Create a docker image for obfs4proxy

As part of our work for Sponsor 28, we need to create a docker image for obfs4proxy to facilitate the work of the RACE deployment team.

We should coordinate with the deployment team to create a docker image that fits their needs.

Trac:
Parent Ticket: #30777 (moved)

added anti-censorship-roadmap component::circumvention/obfs4 owner::phw parent::30777 points::3 priority::medium resolution::implemented reviewer::cohosh s30-o24a2 severity::normal sponsor28 sponsor::28-must status::closed type::task labels

Trac:
Parent: N/A to #30777 (moved)

I created a docker image for an obfs4 Tor bridge: https://dip.torproject.org/anti-censorship/docker-obfs4-bridge. You can test it by cloning the repository and, after entering the directory, running:

docker build -t phwinter/obfs4-bridge:0.1 .

Then, you can start the docker image by running:

./deploy-container.sh

I had to work around a docker design issue: we cannot use a static OR port or obfs4 port in the image because that would make it possible to scan the IPv4 address space for these ports and block all bridges you find that way. We therefore need random ports. Docker's build command has a -P switch that picks a random, external port and forwards it to an internal, static port but the issue is that the image has no easy way of learning what external port docker picked. Tor however needs to know because it has to advertise these ports in its descriptor.

My workaround is a shell script that automatically determines a random port and passes it to the image via environment variables. It's not pretty but it works.

Trac:
Status: assigned to needs_review

Trac:
Reviewer: N/A to cohosh

This looks good to me. I left a small comment on one of the commits.

Trac:
Status: needs_review to merge_ready

Replying to cohosh:

This looks good to me. I left a small comment on one of the commits.

Thanks!

I informed tor-relays@ that we now have a docker image. Let's see if we get some feedback. Then, we can update our installation instructions with the docker image and move forward with #30777 (moved).

I made some improvements to the container creation progress starting in commit deeb0c83. The tor process now drops privileges and I removed the ugly sed string replacement hack. Could you please review these changes too?

Trac:
Status: merge_ready to needs_review

Just got around to looking at this. It looks great! I like the instructions :)

Trac:
Status: needs_review to merge_ready

Trac:
Cc: phw to phw, msherr

Thanks for the review. I added installation instructions to our setup guide at: https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy#Docker

Let's call this done.

Trac:
Status: merge_ready to closed
Resolution: N/A to implemented

Trac:
Keywords: N/A deleted, s30-o24a2 added

closed

changed time estimate to 24h

mentioned in issue #30777 (moved)