Opened 7 months ago

Closed 5 months ago

Last modified 3 months ago

#30708 closed task (implemented)

Create a docker image for obfs4proxy

Reported by: phw
Owned by: phw
Priority: Medium
Milestone:
Component: Circumvention/Obfs4
Version:
Severity: Normal
Keywords: anti-censorship-roadmap, sponsor28, s30-o24a2
Cc: phw, msherr
Actual Points:
Parent ID: #30777
Points: 3
Reviewer: cohosh
Sponsor: Sponsor28-must

Description

As part of our work for Sponsor 28, we need to create a docker image for obfs4proxy to facilitate the work of the RACE deployment team.

We should coordinate with the deployment team to create a docker image that fits their needs.

Change History (11)

comment:1 Changed 6 months ago by gaba

Parent ID: #30777

comment:2 Changed 6 months ago by phw

Status: assigned → needs_review

I created a docker image for an obfs4 Tor bridge: https://dip.torproject.org/anti-censorship/docker-obfs4-bridge. You can test it by cloning the repository and, after entering the directory, running:

docker build -t phwinter/obfs4-bridge:0.1 .

Then, you can start the docker image by running:

./deploy-container.sh

I had to work around a docker design issue: we cannot use a static OR port or obfs4 port in the image because that would make it possible to scan the IPv4 address space for these ports and block all bridges you find that way. We therefore need random ports. Docker's build command has a -P switch that picks a random, external port and forwards it to an internal, static port, but the issue is that the image has no easy way of learning what external port docker picked. Tor, however, needs to know because it has to advertise these ports in its descriptor.

My workaround is a shell script that automatically determines a random port and passes it to the image via environment variables. It's not pretty but it works.
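
The workaround described in comment:2, sketched as an added example; it is not the repository's deploy-container.sh. The variable names OR_PORT and PT_PORT, and an image entrypoint that writes them into Tor's configuration, are assumptions; the image tag is the one from the build command above.

```shell
#!/bin/sh
# Added example: pick the ports on the host, publish each one under the
# same number inside and outside the container, and tell the image which
# ports were chosen so Tor can advertise them in its descriptor.
# OR_PORT and PT_PORT are assumed names, not confirmed by the ticket.

IMAGE="phwinter/obfs4-bridge:0.1"   # tag from the build command above

# Print a random port in 1024..65535, drawn from the kernel CSPRNG.
# (The modulo introduces a slight bias, which is harmless here.)
random_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( n % 64512 + 1024 ))
}

# Print two distinct random ports as "<or_port> <pt_port>".
pick_ports() {
    or_port=$(random_port)
    pt_port=$(random_port)
    while [ "$pt_port" -eq "$or_port" ]; do
        pt_port=$(random_port)
    done
    echo "$or_port $pt_port"
}

# Print the docker run command for the given OR port ($1) and obfs4 port ($2).
# -p N:N keeps the external and internal port identical, so the number the
# image receives via -e is exactly the port reachable from outside.
docker_cmd() {
    echo "docker run -d" \
         "-e OR_PORT=$1 -e PT_PORT=$2" \
         "-p $1:$1 -p $2:$2" \
         "$IMAGE"
}

# Dry run by default: print the command. Set DEPLOY=1 to execute it.
deploy() {
    set -- $(pick_ports)
    cmd=$(docker_cmd "$1" "$2")
    echo "$cmd"
    if [ "${DEPLOY:-0}" = "1" ]; then $cmd; fi
}

deploy
```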

comment:3 Changed 6 months ago by cohosh

Reviewer: cohosh

comment:4 Changed 6 months ago by cohosh

Status: needs_review → merge_ready

This looks good to me. I left a small comment on one of the commits.

comment:5 in reply to:  4 Changed 6 months ago by phw

Replying to cohosh:

This looks good to me. I left a small comment on one of the commits.


Thanks!

I informed tor-relays@ that we now have a docker image. Let's see if we get some feedback. Then, we can update our installation instructions with the docker image and move forward with #30777.

comment:6 Changed 5 months ago by phw

Status: merge_ready → needs_review

I made some improvements to the container creation progress starting in commit deeb0c83. The tor process now drops privileges and I removed the ugly sed string replacement hack. Could you please review these changes too?

comment:7 Changed 5 months ago by cohosh

Just got around to looking at this. It looks great! I like the instructions :)

comment:8 Changed 5 months ago by cohosh

Status: needs_review → merge_ready

comment:9 Changed 5 months ago by msherr

Cc: msherr added

comment:10 Changed 5 months ago by phw

Resolution: implemented
Status: merge_ready → closed

Thanks for the review. I added installation instructions to our setup guide at:
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy#Docker

Let's call this done.

comment:11 Changed 3 months ago by phw

Keywords: s30-o24a2 added