Re: [tor-relays] Single IP multiple OR Ports
Hi,

On 03/04/2014 08:19 AM, toxi roxi wrote:
> With an upgrade to Ubuntu 13.10 x64 there seems to be no more support for the aesni module - so it doesn't seem to be usable any more. With older Ubuntu releases it works.

https://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration

Does this help already?

> I've recognized that some configurations are running easily with a higher throughput - but could not figure out what's the reason for it. My VPS'es are almost running in a KVM environment - but the 2 fastest ones are running on the OpenVZ hypervisor.

I tried KVM and OpenVZ some years ago for high bandwidth relays, and couldn't get it to make decent throughput at all. I now run all our fast relays on bare metal.

> But anyway I'm interested in reactivating that function as it seems to really speed up relay's speed.

Unless you max out /all/ your CPU cores, you can and should simply spin up more Tor processes in parallel, one per CPU core, and limit their bandwidth so they never hit 100% CPU usage.

--
Moritz Bartl
https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Exit Relay on VPS by WEDOS
Hi,

Thanks for going through the trouble of running an exit relay!

On 03/04/2014 08:49 AM, dope457 wrote:
> Today, a few weeks from the last incident, they just pulled out the ethernet cable from my VPS and I am not sure what to do.

Looks like this ISP is not suitable for Tor exit relays. Please add it to the https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs page, and find a better one. I'm afraid there's not much else you can do.

Make sure to inform the ISP beforehand about the risks, be fast and polite in answering abuse complaints, and as long as the ISP doesn't know you well enough make sure the ISP of all places understands how you handled the complaint and why. For example, for the POP3 case, you could have offered to block POP3 altogether.

In case you haven't seen it already, this is a must-read for exit operators: https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines

--
Moritz Bartl
https://www.torservers.net/

Re: [tor-relays] Single IP multiple OR Ports
Hi Moritz,

I know that link and that's what I have done to set up Intel aesni acceleration - but it seems that this tweak is not available anymore on Ubuntu 13.10, that's what I meant. I also found some hints on Google that this is no longer working now.

This is in my startup log:

    Mar 04 11:54:24.000 [warn] Unable to load dynamic OpenSSL engine aesni.
    Mar 04 11:54:24.000 [notice] Default OpenSSL engine for RSA is RSAX engine support [rsax]
    Mar 04 11:54:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DLFCN_LOAD:---)
    Mar 04 11:54:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DSO_load:---)
    Mar 04 11:54:24.000 [warn] TLS error while generating certificate: dso not found (in engine routines:DYNAMIC_LOAD:---)
    Mar 04 11:54:24.000 [warn] TLS error while generating certificate: no such engine (in engine routines:ENGINE_by_id:---)

But as you can see, aesni_intel is activated:

    lsmod | grep aes
    aesni_intel 55624 0
    aes_x86_64 17131 1 aesni_intel
    lrw 13286 1 aesni_intel
    glue_helper 13990 1 aesni_intel
    ablk_helper 13597 1 aesni_intel
    cryptd 20359 3 ghash_clmulni_intel,aesni_intel,ablk_helper

I found some information on 2 pages that aesni_intel is no longer available to openssl 1.0.1, so this acceleration is not usable anymore - as Ubuntu 13.10 is delivered with that openssl version I'm also affected by that change.

I found some information here: https://trac.torproject.org/projects/tor/ticket/6158 with a hint for reading here: https://lists.torproject.org/pipermail/tor-relays/2012-March/001260.html

Is there any other way to get this acceleration working?

Thanks for your support!

2014-03-04 9:10 GMT+01:00 Moritz Bartl mor...@torservers.net:
> Hi,
>
> On 03/04/2014 08:19 AM, toxi roxi wrote:
> > With an upgrade to Ubuntu 13.10 x64 there seems to be no more support for the aesni module - so it doesn't seem to be usable any more. With older Ubuntu releases it works.
>
> https://www.torservers.net/wiki/setup/server#aes-ni_crypto_acceleration
>
> Does this help already?
>
> > I've recognized that some configurations are running easily with a higher throughput - but could not figure out what's the reason for it. My VPS'es are almost running in a KVM environment - but the 2 fastest ones are running on the OpenVZ hypervisor.
>
> I tried KVM and OpenVZ some years ago for high bandwidth relays, and couldn't get it to make decent throughput at all. I now run all our fast relays on bare metal.
>
> > But anyway I'm interested in reactivating that function as it seems to really speed up relay's speed.
>
> Unless you max out /all/ your CPU cores, you can and should simply spin up more Tor processes in parallel, one per CPU core, and limit their bandwidth so they never hit 100% CPU usage.
>
> --
> Moritz Bartl
> https://www.torservers.net/

[tor-relays] (no subject)
Howdy,

I am interested in helping with updating and patching the Tor code. Can one of the developers contact me off list, or some of you? I am interested in helping with updating all parts of Tor and any project of Tor.

--
the wyer

Re: [tor-relays] Single IP multiple OR Ports
On Tue, Mar 04, 2014 at 01:00:15PM +0100, toxi roxi wrote:
> I know that link and that's what I have done to set up Intel aesni acceleration - but it seems that this tweak is not available anymore on Ubuntu 13.10, that's what I meant.

As Moritz says, the *config* is removed, because aes-ni is no longer a *separate* module, it's built in to core openssl.

> I also found some hints on Google that this is no longer working now.
> This is in my startup log:
> Mar 04 11:54:24.000 [warn] Unable to load dynamic OpenSSL engine aesni.
> Mar 04 11:54:24.000 [notice] Default OpenSSL engine for RSA is RSAX engine support [rsax]
> Mar 04 11:54:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DLFCN_LOAD:---)
> Mar 04 11:54:24.000 [warn] TLS error while generating certificate: could not load the shared library (in DSO support routines:DSO_load:---)
> Mar 04 11:54:24.000 [warn] TLS error while generating certificate: dso not found (in engine routines:DYNAMIC_LOAD:---)
> Mar 04 11:54:24.000 [warn] TLS error while generating certificate: no such engine (in engine routines:ENGINE_by_id:---)
> But as you can see, aesni_intel is activated:
> lsmod | grep aes
> aesni_intel 55624 0

Note that the kernel module is not required for openssl, instead you just need to verify that aes is in /proc/cpuinfo:

    grep --color aes /proc/cpuinfo

(The aesni_intel kernel module gives you faster encrypted disks and similar in-kernel cryptography systems. The aes cpuflag ensures that the AES-NI instructions are available to applications.)

-andy
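
The checks discussed in this thread, collected into one script as an added example (not code from any poster or from the Tor project): it looks for the aes CPU flag, for leftover engine configuration, and for the engine-load warning in a log. Assumptions: the file paths passed in are copies you supply, the sample files are constructed, and AccelName/AccelDir are the torrc options that request a named dynamic OpenSSL engine (the thread does not name them).

```shell
#!/bin/sh
# Added example (not from the thread). File paths are parameters so the
# checks can run against copies; AccelName/AccelDir are Tor's torrc options
# for loading a named dynamic OpenSSL engine.

# Exit 0 if the "aes" CPU flag is listed on a flags line of FILE.
cpu_has_aes() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Print active (uncommented) AccelName/AccelDir lines from a torrc.
stale_accel_lines() {
    grep -Ei '^[[:space:]]*(AccelName|AccelDir)[[:space:]]' "$1"
}

# Print how many engine-load warnings a Tor log contains (0 if none).
engine_warnings() {
    n=$(grep -c 'Unable to load dynamic OpenSSL engine' "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

# Print a one-word verdict for a cpuinfo file, a torrc and a Tor log.
diagnose() {
    if ! cpu_has_aes "$1"; then echo "no-aes-flag"; return 0; fi
    if stale_accel_lines "$2" >/dev/null || [ "$(engine_warnings "$3")" -gt 0 ]
    then echo "remove-engine-config"
    else echo "ok"
    fi
}

# Write constructed sample files into DIR (the warning line is the thread's).
make_samples() {
    printf 'flags\t\t: fpu sse2 pclmulqdq aes xsave avx\n' > "$1/cpuinfo"
    printf 'flags\t\t: fpu sse2 xsave\n' > "$1/cpuinfo_noaes"
    printf 'ORPort 9001\nHardwareAccel 1\nAccelName aesni\n' > "$1/torrc_old"
    printf 'ORPort 9001\n#AccelName aesni\n' > "$1/torrc_new"
    echo 'Mar 04 11:54:24.000 [warn] Unable to load dynamic OpenSSL engine aesni.' > "$1/log_old"
    echo 'Mar 04 11:54:24.000 [notice] Bootstrapped 100%: Done' > "$1/log_new"
}

d=$(mktemp -d) && make_samples "$d"
diagnose "$d/cpuinfo" "$d/torrc_old" "$d/log_old"   # remove-engine-config
diagnose "$d/cpuinfo" "$d/torrc_new" "$d/log_new"   # ok
```

On a real relay, pass /proc/cpuinfo, the relay's torrc and its log file as the three arguments to `diagnose`.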