do think we (in particular BSD people) need to facilitate the
> >>> implementation of BSD relays, including for VPS services for those
> >>> looking to test the waters.
> >> 
> >> I completely agree.
> > 
> > I wonder if people hosting Tor relays in any sort of VPS are doing
> > filesystem encryption.
> > 
> >>> The TDP wiki has a list of other BSD-offering VPSs, plus a script for
> >>> Vultur to build on OpenBSD. I tend to think using other people's scripts
> >>> that can be reviewed and hacked is a better gateway for new relay
> >>> operators than images.
> > 
> > you can combine the FreeBSD jails feature with your idea.
> > plus, do not share many Tor instances on the same machine/server/jail.
> 
> Actually, that raises a side point...
> 
> FreeBSD jails are usually viewed as a tool to create a full system with
> the glorious addition of root.
> 
> But they can also be used to build minimal chroot-looking systems, in
> that they can be deliciously small, yet incredibly secure, especially
> compared to chroot.
> 
> FreeBSD jails started as a simple http hosting solution a long while
> back, very much an "unorthodox solution to a traditional problem." But
> they have a utility that gets confused when they are considered
> just-another-virtualization alternative to delude users into thinking
> they have full system control.
> 
> <snip>
> 
> g

We could always make it more fun and throw FreeBSD/Docker on top of the mess:

https://wiki.freebsd.org/Docker

I was looking at Jails before, but I ruled it out because I'm looking at this
project from the level of I'm running a VM on an OpenStack/VMware or AWS
infrastructure as a small VM dedicated to just Tor.

So the whole VM is dedicated to just Tor. So, basically instead of virtualizing
an environment already running in a virtual machine dedicated to that one
task, I figured just keep things on the VM.

Of course, I may be looking at that wrong, but I think that would be the best
option to weigh all of the factors that go into the project.

Conrad
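For readers weighing the jail approach George and Vinícius describe above (a minimal jail holding one Tor instance rather than a full virtualized system), the following /etc/jail.conf fragment is an added illustration and is not from any poster in this thread or from the image Conrad offers. The jail name, filesystem path, hostname and address are assumptions chosen for the example; the jail root is expected to have been populated with only the FreeBSD base and the tor package beforehand.

```conf
# Added example: one minimal FreeBSD jail per Tor instance.
# Defaults shared by every jail defined in this file.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;       # standard ruleset: hides most device nodes from the jail

# Assumed jail name "tor"; $name expands to it in the path and hostname.
tor {
    path = "/usr/jails/$name";        # assumed location of the jail root
    host.hostname = "$name.example";  # assumed hostname, example TLD only
    ip4.addr = "203.0.113.10";        # assumed address from the documentation range
    allow.raw_sockets = 0;            # Tor does not need raw sockets; keep them off
    securelevel = 2;                  # raise securelevel inside the jail once started
}
```

With `jail_enable="YES"` in /etc/rc.conf, `service jail start tor` boots the jail and its rc scripts start Tor; a second relay belongs in a second block with its own path and address rather than alongside the first, which keeps the per-jail privilege boundary that Vinícius's "do not share many Tor instances on the same machine/server/jail" point relies on.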