Saturday, 4 February 2012

Setting up a Tor Bridge Relay on illumos

Times are getting rough again. There are regimes out there that censor the ability of their citizens to express themselves or communicate with each other; sometimes even lives are at stake. Communication isn't a luxury: it's what makes us human, it empowers us, tears down walls between people and helps us to understand each other. Censorship and total surveillance are a violation of human rights, something we need to fight. One way of doing this is to support the Tor Project. In this blog post I will show how to set up a so-called bridge relay on illumos: an entry point to the Tor network that lets people who suffer under censorship and surveillance access the internet.

Step 1: Building Tor under illumos

Building Tor is easy as pie. All you need is the libevent src and the Tor src.

Step 2: Setting up an illumos zone

Since illumos inherits all the awesome features of OpenSolaris we can isolate our Tor bridge inside of a zone. We will create a zone with the name "tor".

Before we start, we need to create a ZFS dataset for our zone. I usually put mine in /export/zones (which itself is a dataset) like so:
[root@lain:~]> zfs create rpool/export/zones/tor
Now, let's set up the zone:
[root@lain:~]> zonecfg -z tor
tor: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:tor> create
zonecfg:tor> set zonepath=/export/zones/tor
zonecfg:tor> verify
zonecfg:tor> commit
zonecfg:tor> exit
[root@lain:~]> zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   - tor              configured /export/zones/tor              ipkg     shared

Now we install our virtual illumos inside of the zone; this might take a few minutes.
[root@lain:~]> zoneadm -z tor install
And boot the bugger.
[root@lain:~]> zoneadm -z tor boot
Everything is set up and ready to go. We have a virtual instance of illumos running inside of a container. Time to log into it.

[root@lain:~]> zlogin -C tor

Step 3: Set up Tor

Time to get serious. After building Tor and putting it into our zone, we now need to configure Tor to function as a bridge relay. Here we set up our bridge to listen on port 443. Since Tor traffic looks a lot like SSL, it's a good place to run. Our torrc should look like this:

SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*

I recommend that you set up a tor user to avoid running as root. The problem is that you cannot run a server on a privileged port as an unprivileged user. We can use RBAC to give the tor user the net_privaddr privilege, which allows it to run services on such ports.

[root@tor:~]> usermod -K defaultpriv=basic,net_privaddr tor
To start Tor, we simply issue:

[tor@tor:~]> pfexec tor -f torrc
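
A pre-flight check for the torrc above, as an added example that is not part of the original post: the hypothetical audit_torrc function verifies that the file describes a bridge-only, non-exit relay with no SOCKS listener, and notes when the ORPort is privileged and therefore needs the net_privaddr privilege granted above. The sample file is constructed from the torrc in this post.

```sh
#!/bin/sh
# audit_torrc FILE (hypothetical helper, not part of Tor): check that a torrc
# describes a bridge-only, non-exit relay. Prints one finding per line;
# the return status is the number of FAIL findings.
audit_torrc() {
    awk '
    { sub(/#.*/, "") }                 # drop comments
    NF == 0 { next }                   # skip blank lines
    {
        key = tolower($1)              # torrc option names are case-insensitive
        # exit policy rules are matched in order, so only the first line counts
        if (key == "exitpolicy" && (key in opt)) next
        val = tolower($0)
        sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)          # strip the option name
        gsub(/[ \t]+/, " ", val); sub(/ $/, "", val)  # normalise whitespace
        opt[key] = val
    }
    END {
        fails = 0
        if (opt["bridgerelay"] != "1") {
            print "FAIL BridgeRelay is not 1: the relay would be listed publicly"; fails++ }
        if (opt["socksport"] != "0") {
            print "FAIL SocksPort is not 0: a local SOCKS listener stays enabled"; fails++ }
        if (index(opt["exitpolicy"], "reject *:*") != 1) {
            print "FAIL first ExitPolicy rule is not reject *:*"; fails++ }
        port = opt["orport"]; sub(/ .*/, "", port); sub(/^.*:/, "", port)
        if (port == "" || port == "0") {
            print "FAIL no ORPort: nothing for bridge users to connect to"; fails++ }
        else if (port ~ /^[0-9]+$/ && port + 0 < 1024)
            print "NOTE ORPort " port " is privileged: the tor user needs net_privaddr"
        exit fails
    }' "$1"
}

# Constructed sample: the four-line torrc from this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# bridge relay on the SSL port
SocksPort 0
ORPort 443
BridgeRelay 1
Exitpolicy reject *:*
EOF
audit_torrc "$sample"
rm -f "$sample"
```
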
We are ready to go! If you've got questions or more ideas, leave me a comment.

If you want to know more about the Tor Project, I recommend this talk:

Wednesday, 4 January 2012

Building GHC under Illumos

I like the bleeding edge; that's why I always want to have the newest compilers for my favorite languages, and Haskell is one of those languages. In this blog post I'm going to show you how to build the latest and greatest GHC on the Illumos distribution OpenIndiana. If you don't want to build it yourself, you can pick up a fairly recent version of GHC from the SFE Repository.

To make things easier, let's get our hands on a GHC binary from which we can bootstrap our environment. Luckily there is a package for GHC 7.0.3 for Solaris which works just fine under Illumos. Just install it and put it in your PATH environment variable.

Due to its Solaris heritage, Illumos currently ships with a pretty outdated version of GCC. I recommend that you install the GCC provided by the SFE Repository, since the shipped version causes some linking problems when dealing with the hidden attribute. If you have to use the old compiler, you can get rid of this issue by using this quick and dirty patch, which just gets rid of some pragmas and macros:


diff --git a/includes/Rts.h b/includes/Rts.h
index 91ec76d..adbbe54 100644
--- a/includes/Rts.h
+++ b/includes/Rts.h
@@ -52,7 +52,7 @@ extern "C" {
 // with visibility "hidden" to hide them outside the RTS shared
 // library.
 #if defined(HAS_VISIBILITY_HIDDEN)
-#define RTS_PRIVATE  GNUC3_ATTRIBUTE(visibility("hidden"))
+#define RTS_PRIVATE  //GNUC3_ATTRIBUTE(visibility("hidden"))
 #else
 #define RTS_PRIVATE  /* disabled: RTS_PRIVATE */
 #endif
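Review bot: In includes/Rts.h the HAS_VISIBILITY_HIDDEN branch now defines RTS_PRIVATE as empty, identical to the #else branch, so every symbol marked RTS_PRIVATE is exported from the RTS shared library on all builds, not only with the old GCC that has the linking problem. Rather than commenting out the attribute inside the macro, make the #if condition false for the affected toolchain so that other builds keep hidden visibility. If the macro has to be emptied, use a /* ... */ comment as the #else branch does, since a // comment on a #define line is easy to misread as part of the expansion.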
diff --git a/rts/BeginPrivate.h b/rts/BeginPrivate.h
index 6471b92..1af4c90 100644
--- a/rts/BeginPrivate.h
+++ b/rts/BeginPrivate.h
@@ -6,5 +6,5 @@
        error: visibility attribute not supported in this configuration; ignored
    */
 #if defined(HAS_VISIBILITY_HIDDEN) && !defined(freebsd_HOST_OS)
-#pragma GCC visibility push(hidden)
+//#pragma GCC visibility push(hidden)
 #endif
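Review bot: The push(hidden) pragma in rts/BeginPrivate.h is commented out unconditionally, which leaves an empty #if block and drops hidden visibility for every host, although the condition on the line above already carries a per-host exclusion (!defined(freebsd_HOST_OS)). Add the affected host or compiler version to that condition in the same style instead, and extend the comment above the #if to say why it is excluded.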
diff --git a/rts/EndPrivate.h b/rts/EndPrivate.h
index 4cfb68f..c2e3154 100644
--- a/rts/EndPrivate.h
+++ b/rts/EndPrivate.h
@@ -1,3 +1,3 @@
 #if defined(HAS_VISIBILITY_HIDDEN) && !defined(freebsd_HOST_OS)
-#pragma GCC visibility pop
+//#pragma GCC visibility pop
 #endif
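Review bot: The pop in rts/EndPrivate.h has to stay paired with the push in rts/BeginPrivate.h, and this patch keeps the two in step only by hand-editing both files. If the push is moved behind an extra condition, use the identical condition here, because a push without a matching pop leaves hidden visibility in effect for everything declared after the include.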

Now we are good to go. Get your hands on a fresh tarball, perhaps the latest and greatest RC. To configure your future GHC just run something like:


./configure --prefix=$HOME/Library/GHC/version --with-gmp-includes=/usr/include/gmp
I usually install self-compiled software in ~/Library/program/version. From here I can manage everything using softlinks, but feel free to use any other prefix.

Be sure to run the GNU Make (gmake) command and not the Illumos one. Sadly, gmake seems to be unable to handle multiple jobs when compiling GHC, so our final step looks like this:


gmake && gmake install

From here on you should be able to build pretty much every version you wish for. If you pick a version that is supported by cabal-install, installing additional packages from Hackage is a piece of cake. I usually have more than one GHC installed: the one that is shipped with the current Haskell Platform and the latest version with all the hot new features.

Illumos has the potential to be one of the best platforms for developing Haskell since it has exquisite DTrace support. If you want to help to improve the Haskell experience on Illumos, feel free to contact me in #openindiana on freenode.