hints:rpki
Differences
This shows you the differences between two versions of the page.
hints:rpki [2024/03/20 22:22] – [RPKI Hints, Top Tips, and FAQs] philip | hints:rpki [2024/03/20 22:23] – [GoRTR] philip | ||
Line 440: | Line 440: | ||
And that's it. Enjoy your new StayRTR installation. | And that's it. Enjoy your new StayRTR installation. | ||
- | ===== GoRTR ===== | ||
- | |||
- | I've included GoRTR here though it is no longer maintained by Cloudflare as the maintainer has moved on to pastures new. All development work is now being carried out on [[rpki# | ||
- | |||
- | I'll be very clear - **please don't use GoRTR**. I still run it for interest sake. For production, [[rpki# | ||
- | |||
- | As with StayRTR, you need a working Go environment. Please consult the [[rpki# | ||
- | |||
- | |||
- | ==== Installing GoRTR ==== | ||
- | |||
- | Easiest way to do this is to build from the [[https:// | ||
- | |||
- | **Note1**: You could download and use the provided [[https:// | ||
- | |||
- | **Note2**: You could even download the [[https:// | ||
- | |||
- | But we will focus on building from the source. | ||
- | < | ||
- | git clone https:// | ||
- | cd gortr | ||
- | make build-gortr build-rtrmon build-rtrdump | ||
- | </ | ||
- | which builds **gortr** as well as **rtrmon** and **rtrdump** (the latter used for testing purposes). | ||
- | |||
- | Copy the resulting binaries to **/ | ||
- | < | ||
- | cd dist | ||
- | sudo cp -p gortr-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | sudo cp -p rtrdump-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | sudo cp -p rtrmon-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | </ | ||
- | |||
- | GoRTR has lots of options, but the ones we need are these: | ||
- | < | ||
- | -bind string | ||
- | Bind address (default ": | ||
- | | ||
- | URL of the cached JSON data (default " | ||
- | | ||
- | Check if file is still valid (default true) | ||
- | | ||
- | Check signature using provided public key (disable by passing -verify=false) | ||
- | </ | ||
- | We don't need to use the Cloudflare JSON source, given we have our own from the newly created RPKI-client. RPKI-client doesn' | ||
- | |||
- | We run GoRTR like this: | ||
- | < | ||
- | / | ||
- | </ | ||
- | which will at least let us test that it works. Run it and see what happens - you should see output at the command line looking like this: | ||
- | < | ||
- | INFO[0001] New update (304138 uniques, 304138 total prefixes). 0 bytes. Updating sha256 hash -> 0592ddc6e9a82666f8ddc5eda8cad76cb61f22640f17199b1bff06b5928b9718 | ||
- | INFO[0002] Updated added, new serial 0 | ||
- | INFO[0002] GoRTR Server started (sessionID: | ||
- | </ | ||
- | And if you check the ports that are listening (**ss -an**) you will see: | ||
- | < | ||
- | tcp LISTEN | ||
- | tcp LISTEN | ||
- | </ | ||
- | Port 3323 is the listening port for Router connections. And Port 8080 is the metrics port, for monitoring systems to connect to. | ||
- | |||
- | But perhaps this isn't good for long term operations as you'd prefer to have this start running automatically when the system starts. And for that we'd need to set up a suitable **systemd** entry. | ||
- | |||
- | First off, let's create a user for GoRTR (it does not have to run as root): | ||
- | < | ||
- | sudo groupadd _gortr | ||
- | sudo useradd –g _gortr –s / | ||
- | </ | ||
- | Next we create a file **/ | ||
- | < | ||
- | # Settings for GoRTR. Consult https:// | ||
- | # more discussion and other available options | ||
- | |||
- | GORTR_ARGS=-bind :3323 -verify=false -cache / | ||
- | # | ||
- | </ | ||
- | Then we go to the **/ | ||
- | < | ||
- | [Unit] | ||
- | Description=GoRTR RPKI to Router Server | ||
- | Documentation=https:// | ||
- | After=network.target | ||
- | |||
- | [Service] | ||
- | EnvironmentFile=/ | ||
- | ExecStart=/ | ||
- | Type=exec | ||
- | User=_gortr | ||
- | Group=_gortr | ||
- | AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
- | CapabilityBoundingSet=CAP_NET_BIND_SERVICE | ||
- | |||
- | [Install] | ||
- | WantedBy=multi-user.target | ||
- | </ | ||
- | We then need to enable it: | ||
- | < | ||
- | sudo systemctl enable gortr | ||
- | </ | ||
- | which then displays: | ||
- | < | ||
- | Created symlink / | ||
- | </ | ||
- | and then we can run GoRTR, like this: | ||
- | < | ||
- | sudo systemctl start gortr | ||
- | </ | ||
- | Once it is running, check that it is working by running: | ||
- | < | ||
- | sudo systemctl status gortr | ||
- | </ | ||
- | and you should see something like this: | ||
- | < | ||
- | * gortr.service - GoRTR RPKI to Router Server | ||
- | | ||
- | Drop-In: / | ||
- | | ||
- | | ||
- | Docs: https:// | ||
- | Main PID: 170962 (gortr) | ||
- | Tasks: 14 (limit: 38463) | ||
- | | ||
- | | ||
- | | ||
- | |||
- | Dec 27 13:14:43 gortr gortr[170962]: | ||
- | Dec 27 13:24:46 gortr gortr[170962]: | ||
- | Dec 27 13:24:50 gortr gortr[170962]: | ||
- | </ | ||
- | and you can also run the more traditional **ps ax** to see something like: | ||
- | < | ||
- | | ||
- | </ | ||
- | |||
- | And that's it. Enjoy your new GoRTR installation. | ||
===== Cisco IOS-XE Hints ===== | ===== Cisco IOS-XE Hints ===== |
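Review bot: deleting the whole ===== GoRTR ===== section (from the heading down to "And that's it. Enjoy your new GoRTR installation.") removes the anchor that any [[rpki#...]] link to the GoRTR heading elsewhere in hints/rpki.txt would resolve to; the removed text itself cross-links with that style ("All development work is now being carried out on [[rpki#" and "For production, [[rpki#"), so the rest of the page should be checked for links to the dropped heading before this lands. The removal is otherwise consistent with the section's own advice ("please don't use GoRTR"), and no other section in this hunk depends on the gortr, rtrmon or rtrdump binaries it copied to the system. If any of this material is kept or moved rather than dropped, two defects in the removed lines should be fixed on the way: the "sudo useradd –g _gortr –s /..." command uses en-dash characters where ASCII hyphens (-g, -s) are required, so it fails as written; and the unit file grants AmbientCapabilities=CAP_NET_BIND_SERVICE and CapabilityBoundingSet=CAP_NET_BIND_SERVICE although GORTR_ARGS binds to :3323 and the metrics listener is on 8080, both unprivileged ports, so that capability is unnecessary and both lines can be removed to keep the _gortr service at least privilege. The "-verify=false" in GORTR_ARGS is justified in the text by the local RPKI-client cache not being signed; with verification off, the only thing protecting the -cache file's integrity is its filesystem permissions, which the section did not state.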
hints/rpki.txt · Last modified: 2024/03/20 22:24 by philip