NLnetLabs / routinator

An RPKI Validator and RTR server written in Rust
https://nlnetlabs.nl/projects/routing/routinator/
BSD 3-Clause "New" or "Revised" License

can not add testbed tal #948

Closed randyqx closed 7 months ago

randyqx commented 7 months ago

Debian 12 on amd64

routen8or.rg.net:/var/lib/routinator/tals# routinator --version
Routinator 0.13.1

routen8or.rg.net:/var/lib/routinator/tals# cat rgnet-testbed.tal
https://krill.rg.net/ta/ta.cer
rsync://krill.rg.net/ta/ta.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwKWT79sQ8B+p2gRHVaxF
KMrAnUl4sR9vLzL8T1zDGNlQsHo3vC8Md95FPGNPPRTcyqYVBnbv6WxpnShwWdg/
fobWOAQaDTxj6GfgoPT/1dgx0OM0vhiez7mw82H3bmngHp5G7XQ8Db9xuiW37l5W
chrvJN6RLvX4oPdY0VxkZ1kvvT9sRKuqX/bxU1VBHevY2J2QSvKkMPUQeoA9IcNe
IyKJZOCCfoXjrWPJ8dedq5qX/l3UoQ8KHp9Yl0VT9y4Eij5r6XXb/94z6GQfrK7D
bjysNeJUYeUzdYCakPnsP/DrQmbVH2SN8ScpMf/XuvNZ1yeXCAqKeF0t88CLoglA
oQIDAQAB

routen8or.rg.net:/var/lib/routinator/tals# routinator --extra-tals-dir="/var/lib/routinator/tals"  --tal=rgnet-testbed  config
repository-dir = "/home/randy/.rpki-cache/repository"
extra-tals-dir = "/var/lib/routinator/tals"
exceptions = []
strict = false
stale = "reject"
unsafe-vrps = "accept"
unknown-objects = "warn"
allow-dubious-hosts = false
disable-rsync = false
rsync-command = "rsync"
rsync-timeout = 300
disable-rrdp = false
rrdp-fallback = "stale"
rrdp-fallback-time = 3600
rrdp-max-delta-count = 100
rrdp-timeout = 300
rrdp-tcp-keepalive = 60
rrdp-root-certs = []
rrdp-proxies = []
max-object-size = 20000000
max-ca-depth = 32
enable-bgpsec = false
dirty = false
validation-threads = 1
refresh = 600
retry = 600
expire = 7200
history-size = 10
rtr-listen = []
rtr-tls-listen = []
http-listen = []
http-tls-listen = []
systemd-listen = false
rtr-tcp-keepalive = 60
rtr-client-metrics = false
log-level = "WARN"
log = "default"
syslog-facility = "daemon"

routen8or.rg.net:/var/lib/routinator/tals# routinator --tal=list
 .---- RIR TALs
 |  .- RIR test TALs
 V  V

 X      afrinic             AFRINIC production TAL
 X      apnic               APNIC production TAL
 X      arin                ARIN production TAL
 X      lacnic              LACNIC production TAL
 X      ripe                RIPE production TAL
    X   apnic-testbed       APNIC RPKI Testbed
    X   arin-ote            ARIN Operational Test and Evaluation Environment
    X   ripe-pilot          RIPE NCC RPKI Test Environment
        nlnetlabs-testbed   NLnet Labs RPKI Testbed

partim commented 7 months ago

If you set the extra-tals-dir option, Routinator will pick up all the tal files in that directory. Conversely, the --tal option is only for the bundled TALs – and that’s also what --tal=list will show.

If you start a validation run with debug level at least info (-v once will do the trick), it’ll list the TALs it has actually found:

m@smaug:~/git/routinator$ ./target/release/routinator -v update
[INFO] Using the following TALs:
[INFO]   * afrinic
[INFO]   * apnic
[INFO]   * arin
[INFO]   * lacnic
[INFO]   * rgnet-testbed
[INFO]   * ripe
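As an added example (not code from the thread or from Routinator itself), a small Python checker for the TAL format shown above: one or more URI lines, a blank line, then the base64 SubjectPublicKeyInfo. It decodes the key just far enough to confirm it is an RSA key and report the modulus size, which catches a truncated or mis-pasted TAL before pointing extra-tals-dir at it; treating lines that start with '#' as comments is an assumption, and the sample input is the rgnet-testbed.tal from the first comment.

```python
import base64

# DER of AlgorithmIdentifier { rsaEncryption, NULL }; RFC 7935 requires RSA here.
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")

def _tlv(der, pos):
    """Read one DER tag/length at pos -> (tag, content_start, content_end)."""
    tag, n, pos = der[pos], der[pos + 1], pos + 2
    if n & 0x80:                                     # long form: next k bytes hold length
        k = n & 0x7F
        n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def parse_tal(text):
    """Parse a TAL: URI lines, a blank line, then base64 SubjectPublicKeyInfo."""
    lines = [ln.strip() for ln in text.splitlines() if not ln.startswith("#")]  # '#' comments assumed
    if "" not in lines or lines.index("") == 0:
        raise ValueError("TAL needs one or more URI lines followed by a blank line")
    sep = lines.index("")
    uris = lines[:sep]
    for u in uris:
        if not u.startswith(("rsync://", "https://")):
            raise ValueError(f"unsupported TA certificate URI scheme: {u}")
    der = base64.b64decode("".join(lines[sep + 1:]), validate=True)
    tag, start, end = _tlv(der, 0)                   # outer SubjectPublicKeyInfo
    if tag != 0x30 or end != len(der):
        raise ValueError("key is not a single DER SEQUENCE")
    alg_end = _tlv(der, start)[2]                    # AlgorithmIdentifier
    if der[start:alg_end] != RSA_ALGID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(der, alg_end)                # BIT STRING holding RSAPublicKey
    if tag != 0x03 or der[bits] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    pk = _tlv(der, bits + 1)[1]                      # RSAPublicKey SEQUENCE content
    _, m_start, m_end = _tlv(der, pk)                # modulus INTEGER
    modulus = der[m_start:m_end].lstrip(b"\x00")
    return {"uris": uris, "key_der": der, "modulus_bits": len(modulus) * 8}

# The rgnet-testbed.tal posted in the first comment of this thread.
SAMPLE_TAL = """https://krill.rg.net/ta/ta.cer
rsync://krill.rg.net/ta/ta.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwKWT79sQ8B+p2gRHVaxF
KMrAnUl4sR9vLzL8T1zDGNlQsHo3vC8Md95FPGNPPRTcyqYVBnbv6WxpnShwWdg/
fobWOAQaDTxj6GfgoPT/1dgx0OM0vhiez7mw82H3bmngHp5G7XQ8Db9xuiW37l5W
chrvJN6RLvX4oPdY0VxkZ1kvvT9sRKuqX/bxU1VBHevY2J2QSvKkMPUQeoA9IcNe
IyKJZOCCfoXjrWPJ8dedq5qX/l3UoQ8KHp9Yl0VT9y4Eij5r6XXb/94z6GQfrK7D
bjysNeJUYeUzdYCakPnsP/DrQmbVH2SN8ScpMf/XuvNZ1yeXCAqKeF0t88CLoglA
oQIDAQAB
"""
```

Running parse_tal(SAMPLE_TAL) returns both URIs and a 2048-bit modulus; a file that fails these checks is one Routinator would also refuse or silently skip, so run it over every file in extra-tals-dir after editing them.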

randyqx commented 7 months ago

I added

no-rir-tals = true
extra-tals-dir = "/var/lib/routinator/tals"

to /etc/routinator/routinator.conf

I did systemctl restart routinator.service and checked the status:

routen8or.rg.net:/var/lib/routinator/tals# routinator -v update
[INFO] Using the following TALs:
[INFO]   * afrinic
[INFO]   * apnic
[INFO]   * arin
[INFO]   * lacnic
[INFO]   * ripe
[WARN] rsync://rpki.afrinic.net/repository/arin/e9fVVRg6gfgLprfZNoeRJF7Y0z4.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36432B6/0E94184AB75911EDA15F2C90F1222468/e9fVVRg6gfgLprfZNoeRJF7Y0z4.mft found.
[WARN] rsync://rpki.afrinic.net/repository/arin/mxi9dO1YDbl9W9qdlXDKFpcMy8w.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36886B3/5A411F9EB8EF11EDA5B09DDAF1222468/mxi9dO1YDbl9W9qdlXDKFpcMy8w.mft found.
...

randyqx commented 7 months ago

We now have a small tree of Krills hanging off one testbed Krill. I want Routinator to ONLY use that testbed CA, the TAL of which is in /var/lib/routinator/tals.

routen8or.rg.net:/home/randy# ls -l /var/lib/routinator/tals/rgnet-testbed.tal
-rw-r--r-- 1 routinator routinator 462 Mar 29 19:38 /var/lib/routinator/tals/rgnet-testbed.tal

routen8or.rg.net:/home/randy# cat /var/lib/routinator/tals/rgnet-testbed.tal 
https://krill.rg.net/ta/ta.cer
rsync://krill.rg.net/ta/ta.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6GVvBHYZnplKtVA0OywJ
ih8tz4i0GcZF2A5YcAk7uN8USj2rWptBavCGozd+KduRWkr5mcHe5vy+BNbNebds
/OaCqahv3TwVF/axa8MDR7DMCkZz/VeVEr4iuz8sOC/KiVYJHxmiY3g7DrzRhKSD
RRyvr4HCQym7XuY+yqw3Z4YxQ/RenTTHfGj87eN424T1TWMZ3YGn5fj9NZI969yp
gNccKOrWdNfNAwABun62g1TW+1NFQIGNEsuBHdzckGWJyZxAbvvXNKFUYaQ4Nlcs
IJtKSv1MLUMcVwbwtNmRYojk0TsVI9FMaBwMIQQ0Y/8QZG/6M8MgIVgYPk3XiPhY
cQIDAQAB

routen8or.rg.net:/home/randy# routinator --extra-tals-dir="/var/lib/routinator/tals"  --tal=rgnet-testbed  config
repository-dir = "/home/randy/.rpki-cache/repository"
extra-tals-dir = "/var/lib/routinator/tals"
exceptions = []
strict = false
stale = "reject"
unsafe-vrps = "accept"
unknown-objects = "warn"
allow-dubious-hosts = false
disable-rsync = false
rsync-command = "rsync"
rsync-timeout = 300
disable-rrdp = false
rrdp-fallback = "stale"
rrdp-fallback-time = 3600
rrdp-max-delta-count = 100
rrdp-timeout = 300
rrdp-tcp-keepalive = 60
rrdp-root-certs = []
rrdp-proxies = []
max-object-size = 20000000
max-ca-depth = 32
enable-bgpsec = false
dirty = false
validation-threads = 1
refresh = 600
retry = 600
expire = 7200
history-size = 10
rtr-listen = []
rtr-tls-listen = []
http-listen = []
http-tls-listen = []
systemd-listen = false
rtr-tcp-keepalive = 60
rtr-client-metrics = false
log-level = "WARN"
log = "default"
syslog-facility = "daemon"

routen8or.rg.net:/home/randy# grep tals /etc/routinator/routinator.conf
no-rir-tals = true
extra-tals-dir = "/var/lib/routinator/tals"

routen8or.rg.net:/home/randy# routinator --tal=list
 .---- RIR TALs
 |  .- RIR test TALs
 V  V

 X      afrinic             AFRINIC production TAL
 X      apnic               APNIC production TAL
 X      arin                ARIN production TAL
 X      lacnic              LACNIC production TAL
 X      ripe                RIPE production TAL
    X   apnic-testbed       APNIC RPKI Testbed
    X   arin-ote            ARIN Operational Test and Evaluation Environment
    X   ripe-pilot          RIPE NCC RPKI Test Environment
        nlnetlabs-testbed   NLnet Labs RPKI Testbed

routen8or.rg.net:/home/randy# routinator -v update
[INFO] Using the following TALs:
[INFO]   * afrinic
[INFO]   * apnic
[INFO]   * arin
[INFO]   * lacnic
[INFO]   * ripe
[WARN] rsync://rpki.afrinic.net/repository/arin/e9fVVRg6gfgLprfZNoeRJF7Y0z4.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36432B6/0E94184AB75911EDA15F2C90F1222468/e9fVVRg6gfgLprfZNoeRJF7Y0z4.mft found.
[WARN] rsync://rpki.afrinic.net/repository/arin/mxi9dO1YDbl9W9qdlXDKFpcMy8w.cer: no valid manifest rsync://rpki.afrinic.net/repository/member_repository/F36886B3/5A411F9EB8EF11EDA5B09DDAF1222468/mxi9dO1YDbl9W9qdlXDKFpcMy8w.mft found.

randyqx commented 7 months ago

I recant. The routinator -v update lies. If I actually use the Routinator GUI, only the testbed Krills show in the "Repositories" tab.

partim commented 7 months ago

It doesn’t quite lie, it just misleads. The default config if you don’t specify one is $HOME/.routinator.conf. The binary packages are specifically set up to use /etc/routinator/routinator.conf. We can’t really use that as a default since as a normal user you can’t write to /var/lib/routinator, so everything would fail.

This keeps tripping up people so we need to come up with some solution, but the options are all kind of bad.

partim commented 7 months ago

Oh, and the config command doesn’t configure Routinator, it only prints the configuration it would use with the given options. You will have to repeat the options you’ve given to config when running update or anything else.

randyqx commented 7 months ago

My ill-informed guess is that 90.42% of folk who run routinator have root.

I would hope that

# grep tal /etc/routinator/routinator.conf
no-rir-tals = true
extra-tals-dir = "/var/lib/routinator/tals"

would keep the puppy from running around the whole world. But systemctl status routinator tells me otherwise:

Mar 30 19:30:39 routen8or.rg.net routinator[12746]: RRDP https://feo.tla.org/rr>
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: rsync://krill.rg.net/repo/t>
Mar 30 19:30:39 routen8or.rg.net routinator[12746]: RRDP https://orca.rg.net/rr>
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: RRDP https://feo.tla.org/rr>
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: rsync://feo.tla.org/repo/: >
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: rsync://krill.rg.net/repo/t>
Mar 30 19:40:40 routen8or.rg.net routinator[12746]: RRDP https://orca.rg.net/rr>

partim commented 7 months ago

Unless your CA points to these places, this shouldn’t happen. Unfortunately, I cannot now test as your CA seems to be down.