From 2c4ff2909119e4c6583c68d9a408156c5d59c134 Mon Sep 17 00:00:00 2001 From: Barry O'Donovan Date: Fri, 18 Sep 2020 14:55:06 +0100 Subject: [PATCH] update rpki details for ubuntu 20.04 - closes #16 --- docs/features/rpki.md | 20 +-- docs/features/rpki/cloudflare.md | 142 ++++++--------------- docs/features/rpki/routinator.md | 62 +++++----- site/features/layer2-addresses/index.html | 2 +- site/features/rpki/cloudflare/index.html | 143 ++++++--------------- site/features/rpki/index.html | 19 +-- site/features/rpki/routinator/index.html | 64 +++++----- site/sitemap.xml | 144 +++++++++++----------- site/sitemap.xml.gz | Bin 708 -> 707 bytes 9 files changed, 224 insertions(+), 372 deletions(-) diff --git a/docs/features/rpki.md b/docs/features/rpki.md index 4cc372e3..9118215f 100644 --- a/docs/features/rpki.md +++ b/docs/features/rpki.md 
@@ -47,25 +47,27 @@ Start by installing two local caches / validator services as linked above. INEX Once your maintenance window starts, stop the target route server you plan to upgrade. You'll then need to to remove the Bird v1 package (`dpkg -r bird` on Ubuntu). Once the Bird package is removed, you can perform a distribution upgrade if you wish. -At time of writing (May 2019), there are no Bird v2 packages for Debian or Ubuntu. As such, you need to install from source. Rather than installing a build environment and compiling on each server, you can do this on a single server (a dedicated build box / admin server / etc) and then distribute the package across your route servers / collector: +Bird v2 is available as a prebuilt package with Ubuntu 20.04 LTS and can be installed with `apt install bird2`. + +There are no Bird v2 packages for Ubuntu 18.04 LTS. As such, you need to install from source if using that older platform. Rather than installing a build environment and compiling on each server, you can do this on a single server (a dedicated build box / admin server / etc) and then distribute the package across your route servers / collector: ```sh # Install Ubuntu build packages and libraries Bird requires: apt install -y build-essential libssh-dev libreadline-dev \ libncurses-dev flex bison checkinstall -# At time of writing, the latest release was v2.0.6. +# At time of writing, the latest release was v2.0.7. # Check for newer versions! 
cd /usr/src -wget ftp://bird.network.cz/pub/bird/bird-2.0.6.tar.gz -tar zxf bird-2.0.6.tar.gz -cd bird-2.0.6/ +wget ftp://bird.network.cz/pub/bird/bird-2.0.7.tar.gz +tar zxf bird-2.0.7.tar.gz +cd bird-2.0.7/ ./configure --prefix=/usr --sysconfdir=/etc make -j2 checkinstall -y ``` -The `checkinstall` tool creates a deb package file: `/usr/local/src/bird-2.0.6/bird_2.0.6-1_amd64.deb` +The `checkinstall` tool creates a deb package file: `/usr/local/src/bird-2.0.7/bird_2.0.7-1_amd64.deb` **NB: for this method to work, you must be running the same operating system and version on the target servers as the build box.** For us, it was Ubuntu 18.04 LTS on all systems. @@ -73,11 +75,11 @@ To install on a target machine: ```sh # from build machine -scp bird_2.0.6-1_amd64.deb target-machine:/tmp +scp bird_2.0.7-1_amd64.deb target-machine:/tmp # on target machine apt install -y libssh-dev libreadline-dev libncurses-dev -dpkg -i /tmp/bird_2.0.6-1_amd64.deb +dpkg -i /tmp/bird_2.0.7-1_amd64.deb ``` You now need to update your route server record in IXP Manager: @@ -86,7 +88,7 @@ You now need to update your route server record in IXP Manager: * check *Enable RPKI filtering*; * update the template to `api/v4/router/server/bird2/standard`. -Note that the Bird v2 template uses large BGP communities extensively internally. The option *Enable Large BGP Communities / RFC8092* only controls whether your members can use large communities for filtering. *It's 2019 - you should really enable this.* +Note that the Bird v2 template uses large BGP communities extensively internally. The option *Enable Large BGP Communities / RFC8092* only controls whether your members can use large communities for filtering. *It's 2020 - you should really enable this.* As mentioned above, you need to let IXP Manager know where your local caching / validators are by setting the following `.env` settings: 
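Review bot: in the `docs/features/rpki.md` hunk, the new Ubuntu 20.04 paragraph (`apt install bird2`) is immediately followed by the unchanged source-build block and the bold NB "you must be running the same operating system and version on the target servers as the build box ... For us, it was Ubuntu 18.04 LTS on all systems", so a reader on 20.04 cannot tell whether the NB and the `scp` / `dpkg -i` steps still apply. Suggest stating that everything from the `checkinstall` block through `dpkg -i /tmp/bird_2.0.7-1_amd64.deb` is the 18.04-only path and that on 20.04 the distro `bird2` package is all that is needed. The bumped line `wget ftp://bird.network.cz/pub/bird/bird-2.0.7.tar.gz` still fetches the tarball over plain FTP with no integrity check before it is built into a package that is then copied to every route server; fetch over HTTPS where the project offers it and verify the published checksum or signature before `make`. While here, the unchanged context line "You'll then need to to remove the Bird v1 package" has a doubled "to".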
diff --git a/docs/features/rpki/cloudflare.md b/docs/features/rpki/cloudflare.md index fbbb8bde..b72bbf7e 100644 --- a/docs/features/rpki/cloudflare.md +++ b/docs/features/rpki/cloudflare.md 
@@ -3,157 +3,85 @@ Cloudflare created their own RPKI toolkit which, similar to RIPE's, is split into two elements: -1. **GoRTR** is the damon that implements the RPKI-RTR protocol to distribute validated ROAs to your routers. +1. **GoRTR** is the daemon that implements the RPKI-RTR protocol to distribute validated ROAs to your routers. 2. **OctoRPKI** is the validator which pulls the signed ROAs from the trust anchors and validates them and then makes them available to GoRTR. **NB:** Before you proceed further, you should [read Cloudflare's own introduction to this toolkit](https://blog.cloudflare.com/cloudflares-rpki-toolkit/). -We use a standard Ubuntu 18.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 10GB LVM hard drive. Not that INEX at this point has not embraced Docker for production services so our install does not use Cloudflare's docker options. +We use a standard Ubuntu 20.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 20GB LVM hard drive. -Rather than running these daemons as the root user, we create a dedicated user: +Cloudflare provide pre-built packages for installation - visit the following URLs and download the appropriate packages for your operating system: -```sh -useradd -c 'cloudflare' -d /srv/cloudflare -m -s /bin/bash -u 1102 cloudflare -``` +* https://github.com/cloudflare/cfrpki/releases +* https://github.com/cloudflare/gortr/releases -We now install packages we need: +In my case, with Ubuntu 20.04 in September 2020, I ended up installing the following: ```sh -apt install golang git rsync ca-certificates +wget https://github.com/cloudflare/cfrpki/releases/download/v1.1.4/octorpki_1.1.4_amd64.deb +wget https://github.com/cloudflare/gortr/releases/download/v0.14.6/gortr_0.14.6_amd64.deb +dpkg -i gortr_0.14.6_amd64.deb octorpki_1.1.4_amd64.deb ``` -Note that in the following, we are not signing the JSON file or ROAs that OctoRPKI generates and this not validating this in GoRTR. 
The reason for this as primarily that it *just wouldn't work* (May 2019) but also as this is a same server operation and no other tools are using the JSON. ## OctoRPKI -To install OctoRPKI, su to the target user and proceed as follows (we assume all commands are executed from `/srv/cloudflare`): - -```sh -sudo su - cloudflare - -go get github.com/cloudflare/cfrpki/cmd/octorpki - -# test: -./go/bin/octorpki -h - -# create the directories we need: -mkdir tals && mkdir cache && touch rrdp.json - -# copy files we need from the OctoRPKI repository: -cp go/src/github.com/cloudflare/cfrpki/cmd/octorpki/tals/* tals/ -``` - You now need to install the ARIN file manually, sigh: 1. Visiting https://www.arin.net/resources/rpki/tal.html 2. Downloading the TAL in RFC 7730 format -3. Place it in `/srv/cloudflare/tals/arin.tal` +3. Place it in `/usr/share/tals/arin.tal` -You can now run the validator via the following command *(and I'm showing the start of some of the sample output)*: +You can now run the validator via the following command *(and I'm also showing how to see the log)*: ```sh -$ ./go/bin/octorpki -mode server -output.sign=0 -INFO[0000] Validator started -INFO[0000] Serving HTTP on :8080/output.json -... -``` - -As it starts up, there is some info available as JSON under http://localhost:8080/infos and the ROAs can be seen as JSON via http://localhost:8080/output.json after ~5mins. 
- - - -## GoRTR +# start the service: +systemctl start octorpki -To install GoRTR (once OctoRPKI is installed and running), we proceed as follows and assume you are su'd to `cloudflare` and your current directory is `/srv/cloudflare`: +# see and tail the logs +journalctl -fu octorpki -```sh -go get github.com/cloudflare/gortr/cmd/gortr +# enable to start on server boot: +systemctl enable octorpki.service ``` -You can run it now with: +At the time of writing with the above mentioned versions, we have the following error in the -```sh -./go/bin/gortr -bind :3323 \ - -verify=0 \ - -cache http://localhost:8080/output.json \ - -metrics.addr :8081 ``` - -Once GoRTR starts up, metrics are available from http://127.0.0.1:8081/metrics. - -## Starting on Boot - -To have these services start at boot, we create systemd service files: - - -```sh -cat </etc/systemd/system/cloudflare-octorpki.service -[Unit] -Description=Cloudflare OctoRPKI Validator - -[Service] -Restart=always -RestartSec=60 - -WorkingDirectory=/srv/cloudflare - -User=cloudflare - -StandardOutput=syslog -StandardError=syslog -SyslogIdentifier=cloudflare-octorpki - -ExecStart=/srv/cloudflare/go/bin/octorpki -mode server -output.sign=0 - - - -[Install] -WantedBy=multi-user.target - -ENDL +Error adding Resource tals/arin.tal: illegal base64 data at input byte 4 ``` -```sh -cat </etc/systemd/system/cloudflare-gortr.service -[Unit] -Description=Cloudflare GoRTR -After=cloudflare-octorpki.service +This is referenced in the follow [GitHub issue for octorpki #53](https://github.com/cloudflare/cfrpki/issues/53) and is solved by editing `/usr/share/tals/arin.tal` and removing the line starting `https://...` and then restart (`systemctl restart octorpki`). -[Service] -Restart=always -RestartSec=60 +As it starts up, there is some info available as JSON under `http://[hostname/ip address]:8080/infos` and the ROAs can be seen as JSON via `http://[hostname/ip address]:8080/output.json` after ~5mins. 
-WorkingDirectory=/srv/cloudflare -User=cloudflare +## GoRTR -StandardOutput=syslog -StandardError=syslog -SyslogIdentifier=cloudflare-gortr +To start GoRTR (once OctoRPKI is configured and running), we first edit `/etc/default/gortr`: -ExecStartPre=/bin/sleep 30 +``` +GORTR_ARGS=-bind :3323 -verify=false -cache http://localhost:8080/output.json -metrics.addr :8081 +``` -ExecStart=/srv/cloudflare/go/bin/gortr -bind :3323 -verify=0 -cache http://localhost:8080/output.json -metrics.addr :8081 -refresh=120 +You can now run the GoRTR daemon via the following command *(and I'm also showing how to see the log)*: +```sh +# start the service: +systemctl start gortr -[Install] -WantedBy=multi-user.target +# see and tail the logs +journalctl -fu gortr -ENDL +# enable to start on server boot: +systemctl enable gortr.service ``` -And then we enable for start on boot with: -```sh -systemctl enable cloudflare-octorpki.service -systemctl enable cloudflare-gortr.service -``` +Once GoRTR starts up, metrics are available from http://[hostname/ip address]:8081/metrics. -Note that: -* we have a sleep on gortr of 30 seconds to give OctoRPKI a chance to start; -* even still, it may not be ready in which case gortr will retry every two minutes (`-refresh=120`). ## Monitoring diff --git a/docs/features/rpki/routinator.md b/docs/features/rpki/routinator.md index a412ca20..b893d303 100644 --- a/docs/features/rpki/routinator.md +++ b/docs/features/rpki/routinator.md 
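Review bot: in the `docs/features/rpki/cloudflare.md` hunk, `GORTR_ARGS=-bind :3323 -verify=false -cache http://localhost:8080/output.json -metrics.addr :8081` turns off GoRTR's verification of the OctoRPKI output, yet the same hunk deletes the paragraph that explained why signing and verification were disabled ("we are not signing the JSON file or ROAs that OctoRPKI generates ... this is a same server operation and no other tools are using the JSON"). With that gone, `-verify=false` reads as an unexplained weakening; carry a one-line rationale across (the cache is fetched from localhost on the same host) or say whether signing was retried with v1.1.4 / v0.14.6 now that the 2019 blocker may no longer apply. Smaller points in the same hunk: "At the time of writing with the above mentioned versions, we have the following error in the" ends mid-sentence before the fenced error (presumably "in the log:"); "referenced in the follow GitHub issue" should read "following", and "and then restart" should read "then restarting"; the hand-written units and the note about start ordering (gortr sleeping 30 seconds for OctoRPKI and retrying with `-refresh=120`) are removed without a replacement, so state whether the packaged `gortr.service` orders itself after `octorpki.service` or whether a drop-in is needed; and the info, ROA and metrics URLs are now written as `http://[hostname/ip address]:8080/...` rather than localhost, which deserves a reminder that these unauthenticated HTTP endpoints should only be reachable from the management network.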
@@ -1,9 +1,9 @@ # Routinator 3000 -**Routinator 3000** is a [RPKI](/features/rpki.md) relying party software (aka RPKI Validator) written in Rust by the good folks at [NLnet Labs](https://www.nlnetlabs.nl/projects/rpki/routinator/). These instructions reflect Routinator 0.4, which is set up and started differently than older versions. This mostly follows [their own GitHub instructions](https://github.com/NLnetLabs/routinator) and [documentation](https://rpki.readthedocs.io/en/latest/routinator/). +**Routinator 3000** is a [RPKI](/features/rpki.md) relying party software (aka RPKI Validator) written in Rust by the good folks at [NLnet Labs](https://www.nlnetlabs.nl/projects/rpki/routinator/). These instructions reflect Routinator 0.7.1 (on Ubuntu 20.04). This mostly follows [their own GitHub instructions](https://github.com/NLnetLabs/routinator) and [documentation](https://rpki.readthedocs.io/en/latest/routinator/). -We use a standard Ubuntu 18.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 10GB LVM hard drive. +We use a standard Ubuntu 20.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 20GB LVM hard drive. Rather than running Routinator as the root user, we create a dedicated user: 
@@ -17,21 +17,22 @@ We then install the required software. `build-essential` is a Ubuntu alias packa apt install -y build-essential cargo rsync ``` -You should have rust version >=1.36.0 installed (check with `rustc -V`). +You should have rust version >=1.43.0 installed (check with `rustc -V`). To install Routinator, we then switch to the `routinator` user and use Cargo to build and install it: ```sh sudo su - routinator -cargo install routinator +cargo install --locked routinator ``` To check if this works, run the following (and note the path to the `routinator` binary): ```sh routinator@rpki01:~$ /srv/routinator/.cargo/bin/routinator -V -Routinator 0.6.1 +Routinator 0.7.1 ``` + Routinator needs to prepare its working environment via the `init` command, which will set up both the directory for the local RPKI cache as well as the TAL directory. Running it will prompt you to agree to the [ARIN Relying Party Agreement (RPA)](https://www.arin.net/resources/manage/rpki/tal/) @@ -57,7 +58,7 @@ and increases the log level to show the process in detail at least once): To upgrade Routinator, you reinstall it (`-f` to overwrite the older version): ```sh -cargo install -f routinator +cargo install --locked --force routinator ``` After you upgrade, kill the running version of Routinator and start it again. @@ -80,7 +81,9 @@ When it starts, there is a webserver on port 8080 - see [the documentation for t ## Starting on Boot -To have this service start at boot, we create systemd service files: +To have this service start at boot, we create systemd service files. + +**Edit this to reflect your correct IP address(es).** ```sh 
@@ -126,52 +129,47 @@ The following is copied [from Routinator's man page](https://nlnetlabs.nl/docume ``` HTTP SERVICE - Routinator can provide an HTTP service allowing to fetch the Validated - ROA Payload in various formats. The service does not support HTTPS and + Routinator can provide an HTTP service allowing to fetch the Validated + ROA Payload in various formats. The service does not support HTTPS and should only be used within the local network. The service only supports GET requests with the following paths: - /csv Returns the current set of VRPs in csv output format. - - /json Returns the current set of VRPs in json output format. - /metrics - Returns a set of monitoring metrics in the format used by + Returns a set of monitoring metrics in the format used by Prometheus. - /openbgpd - Returns the current set of VRPs in openbgpd output format. - - /rpsl Returns the current set of VRPs in rpsl output format. - /status - Returns the current status of the Routinator instance. This is - similar to the output of the /metrics endpoint but in a more + Returns the current status of the Routinator instance. This is + similar to the output of the /metrics endpoint but in a more human friendly format. /version Returns the version of the Routinator instance. /api/v1/validity/as-number/prefix - Returns a JSON object describing whether the route announcement - given by its origin AS number and address preifx is RPKI valid, - invalid, or not found. The returned object is compatible with - that provided by the RIPE NCC RPKI Validator. For more informa- - tion, see https://www.ripe.net/support/documentation/developer- + Returns a JSON object describing whether the route announcement + given by its origin AS number and address prefix is RPKI valid, + invalid, or not found. The returned object is compatible with + that provided by the RIPE NCC RPKI Validator. 
For more informa- + tion, see https://www.ripe.net/support/documentation/developer- documentation/rpki-validator-api - /validity?asn=as-number&prefix;=prefix + /validity?asn=as-number&prefix=prefix Same as above but with a more form-friendly calling convention. - The paths that output the current set of VRPs accept filter expressions - to limit the VRPs returned in the form of a query string. The field - filter-asn can be used to filter for ASNs and the field filter-prefix - can be used to filter for prefixes. The fields can be repeated multiple - times. + In addition, the current set of VRPs is available for each output for- + mat at a path with the same name as the output format. E.g., the CSV + output is available at /csv. + + These paths accept filter expressions to limit the VRPs returned in the + form of a query string. The field filter-asn can be used to filter for + ASNs and the field filter-prefix can be used to filter for prefixes. + The fields can be repeated multiple times. This works in the same way as the options of the same name to the vrps command. + ``` diff --git a/site/features/layer2-addresses/index.html b/site/features/layer2-addresses/index.html index 1a3d4f5e..d05cfaa1 100644 --- a/site/features/layer2-addresses/index.html +++ b/site/features/layer2-addresses/index.html @@ -1643,7 +1643,7 @@

End User Access - Last update: August 20, 2020 + Last update: September 13, 2020 diff --git a/site/features/rpki/cloudflare/index.html b/site/features/rpki/cloudflare/index.html index 7601e2d0..effd3d04 100644 --- a/site/features/rpki/cloudflare/index.html +++ b/site/features/rpki/cloudflare/index.html @@ -1318,13 +1318,6 @@ GoRTR - - -
  • - - Starting on Boot - -
  • @@ -1357,129 +1350,63 @@

    Cloudflare's RPKI Toolkit

    Cloudflare created their own RPKI toolkit which, similar to RIPE's, is split into two elements:

      -
    1. GoRTR is the damon that implements the RPKI-RTR protocol to distribute validated ROAs to your routers.
    2. +
    3. GoRTR is the daemon that implements the RPKI-RTR protocol to distribute validated ROAs to your routers.
    4. OctoRPKI is the validator which pulls the signed ROAs from the trust anchors and validates them and then makes them available to GoRTR.

    NB: Before you proceed further, you should read Cloudflare's own introduction to this toolkit.

    -

    We use a standard Ubuntu 18.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 10GB LVM hard drive. Not that INEX at this point has not embraced Docker for production services so our install does not use Cloudflare's docker options.

    -

    Rather than running these daemons as the root user, we create a dedicated user:

    -
    useradd -c 'cloudflare' -d /srv/cloudflare -m -s /bin/bash -u 1102 cloudflare
    -
    - -

    We now install packages we need:

    -
    apt install golang git rsync ca-certificates
    +

    We use a standard Ubuntu 20.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 20GB LVM hard drive.

    +

    Cloudflare provide pre-built packages for installation - visit the following URLs and download the appropriate packages for your operating system:

    +
      +
    • https://github.com/cloudflare/cfrpki/releases
    • +
    • https://github.com/cloudflare/gortr/releases
    • +
    +

    In my case, with Ubuntu 20.04 in September 2020, I ended up installing the following:

    +
    wget https://github.com/cloudflare/cfrpki/releases/download/v1.1.4/octorpki_1.1.4_amd64.deb
    +wget https://github.com/cloudflare/gortr/releases/download/v0.14.6/gortr_0.14.6_amd64.deb
    +dpkg -i gortr_0.14.6_amd64.deb octorpki_1.1.4_amd64.deb
     
    -

    Note that in the following, we are not signing the JSON file or ROAs that OctoRPKI generates and this not validating this in GoRTR. The reason for this as primarily that it just wouldn't work (May 2019) but also as this is a same server operation and no other tools are using the JSON.

    OctoRPKI

    -

    To install OctoRPKI, su to the target user and proceed as follows (we assume all commands are executed from /srv/cloudflare):

    -
    sudo su - cloudflare
    -
    -go get github.com/cloudflare/cfrpki/cmd/octorpki
    -
    -# test:
    -./go/bin/octorpki -h
    -
    -# create the directories we need:
    -mkdir tals && mkdir cache && touch rrdp.json
    -
    -# copy files we need from the OctoRPKI repository:
    -cp go/src/github.com/cloudflare/cfrpki/cmd/octorpki/tals/* tals/
    -
    -

    You now need to install the ARIN file manually, sigh:

    1. Visiting https://www.arin.net/resources/rpki/tal.html
    2. Downloading the TAL in RFC 7730 format
    3. -
    4. Place it in /srv/cloudflare/tals/arin.tal
    5. +
    6. Place it in /usr/share/tals/arin.tal
    -

    You can now run the validator via the following command (and I'm showing the start of some of the sample output):

    -
    $ ./go/bin/octorpki -mode server -output.sign=0
    -INFO[0000] Validator started
    -INFO[0000] Serving HTTP on :8080/output.json
    -...
    -
    +

    You can now run the validator via the following command (and I'm also showing how to see the log):

    +
    # start the service:
    +systemctl start octorpki
     
    -

    As it starts up, there is some info available as JSON under http://localhost:8080/infos and the ROAs can be seen as JSON via http://localhost:8080/output.json after ~5mins.

    -

    GoRTR

    -

    To install GoRTR (once OctoRPKI is installed and running), we proceed as follows and assume you are su'd to cloudflare and your current directory is /srv/cloudflare:

    -
    go get github.com/cloudflare/gortr/cmd/gortr
    -
    +# see and tail the logs +journalctl -fu octorpki -

    You can run it now with:

    -
    ./go/bin/gortr -bind :3323                                \
    -               -verify=0                                  \
    -               -cache http://localhost:8080/output.json   \
    -               -metrics.addr :8081
    +# enable to start on server boot:
    +systemctl enable octorpki.service
     
    -

    Once GoRTR starts up, metrics are available from http://127.0.0.1:8081/metrics.

    -

    Starting on Boot

    -

    To have these services start at boot, we create systemd service files:

    -
    cat <<ENDL >/etc/systemd/system/cloudflare-octorpki.service
    -[Unit]
    -Description=Cloudflare OctoRPKI Validator
    -
    -[Service]
    -Restart=always
    -RestartSec=60
    -
    -WorkingDirectory=/srv/cloudflare
    -
    -User=cloudflare
    -
    -StandardOutput=syslog
    -StandardError=syslog
    -SyslogIdentifier=cloudflare-octorpki
    -
    -ExecStart=/srv/cloudflare/go/bin/octorpki -mode server -output.sign=0
    -
    -
    -
    -[Install]
    -WantedBy=multi-user.target
    -
    -ENDL
    +

    At the time of writing with the above mentioned versions, we have the following error in the

    +
    Error adding Resource tals/arin.tal: illegal base64 data at input byte 4
     
    -
    cat <<ENDL >/etc/systemd/system/cloudflare-gortr.service
    -[Unit]
    -Description=Cloudflare GoRTR
    -After=cloudflare-octorpki.service
    -
    -[Service]
    -Restart=always
    -RestartSec=60
    -
    -WorkingDirectory=/srv/cloudflare
    -
    -User=cloudflare
    -
    -StandardOutput=syslog
    -StandardError=syslog
    -SyslogIdentifier=cloudflare-gortr
    -
    -ExecStartPre=/bin/sleep 30
    -
    -ExecStart=/srv/cloudflare/go/bin/gortr -bind :3323 -verify=0 -cache http://localhost:8080/output.json -metrics.addr :8081 -refresh=120
    -
    +

    This is referenced in the follow GitHub issue for octorpki #53 and is solved by editing /usr/share/tals/arin.tal and removing the line starting https://... and then restart (systemctl restart octorpki).

    +

    As it starts up, there is some info available as JSON under http://[hostname/ip address]:8080/infos and the ROAs can be seen as JSON via http://[hostname/ip address]:8080/output.json after ~5mins.

    +

    GoRTR

    +

    To start GoRTR (once OctoRPKI is configured and running), we first edit /etc/default/gortr:

    +
    GORTR_ARGS=-bind :3323 -verify=false -cache http://localhost:8080/output.json -metrics.addr :8081
    +
    -[Install] -WantedBy=multi-user.target +

    You can now run the GoRTR daemon via the following command (and I'm also showing how to see the log):

    +
    # start the service:
    +systemctl start gortr
     
    -ENDL
    -
    +# see and tail the logs +journalctl -fu gortr -

    And then we enable for start on boot with:

    -
    systemctl enable cloudflare-octorpki.service
    -systemctl enable cloudflare-gortr.service
    +# enable to start on server boot:
    +systemctl enable gortr.service
     
    -

    Note that:

    -
      -
    • we have a sleep on gortr of 30 seconds to give OctoRPKI a chance to start;
    • -
    • even still, it may not be ready in which case gortr will retry every two minutes (-refresh=120).
    • -
    +

    Once GoRTR starts up, metrics are available from http://[hostname/ip address]:8081/metrics.

    Monitoring

    We add Nagios http checks for ports 8080 (OctoRPKI) and 8081 (GoRTR) to our monitoring platform. We also add a check_tcp test for GoRTR port 3323.
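Review bot: this generated `site/features/rpki/cloudflare/index.html` hunk reproduces the source wording verbatim, including the truncated sentence "we have the following error in the" and "the follow GitHub issue for octorpki #53", so the rendered page should be regenerated after `docs/features/rpki/cloudflare.md` is corrected rather than edited by hand here.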

    diff --git a/site/features/rpki/index.html b/site/features/rpki/index.html index e27443ba..66e8b5eb 100644 --- a/site/features/rpki/index.html +++ b/site/features/rpki/index.html @@ -1448,31 +1448,32 @@

    Enabling RPKIAt INEX we started with our route collector which is a non-service affecting administrative tool. Once we were happy with the stability and results of that, we upgraded our two route servers one week apart in planned announced maintenance windows. We also took the opportunity to perform a distribution upgrade from Ubuntu 16.04 to 18.04.

    Start by installing two local caches / validator services as linked above. INEX uses Cloudflare's and Routinator 3000. You should also add these to your production monitoring service.

    Once your maintenance window starts, stop the target route server you plan to upgrade. You'll then need to to remove the Bird v1 package (dpkg -r bird on Ubuntu). Once the Bird package is removed, you can perform a distribution upgrade if you wish.

    -

    At time of writing (May 2019), there are no Bird v2 packages for Debian or Ubuntu. As such, you need to install from source. Rather than installing a build environment and compiling on each server, you can do this on a single server (a dedicated build box / admin server / etc) and then distribute the package across your route servers / collector:

    +

    Bird v2 is available as a prebuilt package with Ubuntu 20.04 LTS and can be installed with apt install bird2.

    +

    There are no Bird v2 packages for Ubuntu 18.04 LTS. As such, you need to install from source if using that older platform. Rather than installing a build environment and compiling on each server, you can do this on a single server (a dedicated build box / admin server / etc) and then distribute the package across your route servers / collector:

    # Install Ubuntu build packages and libraries Bird requires:
     apt install -y build-essential libssh-dev libreadline-dev \
         libncurses-dev flex bison checkinstall
     
    -# At time of writing, the latest release was v2.0.6.
    +# At time of writing, the latest release was v2.0.7.
     # Check for newer versions!
     cd /usr/src
    -wget ftp://bird.network.cz/pub/bird/bird-2.0.6.tar.gz
    -tar zxf  bird-2.0.6.tar.gz
    -cd bird-2.0.6/
    +wget ftp://bird.network.cz/pub/bird/bird-2.0.7.tar.gz
    +tar zxf  bird-2.0.7.tar.gz
    +cd bird-2.0.7/
     ./configure  --prefix=/usr --sysconfdir=/etc
     make -j2
     checkinstall -y
     
    -

    The checkinstall tool creates a deb package file: /usr/local/src/bird-2.0.6/bird_2.0.6-1_amd64.deb

    +

    The checkinstall tool creates a deb package file: /usr/local/src/bird-2.0.7/bird_2.0.7-1_amd64.deb

    NB: for this method to work, you must be running the same operating system and version on the target servers as the build box. For us, it was Ubuntu 18.04 LTS on all systems.

    To install on a target machine:

    # from build machine
    -scp bird_2.0.6-1_amd64.deb target-machine:/tmp
    +scp bird_2.0.7-1_amd64.deb target-machine:/tmp
     
     # on target machine
     apt install -y libssh-dev libreadline-dev libncurses-dev
    -dpkg -i /tmp/bird_2.0.6-1_amd64.deb
    +dpkg -i /tmp/bird_2.0.7-1_amd64.deb
     

    You now need to update your route server record in IXP Manager:

    @@ -1481,7 +1482,7 @@

    Enabling RPKIcheck Enable RPKI filtering;

  • update the template to api/v4/router/server/bird2/standard.
  • -

    Note that the Bird v2 template uses large BGP communities extensively internally. The option Enable Large BGP Communities / RFC8092 only controls whether your members can use large communities for filtering. It's 2019 - you should really enable this.

    +

    Note that the Bird v2 template uses large BGP communities extensively internally. The option Enable Large BGP Communities / RFC8092 only controls whether your members can use large communities for filtering. It's 2020 - you should really enable this.

    As mentioned above, you need to let IXP Manager know where your local caching / validators are by setting the following .env settings:

    # IP address and port of the first RPKI local cache:
     IXP_RPKI_RTR1_HOST=192.0.2.11
    diff --git a/site/features/rpki/routinator/index.html b/site/features/rpki/routinator/index.html
    index 9f7a6e67..24a9f3c9 100644
    --- a/site/features/rpki/routinator/index.html
    +++ b/site/features/rpki/routinator/index.html
    @@ -1348,8 +1348,8 @@
                     
                     
                     

    Routinator 3000

    -

    Routinator 3000 is a RPKI relying party software (aka RPKI Validator) written in Rust by the good folks at NLnet Labs. These instructions reflect Routinator 0.4, which is set up and started differently than older versions. This mostly follows their own GitHub instructions and documentation.

    -

    We use a standard Ubuntu 18.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 10GB LVM hard drive.

    +

    Routinator 3000 is a RPKI relying party software (aka RPKI Validator) written in Rust by the good folks at NLnet Labs. These instructions reflect Routinator 0.7.1 (on Ubuntu 20.04). This mostly follows their own GitHub instructions and documentation.

    +

    We use a standard Ubuntu 20.04 installation (selecting the minimal virtual server option), 2 vCPUs, 2GB RAM, 20GB LVM hard drive.

    Rather than running Routinator as the root user, we create a dedicated user:

    useradd -c 'Routinator 3000' -d /srv/routinator -m -s /bin/bash -u 1100 routinator
     
    @@ -1358,17 +1358,18 @@

    Routinator 3000
    apt install -y build-essential cargo rsync
     

    -

    You should have rust version >=1.36.0 installed (check with rustc -V).

    +

    You should have rust version >=1.43.0 installed (check with rustc -V).

    To install Routinator, we then switch to the routinator user and use Cargo to build and install it:

    sudo su - routinator
    -cargo install routinator
    +cargo install --locked routinator
     

    To check if this works, run the following (and note the path to the routinator binary):

    -

    routinator@rpki01:~$ /srv/routinator/.cargo/bin/routinator -V
    -Routinator 0.6.1
    +
    routinator@rpki01:~$ /srv/routinator/.cargo/bin/routinator -V
    +Routinator 0.7.1
     
    -Routinator needs to prepare its working environment via the init command, which will set up both + +

    Routinator needs to prepare its working environment via the init command, which will set up both the directory for the local RPKI cache as well as the TAL directory. Running it will prompt you to agree to the ARIN Relying Party Agreement (RPA) so it can install the ARIN TAL along with the other four RIR TALs:

    @@ -1385,7 +1386,7 @@

    Routinator 3000
    cargo install -f routinator
    +
    cargo install --locked --force routinator
     

    After you upgrade, kill the running version of Routinator and start it again.
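Review bot: the upgrade command now matches the install step (`cargo install --locked --force routinator`), but the following sentence still tells the reader to "kill the running version of Routinator and start it again"; since the page goes on to define an `rpki-routinator.service` systemd unit, the restart should be done through systemd (`systemctl restart rpki-routinator`) so the unit state stays consistent and the service comes back with the same options it was started with at boot.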

    @@ -1400,7 +1401,8 @@

    Routinator 3000the documentation for the available endpoints.

    Starting on Boot

    -

    To have this service start at boot, we create systemd service files:

    +

    To have this service start at boot, we create systemd service files.

    +

    Edit this to reflect your correct IP address(es).

    cat <<ENDL >/etc/systemd/system/rpki-routinator.service
     [Unit]
     Description=RPKI Routinator
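Review bot: "Edit this to reflect your correct IP address(es)." is added above the heredoc, but nothing in the visible unit header shows which lines carry the addresses; mark those lines with a comment or name the option so the instruction is actionable. Given that the man page text later in this file states the HTTP service has no HTTPS support and should only be used within the local network, the doc should also say explicitly that the listen addresses set in this unit must be internal ones, not a public interface.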
    @@ -1436,51 +1438,45 @@ 

    MonitoringHTTP Interface

    The following is copied from Routinator's man page. As a future work fixme, this should be used for better monitoring that just check_tcp above.

    HTTP SERVICE
    -       Routinator can provide an HTTP service allowing to fetch the  Validated
    -       ROA  Payload in various formats. The service does not support HTTPS and
    +       Routinator  can provide an HTTP service allowing to fetch the Validated
    +       ROA Payload in various formats. The service does not support HTTPS  and
            should only be used within the local network.
     
            The service only supports GET requests with the following paths:
     
     
    -       /csv   Returns the current set of VRPs in csv output format.
    -
    -       /json  Returns the current set of VRPs in json output format.
    -
            /metrics
    -              Returns a set of  monitoring  metrics  in  the  format  used  by
    +              Returns  a  set  of  monitoring  metrics  in  the format used by
                   Prometheus.
     
    -       /openbgpd
    -              Returns the current set of VRPs in openbgpd output format.
    -
    -       /rpsl  Returns the current set of VRPs in rpsl output format.
    -
            /status
    -              Returns  the  current status of the Routinator instance. This is
    -              similar to the output of the /metrics endpoint  but  in  a  more
    +              Returns the current status of the Routinator instance.  This  is
    +              similar  to  the  output  of the /metrics endpoint but in a more
                   human friendly format.
     
            /version
                   Returns the version of the Routinator instance.
     
            /api/v1/validity/as-number/prefix
    -              Returns  a JSON object describing whether the route announcement
    -              given by its origin AS number and address preifx is RPKI  valid,
    -              invalid,  or  not found.  The returned object is compatible with
    -              that provided by the RIPE NCC RPKI Validator. For more  informa-
    -              tion,  see https://www.ripe.net/support/documentation/developer-
    +              Returns a JSON object describing whether the route  announcement
    +              given  by its origin AS number and address prefix is RPKI valid,
    +              invalid, or not found.  The returned object is  compatible  with
    +              that  provided by the RIPE NCC RPKI Validator. For more informa-
    +              tion, see  https://www.ripe.net/support/documentation/developer-
                   documentation/rpki-validator-api
     
    -       /validity?asn=as-number&prefix;=prefix
    +       /validity?asn=as-number&prefix=prefix
                   Same as above but with a more form-friendly calling convention.
     
     
    -       The paths that output the current set of VRPs accept filter expressions
    -       to  limit  the  VRPs  returned in the form of a query string. The field
    -       filter-asn can be used to filter for ASNs and the  field  filter-prefix
    -       can be used to filter for prefixes. The fields can be repeated multiple
    -       times.
    +       In  addition, the current set of VRPs is available for each output for-
    +       mat at a path with the same name as the output format.  E.g.,  the  CSV
    +       output is available at /csv.
    +
    +       These paths accept filter expressions to limit the VRPs returned in the
    +       form of a query string. The field filter-asn can be used to filter  for
    +       ASNs  and  the  field filter-prefix can be used to filter for prefixes.
    +       The fields can be repeated multiple times.
     
            This works in the same way as the options of the same name to the  vrps
            command.
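Review bot: the refreshed man page text is an improvement (the `&prefix;=prefix` HTML-entity mangling in the /validity path is now `&prefix=prefix`, and "preifx" is corrected), but the introductory line above it still reads "better monitoring that just check_tcp above" (should be "than"), and it still carries the "future work fixme" even though the Prometheus /metrics endpoint that fixme would use is documented right here; either resolve it or reword it as a pointer to /metrics. Since the service is HTTP-only and intended for the local network, it is worth adding that any /metrics scraping should come from that same network.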
    diff --git a/site/sitemap.xml b/site/sitemap.xml
    index 4cf851ce..7325662e 100644
    --- a/site/sitemap.xml
    +++ b/site/sitemap.xml
    @@ -1,291 +1,291 @@
     
     
          https://docs.ixpmanager.org/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/install/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/install/automated-script/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/install/maint-mode/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/install/manually/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/install/upgrading/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/install/runtime/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/install/next-steps/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/operational-notes/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/authentication/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/contacts/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/customers/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/customer-notes/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/customer-tags/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/interfaces/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/users/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/switches/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/usage/email/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/api/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/as112/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/console-servers/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/cronjobs/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/patch-panels/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/dns-arpa/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/docstore/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/grapher/introduction/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/helpdesk/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/irrdb/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/ixf-export/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/looking-glass/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/layer2-addresses/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/manrs/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/member-export/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/mailing-lists/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/nagios/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/patch-panels/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/peering-manager/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/peering-matrix/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/peeringdb/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/rir-objects/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/reseller/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/route-collectors/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/route-servers/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/routers/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/rpki/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/skinning/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/grapher/smokeping/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/static-content/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/tacacs/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/grapher/introduction/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/grapher/api/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/grapher/mrtg/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/grapher/sflow/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/grapher/smokeping/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/sflow/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/features/sflow-p2p/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/introduction/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/api/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/authentication/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/ci/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/cla/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/docker/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/docs/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/forms/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/frontend-crud/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/grapher/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/helpders/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/looking-glass/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/release-procedure/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/telescope/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/users/
    -     2020-09-13
    +     2020-09-18
          daily
         
          https://docs.ixpmanager.org/dev/vagrant/
    -     2020-09-13
    +     2020-09-18
          daily
         
     
    \ No newline at end of file
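Review bot: every change in this hunk is the lastmod date bumped from 2020-09-13 to 2020-09-18, which is expected for a regenerated sitemap, but the generated file also shows problems that should be fixed at the source the generator reads: features/patch-panels/, grapher/introduction/ and grapher/smokeping/ each appear twice, and dev/helpders/ looks like a misspelling of dev/helpers/. Committing the generated site/ tree alongside docs/ also means every docs change touches all ~290 lines of this file; if the site can be built in CI instead, the review diff for doc changes would be far smaller.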
    diff --git a/site/sitemap.xml.gz b/site/sitemap.xml.gz
    index e632e4deabdd3507f1f828f00e0b94aa76eece1d..c2860216e07b1f1313958ec440156ed0a37c2c05 100644
    GIT binary patch
    literal 707