dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

roa created in gui not making it to routers #299

Closed sraustein closed 12 years ago

sraustein commented 12 years ago

using the gui, i created a roa for 98.128.1.0 to asn 3130. it is not getting to the routers which are serving off 198.180.150.1 (srv0)

this is a show-stopper for class in 18 hours

Trac ticket #283 component rpkid priority blocker, owner sra, created by randy on 2012-08-24T11:42:28Z, last modified 2012-08-25T00:44:31Z

sraustein commented 12 years ago

{{{ Aug 24 12:54:34 work0 rpkid[55792]: Found existing <rpki.rpkid.roa_obj {labuser01} 3130 98.128.1.0/24> }}}

{{{
work0.psg.com:/root# find_roa /usr/local/var/rpki/conf/rgnet/publication 98.128.1.0/24
ASN 3130 prefix 98.128.1.0/24 ROA /usr/local/var/rpki/conf/rgnet/publication/rgnet/labuser01/712/3PgZtS4-la4smeNuAbZo3CV6-uE.roa
}}}

{{{
srv0.iad.rg.net:/root# find_roa /home/rpki/rcynic/data/authenticated 98.128.1.0/24

srv0.iad.rg.net:/root# date
Fri Aug 24 13:13:53 UTC 2012

srv0.iad.rg.net:/root# ls -lt /home/rpki/rcynic/data/
total 3574
-rw-r--r-- 1 rcynic rcynic 3624725 Aug 22 21:44 summary.xml
drwxr-xr-x 15 rcynic rcynic 512 Aug 22 21:44 unauthenticated/
lrwxr-xr-x 1 rcynic rcynic 34 Aug 22 21:44 authenticated@ -> authenticated.2012-08-22T21:40:00Z
lrwxr-xr-x 1 rcynic rcynic 34 Aug 22 21:44 authenticated.old@ -> authenticated.2012-08-20T22:00:00Z
drwxr-xr-x 12 rcynic rcynic 512 Aug 22 21:44 authenticated.2012-08-22T21:40:00Z/
drwxr-xr-x 12 rcynic rcynic 512 Aug 20 22:05 authenticated.2012-08-20T22:00:00Z/

srv0.iad.rg.net:/root# pstree -s rcynic
-+= 00001 root /sbin/init --
 |-+= 01764 root /usr/sbin/cron -s
 | -+- 09424 root cron: running job (cron)
 | -+= 09425 root /bin/sh - /usr/local/bin/do-rcynic
 | -+- 09426 root /usr/bin/lockf -s -t 0 /usr/home/rpki/lock /bin/sh -cx \n\n jaildir="/usr/home/rpki/rcynic/"\n jailuser="rcynic"\n jailgroup="rcynic"\n html="/usr/local/www/share/rescert/index.html"\n
 | -+- 09427 root /bin/sh -cx \n\n jaildir="/usr/home/rpki/rcynic/"\n jailuser="rcynic"\n jailgroup="rcynic"\n html="/usr/local/www/share/rescert/index.html"\n log="/usr/local/www/share/rescert/log.t
 | --- 21384 root /usr/local/sbin/irr_rpsl_submit -D -x
 -+= 20946 root /usr/sbin/syslogd -l /var/run/log -l /usr/home/rpki/rcynic/var/run/log -s
 --= 32070 root /usr/local/sbin/sshguard

srv0.iad.rg.net:/root# /bin/ps gxuww21384
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 21384 0.0 0.1 9832 2756 ?? I Wed09PM 0:02.73 /usr/local/sbin/irr_rpsl_submit -D -x
}}}

In English: the RPKI software per se is all working correctly. The frelling IRR software has been hung for two days and is holding the lock, keeping rcynic on srv0 from running.

Killing the irr_rpsl_submit process, see if that clears this.

Trac comment by sra on 2012-08-24T13:18:25Z

sraustein commented 12 years ago

BTW, I don't know when you created the ROA, but FWIW, adrilankha received it well before you created this ticket:

{{{ -rw-r--r-- 3 rcynic rcynic 1710 Aug 24 11:21:34 2012 /var/rcynic/data/authenticated/rgnet.rpki.net/rpki/rgnet/labuser01/712/3PgZtS4-la4smeNuAbZo3CV6-uE.roa }}}

Trac comment by sra on 2012-08-24T13:31:46Z

sraustein commented 12 years ago

srv0 do-rcynic hacked to run irr_rpsl_submit pipeline in background so it will not block rcynic.

Next problem: this rcynic instance had an old set of trust anchors. Updated.

Trac comment by sra on 2012-08-24T14:04:26Z

sraustein commented 12 years ago

Appears to be operating normally now. I've been running

{{{ $ screen -L rtr-origin --client tcp srv0.iad.rg.net 42420 }}}

while debugging this, and it just reported:

{{{
$ fgrep 98.128 screenlog.0
2012-08-24 14:14:16 rtr-origin/client[45642]: + 3130 98.128.0.0/16-16 00:04:00:00:00:00:00:14:01:10:10:00:62:80:00:00:00:00:0C:3A
2012-08-24 14:14:16 rtr-origin/client[45642]: + 3130 98.128.128.0/20-22 00:04:00:00:00:00:00:14:01:14:16:00:62:80:80:00:00:00:0C:3A
2012-08-24 14:14:16 rtr-origin/client[45642]: + 4128 98.128.0.0/24-24 00:04:00:00:00:00:00:14:01:18:18:00:62:80:00:00:00:00:10:20
2012-08-24 14:14:16 rtr-origin/client[45642]: + 3130 98.128.1.0/24-24 00:04:00:00:00:00:00:14:01:18:18:00:62:80:01:00:00:00:0C:3A
2012-08-24 14:14:16 rtr-origin/client[45642]: + 4128 98.128.4.0/24-24 00:04:00:00:00:00:00:14:01:18:18:00:62:80:04:00:00:00:10:20
}}}

Trac comment by sra on 2012-08-24T14:16:27Z
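
The hex strings at the end of each rtr-origin client log line above are raw RPKI-to-router IPv4 Prefix PDUs. As an added example (not part of the ticket and not code from the rpki.net toolkit), the following decodes them using the RFC 6810 field layout and rejects malformed ones; the function names are hypothetical and the sample dumps are copied from the log above.

```python
import ipaddress
import struct

IPV4_PREFIX_PDU = 4   # PDU type of an IPv4 Prefix PDU (RFC 6810)
PDU_LENGTH = 20       # an IPv4 Prefix PDU is always 20 bytes

# Hex dumps copied from the rtr-origin client log in this ticket.
SAMPLE_DUMPS = [
    "00:04:00:00:00:00:00:14:01:10:10:00:62:80:00:00:00:00:0C:3A",
    "00:04:00:00:00:00:00:14:01:14:16:00:62:80:80:00:00:00:0C:3A",
    "00:04:00:00:00:00:00:14:01:18:18:00:62:80:01:00:00:00:0C:3A",
]


def decode_ipv4_prefix_pdu(hex_dump):
    """Decode a colon-separated hex dump into (action, asn, prefix, max_len)."""
    raw = bytes.fromhex(hex_dump.replace(":", ""))
    if len(raw) != PDU_LENGTH:
        raise ValueError("expected %d bytes, got %d" % (PDU_LENGTH, len(raw)))
    # Header: version, type, reserved, length. Body: flags, prefix length,
    # max length, zero, 4-byte prefix, 4-byte origin AS. All big-endian.
    (version, pdu_type, _reserved, length,
     flags, prefix_len, max_len, _zero, addr, asn) = struct.unpack(
        "!BBHIBBBB4sI", raw)
    if version != 0 or pdu_type != IPV4_PREFIX_PDU or length != PDU_LENGTH:
        raise ValueError("not a version 0 IPv4 Prefix PDU")
    if not prefix_len <= max_len <= 32:
        raise ValueError("max length %d outside %d..32" % (max_len, prefix_len))
    # strict=True rejects a prefix with host bits set beyond its length.
    prefix = ipaddress.IPv4Network(
        (ipaddress.IPv4Address(addr), prefix_len), strict=True)
    action = "+" if flags & 1 else "-"   # low flag bit: 1 announce, 0 withdraw
    return action, asn, prefix, max_len


def describe(hex_dump):
    """Render a PDU the way the client log does: '+ ASN prefix-maxlen'."""
    action, asn, prefix, max_len = decode_ipv4_prefix_pdu(hex_dump)
    return "%s %d %s-%d" % (action, asn, prefix, max_len)


if __name__ == "__main__":
    for dump in SAMPLE_DUMPS:
        print(describe(dump))
```
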

sraustein commented 12 years ago

{{{
r0.sea#sh ip bg rpki table | i ^98
98.128.0.0/24 24 4128 0 198.180.150.1/42420
98.128.0.0/16 16 3130 0 198.180.150.1/42420
98.128.1.0/24 24 3130 0 198.180.150.1/42420
98.128.4.0/24 24 4128 0 198.180.150.1/42420
98.128.128.0/20 22 3130 0 198.180.150.1/42420
}}}

it works. thank you!

[ of course, now the dynamips seems to be down. but we can hack that in the morning ]

Trac comment by randy on 2012-08-24T14:45:20Z

sraustein commented 12 years ago

You have a few configuration decisions to make on the RPKI stuff. You've seen these questions before, but current state on srv0 suggests confused answers so it's time to think about them again:

  1. Do you want current RP software on srv0 or leave it as it is? Software currently installed works fine AFAIK. HTML is old. Do you care?
  2. What cycle do you want this on? Right now it's checking every ten minutes, which might be a little slow for a classroom environment.
  3. What trust anchors do you want it checking? Right now it's checking all of them, which, given flat RIR repositories, is almost certainly too slow for a classroom environment. Does classroom environment even care about anything outside rpki.net?

I will probably be offline for a few hours doing something outdoors with my son, but will be back eventually. Get some sleep.

Trac comment by sra on 2012-08-24T14:58:40Z

sraustein commented 12 years ago
  1. Do you want current RP software on srv0 or leave it as it is? Software currently installed works fine AFAIK. HTML is old. Do you care?

until end of workshop, minimal perturbation

  2. What cycle do you want this on? Right now it's checking every ten minutes, which might be a little slow for a classroom environment.

is back to two minutes reasonable?

  3. What trust anchors do you want it checking? Right now it's checking all of them, which, given flat RIR repositories, is almost certainly too slow for a classroom environment. Does classroom environment even care about anything outside rpki.net?

no it does not. drop the flatties and keep testbed?

Trac comment by randy on 2012-08-24T15:01:15Z

sraustein commented 12 years ago
  1. Do you want current RP software on srv0 or leave it as it is?

until end of workshop, minimal perturbation

  2. What cycle do you want this on?

is back to two minutes reasonable?

  3. What trust anchors do you want it checking? ... Does classroom environment even care about anything outside rpki.net?

no it does not. drop the flatties and keep testbed?

Oddly enough, these were the answers I would have predicted.

Will make it so, then go kayaking.

Trac comment by sra on 2012-08-24T15:13:39Z

sraustein commented 12 years ago

I'm going to declare this ticket closed. Please reopen if further problems, of course.

Trac comment by sra on 2012-08-25T00:44:31Z

sraustein commented 12 years ago

Closed with resolution fixed