IRC Archive / Oftc / #tor / 2010 / February / 5 / 1
arma
i find it interesting because -- for purely technical reasons -- they are forced to try to spread pervasive ssl.
jr__
interesting, how much additional burden does that place on webservers?
coderman
you doing it on die or in sw? (in other words, if you're doing a lot it is no load on the webservers since you're terminating SSL before them. otherwise, ..)
arma
they have a new twist on ssl that requires fewer round-trips. the computation is apparently cheap enough that they don't care.
(i know zero details other than google saying "it is no longer a technical problem. google can handle ssl to all its services.")
coderman
fitting that latency of session setup is the biggest concern, with computational overhead an afterthought. :)
nsa
or: phobos committed revision 21558 (/website/trunk/docs/de): remove an extra space in the bridges a href. Thanks to barkerjr for
or: finding this.
or: phobos committed revision 21559 (/website/trunk/ja): remove sha1 links from japanese download.wml. Thanks to barkerjr.
or: phobos committed revision 21560 (/website/trunk/pt): remove sha1 links from download, thanks to barkerjr.
or: phobos committed revision 21561 (/website/trunk/ru): remove sha1 links from download-unix, thanks to barkerjr.
jr__
sjmurdoch: I guess Camilo is not acquainted with my efforts :D
arma
is the nat point an issue?
seems like it could work like udp from the nat's perspective
jr__
I don't think so
         

BarkerJr
dun, check: cat /proc/sys/fs/file-nr
the last number is the maximum number of files the kernel can support
don't set ulimit -n higher than that or your system processes will run out of files :)
dun
yeah I know, kernel supports up to 262144, just wondering what value I should set in ulimit for a 800kb/s relay
arma
dun: 32k should do it.
dun
ok
BarkerJr
my kernel only supports 34896 :/
arma
it's a function of physical memory i think?
BarkerJr
ah
arma
unless you're running linux 2.0 or something
BarkerJr
that makes sense now... I was wondering why one of my bigger servers increased its limit after I installed more ram
dun
ok, 32k it is
are there any non-standard torrc options I should set on my relay? I used torrc.sample
Sebastian
no
BarkerJr
you could set NumCPUs to allow tor to use more than one core
Sebastian
dun: [18:47] <Sebastian> dun: you should read the Tor manual like this: "Oh hey, I'm not absolutely positive I need that option. I'm not setting it."
:)
BarkerJr: that's almost useless, alas
BarkerJr
I know, but I still set it :P
it must do /something/
Sebastian
it is a good idea to set it, it might become not useless in the future :)
arma
it's not totally useless
there are several components that max out your cpu. this relieves one of them.
dun
Sebastian: lol, yes I remember this :) I thought there may be something I should have a look at when running an exit node that may use up to 3TB/month. but ok, I won't mess around with my torrc anymore ;)
BarkerJr
dun: you get on that, right now! :)
but your point being that a 800kb/s relay probably won't use much cpu is probably right
Sebastian
right, 3TB isn't that much
When spread out across an entire month :)
(I would love to be able to provide that instead of the 2TB fluxe3 has, but hey ;P)
dun
yay, a friend of mine who (I guess) never used his v-server just emailed me his login data and asked me to install a relay there too. another 5TB *g*
         

Sebastian
woo!
BarkerJr
I currently can use 25tb/mo, but tor uses less than 10tb/mo... I think partly cause I max out the CPU
Sebastian
let's hope his vserver isn't crippled like many are
dun
crippled?
Sebastian
BarkerJr: probably
dun: https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#VServer
dun
ah ok
fs-max is 524288, at least this looks good
BarkerJr
cat: /proc/user_beancounters: No such file or directory
dun
same here
BarkerJr
ah, cause I'm on xen
coderman
i forget which hypervisor uses bean counters, but it sucks. (so not having it is good)
jr__
:-/
coderman
openvz, that's right.
BarkerJr
I never buy anything but xen
murb
coderman: it isn't a hypervisor.
jr__
murb: details ...
:)
murb
it is just constrained luserspace.. like jail
jr__
but but
they call it VIRTUAL!
coderman
ok, "OS container'ized cooperative processing" you pedant
murb
pedantry -> #notnor :)
coderman
but yes, not a full or paravirtualized system, and sucks :)
murb
or tor
coderman
iirc Tor just struggles or dies on such things. Xen and others are less constrained in most cases. (perhaps because providers don't cram as many vms on a single host with those systems)
arma
people who like code security, check out https://bugs.torproject.org/flyspray/index.php?do=details&id=1242
i woke up too early today to bring my brain with me, so i have not much of an opinion
jr__
freebsd is moving to 64-bit time_t
but I doubt many allocators can allocate less than a cacheline
In other words - he is right, but I don't know if it matters
sizeof(time_t *) != sizeof(time_t)
arma
sure, but that doesn't mean there's an overrun
jr__
there is if it actually allocates only 4 bytes
but time_t is 8
arma
i can take a uint64_t, allocate a byte, and try to write the value of the 64-bit thing into the byte.
jr__
you could be writing 8 bytes in to a 4 byte space
but the metadata overhead is such
that they probably won't allocate only 4 bytes
arma
maybe i'm just being wrong. but *last_request_ptr = now means to take the value of now, and make it fit (integer overflowing as needed) into the piece of memory that's the size of a pointer.
BarkerJr
why don't we do sizeof(now)?
jr__
heh
no
the compiler doesn't check that the size of the allocation and the assignment match
IOW
foo = malloc(1);
where
uint64_t *foo;
*foo = 10000000000000000000000000000000
BarkerJr
ok, so I think you're right, arma... this is an assignment copy, so the clib should truncate it to fit?
jr__
sigh
BarkerJr
I haven't used C in years, though
but I thought the operators were safe to use :)
jr__
maybe your magical C compiler will truncate to fit the allocation
arma
ah.
jr__
but mine won't
arma
yeah. you're right. man, i need to get my brain back somehow. this crossing continents thing sucks.
jr__
I can imagine
BarkerJr
this is why I moved to Java :P
jr__
(Action) heapsprays BarkerJr's JVM
arma
i wonder what possessed us to write the code that way in the first place.
jr__
but yes, that does dramatically reduce your need to understand the underlying byte representation
arma
jr__: do you know if it's just freebsd that's moving to 64-bit time_t, or other bsd's too? and is it only the bsd's?
Sebastian
OS X too
SL is using 64bit time_t
arma
joy
jr__
:D
BarkerJr
does that mean we're having zillions of overruns all the time?
jr__
uh
no
arma
so the fix would be to take out the * from the malloc?
jr__
yes
arma
(Action) sure isn't going to touch code in this state, but is happy to spec'late
jr__
you want the size of the pointee
not the pointer
arma
bug added in r13250
aka 6b1374556e877
aka 0.2.0.18-alpha
nickm
arma: this wants fixed in 0.2.1.x. 0.2.0.x is dead, yes?
Sebastian
arma: that's a lot of the compile warnings we were getting ;)
arma
0.2.0.x is dead yet it still lives. let me see what's in the 0.2.0.36 changelog
nothing!
0.2.0.x is dead with the small exception of "tell weasel"
since it will live forever inside lenny
nickm
well, it might be time for an 0.2.0.36 with the new server keys and this one fix.
arma
why? weasel already shipped a fixed 0.2.0.x with the new keys
Sebastian
did we officially announce 0.2.0.x as dead?
If not, we should at least do that.
arma
nope. with 0.2.1.23 we should do that, you're right.
Sebastian
I think announcing end of life without a last version that fixes all known security bugs is not nice.
On the other hand, who pays us to be nice :)
arma
right.
the only people we know who have any reason to still be on 0.2.0.x have a nice debian guy looking out for them
the rest of them should get off their bleeps and upgrade
Sebastian
I guess weasel would call us a terrible upstream if we weren't Tor ;)
but i agree.
arma
0.2.0.30 came out in august 2008
Sebastian
the fewer people on 0.2.0.x, the better.
arma
even if we did promise to maintain it for 18 months, which we didn't, that ends soon
though to be fair (which we don't need to be), 0.2.1.x came out in august 2009,
and if you follow the "don't use the first one" rule, it came out in nov 2009.
Sebastian
hehe
not like apache :)
arma
hm?
jr__
to
no one has a business or operation that relies on Tor
in the way that Apache or Linux do
waltman
My bridge has been hibernating for 8 hours now. Any idea why it might still have 33 sockets open?
It had 27 open 2 1/2 hours ago.
Sebastian
arma: apache, 42 million years and 23 days after the release of 1.3, is now only providing security updates for it. :)
waltman
Is this internal stuff, e.g. keeping cached descriptor and consensus up to date?
jr__
what does netstat show?
waltman
hmm, running it now
Sebastian
waltman: there are two different states of hibernation, soft and hard. Tor should close its ports when it reaches the hard limit
waltman
this is soft
arma
tor should close its ports when it reaches the soft limit, actually
close incoming ports that is
it'll hang up on everybody when it hits the hard limit
waltman
I'm not sure what I'm looking for in netstat
jr__
who the peers aro
are
guess it's hard to determine much from that
nm
waltman
there are things like cyberphunk.eu and anonymous.sec.nl
arma
those look like other tor relays. probably you have some circuits open to them still.
waltman
mostly 9001s, but a few https as well
so anyway, it's normal?
arma
yep. so far so good.
waltman
ok
terryg
greetings
I just did the tor polipo vidalia install on my ubuntu 9.10 system. Vidalia gives error msg
tor not running logs show that it can't attach to port 9050
any takers?
seeess
http://www.wired.com/dangerroom/2010/02/from-dont-be-evil-to-spy-on-everyone/
arma
hm. terryg raises a good point.
you have to be an expert tor user (well, ok, really just an expert linux user) to use the current vidalia packages.
specifically, you need to stop your tor before letting vidalia start it.
and then vidalia will run it as a different user, with a different torrc, and a different datadir.
jr__
lame
that may be the problem I had on FreeBSD
I spent about 30 minutes on it and then decided to move on
arma
we have a plan for integrating it better on unix, but i don't think anybody has written that plan down.
but then, no need to write it down if you're going to actually do it. but nobody is much doing it either.
jr__
heh
good to at least document that it is a problem
brigadier
hello everyone
need your help in setting up transparent proxy
i am new to linux, that's why the silly questions come up
here is the story
i have linux 2.6.31, ip forwarding disabled, iptables installed
when i try iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -j REDIRECT --to-ports 9040
the system says iptables: No chain/target/match by that name
moreover the manual assumes that my ip is 192.168.1.1 which in fact should be the router's one
i am behind nat
and my ip is 192.168.2.101