* [bug#70341] [PATCH v2] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
@ 2024-04-20 14:43 ` Nigko Yerden
2024-04-22 3:58 ` [bug#70341] [PATCH v3] " Nigko Yerden
` (6 subsequent siblings)
7 siblings, 0 replies; 18+ messages in thread
From: Nigko Yerden @ 2024-04-20 14:43 UTC (permalink / raw)
To: 70341; +Cc: Nigko Yerden
Pluggable transports are programs that disguise Tor traffic, which
can be useful in cases when Tor is censored. Pluggable transports
cannot be configured by the #:config-file file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug:#70302,
Bug:#70332).
* doc/guix.texi (Networking Services): Document 'transport-plugin' and
'pluggable-transport' options for 'tor-configuration'.
* gnu/services/networking.scm (<tor-configuration>): Add 'transport-plugin'
and 'pluggable-transport' fields.
(tor-configuration->torrc)[transport-plugin]: Add content to 'torrc'
computed-file.
(tor-shepherd-service)[transport-plugin-path]: Add file-system-mapping.
Change-Id: I64e7632729287ea0ab27818bb7322fddae43de48
---
doc/guix.texi | 11 ++++++++
gnu/services/networking.scm | 52 +++++++++++++++++++++++++------------
2 files changed, 47 insertions(+), 16 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 65af136e61..9fbe928484 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -127,6 +127,7 @@
Copyright @copyright{} 2024 Herman Rimm@*
Copyright @copyright{} 2024 Matthew Trzcinski@*
Copyright @copyright{} 2024 Richard Sent@*
+Copyright @copyright{} 2024 Nigko Yerden@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -21849,6 +21850,16 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugin} (default: @code{#f})
+This must be either @code{#f}, in which case the pluggable transports are
+not used by Tor, or a ``file-like'' object pointing to the pluggable transport
+plugin executable. In the latter case the @code{#:config-file} file
+should contain line(s) configuring one or more bridges.
+
+@item @code{pluggable-transport} (default: @code{"obfs4"})
+A string that specifies the type of the pluggable transport in
+case @code{#:transport-plugin} is not @code{#f}.
+
@end table
@end deftp
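Review bot: the `transport-plugin` entry should say that setting the field makes the service itself emit `UseBridges 1` and a `ClientTransportPlugin` line, since the networking.scm hunk below does exactly that; as written, readers are told to put bridge configuration into `#:config-file` and will reasonably add `UseBridges 1` there too, duplicating the generated directive. A sentence such as "The service adds @code{UseBridges 1} and the @code{ClientTransportPlugin} line itself; only the @code{Bridge} lines need to go in @code{config-file}." would settle it.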
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 8e64e529ab..e47f7ca61a 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -22,6 +22,7 @@
;;; Copyright © 2023 Declan Tsien <declantsien@riseup.net>
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
;;; Copyright © 2023 muradm <mail@muradm.net>
+;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -955,7 +956,11 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugin tor-configuration-transport-plugin-path
+ (default #f))
+ (pluggable-transport tor-configuration-pluggable-transport
+ (default "obfs4")))
(define %tor-accounts
;; User account and groups for Tor.
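Review bot: the accessor for the new `transport-plugin` field is `tor-configuration-transport-plugin-path`, which does not follow the field name the way `tor-configuration-pluggable-transport` does, and neither new accessor is added to the module's export list anywhere in this patch even though `tor-shepherd-service` below calls `tor-configuration-transport-plugin-path`. Export both (the v3 resend does) and consider naming the accessor `tor-configuration-transport-plugin` so that field, accessor and manual entry agree.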
@@ -988,7 +993,8 @@ (define-configuration/no-serialization tor-onion-service-configuration
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugin pluggable-transport)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -1027,6 +1033,13 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (when #$transport-plugin
+ (format port "\
+UseBridges 1
+ClientTransportPlugin ~a exec ~a~%"
+ #$pluggable-transport
+ #$transport-plugin))
+
(display "\
### End of automatically generated lines.\n\n" port)
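Review bot: `UseBridges 1` is written unconditionally whenever `transport-plugin` is set, so the field only serves the client side; a bridge operator needs a `ServerTransportPlugin` line and must not enable `UseBridges`. Either state in the manual that the field is client-only or make the role configurable. Separately, `pluggable-transport` is spliced in with `~a` and never checked, so an empty or multi-word string produces a torrc that tor rejects at start-up instead of an error at `guix system reconfigure` time; a sanitizer requiring a single non-empty token would catch that early.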
@@ -1039,23 +1052,30 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugin-path (tor-configuration-transport-plugin-path config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (if transport-plugin-path
+ (list (file-system-mapping
+ (source transport-plugin-path)
+ (target source)))
+ '()))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
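Review bot: the new mapping exposes only the plugin executable to the container. If `transport-plugin` is a `local-file` or a bare store path of a dynamically linked binary, its ELF interpreter and the libraries on its RUNPATH are not mapped and tor cannot exec the plugin; only a file-like object derived from a package (for example `(file-append PT-PACKAGE "/bin/lyrebird")`) has its references mapped by `least-authority-wrapper`. That constraint belongs in the manual entry for the field, since the failure mode is a bootstrap that halts at start with no hint about the cause.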
base-commit: 0f68306268773f0eaa4327e1f6fdcb39442e4a34
--
2.41.0
* [bug#70341] [PATCH v3] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
2024-04-20 14:43 ` [bug#70341] [PATCH v2] services: tor: Add support for pluggable transports Nigko Yerden
@ 2024-04-22 3:58 ` Nigko Yerden
2024-04-24 21:11 ` bug#70302: " André Batista
2024-05-10 8:32 ` [bug#70341] [PATCH v4] " Nigko Yerden
` (5 subsequent siblings)
7 siblings, 1 reply; 18+ messages in thread
From: Nigko Yerden @ 2024-04-22 3:58 UTC (permalink / raw)
To: 70341; +Cc: Nigko Yerden
Pluggable transports are programs that disguise Tor traffic, which
can be useful in case Tor is censored. Pluggable transports
cannot be configured by the #:config-file file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug#70302,
Bug#70332).
* doc/guix.texi (Networking Services): Document 'transport-plugin' and
'pluggable-transport' options for 'tor-configuration'.
* gnu/services/networking.scm: Export 'tor-configuration-transport-plugin-path',
'tor-configuration-pluggable-transport'.
(<tor-configuration>): Add 'transport-plugin' and 'pluggable-transport'
fields.
(tor-configuration->torrc)[transport-plugin]: Add content to 'torrc'
computed-file.
(tor-shepherd-service)[transport-plugin]: Add file-system-mapping.
Change-Id: I64e7632729287ea0ab27818bb7322fddae43de48
---
doc/guix.texi | 11 ++++++++
gnu/services/networking.scm | 54 ++++++++++++++++++++++++++-----------
2 files changed, 49 insertions(+), 16 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 65af136e61..eb0837860e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -127,6 +127,7 @@
Copyright @copyright{} 2024 Herman Rimm@*
Copyright @copyright{} 2024 Matthew Trzcinski@*
Copyright @copyright{} 2024 Richard Sent@*
+Copyright @copyright{} 2024 Nigko Yerden@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -21849,6 +21850,16 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugin} (default: @code{#f})
+This must be either @code{#f} or a ``file-like'' object pointing to the
+pluggable transport plugin executable. In the latter case the
+@code{#:config-file} file should contain line(s) configuring
+one or more bridges.
+
+@item @code{pluggable-transport} (default: @code{"obfs4"})
+A string that specifies the type of the pluggable transport in
+case @code{#:transport-plugin} is not @code{#f}.
+
@end table
@end deftp
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 8e64e529ab..6e535ea8ef 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -22,6 +22,7 @@
;;; Copyright © 2023 Declan Tsien <declantsien@riseup.net>
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
;;; Copyright © 2023 muradm <mail@muradm.net>
+;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -159,6 +160,8 @@ (define-module (gnu services networking)
tor-configuration-hidden-services
tor-configuration-socks-socket-type
tor-configuration-control-socket-path
+ tor-configuration-transport-plugin-path
+ tor-configuration-pluggable-transport
tor-onion-service-configuration
tor-onion-service-configuration?
tor-onion-service-configuration-name
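Review bot: the exported accessor `tor-configuration-transport-plugin-path` is bound to a field called `transport-plugin`, while its sibling `tor-configuration-pluggable-transport` follows the field name. Once exported this name is public API and awkward to change; `tor-configuration-transport-plugin` would match the field and the manual entry.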
@@ -955,7 +958,11 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugin tor-configuration-transport-plugin-path
+ (default #f))
+ (pluggable-transport tor-configuration-pluggable-transport
+ (default "obfs4")))
(define %tor-accounts
;; User account and groups for Tor.
@@ -988,7 +995,8 @@ (define-configuration/no-serialization tor-onion-service-configuration
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugin pluggable-transport)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -1027,6 +1035,13 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (when #$transport-plugin
+ (format port "\
+UseBridges 1
+ClientTransportPlugin ~a exec ~a~%"
+ #$pluggable-transport
+ #$transport-plugin))
+
(display "\
### End of automatically generated lines.\n\n" port)
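Review bot: this hunk is unchanged from v2 and still hard-codes `UseBridges 1` together with `ClientTransportPlugin`, so the option cannot be used on the bridge side, and it still interpolates `pluggable-transport` without validating that it is a single token. If the client-only scope is intended, the manual hunk should say so explicitly; otherwise a role field selecting between `ClientTransportPlugin` and `ServerTransportPlugin` would cover both uses.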
@@ -1039,23 +1054,30 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugin-path (tor-configuration-transport-plugin-path config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (if transport-plugin-path
+ (list (file-system-mapping
+ (source transport-plugin-path)
+ (target source)))
+ '()))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
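Review bot: as in v2, the extra mapping covers the executable alone; nothing maps the plugin's shared-library dependencies, so a `local-file` or string store path of a dynamically linked plugin still fails to exec inside the container, while a `file-append` on a package works only because `least-authority-wrapper` maps that package's references. Documenting that the value should be derived from a package, or rejecting plain strings in a field sanitizer, would save users from a bootstrap that halts at start for no visible reason.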
base-commit: 9fa34ad616b94ad881b5ca48ef88bd84f877a0e9
--
2.41.0
* bug#70302: [bug#70341] [PATCH v3] services: tor: Add support for pluggable transports.
2024-04-22 3:58 ` [bug#70341] [PATCH v3] " Nigko Yerden
@ 2024-04-24 21:11 ` André Batista
2024-04-25 6:08 ` Nigko Yerden
0 siblings, 1 reply; 18+ messages in thread
From: André Batista @ 2024-04-24 21:11 UTC (permalink / raw)
To: Nigko Yerden; +Cc: 70332, 70302, 70341
Hi Nigko,
Mon 22 Apr 2024 at 08:58:39 (1713787119), nigko.yerden@gmail.com wrote:
> Pluggable transports are programs that disguise Tor traffic, which
> can be useful in case Tor is censored. Pluggable transports
> cannot be configured by #:config-file file exclusively because Tor
> process is run via 'least-authority-wrapper' and cannot have access
> to transport plugin, which is a separate executable (Bug#70302,
> Bug#70332).
I can confirm that the tor service is unable to fork-exec a
pluggable-transport and the bootstrap process is halted at its start
when trying to use a system wide bridge + PT. However, this patch
does not seem to address the issue at hand, since it just creates
new tor-service-type configuration options that accomplish the
same as configuring on config-file directly. Have you had success
with this? I had no luck.
More comments below.
> * doc/guix.texi (Networking Services): Document 'transport-plugin' and
> 'pluggable-transport' options for 'tor-configuration'.
> * gnu/services/networking.scm: Export 'tor-configuration-transport-plugin-path',
> 'tor-configuration-pluggable-transport'.
> (<tor-configuration>): Add 'transport-plugin' and 'pluggable-transport'
> fields.
> (tor-configuration->torrc)[transport-plugin]: Add content to 'torrc'
> computed-file.
> (tor-shepherd-service)[transport-plugin]: Add file-system-mapping.
>
> Change-Id: I64e7632729287ea0ab27818bb7322fddae43de48
> ---
> doc/guix.texi | 11 ++++++++
> gnu/services/networking.scm | 54 ++++++++++++++++++++++++++-----------
> 2 files changed, 49 insertions(+), 16 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 65af136e61..eb0837860e 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -127,6 +127,7 @@
> Copyright @copyright{} 2024 Herman Rimm@*
> Copyright @copyright{} 2024 Matthew Trzcinski@*
> Copyright @copyright{} 2024 Richard Sent@*
> +Copyright @copyright{} 2024 Nigko Yerden@*
>
> Permission is granted to copy, distribute and/or modify this document
> under the terms of the GNU Free Documentation License, Version 1.3 or
> @@ -21849,6 +21850,16 @@ Networking Services
> @file{/var/run/tor/control-sock}, which will be made writable by members of the
> @code{tor} group.
>
> +@item @code{transport-plugin} (default: @code{#f})
> +This must be either @code{#f} or a ``file-like'' object pointing to the
> +pluggable transport plugin executable. In the latter case the
> +@code{#:config-file} file should contain line(s) configuring
> +one or more bridges.
> +
> +@item @code{pluggable-transport} (default: @code{"obfs4"})
> +A string that specifies the type of the pluggable transport in
> +case @code{#:transport-plugin} is not @code{#f}.
> +
> @end table
> @end deftp
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 8e64e529ab..6e535ea8ef 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm
> @@ -22,6 +22,7 @@
> ;;; Copyright © 2023 Declan Tsien <declantsien@riseup.net>
> ;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
> ;;; Copyright © 2023 muradm <mail@muradm.net>
> +;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -159,6 +160,8 @@ (define-module (gnu services networking)
> tor-configuration-hidden-services
> tor-configuration-socks-socket-type
> tor-configuration-control-socket-path
> + tor-configuration-transport-plugin-path
> + tor-configuration-pluggable-transport
> tor-onion-service-configuration
> tor-onion-service-configuration?
> tor-onion-service-configuration-name
> @@ -955,7 +958,11 @@ (define-record-type* <tor-configuration>
> (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
> (default 'tcp))
> (control-socket? tor-configuration-control-socket-path
> - (default #f)))
> + (default #f))
> + (transport-plugin tor-configuration-transport-plugin-path
> + (default #f))
> + (pluggable-transport tor-configuration-pluggable-transport
> + (default "obfs4")))
>
> (define %tor-accounts
> ;; User account and groups for Tor.
> @@ -988,7 +995,8 @@ (define-configuration/no-serialization tor-onion-service-configuration
> (define (tor-configuration->torrc config)
> "Return a 'torrc' file for CONFIG."
> (match-record config <tor-configuration>
> - (tor config-file hidden-services socks-socket-type control-socket?)
> + (tor config-file hidden-services socks-socket-type control-socket?
> + transport-plugin pluggable-transport)
> (computed-file
> "torrc"
> (with-imported-modules '((guix build utils))
> @@ -1027,6 +1035,13 @@ (define (tor-configuration->torrc config)
> (cons name mapping)))
> hidden-services))
>
> + (when #$transport-plugin
> + (format port "\
> +UseBridges 1
> +ClientTransportPlugin ~a exec ~a~%"
> + #$pluggable-transport
> + #$transport-plugin))
> +
> (display "\
> ### End of automatically generated lines.\n\n" port)
Even if it had succeeded though, I'm not sure if this is the best
approach to it, since it would break guix system configuration, right?
How would one know beforehand which binary to point to? One would first
need to install the PT and look up its path in the store and then link to
it in a new configuration. And then this link would have to be manually
updated. Am I missing something here?
Finally, next time, try to keep the issue to a single thread. I'm
replying to #70332 and #70302 just for reference, but let's keep to
#70341 going forward.
Cheers!
* [bug#70341] [PATCH v3] services: tor: Add support for pluggable transports.
2024-04-24 21:11 ` bug#70302: " André Batista
@ 2024-04-25 6:08 ` Nigko Yerden
2024-04-30 9:13 ` Nigko Yerden
0 siblings, 1 reply; 18+ messages in thread
From: Nigko Yerden @ 2024-04-25 6:08 UTC (permalink / raw)
To: André Batista; +Cc: 70341
Hi André,
Thank you for the feedback!
> I can confirm that the tor service is unable to fork-exec a
> pluggable-transport and the bootstrap process is halted at its start
> when trying to use a system wide bridge + PT. However, this patch
> does not seem to address the issue at hand, since it just creates new
> tor-service-type configuration options that accomplish the same as
> configuring on config-file directly. Have you had success with this?
> I had no luck.
Yes, I have! This patch not only creates new tor-service-type
configuration options but, which is crucial, adds the pluggable transport
(PT) executable, if provided, to the #:mappings argument of the
least-authority-wrapper, see the 'tor-shepherd-service' chunk. With this
patch the Tor process gets access to the PT plugin and, if bridges are
configured via the config-file field, Tor starts using obfuscated traffic.
> Even if it had succeeded though, I'm not sure if this is the best
> approach to it, since it would break guix system configuration,
> right?
No, the patch does not break any existing tor-service-type
configuration. If PT is not used, 'transport-plugin' defaults to '#f',
and the Tor works exactly as if there wasn't any patch at all.
> How would one know beforehand which binary to point to? One would
> first need to install the PT and look up its path in the store and then
> link to it in a new configuration. And then this link would have to
> be manually updated. Am I missing something here?
There is a much simpler and more convenient way of doing this. If users want to
bring a PT into action, they may simply write
(service tor-service-type
         (tor-configuration
          (config-file (plain-file "torrc" ".... Bridge obfs4 ..."))
          (transport-plugin (file-append PT-PACKAGE "/bin/name-of-executable"))))
The PT-PACKAGE does not even have to be present in the list of
'operating-system 'packages field, since Guix will find the reference to
PT-package and install it automatically. The only thing which should be
known beforehand is the "name-of-executable".
For
'go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
package it is "lyrebird", while for
'go-github-com-operatorfoundation-obfs4 it is "obfs4proxy". It is
unlikely that these names will change with upgrades.
> Finally, next time, try to keep the issue to a single thread. I'm
> replying to #70332 and #70302 just for reference, but let's keep to
> #70341 going forward.
Sorry about that! I have tried not to create new bug issue but was
unsuccessful. Perhaps I shouldn't have touched the email heading.
Regards,
Nigko
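The interplay between the lines the service generates and the operator's config-file, discussed in the exchange above, as an added example that is not part of the patch or of Guix: a Python model of what tor-configuration->torrc writes for a plugin, extended to the server role that the v4 series documents, with the checks the Scheme code leaves out. The role and the transport name are validated so that a stray value cannot smuggle extra torrc directives into the generated part, and a warning is produced when the config-file text repeats a directive the service already wrote. The transport-name regex, the store path and the bridge line are assumptions and constructed placeholders.

```python
import re

# Assumed shape of a transport name: a single identifier such as obfs4,
# meek_lite or snowflake.  Anything else (spaces, newlines) would break the
# "ClientTransportPlugin <name> exec <path>" line or add directives of its own.
_TRANSPORT = re.compile(r"^[A-Za-z0-9_]+$")
_GENERATED_END = "### End of automatically generated lines."


def transport_lines(role, protocol, path):
    """torrc directives for one plugin.  ROLE is 'client' or 'server', PROTOCOL
    the transport name, PATH the plugin executable (a concrete path here; in the
    service it is a file-like object resolved at build time)."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server', got %r" % (role,))
    if not _TRANSPORT.match(protocol):
        raise ValueError("transport name must be a single token, got %r" % (protocol,))
    if not path or any(c.isspace() for c in path):
        raise ValueError("plugin path must be non-empty and contain no whitespace")
    if role == "client":
        # Client side: the plugin talks to bridges, so bridge mode is required.
        return ["UseBridges 1", "ClientTransportPlugin %s exec %s" % (protocol, path)]
    # Server side (running a bridge): no UseBridges, the plugin listens instead.
    return ["ServerTransportPlugin %s exec %s" % (protocol, path)]


def render_torrc(plugins, user_config):
    """Generated lines first, then the operator's config-file text, mirroring
    the order the service writes them.  Returns (text, warnings); one warning
    per directive that the operator's text sets although it was generated."""
    generated = [line for plugin in plugins for line in transport_lines(*plugin)]
    generated_keys = {line.split()[0] for line in generated}
    warnings = []
    for raw in user_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split(None, 1)[0]
        if key in generated_keys:
            warnings.append("'%s' is set both by the service and in config-file" % key)
    text = "\n".join(generated + [_GENERATED_END, "", user_config.rstrip("\n"), ""])
    return text, warnings


if __name__ == "__main__":
    # Constructed operator config: a bridge line with placeholder fingerprint
    # and cert, plus a UseBridges line that duplicates the generated one.
    operator = ("UseBridges 1\n"
                "Bridge obfs4 192.0.2.1:443 FINGERPRINT cert=... iat-mode=0\n")
    text, warnings = render_torrc(
        [("client", "obfs4", "/gnu/store/HASH-lyrebird/bin/lyrebird")], operator)
    print(text)
    for w in warnings:
        print("warning:", w)
```

The warning is the practical payoff: the v2/v3 manual text tells operators to configure bridges in config-file, and the most natural thing to paste there is a block starting with `UseBridges 1`, which the service has already emitted a few lines earlier.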
* [bug#70341] [PATCH v3] services: tor: Add support for pluggable transports.
2024-04-25 6:08 ` Nigko Yerden
@ 2024-04-30 9:13 ` Nigko Yerden
0 siblings, 0 replies; 18+ messages in thread
From: Nigko Yerden @ 2024-04-30 9:13 UTC (permalink / raw)
To: André Batista; +Cc: 70341
Hi André,
Here is some additional information about the patched tor-service-type
which reveals:
1) Why it can fail if not properly configured.
2) Its internal workings which I find kind of cool.
First, it is not necessary to use the PT plugin from a ready-to-go Guix
package. It is possible to download the PT plugin source code and compile it
directly, say, somewhere in the $HOME folder. The corresponding
configuration may look like this
(service tor-service-type
         (tor-configuration
          (config-file (plain-file "torrc" ".... Bridge obfs4 ..."))
          (transport-plugin
           (local-file "/home/..../lyrebird"
                       #:recursive? #t))))
But this will not necessarily work. The reason why it can fail is somewhat
interesting. As we know, the tor process, thanks to the
'least-authority-wrapper', is run inside a container, which, in
particular, means it has a very limited view of the file system. But
the PT plugin executable is dynamically linked by default, and its
dependency libraries are inaccessible from within the container. However, if
the PT plugin is linked statically, the configuration above will work.
Similarly, if the PT plugin is specified as a direct string path to the
store item like this
(transport-plugin "/gnu/store/..../bin/lyrebird")
it may not work for the same reason.
However, if a file-like object is used instead like this
(transport-plugin (file-append PT-PACKAGE "/bin/lyrebird"))
all the dependencies of PT-PACKAGE are added automatically to the list
of allowed paths inside the container (this is provided by the call to
'references-file' from inside the 'least-authority-wrapper' procedure). To
me this means that the suggested patch fits very well with the guix'y
way of doing things.
Regards,
Nigko
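The failure mode described in the message above (a dynamically linked plugin whose interpreter and libraries sit outside the least-authority container) can be checked before a reconfigure. The following is an added example, not code from the patch or from Guix: a small Python ELF reader that pulls the PT_INTERP path and the DT_NEEDED and DT_RUNPATH entries out of a plugin binary, and reports which of those paths lie under none of the file-system mappings the container will have. Guix-built binaries find their libraries through RUNPATH entries pointing into /gnu/store, which is why mapping the executable alone is not enough. The ELF image, the store paths (HASH is a placeholder) and the mapping lists are constructed; `build_sample_elf` exists only so the example runs offline, and on a real system you would pass `open(path, "rb").read()` of the plugin instead.

```python
import struct

# ELF constants used below (System V ABI / elf.h)
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29


def elf_dynamic_deps(data):
    """Describe what the dynamic loader needs to start a little-endian ELF64
    image: the PT_INTERP path, the DT_NEEDED sonames and the RPATH/RUNPATH
    search directories.  A statically linked binary has none of these and
    yields {"interp": None, "needed": [], "runpath": []}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, interp, dynamic = [], None, None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_INTERP:
            interp = data[p_off:p_off + p_filesz].split(b"\0", 1)[0].decode()
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    info = {"interp": interp, "needed": [], "runpath": []}
    if dynamic is None:
        return info

    def to_offset(vaddr):  # virtual address -> file offset via the PT_LOAD map
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("address %#x is not backed by any PT_LOAD" % vaddr)

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode()

    needed, runpath, strtab = [], [], None
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, 16):  # Elf64_Dyn is 16 bytes
        tag, val = struct.unpack_from("<qQ", data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag in (DT_RPATH, DT_RUNPATH):
            runpath.append(val)
        elif tag == DT_STRTAB:
            strtab = val
    if strtab is None:
        raise ValueError("PT_DYNAMIC without DT_STRTAB")
    base = to_offset(strtab)
    info["needed"] = [cstring(base + n) for n in needed]
    for r in runpath:
        info["runpath"].extend(d for d in cstring(base + r).split(":") if d)
    return info


def unreachable_paths(info, mapped):
    """Loader paths (interpreter and RUNPATH directories) that lie under none
    of the paths MAPPED into the least-authority container."""
    def visible(path):
        return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mapped)
    wanted = ([info["interp"]] if info["interp"] else []) + info["runpath"]
    return [p for p in wanted if not visible(p)]


def build_sample_elf(interp=None, needed=(), runpath="", base=0x400000):
    """Constructed minimal ELF64 image for this demo, not a real plugin: one
    PT_LOAD covering the file and, unless INTERP is None (static binary),
    a PT_INTERP plus a PT_DYNAMIC holding DT_NEEDED/DT_RUNPATH/DT_STRTAB."""
    static = interp is None
    phnum, ph_off = (1 if static else 3), 64
    body_off = ph_off + phnum * 56
    interp_b = b"" if static else interp.encode() + b"\0"
    strtab_off = body_off + len(interp_b)
    strtab, offsets = b"\0", {}
    for s in list(needed) + [runpath]:
        offsets[s] = len(strtab)
        strtab += s.encode() + b"\0"
    dyn_off = strtab_off + len(strtab)
    dyn_off += (-dyn_off) % 8
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, offsets[s]) for s in needed)
    dyn += struct.pack("<qQ", DT_RUNPATH, offsets[runpath])
    dyn += struct.pack("<qQ", DT_STRTAB, base + strtab_off)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, ph_off, 0, 0,
                      64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    if not static:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, body_off, base + body_off,
                             base + body_off, len(interp_b), len(interp_b), 1)
        phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                             base + dyn_off, len(dyn), len(dyn), 8)
    image = hdr + phdrs + interp_b + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn


if __name__ == "__main__":
    # Placeholder store paths (HASH stands in for a real store hash).
    glibc, go_libs = "/gnu/store/HASH-glibc", "/gnu/store/HASH-go-libs"
    plugin = "/gnu/store/HASH-lyrebird"
    image = build_sample_elf(glibc + "/lib/ld-linux-x86-64.so.2",
                             ["libc.so.6", "libpthread.so.0"],
                             glibc + "/lib:" + go_libs + "/lib")
    info = elf_dynamic_deps(image)
    print(unreachable_paths(info, [plugin + "/bin/lyrebird"]))  # executable only
    print(unreachable_paths(info, [plugin, glibc, go_libs]))      # package closure
    print(unreachable_paths(elf_dynamic_deps(build_sample_elf()), []))  # static
```

Run as a script it prints three lists: with only the executable mapped (the local-file or bare-string case) the interpreter and both RUNPATH directories are unreachable; with the package closure mapped (the file-append case, where the wrapper maps the package's references) nothing is missing; and a statically linked image needs nothing at all, which is why the statically linked build in the message above works.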
* [bug#70341] [PATCH v4] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
2024-04-20 14:43 ` [bug#70341] [PATCH v2] services: tor: Add support for pluggable transports Nigko Yerden
2024-04-22 3:58 ` [bug#70341] [PATCH v3] " Nigko Yerden
@ 2024-05-10 8:32 ` Nigko Yerden
2024-05-23 21:49 ` André Batista
2024-05-31 5:43 ` [bug#70341] [PATCH v5] " Nigko Yerden
` (4 subsequent siblings)
7 siblings, 1 reply; 18+ messages in thread
From: Nigko Yerden @ 2024-05-10 8:32 UTC (permalink / raw)
To: 70341; +Cc: Nigko Yerden, Florian Pelz, Ludovic Courtès
Pluggable transports are programs that disguise Tor traffic, which
can be useful in case Tor is censored. Pluggable transports
cannot be configured by the #:config-file file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug#70302,
Bug#70332).
Example configuration snippet to be appended to the
operating-system services
(see https://bridges.torproject.org/ to get
full bridge lines):
(service tor-service-type
         (tor-configuration
          (config-file (plain-file "torrc"
                                   "\
UseBridges 1
Bridge obfs4 ...
Bridge obfs4 ..."))
          (transport-plugins
           (list (tor-transport-plugin
                  (path-to-binary
                   (file-append
                    go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
                    "/bin/lyrebird")))))))
* doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
data type and 'transport-plugins' option for 'tor-configuration'.
* gnu/services/networking.scm: Export
'tor-configuration-transport-plugins', 'tor-transport-plugin',
'tor-transport-plugin?', 'tor-transport-plugin-role',
'tor-transport-plugin-protocol', and 'tor-transport-plugin-path'.
(<tor-configuration>): Add 'transport-plugins' field.
(<tor-transport-plugin>): New variable.
(tor-configuration->torrc): Add content to 'torrc' computed-file.
(tor-shepherd-service): Add file-system-mapping(s).
Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
---
doc/guix.texi | 48 +++++++++++++++++++++++
gnu/services/networking.scm | 76 +++++++++++++++++++++++++++++--------
2 files changed, 108 insertions(+), 16 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 1c1e0164e7..ae9bd7e290 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -127,6 +127,7 @@
Copyright @copyright{} 2024 Herman Rimm@*
Copyright @copyright{} 2024 Matthew Trzcinski@*
Copyright @copyright{} 2024 Richard Sent@*
+Copyright @copyright{} 2024 Nigko Yerden@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -21877,6 +21878,13 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugins} (default: @code{'()})
+The list of @code{<tor-transport-plugin>} records to use.
+For any transport plugin you include in this list, appropriate
+configuration line to enable transport plugin will be automatically
+added to the default configuration file.
+
+
@end table
@end deftp
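Review bot: the `transport-plugins` entry ends with two blank `+` lines where the other items use one, and "appropriate configuration line to enable transport plugin will be automatically added" is missing its articles. Suggested wording: "For each transport plugin in this list, the configuration line enabling it is added automatically to the default configuration file."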
@@ -21905,6 +21913,46 @@ Networking Services
@end table
@end deftp
+@cindex pluggable transports, tor
+@deftp {Data Type} tor-transport-plugin
+Data type representing a Tor pluggable transport plugin in
+@code{tor-configuration}. Plagguble transports are programs
+that disguise Tor traffic, which can be useful in case Tor is
+censored. See the the Tor project's
+@url{https://tb-manual.torproject.org/circumvention/,
+documentation} and
+@url{https://spec.torproject.org/pt-spec/index.html,
+specification} for more information.
+
+Each transport plugin corresponds either to
+``ClientTransportPlugin ...'' or to
+``ServerTransportPlugin ...'' line in the default
+configuration file, see the @code{man tor}.
+Available @code{tor-transport-plugin} fields are:
+
+@table @asis
+@item @code{role} (default: @code{'client})
+This must be either @code{'client} or @code{'server}. Otherwise,
+an error is raised. Set the @code{'server} value if you want to
+run a bridge to help censored users connect to the Tor network, see
+@url{https://community.torproject.org/relay/setup/bridge/,
+the Tor project's brige guide}. Set the @code{'client} value
+if you want to connect to somebody else's bridge, see
+@url{https://bridges.torproject.org/, the Tor project's
+``Get Bridges'' page}. In both cases the required
+additional configuration should be provided via
+@code{#:config-file} option of @code{tor-configuration}.
+@item @code{protocol} (default: @code{"obfs4"})
+A string that specifies a pluggable transport protocol.
+@item @code{path-to-binary}
+This must be a ``file-like'' object or a string
+pointing to the pluggable transport plugin executable.
+This option allows the Tor daemon run inside the container
+to access the executable and all the references
+(e.g. package dependencies) attached to it.
+@end table
+@end deftp
+
The @code{(gnu services rsync)} module provides the following services:
You might want an rsync daemon if you have files that you want available
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 8e64e529ab..cb1749ffe6 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -22,6 +22,7 @@
;;; Copyright © 2023 Declan Tsien <declantsien@riseup.net>
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
;;; Copyright © 2023 muradm <mail@muradm.net>
+;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -159,10 +160,16 @@ (define-module (gnu services networking)
tor-configuration-hidden-services
tor-configuration-socks-socket-type
tor-configuration-control-socket-path
+ tor-configuration-transport-plugins
tor-onion-service-configuration
tor-onion-service-configuration?
tor-onion-service-configuration-name
tor-onion-service-configuration-mapping
+ tor-transport-plugin
+ tor-transport-plugin?
+ tor-transport-plugin-role
+ tor-transport-plugin-protocol
+ tor-transport-plugin-path
tor-hidden-service ; deprecated
tor-service-type
@@ -955,7 +962,9 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugins tor-configuration-transport-plugins
+ (default '())))
(define %tor-accounts
;; User account and groups for Tor.
@@ -985,10 +994,24 @@ (define-configuration/no-serialization tor-onion-service-configuration
@end lisp
maps ports 22 and 80 of the Onion Service to the local ports 22 and 8080."))
+(define-record-type* <tor-transport-plugin>
+ tor-transport-plugin make-tor-transport-plugin
+ tor-transport-plugin?
+ (role tor-transport-plugin-role
+ (default 'client)
+ (sanitize (lambda (value)
+ (if (memq value '(client server))
+ value
+ (configuration-field-error #f 'role value)))))
+ (protocol tor-transport-plugin-protocol
+ (default "obfs4"))
+ (path-to-binary tor-transport-plugin-path))
+
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugins)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -1027,6 +1050,20 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (for-each (match-lambda
+ ((role-string protocol path)
+ (format port "\
+~aTransportPlugin ~a exec ~a~%"
+ role-string protocol path)))
+ '#$(map (match-lambda
+ (($ <tor-transport-plugin> role protocol path)
+ (list (if (eq? role 'client)
+ "Client"
+ "Server")
+ protocol
+ path)))
+ transport-plugins))
+
(display "\
### End of automatically generated lines.\n\n" port)
@@ -1039,23 +1076,30 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugins (tor-configuration-transport-plugins config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (map (lambda (plugin)
+ (file-system-mapping
+ (source (tor-transport-plugin-path plugin))
+ (target source)))
+ transport-plugins))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
base-commit: 360fea15cb25d0cdf55ec55488956257a0219fe4
--
2.41.0
* [bug#70341] [PATCH v4] services: tor: Add support for pluggable transports.
2024-05-10 8:32 ` [bug#70341] [PATCH v4] " Nigko Yerden
@ 2024-05-23 21:49 ` André Batista
From: André Batista @ 2024-05-23 21:49 UTC
To: Nigko Yerden; +Cc: 70341
Hi Nigko,
I'm sorry for the delay. I can confirm that this patch works as
described and the instructions are clear and provide enough
information to set up a proper configuration.
Maybe my shortcoming regarding '#:mappings' gave you room for
improvement :)
There was only one typo that I should mention:
Fri 10 May 2024 at 13:32:02 (1715358722), nigko.yerden@gmail.com wrote:
> (...)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 1c1e0164e7..ae9bd7e290 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
>
> (...)
>
> @@ -21905,6 +21913,46 @@ Networking Services
> @end table
> @end deftp
>
> +@cindex pluggable transports, tor
> +@deftp {Data Type} tor-transport-plugin
> +Data type representing a Tor pluggable transport plugin in
> +@code{tor-configuration}. Plagguble transports are programs
You've exchanged 'a' for 'u' here ^ when typing Pluggable.
Other than that, all seems good to me and I find it to be a nice
little touch to Guix.
Let's wait for a maintainer to pick it up.
Cheers!
* [bug#70341] [PATCH v5] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
2024-05-10 8:32 ` [bug#70341] [PATCH v4] " Nigko Yerden
@ 2024-05-31 5:43 ` Nigko Yerden
2024-07-11 13:27 ` [bug#70341] [PATCH v6] " Nigko Yerden
From: Nigko Yerden @ 2024-05-31 5:43 UTC
To: 70341
Cc: Nigko Yerden, Florian Pelz, Ludovic Courtès,
Matthew Trzcinski, Maxim Cournoyer
Pluggable transports are programs that disguise Tor traffic, which
can be useful in case Tor is censored. Pluggable transports
cannot be configured via #:config-file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug#70302,
Bug#70332).
Example configuration snippet to be appended to the
operating-system services
(see https://bridges.torproject.org/ to get
full bridge lines):
(service tor-service-type
         (tor-configuration
          (config-file (plain-file "torrc"
                                   "\
UseBridges 1
Bridge obfs4 ...
Bridge obfs4 ..."))
          (transport-plugins
           (list (tor-transport-plugin
                  (path-to-binary
                   (file-append
                    go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
                    "/bin/lyrebird")))))))
* doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
data type and 'transport-plugins' option for 'tor-configuration'.
* gnu/services/networking.scm: Export
'tor-configuration-transport-plugins', 'tor-transport-plugin',
'tor-transport-plugin?', 'tor-transport-plugin-role',
'tor-transport-plugin-protocol', and 'tor-transport-plugin-path'.
(<tor-configuration>): Add 'transport-plugins' field.
(<tor-transport-plugin>): New variable.
(tor-configuration->torrc): Add content to 'torrc' computed-file.
(tor-shepherd-service): Add file-system-mapping(s).
Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
---
doc/guix.texi | 48 +++++++++++++++++++++++
gnu/services/networking.scm | 76 +++++++++++++++++++++++++++++--------
2 files changed, 108 insertions(+), 16 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 1224104038..b997e6d4d7 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -128,6 +128,7 @@
Copyright @copyright{} 2024 Matthew Trzcinski@*
Copyright @copyright{} 2024 Richard Sent@*
Copyright @copyright{} 2024 Dariqq@*
+Copyright @copyright{} 2024 Nigko Yerden@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -21960,6 +21961,13 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugins} (default: @code{'()})
+The list of @code{<tor-transport-plugin>} records to use.
+For any transport plugin you include in this list, appropriate
+configuration line to enable transport plugin will be automatically
+added to the default configuration file.
+
+
@end table
@end deftp
@@ -21988,6 +21996,46 @@ Networking Services
@end table
@end deftp
+@cindex pluggable transports, tor
+@deftp {Data Type} tor-transport-plugin
+Data type representing a Tor pluggable transport plugin in
+@code{tor-configuration}. Plugguble transports are programs
+that disguise Tor traffic, which can be useful in case Tor is
+censored. See the the Tor project's
+@url{https://tb-manual.torproject.org/circumvention/,
+documentation} and
+@url{https://spec.torproject.org/pt-spec/index.html,
+specification} for more information.
+
+Each transport plugin corresponds either to
+``ClientTransportPlugin ...'' or to
+``ServerTransportPlugin ...'' line in the default
+configuration file, see the @code{man tor}.
+Available @code{tor-transport-plugin} fields are:
+
+@table @asis
+@item @code{role} (default: @code{'client})
+This must be either @code{'client} or @code{'server}. Otherwise,
+an error is raised. Set the @code{'server} value if you want to
+run a bridge to help censored users connect to the Tor network, see
+@url{https://community.torproject.org/relay/setup/bridge/,
+the Tor project's brige guide}. Set the @code{'client} value
+if you want to connect to somebody else's bridge, see
+@url{https://bridges.torproject.org/, the Tor project's
+``Get Bridges'' page}. In both cases the required
+additional configuration should be provided via
+@code{#:config-file} option of @code{tor-configuration}.
+@item @code{protocol} (default: @code{"obfs4"})
+A string that specifies a pluggable transport protocol.
+@item @code{path-to-binary}
+This must be a ``file-like'' object or a string
+pointing to the pluggable transport plugin executable.
+This option allows the Tor daemon run inside the container
+to access the executable and all the references
+(e.g. package dependencies) attached to it.
+@end table
+@end deftp
+
The @code{(gnu services rsync)} module provides the following services:
You might want an rsync daemon if you have files that you want available
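Review bot: the one typo André flagged on v4 is still here, only in a new spelling: "Plugguble" on the deftp description line should read "Pluggable". While touching this hunk, "See the the Tor project's" has a doubled "the" and "brige guide" should be "bridge guide".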
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 8e64e529ab..cb1749ffe6 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -22,6 +22,7 @@
;;; Copyright © 2023 Declan Tsien <declantsien@riseup.net>
;;; Copyright © 2023 Bruno Victal <mirai@makinata.eu>
;;; Copyright © 2023 muradm <mail@muradm.net>
+;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -159,10 +160,16 @@ (define-module (gnu services networking)
tor-configuration-hidden-services
tor-configuration-socks-socket-type
tor-configuration-control-socket-path
+ tor-configuration-transport-plugins
tor-onion-service-configuration
tor-onion-service-configuration?
tor-onion-service-configuration-name
tor-onion-service-configuration-mapping
+ tor-transport-plugin
+ tor-transport-plugin?
+ tor-transport-plugin-role
+ tor-transport-plugin-protocol
+ tor-transport-plugin-path
tor-hidden-service ; deprecated
tor-service-type
@@ -955,7 +962,9 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugins tor-configuration-transport-plugins
+ (default '())))
(define %tor-accounts
;; User account and groups for Tor.
@@ -985,10 +994,24 @@ (define-configuration/no-serialization tor-onion-service-configuration
@end lisp
maps ports 22 and 80 of the Onion Service to the local ports 22 and 8080."))
+(define-record-type* <tor-transport-plugin>
+ tor-transport-plugin make-tor-transport-plugin
+ tor-transport-plugin?
+ (role tor-transport-plugin-role
+ (default 'client)
+ (sanitize (lambda (value)
+ (if (memq value '(client server))
+ value
+ (configuration-field-error #f 'role value)))))
+ (protocol tor-transport-plugin-protocol
+ (default "obfs4"))
+ (path-to-binary tor-transport-plugin-path))
+
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugins)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -1027,6 +1050,20 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (for-each (match-lambda
+ ((role-string protocol path)
+ (format port "\
+~aTransportPlugin ~a exec ~a~%"
+ role-string protocol path)))
+ '#$(map (match-lambda
+ (($ <tor-transport-plugin> role protocol path)
+ (list (if (eq? role 'client)
+ "Client"
+ "Server")
+ protocol
+ path)))
+ transport-plugins))
+
(display "\
### End of automatically generated lines.\n\n" port)
@@ -1039,23 +1076,30 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugins (tor-configuration-transport-plugins config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (map (lambda (plugin)
+ (file-system-mapping
+ (source (tor-transport-plugin-path plugin))
+ (target source)))
+ transport-plugins))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
base-commit: 8144c587f89641d5976d5b3832297d391d489fbd
--
2.41.0
* [bug#70341] [PATCH v6] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
2024-05-31 5:43 ` [bug#70341] [PATCH v5] " Nigko Yerden
@ 2024-07-11 13:27 ` Nigko Yerden
2024-08-09 9:15 ` [bug#70341] [PATCH v7] " Nigko Yerden
From: Nigko Yerden @ 2024-07-11 13:27 UTC
To: 70341
Cc: Nigko Yerden, Florian Pelz, Ludovic Courtès,
Matthew Trzcinski, Maxim Cournoyer
Pluggable transports are programs that disguise Tor traffic, which
can be useful in case Tor is censored. Pluggable transports
cannot be configured via #:config-file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug#70302,
Bug#70332).
Example configuration snippet to be appended to the
operating-system services
(see https://bridges.torproject.org/ to get
full bridge lines):
(service tor-service-type
         (tor-configuration
          (config-file (plain-file "torrc"
                                   "\
UseBridges 1
Bridge obfs4 ...
Bridge obfs4 ..."))
          (transport-plugins
           (list (tor-transport-plugin
                  (path-to-binary
                   (file-append
                    go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
                    "/bin/lyrebird")))))))
* doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
data type and 'transport-plugins' option for 'tor-configuration'.
* gnu/services/networking.scm: Export
'tor-configuration-transport-plugins', 'tor-transport-plugin',
'tor-transport-plugin?', 'tor-transport-plugin-role',
'tor-transport-plugin-protocol', and 'tor-transport-plugin-path'.
(<tor-configuration>): Add 'transport-plugins' field.
(<tor-transport-plugin>): New variable.
(tor-configuration->torrc): Add content to 'torrc' computed-file.
(tor-shepherd-service): Add file-system-mapping(s).
Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
---
Just rebasing.
doc/guix.texi | 47 +++++++++++++++++++++++++
gnu/services/networking.scm | 69 ++++++++++++++++++++++++++++++-------
2 files changed, 103 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 5b77c84b4a..ccaab5985c 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -22006,6 +22006,13 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugins} (default: @code{'()})
+The list of @code{<tor-transport-plugin>} records to use.
+For any transport plugin you include in this list, appropriate
+configuration line to enable transport plugin will be automatically
+added to the default configuration file.
+
+
@end table
@end deftp
@@ -22034,6 +22041,46 @@ Networking Services
@end table
@end deftp
+@cindex pluggable transports, tor
+@deftp {Data Type} tor-transport-plugin
+Data type representing a Tor pluggable transport plugin in
+@code{tor-configuration}. Plugguble transports are programs
+that disguise Tor traffic, which can be useful in case Tor is
+censored. See the the Tor project's
+@url{https://tb-manual.torproject.org/circumvention/,
+documentation} and
+@url{https://spec.torproject.org/pt-spec/index.html,
+specification} for more information.
+
+Each transport plugin corresponds either to
+``ClientTransportPlugin ...'' or to
+``ServerTransportPlugin ...'' line in the default
+configuration file, see the @code{man tor}.
+Available @code{tor-transport-plugin} fields are:
+
+@table @asis
+@item @code{role} (default: @code{'client})
+This must be either @code{'client} or @code{'server}. Otherwise,
+an error is raised. Set the @code{'server} value if you want to
+run a bridge to help censored users connect to the Tor network, see
+@url{https://community.torproject.org/relay/setup/bridge/,
+the Tor project's brige guide}. Set the @code{'client} value
+if you want to connect to somebody else's bridge, see
+@url{https://bridges.torproject.org/, the Tor project's
+``Get Bridges'' page}. In both cases the required
+additional configuration should be provided via
+@code{#:config-file} option of @code{tor-configuration}.
+@item @code{protocol} (default: @code{"obfs4"})
+A string that specifies a pluggable transport protocol.
+@item @code{path-to-binary}
+This must be a ``file-like'' object or a string
+pointing to the pluggable transport plugin executable.
+This option allows the Tor daemon run inside the container
+to access the executable and all the references
+(e.g. package dependencies) attached to it.
+@end table
+@end deftp
+
The @code{(gnu services rsync)} module provides the following services:
You might want an rsync daemon if you have files that you want available
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 12d8934e43..4b1b164845 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -160,10 +160,16 @@ (define-module (gnu services networking)
tor-configuration-hidden-services
tor-configuration-socks-socket-type
tor-configuration-control-socket-path
+ tor-configuration-transport-plugins
tor-onion-service-configuration
tor-onion-service-configuration?
tor-onion-service-configuration-name
tor-onion-service-configuration-mapping
+ tor-transport-plugin
+ tor-transport-plugin?
+ tor-transport-plugin-role
+ tor-transport-plugin-protocol
+ tor-transport-plugin-path
tor-hidden-service ; deprecated
tor-service-type
@@ -966,7 +972,9 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugins tor-configuration-transport-plugins
+ (default '())))
(define %tor-accounts
;; User account and groups for Tor.
@@ -996,10 +1004,24 @@ (define-configuration/no-serialization tor-onion-service-configuration
@end lisp
maps ports 22 and 80 of the Onion Service to the local ports 22 and 8080."))
+(define-record-type* <tor-transport-plugin>
+ tor-transport-plugin make-tor-transport-plugin
+ tor-transport-plugin?
+ (role tor-transport-plugin-role
+ (default 'client)
+ (sanitize (lambda (value)
+ (if (memq value '(client server))
+ value
+ (configuration-field-error #f 'role value)))))
+ (protocol tor-transport-plugin-protocol
+ (default "obfs4"))
+ (path-to-binary tor-transport-plugin-path))
+
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugins)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -1038,6 +1060,20 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (for-each (match-lambda
+ ((role-string protocol path)
+ (format port "\
+~aTransportPlugin ~a exec ~a~%"
+ role-string protocol path)))
+ '#$(map (match-lambda
+ (($ <tor-transport-plugin> role protocol path)
+ (list (if (eq? role 'client)
+ "Client"
+ "Server")
+ protocol
+ path)))
+ transport-plugins))
+
(display "\
### End of automatically generated lines.\n\n" port)
@@ -1050,20 +1086,27 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugins (tor-configuration-transport-plugins config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (map (lambda (plugin)
+ (file-system-mapping
+ (source (tor-transport-plugin-path plugin))
+ (target source)))
+ transport-plugins))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
base-commit: af4c90dc736295b19fda88cd8652f67f138409a1
--
2.45.2
* [bug#70341] [PATCH v7] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
2024-07-11 13:27 ` [bug#70341] [PATCH v6] " Nigko Yerden
@ 2024-08-09 9:15 ` Nigko Yerden
2024-09-04 14:08 ` Ludovic Courtès
2024-09-17 13:11 ` [bug#70341] [PATCH v8] " Nigko Yerden
2024-10-06 17:39 ` [bug#70341] [PATCH v9] " Nigko Yerden
From: Nigko Yerden @ 2024-08-09 9:15 UTC
To: 70341
Cc: Nigko Yerden, Florian Pelz, Ludovic Courtès,
Matthew Trzcinski, Maxim Cournoyer
Pluggable transports are programs that disguise Tor traffic, which
can be useful in case Tor is censored. Pluggable transports
cannot be configured via #:config-file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug#70302,
Bug#70332).
Example configuration snippet to be appended to the
operating-system services
(see https://bridges.torproject.org/ to get
full bridge lines):
(service tor-service-type
         (tor-configuration
          (config-file (plain-file "torrc"
                                   "\
UseBridges 1
Bridge obfs4 ...
Bridge obfs4 ..."))
          (transport-plugins
           (list (tor-transport-plugin
                  (path-to-binary
                   (file-append
                    go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
                    "/bin/lyrebird")))))))
* doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
data type and 'transport-plugins' option for 'tor-configuration'.
* gnu/services/networking.scm: Export
'tor-configuration-transport-plugins', 'tor-transport-plugin',
'tor-transport-plugin?', 'tor-transport-plugin-role',
'tor-transport-plugin-protocol', and 'tor-transport-plugin-path'.
(<tor-configuration>): Add 'transport-plugins' field.
(<tor-transport-plugin>): New variable.
(tor-configuration->torrc): Add content to 'torrc' computed-file.
(tor-shepherd-service): Add file-system-mapping(s).
Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
---
doc/guix.texi | 47 +++++++++++++++++++++++++
gnu/services/networking.scm | 69 ++++++++++++++++++++++++++++++-------
2 files changed, 103 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index b7eb8fd346..0319003b20 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -22006,6 +22006,13 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugins} (default: @code{'()})
+The list of @code{<tor-transport-plugin>} records to use.
+For any transport plugin you include in this list, appropriate
+configuration line to enable transport plugin will be automatically
+added to the default configuration file.
+
+
@end table
@end deftp
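Review bot: the new @item tells the reader only half of what the field does. "appropriate configuration line to enable transport plugin will be automatically added" needs its articles ("an appropriate configuration line to enable the transport plugin"), and it should also say that the service bind-mounts each plugin's executable into Tor's container, since that is the part that cannot be achieved from @code{config-file} alone and the reason this field exists (the commit message says so; the manual does not). Also drop one of the two blank "+" lines before @end table; Texinfo needs only one.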
@@ -22034,6 +22041,46 @@ Networking Services
@end table
@end deftp
+@cindex pluggable transports, tor
+@deftp {Data Type} tor-transport-plugin
+Data type representing a Tor pluggable transport plugin in
+@code{tor-configuration}. Plugguble transports are programs
+that disguise Tor traffic, which can be useful in case Tor is
+censored. See the the Tor project's
+@url{https://tb-manual.torproject.org/circumvention/,
+documentation} and
+@url{https://spec.torproject.org/pt-spec/index.html,
+specification} for more information.
+
+Each transport plugin corresponds either to
+``ClientTransportPlugin ...'' or to
+``ServerTransportPlugin ...'' line in the default
+configuration file, see the @code{man tor}.
+Available @code{tor-transport-plugin} fields are:
+
+@table @asis
+@item @code{role} (default: @code{'client})
+This must be either @code{'client} or @code{'server}. Otherwise,
+an error is raised. Set the @code{'server} value if you want to
+run a bridge to help censored users connect to the Tor network, see
+@url{https://community.torproject.org/relay/setup/bridge/,
+the Tor project's brige guide}. Set the @code{'client} value
+if you want to connect to somebody else's bridge, see
+@url{https://bridges.torproject.org/, the Tor project's
+``Get Bridges'' page}. In both cases the required
+additional configuration should be provided via
+@code{#:config-file} option of @code{tor-configuration}.
+@item @code{protocol} (default: @code{"obfs4"})
+A string that specifies a pluggable transport protocol.
+@item @code{path-to-binary}
+This must be a ``file-like'' object or a string
+pointing to the pluggable transport plugin executable.
+This option allows the Tor daemon run inside the container
+to access the executable and all the references
+(e.g. package dependencies) attached to it.
+@end table
+@end deftp
+
The @code{(gnu services rsync)} module provides the following services:
You might want an rsync daemon if you have files that you want available
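Review bot: typos first: "Plugguble" on the deftp description line should be "Pluggable" (the v4 review flagged this word), "See the the" has a doubled "the", "brige guide" should be "bridge guide", and "see the @code{man tor}" reads better as "see @command{man tor}". On substance, the @code{protocol} entry should say that the string is the transport name Tor matches against the user's @code{Bridge} lines (the commit message's example pairs the default "obfs4" with "Bridge obfs4 ..."), so a bridge of a different transport type needs its own @code{tor-transport-plugin} record with a matching @code{protocol}; as written, a reader may think the default covers every bridge. It would also help to spell out, for the @code{'client} case, that the lines expected in @code{config-file} are @code{UseBridges 1} plus the @code{Bridge} lines, exactly as in the commit message, rather than leaving "the required additional configuration" unspecified.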
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 12d8934e43..4b1b164845 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -160,10 +160,16 @@ (define-module (gnu services networking)
tor-configuration-hidden-services
tor-configuration-socks-socket-type
tor-configuration-control-socket-path
+ tor-configuration-transport-plugins
tor-onion-service-configuration
tor-onion-service-configuration?
tor-onion-service-configuration-name
tor-onion-service-configuration-mapping
+ tor-transport-plugin
+ tor-transport-plugin?
+ tor-transport-plugin-role
+ tor-transport-plugin-protocol
+ tor-transport-plugin-path
tor-hidden-service ; deprecated
tor-service-type
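Review bot: the exported accessor does not match its field. The record field is path-to-binary but the accessor is tor-transport-plugin-path, while the other two follow the <type>-<field> convention (tor-transport-plugin-role, tor-transport-plugin-protocol). Either rename the field to path (the manual already calls it a path) or export tor-transport-plugin-path-to-binary; since these names are public API once merged, now is the cheap moment to settle it.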
@@ -966,7 +972,9 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugins tor-configuration-transport-plugins
+ (default '())))
(define %tor-accounts
;; User account and groups for Tor.
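Review bot: transport-plugins is accepted unchecked here, yet tor-configuration->torrc later destructures every element with ($ <tor-transport-plugin> ...), so a stray element (a bare package, a string path) only fails at build time with an opaque match error. A sanitize clause in the style of the one used for role, rejecting anything for which tor-transport-plugin? is false, gives the user an error that names the field instead.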
@@ -996,10 +1004,24 @@ (define-configuration/no-serialization tor-onion-service-configuration
@end lisp
maps ports 22 and 80 of the Onion Service to the local ports 22 and 8080."))
+(define-record-type* <tor-transport-plugin>
+ tor-transport-plugin make-tor-transport-plugin
+ tor-transport-plugin?
+ (role tor-transport-plugin-role
+ (default 'client)
+ (sanitize (lambda (value)
+ (if (memq value '(client server))
+ value
+ (configuration-field-error #f 'role value)))))
+ (protocol tor-transport-plugin-protocol
+ (default "obfs4"))
+ (path-to-binary tor-transport-plugin-path))
+
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugins)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
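Review bot: role is validated but protocol and path-to-binary are not, and both are spliced verbatim into a torrc directive by the format call in the next hunk ("~aTransportPlugin ~a exec ~a~%"). A protocol string containing whitespace or a newline ends the directive early and lets whatever follows be parsed as further torrc lines; a string path containing spaces is split by Tor into a shorter path plus plugin arguments. Add sanitizers: protocol must be a non-empty string with no whitespace (Tor does accept a comma-separated list of transport names on one line, if you want to allow that), and path-to-binary must be either a file-like object or an absolute string path without whitespace. A string that is not an absolute path should be rejected here rather than discovered when tor fails to exec it.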
@@ -1038,6 +1060,20 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (for-each (match-lambda
+ ((role-string protocol path)
+ (format port "\
+~aTransportPlugin ~a exec ~a~%"
+ role-string protocol path)))
+ '#$(map (match-lambda
+ (($ <tor-transport-plugin> role protocol path)
+ (list (if (eq? role 'client)
+ "Client"
+ "Server")
+ protocol
+ path)))
+ transport-plugins))
+
(display "\
### End of automatically generated lines.\n\n" port)
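Review bot: the positional pattern ($ <tor-transport-plugin> role protocol path) ties this code to the record's field order; a field added later before path-to-binary would silently swap protocol and path in the generated line. match-record, already used a few lines above for <tor-configuration>, names the fields; use it here as well. Two smaller points: the line is written with no quoting ("~aTransportPlugin ~a exec ~a"), so this is where any restriction on protocol and path-to-binary values pays off, and '#$(map ...) relies on gexp lowering file-like objects nested inside a quoted list into store paths, which works but deserves a one-line comment so the next reader does not have to check (guix gexp) to trust it.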
@@ -1050,20 +1086,27 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugins (tor-configuration-transport-plugins config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (map (lambda (plugin)
+ (file-system-mapping
+ (source (tor-transport-plugin-path plugin))
+ (target source)))
+ transport-plugins))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
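Review bot: the new plugin mappings are read-only, which is the right default, but `(source (tor-transport-plugin-path plugin))` may be a plain string outside the store, in which case only that one file is mapped into the wrapper's mount namespace: a dynamically linked executable in, say, /usr/local/bin would then fail to start inside the container for lack of its shared libraries. If strings remain supported, the documentation of the field should say the file must be a store item or otherwise self-contained; otherwise restrict the field to file-like objects. Minor: listing the same program for a client and a server plugin yields two identical mappings; `delete-duplicates` on the `map` result would avoid that.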
base-commit: 20dbf225f332ccc707578263ed710dcf2a8fb78e
--
2.45.2
* [bug#70341] [PATCH v7] services: tor: Add support for pluggable transports.
2024-08-09 9:15 ` [bug#70341] [PATCH v7] " Nigko Yerden
@ 2024-09-04 14:08 ` Ludovic Courtès
0 siblings, 0 replies; 18+ messages in thread
From: Ludovic Courtès @ 2024-09-04 14:08 UTC (permalink / raw)
To: Nigko Yerden; +Cc: Maxim Cournoyer, Florian Pelz, 70341, Matthew Trzcinski
Hi Nigko,
Nigko Yerden <nigko.yerden@gmail.com> skribis:
> Pluggable transports are programs that disguise Tor traffic, which
> can be useful in case Tor is censored. Pluggable transports
> cannot be configured through the #:config-file file exclusively because the Tor
> process is run via 'least-authority-wrapper' and cannot have access
> to the transport plugin, which is a separate executable (Bug#70302,
> Bug#70332).
>
> Example configuration snippet to be appended to
> operating-system services
> (see https://bridges.torproject.org/ to get
> full bridge lines):
>
> (service tor-service-type
> (tor-configuration
> (config-file (plain-file "torrc"
> "\
> UseBridges 1
> Bridge obfs4 ...
> Bridge obfs4 ..."))
> (transport-plugins
> (list (tor-transport-plugin
> (path-to-binary
> (file-append
> go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
> "/bin/lyrebird")))))))
>
> * doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
> data type and 'transport-plugins' option for 'tor-configuration'.
> * gnu/services/networking.scm: Export
> 'tor-configuration-transport-plugins', 'tor-transport-plugin',
> 'tor-transport-plugin?', 'tor-transport-plugin-role',
> 'tor-transport-plugin-protocol', and 'tor-transport-plugin-path'.
> (<tor-configuration>): Add 'transport-plugins' field.
> (<tor-transport-plugin>): New variable.
> (tor-configuration->torrc): Add content to 'torrc' computed-file.
> (tor-shepherd-service): Add file-system-mapping(s).
>
> Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
[...]
> +Each transport plugin corresponds either to
> +``ClientTransportPlugin ...'' or to
> +``ServerTransportPlugin ...'' line in the default
Maybe use @code{…} instead of quotes above.
Could you perhaps move the example from the commit log to doc/guix.texi,
enclosed in @lisp, and with one or two sentences explaining what it
does?
> +configuration file, see the @code{man tor}.
Rather: “see @command{man tor}.”
> +(define-record-type* <tor-transport-plugin>
> + tor-transport-plugin make-tor-transport-plugin
> + tor-transport-plugin?
> + (role tor-transport-plugin-role
> + (default 'client)
> + (sanitize (lambda (value)
> + (if (memq value '(client server))
> + value
> + (configuration-field-error #f 'role value)))))
> + (protocol tor-transport-plugin-protocol
> + (default "obfs4"))
> + (path-to-binary tor-transport-plugin-path))
Rather: (program tor-plugin-program)
The doc needs to be updated as well.
(By convention, in Guix and GNU, “path” refers to “search paths” like
$PATH or $PYTHONPATH; to avoid the ambiguity, we use the term “file
name” or something along these lines.)
Apart from that it looks great to me.
Could you send an updated patch?
Thanks, and apologies for the delay!
Ludo’.
* [bug#70341] [PATCH v8] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
` (5 preceding siblings ...)
2024-08-09 9:15 ` [bug#70341] [PATCH v7] " Nigko Yerden
@ 2024-09-17 13:11 ` Nigko Yerden
2024-10-06 17:39 ` [bug#70341] [PATCH v9] " Nigko Yerden
7 siblings, 0 replies; 18+ messages in thread
From: Nigko Yerden @ 2024-09-17 13:11 UTC (permalink / raw)
To: 70341
Cc: Ludovic Courtès, Nigko Yerden, Florian Pelz,
Ludovic Courtès, Maxim Cournoyer
Pluggable transports are programs that disguise Tor traffic, which
can be useful in case Tor is censored. Pluggable transports
cannot be configured through the #:config-file file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug#70302,
Bug#70332).
;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
* doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
data type and 'transport-plugins' option for 'tor-configuration'.
* gnu/services/networking.scm: Export
'tor-configuration-transport-plugins', 'tor-transport-plugin',
'tor-transport-plugin?', 'tor-plugin-role',
'tor-plugin-protocol', and 'tor-plugin-program'.
(<tor-configuration>): Add 'transport-plugins' field.
(<tor-transport-plugin>): New variable.
(tor-configuration->torrc): Add content to 'torrc' computed-file.
(tor-shepherd-service): Add file-system-mapping(s).
Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
---
Hello Ludo,
Thanks for looking at it and sorry for the delay. I have made corrections
in accordance with your suggestions:
1. Move example from commit message to doc/guix.texi.
2. Replace 'path-to-binary' field with 'program'.
3. Replace 'tor-transport-plugin-{role,protocol,path-to-binary}'
accessors with 'tor-plugin-{role,protocol,program}'.
4. Use @code{ClientTransportPlugin ...} instead of quotes and
@command{man tor} instead of @code{man tor}.
Regards,
Nigko
doc/guix.texi | 68 ++++++++++++++++++++++++++++++++++++
gnu/services/networking.scm | 69 ++++++++++++++++++++++++++++++-------
2 files changed, 124 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index bc4d306c2d..ad785f97e6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -22045,6 +22045,12 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugins} (default: @code{'()})
+The list of @code{<tor-transport-plugin>} records to use.
+For any transport plugin you include in this list, appropriate
+configuration line to enable transport plugin will be automatically
+added to the default configuration file.
+
@end table
@end deftp
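Review bot: the new `transport-plugins` entry reads awkwardly for lack of articles; suggest "For each transport plugin in this list, the appropriate configuration line enabling it is added automatically to the generated configuration file." Saying "generated" rather than "default" here also makes clear that the torrc Guix produces is meant, not Tor's built-in defaults.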
@@ -22073,6 +22079,68 @@ Networking Services
@end table
@end deftp
+@cindex pluggable transports, tor
+@deftp {Data Type} tor-transport-plugin
+Data type representing a Tor pluggable transport plugin in
+@code{tor-configuration}. Plugguble transports are programs
+that disguise Tor traffic, which can be useful in case Tor is
+censored. See the the Tor project's
+@url{https://tb-manual.torproject.org/circumvention/,
+documentation} and
+@url{https://spec.torproject.org/pt-spec/index.html,
+specification} for more information.
+
+Each transport plugin corresponds either to
+@code{ClientTransportPlugin ...} or to
+@code{ServerTransportPlugin ...} line in the default
+configuration file, see @command{man tor}.
+Available @code{tor-transport-plugin} fields are:
+
+@table @asis
+@item @code{role} (default: @code{'client})
+This must be either @code{'client} or @code{'server}. Otherwise,
+an error is raised. Set the @code{'server} value if you want to
+run a bridge to help censored users connect to the Tor network, see
+@url{https://community.torproject.org/relay/setup/bridge/,
+the Tor project's brige guide}. Set the @code{'client} value
+if you want to connect to somebody else's bridge, see
+@url{https://bridges.torproject.org/, the Tor project's
+``Get Bridges'' page}. In both cases the required
+additional configuration should be provided via
+@code{#:config-file} option of @code{tor-configuration}.
+@item @code{protocol} (default: @code{"obfs4"})
+A string that specifies a pluggable transport protocol.
+@item @code{program}
+This must be a ``file-like'' object or a string
+pointing to the pluggable transport plugin executable.
+This option allows the Tor daemon run inside the container
+to access the executable and all the references
+(e.g. package dependencies) attached to it.
+@end table
+
+Suppose you would like Tor daemon to use obfs4 type obfuscation and
+to connect to Tor network via obfs4 bridge (a nonpublic Tor relay with
+support for obfs4 type obfuscation). Then you may go to
+@url{https://bridges.torproject.org/, https://bridges.torproject.org/}
+and get there a couple of bridge lines (each starts with @code{obfs4 ...})
+and use these lines in tor-service-type configuration as follows:
+@lisp
+(service tor-service-type
+ (tor-configuration
+ (config-file (plain-file "torrc"
+ "\
+UseBridges 1
+Bridge obfs4 ...
+Bridge obfs4 ..."))
+ (transport-plugins
+ (list (tor-transport-plugin
+ (program
+ (file-append
+ go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
+ "/bin/lyrebird")))))))
+@end lisp
+@end deftp
+
The @code{(gnu services rsync)} module provides the following services:
You might want an rsync daemon if you have files that you want available
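Review bot: several typos in the new @deftp need fixing: "Plugguble" should be "Pluggable", "See the the Tor project's" should be "See the Tor project's", "brige guide" should be "bridge guide", and "the Tor daemon run inside the container" should read "running inside the container". Two additions would spare readers a round trip: the example refers to the package variable `go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird`, so the module defining it must be imported in the operating-system declaration, and the `Bridge obfs4 ...` lines are placeholders for the complete bridge lines obtained from the linked page. Finally, `program` is documented as "file-like object or a string"; one sentence on what a string must satisfy (a file name that is readable inside the container together with everything it needs) would prevent surprises.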
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 12d8934e43..5a4e3a960d 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -160,10 +160,16 @@ (define-module (gnu services networking)
tor-configuration-hidden-services
tor-configuration-socks-socket-type
tor-configuration-control-socket-path
+ tor-configuration-transport-plugins
tor-onion-service-configuration
tor-onion-service-configuration?
tor-onion-service-configuration-name
tor-onion-service-configuration-mapping
+ tor-transport-plugin
+ tor-transport-plugin?
+ tor-plugin-role
+ tor-plugin-protocol
+ tor-plugin-program
tor-hidden-service ; deprecated
tor-service-type
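Review bot: the exported accessors `tor-plugin-role`, `tor-plugin-protocol` and `tor-plugin-program` drop the "transport" part of the record name while the constructor and predicate keep it (`tor-transport-plugin`, `tor-transport-plugin?`). Guix records usually export accessors as record-name-field, so either `tor-transport-plugin-role` and friends, or a comment in the export list explaining the shortened form, would keep the public API predictable.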
@@ -966,7 +972,9 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugins tor-configuration-transport-plugins
+ (default '())))
(define %tor-accounts
;; User account and groups for Tor.
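Review bot: `transport-plugins` takes any value with no `sanitize`, so a mistake such as passing a single `tor-transport-plugin` record instead of a list of them is only caught later in `tor-configuration->torrc`, where `match-lambda` fails with a generic no-matching-pattern error. A sanitizer along the lines of `(sanitize (lambda (value) (if (and (list? value) (every tor-transport-plugin? value)) value (configuration-field-error #f 'transport-plugins value))))` reports the problem at the field where it was made, consistent with how `role` is checked in the new record.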
@@ -996,10 +1004,24 @@ (define-configuration/no-serialization tor-onion-service-configuration
@end lisp
maps ports 22 and 80 of the Onion Service to the local ports 22 and 8080."))
+(define-record-type* <tor-transport-plugin>
+ tor-transport-plugin make-tor-transport-plugin
+ tor-transport-plugin?
+ (role tor-plugin-role
+ (default 'client)
+ (sanitize (lambda (value)
+ (if (memq value '(client server))
+ value
+ (configuration-field-error #f 'role value)))))
+ (protocol tor-plugin-protocol
+ (default "obfs4"))
+ (program tor-plugin-program))
+
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugins)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
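Review bot: `role` is validated but `protocol` and `program` are not, although both are spliced verbatim into a torrc line by `tor-configuration->torrc`; a `protocol` containing whitespace or a newline silently changes the generated configuration. Suggest a `sanitize` that accepts only a non-empty string without whitespace for `protocol`, and for `program` a string or file-like object (`file-like?` from (guix gexp) covers the latter). A comment above the record saying what a transport plugin is would also match the style of the surrounding definitions.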
@@ -1038,6 +1060,20 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (for-each (match-lambda
+ ((role-string protocol program)
+ (format port "\
+~aTransportPlugin ~a exec ~a~%"
+ role-string protocol program)))
+ '#$(map (match-lambda
+ (($ <tor-transport-plugin> role protocol program)
+ (list (if (eq? role 'client)
+ "Client"
+ "Server")
+ protocol
+ program)))
+ transport-plugins))
+
(display "\
### End of automatically generated lines.\n\n" port)
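Review bot: the `format` call writes `protocol` and `program` with `~a` and no quoting, so the correctness of the generated `ClientTransportPlugin`/`ServerTransportPlugin` line rests entirely on the caller supplying whitespace-free values; a store file name does, a user-supplied string may not. Either reject such values where the record is built or say so in the manual. The `'#$(map ...)` form is the right place to do the lowering, since `program` may be a file-like object that only becomes a store file name at build time; a short comment saying so would help the next reader.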
@@ -1050,20 +1086,27 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugins (tor-configuration-transport-plugins config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (map (lambda (plugin)
+ (file-system-mapping
+ (source (tor-plugin-program plugin))
+ (target source)))
+ transport-plugins))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
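Review bot: the plugin mapping is read-only, which is the correct default, but a `program` given as a plain string outside the store gets only that one file mapped; a dynamically linked executable then cannot find its libraries inside the wrapper's mount namespace, whereas for a store item the manual text in this patch says the references are carried along. That difference belongs in the documentation of `program`, or the field should be restricted to file-like objects. Minor: listing the same program for a client and a server plugin produces two identical mappings; `delete-duplicates` on the `map` result would avoid that.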
base-commit: 8dae6b47542b906682f83b06b0478fcbd0776fd6
--
2.45.2
* [bug#70341] [PATCH v9] services: tor: Add support for pluggable transports.
2024-04-11 14:48 [bug#70341] [PATCH] gnu: Add support for pluggable transports to tor-service-type Nigko Yerden
` (6 preceding siblings ...)
2024-09-17 13:11 ` [bug#70341] [PATCH v8] " Nigko Yerden
@ 2024-10-06 17:39 ` Nigko Yerden
2024-10-14 11:41 ` bug#70341: " Ludovic Courtès
7 siblings, 1 reply; 18+ messages in thread
From: Nigko Yerden @ 2024-10-06 17:39 UTC (permalink / raw)
To: 70341; +Cc: Nigko Yerden, Florian Pelz, Ludovic Courtès, Maxim Cournoyer
Pluggable transports are programs that disguise Tor traffic, which
can be useful in case Tor is censored. Pluggable transports
cannot be configured through the #:config-file file exclusively because the Tor
process is run via 'least-authority-wrapper' and cannot have access
to the transport plugin, which is a separate executable (Bug#70302,
Bug#70332).
;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
* doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
data type and 'transport-plugins' option for 'tor-configuration'.
* gnu/services/networking.scm: Export
'tor-configuration-transport-plugins', 'tor-transport-plugin',
'tor-transport-plugin?', 'tor-plugin-role',
'tor-plugin-protocol', and 'tor-plugin-program'.
(<tor-configuration>): Add 'transport-plugins' field.
(<tor-transport-plugin>): New variable.
(tor-configuration->torrc): Add content to 'torrc' computed-file.
(tor-shepherd-service): Add file-system-mapping(s).
Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
---
This v9 patch version is exactly the same as the v8 one. I submit this
version exclusively because of the weird behavior of qa.guix.gnu.org.
Regards,
Nigko
doc/guix.texi | 68 ++++++++++++++++++++++++++++++++++++
gnu/services/networking.scm | 69 ++++++++++++++++++++++++++++++-------
2 files changed, 124 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 52e36e4354..0405b1536d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -22045,6 +22045,12 @@ Networking Services
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{transport-plugins} (default: @code{'()})
+The list of @code{<tor-transport-plugin>} records to use.
+For any transport plugin you include in this list, appropriate
+configuration line to enable transport plugin will be automatically
+added to the default configuration file.
+
@end table
@end deftp
@@ -22073,6 +22079,68 @@ Networking Services
@end table
@end deftp
+@cindex pluggable transports, tor
+@deftp {Data Type} tor-transport-plugin
+Data type representing a Tor pluggable transport plugin in
+@code{tor-configuration}. Plugguble transports are programs
+that disguise Tor traffic, which can be useful in case Tor is
+censored. See the the Tor project's
+@url{https://tb-manual.torproject.org/circumvention/,
+documentation} and
+@url{https://spec.torproject.org/pt-spec/index.html,
+specification} for more information.
+
+Each transport plugin corresponds either to
+@code{ClientTransportPlugin ...} or to
+@code{ServerTransportPlugin ...} line in the default
+configuration file, see @command{man tor}.
+Available @code{tor-transport-plugin} fields are:
+
+@table @asis
+@item @code{role} (default: @code{'client})
+This must be either @code{'client} or @code{'server}. Otherwise,
+an error is raised. Set the @code{'server} value if you want to
+run a bridge to help censored users connect to the Tor network, see
+@url{https://community.torproject.org/relay/setup/bridge/,
+the Tor project's brige guide}. Set the @code{'client} value
+if you want to connect to somebody else's bridge, see
+@url{https://bridges.torproject.org/, the Tor project's
+``Get Bridges'' page}. In both cases the required
+additional configuration should be provided via
+@code{#:config-file} option of @code{tor-configuration}.
+@item @code{protocol} (default: @code{"obfs4"})
+A string that specifies a pluggable transport protocol.
+@item @code{program}
+This must be a ``file-like'' object or a string
+pointing to the pluggable transport plugin executable.
+This option allows the Tor daemon run inside the container
+to access the executable and all the references
+(e.g. package dependencies) attached to it.
+@end table
+
+Suppose you would like Tor daemon to use obfs4 type obfuscation and
+to connect to Tor network via obfs4 bridge (a nonpublic Tor relay with
+support for obfs4 type obfuscation). Then you may go to
+@url{https://bridges.torproject.org/, https://bridges.torproject.org/}
+and get there a couple of bridge lines (each starts with @code{obfs4 ...})
+and use these lines in tor-service-type configuration as follows:
+@lisp
+(service tor-service-type
+ (tor-configuration
+ (config-file (plain-file "torrc"
+ "\
+UseBridges 1
+Bridge obfs4 ...
+Bridge obfs4 ..."))
+ (transport-plugins
+ (list (tor-transport-plugin
+ (program
+ (file-append
+ go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird
+ "/bin/lyrebird")))))))
+@end lisp
+@end deftp
+
The @code{(gnu services rsync)} module provides the following services:
You might want an rsync daemon if you have files that you want available
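Review bot: this resend still carries the typos of the @deftp text: "Plugguble" for "Pluggable", the doubled "the the", "brige" for "bridge", and "the Tor daemon run inside the container" for "running inside the container". Since the example depends on the package variable `go-gitlab-torproject-org-tpo-anti-censorship-pluggable-transports-lyrebird`, a sentence telling readers to import the module that defines it would make the snippet usable as written.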
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 12d8934e43..5a4e3a960d 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -160,10 +160,16 @@ (define-module (gnu services networking)
tor-configuration-hidden-services
tor-configuration-socks-socket-type
tor-configuration-control-socket-path
+ tor-configuration-transport-plugins
tor-onion-service-configuration
tor-onion-service-configuration?
tor-onion-service-configuration-name
tor-onion-service-configuration-mapping
+ tor-transport-plugin
+ tor-transport-plugin?
+ tor-plugin-role
+ tor-plugin-protocol
+ tor-plugin-program
tor-hidden-service ; deprecated
tor-service-type
@@ -966,7 +972,9 @@ (define-record-type* <tor-configuration>
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-configuration-control-socket-path
- (default #f)))
+ (default #f))
+ (transport-plugins tor-configuration-transport-plugins
+ (default '())))
(define %tor-accounts
;; User account and groups for Tor.
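Review bot: the `transport-plugins` field still has no `sanitize`, so a non-list or a list containing something other than `<tor-transport-plugin>` records is only rejected later by the `match-lambda` in `tor-configuration->torrc`, with an error that does not name the field. Checking `(and (list? value) (every tor-transport-plugin? value))` here and calling `configuration-field-error` otherwise, as `role` already does, gives a precise message at the point of the mistake.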
@@ -996,10 +1004,24 @@ (define-configuration/no-serialization tor-onion-service-configuration
@end lisp
maps ports 22 and 80 of the Onion Service to the local ports 22 and 8080."))
+(define-record-type* <tor-transport-plugin>
+ tor-transport-plugin make-tor-transport-plugin
+ tor-transport-plugin?
+ (role tor-plugin-role
+ (default 'client)
+ (sanitize (lambda (value)
+ (if (memq value '(client server))
+ value
+ (configuration-field-error #f 'role value)))))
+ (protocol tor-plugin-protocol
+ (default "obfs4"))
+ (program tor-plugin-program))
+
(define (tor-configuration->torrc config)
"Return a 'torrc' file for CONFIG."
(match-record config <tor-configuration>
- (tor config-file hidden-services socks-socket-type control-socket?)
+ (tor config-file hidden-services socks-socket-type control-socket?
+ transport-plugins)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -1038,6 +1060,20 @@ (define (tor-configuration->torrc config)
(cons name mapping)))
hidden-services))
+ (for-each (match-lambda
+ ((role-string protocol program)
+ (format port "\
+~aTransportPlugin ~a exec ~a~%"
+ role-string protocol program)))
+ '#$(map (match-lambda
+ (($ <tor-transport-plugin> role protocol program)
+ (list (if (eq? role 'client)
+ "Client"
+ "Server")
+ protocol
+ program)))
+ transport-plugins))
+
(display "\
### End of automatically generated lines.\n\n" port)
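Review bot: the torrc line is still assembled with unquoted `~a` substitutions of `protocol` and `program`; because Tor parses the line on whitespace, the generated configuration is only correct when both are whitespace-free, which holds for store file names but is not enforced for a string `program` or for `protocol`. Validating that in the record, or stating it in the manual, closes the gap.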
@@ -1050,20 +1086,27 @@ (define (tor-configuration->torrc config)
(define (tor-shepherd-service config)
"Return a <shepherd-service> running Tor."
(let* ((torrc (tor-configuration->torrc config))
+ (transport-plugins (tor-configuration-transport-plugins config))
(tor (least-authority-wrapper
(file-append (tor-configuration-tor config) "/bin/tor")
#:name "tor"
- #:mappings (list (file-system-mapping
- (source "/var/lib/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source "/var/run/tor")
- (target source)
- (writable? #t))
- (file-system-mapping
- (source torrc)
- (target source)))
+ #:mappings (append
+ (list (file-system-mapping
+ (source "/var/lib/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source "/var/run/tor")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source torrc)
+ (target source)))
+ (map (lambda (plugin)
+ (file-system-mapping
+ (source (tor-plugin-program plugin))
+ (target source)))
+ transport-plugins))
#:namespaces (delq 'net %namespaces))))
(list (shepherd-service
(provision '(tor))
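Review bot: as in v8, the read-only mapping of `(tor-plugin-program plugin)` is right for a store item, but a string naming a file outside the store maps only that file, so a dynamically linked plugin would lack its libraries inside the wrapper; the documentation of `program` should state this, or the field should accept only file-like objects.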
base-commit: 964c075dc5bcd1875b61c6eafbaab990cf49f69d
--
2.46.0
* bug#70341: [PATCH v9] services: tor: Add support for pluggable transports.
2024-10-06 17:39 ` [bug#70341] [PATCH v9] " Nigko Yerden
@ 2024-10-14 11:41 ` Ludovic Courtès
2024-10-14 16:36 ` [bug#70341] " Nigko Yerden
2024-10-15 6:26 ` Nigko Yerden
0 siblings, 2 replies; 18+ messages in thread
From: Ludovic Courtès @ 2024-10-14 11:41 UTC (permalink / raw)
To: Nigko Yerden; +Cc: Maxim Cournoyer, Florian Pelz, 70341-done
Hi,
Nigko Yerden <nigko.yerden@gmail.com> skribis:
> Pluggable transports are programs that disguise Tor traffic, which
> can be useful in case Tor is censored. Pluggable transports
> cannot be configured through the #:config-file file exclusively because the Tor
> process is run via 'least-authority-wrapper' and cannot have access
> to the transport plugin, which is a separate executable (Bug#70302,
> Bug#70332).
>
> ;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
>
> * doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
> data type and 'transport-plugins' option for 'tor-configuration'.
> * gnu/services/networking.scm: Export
> 'tor-configuration-transport-plugins', 'tor-transport-plugin',
> 'tor-transport-plugin?', 'tor-plugin-role',
> 'tor-plugin-protocol', and 'tor-plugin-program'.
> (<tor-configuration>): Add 'transport-plugins' field.
> (<tor-transport-plugin>): New variable.
> (tor-configuration->torrc): Add content to 'torrc' computed-file.
> (tor-shepherd-service): Add file-system-mapping(s).
>
> Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
Finally applied, thanks!
Ludo’.
* [bug#70341] [PATCH v9] services: tor: Add support for pluggable transports.
2024-10-14 11:41 ` bug#70341: " Ludovic Courtès
@ 2024-10-14 16:36 ` Nigko Yerden
2024-10-15 6:26 ` Nigko Yerden
1 sibling, 0 replies; 18+ messages in thread
From: Nigko Yerden @ 2024-10-14 16:36 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Maxim Cournoyer, Florian Pelz, 70341-done
It is my first commit in Guix. Thanks!
Regards,
Nigko
Ludovic Courtès wrote:
> Hi,
>
> Nigko Yerden <nigko.yerden@gmail.com> skribis:
>
>> Pluggable transports are programs that disguise Tor traffic, which
>> can be useful in case Tor is censored. Pluggable transports
>> cannot be configured through the #:config-file file exclusively because the Tor
>> process is run via 'least-authority-wrapper' and cannot have access
>> to the transport plugin, which is a separate executable (Bug#70302,
>> Bug#70332).
>>
>> ;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
>>
>> * doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
>> data type and 'transport-plugins' option for 'tor-configuration'.
>> * gnu/services/networking.scm: Export
>> 'tor-configuration-transport-plugins', 'tor-transport-plugin',
>> 'tor-transport-plugin?', 'tor-plugin-role',
>> 'tor-plugin-protocol', and 'tor-plugin-program'.
>> (<tor-configuration>): Add 'transport-plugins' field.
>> (<tor-transport-plugin>): New variable.
>> (tor-configuration->torrc): Add content to 'torrc' computed-file.
>> (tor-shepherd-service): Add file-system-mapping(s).
>>
>> Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
>
> Finally applied, thanks!
>
> Ludo’.
* [bug#70341] [PATCH v9] services: tor: Add support for pluggable transports.
2024-10-14 11:41 ` bug#70341: " Ludovic Courtès
2024-10-14 16:36 ` [bug#70341] " Nigko Yerden
@ 2024-10-15 6:26 ` Nigko Yerden
2024-10-15 15:43 ` Ludovic Courtès
1 sibling, 1 reply; 18+ messages in thread
From: Nigko Yerden @ 2024-10-15 6:26 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Maxim Cournoyer, Florian Pelz, 70341-done
Hello,
Ludovic Courtès wrote:
> Hi,
>
> Nigko Yerden <nigko.yerden@gmail.com> skribis:
>
>> Pluggable transports are programs that disguise Tor traffic, which
>> can be useful in case Tor is censored. Pluggable transports
>> cannot be configured through the #:config-file file exclusively because the Tor
>> process is run via 'least-authority-wrapper' and cannot have access
>> to the transport plugin, which is a separate executable (Bug#70302,
>> Bug#70332).
>>
>> ;;; Copyright © 2024 Nigko Yerden <nigko.yerden@gmail.com>
>>
>> * doc/guix.texi (Networking Services): Document 'tor-transport-plugin'
>> data type and 'transport-plugins' option for 'tor-configuration'.
>> * gnu/services/networking.scm: Export
>> 'tor-configuration-transport-plugins', 'tor-transport-plugin',
>> 'tor-transport-plugin?', 'tor-plugin-role',
>> 'tor-plugin-protocol', and 'tor-plugin-program'.
>> (<tor-configuration>): Add 'transport-plugins' field.
>> (<tor-transport-plugin>): New variable.
>> (tor-configuration->torrc): Add content to 'torrc' computed-file.
>> (tor-shepherd-service): Add file-system-mapping(s).
>>
>> Change-Id: I1b0319358778c7aee650bc843e021a6803a1cf3a
>
> Finally applied, thanks!
>
> Ludo’.
The files 'doc/guix.texi' and 'gnu/services/networking.scm' are missing my copyright messages.
May I send them via a separate patch?
Regards,
Nigko