Ref
https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/tools-and-resources/
Routinator
# Create the stack directory, write the compose file, then start it detached.
mkdir -p /opt/routinator
cd /opt/routinator
vi docker-compose.yml
docker compose up -d
/opt/routinator/docker-compose.yml
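# Routinator RPKI relying-party validator. The image's entrypoint starts
# `routinator server` (see the ps output further down); only the cache is
# persisted, so the validator runs with the image's default configuration.
services:
  routinator:
    image: nlnetlabs/routinator
    container_name: routinator
    restart: unless-stopped
    ports:
      # Mappings are quoted so YAML always keeps them as strings.
      # `HOST:CONTAINER` without a host address publishes the port on every
      # host interface; prefix a host address (e.g. `127.0.0.1:8323:8323`)
      # to limit which networks can reach the service.
      - "3323:3323"  # RTR port (plain TCP) - routers fetch VRPs here
      - "8323:8323"  # HTTP port - status, metrics and VRP output; unauthenticated in Routinator
    volumes:
      - cache:/home/routinator/.rpki-cache
    environment:
      - TZ=Asia/Seoul

volumes:
  cache: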
# docker logs -f routinator
[WARN] rsync://repository.lacnic.net/rpki/: @ERROR: max connections (300) reached -- try again later
[WARN] rsync://repository.lacnic.net/rpki/: rsync error: error starting client-server protocol (code 5) at main.c(1859) [Receiver=3.2.7]
[WARN] No valid trust anchor for TAL lacnic
[WARN] rsync://rpki.afrinic.net/repository/member_repository/F368F2D0/92F86E1C6E0511E8A1B5854BF8AEA228/ACCD9BA21FE611EFA3C32B487DDC24C2.roa: certificate has expired.
[WARN] rsync://rpki.afrinic.net/repository/member_repository/F368F2D0/92F86E1C6E0511E8A1B5854BF8AEA228/409A3962171811EFA4D9B319017001B1.roa: certificate has expired.
...
[WARN] RRDP https://rov-measurements.nlnetlabs.net/rrdp/notification.xml: error sending request for url (https://rov-measurements.nlnetlabs.net/rrdp/notification.xml): connection closed before message completed
[WARN] rsync://rpki.qs.nu/repo/cyntest/2/FF0595CB477C33B6B94C7E477213C842A6067D6B.mft: certificate has expired.
...
(HOST) # docker exec -it routinator /bin/sh
(CONTAINER) / $ ps auxf
PID   USER     TIME  COMMAND
    1 routinat  0:00 /sbin/tini -- routinator server --rtr 0.0.0.0:3323 --http 0.0.0.0:8323 --http 0.0.0.0:9556
    7 routinat  0:58 routinator server --rtr 0.0.0.0:3323 --http 0.0.0.0:8323 --http 0.0.0.0:9556
   46 routinat  0:00 rsync --contimeout=10 --max-size=20000000 -rltz --delete rsync://rpki.netiface.net/repo/ /home/routinator/.rpki-cache/repository/rsync/rpki.netiface.net/repo/
~/.zshrc
# Run the routinator CLI inside the running container, so that
# `routinator config` and `routinator --tal=list` (used below) work from the host.
alias routinator='docker exec -it routinator routinator'
# routinator config
# Effective configuration printed by `routinator config` inside the container.
# The compose file mounts no config file, so these are the image defaults.
repository-dir = "/home/routinator/.rpki-cache/repository"
exceptions = []  # no SLURM local exception files loaded
strict = false
stale = "reject"  # stale objects are dropped rather than kept
unsafe-vrps = "accept"  # "unsafe" VRPs (see the Routinator manual for the definition) are kept in the output
unknown-objects = "warn"
allow-dubious-hosts = false
disable-rsync = false
rsync-command = "rsync"  # invoked with --contimeout=10 --max-size=20000000 -rltz --delete (see the ps output above)
rsync-timeout = 300
disable-rrdp = false
rrdp-fallback = "stale"
rrdp-fallback-time = 3600
rrdp-max-delta-count = 100
rrdp-timeout = 300
rrdp-tcp-keepalive = 60
rrdp-root-certs = []
rrdp-proxies = []
max-object-size = 20000000  # matches the rsync --max-size seen in the ps output
max-ca-depth = 32
enable-bgpsec = false
dirty = false
validation-threads = 4
refresh = 600
retry = 600
expire = 7200
history-size = 10
# The listeners are empty here because `routinator config` reports its own
# invocation; the running server gets them from the image's command line
# (--rtr 0.0.0.0:3323 --http 0.0.0.0:8323 --http 0.0.0.0:9556 in the ps output).
rtr-listen = []
rtr-tls-listen = []  # RTR is served without TLS in this setup
http-listen = []
http-tls-listen = []
systemd-listen = false
rtr-tcp-keepalive = 60
rtr-client-metrics = false
log-level = "WARN"  # consistent with the [WARN] lines in `docker logs`
log = "default"
syslog-facility = "daemon"
# routinator --tal=list
.---- RIR TALs
|  .- RIR test TALs
V  V
X  afrinic            AFRINIC production TAL
X  apnic              APNIC production TAL
X  arin               ARIN production TAL
X  lacnic             LACNIC production TAL
X  ripe               RIPE production TAL
X  apnic-testbed      APNIC RPKI Testbed
X  arin-ote           ARIN Operational Test and Evaluation Environment
X  ripe-pilot         RIPE NCC RPKI Test Environment
   nlnetlabs-testbed  NLnet Labs RPKI Testbed
Fort
# Create the stack directory, write the compose file, then start it detached.
mkdir -p /opt/fort
cd /opt/fort
vi docker-compose.yml
docker compose up -d
/opt/fort/docker-compose.yml
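# FORT validator. The service key still reads `rpki-client` (copied from the
# rpki-client stack) while the container runs Fort; renaming it to match
# `container_name` would avoid confusion in `docker compose` commands.
services:
  rpki-client:
    image: nicmx/fort-validator
    container_name: fort-validator
    restart: unless-stopped
    volumes:
      - ./config.json:/etc/fort/fort.conf  # read via --configuration-file (see the ps output)
      - tals:/etc/fort/tal
      - cache:/var/local/fort
    ports:
      # Fort listens on 323 inside the container (see its startup log);
      # host port 3323 matches the Routinator stack. Quoted so YAML keeps
      # the mapping a string. Without a host address the port is published
      # on every host interface; prefix one (e.g. `127.0.0.1:3323:323`) to
      # restrict who can reach the RTR service.
      - "3323:323"  # RTR port
    environment:
      - TZ=Asia/Seoul

volumes:
  tals:
  cache: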
https://nicmx.github.io/FORT-validator/usage.html#--configuration-file
/opt/fort/config.json
{
  "tal": "/etc/fort/tal",
  "local-repository": "/var/local/fort",
  "mode": "server",
  "work-offline": false,
  "daemon": false,
  "log": {
    "enabled": true,
    "output": "console",
    "level": "info",
    "tag": "Operation",
    "facility": "daemon",
    "file-name-format": "global-url",
    "color-output": false
  },
  "validation-log": {
    "enabled": false,
    "output": "console",
    "level": "warning",
    "tag": "Validation",
    "facility": "daemon",
    "file-name-format": "global-url",
    "color-output": false
  }
}
(HOST) # docker exec -it fort-validator /bin/sh
(CONTAINER) / # ps auxf
PID   USER     TIME  COMMAND
    1 root      0:00 tini -g -- fort --configuration-file /etc/fort/fort.conf
    7 root      1:21 fort --configuration-file /etc/fort/fort.conf
# docker logs -f fort-validator
Jun 11 08:50:37 INF [Operation]: fort 1.6.2
Jun 11 08:50:37 INF [Operation]: Configuration {
Jun 11 08:50:37 INF [Operation]:   tal: /etc/fort/tal
Jun 11 08:50:37 INF [Operation]:   local-repository: /var/local/fort
Jun 11 08:50:37 INF [Operation]:   shuffle-uris: false
Jun 11 08:50:37 INF [Operation]:   maximum-certificate-depth: 32
Jun 11 08:50:37 INF [Operation]:   slurm: (null)
Jun 11 08:50:37 INF [Operation]:   mode: server
Jun 11 08:50:37 INF [Operation]:   work-offline: false
...
Jun 11 08:50:37 INF [Operation]: }
Jun 11 08:50:37 INF [Operation]: Main loop: Starting...
Jun 11 08:50:37 INF [Operation]: [::]:323: Setting up socket...
Jun 11 08:50:37 INF [Operation]: [::]:323: Success.
Jun 11 08:50:37 INF [Operation]: The cache appears to have been built by a different version of Fort. I'm going to clear it, just to be safe.
RPKI-client
https://academy-training-wiki-media.storage.googleapis.com/_media/rpki20211109/rpki-client_lab.pdf
# Create the stack directory, write the compose file, then start it detached.
mkdir -p /opt/rpki-client
cd /opt/rpki-client
vi docker-compose.yml
docker compose up -d
/opt/rpki-client/docker-compose.yml
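# rpki-client packaged with haproxy (see the ps listing further down).
# Nothing here publishes an RTR port; 9099 is the HTTP port, where haproxy
# presumably fronts the generated output files (csv, json, bird, openbgpd,
# metrics - see the output volume listing).
services:
  rpki-client:
    image: rpki/rpki-client
    container_name: rpki-client
    restart: unless-stopped
    ports:
      # Quoted so YAML keeps the mapping a string. Without a host address
      # the port is published on every host interface; prefix one
      # (e.g. `127.0.0.1:9099:9099`) to restrict who can fetch the output.
      - "9099:9099"  # HTTP port
    volumes:
      - tals:/etc/tals
      - output:/var/lib/rpki-client  # csv/json/bird/openbgpd/metrics are written here
      - cache:/var/cache/rpki-client
    environment:
      - TZ=Asia/Seoul

volumes:
  tals:
  output:
  cache: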
(HOST) # docker ps -a
CONTAINER ID   IMAGE              COMMAND                  CREATED         STATUS                   PORTS      NAMES
3bd59461cc28   rpki/rpki-client   "/entrypoint.sh rpki…"   8 minutes ago   Up 8 minutes (healthy)   9099/tcp   rpki-client
(HOST) # docker exec -it rpki-client /bin/sh
(CONTAINER) / # ps auxf
PID   USER     TIME  COMMAND
    1 root      0:00 multirun /rpki-client.sh rpki-client -B -c -j -m -o -v haproxy -f /etc/haproxy/haproxy.cfg -q -W -S /run/haproxy.sock
   13 root      0:00 {rpki-client.sh} /bin/sh /rpki-client.sh rpki-client -B -c -j -m -o -v
   14 root      0:00 haproxy -f /etc/haproxy/haproxy.cfg -q -W -S /run/haproxy.sock
   84 haproxy   0:00 haproxy -sf 22 -x sockpair@4 -f /etc/haproxy/haproxy.cfg -q -W -S /run/haproxy.sock
   89 root      0:00 sleep 600
(HOST) # cd /var/lib/docker/volumes/rpki-client_output/_data
(HOST) # ls -alh
total 116M
drwxr-sr-x 2 900  900  4.0K 2024-06-10 Mon 17:30:38 .
drwx-----x 3 root root 4.0K 2024-06-10 Mon 16:56:15 ..
-rw-r--r-- 1 900  900   17M 2024-06-10 Mon 17:30:37 bird
-rw-r--r-- 1 900  900   13M 2024-06-10 Mon 17:30:37 bird1v4
-rw-r--r-- 1 900  900  3.3M 2024-06-10 Mon 17:30:37 bird1v6
-rw-r--r-- 1 900  900   18M 2024-06-10 Mon 17:30:37 csv
-rw-r--r-- 1 900  900   43M 2024-06-10 Mon 17:30:38 json
-rw-r--r-- 1 900  900  469K 2024-06-10 Mon 17:30:38 metrics
-rw-r--r-- 1 900  900   23M 2024-06-10 Mon 17:30:36 openbgpd
(HOST) # tail -n 10 csv
AS37100,2c0f:feb1::/32,48,afrinic,1718150685
AS36959,2c0f:feb8::/32,32,afrinic,1718150685
AS22822,2c0f:fed8::/32,48,afrinic,1718150685
AS37277,2c0f:fed8::/32,48,afrinic,1718150685
AS26506,2c0f:fed8:2::/48,48,afrinic,1718150685
AS36958,2c0f:fef0::/32,48,afrinic,1718150685
AS37334,2c0f:ff30::/32,64,afrinic,1718150685
AS3741,2c0f:ff40::/26,48,afrinic,1718150685
AS10474,2c0f:ff40::/26,48,afrinic,1718150685
AS37105,2c0f:ffd8::/32,32,afrinic,1718150685
etc
https://github.com/inex/IXP-Manager
https://github.com/inex/IXP-Manager/blob/master/docker-compose.yml
https://academy.apnic.net/en/events?id=a0B2e000000dWAW
https://blog.apnic.net/2022/04/06/how-to-installing-an-rpki-validator-2/
https://academy.apnic.net/en/virtual-labs