[Feature Request] Offer relay functionality

I don't know where to put this. If this is an inappropriate repository for this issue please close it and tell me where to request it.

This docker container already has all the functionality needed for relay operations I think. Please corretc me if I'm wrong. So not only obfs4 bridges, but also normal exit and non-exit relays. As a result I would like to have the option to specify the type of relay (bridge, middle/guard, exit) via enviroment variable and adjust the torrc config accordingly. The container already allows passing of custom variables through OBFS4V_variable. Renaming the prefix and offering to also change BridgeRelay 1 already would enable the functionality of an normal relay.

There currently is no official container available to host an tor relay on docker.

assigned to @meskio

moved from tpo/anti-censorship/docker-obfs4-bridge#14 (moved)

assigned to @meskio

Let's keep this docker image dedicated to bridges.

@ahf how do you feel about creating and maintaining a docker image for tor relays? Where will be the right place to do that?

We used to have some volunteers and core contributors running a relay docker image, see: https://gitlab.torproject.org/tpo/community/relays/-/wikis/Relay-Infrastructure

If people thinks it's a good idea, we can move this ticket to community/relays, and we can find a maintainer for this.

@meskio @ahf If you want I could contribute and create an repo and try to create an Dockerfile for guard/exit relay on the weekend. It shouldn't be that different to the one inside this repo. However I still don't know where the repo belongs. Anti-Censorship as org isn't the right place in my opinion.

@gus I'm not sure I have a clear opinion on that. It might be good to have an official image coming from tor as people know what to trust, but I'm always worried to add more stuff for us to maintain.

@Felixkruemel if you want to give it a try you can start having a repo in your own space and we'll figure out what is the best place to move it once is working. You should check the resources @gus is linking, as most of the work might be already done.

I'll move the issue to community/relays.

It looks like I don't have rights to move the issue.

added Roadmap::Future label

added First Contribution label

@meskio I have found the following distro already providing nearly up-to-date relay builds: https://github.com/brunneis/tor-relay-docker

It builds Tor from source, a way we could go with the docker image, but pulling it simply from the repo also would work.

Something like this for the Dockerfile (http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/Felixkruemel/tor-relay-docker/-/tree/main):

FROM ubuntu:20.04

RUN \
  apt-get update \
  && apt-get -y upgrade \
  && apt-get -y install \
    apt-transport-https \
    wget \
    gnupg \
  && printf "deb     [arch=amd64 signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org focal main\ndeb-src [arch=amd64 signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org focal main" >> /etc/apt/sources.list.d/tor.list \
  && apt-get clean

RUN \
  wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
RUN \
  apt-get update \
  && apt-get -y install tor deb.torproject.org-keyring \
  && apt-get -y remove \
    wget \
  && apt-get clean

COPY entrypoint.sh /
RUN chmod +rx entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

This will correctly install the latest Tor release. Just need to modify it slightly so that it gets the correct arch (this is hardcoded to amd64 which isn't good).

The only thing which I struggle with is to get the entrypoint.sh file running easily. Somehow I'm too dumb for that ^^

The dockerfile sounds good. I would only change it to have the key in the repo and use it from there, instead of download it each time from the network.

You can get inspiration on the entrypoint.sh used by the obfs4-bridge image.

Hey @meskio @gus I've got a working solution which is easily usable I think: http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/Felixkruemel/tor-relay-docker

I could not test anything else than middle yet, but I think everything should work. Please have a look at it. Would love to finally have something official. We would need to move the repository then though. Once we have something official I need to look in how to migrate my Tor relay.

@meskio I justed wanted to ask if there's some news here.

Is in my queue of things to look into, I'm sorry is taking me some time to do it. But I'm not sure I'm the right person here to review it, as I don't have much experience operating a relay.

assigned to @gus and unassigned @meskio

Hi @Felixkruemel, one thing that it's crucial when managing public relays is to have a way to declare the MyFamily.

From the Tor relay guide: https://community.torproject.org/relay/setup/post-install/

To avoid putting Tor clients at risk, when operating multiple relays you must set a proper MyFamily value and have a valid ContactInfo in your torrc configuration. The MyFamily setting is simply telling Tor clients what Tor relays are controlled by a single entity/operator/organization, so they are not used in multiple positions in a single circuit.

If you run two relays and they have fingerprints AAAAAAAAAA and BBBBBBBB, you would add the following configuration to set MyFamily:

MyFamily AAAAAAAAAA,BBBBBBBB

to both relays. To find your relay's fingerprint you can look into the log files when tor starts up or find the file named "fingerprint" in your tor DataDirectory.

Instead of doing so manually, for big operators we recommend to automate the MyFamily setting via a configuration management solution. Manually managing MyFamily for big relay groups is error-prone and can put Tor clients at risk.

Hi @gus I added a FAMILY envinroment var in the last two commits. Launching with it works and it also is been set correctly in torrc when specified. Sadly I can not run two relays to test it but it should work as expected.

@gus Did you already had time to review the changes I made to my repository to include relay families?

@gus Are there any news? I'm using my image now since some weeks without issues.

Sorry, I didn't have time to test this.

mentioned in issue #36 (closed)

/cc @gk

mentioned in merge request tpo/anti-censorship/docker-obfs4-bridge!14 (closed)

cc @micah

unassigned @gus