Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-03-05 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:   |  Actual Points:
Parent ID:  #29399   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by irl):

 * parent:   => #29399


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-26 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by anarcat):

 * status:  accepted => closed
 * resolution:   => fixed


Comment:

 after another commit for indexes, seems like all is well. actually open a
 new ticket for next config changes. i think we can consider this VM has
 been properly created now, and the rest is routine service launch fine-
 tuning. :)


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-26 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  accepted
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by anarcat):

 * status:  reopened => accepted



Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-26 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  reopened
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by irl):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Next issues...

 Please install the tor package from deb.torproject.org and keep it up to
 date, but disable the system service (i.e. have the binary available in
 the path but don't run it). I had a reusable ansible role for this so it
 wasn't in the notes when I looked at the host specific setup and I missed
 it.

 The apache vhost has the lists directory under /srv/check, but it needs to
 be under /srv/tordnsel. The scanner service writes it, check just reads
 it.


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-26 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by anarcat):

 * status:  reopened => closed
 * resolution:   => fixed


Comment:

 enabled linger on check as well. also added sudo permissions for both
 users (from groups) and tweaked the home layout to be identical.


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-26 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  reopened
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-

Comment (by anarcat):

 and also:

 {{{
 08:12:53 <+irl> anarcat: irl is not allowed to run sudo on check-01.  This
 incident will be reported.
 }}}


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-26 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  reopened
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by irl):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Ah, yes, both users need linger. The separate users are for some (limited)
 priv sep, and each run their own services with systemd.


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-25 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by anarcat):

 * status:  reopened => closed
 * resolution:   => fixed


Comment:

 create the tordnsel home and enable-linger for that user.

 i tried a new method to deploy the enable-linger, and i'm unsure about how
 effective it is. please do let me know if it works (or not).

 note that there's no enable-linger for the check user, let me know if
 that's necessary as well.


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-25 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  reopened
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-

Comment (by irl):

 tordnsel has no home directory, it's in LDAP as /home/tordnsel but the
 path does not exist. (if this is going to be created as soon as I sudo to
 it, ignore this ticket, still figuring out how to password again)


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-25 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  reopened
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by irl):

 * status:  closed => reopened
 * resolution:  fixed =>


Comment:

 Forgotten part of the spec: both check and tordnsel users need to have
 lingering enabled. We're managing the services as systemd user services.


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-24 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-

Comment (by anarcat):

 also note that you can emulate the DNS change by adding this line to your
 `/etc/hosts` file:

 {{{
 116.202.120.181 check.torproject.org
 }}}

 enjoy!


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-24 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by anarcat):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 Replying to [ticket:33362 irl]:
 > * At least 2 CPU cores
 > * 1.5GB RAM
 > * 50GB disk

 done, but with:

  * 2CPU
  * 2GB RAM
  * 10GB (system) + 20GB (user) disks

 after checking with irl on IRC, because this matches our more common
 configuration.

 > This host will generate a lot of network activity, and will do a lot of
 > crypto operations. I'm afraid I don't have the data to quantify "a lot"
 > yet.

 i guess we'll see, and hopefully Intel's builtin hardware coprocessors can
 save our bottoms for crypto. (or backdoor us, of course.)

 > Please give this host a DNS name, and do not change any of the existing
 > DNS names for the old service at this time.

 the name is `check-01.torproject.org`. previous DNS not changed.

 > Please install the following packages from Debian:
 >
 > python-dnspython
 > python-stem
 > python3-stem
 > git

 done.

 > Please allow users in the check and tordnsel groups to log in, they
 > should also have home directories.

 done.

 > Please install Apache, configure a virtualhost with the name
 > check.torproject.org, and an alias of the server's hostname for initial
 > setup.

 done, although the latter might not have verifiable HTTPS for now. let me
 know if that's a requirement.

 > Reverse proxy all requests to port 8080 on that virtualhost, except for
 > /exit-addresses which should be a symlink to
 > /srv/?.torproject.org/lists/latest and /lists which should be an autoindex
 > with a document root of that same lists directory that latest lives in.

 something like this, right?

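 {{{
 Alias /exit-addresses /srv/check.torproject.org/lists/latest
 Alias /lists /srv/check.torproject.org/lists

 # exclusions must come before the catch-all, otherwise ProxyPass / also
 # takes /exit-addresses and /lists
 ProxyPass /exit-addresses !
 ProxyPass /lists !
 ProxyPass / http://127.0.0.1:8080/
 ProxyPassReverse / http://127.0.0.1:8080/
 }}}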

 ... done. :)

 > Let me know if anything needs clarification.

 i'll note that check.torproject.org currently has the following apache
 configuration:

 {{{
 Use common-tor-vhost-https-redirect  check.torproject.org

 
 ServerName check.torproject.org
 ServerAdmin torproject-ad...@torproject.org

 #Use common-ssl-wildcard.tpo
 Use common-ssl-service check.torproject.org
 Use common-ssl-HSTS
 Use http-pkp-check.torproject.org

 
 UserDir disabled
 

 ErrorLog ${APACHE_LOG_DIR}/check.torproject.org--error.log
 CustomLog ${APACHE_LOG_DIR}/check.torproject.org-access.log privacy

 ServerSignature On

 DocumentRoot /srv/check.torproject.org/htdocs

 
 Require all granted
 

 RewriteEngine On
 RewriteRule ^/$ /torcheck/ [PT]
 RewriteRule  ^/cgi-bin/TorBulkExitList.py$ /torbulkexitlist  [PT]
 
 ProxyRequests On
 ProxyVia On
 
 Order deny,allow
 Allow from all
 
 ProxyPass /api http://127.0.0.1:8000/api retry=10
 ProxyPass /torcheck/ http://127.0.0.1:8000/ retry=10
 ProxyPass /torbulkexitlist http://127.0.0.1:8000/torbulkexitlist retry=10
 ProxyPassReverse /torcheck/ http://127.0.0.1:8000/
 
 
 }}}

 ie.

  1. / redirects to /torcheck
  2. /cgi-bin/TorBulkExitList.py to /torbulkexitlist (go figure, but we
 might want to keep that?)
  3. /api goes to port 8000/api
  4. /torcheck goes to port 8000/
  5. /torbulkexitlist goes to port 8000/torbulkexitlist

 ... shouldn't we also have aliases for those eventually?

 > I could also review the puppet if you point me at where to find it.

 the profile looks like:

 {{{
 # rewrite of the exit scanner
 #
 # not to be confused with the old roles::check that is now deprecated.
 class profile::check {
   include apache2
   include apache2::ssl
   include apache2::proxy_http

   file { '/srv/check.torproject.org':
     ensure => directory,
     mode   => '0755',
     owner  => 'check',
     group  => 'check',
   }
   file { '/srv/check.torproject.org/home':
     ensure => directory,
     mode   => '0775',
     owner  => 'check',
     group  =>

Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-21 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  assigned
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-

Comment (by anarcat):

 i hope to be able to set you up with this machine early next week, sorry
 for the delays.


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-18 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  assigned
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-

Comment (by irl):

 I can probably read puppet, but no idea how to write it.

 One other issue I just thought of, please do not configure any 
 records on the DNS name. It's OK to have it on the host, but clients
 should never use IPv6 to connect, we don't have a way to handle IPv6
 addresses.


Re: [tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-18 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  anarcat
 Type:  task | Status:  assigned
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   | Resolution:
 Keywords:   |  Actual Points:
Parent ID:   | Points:  0.5
 Reviewer:   |Sponsor:
-+-
Changes (by anarcat):

 * status:  new => assigned
 * owner:  tpa => anarcat
 * points:   => 0.5


Comment:

 > Let me know if anything needs clarification. I could also review the
 > puppet if you point me at where to find it.

 I'd be happy to take a Puppet manifest and coerce it into our stuff if you
 have that lying around ;) But to be fair we don't use a lot of standard
 modules so there's a limit of how far you could go. I'll definitely share
 the code once I have it written up to see if it matches the spec.

 I need to setup a new machine today, but I hope to get back to you on this
 shortly.


[tor-bugs] #33362 [Internal Services/Tor Sysadmin Team]: Please provision a VM for the new exit scanner

2020-02-18 Thread Tor Bug Tracker & Wiki
#33362: Please provision a VM for the new exit scanner
-+-
 Reporter:  irl  |  Owner:  tpa
 Type:  task | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |Version:
 Severity:  Normal   |   Keywords:
Actual Points:   |  Parent ID:
   Points:   |   Reviewer:
  Sponsor:   |
-+-
 * At least 2 CPU cores
 * 1.5GB RAM
 * 50GB disk

 This host will generate a lot of network activity, and will do a lot of
 crypto operations. I'm afraid I don't have the data to quantify "a lot"
 yet.

 Please give this host a DNS name, and do not change any of the existing
 DNS names for the old service at this time.

 Please install the following packages from Debian:

 python-dnspython
 python-stem
 python3-stem
 git

 Please allow users in the check and tordnsel groups to log in, they should
 also have home directories.

 Please install Apache, configure a virtualhost with the name
 check.torproject.org, and an alias of the server's hostname for initial
 setup.

 Reverse proxy all requests to port 8080 on that virtualhost, except for
 /exit-addresses which should be a symlink to
 /srv/?.torproject.org/lists/latest and /lists which should be an autoindex
 with a document root of that same lists directory that latest lives in.

 Let me know if anything needs clarification. I could also review the
 puppet if you point me at where to find it.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
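
An added example, not part of the ticket or of the Tor Project's Puppet code: a Python check for the vhost layout requested in this ticket (everything reverse-proxied to port 8080 except /exit-addresses and /lists). It flags Alias paths that a broader ProxyPass would take first, and `ProxyRequests On`, which a reverse-proxy-only vhost does not need. The function names and the sample configurations are constructed for illustration, and only server-context directives are parsed.

```python
import shlex

# Constructed samples using the paths and port named in the ticket.
CATCH_ALL_ONLY = """
Alias /exit-addresses /srv/check.torproject.org/lists/latest
Alias /lists /srv/check.torproject.org/lists
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
"""
EXCLUSIONS = "ProxyPass /exit-addresses !\nProxyPass /lists !\n"
WITH_EXCLUSIONS = EXCLUSIONS + CATCH_ALL_ONLY      # exclusions first: correct
EXCLUSIONS_TOO_LATE = CATCH_ALL_ONLY + EXCLUSIONS  # after the catch-all: no effect


def _covers(rule_path, url_path):
    # Segment-aware prefix match, a simplification of ProxyPass path matching.
    base = rule_path.rstrip("/")
    return url_path == base or url_path.startswith(base + "/")


def audit_vhost(conf):
    """Return findings for Apache vhost text (server-context directives only)."""
    findings, proxy_rules, aliases = [], [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":   # skip comments and <Section> tags
            continue
        name, *args = shlex.split(line)
        name = name.lower()               # directive names are case-insensitive
        if name == "proxypass" and len(args) >= 2:
            proxy_rules.append((args[0], args[1]))
        elif name == "alias" and len(args) >= 2:
            aliases.append(args[0])
        elif name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append("ProxyRequests On enables forward proxying; "
                            "a reverse proxy only needs ProxyPass")
    for url_path in aliases:
        # ProxyPass rules are checked in configuration order and the first
        # match wins; a matching rule takes the request before Alias applies.
        hit = next((r for r in proxy_rules if _covers(r[0], url_path)), None)
        if hit and hit[1] != "!":
            findings.append(f"Alias {url_path} is shadowed by ProxyPass {hit[0]} "
                            f"{hit[1]}; add 'ProxyPass {url_path} !' before it")
    return findings


if __name__ == "__main__":
    for label, conf in [("catch-all only", CATCH_ALL_ONLY),
                        ("with exclusions", WITH_EXCLUSIONS),
                        ("exclusions too late", EXCLUSIONS_TOO_LATE)]:
        print(label, "->", audit_vhost(conf) or "ok")
```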