GNU bug report logs - #54370
guix.gnu.org is inaccessible from Russia

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 54370 in the body.
You can then email your comments to 54370 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: poiNt_3D <point4d <at> gmail.com>
To: bug-guix <at> gnu.org
Subject: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 09:14:04 +0300

[Message part 1 (text/plain, inline)]

Hello. I would like to request a clarification on the issue of
inaccessibility of guix.gnu org from the Russian Federation.
Is the blocking intentional or is there some kind of networking problem?

Here's my traceroute output:

>  6  ge-4-0-0-10g.m320-2-vlgd.nwtelecom.ru (212.48.195.41)  15.660 ms
>  13.065 ms  15.545 ms
>  7  109.172.24.67 (109.172.24.67)  32.341 ms 87.226.183.61 (87.226.183.61)
>  31.027 ms  28.507 ms
>  8  ae53.edge4.stockholm2.level3.net (213.249.107.129)  37.298 ms  29.497
> ms  35.571 ms
>  9  ae1.5.bar1.hamburg1.level3.net (4.69.142.209)  73.587 ms
> s-bb1-link.ip.twelve99.net (62.115.139.180)  27.296 ms
> ae1.5.bar1.hamburg1.level3.net (4.69.142.209)  74.064 ms
> 10  195.122.181.62 (195.122.181.62)  64.682 ms  66.071 ms  68.254 ms
> 11  ffm-b5-link.ip.twelve99.net (62.115.114.89)  51.213 ms
> cr-tub2-be13.x-win.dfn.de (188.1.144.58)  67.156 ms  61.032 ms
> 12  kr-mdcbln1.x-win.dfn.de (188.1.238.78)  65.546 ms
> dfn-ic357399-ffm-b5.ip.twelve99-cust.net (213.248.97.41)  50.044 ms
>  49.354 ms
> 13  cr-erl2-be8.x-win.dfn.de (188.1.144.221)  50.629 ms * *
> 14  cr-tub2-be10.x-win.dfn.de (188.1.146.210)  64.584 ms  56.154 ms *
> 15  kr-mdcbln1.x-win.dfn.de (188.1.238.78)  59.972 ms *  64.541 ms16  * *
> *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * * *
> 20  * * *
> 21  * * *
> 22  * * *
> 23  * * *
> 24  * * *
> 25  * * *
>


Thanks.

[Message part 2 (text/html, inline)]

Message #8 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Evgeny Pisemsky <evgeny <at> pisemsky.com>
To: 54370 <at> debbugs.gnu.org
Subject: Guix in Russia
Date: Sun, 13 Mar 2022 12:05:48 +0300

Hello!

Check out this discussion:

https://lists.gnu.org/archive/html/help-guix/2022-03/msg00004.html

Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: bug-guix <at> gnu.org, poiNt_3D <point4d <at> gmail.com>, 54370 <at> debbugs.gnu.org,
 54370-done <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 11:43:23 +0000

Hi Point4d,

Specifically, from the thread linked by Evgeny:

  "At the MDC level there’s an unrelated recent ban of some Russian IP ranges in place due to massively increased port scans and intrusion attempts since about one week. I hope you can use the Chinese mirror for the time being."

That mirror is at https://mirrors.sjtug.sjtu.edu.cn/guix .  Let us know if it works.

Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.

Message #22 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 12:15:11 +0000

Hm,

I didn't address guix.gnu.org beyond ci.guix.gnu.org.

Everyone: should we ask SJTUG to mirror the Web site as well?

I'm generally weary of that.

Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.

Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.

Message #27 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 12:36:49 +0000

[Message part 1 (text/plain, inline)]

Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

> I didn't address guix.gnu.org beyond ci.guix.gnu.org.
>
> Everyone: should we ask SJTUG to mirror the Web site as well?
>
> I'm generally weary of that.

I believe bayfront was being setup to serve the website (see [1]), but
I'm not sure on how that's progressing.

1: https://git.savannah.gnu.org/cgit/guix/maintenance.git/commit/?id=8250a46b2fa178d1cdd37986028d5a07e3db65ed

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Christopher Baines <mail <at> cbaines.net>
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>, 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 15:30:27 +0100

Hi,

Christopher Baines <mail <at> cbaines.net> skribis:

> I believe bayfront was being setup to serve the website (see [1]), but
> I'm not sure on how that's progressing.
>
> 1: https://git.savannah.gnu.org/cgit/guix/maintenance.git/commit/?id=8250a46b2fa178d1cdd37986028d5a07e3db65ed

Indeed.  The plan we discussed during the “sysadmin hackathon” a couple
of months ago was to, for instance, have the DNS entry point to these
two machines.

The problem we keep stumbling upon and that I don’t know how yet how to
solve is how to make it work for HTTPS: do we copy raw certificates to
bayfront, or is there a way to have separate certificates?  How about
Let’s Encrypt challenges?

These are the last issues to solve and I’d welcome expertise here.  Any
ideas?

Everything else is addressed: the web site gets built on bayfront just
like it is on berlin, static data such as videos and PDFs are
automatically mirrored to bayfront.

  https://git.savannah.gnu.org/cgit/guix/maintenance.git/commit/?id=601691e7ea07c999d60993464b27d4cba2621f05

Thanks,
Ludo’.

Message #33 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 16:30:25 +0100

Hi!

On 2022-03-13 15:30, Ludovic Courtès wrote:
> The plan we discussed during the “sysadmin hackathon” a couple
> of months ago was to, for instance, have the DNS entry point to these
> two machines.

Uhm, quick but:

Apparently some browsers (OK, one, and we all know which one) embraces & 
extends the DNS in such a way that this provides the fall-back behaviour 
you seem to expect.  But this is not standard and it won't fly with most 
software.  I checked.

It doesn't in Firefox/IceCat.  Even if it does in current Chrom{e,ium}, 
it might just be an unreliable side-effect.

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.

Message #36 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 20:50:39 +0100

[Resending to the proper address, sorry; I'm mu4e-less and hence 
incompetent :-]

Hi!

On 2022-03-13 20:00, poiNt_3D wrote:

> Is it possible to set the firewall to allow only public services to be 
> accessed from these IP ranges?

I'm afraid we don't control the berlin firewall or have much sway in how 
it's managed, so there's little point in discussing such actions.

> can be easily interpreted as a political decision

With Russia waging war, it seems likely that these Russian ISPs tolerate 
abusive traffic for political reasons.  There are probably political 
consequences for those who refuse.

The Internet was and still is built on ISP accountability and gives 
targets few other tools to effectively defend themselves, short of 
blocking such IP ranges.

I wish there were a better answer than 'use Tor' for those stuck in the 
cross-fire :-(

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.

Message #39 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 21:03:16 +0100

Pending expertise, is it feasible to serve the copy as-is without trying 
to impersonate berlin?  E.g. mirror.guix.gnu.org?

Hm, maybe that's not worth the effort…

I've asked around and short of pointing guix.gnu.org to bayfront — 
working around the issue & hoping that it will continue to be unaffected 
— or using a CDN that has points of presence in Russia — which can 
easily be taken down in a future wave of sanctions — the situation seems 
to be quite disappointing.

For proper fail-over you (ironically) need one box sitting in front of 
the boxes you want to fail over to.

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.

Message #42 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>, 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Sun, 13 Mar 2022 21:36:16 +0100

[Message part 1 (text/plain, inline)]

Tobias Geerinckx-Rice via Bug reports for GNU Guix schreef op zo 13-03-
2022 om 20:50 [+0100]:
> I wish there were a better answer than 'use Tor' for those stuck in the 
> cross-fire :-(

For the website, publishing the website not only over HTTP/S but also
over IPFS might help?  The website is static and Guix has an IPFS
service, so it should be feasible I think.  The browser extension
(https://docs.ipfs.io/install/ipfs-companion/) would need to be
packaged though, and a DNS link record
(https://docs.ipfs.io/concepts/dnslink/#resolve-dnslink-name) would
need to be set up.

Greetings,
Maxime.

[signature.asc (application/pgp-signature, inline)]

Message #45 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>, 54370 <at> debbugs.gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Tue, 15 Mar 2022 08:57:59 +0100

Hi Maxime,

Maxime Devos <maximedevos <at> telenet.be> skribis:

> For the website, publishing the website not only over HTTP/S but also
> over IPFS might help?  The website is static and Guix has an IPFS
> service, so it should be feasible I think.  The browser extension
> (https://docs.ipfs.io/install/ipfs-companion/) would need to be
> packaged though, and a DNS link record
> (https://docs.ipfs.io/concepts/dnslink/#resolve-dnslink-name) would
> need to be set up.

That and/or publishing as an onion service would be great.

Ludo’.

Message #50 received at 54370 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>,  54370 <at> debbugs.gnu.org, poiNt_3D
 <point4d <at> gmail.com>, Evgeny Pisemsky <evgeny <at> pisemsky.com>, Maxime Devos
 <maximedevos <at> telenet.be>
Subject: Re: bug#54370: guix.gnu.org is inaccessible from Russia
Date: Sat, 19 Mar 2022 12:04:45 +0100

Hi,

I updated the onion address in the section of the cookbook that explains
how to get substitutes from ci.guix over Tor:

  https://guix.gnu.org/cookbook/en/html_node/Getting-substitutes-from-Tor.html

Copying the text inline below.

Next step is to publish an Onion service for the web site.

HTH,
Ludo’.

3.8 Getting substitutes from Tor
================================

Guix daemon can use a HTTP proxy to get substitutes, here we are
configuring it to get them via Tor.

     Warning: _Not all_ Guix daemon’s traffic will go through Tor!  Only
     HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc
     connections will still go through the clearnet.  Again, this
     configuration isn’t foolproof some of your traffic won’t get routed
     by Tor at all.  Use it at your own risk.

     Also note that the procedure described here applies only to package
     substitution.  When you update your guix distribution with ‘guix
     pull’, you still need to use ‘torsocks’ if you want to route the
     connection to guix’s git repository servers through Tor.

   Guix’s substitute server is available as a Onion service, if you want
to use it to get your substitutes through Tor configure your system as
follow:

     (use-modules (gnu))
     (use-service-module base networking)

     (operating-system
       …
       (services
         (cons
           (service tor-service-type
                   (tor-configuration
                     (config-file (plain-file "tor-config"
                                              "HTTPTunnelPort 127.0.0.1:9250"))))
           (modify-services %base-services
             (guix-service-type
               config => (guix-configuration
                           (inherit config)
                           ;; ci.guix.gnu.org's Onion service
                           (substitute-urls
                            "https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion")
                           (http-proxy "http://localhost:9250")))))))

   This will keep a tor process running that provides a HTTP CONNECT
tunnel which will be used by ‘guix-daemon’.  The daemon can use other
protocols than HTTP(S) to get remote resources, request using those
protocols won’t go through Tor since we are only setting a HTTP tunnel
here.  Note that ‘substitutes-urls’ is using HTTPS and not HTTP or it
won’t work, that’s a limitation of Tor’s tunnel; you may want to use
‘privoxy’ instead to avoid such limitations.

   If you don’t want to always get substitutes through Tor but using it
just some of the times, then skip the ‘guix-configuration’.  When you
want to get a substitute from the Tor tunnel run:

     sudo herd set-http-proxy guix-daemon http://localhost:9250
     guix build \
       --substitute-urls=https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion ...

Message #57 received at 54370-close <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: poiNt_3D <point4d <at> gmail.com>
Cc: 54370-close <at> debbugs.gnu.org, bug-guix <at> gnu.org
Subject: Re: bug#54370: network problem or intentional blocking?
Date: Tue, 07 Feb 2023 16:33:04 +0100

[Message part 1 (text/plain, inline)]

poiNt_3D <point4d <at> gmail.com> writes:

> Hello. I would like to request a clarification on the issue of
> inaccessibility of guix.gnu org from the Russian Federation.  Is the
> blocking intentional or is there some kind of networking problem?

Now that the website is hosted on bayfront, which wasn't changed
specifically to address this, but should do anyway, I'm going to close
this issue.

Things like ci.guix.gnu.org will still be inaccessible, so feel free to
open issues about those if you wish.

Thanks,

Chris

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.