NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0

Import delegated ca 1133 #1136

Closed timbru closed 11 months ago

timbru commented 12 months ago

Note that this extends the API with functions to export (for testing) and, more importantly, import a delegated child from another CA. However, the CLI was not extended - the expectation is that this is only needed in specific one-off migration scenarios, so it seems not worth complicating the CLI.

Koenvh1 commented 12 months ago

Every once in a while (~1 out of 5 times) the test seems to fail.

thread 'functional_delegated_ca_import' panicked at 'assertion failed: ca_contains_resources(&child, &child_res_2).await', tests/functional_delegated_ca_import.rs:82:5
stack backtrace:
   0: rust_begin_unwind
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/std/src/panicking.rs:593:5
   1: core::panicking::panic_fmt
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/panicking.rs:67:14
   2: core::panicking::panic
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/panicking.rs:117:5
   3: functional_delegated_ca_import::functional_delegated_ca_import::{{closure}}
             at ./tests/functional_delegated_ca_import.rs:82:5
   4: <core::pin::Pin<P> as core::future::future::Future>::poll
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/future/future.rs:125:9
   5: <core::pin::Pin<P> as core::future::future::Future>::poll
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/future/future.rs:125:9
   6: tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}::{{closure}}
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:541:57
   7: tokio::runtime::coop::with_budget
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/coop.rs:107:5
   8: tokio::runtime::coop::budget
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/coop.rs:73:5
   9: tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:541:25
  10: tokio::runtime::scheduler::current_thread::Context::enter
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:350:19
  11: tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:540:36
  12: tokio::runtime::scheduler::current_thread::CoreGuard::enter::{{closure}}
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:615:57
  13: tokio::macros::scoped_tls::ScopedKey<T>::set
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/macros/scoped_tls.rs:61:9
  14: tokio::runtime::scheduler::current_thread::CoreGuard::enter
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:615:27
  15: tokio::runtime::scheduler::current_thread::CoreGuard::block_on
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:530:19
  16: tokio::runtime::scheduler::current_thread::CurrentThread::block_on
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/scheduler/current_thread.rs:154:24
  17: tokio::runtime::runtime::Runtime::block_on
             at /home/koen/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.27.0/src/runtime/runtime.rs:302:47
  18: functional_delegated_ca_import::functional_delegated_ca_import
             at ./tests/functional_delegated_ca_import.rs:85:5
  19: functional_delegated_ca_import::functional_delegated_ca_import::{{closure}}
             at ./tests/functional_delegated_ca_import.rs:25:43
  20: core::ops::function::FnOnce::call_once
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/ops/function.rs:250:5
  21: core::ops::function::FnOnce::call_once
             at /rustc/eb26296b556cef10fb713a38f3d16b9886080f26/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
test functional_delegated_ca_import ... FAILED

failures:

failures:
    functional_delegated_ca_import

Still looking into why exactly, but as it seems to be something with removing the residual files it is probably not related to the actual functionality.

timbru commented 12 months ago

It feels like the CI environment is too slow somehow. It all works consistently on my laptop. I saw a log entry saying that the child thought it did not need to request a new certificate because resources had not changed. After trying to trigger re-syncing in a loop (which seems to cause another error in the test environment), I have now added a short delay between updating the resources for the child and telling the child to sync. Hopefully that works here.

timbru commented 12 months ago

Ok, so running two concurrent servers was too much for the CI environment and does not play well with using pkcs11 and softhsm.