[tor-relays] family-ids

Yay, family key's are live:
Implemented-In: Tor 0.4.9.1-alpha, Arti 1.4.1

Copy the MyFamilyKey.secret_family_key file into the KeyDir of _every_ _one_ of your relay.

Oooh, damn it. No ansible. Happy copy pasting happy-families

I really hope I don't have to copy paste it all given the amount of relays
that I am currently running. Hopefully, nusenu will update the ansible repo
to support it.

Nusenu has not only implemented this in his ansible-relayor, but has also
given hints during development:

Yay, family key's are live:
Implemented-In: Tor 0.4.9.1-alpha

Note that the version number given there is wrong.
tor 0.4.9.1-alpha does not include support for the new happy families feature.

0.4.9.2-alpha will probably be the first tor release with happy families support.
This has been corrected on this page:

but has not found its way to the proposal page yet.

Thanks to early adopters like toralf bugs in happy families are being reported and fixed.

I really hope I don't have to copy paste it all given the amount of relays
that I am currently running. Hopefully, nusenu will update the ansible repo
to support it.

Nusenu has not only implemented this in his ansible-relayor, but has also
given hints during development:
Implement proposal 321 (happy families) (!857) · Merge requests · The Tor Project / Core / Tor · GitLab

The current implementation in tor does not support setting the path to the family key file.
Which is a bit cumbersome for large operators because they need to copy the file
for every tor instance (keys folder) instead of a single time for each server and a single torrc config line.
This is less problematic for ansible-relayor than for operators doing it manually because we can automate that
task in realyor, but the runtime will certainly increase significantly for large operators if we need to copy that file for every tor instance including setting permissions and so on.

I hope a torrc option for specifying the path to the key file is added before the first tor release with happy families is published
to mitigate this overhead.

Here is the related gitlab issue for it:

After this has been clarified/implemented (or rejected) an ansible-relayor release with happy families support will be implemented.

OrNetStats will also get Happy Families support but this depends on onionoo's support for Happy Families:

I found it surprising to learn from the proposal that the old MyFamily design makes up over 80% of microdescriptors size
so this change has significant potential to decrease the bandwidth used for answering directory requests
https://metrics.torproject.org/dirbytes.html
but since both Family designs will co-exist for some time for backward compatibility reasons it will take some time before operators can remove there old
MyFamily lines from their torrc config files.

kind regards,
nusenu

FWIW, any filename should be okay, so long as it ends with
".secret_family_key". But "secret_family_key" on its own is not okay:
the period is required.

Uuh, thanks. Then everything's fine. I created the key with:

tor --quiet --keygen-family ForPrivacyNET

and then copied 'ForPrivacyNET.secret_family_key' into tor's KeyDir

The most annoying thing for me¹ was changing the rights

chown _tor-00:_tor-00 /var/lib/tor-instances/00/keys/ForPrivacyNET.secret_family_key
...
chown _tor-$$:_tor-$$ /var/lib/tor-instances/$$/keys/ForPrivacyNET.secret_family_key

¹because I'm brain-dead and don't use ansible.

>>> Yay, family key's are live:
>>> Implemented-In: Tor 0.4.9.1-alpha

Note that the version number given there is wrong.
tor 0.4.9.1-alpha does not include support for the new happy families
feature.

0.4.9.2-alpha will probably be the first tor release with happy families
support. This has been corrected on this page:
Tor Project | Learn how to configure your relays' FamilyID
but has not found its way to the proposal page yet.

OK, thanks.
With tor-nightly-main-* currently: 0.4.9.1-alpha-dev
I was able to create the family key and id.

Thanks to early adopters like toralf bugs in happy families are being
reported and fixed.
>> I really hope I don't have to copy paste it all given the amount of
>> relays
>> that I am currently running. Hopefully, nusenu will update the ansible
>> repo
>> to support it.
>>
>
>
> Nusenu has not only implemented this in his ansible-relayor, but has also
> given hints during development:
> Implement proposal 321 (happy families) (!857) · Merge requests · The Tor Project / Core / Tor · GitLab
> 07
The current implementation in tor does not support setting the path to the
family key file. Which is a bit cumbersome for large operators because they
need to copy the file for every tor instance (keys folder) instead of a
single time for each server and a single torrc config line. This is less
problematic for ansible-relayor than for operators doing it manually
because we can automate that task in realyor, but the runtime will
certainly increase significantly for large operators if we need to copy
that file for every tor instance including setting permissions and so on.

I hope a torrc option for specifying the path to the key file is added
before the first tor release with happy families is published to mitigate
this overhead.

Yes, I was also looking for the option to specify the path.
Now it doesn't matter, for me. I copied the key in every tor instance and
changed permissions. torrc config is only one file per server. I just have to
comment out 'FamilyId' line with upcoming stable 0.4.9.n

BTW:
I hope 0.4.9 finally includes 'ReevaluateExitPolicy' and 'DoSStreamCreation*'
for exits, in addition to the family keys.

'ReevaluateExitPolicy' on restart breaks tens or hundreds of thousands of
existing connections, and healthy relays lose the HsDir flag.

DoS and DDoS consume power and bandwidth. 'ReevaluateExitPolicy' on reload
can, AFAIK, also help the relays before exits in the circuit.

I really hope I don’t have to copy paste it all given the amount of relays that I am currently running. Hopefully, nusenu will update the ansible repo to support it.