
relayor v23.1.0

@nusenu released this 12 Feb 16:39 · 17 commits to master since this release

Changes since v23.0.0

This release contains backward incompatible changes for prometheus integration users; they are flagged with ⚠️.
If you used the prometheus integration with older releases, the easiest way to upgrade to v23.1.0 is to delete the previously generated scrape configs and nginx config files and start with a minimal set of variables, relying on defaults as much as possible, according to this guide.

Security: MetricsPort htpasswd Authentication Password Rollover (Low Risk)

Implement a workaround for ansible-collections/community.general#5975 by moving from a random username to a static username. This change will be reverted once upstream implements the "exclusive" parameter.

This issue affects you if all of these points apply to your environment:

  • you use relayor's prometheus integration and the htpasswd file generation for nginx
  • you attempted to do a password rollover by removing the folder ~/.tor/prometheus/scrape-usernames or individual files in that folder without also removing ~/.tor/prometheus/metrics_path.

Impact: A new user gets added but the old user is not removed.

Manual steps recommended for all users of the htpasswd file feature: Update to v23.1.0 or newer, remove the htpasswd file and run your playbook again.
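As an added check that is not part of relayor itself, the following script lists the users in an nginx htpasswd file and reports any that are not in the expected set, which is exactly how the leftover user from a failed rollover shows up. The file content, usernames and path are constructed sample values.

```python
"""Audit an nginx htpasswd file for users left behind by a password rollover.
Added example, not relayor's own code. Usernames and content are constructed."""
from __future__ import annotations
import re
from pathlib import Path

# htpasswd format: one "username:hash" line per user; blank lines and
# lines starting with '#' are ignored.
_HTPASSWD_LINE = re.compile(r"^([^:#\s][^:]*):(.+)$")


def htpasswd_users(text: str) -> list[str]:
    """Return the usernames found in htpasswd content, in file order."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _HTPASSWD_LINE.match(line)
        if m:
            users.append(m.group(1))
    return users


def stale_users(text: str, expected: set[str]) -> list[str]:
    """Users present in the file but not expected.
    A non-empty result means an old credential still grants access."""
    return [u for u in htpasswd_users(text) if u not in expected]


def audit_file(path: str, expected: set[str]) -> list[str]:
    """Read an htpasswd file from disk and return its stale users."""
    return stale_users(Path(path).read_text(), expected)


# Constructed sample: a file after a rollover that added the new static
# user but did not remove the previous random one.
SAMPLE = """\
# constructed sample, not a real htpasswd file
kq3x9z2p:$apr1$placeholderhash1
metrics:$apr1$placeholderhash2
"""

if __name__ == "__main__":
    leftovers = stale_users(SAMPLE, {"metrics"})
    if leftovers:
        print("stale htpasswd users:", ", ".join(leftovers))  # prints: kq3x9z2p
    else:
        print("htpasswd contains only the expected users")
```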

Prometheus Integration Changes

  • usability improvements: simplification of how users enable prometheus integration
    • ship a default value for tor_prometheus_scrape_file and change its semantic from abs. filepath to filename ⚠️
    • simplify nginx config by shipping a default value for tor_metricsport_nginx_config_file
  • implement conf.d style support for prometheus configuration and generate global prometheus.yml
  • remove default value of tor_prometheus_host so we can use it as the signal to enable prometheus integration ⚠️
  • remove the default of tor_blackbox_exporter_host so we can use it as a signal to enable blackbox_exporter integration ⚠️
    • tor_gen_blackbox_scrape_config is obsolete and ignored ⚠️
  • ship some prometheus alert rules for tor relays (off by default)
  • support user defined prometheus alert rules
  • change default value of tor_gen_metricsport_htpasswd: False -> True ⚠️
  • reload prometheus on config changes
  • reload nginx on config changes
  • add service label with value "torrelay"
  • document prometheus security considerations
  • rename tor_prometheus_scrape_file_group -> tor_prometheus_group ⚠️

Misc

  • support more than two tor instances per IP address. We do not change the default of two tor instances per IP though. If you want to run more than two relays per IP, set tor_ports accordingly. Make sure not to exceed the limit in force at the time: the limit of relays per IP is 4 as of this release and is expected to increase in the near future. Check the linked gitlab issue.

  • ⚠️ remove the tor_dedicatedExitIP feature. You can set OutboundBindAddressExit via the tor_config variable on a per server level.

  • add some more example playbooks:
    • 4 tor instances per IP
    • prometheus integration
  • README improvements

Known issue: Test-kitchen for prometheus suites fail due to the reload nginx handler.