Closed sraustein closed 8 years ago
rcynic-cron updated to run rcynicng. Lightly tested, but I think everything works, with two exceptions:
crontab -u rpki -e
) to
redirect rcynic-cron's output to a log file instead of sending it as
email every hour.Trac comment by sra on 2016-03-20T03:21:31Z
{{{ ca.rg.net:/root# rpkic version 0.6321 }}}
{{{
ca.rg.net:/root# /usr/bin/rcynic-cron
Traceback (most recent call last):
File "/usr/bin/rcynic", line 1457, in
Program /usr/bin/rcynic exited with status 1 }}}
Trac comment by randy on 2016-03-20T05:40:55Z
rcynic-cron
has to run as user rpki
, which is what the crontab
does. If you want to run it manually while root, you need to do something like
{{{ sudo -u rpki rcynic-cron }}}
Trac comment by sra on 2016-03-20T06:14:25Z
Oh, and just to make things more fun, RRDP client code which runs fine on MacOSX gets some kind of SSLv3 (sic, at least, that's how it's reported, but it might be a lie) error on trusty.
Trac comment by sra on 2016-03-20T07:14:29Z
rcynic cron no longer looking for anything!
{{{ ca.rg.net:/root# rpkic version 0.6323 ca.rg.net:/root# crontab -l -u rpki MAILTO=root }}}
but i do not think this is a long-term solution
Trac comment by randy on 2016-03-21T05:46:50Z
rcynic cron no longer looking for anything!
{{{ ca.rg.net:/root# crontab -l -u rpki MAILTO=root }}}
This is some kind of (one-time?) error updating an existing crontab. Not sure what caused it, will chase if reoccurs.
Repair for a single instance of this is simple, do:
{{{ crontab -u rpki -r }}}
before your next apt-get update
and it should just reinstall a good
crontab.
That said, I have not yet resolved the TLS mess talking to
rrdp.ripe.net
. Python/OpenSSL/Ubuntu version dependent Charlie Fox,
not related to our code at all, we're just innocent victims. You can
spot the affected systems by doing:
{{{ python -c 'from urllib import urlopen; urlopen("https://rrdp.ripe.net/notification.xml")' }}}
If this exits without comment, the TLS implementation used by this
Python's ssl
module is OK: if it throws a backtrace that whines
about misnamed OpenSSL API errors (SSLv3, etc), it's borked.
I spent a few minutes looking at a tshark dump of success and failure
cases, and am pretty sure this is a TLS algorithm negotiation error.
Basically, rrdp.ripe.net
is using a TLS configuration that's beyond
the capabilities of the Python 2.7 ssl
module on some systems.
Trusty is borked. Jessie, Mavericks, and FreeBSD are OK. Haven't tested others yet.
Problem doesn't appear to be quite as simple as just "it's an old version of SSL", there's something specific to how Python is using OpenSSL involved here, because w3m on the same systems works.
Options I can think of would be:
1) Use Debian Jessie or a newer version of Ubuntu;
2) Switch the RRDP client to using Tornado's alternate TLS client
based on PyCurl instead of the standard ssl
module;
3) Ask RIPE NCC to tune down the paranoia on this particular server for a few months while software catches up.
None of these are free. (3) is easiest but politically distasteful.
We want to get this code running on platforms other than trusty in any case, so if I have to put work into this that's where I'd prefer to put it.
Trac comment by sra on 2016-03-21T22:29:59Z
crontab -u rpki -r
done. still waiting for propagation.
{{{ ca.rg.net:/root# rpkic version 0.6323
ca.rg.net:/root# python -c 'from urllib import urlopen; urlopen("https://rrdp.ripe.net/notification.xml")'
Traceback (most recent call last):
File "
for the moment, asking tim to deparanoia the pilot may be the most expedient, if disgusting, path.
barring that, personally i would go to ubuntu 16 beta, as that is a path i will be following in the long run. though i was planning it for a month from now when 16 goes release.
Trac comment by randy on 2016-03-21T22:38:41Z
{{{ ca.rg.net:/root# rpkic version 0.6324
ca.rg.net:/root# crontab -l -u rpki MAILTO=root 5 * * * * exec /usr/bin/rcynic-cron }}}
Trac comment by randy on 2016-03-21T22:41:22Z
OK, I can now confirm that
Backporting modern versions of python-django
and python-tornado
to Wheezy is probably more trouble than it's worth.
Backporting those same packages to Jessie is a marginal case: I have not yet encountered anything in principal which would make this impossible, but the number of backports necessary is rather large (transitive closure of original requirements), and some of the packages themselves are rather large. We may have to do this anyway, but it's not going to be fun.
Yes, I know that Randy cares more about Ubuntu than about Debian, but some of the same issues may arise. The current port of the new code to Trusty uses backports from Xenial; in theory that should work for any Ubuntu release since Trusty, but this can spin out of control pretty quickly (see "transitive closure").
At any rate: I think we can consider this confirmation that the TLS problem is what we thought it was, not a subtle bug in our own code.
Remaining unresolved issue: rcynic (probably) should fail over when RRDP bombs out. I don't much care for the model in which the CA gets to list 27 URIs and the RP is require to check each one of them in turn, but we may need to support that, at least as a configurable option. Ick.
Trac comment by sra on 2016-03-22T23:44:06Z
why should i not just run xenial beta?
Trac comment by randy on 2016-03-22T23:48:05Z
why should i not just run xenial beta?
beta-1 out for a while, but i can only find desktop and 'alternate' images, whatever the heck they are.
beta-2, final beta, due out in 24-48 hours
Trac comment by randy on 2016-03-22T23:55:43Z
why should i not just run xenial beta?
beta-1 out for a while, but i can only find desktop and 'alternate' images, whatever the heck they are.
beta-2, final beta, due out in 24-48 hours
OK, I'll plan to test b2.
Trac comment by sra on 2016-03-22T23:57:59Z
Closed with resolution fixed
{{{ ca.rg.net:/root# /usr/bin/rcynic-cron 04:56:21: rcynic: Couldn't load config file /etc/rcynic.conf Program /usr/bin/rcynic -c /etc/rcynic.conf exited with status 1 }}}
Trac ticket #786 component testbed priority minor, owner None, created by randy on 2016-03-19T05:01:22Z, last modified 2016-04-22T01:58:20Z