{"id":51300173,"url":"https://github.com/4q4r/arti-docker","last_synced_at":"2026-06-30T18:32:51.976Z","repository":{"id":341563175,"uuid":"1170572670","full_name":"4q4r/arti-docker","owner":"4q4r","description":"🐳 Production-ready Docker image for Arti (Rust Tor client). Fully static binary, distroless runtime, non-root, multi-arch (amd64/arm64). Auto-updated from upstream releases.","archived":false,"fork":false,"pushed_at":"2026-03-11T04:16:02.000Z","size":72,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-13T01:33:14.116Z","etag":null,"topics":["anonymity","arti","container","distroless","dns-proxy","docker","docker-image","dockerfile","hidden-services","multi-arch","onion-services","privacy","rust","security","socks5","socks5-proxy","static-binary","tor","tor-client","tor-proxy"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/4q4r.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-02T09:20:54.000Z","updated_at":"2026-03-11T04:16:06.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/4q4r/arti-docker","commit_stats":null,"previous_names":["an0nx/arti-docker","4q4r/arti-docker"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/4q4r/arti-docker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4q4r%2Farti-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4q4r%2Farti-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4q4r%2Farti-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4q4r%2Farti-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/4q4r","download_url":"https://codeload.github.com/4q4r/arti-docker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/4q4r%2Farti-docker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34979577,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-30T02:00:05.919Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anonymity","arti","container","distroless","dns-proxy","docker","docker-image","dockerfile","hidden-services","multi-arch","onion-services","privacy","rust","security","socks5","socks5-proxy","static-binary","tor","tor-client","tor-proxy"],"created_at":"2026-06-30T18:32:51.463Z","updated_at":"2026-06-30T18:32:51.967Z","avatar_url":"https://github.com/4q4r.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🐳 arti-docker\n\n[![Docker Image Size](https://img.shields.io/docker/image-size/whn0thacked/arti-docker?style=flat-square\u0026logo=docker\u0026color=blue)](https://hub.docker.com/r/whn0thacked/arti-docker)\n[![Docker Pulls](https://img.shields.io/docker/pulls/whn0thacked/arti-docker?style=flat-square\u0026logo=docker)](https://hub.docker.com/r/whn0thacked/arti-docker)\n[![Architecture](https://img.shields.io/badge/arch-amd64%20%7C%20arm64-important?style=flat-square)](#)\n[![Security: non-root](https://img.shields.io/badge/security-non--root-success?style=flat-square)](#)\n[![Base Image](https://img.shields.io/badge/base-distroless%2Fstatic%3Anonroot-blue?style=flat-square)](https://github.com/GoogleContainerTools/distroless)\n[![Upstream](https://img.shields.io/badge/upstream-Arti%20(Tor%20Project)-7D4698?style=flat-square)](https://gitlab.torproject.org/tpo/core/arti)\n\nA minimal, secure, and production-oriented Docker image for **Arti** — a complete rewrite of the Tor client in **Rust**, developed by [The Tor Project](https://www.torproject.org/).\n\nBuilt as a **fully static** binary with **all features enabled** and shipped in a **distroless** runtime image, running as **non-root** by default.\n\n---\n\n## ✨ Features\n\n- **🔐 Secure by default:** Distroless runtime + non-root user + static binary.\n- **🏗 Multi-arch:** Supports `amd64` and `arm64`.\n- **📦 Fully static binary:** Built for `gcr.io/distroless/static:nonroot` — no libc, no dynamic linker.\n- **🌐 Full-featured:** Built with `--all-features` — SOCKS proxy, DNS resolver, onion services (client \u0026 server), pluggable transports, RPC, key management.\n- **🧾 Config-driven:** Mount a TOML config or configure entirely via CLI flags.\n- **🔄 Auto-updated:** CI checks for new upstream commits every hour and rebuilds automatically.\n- **🧰 Build-time pinning:** Upstream repo/ref are configurable via build args.\n\n---\n\n## ⚠️ Important Notice\n\nArti is a Tor client. Using Tor may be restricted, monitored, or illegal depending on your jurisdiction. Operating Tor relays, bridges, or onion services carries additional legal and operational considerations.\n\n**You are responsible for compliance with local laws** and for safe deployment (firewalling, access control, logging, monitoring).\n\nArti is under **active development** by The Tor Project. While functional, it may not yet have full feature parity with the C Tor implementation. Check the [upstream status](https://gitlab.torproject.org/tpo/core/arti) before production use.\n\n---\n\n## 🚀 Quick Start\n\n### Docker Compose (recommended)\n\nCreate `docker-compose.yml`:\n\n```yaml\nservices:\n  arti:\n    image: whn0thacked/arti-docker:latest\n    container_name: arti\n    restart: unless-stopped\n    environment:\n      RUST_LOG: \"info\"\n    ports:\n      - \"127.0.0.1:9050:9050/tcp\"\n      # - \"127.0.0.1:9053:9053/tcp\"\n      # - \"127.0.0.1:9053:9053/udp\"\n    volumes:\n      - arti-data:/tmp/arti\n    tmpfs:\n      - /tmp:rw,nosuid,nodev,noexec,size=16m\n    security_opt:\n      - no-new-privileges:true\n    cap_drop:\n      - ALL\n    deploy:\n      resources:\n        limits:\n          cpus: \"1.0\"\n          memory: 512M\n        reservations:\n          cpus: \"0.1\"\n          memory: 128M\n    logging:\n      driver: json-file\n      options:\n        max-size: \"10m\"\n        max-file: \"5\"\n        compress: \"true\"\n    stop_grace_period: 30s\n\nvolumes:\n  arti-data:\n```\n\n```bash\ndocker compose up -d\n```\n\nVerify:\n\n```bash\ncurl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip\n# {\"IsTor\":true,\"IP\":\"xxx.xxx.xxx.xxx\"}\n```\n\n### Docker Run (one-liner)\n\n```bash\ndocker run -d --name arti \\\n  -p 127.0.0.1:9050:9050 \\\n  -v arti-data:/var/lib/arti \\\n  --read-only --tmpfs /tmp:rw,nosuid,nodev,noexec,size=64m \\\n  --security-opt no-new-privileges:true --cap-drop ALL \\\n  --memory 512m --cpus 1.0 \\\n  --restart unless-stopped \\\n  whn0thacked/arti-docker:latest\n```\n\n---\n\n## ⚙️ Configuration Reference\n\n### Environment Variables\n\n| Variable | Required | Default | Description |\n|---|:---:|---|---|\n| `RUST_LOG` | No | `info` (built-in) | Log level filter. Supports per-module granularity. |\n\n**`RUST_LOG` examples:**\n\n| Value | Effect |\n|---|---|\n| `info` | Default — recommended for production |\n| `debug` | Verbose — troubleshooting |\n| `warn` | Quiet — only problems |\n| `arti=debug,tor_proto=info` | Per-module granularity |\n| `trace` | Extreme verbosity (development only) |\n\n### CLI Parameters (Global)\n\n| Parameter | Short | Description |\n|---|---|---|\n| `--config FILE` | `-c` | Load configuration from file. Can be specified multiple times. |\n| `--option KEY=VALUE` | `-o` | Override config values using TOML syntax. Can be specified multiple times. |\n| `--log-level LEVEL` | `-l` | Override log level (`trace`, `debug`, `info`, `warn`, `error`). |\n| `--disable-fs-permission-checks` | — | Disable filesystem permission checks (enabled by default in this image). |\n\n### CLI Parameters (`proxy` subcommand)\n\n| Parameter | Short | Description |\n|---|---|---|\n| `--socks-port PORT` | `-p` | Override SOCKS listen port (default: `9050`). |\n| `--dns-port PORT` | — | Override DNS listen port (default: `9053`). |\n\n### Subcommands\n\n| Subcommand | Description |\n|---|---|\n| `proxy` | Run the SOCKS/DNS proxy **(default)**. |\n| `keys list` | List all keys. |\n| `keys list-keystores` | List key storage backends. |\n| `keys check-integrity` | Verify key integrity. |\n| `hsc key get` | Get onion service key. |\n| `hsc key list` | List onion service keys. |\n| `hss` | Hidden service server operations. |\n\n### Ports\n\n| Port | Protocol | Purpose |\n|---:|---|---|\n| `9050` | TCP | SOCKS5 proxy — main Tor entry point. |\n| `9053` | TCP/UDP | DNS resolver — anonymized DNS queries over Tor. |\n| `9150` | TCP | Alternative SOCKS5 port (Tor Browser convention). |\n\n### Volumes\n\n| Container Path | Purpose | Backup |\n|---|---|---|\n| `/var/lib/arti` | Persistent state: consensus cache, descriptors, guard state. Safe to delete — re-bootstraps in 30s–2min. | Optional |\n| `/var/lib/arti/keys` | Cryptographic keys: onion service identity, client auth. **Losing = losing .onion address.** | **Critical** |\n| `/etc/arti.toml` | Configuration file (optional — mount from host as read-only). | Optional |\n\n---\n\n## 🧠 Container Behavior\n\n- **ENTRYPOINT:** `/usr/local/bin/arti`\n- **CMD (default):**\n\n```text\nproxy --disable-fs-permission-checks \\\n  -o \"proxy.socks_listen=[\\\"0.0.0.0:9050\\\"]\" \\\n  -o \"proxy.dns_listen=[\\\"0.0.0.0:9053\\\"]\"\n```\n\nThe container runs a SOCKS5 proxy on `9050` and a DNS resolver on `9053`, listening on all interfaces inside the container.\n\nOverride by passing your own arguments:\n\n```bash\ndocker run ... whn0thacked/arti-docker:latest proxy -c /etc/arti.toml\ndocker run ... whn0thacked/arti-docker:latest proxy --socks-port 1080\ndocker run ... whn0thacked/arti-docker:latest keys list\n```\n\n---\n\n## 📝 Advanced Usage\n\n### Custom config file\n\n```bash\ndocker run -d --name arti \\\n  -p 127.0.0.1:9050:9050 \\\n  -v ./arti.toml:/etc/arti.toml:ro \\\n  -v arti-data:/var/lib/arti \\\n  --read-only --tmpfs /tmp:rw,nosuid,nodev,noexec,size=64m \\\n  --security-opt no-new-privileges:true --cap-drop ALL \\\n  whn0thacked/arti-docker:latest \\\n  proxy --disable-fs-permission-checks -c /etc/arti.toml\n```\n\n### CLI overrides (no config file needed)\n\n```bash\ndocker run -d --name arti \\\n  -p 127.0.0.1:9050:9050 \\\n  -p 127.0.0.1:9053:9053 \\\n  whn0thacked/arti-docker:latest \\\n  proxy \\\n  --disable-fs-permission-checks \\\n  -o 'proxy.socks_listen=[\"0.0.0.0:9050\"]' \\\n  -o 'proxy.dns_listen=[\"0.0.0.0:9053\"]' \\\n  -l debug\n```\n\n### DNS resolution over Tor\n\n```bash\n# Enable DNS port in compose or docker run:\n# -p 127.0.0.1:9053:9053/tcp -p 127.0.0.1:9053:9053/udp\n\ndig @127.0.0.1 -p 9053 torproject.org\nnslookup torproject.org 127.0.0.1 -port=9053\n```\n\n### Use with applications\n\n```bash\n# curl\ncurl --socks5-hostname 127.0.0.1:9050 https://example.onion\n\n# Environment variable (works with many apps)\nALL_PROXY=socks5h://127.0.0.1:9050 curl https://check.torproject.org/api/ip\n\n# proxychains\necho \"socks5 127.0.0.1 9050\" \u003e\u003e /etc/proxychains.conf\nproxychains curl https://check.torproject.org/api/ip\n\n# Firefox: Settings → Network → Manual Proxy → SOCKS Host: 127.0.0.1:9050\n# ✅ Check \"Proxy DNS when using SOCKS v5\"\n```\n\n---\n\n## 🧅 Onion Services\n\n### Running an onion service\n\nCreate `arti.toml` with onion service config (see [upstream docs](https://tpo.pages.torproject.net/core/arti/)):\n\n```bash\ndocker run -d --name arti-hs \\\n  -v ./arti.toml:/etc/arti.toml:ro \\\n  -v arti-keys:/var/lib/arti/keys \\\n  -v arti-data:/var/lib/arti \\\n  --read-only --tmpfs /tmp:rw,nosuid,nodev,noexec,size=64m \\\n  --security-opt no-new-privileges:true --cap-drop ALL \\\n  whn0thacked/arti-docker:latest \\\n  proxy --disable-fs-permission-checks -c /etc/arti.toml\n```\n\n### Key management\n\n```bash\ndocker run --rm whn0thacked/arti-docker:latest keys list\ndocker run --rm whn0thacked/arti-docker:latest keys list-keystores\ndocker run --rm whn0thacked/arti-docker:latest keys check-integrity\n\n# With mounted keys volume:\ndocker run --rm -v arti-keys:/var/lib/arti/keys:ro \\\n  whn0thacked/arti-docker:latest hsc key list\n```\n\n---\n\n## 🛡️ Security Hardening\n\nThis image applies the following hardening measures:\n\n| Measure | Description |\n|---|---|\n| **Distroless base** | No shell, no package manager, no utilities — minimal attack surface |\n| **Non-root** | Runs as UID 65534 (`nonroot`) |\n| **Static binary** | No dynamic linker, no shared libraries |\n| **Read-only FS** | Root filesystem is read-only; `/tmp` via tmpfs |\n| **No capabilities** | All Linux capabilities dropped (`cap_drop: ALL`) |\n| **No privilege escalation** | `no-new-privileges` prevents setuid/setgid abuse |\n| **Resource limits** | CPU and memory limits prevent DoS |\n| **Log rotation** | Prevents disk exhaustion |\n| **SIGINT shutdown** | Graceful shutdown via `STOPSIGNAL SIGINT` |\n| **Localhost binding** | Ports bound to `127.0.0.1` by default in examples |\n\n---\n\n## 🛠 Build\n\nThis Dockerfile supports pinning upstream Arti source:\n\n- `ARTI_REPO` (default: `https://gitlab.torproject.org/tpo/core/arti.git`)\n- `ARTI_REF` (default: `main`)\n\n### Multi-arch build\n\n```bash\ndocker buildx build \\\n  --platform linux/amd64,linux/arm64 \\\n  -t whn0thacked/arti-docker:latest \\\n  --push .\n```\n\n### Build a specific commit\n\n```bash\ndocker buildx build \\\n  --build-arg ARTI_REF=ba4163ed943a67cd8a55f7291797fb22a788f950 \\\n  -t whn0thacked/arti-docker:dev \\\n  --push .\n```\n\n### Local test build\n\n```bash\ndocker buildx build --load -t arti:test .\ndocker run --rm arti:test --version\n```\n\n\u003e **Note:** First build takes **15–40 minutes** due to LTO, `build-std`, and all features. Subsequent builds are faster thanks to BuildKit cache.\n\n---\n\n## 🔗 Useful Links\n\n- **Arti upstream:** https://gitlab.torproject.org/tpo/core/arti\n- **Arti documentation:** https://tpo.pages.torproject.net/core/arti/\n- **Arti example config:** https://gitlab.torproject.org/tpo/core/arti/-/raw/main/crates/arti/src/arti-example-config.toml\n- **Tor Project:** https://www.torproject.org/\n- **Distroless images:** https://github.com/GoogleContainerTools/distroless\n\n---\n\n## 📄 License\n\nThis Dockerfile, CI pipeline, and associated documentation are licensed under the [GNU General Public License v3.0](https://www.gnu.org/licenses/gpl-3.0.html).\n\nArti itself is licensed under **MIT OR Apache-2.0** by [The Tor Project](https://www.torproject.org/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F4q4r%2Farti-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F4q4r%2Farti-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F4q4r%2Farti-docker/lists"}