Hi,
I'm aiming to enable tor's 'Sandbox' feature by default on Debian based relays starting with the next release of ansible-relayor [1].
Before doing so I'd like to collect some feedback from tor relay operators willing to test this feature.
If you
- run tor 0.3.0.x >= 0.3.0.8
- are on Linux
- willing to report problems
it would be great if you could add the following line to your torrc configuration file:
Sandbox 1
Ideally you have also a system monitoring in place that tells you whether this config change has any impact (i.e. on CPU or bandwidth).
I will shortly. All of my relays or just one?
On Jun 25, 2017, at 13:21, nusenu nusenu-lists@riseup.net wrote:
> Hi,
> I'm aiming to enable tor's 'Sandbox' feature by default on Debian based relays starting with the next release of ansible-relayor [1].
> Before doing so I'd like to collect some feedback from tor relay operators willing to test this feature.
> If you
> - run tor 0.3.0.x >= 0.3.0.8
> - are on Linux
> - willing to report problems
> it would be great if you could add the following line to your torrc configuration file:
> Sandbox 1
> Ideally you have also a system monitoring in place that tells you whether this config change has any impact (i.e. on CPU or bandwidth).
> [1] https://github.com/nusenu/ansible-relayor
> -- https://mastodon.social/@nusenu https://twitter.com/nusenu_
> tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
John Ricketts:
> I will shortly. All of my relays or just one?
Maybe start with one and if it runs without any issues or negative impact for a week proceed with the rest, but whatever you feel comfortable with.
thanks!
On Sun, 25 Jun 2017 18:25:00 +0000 nusenu nusenu-lists@riseup.net wrote:
> I'm aiming to enable tor's 'Sandbox' feature by default on Debian based relays starting with the next release of ansible-relayor [1].
> Before doing so I'd like to collect some feedback from tor relay operators willing to test this feature.
> If you
> - run tor 0.3.0.x >= 0.3.0.8
> - are on Linux
> - willing to report problems
> it would be great if you could add the following line to your torrc configuration file:
> Sandbox 1
> Ideally you have also a system monitoring in place that tells you whether this config change has any impact (i.e. on CPU or bandwidth).
FWIW I haven't noticed any impact, bad or good, after enabling this on a couple of relays since the date you asked.
> On Sun, 25 Jun 2017 18:25:00 +0000 nusenu nusenu-lists@riseup.net wrote:
>> I'm aiming to enable tor's 'Sandbox' feature by default on Debian based relays starting with the next release of ansible-relayor [1].
>> Before doing so I'd like to collect some feedback from tor relay operators willing to test this feature.
>> If you
>> - run tor 0.3.0.x >= 0.3.0.8
>> - are on Linux
>> - willing to report problems
>> it would be great if you could add the following line to your torrc configuration file:
>> Sandbox 1
>> Ideally you have also a system monitoring in place that tells you whether this config change has any impact (i.e. on CPU or bandwidth).
> FWIW I haven't noticed any impact, bad or good, after enabling this on a couple of relays since the date you asked.
thank you for testing it
I haven't noticed any performance impact, but I picked up a recent version of ansible-relayor that enables the sandbox by default and it broke two of my relays running Debian 8.9 under OpenVZ with kernel version 2.6.32. Given the old kernel version I'm not exactly surprised, but enabling the sandbox by default does cause those two relays to fail to start.
If anyone is interested, the relevant log lines (with debug enabled) look like this:
sandbox_getaddrinfo(): (Sandbox) getaddrinfo succeeded.
sandbox_getaddrinfo(): (Sandbox) getaddrinfo failed.
sandbox_getaddrinfo(): (Sandbox) getaddrinfo succeeded.
install_syscall_filter(): Bug: (Sandbox) failed to load: -22 (Invalid argument)! (on Tor 0.3.0.9 )
tor_main(): Bug: Failed to create syscall sandbox filter (on Tor 0.3.0.9 )
main process exited, code=exited, status=1/FAILURE
On Tue, Jul 4, 2017 at 11:35 PM, Roman Mamedov rm@romanrm.net wrote:
> On Sun, 25 Jun 2017 18:25:00 +0000 nusenu nusenu-lists@riseup.net wrote:
>> I'm aiming to enable tor's 'Sandbox' feature by default on Debian based relays starting with the next release of ansible-relayor [1].
>> Before doing so I'd like to collect some feedback from tor relay operators willing to test this feature.
>> If you
>> - run tor 0.3.0.x >= 0.3.0.8
>> - are on Linux
>> - willing to report problems
>> it would be great if you could add the following line to your torrc configuration file:
>> Sandbox 1
>> Ideally you have also a system monitoring in place that tells you whether this config change has any impact (i.e. on CPU or bandwidth).
> FWIW I haven't noticed any impact, bad or good, after enabling this on a couple of relays since the date you asked.
> --
> With respect,
> Roman
On 2 Aug 2017, at 13:32, Kevin Beranek kevin@kberanek.com wrote:
> I haven't noticed any performance impact, but I picked up a recent version of ansible-relayor that enables the sandbox by default and it broke two of my relays running Debian 8.9 under OpenVZ with kernel version 2.6.32. Given the old kernel version I'm not exactly surprised, but enabling the sandbox by default does cause those two relays to fail to start.
> If anyone is interested, the relevant log lines (with debug enabled) look like this:
> sandbox_getaddrinfo(): (Sandbox) getaddrinfo succeeded.
> sandbox_getaddrinfo(): (Sandbox) getaddrinfo failed.
> sandbox_getaddrinfo(): (Sandbox) getaddrinfo succeeded.
> install_syscall_filter(): Bug: (Sandbox) failed to load: -22 (Invalid argument)! (on Tor 0.3.0.9 )
> tor_main(): Bug: Failed to create syscall sandbox filter (on Tor 0.3.0.9 )
> main process exited, code=exited, status=1/FAILURE
I logged this on the tor bug tracker: https://trac.torproject.org/projects/tor/ticket/23090
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
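
A pre-flight check for the startup failure reported in this thread, as an added example that is not part of any message here or of ansible-relayor: it decides whether to deploy `Sandbox 1` from the kernel release and recognises the failure in tor's log. The function names and the sample kernel strings are constructed; the 3.5 threshold is the upstream Linux release that introduced seccomp filter mode, and vendor kernels may differ.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not tor or ansible-relayor code.

# Assumption: seccomp filter mode (seccomp-bpf), which tor's syscall sandbox
# needs, entered upstream Linux in 3.5. Vendor kernels may backport or omit it.
kernel_has_seccomp_filter() {
    # $1: kernel release string as printed by `uname -r`
    ver=${1%%[!0-9.]*}            # drop suffix such as "-042stab120.11"
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 5 ]; }
}

# Prints the torrc line to deploy for a host with kernel release $1.
torrc_sandbox_line() {
    if kernel_has_seccomp_filter "$1"; then
        echo "Sandbox 1"
    else
        echo "Sandbox 0"
    fi
}

# Reads tor log text on stdin; returns 0 if it shows the sandbox filter
# failing to load (message texts as quoted in the thread).
log_shows_sandbox_failure() {
    grep -Eq '\(Sandbox\) failed to load: -?[0-9]+|Failed to create syscall sandbox filter'
}

# Sample input: log lines quoted in the thread.
SAMPLE_LOG='sandbox_getaddrinfo(): (Sandbox) getaddrinfo succeeded.
install_syscall_filter(): Bug: (Sandbox) failed to load: -22 (Invalid argument)! (on Tor 0.3.0.9 )
tor_main(): Bug: Failed to create syscall sandbox filter (on Tor 0.3.0.9 )'

echo "running kernel $(uname -r): $(torrc_sandbox_line "$(uname -r)")"
if printf '%s\n' "$SAMPLE_LOG" | log_shows_sandbox_failure; then
    echo "sample log: sandbox filter failed to load"
fi
```

Inside a container such as OpenVZ, `uname -r` reports the host kernel, which is the one that has to support the filter.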