In certain scenarios and on some platforms, specific steps are needed to get Routinator working as desired.
Using Native TLS Instead of Rustls
By default Routinator uses the Rustls TLS library, which in most cases is fine. If needed, you can instead build Routinator against the native TLS implementation of your system.
Build Routinator with the native-tls feature enabled:
git clone --branch vX.Y.Z --depth 1 https://github.com/NLnetLabs/routinator.git
cd routinator
cargo build --release --features socks,native-tls
When using Docker, use the native-tls image tag when running the container:
sudo docker run -d --restart=unless-stopped --name routinator -p 3323:3323 \
    -p 9556:9556 -v routinator-tals:/home/routinator/.rpki-cache/tals \
    nlnetlabs/routinator:native-tls
Platform Specific Instructions
GÉANT has created an Ansible playbook defining a role to deploy Routinator on Ubuntu.
For some platforms, rustup cannot provide binary releases to install directly. The Rust Platform Support page lists several platforms where official binary releases are not available, but Rust is still guaranteed to build. For these platforms, automated tests are not run, so a working build is not guaranteed, but in practice they often work quite well.
On OpenBSD, patches are required to get Rust running correctly, but these are well maintained and offer the latest version of Rust quite quickly.
Rust can be installed on OpenBSD by running:
The standard installation method does not work on CentOS 6: you will end up with a long list of error messages about missing assembler instructions, because the assembler shipped with CentOS 6 is too old. Install a newer toolchain from Software Collections first, then install Rust from within it:
sudo yum install centos-release-scl
sudo yum install devtoolset-6
scl enable devtoolset-6 bash
curl https://sh.rustup.rs -sSf | sh
source $HOME/.cargo/env
SELinux using CentOS 7
This guide, contributed by Rich Compton, describes how to run Routinator on Security Enhanced Linux (SELinux) using CentOS 7.
Start by setting the hostname:
sudo nmtui-hostname
Hostname will be set.
Set the interface and connect it:
Ensure that “Automatically connect” and “Available to all users” are checked.
Install the required packages:
sudo yum check-update
sudo yum upgrade -y
sudo yum install -y epel-release
sudo yum install -y vim wget curl net-tools lsof bash-completion yum-utils \
    htop nginx httpd-tools tcpdump rust cargo rsync policycoreutils-python
Set the timezone to UTC:
sudo timedatectl set-timezone UTC
Remove postfix as it is unneeded:
sudo systemctl stop postfix
sudo systemctl disable postfix
Create a self-signed certificate for NGINX:
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt
# Populate the relevant information to generate a self-signed certificate
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Add in the NGINX configuration file /etc/nginx/conf.d/ssl.conf and edit the ssl.conf file to provide the IP of the host in the
Set the username and password for the web interface authentication:
sudo htpasswd -c /etc/nginx/.htpasswd <username>
Start Nginx and set it up so it starts at boot:
sudo systemctl start nginx
sudo systemctl enable nginx
Add the user “routinator”, create the /opt/routinator directory and assign it to the “routinator” user and group:
sudo useradd routinator
sudo mkdir /opt/routinator
sudo chown routinator:routinator /opt/routinator
Sudo into the routinator user:
sudo su - routinator
Install Routinator and add it to the $PATH for user “routinator”:
cargo install --locked routinator
vi /home/routinator/.bash_profile
Edit the PATH line to include "/home/routinator/.cargo/bin":
PATH=$PATH:$HOME/.local/bin:$HOME/bin:/home/routinator/.cargo/bin
Initialise Routinator, accept the ARIN TAL and exit back to the user with
/home/routinator/.cargo/bin/routinator -b /opt/routinator init -f --accept-arin-rpa
exit
Create a routinator systemd unit using the template below:
sudo vi /etc/systemd/system/routinator.service

[Unit]
Description=Routinator RPKI Validator and RTR Server
After=network.target

[Service]
Type=simple
User=routinator
Group=routinator
Restart=on-failure
RestartSec=90
ExecStart=/home/routinator/.cargo/bin/routinator -v -b /opt/routinator server \
    --http 127.0.0.1:8080 --rtr <IPv4 IP>:8323 --rtr [<IPv6 IP>]:8323
TimeoutStartSec=0

[Install]
WantedBy=default.target
You must populate the IPv4 and IPv6 addresses. In addition, the IPv6 address needs to be enclosed in brackets ‘[ ]’. For example:
/home/routinator/.cargo/bin/routinator -v -b /opt/routinator server \
    --http 127.0.0.1:8080 --rtr 172.16.47.235:8323 --rtr [2001:db8::43]:8323
Configure SELinux to allow connections to localhost and to allow rsync to write to the
sudo setsebool -P httpd_can_network_connect 1
sudo semanage permissive -a rsync_t
Reload the systemd daemon and set the routinator service to start at boot:
sudo systemctl daemon-reload
sudo systemctl enable routinator.service
sudo systemctl start routinator.service
Set up the firewall to permit SSH, HTTPS and port 8323 for the RTR protocol, each restricted to the subnets that need it:
sudo firewall-cmd --permanent --remove-service=ssh --zone=public
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv4" \
    source address="<IPv4 management subnet>" service name=ssh accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv6" \
    source address="<IPv6 management subnet>" service name=ssh accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv4" \
    source address="<IPv4 management subnet>" service name=https accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv6" \
    source address="<IPv6 management subnet>" service name=https accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv4" \
    source address="<peering router IPv4 loopback subnet>" port port=8323 protocol=tcp accept'
sudo firewall-cmd --permanent --zone public --add-rich-rule='rule family="ipv6" \
    source address="<peering router IPv6 loopback subnet>" port port=8323 protocol=tcp accept'
sudo firewall-cmd --reload
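The RTR listener addresses in the systemd unit and the source subnets in the firewall rules are the two places in this procedure where IPv4 and IPv6 are handled differently (brackets around IPv6 literals for --rtr, and family="ipv4" or family="ipv6" in each rich rule). The following helpers, an added example and not part of the Routinator manual or Rich Compton's contribution, derive both from a single address list so the family decision is made in one place. The address values and subnets used in the demo are constructed; the port 8323 and the rich-rule shape come from the steps above.

```shell
#!/bin/sh
# Added example (not from the Routinator manual): derive the address-family
# dependent pieces of the CentOS 7 setup from one list of addresses.

# ip_family ADDR -> prints "ipv6" if ADDR contains a colon, else "ipv4".
# An IPv6 literal always contains ':'; a dotted-quad or IPv4 prefix never does.
ip_family() {
    case "$1" in
        *:*) printf 'ipv6' ;;
        *)   printf 'ipv4' ;;
    esac
}

# rtr_args PORT ADDR... -> prints the "--rtr" options for the routinator
# server command, wrapping IPv6 literals in brackets so that the final
# colon before the port is not mistaken for part of the address.
rtr_args() {
    port=$1
    shift
    out=""
    for addr in "$@"; do
        if [ "$(ip_family "$addr")" = ipv6 ]; then
            out="$out --rtr [$addr]:$port"
        else
            out="$out --rtr $addr:$port"
        fi
    done
    printf '%s' "${out# }"
}

# rtr_rich_rule SUBNET PORT -> prints a firewalld rich rule admitting
# TCP/PORT from SUBNET only, with the family chosen from the subnet.
rtr_rich_rule() {
    printf 'rule family="%s" source address="%s" port port=%s protocol=tcp accept' \
        "$(ip_family "$1")" "$1" "$2"
}

# Demo with constructed addresses (documentation ranges, not real hosts).
main() {
    printf 'ExecStart suffix: %s\n' "$(rtr_args 8323 172.16.47.235 2001:db8::43)"
    printf 'firewall-cmd --permanent --zone public --add-rich-rule=%s\n' \
        "'$(rtr_rich_rule 192.0.2.0/24 8323)'"
    printf 'firewall-cmd --permanent --zone public --add-rich-rule=%s\n' \
        "'$(rtr_rich_rule 2001:db8:1::/48 8323)'"
}

main "$@"
```

The output of rtr_args is what belongs after server --http 127.0.0.1:8080 in the ExecStart line; each rtr_rich_rule line is one of the port 8323 rules from the firewall step, restricted to the peering routers' loopback subnet rather than open to any source.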
Browse to https://<IP address of rpki-validator>/metrics to see if it’s working. You should authenticate with the username and password that you provided in step 10 of setting up the RPKI Validation Server.