Dirauths should save a copy of a consensus that didn't get enough signatures

Basically right now when a dirauth doesn't get the consensus it generated signed, we don't know what kind of consensus that dirauth wanted because it isn't valid (not enough signatures). We could save a copy so we can investigate

changed milestone to %Tor: unspecified

added 033-unreached-backport-maybe 034-unreached-backport-maybe 035-removed-20180711 auditability component::core tor/tor dump milestone::Tor: unspecified points::1 priority::medium save severity::normal status::needs-revision tor-dirauth type::enhancement labels

Sounds good to me

Probably not hard to do; definitely worth looking into soon.

Trac:
Milestone: N/A to Tor: 0.2.3.x-final
Type: defect to enhancement

Trac:
Milestone: Tor: 0.2.3.x-final to Tor: unspecified

Trac:
Keywords: N/A deleted, tor-auth added

Trac:
Component: Tor Directory Authority to Tor

Turns out that tor-auth is for directory authority so make it clearer with tor-dirauth

Trac:
Keywords: tor-auth deleted, tor-dirauth added

Trac:
Severity: N/A to Normal
Points: N/A to 1
Keywords: tor-dirauth deleted, tor-dirauth auditability save dump added
Sponsor: N/A to N/A
Reviewer: N/A to N/A

See also #4539 (moved)

Here's the hack I'm using on moria1 today:

diff --git a/src/or/dirauth/dirvote.c b/src/or/dirauth/dirvote.c
index 1643990..b832b51 100644
--- a/src/or/dirauth/dirvote.c
+++ b/src/or/dirauth/dirvote.c
@@ -3351,6 +3351,16 @@ dirvote_compute_consensuses(void)
       pending[flav].body = consensus_body;
       pending[flav].consensus = consensus;
       n_generated++;
+
+      /* write it out to disk too, for dir auth debugging purposes */
+      {
+      char *filename;
+      tor_asprintf(&filename, "my-consensus-%s",
+                   networkstatus_get_flavor_name(flav));
+      write_str_to_file(get_datadir_fname(filename), consensus_body, 0);
+      tor_free(filename);
+      }
+
       consensus_body = NULL;
       consensus = NULL;
     }

Trac:
Milestone: Tor: unspecified to Tor: 0.3.5.x-final
Status: new to needs_review

#4539 (moved) makes authorities write mismatching signatures to disk, it isn't as useful as the consensus, but we might want to fix it in the same release.

Also, I wonder if we want to backport this patch? (All public non-bridge authorities are on 033 or later.)

Trac:
Keywords: tor-dirauth auditability save dump deleted, tor-dirauth auditability save dump 033-backport-maybe 034-backport-maybe added

Trac:
Reviewer: N/A to mikeperry

Note that my hack placement writes out the consensus with one signature on it (our own). I could imagine a different placement of this code that writes out the consensus with as many sigs as we were able to place on it -- wherever it is that we check to see whether there are enough sigs.

I'm also not clear that I've picked the best possible file names. And maybe dir auths want to do this behavior by default, or maybe it should be gated by a torrc option.

Here be bike sheds. :)

I suggest that we:

• write out the consensus with no signatures, as early as possible (in case we crash parsing or signing it)
• write out our own signature
• write out any signatures we get (good or bad) to a file like the existing v3-status-votes, but for signatures

We should think about how to handle the disk DoS risk for the final file, because anyone can attempt to sign a consensus, and we would put the signature in that file. Maybe we should limit the size of the file?

Is the only patch here armadev's comment? If so, this ticket is not ready for review.

Besides following our github+travis flow, in terms of the code, I think we should try to save more than just one failure. And definitely make the filename clear that it is a failed consensus.

Trac:
Status: needs_review to needs_revision

Removing needs_revision tickets from 0.3.5 that seem to be stalled. Please move back if they are under active revision or discussion.

Trac:
Milestone: Tor: 0.3.5.x-final to Tor: unspecified
Keywords: tor-dirauth auditability save dump 033-backport-maybe 034-backport-maybe deleted, 033-backport-maybe, save, 035-removed-20180711, 034-backport-maybe, tor-dirauth, auditability, dump added

These open, non-merge_ready tickets can not get backported to 0.3.3, because 0.3.3 is now unsupported.

Hmm, I guess they should still get 033-backport-unreached

Trac:
Keywords: N/A deleted, 033-backport-unreached added

Removing 034-backport from all open tickets: 034 has reached EOL.

0.3.4 is unsupported, we won't be backporting anything else to it.

Trac:
Keywords: 034-backport-maybe deleted, 034-unreached-backport-maybe added

Fix 033-unreached-backport spelling.

Trac:
Keywords: 033-backport-unreached deleted, 033-unreached-backport added

Remove outdated 033-backport-maybe

Trac:
Keywords: 033-backport-maybe deleted, 033-unreached-backport-maybe added

Trac:
Keywords: 033-unreached-backport deleted, N/A added

Remove MikePerry from reviewer from all this old tickets.

Trac:
Reviewer: mikeperry to N/A

changed time estimate to 8h

mentioned in issue #4539 (moved)

mentioned in issue #26485 (moved)

moved to tpo/core/tor#4363

mentioned in issue tpo/core/tor#26485 (closed)