Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
Updated: 2020-06-13T18:36:27Z

Offer obfs4 docker image for additional architectures
https://gitlab.torproject.org/legacy/trac/-/issues/33088
Updated: 2020-06-13T18:36:27Z
Author: Philipp Winter (phw@torproject.org)

A bridge operator asked us to cross-compile our docker image for arm64. This sounds like an easy-ish fix that would make the lives of our bridge operators easier. Let's figure out what it takes to support ARM and potentially other architectures.

Make obfs4 Docker image more usable
https://gitlab.torproject.org/legacy/trac/-/issues/31834
Updated: 2020-06-13T18:36:22Z
Author: Philipp Winter (phw@torproject.org)

Here is some feedback we got from an operator (see [this blog post](https://www.securimancy.com/dockerizing-tor-bridge/) for the full story):
* ~~Make it easier to get the bridge's fingerprint and/or bridge line. At the moment, users have to spawn a shell in the container, which is tedious.~~
* ~~Maybe provide a docker-compose file.~~
* ~~Improve our [official setup instructions](https://community.torproject.org/relay/setup/bridge/docker/). [These instructions](https://dip.torproject.org/torproject/anti-censorship/docker-obfs4-bridge) were more helpful to an operator.~~
* ~~Add a note that operators can run `docker logs <container>` to check if it's up and running.~~
* ~~Mention concerns regarding permanence: Ideally, a container should run as long as possible.~~
* ~~Allow running a bridge on a port <1024 (as per mrphs's request in comment:2).~~

Assignee: Philipp Winter (phw@torproject.org)

Multiarch docker obfs4 bridge
https://gitlab.torproject.org/legacy/trac/-/issues/33461
Updated: 2020-06-13T18:33:16Z
Author: Trac

Having more images enables the bridge operators to directly pull an image instead of modifying the Dockerfile and consequently building that image. For example, the supported architectures can be x86_64, aarch64 and arm.
In order to do so we can have multiple `Dockerfile.arch` files, where https://github.com/multiarch/qemu-user-static is used in order to build such an image.
For example, in the Dockerfile.arm file the content should be something like:
```
# Base docker image
FROM multiarch/qemu-user-static:x86_64-arm as qemu
FROM arm32v7/debian:buster-slim
COPY --from=qemu /usr/bin/qemu-arm-static /usr/bin
# Install remaining dependencies.
RUN apt-get update && apt-get install -y \
    tor \
    tor-geoipdb \
    obfs4proxy \
    libcap2-bin \
    --no-install-recommends
# Allow obfs4proxy to bind to ports < 1024.
RUN setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
RUN setcap cap_net_bind_service=+ep /usr/bin/tor
# Our torrc is generated at run-time by the script start-tor.sh.
RUN rm /etc/tor/torrc
RUN chown debian-tor:debian-tor /etc/tor
RUN chown debian-tor:debian-tor /var/log/tor
COPY start-tor.sh /usr/local/bin
RUN chmod 0755 /usr/local/bin/start-tor.sh
COPY get-bridge-line /usr/local/bin
RUN chmod 0755 /usr/local/bin/get-bridge-line
USER debian-tor
CMD [ "/usr/local/bin/start-tor.sh" ]
```
**Trac**:
**Username**: thymbahutymba

Make obfs4 Docker image support private bridges
https://gitlab.torproject.org/legacy/trac/-/issues/33153
Updated: 2020-06-13T18:33:15Z
Author: Philipp Winter (phw@torproject.org)

For #28526 it would be helpful if one could configure an obfs4 Docker container to be private. We could simply add a new environment variable, say `PRIVATE_BRIDGE`, which controls whether the container sets `BridgeDistribution none` in its torrc or not.

Static tor in docker container
https://gitlab.torproject.org/legacy/trac/-/issues/32550
Updated: 2020-06-13T18:33:15Z
Author: Trac

I was wondering about how to improve the docker image. The current version of the provided image, in this case for bridges, uses Debian. This ends up in a "big" image that, in my honest opinion, wastes a lot of space.
In order to improve the deployment and the space required by such a container, which can even be extended to all relays, I wrote a Makefile to statically build tor. Once there is a static build of tor, it should be enough to provide just that inside the container.
```
PREFIX=$(shell pwd)/dist
RELEASE=$(shell pwd)/release
TOR=https://dist.torproject.org
TOR_VER=0.4.1.6
LIBEVENT=https://github.com/libevent/libevent/releases/download
LIBEVENT_VER=2.1.11-stable
OPENSSL=https://github.com/openssl/openssl/archive
OPENSSL_VER=1_0_2t
ZLIB=https://zlib.net
ZLIB_VER=1.2.11
CLEAN_DIRS=$(dir .)

# Recipe lines must start with a tab. $(MAKE) already hands MAKEFLAGS to
# sub-makes through the environment, so it is not repeated as an argument.
all: tor

# Static tor linked against the libraries installed into ${PREFIX}.
# seccomp is disabled at configure time, so there is no libseccomp prerequisite.
tor: tor-${TOR_VER} libevent zlib openssl
	cd $< && \
	./configure \
		--prefix=${RELEASE} \
		--enable-static-tor \
		--with-openssl-dir=${PREFIX} \
		--with-libevent-dir=${PREFIX} \
		--with-zlib-dir=${PREFIX} \
		--disable-asciidoc \
		--disable-system-torrc \
		--disable-seccomp \
	&& $(MAKE) && $(MAKE) install

libevent: libevent-${LIBEVENT_VER}
	cd $< && \
	./configure --prefix=${PREFIX} --enable-shared=no && \
	$(MAKE) && $(MAKE) install

openssl: OpenSSL_${OPENSSL_VER}
	cd $< && \
	./config no-shared no-dso no-zlib --prefix=${PREFIX} && \
	$(MAKE) depend && $(MAKE) && $(MAKE) install_sw

zlib: zlib-${ZLIB_VER}
	cd $< && \
	./configure --prefix=${PREFIX} --static && \
	$(MAKE) && $(MAKE) install

## Download and extract source if required
# Note: the archives are unpacked as downloaded; no checksum or signature is verified.
tor-${TOR_VER}:
	wget -qO- ${TOR}/$@.tar.gz | \
	bsdtar xzf -

libevent-${LIBEVENT_VER}:
	wget -qO- ${LIBEVENT}/release-${LIBEVENT_VER}/$@.tar.gz | \
	bsdtar xzf -

# The GitHub archive unpacks to openssl-OpenSSL_<version>; rename it to match the target.
OpenSSL_${OPENSSL_VER}:
	wget -qO- ${OPENSSL}/$@.tar.gz | \
	bsdtar xzf -
	mv openssl-$@ $@

zlib-${ZLIB_VER}:
	wget -qO- ${ZLIB}/$@.tar.gz | \
	bsdtar xzf -
```
**Trac**:
**Username**: thymbahutymba

Assignee: Philipp Winter (phw@torproject.org)

Create a "torproject" Docker organisation
https://gitlab.torproject.org/legacy/trac/-/issues/33162
Updated: 2020-06-13T17:37:31Z
Author: Philipp Winter (phw@torproject.org)

We should create an organisation account on hub.docker.com to publish our official Docker images; for example our [obfs4 bridge image](https://dip.torproject.org/torproject/anti-censorship/docker-obfs4-bridge). Unfortunately, the organisation "torproject" already exists and it's not clear who owns it.
[Docker's FAQ says](https://hub.docker.com/support/doc/how-can-i-claim-ownership-of-an-existing-docker-id):
> All Docker IDs are first come, first serve except for companies that have a US Trademark on a username.
>
> If you have a US Trademark claim on a name, open a support ticket and include:
>
> * The username you wish to claim
> * Proof of US Trademark on the username

I filed a support ticket referencing the two trademarks that Tor has registered in the U.S.: 3,465,433 and 3,465,432. I'll update this ticket once I hear back. If Docker's support is unable to help us, we should ask around (e.g., on the tor-project@ list) if anyone knows who owns the "torproject" account.

Assignee: Philipp Winter (phw@torproject.org)

Bridge Dockerfile for Raspberry Pi 3
https://gitlab.torproject.org/legacy/trac/-/issues/32860
Updated: 2020-06-13T15:49:39Z
Author: Trac

It would be great to see support for these devices, as they are getting more and more popular.
I can provide a Dockerfile for a Bridge+obfs4 for Raspberry Pi 3, based on phw@ work
**Trac**:
**Username**: qdii

Assignee: Philipp Winter (phw@torproject.org)

Tor should ship docker images of onion services (and other services)
https://gitlab.torproject.org/legacy/trac/-/issues/30240
Updated: 2020-06-13T15:40:55Z
Author: George Kadianakis

Seems like people are interested in docker images of Tor relays, or onion services (or even bridgedb). We should consider providing docker images for the people who want to use them.
Here is a recent attempt by Alessandro Fiori:
https://lists.torproject.org/pipermail/tor-dev/2019-March/013756.html
and there have been previous attempts as well here:
https://blog.jessfraz.com/post/running-a-tor-relay-with-docker/ (tor relay)
Also see this page for an organized version of infrastructure related projects:
https://trac.torproject.org/projects/tor/wiki/community/relay_infrastructure
https://www.andreafortuna.org/2018/11/05/easily-setup-a-onion-service-using-docker/
https://0day.work/dockerized-tor-onion-services-with-vanity-v3-tor-addresses/ (onion services)
We should figure out how to make these unofficial attempts useful to other people by legitimizing them and offering them to people in a useful way.

Write OONI Pipeline init script
https://gitlab.torproject.org/legacy/trac/-/issues/15730
Updated: 2016-06-17T18:01:17Z
Author: Arturo Filastò

Currently when the machine hosting the pipeline reboots the docker container services need to be rested manually.
This is a summary of them:
```
root@IX-0150:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f117c1ea99b0 ooni/sshd:latest "/usr/sbin/sshd -D" 2 weeks ago Up 2 weeks 127.0.0.1:49154->22/tcp sshd
fc50af5348e5 ooni-app:latest "grunt" 6 weeks ago Up 2 weeks 35729/tcp, 104.193.9.122:3000->3000/tcp romantic_hypatia
48b5ce0241e8 ooni/web-server:latest "nginx" 7 weeks ago Up 2 weeks 104.193.9.122:80->80/tcp web-server
a87fac01ec4d dockerfile/mongodb:latest "mongod" 7 weeks ago Up 2 weeks 28017/tcp, 127.0.0.1:49153->27017/tcp mongodb
```
This task is to implement init scripts for either all the pipeline or the individual services

Assignee: Arturo Filastò