dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

rpkic initialize blows #795

Closed sraustein closed 8 years ago

sraustein commented 8 years ago

{{{
rpkic> version
0.6320
}}}

{{{
rpkic> initialize
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/rpki/cli.py", line 70, in onecmd
    return cmd.Cmd.onecmd(self, line)
  File "/usr/lib/python2.7/cmd.py", line 221, in onecmd
    return func(arg)
  File "/usr/lib/python2.7/dist-packages/rpki/cli.py", line 262, in wrapped
    return func(self, parser.parse_args(shlex.split(arg)))
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 228, in do_initialize
    None if rootd_case else sys.stdout)
  File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 188, in save
    ElementTree(self.etree).write(tempname)
  File "lxml.etree.pyx", line 1949, in lxml.etree._ElementTree.write (src/lxml/lxml.etree.c:55919)
  File "serializer.pxi", line 477, in lxml.etree._tofilelike (src/lxml/lxml.etree.c:117874)
  File "serializer.pxi", line 523, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118373)
  File "serializer.pxi", line 512, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118218)
IOError: [Errno 13] Permission denied
}}}

Trac ticket #789 component testbed priority blocker, owner None, created by randy on 2016-03-20T00:02:47Z, last modified 2016-03-21T05:41:43Z

sraustein commented 8 years ago

Workaround (not claiming this is the fix):

{{{
chown rpki .
}}}

or, equivalently:

{{{
chgrp rpki .
chmod g+w .
}}}

Obviously you should do this in a dedicated directory, but that's probably a good idea with all the XML junk it spits out anyway.

The underlying problem here is that we have to change UID to make PostgreSQL happy while talking to the database, which, from your point of view, means we've dropped privs by the time we try to write out the XML, so that fails.

Real fix is some kind of complex dance bouncing from one UID to another, which probably has the side effect of requiring root to run rpkic (which the current scheme does not), sigh.

Let me know if the workaround gets you past initialization.

Trac comment by sra on 2016-03-20T00:20:51Z
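An added example (my illustration, not code from the rpki.net project) of the failure mode this comment describes and of the one-UID-to-another dance it sketches: a process that lowers its effective UID for the PostgreSQL connection and only afterwards writes the XML file is subject to ordinary discretionary access checks on the output directory, and root's bypass of those checks is gone. Python 3; the UIDs, modes and directory layouts are constructed rather than taken from ca.rg.net, and the scoped seteuid() pattern is a generic one, not a description of what the toolkit itself does.

```python
# Added example, not code from the rpki.net project.  Models why a privilege
# drop inside a tool breaks a later file write, and shows the reversible
# seteuid() pattern that keeps the drop scoped to the database call.
# All UIDs, modes and directory layouts below are constructed.
import contextlib
import errno
import os
import shutil
import stat
import tempfile


def dac_allows(mode, st_uid, st_gid, euid, egid, groups=(), write=False):
    """POSIX discretionary access check on one directory.  EUID 0 bypasses
    it.  Otherwise exactly one class applies, owner before group before
    other, and needs search (x) to traverse plus write (w) to create."""
    if euid == 0:
        return True
    if euid == st_uid:
        need = stat.S_IXUSR | (stat.S_IWUSR if write else 0)
    elif egid == st_gid or st_gid in groups:
        need = stat.S_IXGRP | (stat.S_IWGRP if write else 0)
    else:
        need = stat.S_IXOTH | (stat.S_IWOTH if write else 0)
    return (mode & need) == need


def first_denying_component(path_dirs, euid, egid, groups=()):
    """path_dirs: (mode, uid, gid) for each directory from the top of the
    path down to the one the file lands in.  Every ancestor must be
    searchable and the last one writable.  Returns the index of the first
    component that denies, or -1 when the create would be allowed."""
    last = len(path_dirs) - 1
    for i, (mode, uid, gid) in enumerate(path_dirs):
        if not dac_allows(mode, uid, gid, euid, egid, groups, write=(i == last)):
            return i
    return -1


def try_write(directory, name="identity.xml", data=b"<identity/>"):
    """Create a file the way an XML dump would, but report the errno name
    (e.g. "EACCES") instead of raising, so the failure is observable."""
    try:
        fd = os.open(os.path.join(directory, name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return "ok"


@contextlib.contextmanager
def as_euid(uid):
    """Switch the effective UID for the duration of the block and switch
    back.  seteuid() leaves the saved set-user-ID alone, so a root process
    can return to EUID 0 afterwards; setuid() from root would not be
    reversible.  An unprivileged caller can only pass its own UID."""
    saved = os.geteuid()
    os.seteuid(uid)
    try:
        yield
    finally:
        os.seteuid(saved)


def db_then_write(db_uid, db_call, directory):
    """The saner ordering: run the database step as db_uid, restore the
    caller's EUID, then write the output file."""
    with as_euid(db_uid):
        result = db_call()
    return result, try_write(directory)


def running_as_root():
    return os.geteuid() == 0


def demo_unwritable_dir():
    """Constructed reproduction of the ticket's IOError: a directory the
    caller can read but not write yields EACCES (errno 13) unless the
    caller is root, which bypasses DAC."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o555)
        return try_write(d)
    finally:
        os.chmod(d, 0o755)
        shutil.rmtree(d)


def demo_scoped_drop():
    """Same write, but the privilege change is scoped to the DB call.  Uses
    the caller's own UID so it also runs unprivileged."""
    d = tempfile.mkdtemp()
    try:
        before = os.geteuid()
        result = db_then_write(os.geteuid(), lambda: "queried", d)
        return result + (os.geteuid() == before,)
    finally:
        shutil.rmtree(d)
```

Run unprivileged, demo_unwritable_dir() returns "EACCES", errno 13, the same error the traceback shows; run as root it returns "ok" because root bypasses the check. first_denying_component is the check worth running against a real layout before chown-ing anything: an ancestor directory without search permission for the dropped EUID denies the create no matter who owns the leaf directory. The thread never establishes which path component denied on ca.rg.net, so treat that as a rule to verify, not a diagnosis.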

sraustein commented 8 years ago

> chown rpki .

in what directory? the python dump is not suggestive

Trac comment by randy on 2016-03-20T00:24:58Z

sraustein commented 8 years ago

{{{
ca.rg.net:/root# mkdir foo
ca.rg.net:/root# cd foo
ca.rg.net:/root/foo# chown rpki .
ca.rg.net:/root/foo# ls -ld .
drwxr-xr-x 2 rpki root 4096 Mar 20 00:26 ./
ca.rg.net:/root/foo# rpkic initialize
Traceback (most recent call last):
  File "/usr/sbin/rpkic", line 25, in <module>
    rpki.rpkic.main()
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 107, in __init__
    self.main(args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 115, in main
    args.func(self, args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 228, in do_initialize
    None if rootd_case else sys.stdout)
  File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 188, in save
    ElementTree(self.etree).write(tempname)
  File "lxml.etree.pyx", line 1949, in lxml.etree._ElementTree.write (src/lxml/lxml.etree.c:55919)
  File "serializer.pxi", line 477, in lxml.etree._tofilelike (src/lxml/lxml.etree.c:117874)
  File "serializer.pxi", line 523, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118373)
  File "serializer.pxi", line 512, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118218)
IOError: [Errno 13] Permission denied
}}}

Trac comment by randy on 2016-03-20T00:27:44Z

sraustein commented 8 years ago

> chown rpki .
>
> in what directory? the python dump is not suggestive

rpkic always writes its .xml output files to the current directory (".").

Trac comment by sra on 2016-03-20T00:28:28Z

sraustein commented 8 years ago

Sigh. OK, thanks. Currently trying to finish the fix for #786, which has my test environment tied up (no, another test environment wouldn't help, I don't have a spare brain...). Will look into this after I have that one put to bed.

Trac comment by sra on 2016-03-20T00:50:36Z

sraustein commented 8 years ago

you could have a dedicated directory for rpkis to use to drop files. or put it in the docs.

Trac comment by randy on 2016-03-20T01:21:30Z

sraustein commented 8 years ago

> you could have a dedicated directory for rpkis to use to drop files.

That's somewhat plausible.

Unfortunately, the test you ran suggests that it wouldn't work. Which is odd because I think that's what I did when setting up rrdp.rpki.net. Will try to reproduce when I have time.

> put it in the docs.

If necessary, but it's kind of icky.

Trac comment by sra on 2016-03-20T01:25:17Z

sraustein commented 8 years ago

total blocker. but i realize it is a pita

{{{
ca.rg.net:/root# rpkic version
0.6321
}}}

{{{
ca.rg.net:/root# rpkic initialize
Traceback (most recent call last):
  File "/usr/sbin/rpkic", line 25, in <module>
    rpki.rpkic.main()
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 107, in __init__
    self.main(args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 115, in main
    args.func(self, args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 228, in do_initialize
    None if rootd_case else sys.stdout)
  File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 188, in save
    ElementTree(self.etree).write(tempname)
  File "lxml.etree.pyx", line 1949, in lxml.etree._ElementTree.write (src/lxml/lxml.etree.c:55919)
  File "serializer.pxi", line 477, in lxml.etree._tofilelike (src/lxml/lxml.etree.c:117874)
  File "serializer.pxi", line 523, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118373)
  File "serializer.pxi", line 512, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118218)
IOError: [Errno 13] Permission denied
}}}

Trac comment by randy on 2016-03-20T05:43:45Z

sraustein commented 8 years ago

Doesn't fail for me. Haven't changed anything on CA side recently.

What am I doing right here?

{{{
sra@testy-tahir:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
Codename:       trusty

sra@testy-tahir:~$ mkdir blarg

sra@testy-tahir:~$ sudo chgrp rpki blarg

sra@testy-tahir:~$ cd blarg/

sra@testy-tahir:~/blarg$ ls -ld .
drwxrwxr-x 2 sra rpki 4096 Mar 20 06:20 .

sra@testy-tahir:~/blarg$ rpkic
[sudo] password for sra:

rpkic> version
0.6321

rpkic> initialize
Wrote /home/sra/blarg/testy-tahir_test_hactrn_net.identity.xml
This is the "identity" file you will need to send to your parent

rpkic>
}}}

Trac comment by sra on 2016-03-20T06:26:41Z

sraustein commented 8 years ago

> sra@testy-tahir:~$ sudo chgrp rpki blarg

ahh, you still expect me to hack perms.

{{{
ca.rg.net:/root# rpkic version
0.6321
ca.rg.net:/root# mkdir foo
ca.rg.net:/root# chown rpki foo
ca.rg.net:/root# cd foo

ca.rg.net:/root/foo# rpkic initialize
Traceback (most recent call last):
  File "/usr/sbin/rpkic", line 25, in <module>
    rpki.rpkic.main()
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 107, in __init__
    self.main(args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 115, in main
    args.func(self, args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 228, in do_initialize
    None if rootd_case else sys.stdout)
  File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 188, in save
    ElementTree(self.etree).write(tempname)
  File "lxml.etree.pyx", line 1949, in lxml.etree._ElementTree.write (src/lxml/lxml.etree.c:55919)
  File "serializer.pxi", line 477, in lxml.etree._tofilelike (src/lxml/lxml.etree.c:117874)
  File "serializer.pxi", line 523, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118373)
  File "serializer.pxi", line 512, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118218)
IOError: [Errno 13] Permission denied
}}}

{{{
ca.rg.net:/root/foo# chgrp rpki .
ca.rg.net:/root/foo# ls -ld .
drwxr-xr-x 2 rpki rpki 4096 Mar 20 06:33 ./
ca.rg.net:/root/foo# rpkic initialize
Traceback (most recent call last):
  File "/usr/sbin/rpkic", line 25, in <module>
    rpki.rpkic.main()
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 107, in __init__
    self.main(args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 115, in main
    args.func(self, args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 228, in do_initialize
    None if rootd_case else sys.stdout)
  File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 188, in save
    ElementTree(self.etree).write(tempname)
  File "lxml.etree.pyx", line 1949, in lxml.etree._ElementTree.write (src/lxml/lxml.etree.c:55919)
  File "serializer.pxi", line 477, in lxml.etree._tofilelike (src/lxml/lxml.etree.c:117874)
  File "serializer.pxi", line 523, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118373)
  File "serializer.pxi", line 512, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118218)
IOError: [Errno 13] Permission denied
}}}

Trac comment by randy on 2016-03-20T06:36:24Z

sraustein commented 8 years ago

note that i am sshed in as root. you ssh in as sra and sudo

Trac comment by randy on 2016-03-20T06:41:20Z

sraustein commented 8 years ago

> note that i am sshed in as root. you ssh in as sra and sudo

{{{
sra@testy-tahir:~/2nd.try$ sudo apt-get purge rpki-ca
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libapache2-mod-wsgi python-dateutil python-netifaces python-vobject
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  rpki-ca*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 421 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 74288 files and directories currently installed.)
Removing rpki-ca (0.6321~trusty) ...
RPKI Apache configuration: platform "Ubuntu", action "remove"
Removing /etc/rpki/apache.conf.sample
Removing /etc/rpki/apache.conf
Removing /etc/apache2/sites-available/rpki.conf
Running a2dissite rpki
removing dangling symlink /etc/apache2/sites-enabled/rpki.conf
Running service apache2 restart

sra@testy-tahir:~/2nd.try$ sudo apt-get purge rpki-rp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  apache2 apache2-bin apache2-data fonts-dejavu fonts-dejavu-extra
  libapache2-mod-wsgi libapr1 libaprutil1 libaprutil1-dbd-sqlite3
  libaprutil1-ldap libdbi1 libfile-copy-recursive-perl libjs-jquery librrd4
  libxslt1.1 libyaml-0-2 postgresql python-dateutil python-django
  python-django-common python-egenix-mxdatetime python-egenix-mxtools
  python-lxml python-netifaces python-psycopg2 python-pycurl python-sqlparse
  python-tornado python-tz python-vobject python-yaml rrdtool ttf-dejavu
  ttf-dejavu-core ttf-dejavu-extra update-inetd xinetd
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  rpki-rp*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 3,577 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 74253 files and directories currently installed.)
Removing rpki-rp (0.6321~trusty) ...
Initialized PostgreSQL driver, pw pwd.struct_passwd(pw_name='postgres', pw_passwd='x', pw_uid=106, pw_gid=115, pw_gecos='PostgreSQL administrator,,,', pw_dir='/var/lib/postgresql', pw_shell='/bin/bash')
Purging configuration files for rpki-rp (0.6321~trusty) ...
DROP DATABASE
DO

sra@testy-tahir:~/2nd.try$ sudo sudo -u postgres psql
psql (9.3.11)
Type "help" for help.

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(3 rows)

postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 postgres  | Superuser, Create role, Create DB, Replication | {}

postgres=# \q

sra@testy-tahir:~/2nd.try$ ls -l /var/rcynic* /etc/rpki* /usr/share/rpki
ls: cannot access /var/rcynic: No such file or directory
ls: cannot access /etc/rpki: No such file or directory
ls: cannot access /usr/share/rpki: No such file or directory

sra@testy-tahir:~/2nd.try$ sudo apt-get install rpki-rp rpki-ca
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  rpki-ca rpki-rp
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/980 kB of archives.
After this operation, 3,998 kB of additional disk space will be used.
Selecting previously unselected package rpki-rp.
(Reading database ... 74015 files and directories currently installed.)
Preparing to unpack .../rpki-rp_0.6321~trusty_i386.deb ...
Unpacking rpki-rp (0.6321~trusty) ...
Selecting previously unselected package rpki-ca.
Preparing to unpack .../rpki-ca_0.6321~trusty_i386.deb ...
Unpacking rpki-ca (0.6321~trusty) ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up rpki-rp (0.6321~trusty) ...
Initialized PostgreSQL driver, pw pwd.struct_passwd(pw_name='postgres', pw_passwd='x', pw_uid=106, pw_gid=115, pw_gecos='PostgreSQL administrator,,,', pw_dir='/var/lib/postgresql', pw_shell='/bin/bash')
PostgreSQL driver changing EUID from 0 to 1001
PostgreSQL driver changing EUID from 1001 to 0
PostgreSQL driver opening connection to database postgres
PostgreSQL driver changing EUID from 0 to 106
PostgreSQL driver changing EUID from 106 to 0
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_roles.rolname = 'rpki'

PostgreSQL driver executing CREATE ROLE rpki LOGIN PASSWORD 'MWNchulNOIBdkIb_3aUILaCk7X-DIWrSfoKMJ_FzBw0IOOMMsAVToxDW58P5HNZ2U0gvx5fjU0hpLITmI2p65XHc'
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver executing CREATE DATABASE rpki OWNER rpki
Operations to perform:
  Apply all migrations: rcynicdb
Running migrations:
  Rendering model states... DONE
  Applying rcynicdb.0001_initial... OK
  Applying rcynicdb.0002_auto_20160227_2003... OK
  Applying rcynicdb.0003_auto_20160301_0333... OK
Setting up rpki-ca (0.6321~trusty) ...
RPKI Apache configuration: platform "Ubuntu", action "install"
Writing /etc/rpki/apache.conf.sample
Would have removed /etc/rpki/apache.conf if it existed
Writing /etc/rpki/apache.conf
Would have removed /etc/apache2/sites-available/rpki.conf if it existed
Symlinking /etc/apache2/sites-available/rpki.conf to /etc/rpki/apache.conf
Would have removed /etc/rpki/apache.cer if it existed
Would have removed /etc/rpki/apache.key if it existed
Running a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
Running a2enmod expires
Module expires already enabled
Running a2ensite rpki
Enabling site rpki.
To activate the new configuration, you need to run:
  service apache2 reload
Running a2dismod deflate
Module deflate already disabled
Running service apache2 restart

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver changing EUID from 0 to 1001
PostgreSQL driver changing EUID from 1001 to 0
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_roles.rolname = 'rpki'

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver changing EUID from 0 to 1001
PostgreSQL driver changing EUID from 1001 to 0
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_roles.rolname = 'rpki'

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver changing EUID from 0 to 1001
PostgreSQL driver changing EUID from 1001 to 0
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_roles.rolname = 'rpki'

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
Operations to perform:
  Apply all migrations: rpkidb
Running migrations:
  Rendering model states... DONE
  Applying rpkidb.0001_initial... OK
Operations to perform:
  Apply all migrations: pubdb
Running migrations:
  Rendering model states... DONE
  Applying pubdb.0001_initial... OK
  Applying pubdb.0002_auto_20160221_0617... OK
  Applying pubdb.0003_remove_delta_xml... OK
Operations to perform:
  Apply all migrations: irdb
Running migrations:
  Rendering model states... DONE
  Applying irdb.0001_initial... OK
System check identified some issues:

WARNINGS:
cacheview.SignedObject.repo: (fields.W342) Setting unique=True on a ForeignKey has the same effect as using a OneToOneField.
        HINT: ForeignKey(unique=True) is usually better served by a OneToOneField.
Operations to perform:
  Synchronize unmigrated apps: staticfiles, cacheview, routeview
  Apply all migrations: app, irdb, contenttypes, auth, sessions
Synchronizing apps without migrations:
  Creating tables...
    Creating table cacheview_addressrange
    Creating table cacheview_addressrangev6
    Creating table cacheview_asrange
    Creating table cacheview_validationlabel
    Creating table cacheview_repositoryobject
    Creating table cacheview_validationstatus
    Creating table cacheview_signedobject
    Creating table cacheview_cert
    Creating table cacheview_roaprefixv4
    Creating table cacheview_roaprefixv6
    Creating table cacheview_roa
    Creating table cacheview_ghostbuster
    Creating table routeview_routeorigin
    Creating table routeview_routeoriginv6
  Running deferred SQL...
  Installing custom SQL...
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying app.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying sessions.0001_initial... OK
Writing /usr/share/rpki/bpki/ca.cer
Writing /usr/share/rpki/bpki/rpkid.key
Writing /usr/share/rpki/bpki/rpkid.cer
Writing /usr/share/rpki/bpki/irdbd.cer
Writing /usr/share/rpki/bpki/irbe.cer
Writing /usr/share/rpki/bpki/ca.crl
Writing /usr/share/rpki/bpki/pubd.key
Writing /usr/share/rpki/bpki/pubd.cer
Processing triggers for ureadahead (0.100.0-16) ...

sra@testy-tahir:~/2nd.try$ ls -ld .
drwxrwxr-x 2 sra sra 4096 Mar 20 06:53 .

sra@testy-tahir:~/2nd.try$ sudo chgrp rpki .

sra@testy-tahir:~/2nd.try$ ls -ld .
drwxrwxr-x 2 sra rpki 4096 Mar 20 06:53 .

sra@testy-tahir:~/2nd.try$ sudo -s

root@testy-tahir:~/2nd.try# rpkic initialize
Wrote /home/sra/2nd.try/testy-tahir_test_hactrn_net.identity.xml
This is the "identity" file you will need to send to your parent

root@testy-tahir:~/2nd.try# ls -l
total 20
-rw-rw-r-- 1 sra  sra  14411 Mar 20 06:57 screenlog.0
-rw-r--r-- 1 rpki rpki  1258 Mar 20 06:57 testy-tahir_test_hactrn_net.identity.xml

root@testy-tahir:~/2nd.try# exit

sra@testy-tahir:~/2nd.try$ exit
}}}

Trac comment by sra on 2016-03-20T07:08:27Z

sraustein commented 8 years ago

should i create a user and do the sudo thing?

{{{
ca.rg.net:/root/foo# apt-get purge rpki-ca
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libapache2-mod-wsgi python-dateutil python-netifaces python-vobject
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED
  rpki-ca
0 to upgrade, 0 to newly install, 1 to remove and 0 not to upgrade.
After this operation, 421 kB disk space will be freed.
Do you want to continue? [Y/n] Abort.
ca.rg.net:/root/foo# apt-get purge rpki-ca
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libapache2-mod-wsgi python-dateutil python-netifaces python-vobject
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED
  rpki-ca
0 to upgrade, 0 to newly install, 1 to remove and 0 not to upgrade.
After this operation, 421 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 104648 files and directories currently installed.)
Removing rpki-ca (0.6321~trusty) ...

RPKI Apache configuration: platform "Ubuntu", action "remove"
Removing /etc/rpki/apache.conf.sample
Removing /etc/rpki/apache.conf
Removing /etc/apache2/sites-available/rpki.conf
Running a2dissite rpki
removing dangling symlink /etc/apache2/sites-enabled/rpki.conf
Running service apache2 restart

Purging configuration files for rpki-ca (0.6321~trusty) ...
dpkg: warning: while removing rpki-ca, directory '/usr/share/rpki/publication' not empty so not removed

ca.rg.net:/root/foo# apt-get purge rpki-ca
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'rpki-ca' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  libapache2-mod-wsgi python-dateutil python-netifaces python-vobject
Use 'apt-get autoremove' to remove them.
0 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
ca.rg.net:/root/foo# apt-get autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED
  libapache2-mod-wsgi python-dateutil python-netifaces python-vobject
0 to upgrade, 0 to newly install, 4 to remove and 0 not to upgrade.
After this operation, 751 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 104613 files and directories currently installed.)
Removing libapache2-mod-wsgi (3.4-4ubuntu2.1.14.04.2) ...
Module wsgi disabled.
apache2_invoke prerm: Disable module wsgi

postgres@ca:/root/foo$ psql
could not change directory to "/root/foo": Permission denied
psql (9.3.11)
Type "help" for help.

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
 template0 | postgres | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(3 rows)

postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 postgres  | Superuser, Create role, Create DB, Replication | {}

postgres=# \q

postgres@ca:/root/foo$ exit

ca.rg.net:/root/foo# ls -l /var/rcynic* /etc/rpki* /usr/share/rpki
ls: cannot access /var/rcynic: No such file or directory
-rw-r--r-- 1 root root 27152 Mar 19 23:45 /etc/rpki.conf~

/usr/share/rpki:
total 4
drwxr-xr-x 2 rpki rpki 4096 Mar 19 05:09 publication/

ca.rg.net:/root/foo# apt-get install rpki-rp rpki-ca
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libapache2-mod-wsgi python-dateutil python-netifaces python-vobject
The following NEW packages will be installed
  libapache2-mod-wsgi python-dateutil python-netifaces python-vobject rpki-ca rpki-rp
0 to upgrade, 6 to newly install, 0 to remove and 0 not to upgrade.
Need to get 0 B/1,153 kB of archives.
After this operation, 4,748 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Selecting previously unselected package libapache2-mod-wsgi.
(Reading database ... 104295 files and directories currently installed.)
Preparing to unpack .../libapache2-mod-wsgi_3.4-4ubuntu2.1.14.04.2_i386.deb ...
Unpacking libapache2-mod-wsgi (3.4-4ubuntu2.1.14.04.2) ...
Selecting previously unselected package python-dateutil.
Preparing to unpack .../python-dateutil_1.5+dfsg-1ubuntu1_all.deb ...
Unpacking python-dateutil (1.5+dfsg-1ubuntu1) ...
Selecting previously unselected package python-netifaces.
Preparing to unpack .../python-netifaces_0.8-3build1_i386.deb ...
Unpacking python-netifaces (0.8-3build1) ...
Selecting previously unselected package python-vobject.
Preparing to unpack .../python-vobject_0.8.1c-4ubuntu1_all.deb ...
Unpacking python-vobject (0.8.1c-4ubuntu1) ...
Selecting previously unselected package rpki-rp.
Preparing to unpack .../rpki-rp_0.6321~trusty_i386.deb ...
Unpacking rpki-rp (0.6321~trusty) ...
Selecting previously unselected package rpki-ca.
Preparing to unpack .../rpki-ca_0.6321~trusty_i386.deb ...
Unpacking rpki-ca (0.6321~trusty) ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up libapache2-mod-wsgi (3.4-4ubuntu2.1.14.04.2) ...
apache2_invoke: Enable module wsgi

PostgreSQL driver executing CREATE ROLE rpki LOGIN PASSWORD 'urrH9hXpUDwcU2y93Fik5UUpTUazCSLVOAs8VFgPfttJ4qzLJbVAnweVoDtw9-X4eOBD6UmOGv608TG6XFxNYkIp'
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver executing CREATE DATABASE rpki OWNER rpki
Operations to perform:
  Apply all migrations: rcynicdb
Running migrations:
  Rendering model states... DONE
  Applying rcynicdb.0001_initial... OK
  Applying rcynicdb.0002_auto_20160227_2003... OK
  Applying rcynicdb.0003_auto_20160301_0333... OK
Setting up rpki-ca (0.6321~trusty) ...
RPKI Apache configuration: platform "Ubuntu", action "install"
Writing /etc/rpki/apache.conf.sample
Would have removed /etc/rpki/apache.conf if it existed
Writing /etc/rpki/apache.conf
Would have removed /etc/apache2/sites-available/rpki.conf if it existed
Symlinking /etc/apache2/sites-available/rpki.conf to /etc/rpki/apache.conf
Would have removed /etc/rpki/apache.cer if it existed
Would have removed /etc/rpki/apache.key if it existed
Running a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
Running a2enmod expires
Module expires already enabled
Running a2ensite rpki
Enabling site rpki.
To activate the new configuration, you need to run:
  service apache2 reload
Running a2dismod deflate
Module deflate already disabled
Running service apache2 restart

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver changing EUID from 0 to 1000
PostgreSQL driver changing EUID from 1000 to 0
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_roles.rolname = 'rpki'

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver changing EUID from 0 to 1000
PostgreSQL driver changing EUID from 1000 to 0
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_roles.rolname = 'rpki'

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
PostgreSQL driver changing EUID from 0 to 1000
PostgreSQL driver changing EUID from 1000 to 0
PostgreSQL driver executing SELECT COUNT(*) FROM pg_database JOIN pg_roles ON pg_database.datdba = pg_roles.oid WHERE pg_roles.rolname = 'rpki'

PostgreSQL driver executing SELECT COUNT(*) FROM pg_database WHERE datname = 'rpki'
Operations to perform:
  Apply all migrations: rpkidb
Running migrations:
  Rendering model states... DONE
  Applying rpkidb.0001_initial... OK
Operations to perform:
  Apply all migrations: pubdb
Running migrations:
  Rendering model states... DONE
  Applying pubdb.0001_initial... OK
  Applying pubdb.0002_auto_20160221_0617... OK
  Applying pubdb.0003_remove_delta_xml... OK
Operations to perform:
  Apply all migrations: irdb
Running migrations:
  Rendering model states... DONE
  Applying irdb.0001_initial... OK
System check identified some issues:

WARNINGS:
cacheview.SignedObject.repo: (fields.W342) Setting unique=True on a ForeignKey has the same effect as using a OneToOneField.
        HINT: ForeignKey(unique=True) is usually better served by a OneToOneField.
Operations to perform:
  Synchronize unmigrated apps: staticfiles, cacheview, routeview
  Apply all migrations: app, irdb, contenttypes, auth, sessions
Synchronizing apps without migrations:
  Creating tables...
    Creating table cacheview_addressrange
    Creating table cacheview_addressrangev6
    Creating table cacheview_asrange
    Creating table cacheview_validationlabel
    Creating table cacheview_repositoryobject
    Creating table cacheview_validationstatus
    Creating table cacheview_signedobject
    Creating table cacheview_cert
    Creating table cacheview_roaprefixv4
    Creating table cacheview_roaprefixv6
    Creating table cacheview_roa
    Creating table cacheview_ghostbuster
    Creating table routeview_routeorigin
    Creating table routeview_routeoriginv6
  Running deferred SQL...
  Installing custom SQL...
Running migrations:
  Rendering model states... DONE
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying app.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying sessions.0001_initial... OK
Writing /usr/share/rpki/bpki/ca.cer
Writing /usr/share/rpki/bpki/rpkid.key
Writing /usr/share/rpki/bpki/rpkid.cer
Writing /usr/share/rpki/bpki/irdbd.cer
Writing /usr/share/rpki/bpki/irbe.cer
Writing /usr/share/rpki/bpki/ca.crl
Writing /usr/share/rpki/bpki/pubd.key
Writing /usr/share/rpki/bpki/pubd.cer
Processing triggers for ureadahead (0.100.0-16) ...

ca.rg.net:/root/foo# ls -ld
drwxr-xr-x 2 rpki rpki 4096 Mar 20 06:33 ./

ca.rg.net:/root/foo# rpkic initialize
Traceback (most recent call last):
  File "/usr/sbin/rpkic", line 25, in <module>
    rpki.rpkic.main()
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 107, in __init__
    self.main(args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 115, in main
    args.func(self, args)
  File "/usr/lib/python2.7/dist-packages/rpki/rpkic.py", line 228, in do_initialize
    None if rootd_case else sys.stdout)
  File "/usr/lib/python2.7/dist-packages/rpki/irdb/zookeeper.py", line 188, in save
    ElementTree(self.etree).write(tempname)
  File "lxml.etree.pyx", line 1949, in lxml.etree._ElementTree.write (src/lxml/lxml.etree.c:55919)
  File "serializer.pxi", line 477, in lxml.etree._tofilelike (src/lxml/lxml.etree.c:117874)
  File "serializer.pxi", line 523, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118373)
  File "serializer.pxi", line 512, in lxml.etree._create_output_buffer (src/lxml/lxml.etree.c:118218)
IOError: [Errno 13] Permission denied
}}}

Trac comment by randy on 2016-03-20T07:26:35Z

sraustein commented 8 years ago

OK, [6322] has somewhat saner setuid() behavior, and should no longer require chown of the directory into which you wish to write XML files, etc.

Works for me, anyway. You seem to have a talent for this. :)

Oh, and rpkic initialize is obsolete, even says so in the --help output. You want:

{{{
rpkic create_identity foo
}}}

to create an identity with handle foo, oddly enough.

Trac comment by sra on 2016-03-21T04:04:34Z

sraustein commented 8 years ago

should i do the remove/install cycle?

Trac comment by randy on 2016-03-21T04:33:21Z

sraustein commented 8 years ago

> You want:
>
> {{{
> rpkic create_identity foo
> }}}
>
> to create an identity with handle foo, oddly enough.

wait! how does this work with the handle in rpki.conf?

Trac comment by randy on 2016-03-21T04:36:26Z

sraustein commented 8 years ago

{{{
rpkic> version
0.6323
rpkic> create_identity
usage: create_identity handle
create_identity: error: too few arguments

rpkic> create_identity RGnetCA
Wrote /root/RGnetCA.identity.xml
This is the "identity" file you will need to send to your parent
}}}

i chose the same identity as the handle in /etc/rpki.conf, though i do not understand the relationship between the two.

Trac comment by randy on 2016-03-21T04:39:24Z

sraustein commented 8 years ago

rpkic initialize put a file at the publication point

{{{
ryuu.psg.com:/Users/randy> rsync rsync://ca.rg.net/rpki/RGnetCA.identity.xml
-rw-r--r--           1181 2016/03/19 14:09:02 RGnetCA.identity.xml
}}}

create_identity seems not to do so (see date)

Trac comment by randy on 2016-03-21T04:43:11Z

sraustein commented 8 years ago

> rpkic initialize put a file at the publication point

false. that was where i happened to be when i invoked rpkic

Trac comment by randy on 2016-03-21T04:47:21Z

sraustein commented 8 years ago

> {{{
> rpkic create_identity foo
> }}}
>
> to create an identity with handle foo, oddly enough.
>
> wait! how does this work with the handle in rpki.conf?

The handle in rpki.conf is a historical relic dating back to the myrpki.xml interface, circa 2008. It's not quite dead, but it's on its way out, and will eventually become just the default for -i / --identity / select_identity or go away completely.

Trac comment by sra on 2016-03-21T05:02:42Z

sraustein commented 8 years ago

> {{{
> rpkic> create_identity RGnetCA
> Wrote /root/RGnetCA.identity.xml
> This is the "identity" file you will need to send to your parent
> }}}

There's a reason why it tells you the complete filename.

> i chose the same identity as the handle in /etc/rpki.conf, though i do not understand the relationship between the two.

The handle in /etc/rpki.conf is a bad idea which should go away :)

Trac comment by sra on 2016-03-21T05:04:43Z

sraustein commented 8 years ago

what do i document? handle should be the same as create_identity for the moment?

Trac comment by randy on 2016-03-21T05:09:27Z

sraustein commented 8 years ago

> what do i document? handle should be the same as create_identity for the moment?

Doesn't matter much, but that's probably safest.

Trac comment by sra on 2016-03-21T05:19:55Z

sraustein commented 8 years ago

Closed with resolution fixed