Configuration¶
Routinator has a large number of configuration options, but in most cases running it with the defaults will work just fine. You can specify options as command line arguments, but you can also use a configuration file.
Routinator uses the TOML format for specifying options in the configuration file. Its entries are named similarly to the command line options. A complete sample configuration file showing all the default values can be found in the repository.
Routinator can run as a daemon but you can also use it interactively from the command line. However, there are several considerations with regards to how you’ve installed and how you intend to use Routinator, which we’ll cover below.
Routinator Installed From a Package¶
As explained in the Initialisation section, the installation script
will run as the user routinator and refer to the configuration file
/etc/routinator/routinator.conf
which contains the following
pre-configured options:
repository-dir = "/var/lib/routinator/rpki-cache"
tal-dir = "/var/lib/routinator/tals"
rtr-listen = ["127.0.0.1:3323"]
http-listen = ["127.0.0.1:8323"]
For security reasons the HTTP and RTR server will only listen on localhost, so you will have to change these values to make them accessible to other devices on your network.
The service script that starts Routinator uses the --config
option
to explicitly refer to this configuration file, so any desired changes should
be made here. If you would like to know what default settings Routinator runs
with in addition to the settings in the config file, you can check with the
config
subcommand:
routinator --config /etc/routinator/routinator.conf config
This output will also provide you with the correct syntax in case you want to make changes.
Important
Once you have started Routinator as a system service you
should not invoke interactive validation
runs from the command line using routinator vrps
. If there
is specific information you would like to have from
Routinator, you should retrieve it via the
user interface or one of the
HTTP endpoints.
Routinator Built with Cargo¶
If you have built Routinator using Cargo, you have made your own decisions with regards to the user that it runs as and the privileges it has. There is no default configuration file, as it is your choice if you want to use one.
If you run Routinator without referring to a configuration file it will check
if there is a $HOME/.routinator.conf
file and if it exists, use it.
If no configuration file is available, the default values are used.
You can view the default settings Routinator runs with using:
routinator config
It will return the list of defaults in the same notation that is used by the configuration file, which will be largely similar to this and can serve as a starting point for making your own:
allow-dubious-hosts = false
dirty = false
disable-rrdp = false
disable-rsync = false
exceptions = []
expire = 7200
history-size = 10
http-listen = []
log = "default"
log-level = "WARN"
max-object-size = 20000000
refresh = 600
repository-dir = "/Users/routinator/.rpki-cache/repository"
retry = 600
rrdp-fallback-time = 3600
rrdp-proxies = []
rrdp-root-certs = []
rsync-command = "rsync"
rsync-timeout = 300
rtr-client-metrics = false
rtr-listen = []
rtr-tcp-keepalive = 60
stale = "reject"
strict = false
syslog-facility = "daemon"
systemd-listen = false
tal-dir = "/Users/routinator/.rpki-cache/tals"
unknown-objects = "warn"
unsafe-vrps = "warn"
validation-threads = 4
Using Tmpfs for the RPKI Cache¶
The full RPKI data set consists of hundreds of thousands of small files. This causes a considerable amount of disk I/O with each validation run. If this is undesirable in your setup, you can choose to store the cache in volatile memory using the tmpfs file system.
When setting this up, you should make sure to only put the directory for the
local RPKI cache in tmpfs and not the directory where the Trust Anchor
Locators reside. Both locations are set in the configuration file with the repository-dir
and tal-dir
options, respectively.
If you have installed Routinator using a package, by default the RPKI cache
directory will be /var/lib/routinator/rpki-cache
, so we’ll use that
as an example. Note that the directory you choose must exist before the mount
can be done. You should allocate at least 3GB for the cache, but giving it
4GB will allow ample margin for future growth:
sudo mount -t tmpfs -o size=4G tmpfs /var/lib/routinator/rpki-cache
Tmpfs will behave just like a regular disk, so if it runs out of space Routinator will do a clean crash, stopping validation, the API, HTTP server and most importantly the RTR server, ensuring that no stale data will be served to your routers.
Also keep in mind that every time you restart the machine, the contents of the tmpfs file system will be lost. This means that Routinator will have to rebuild its cache from scratch. This is not a problem, other than it having to download several gigabytes of data, which usually takes about ten minutes to complete. During this time all services will be unavailable.
Note that your routers should be configured to have a secondary relying party instance available at all times.