Opened 14 months ago

Closed 5 months ago

#18828 closed enhancement (fixed)

Regenerate fallback list for 0.2.9

Reported by: teor Owned by: teor
Priority: Medium Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: TorCoreTeam201612, 029-accepted
Cc: Actual Points: 5
Parent ID: #20172 Points: 3
Reviewer: Sponsor: SponsorU-can

Description (last modified by teor)

We need to regenerate the fallback directory mirror list in 0.2.9 in case any of the 0.2.8 fallbacks have changed details or gone down.

This should not require another opt-in mailout, as we had ~70 additional fallbacks in 0.2.8 that were suitable but not selected.

We should also:

  • restore the 120 day stability period and 99% uptime requirement that were reduced in 0.2.8 due to #18050
  • check the bandwdith range in the script's generated C comments
  • check the IP version, netblock, port, and Exit flag proportions in the script's stderr output

Over the longer term, we could:

  • reconsider whether to allow 2 fallbacks per operator (contact, family), while keeping 1 per IP
  • decide whether to change to an opt-out system, where we includes fallbacks unless operators specifically opt-out

Child Tickets

TicketTypeStatusOwnerSummary
#20010enhancementclosedteormodifications of relay(s) on fallback whitelist
#20170defectclosedteorBackport latest fallback list to 0.2.8 and 0.2.9
#20173taskclosedteorTell 0.2.9 fallback directory operators that their relays are on the list
#20539defectclosedMake sure fallback directories aren't running buggy versions / can deliver a recent consensus
#20877defectclosedteorFix a bug in updateFallbackDirs.py's comment handling
#20878enhancementclosedteorAdd bandwidth to fallback comments
#20880enhancementclosedteorMake minimum fallback stability 6 months
#20881enhancementclosedteorSelect 200 fallbacks for each release
#20882enhancementclosedteorMake output sort order of fallbacks configurable
#20908enhancementclosedDisplay the fingerprint when downloading consensuses from fallbacks
#20912enhancementclosedteorAllow 2 fallbacks per operator
#20914enhancementclosedteorConsider switching to 3 fallbacks per operator
#20926defectclosedteorAvoid checking fallback candidates' DirPorts if they are down in OnionOO
#20945defectclosedteorAvoid an error in the fallback script when a fallback doesn't have any uptime

Attachments (5)

potential_extra_fallbacks_2016-12-04 (27.6 KB) - added by teor 6 months ago.
relays for the opt-in request 2016-12-04
potential_extra_fallbacks_2016-12-04.log (350.6 KB) - added by teor 6 months ago.
log for selection of relays for the opt-in request 2016-12-04
draft_fallback_dirs_20161210_1121_2594b7b (17.5 KB) - added by teor 6 months ago.
Draft fallback list 10 Dec 2016 generated from commit 2594b7b
draft_fallback_dirs_20161210_1121_2594b7b.log (473.0 KB) - added by teor 6 months ago.
Selection log for draft fallback list 10 Dec 2016 generated from commit 2594b7b
fallback_dirs_final_201612190411_fcf19f8b545a30a6cc9e6adde66e8ca2cb6b3bca.log (464.0 KB) - added by teor 5 months ago.
Log file for final fallback list generation

Download all attachments as: .zip

Change History (41)

comment:1 Changed 13 months ago by teor

  • Description modified (diff)

comment:2 follow-up: Changed 13 months ago by nickm

  • Keywords 029-accepted added; 029-proposed removed
  • Milestone changed from Tor: 0.2.??? to Tor: 0.2.9.x-final

agreed; we should do this about once per release series. (Also perhaps you can recruit somebody else to do it together with you this time, so that two people have experience doing it?)

comment:3 in reply to: ↑ 2 Changed 13 months ago by teor

Replying to nickm:

agreed; we should do this about once per release series. (Also perhaps you can recruit somebody else to do it together with you this time, so that two people have experience doing it?)

Sure. It would also help if that person reviewed #17158, #17905, and #18749 in 0.2.8.

comment:4 Changed 13 months ago by teor

I've started a branch with some more fallback whitelist / blacklist changes: fallbacks-201605 on https://github/com/teor2345/tor.git

We should merge it when we next regenerate the hard-coded list.

comment:5 Changed 12 months ago by isabela

  • Points changed from medium to 3

comment:6 Changed 11 months ago by teor

The latest fallback whitelist / blacklist changes are based on maint-0.2.8 (shortly after 0.2.8.4-rc) and are in fallbacks-201606 on ​https://github/com/teor2345/tor.git

comment:7 Changed 11 months ago by teor

I've merged the changes in the above branch into bug19071 (targeted at 0.2.8), because there's no way I'm keeping two concurrent whitelist/blacklist versions.

So there's nothing extra that needs to be merged into 0.2.9 at this point in time.

comment:8 Changed 11 months ago by teor

I'm now collecting new fallback whitelist entries on my branch fallbacks-201607 on https://github.com/teor2345/tor.git

comment:9 Changed 11 months ago by teor

We need to rebuild the fallback list entirely in 0.2.9 to make sure we've fixed #19163 - as of July 2016, every recommended tor version supports ntor.

comment:10 Changed 11 months ago by teor

Since #19610 causes IPv6-only clients to ask 15 IPv6 fallback directories for microdescriptors, we should increase the fallback numbers to 200 or 300, so we have a reasonable number of IPv6 fallbacks.

comment:11 Changed 10 months ago by teor

  • Keywords TorCoreTeam201608 added; TorCoreTeam201609 removed

What I'd like to do in August is:

  • generate a draft list of 200 fallbacks,
  • find relays that are not whitelisted, but have high enough bandwidth and stability to have been included in the list, and
  • if the operators of these relays have not been contacted already, email them an opt-in request

What I'd like to do in September is:

  • add any new entries to the whitelist/blacklist,
  • generate an alpha list of 200 fallbacks,

What I'd like to do as our alphas start to stabilise (December 2016?) is:

  • check each fallback on the existing list to see if it's still working (same key, IP, and delivers a consensus)
  • comment-out the ones that aren't working

comment:12 Changed 9 months ago by teor

It's likely that #19989 applies to IPv6-only clients fetching microdescriptors from fallback directories (#19608). So we should make sure there are some non-Exit IPv6-capable relays in the set.

comment:13 Changed 9 months ago by teor

I've updated the fallbacks-201607 branch on https://github.com/teor2345/tor.git based on #20010 and an operator email.

[fallbacks-201607 e7ed8bb] Update fallback addresses based on operator emails and tickets

comment:14 Changed 9 months ago by teor

  • Keywords TorCoreTeam201609 added; TorCoreTeam201608 removed

We have extended the 0.2.9 release deadline, and so I can afford to do some of this in September.

I also want to:

  • make a wiki page so someone else can update fallbacks if needed (and so I don't forget)
  • change the fallback script so it has an "exclude existing" mode (exclude both the whitelist and blacklist), to make finding new potential fallbacks easier

comment:15 Changed 8 months ago by nickm

  • Status changed from new to assigned

comment:16 Changed 8 months ago by teor

  • Parent ID set to #20172

comment:17 Changed 8 months ago by teor

And I made an updated whitelist and blacklist branch: fallbacks-029 on my github.
The changes to the 0.2.8 list are in #20170.

comment:18 Changed 8 months ago by teor

I am up to step 2 of https://trac.torproject.org/projects/tor/wiki/doc/UpdatingFallbackDirectoryMirrors , but I can't seem to get a good OnionOO uptime document (#20193), so I'm kind of stuck.

comment:19 follow-up: Changed 7 months ago by arma

Still stuck? Or #20193 is not-a-bug so it's ok, and the remaining issue is to find time to proceed?

comment:20 in reply to: ↑ 19 Changed 7 months ago by teor

Replying to arma:

Still stuck? Or #20193 is not-a-bug so it's ok, and the remaining issue is to find time to proceed?

Finding time is one issue, because I have to update the script, do a mass email, collate responses, run the script again, and then have the list backported to 0.2.8 onwards.

Also, the current list is working fine, so there's not much urgency here. I would like to get an update in 0.2.9 though.

Changed 6 months ago by teor

relays for the opt-in request 2016-12-04

Changed 6 months ago by teor

log for selection of relays for the opt-in request 2016-12-04

comment:21 Changed 6 months ago by teor

  • Status changed from assigned to needs_information

My branch fallbacks-029-v2 on github https://github.com/teor2345/ has the changes I used to generate the lists I just attached.

I will send out an email to tor-relays asking operators on the list to opt-in, wait a week or two, collate the responses, and generate the final list.

comment:22 Changed 6 months ago by teor

I still need to fix #20539, we don't need to exclude the bad 0.2.9 alpha versions until the final list.

comment:24 Changed 6 months ago by teor

#20539 is done, and I am contacting operators based on the results.

comment:25 Changed 6 months ago by teor

  • Keywords TorCoreTeam201612 added; TorCoreTeam201609 removed
  • Status changed from needs_information to needs_revision

My draft branch for this is fallbacks-201612-v2 on github.
https://github.com/teor2345/tor/tree/fallbacks-201612-v2

comment:26 follow-up: Changed 6 months ago by teor

  • restore the 120 day stability period and 99% uptime requirement that were reduced in 0.2.8 due to #18050

I initially tried 183 days stability and 99% uptime, but that excluded too many good relays.
Instead, I am switching it back to 120 days (4 months) and 98%.

120 days is a compromise between the 6-monthly major tor release cycle, and actual relay stability.

98% still gives us (0.98)^3 = 94% of clients bootstrapping in the first 5 seconds, before contacting an authority.
8/(200*10 + 8) * 3 = 1.2% of clients try an authority in their first 3 attempts anyway, as the authorities are also in the fallback list (but with lower weight).

This works with 0.2.8, which has:
Fallback 0, 1, 5, 16, ...
Authority 6, 17, ...
https://gitweb.torproject.org/tor.git/tree/src/or/config.c#n550
(The schedules are delays, which are additive.)

And 0.2.9 and later, which have:
Fallback 0, 2, 5, 13, 33, ...
Authority 6, 11, 27, ...
https://trac.torproject.org/projects/tor/ticket/20534#comment:19

comment:27 in reply to: ↑ 26 Changed 6 months ago by teor

  • Status changed from needs_revision to needs_review

Replying to teor:

  • restore the 120 day stability period and 99% uptime requirement that were reduced in 0.2.8 due to #18050

I initially tried 183 days stability and 99% uptime, but that excluded too many good relays.
Instead, I am switching it back to 120 days (4 months) and 98%.

120 days is a compromise between the 6-monthly major tor release cycle, and actual relay stability.

98% still gives us (0.98)^3 = 94% of clients bootstrapping in the first 5 seconds, before contacting an authority.
8/(200*10 + 8) * 3 = 1.2% of clients try an authority in their first 3 attempts anyway, as the authorities are also in the fallback list (but with lower weight).

We can't require this level of stability, because so many relays are being excluded due to the recommended versions and #20539.

Instead, I chose 7 days and 90%, which means at least 73% of fallbacks can bootstrap without contacting an authority.

We can merge the latest version of my github fallbacks-201612-* branch containing the script, whitelist, and blacklist to master in this ticket.

The current draft branch used to build the list in #20170 is fallbacks-201612-v3 on my github:
https://github.com/teor2345/tor/tree/fallbacks-201612-v3

If someone likes reading python, I'd love a review.

comment:28 Changed 6 months ago by teor

Updated the branch: fallbacks-201612-v4
https://github.com/teor2345/tor/tree/fallbacks-201612-v4

comment:29 Changed 6 months ago by nickm

Link not found?

comment:30 Changed 6 months ago by teor

Fixed

Changed 6 months ago by teor

Draft fallback list 10 Dec 2016 generated from commit 2594b7b

Changed 6 months ago by teor

Selection log for draft fallback list 10 Dec 2016 generated from commit 2594b7b

comment:31 Changed 5 months ago by teor

I sent an email to tor-relays and to all the relay operators on the draft list.
I'll leave it another week, then create the final list.
Details in #20173.

comment:32 Changed 5 months ago by teor

  • Actual Points set to 5
  • Milestone changed from Tor: 0.2.9.x-final to Tor: 0.3.0.x-final

The final script and fallback whitelist and blacklist are in fallbacks-20161219 commit fcf19f8b545a30a6cc9e6adde66e8ca2cb6b3bca.

The final list is in #20170.

Changed 5 months ago by teor

Log file for final fallback list generation

comment:33 Changed 5 months ago by nickm

Hi! Is there a master branch I can merge here to get all the fallback directory script changes into mainline Tor?

comment:34 Changed 5 months ago by teor

Branch fallbacks-20161219 on my github.
(Sorry, I thought I'd posted that somewhere already.)

All the child tickets can close as well.

comment:35 Changed 5 months ago by nickm

Merged! Thanks!

comment:36 Changed 5 months ago by nickm

  • Resolution set to fixed
  • Status changed from needs_review to closed

All the child tickets can close as well.

Done!

Note: See TracTickets for help on using tickets.