[Tool] Docker container for guard relays with self-healing and diagnostics - feedback welcome

Support Relay Operator
1

Hi everyone,

I’ve been running Tor guard relays for a while and kept hitting the same setup issues, permission errors, manual restarts after updates, repetitive configuration.

While looking for Docker solutions, I discovered most existing relay containers were abandoned 2–3 years ago. They’re stuck on old Tor versions, lack multi-arch support, and haven’t received any recent security patches. The community deserves better tooling.

Built this container to address both the operational pain points and the maintenance gap.

Project: GitHub - r3bo0tbx1/tor-guard-relay: Hardened Dockerized Tor Middle/Guard Relay 🧅🔁🐋🛡️🔒
License: MIT
Images: Package onion-relay · GitHub
Commitment: Actively maintained with weekly automated builds

What it does

  • One-command deployment: minimal manual configuration
  • Self-healing permissions: automatically fixes DataDirectory ownership issues on boot
  • Built-in diagnostics: relay-status, fingerprint, view-logs commands
  • Multi-architecture support: native builds for amd64 and arm64 (tested on x86 VPS and Raspberry Pi)
  • Deployment templates: Docker Compose, Cosmos Cloud, Portainer
  • CI/CD automation: weekly rebuilds via GitHub Actions for security updates

I’ve been running this on my own guard relays for several months with stable uptime. It follows Tor Project best practices and doesn’t modify core Tor behavior, just handles the container orchestration layer.

Why I’m posting here

I’d appreciate feedback from experienced operators on:

  1. Security concerns: any issues with the container security model or permissions handling?
  2. Configuration defaults: anything missing from the example torrc?
  3. Diagnostic improvements: what would make the status commands more useful?
  4. Bridge relay variant: is there interest in a similar container for bridges?

Technical details

  • Base: Alpine Linux (edge) for latest Tor packages
  • Automated updates: Weekly CI/CD rebuilds (addresses the “abandoned Docker relay” problem)
  • Init: Tini for proper signal handling
  • User: Non-root (tor:tor)
  • Networking: Host mode (required for IPv6 dual-stack)
  • Health checks: Built-in torrc validation
  • Multi-arch: Native amd64 and arm64 builds

Full documentation, example configs, and troubleshooting guide in the repo.

Contributing

Fully open source under MIT license. Issues and PRs welcome. I maintain this in my spare time.

If this helps you run relays, consider supporting the Tor Project directly: https://donate.torproject.org/

Screenshots

b4c02144e5c5192e2e517b5c767b82c7
b4c02144e5c5192e2e517b5c767b82c71780×1023 80 KB

c8bb6c60fd9e67405415e46f27e2252f
c8bb6c60fd9e67405415e46f27e2252f1785×1015 99.8 KB

926c79d6805510970e37a51a925dfd5b
926c79d6805510970e37a51a925dfd5b1770×1015 62 KB

fe714843e8f38e8261736041b0ebdd95
fe714843e8f38e8261736041b0ebdd95665×203 11.7 KB

Closing thought

More relays = stronger network. If this container makes it easier for people to run stable relays with less operational overhead, that’s the goal.

Thanks for looking,
r3bo0tbx1

1 Like