Closed randyqx closed 7 months ago
If you set the extra-tals-dir option, Routinator will pick up all the tal files in that directory. Conversely, the --tal option is only for the bundled TALs – and that’s also what --tal=list will show.

If you start a validation run with debug level at least info (-v once will do the trick), it’ll list the TALs it has actually found:
m@smaug:~/git/routinator$ ./target/release/routinator -v update
[INFO] Using the following TALs:
[INFO] * afrinic
[INFO] * apnic
[INFO] * arin
[INFO] * lacnic
[INFO] * rgnet-testbed
[INFO] * ripe
i added
no-rir-tals = true
extra-tals-dir = "/var/lib/routinator/tals"
to /etc/routinator/routinator.conf

i did systemctl restart routinator.service and checked status
routen8or.rg.net:/var/lib/routinator/tals# routinator -v update
[INFO] Using the following TALs:
[INFO] * afrinic
[INFO] * apnic
[INFO] * arin
[INFO] * lacnic
[INFO] * ripe
[WARN] rsync://rpki.afrinic.net/repository/arin/e9fVVRg6gfgLprfZNoeRJF7Y0z4.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36432B6/0E94184AB75911EDA15F2C90F1222468/e9fVVRg6gfgLprfZNoeRJF7Y0z4.mft found.
[WARN] rsync://rpki.afrinic.net/repository/arin/mxi9dO1YDbl9W9qdlXDKFpcMy8w.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36886B3/5A411F9EB8EF11EDA5B09DDAF1222468/mxi9dO1YDbl9W9qdlXDKFpcMy8w.mft found.
...
we now have a small tree of krills hanging off one testbed krill. want routinator to ONLY use that testbed CA, the TAL of which is in /var/lib/routinator/tals
routen8or.rg.net:/home/randy# ls -l /var/lib/routinator/tals/rgnet-testbed.tal
-rw-r--r-- 1 routinator routinator 462 Mar 29 19:38 /var/lib/routinator/tals/rgnet-testbed.tal
routen8or.rg.net:/home/randy# cat /var/lib/routinator/tals/rgnet-testbed.tal
https://krill.rg.net/ta/ta.cer
rsync://krill.rg.net/ta/ta.cer
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6GVvBHYZnplKtVA0OywJ
ih8tz4i0GcZF2A5YcAk7uN8USj2rWptBavCGozd+KduRWkr5mcHe5vy+BNbNebds
/OaCqahv3TwVF/axa8MDR7DMCkZz/VeVEr4iuz8sOC/KiVYJHxmiY3g7DrzRhKSD
RRyvr4HCQym7XuY+yqw3Z4YxQ/RenTTHfGj87eN424T1TWMZ3YGn5fj9NZI969yp
gNccKOrWdNfNAwABun62g1TW+1NFQIGNEsuBHdzckGWJyZxAbvvXNKFUYaQ4Nlcs
IJtKSv1MLUMcVwbwtNmRYojk0TsVI9FMaBwMIQQ0Y/8QZG/6M8MgIVgYPk3XiPhY
cQIDAQAB
routen8or.rg.net:/home/randy# routinator --extra-tals-dir="/var/lib/routinator/tals" --tal=rgnet-testbed config
repository-dir = "/home/randy/.rpki-cache/repository"
extra-tals-dir = "/var/lib/routinator/tals"
exceptions = []
strict = false
stale = "reject"
unsafe-vrps = "accept"
unknown-objects = "warn"
allow-dubious-hosts = false
disable-rsync = false
rsync-command = "rsync"
rsync-timeout = 300
disable-rrdp = false
rrdp-fallback = "stale"
rrdp-fallback-time = 3600
rrdp-max-delta-count = 100
rrdp-timeout = 300
rrdp-tcp-keepalive = 60
rrdp-root-certs = []
rrdp-proxies = []
max-object-size = 20000000
max-ca-depth = 32
enable-bgpsec = false
dirty = false
validation-threads = 1
refresh = 600
retry = 600
expire = 7200
history-size = 10
rtr-listen = []
rtr-tls-listen = []
http-listen = []
http-tls-listen = []
systemd-listen = false
rtr-tcp-keepalive = 60
rtr-client-metrics = false
log-level = "WARN"
log = "default"
syslog-facility = "daemon"
routen8or.rg.net:/home/randy# grep tals /etc/routinator/routinator.conf
no-rir-tals = true
extra-tals-dir = "/var/lib/routinator/tals"
routen8or.rg.net:/home/randy# routinator --tal=list
.---- RIR TALs
| .- RIR test TALs
V V
X afrinic AFRINIC production TAL
X apnic APNIC production TAL
X arin ARIN production TAL
X lacnic LACNIC production TAL
X ripe RIPE production TAL
X apnic-testbed APNIC RPKI Testbed
X arin-ote ARIN Operational Test and Evaluation Environment
X ripe-pilot RIPE NCC RPKI Test Environment
nlnetlabs-testbed NLnet Labs RPKI Testbed
routen8or.rg.net:/home/randy# routinator -v update
[INFO] Using the following TALs:
[INFO] * afrinic
[INFO] * apnic
[INFO] * arin
[INFO] * lacnic
[INFO] * ripe
[WARN] rsync://rpki.afrinic.net/repository/arin/e9fVVRg6gfgLprfZNoeRJF7Y0z4.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36432B6/0E94184AB75911EDA15F2C90F1222468/e9fVVRg6gfgLprfZNoeRJF7Y0z4.mft found.
[WARN] rsync://rpki.afrinic.net/repository/arin/mxi9dO1YDbl9W9qdlXDKFpcMy8w.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36886B3/5A411F9EB8EF11EDA5B09DDAF1222468/mxi9dO1YDbl9W9qdlXDKFpcMy8w.mft found.
i recant. the routinator -v update lies. if i actually use the routinator GUI, only the testbed krills show in the "Repositories" tab.
It doesn’t quite lie, just misleads. The default config if you don’t specify one is $HOME/.routinator.conf. The binary packages are specifically set up to use /etc/routinator/routinator.conf. We can’t really use that as a default since as a normal user you can’t write to /var/lib/routinator, so everything would fail.

This keeps tripping up people so we need to come up with some solution, but the options are all kind of bad.

Oh, and the config command doesn’t configure Routinator, it only prints the configuration it would use with the given options. You will have to repeat the options you’ve given to config when running update or anything else.
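As an added check (not from this thread and not part of Routinator itself): a small POSIX shell script that parses the TAL list that routinator -v update prints and reports any production RIR TAL still loaded even though the config being checked says no-rir-tals = true. The sample config and log text are constructed from the lines quoted in this thread; the URL in the [WARN] line is a placeholder.

```shell
#!/bin/sh
# Added check, not from the thread or from Routinator itself: parse the TAL
# list that `routinator -v update` logs and make sure it agrees with the
# config's no-rir-tals setting.

# Constructed sample config, mirroring the two lines quoted in the thread.
SAMPLE_CONF='no-rir-tals = true
extra-tals-dir = "/var/lib/routinator/tals"'

# Constructed sample log: the "Using the following TALs" block as it appears
# when the five production RIR TALs are still loaded (placeholder URL).
LOG_RIR='[INFO] Using the following TALs:
[INFO] * afrinic
[INFO] * apnic
[INFO] * arin
[INFO] * lacnic
[INFO] * ripe
[WARN] rsync://example.invalid/repo/x.cer: no valid manifest found.'

# Constructed sample log for the intended state: only the testbed TAL.
LOG_TESTBED='[INFO] Using the following TALs:
[INFO] * rgnet-testbed'

# Print the TAL names Routinator reports, one per line.
tals_in_use() {
    printf '%s\n' "$1" | sed -n 's/^\[INFO\] \* //p'
}

# Exit 0 when the log agrees with the config. If no-rir-tals is true, none of
# the five production RIR TALs may appear in the log; otherwise nothing to check.
check_tals() {
    conf="$1"
    log="$2"
    if ! printf '%s\n' "$conf" | grep -Eq '^no-rir-tals[[:space:]]*=[[:space:]]*true'; then
        return 0
    fi
    bad=$(tals_in_use "$log" | grep -Ex 'afrinic|apnic|arin|lacnic|ripe' || true)
    if [ -n "$bad" ]; then
        echo "RIR TALs still in use despite no-rir-tals = true:" $bad >&2
        return 1
    fi
    return 0
}

# Stand-alone run: the first check reports a mismatch, the second passes.
check_tals "$SAMPLE_CONF" "$LOG_RIR" || echo "check 1: mismatch detected (expected)"
check_tals "$SAMPLE_CONF" "$LOG_TESTBED" && echo "check 2: config and log agree"
```

Feed it the log of a run that uses the service's config file (routinator -c /etc/routinator/routinator.conf -v update), since a bare routinator -v update run as a normal user reads $HOME/.routinator.conf instead.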
my ill-informed guess is that 90.42% of folk who run routinator have root.

i would hope that
# grep tal /etc/routinator/routinator.conf
no-rir-tals = true
extra-tals-dir = "/var/lib/routinator/tals"
would keep the puppy from running around the whole world. but systemctl status routinator tells me otherwise
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: RRDP https://feo.tla.org/rr>
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: rsync://krill.rg.net/repo/t>
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: RRDP https://orca.rg.net/rr>
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: RRDP https://feo.tla.org/rr>
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: rsync://krill.rg.net/repo/t>
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: RRDP https://orca.rg.net/rr>
Unless your CA points to these places, this shouldn’t happen. Unfortunately, I cannot now test as your CA seems to be down.
Debian 12 on amd64
routen8or.rg.net:/var/lib/routinator/tals# routinator --version
Routinator 0.13.1