Installation Notes

In certain scenarios and on some platforms specific steps are needed in order to get Routinator working as desired.

Enabling or Disabling Features

When you build Routinator yourself using Cargo, “features” provide a mechanism to express conditional compilation and optional dependencies. The Routinator package defines a set of named features in the [features] table of Cargo.toml. The table also defines if a feature is enabled or disabled by default.

Routinator currently has the following features:

socksEnabled by default

Allow the configuration of a SOCKS proxy.

uiEnabled by default

Download and build the the routinator-ui crate to run the user interface.

native-tlsDisabled by default

Use the native TLS implementation of your system instead of rustls.

rtaDisabled by default

Let Routinator validate Resource Tagged Attestations (RTAs).

To disable the features that are enabled by default, use the --no-default-features option. You can then choose which features you want using the --features option, listing each feature separated by commas.

For example, if you want to build Routinator without the user interface, make sure SOCKS support is retained and use the native TLS implementation, enter the following command:

cargo install --locked --no-default-features --features socks,native-tls routinator

Statically Linked Routinator

While Rust binaries are mostly statically linked, they depend on libc which, as least as glibc that is standard on Linux systems, is somewhat difficult to link statically. This is why Routinator binaries are actually dynamically linked on glibc systems and can only be transferred between systems with the same glibc versions.

However, Rust can build binaries based on the alternative implementation named musl that can easily be statically linked. Building such binaries is easy with rustup. You need to install musl and the correct musl target such as x86_64-unknown-linux-musl for x86_64 Linux systems. Then you can just build Routinator for that target.

On a Debian (and presumably Ubuntu) system, enter the following:

sudo apt-get install musl-tools
rustup target add x86_64-unknown-linux-musl
cargo build --target=x86_64-unknown-linux-musl --release

Using Tmpfs for the RPKI Cache

The full RPKI data set consists of hundreds of thousands of small files. This causes a considerable amount of disk I/O with each validation run. If this is undesirable in your setup, you can choose to store the cache in volatile memory using the tmpfs file system.

When setting this up, you should make sure to only put the directory for the local RPKI cache in tmpfs and not the directory where the Trust Anchor Locators reside. Both locations are set in the configuration file with the repository-dir and tal-dir options, respectively.

If you have installed Routinator using a package, by default the RPKI cache directory will be /var/lib/routinator/rpki-cache, so we’ll use that as an example. Note that the directory you choose must exist before the mount can be done. You should allocate at least 3GB for the cache, but giving it 4GB will allow ample margin for future growth:

sudo mount -t tmpfs -o size=4G tmpfs /var/lib/routinator/rpki-cache

Tmpfs will behave just like a regular disk, so if it runs out of space Routinator will do a clean crash, stopping validation, the API, HTTP server and most importantly the RTR server, ensuring that no stale data will be served to your routers.

Also keep in mind that every time you restart the machine, the contents of the tmpfs file system will be lost. This means that Routinator will have to rebuild its cache from scratch. This is not a problem, other than it having to download several gigabytes of data, which usually takes about ten minutes to complete. During this time all services will be unavailble.

Note that your routers should be configured to have a secondary relying party instance available at all times.

Platform Specific Instructions


GÉANT has created an Ansible playbook defining a role to deploy Routinator on Ubuntu.

For some platforms, rustup cannot provide binary releases to install directly. The Rust Platform Support page lists several platforms where official binary releases are not available, but Rust is still guaranteed to build. For these platforms, automated tests are not run so it’s not guaranteed to produce a working build, but they often work to quite a good degree.


On OpenBSD, patches are required to get Rust running correctly, but these are well maintained and offer the latest version of Rust quite quickly.

Rust can be installed on OpenBSD by running:

pkg_add rust

CentOS 6

The standard installation method does not work when using CentOS 6. Here, you will end up with a long list of error messages about missing assembler instructions. This is because the assembler shipped with CentOS 6 is too old.

You can get the necessary version by installing the Developer Toolset 6 from the Software Collections repository. On a virgin system, you can install Rust using these steps:

sudo yum install centos-release-scl
sudo yum install devtoolset-6
scl enable devtoolset-6 bash
curl -sSf | sh
source $HOME/.cargo/env

SELinux using CentOS 7

This guide, contributed by Rich Compton, describes how to run Routinator on Security Enhanced Linux (SELinux) using CentOS 7.

  1. Start by setting the hostname:

sudo nmtui-hostname
Hostname will be set
  1. Set the interface and connect it:


Ensure that “Automatically connect” and “Available to all users” are checked.

sudo nmtui-edit
  1. Install the required packages:

sudo yum check-update
sudo yum upgrade -y
sudo yum install -y epel-release
sudo yum install -y vim wget curl net-tools lsof bash-completion yum-utils \
    htop nginx httpd-tools tcpdump rust cargo rsync policycoreutils-python
  1. Set the timezone to UTC:

sudo timedatectl set-timezone UTC
  1. Remove postfix as it is unneeded:

sudo systemctl stop postfix
sudo systemctl disable postfix
  1. Create a self-signed certificate for NGINX:

sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt
# Populate the relevant information to generate a self signed certificate
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  1. Add in the ssl.conf file to /etc/nginx/conf.d/ssl.conf and edit the ssl.conf file to provide the IP of the host in the server_name field.

  2. Replace /etc/nginx/nginx.conf with the nginx.conf file.

  3. Set the username and password for the web interface authentication:

sudo htpasswd -c /etc/nginx/.htpasswd <username>
  1. Start Nginx and set it up so it starts at boot:

sudo systemctl start nginx
sudo systemctl enable nginx
  1. Add the user routinator, create the /opt/routinator directory and assign it to the routinator user and group:

sudo useradd routinator
sudo mkdir /opt/routinator
sudo chown routinator:routinator /opt/routinator
  1. Sudo into the routinator user:

sudo su - routinator
  1. Install Routinator and add it to the $PATH for user routinator:

cargo install --locked routinator
vi /home/routinator/.bash_profile
Edit the PATH line to include "/home/routinator/.cargo/bin"
  1. Initialise Routinator, accept the ARIN TAL and exit back to the user with sudo:

/home/routinator/.cargo/bin/routinator -b /opt/routinator init -f --accept-arin-rpa
  1. Create a routinator systemd script using the template below:

sudo vi /etc/systemd/system/routinator.service
Description=Routinator RPKI Validator and RTR Server
ExecStart=/home/routinator/.cargo/bin/routinator -v -b /opt/routinator server \
    --http --rtr <IPv4 IP>:8323 --rtr [<IPv6 IP>]:8323


You must populate the IPv4 and IPv6 addresses. In addition, the IPv6 address needs to have brackets ‘[ ]’ around it. For example:

/home/routinator/.cargo/bin/routinator -v -b /opt/routinator server \
--http --rtr --rtr [2001:db8::43]:8323
  1. Configure SELinux to allow connections to localhost and to allow rsync to write to the /opt/routinator directory:

sudo setsebool -P httpd_can_network_connect 1
sudo semanage permissive -a rsync_t
  1. Reload the systemd daemon and set the routinator service to start at boot:

sudo systemctl daemon-reload
sudo systemctl enable routinator.service
sudo systemctl start routinator.service
  1. Set up the firewall to permit ssh, HTTPS and port 8323 for the RTR protocol:

sudo firewall-cmd --permanent --remove-service=ssh --zone=public
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv4" \
    source address="<IPv4 management subnet>" service name=ssh accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv6" \
    source address="<IPv6 management subnet>" service name=ssh accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv4" \
    source address="<IPv4 management subnet>" service name=https accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv6" \
    source address="<IPv6 management subnet>" service name=https accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv4" \
    source address="<peering router IPv4 loopback subnet>" port port=8323 protocol=tcp accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv6" \
    source address="<peering router IPv6 loopback subnet>" port port=8323 protocol=tcp accept'
sudo firewall-cmd --reload
  1. Navigate to https://<IP-address>/metrics to see if it’s working. You should authenticate with the username and password that you provided in step 10 of setting up the RPKI Validation Server.