diff --git a/deploy/bird/.env b/deploy/bird/.env new file mode 100644 index 0000000..ac60e9a --- /dev/null +++ b/deploy/bird/.env @@ -0,0 +1,33 @@ +# Build-time image knob. +RPKI_BIRD_VERSION=3.2.1 + +# TCP mode target endpoint. +RPKI_BIRD_RPKI_HOST=rpki-rtr-tcp +RPKI_BIRD_RPKI_PORT=323 + +# SSH mode target endpoint. +RPKI_BIRD_SSH_RPKI_HOST=rpki-rtr +RPKI_RTR_SSH_PORT=22 + +# Config template paths in container. +RPKI_BIRD_CONFIG_TEMPLATE_PATH=/config/bird.conf.template +RPKI_BIRD_SSH_CONFIG_TEMPLATE_PATH=/config/bird.conf.ssh.template + +# Observation and output knobs. +RPKI_BIRD_OBSERVE_PROTO=rpki_tcp +RPKI_BIRD_OBSERVE_MODE=interval +RPKI_BIRD_OBSERVE_DEBOUNCE_SECS=1 +RPKI_BIRD_OBSERVE_INTERVAL=30 +RPKI_BIRD_OBSERVE_ASPA_TABLE=rtr_aspa +RPKI_BIRD_OBSERVE_ROA4_TABLE=rtr_roa_v4 +RPKI_BIRD_OBSERVE_ROA6_TABLE=rtr_roa_v6 +RPKI_BIRD_OBSERVE_ASPA_COUNT=3 +RPKI_BIRD_OBSERVE_ROA4_COUNT=3 +RPKI_BIRD_OBSERVE_ROA6_COUNT=3 +RPKI_BIRD_SHOW_ASPA=1 +RPKI_BIRD_SHOW_ROA4=1 +RPKI_BIRD_SHOW_ROA6=1 + +# Host volume mounts. +RPKI_BIRD_LOG_HOST_DIR=../../logs/bird +RPKI_BIRD_SSH_CERTS_HOST_DIR=../../certs diff --git a/deploy/bird/docker-compose.ssh.yml b/deploy/bird/docker-compose.ssh.yml index 5ec2c4f..fc818be 100644 --- a/deploy/bird/docker-compose.ssh.yml +++ b/deploy/bird/docker-compose.ssh.yml @@ -1,13 +1,13 @@ services: bird-rpki-client: environment: - BIRD_CONFIG_TEMPLATE_PATH: "/config/bird.conf.ssh.template" - RPKI_HOST: "rpki-rtr" + BIRD_CONFIG_TEMPLATE_PATH: "${RPKI_BIRD_SSH_CONFIG_TEMPLATE_PATH:-/config/bird.conf.ssh.template}" + RPKI_HOST: "${RPKI_BIRD_SSH_RPKI_HOST:-rpki-rtr}" RPKI_PORT: "${RPKI_RTR_SSH_PORT:-22}" OBSERVE_PROTO: "rpki_ssh" volumes: - ./bird.conf.ssh.template:/config/bird.conf.ssh.template:ro - - ../../certs:/config/ssh:ro + - ${RPKI_BIRD_SSH_CERTS_HOST_DIR:-../../certs}:/config/ssh:ro networks: - rpki_net diff --git a/deploy/bird/docker-compose.yml b/deploy/bird/docker-compose.yml index 02244fd..35a5d2c 100644 --- a/deploy/bird/docker-compose.yml 
+++ b/deploy/bird/docker-compose.yml @@ -4,34 +4,34 @@ services: context: . dockerfile: Dockerfile args: - BIRD_VERSION: "3.2.1" + BIRD_VERSION: "${RPKI_BIRD_VERSION:-3.2.1}" container_name: bird-rpki-client restart: unless-stopped environment: - BIRD_CONFIG_TEMPLATE_PATH: "/config/bird.conf.template" + BIRD_CONFIG_TEMPLATE_PATH: "${RPKI_BIRD_CONFIG_TEMPLATE_PATH:-/config/bird.conf.template}" - RPKI_HOST: "rpki-rtr-tcp" - RPKI_PORT: "323" + RPKI_HOST: "${RPKI_BIRD_RPKI_HOST:-rpki-rtr-tcp}" + RPKI_PORT: "${RPKI_BIRD_RPKI_PORT:-323}" - OBSERVE_PROTO: "rpki_tcp" - OBSERVE_MODE: "interval" - OBSERVE_DEBOUNCE_SECS: "1" - OBSERVE_INTERVAL: "30" + OBSERVE_PROTO: "${RPKI_BIRD_OBSERVE_PROTO:-rpki_tcp}" + OBSERVE_MODE: "${RPKI_BIRD_OBSERVE_MODE:-interval}" + OBSERVE_DEBOUNCE_SECS: "${RPKI_BIRD_OBSERVE_DEBOUNCE_SECS:-1}" + OBSERVE_INTERVAL: "${RPKI_BIRD_OBSERVE_INTERVAL:-30}" - OBSERVE_ASPA_TABLE: "rtr_aspa" - OBSERVE_ROA4_TABLE: "rtr_roa_v4" - OBSERVE_ROA6_TABLE: "rtr_roa_v6" + OBSERVE_ASPA_TABLE: "${RPKI_BIRD_OBSERVE_ASPA_TABLE:-rtr_aspa}" + OBSERVE_ROA4_TABLE: "${RPKI_BIRD_OBSERVE_ROA4_TABLE:-rtr_roa_v4}" + OBSERVE_ROA6_TABLE: "${RPKI_BIRD_OBSERVE_ROA6_TABLE:-rtr_roa_v6}" - OBSERVE_ASPA_COUNT: "3" - OBSERVE_ROA4_COUNT: "3" - OBSERVE_ROA6_COUNT: "3" + OBSERVE_ASPA_COUNT: "${RPKI_BIRD_OBSERVE_ASPA_COUNT:-3}" + OBSERVE_ROA4_COUNT: "${RPKI_BIRD_OBSERVE_ROA4_COUNT:-3}" + OBSERVE_ROA6_COUNT: "${RPKI_BIRD_OBSERVE_ROA6_COUNT:-3}" - SHOW_ASPA: "1" - SHOW_ROA4: "1" - SHOW_ROA6: "1" + SHOW_ASPA: "${RPKI_BIRD_SHOW_ASPA:-1}" + SHOW_ROA4: "${RPKI_BIRD_SHOW_ROA4:-1}" + SHOW_ROA6: "${RPKI_BIRD_SHOW_ROA6:-1}" volumes: - ./bird.conf.template:/config/bird.conf.template:ro - - ../../logs/bird:/app/logs + - ${RPKI_BIRD_LOG_HOST_DIR:-../../logs/bird}:/app/logs networks: - rpki_net diff --git a/deploy/client/.env b/deploy/client/.env index b6e9ce8..0833959 100644 --- a/deploy/client/.env +++ b/deploy/client/.env 
@@ -4,18 +4,24 @@ # SSH example: 10.0.0.12:22 RPKI_RTR_SERVER_ADDR=rpki-rtr-tcp:323 - # RTR protocol version used as client command second argument (supported: 0,1,2) RPKI_RTR_PROTOCOL_VERSION=2 # TLS server name used by --server-name in TLS mode # Must match server certificate SAN dNSName. RPKI_RTR_TLS_SERVER_NAME=localhost +RPKI_RTR_TLS_CA_CERT_PATH=/app/certs/client-ca.crt +RPKI_RTR_TLS_CLIENT_CERT_PATH=/app/certs/client-good.crt +RPKI_RTR_TLS_CLIENT_KEY_PATH=/app/certs/client-good.key +RPKI_RTR_TLS_CERTS_HOST_DIR=../../tests/fixtures/tls + +# Shared client logs mount on host. +RPKI_RTR_CLIENT_LOG_HOST_DIR=../../logs/client # SSH mode examples: # RPKI_RTR_SERVER_ADDR=10.0.0.12:2222 -# RPKI_RTR_CLIENT_KEYS_VOLUME=../../certs:/app/certs:ro -# RPKI_RTR_CLIENT_KEY_PATH=/app/certs/rtr-client.key -# RPKI_RTR_SSH_SERVER_PUBKEY_PATH=/app/certs/ssh_host_rsa_key.pub -# RPKI_RTR_SSH_USERNAME=rpki-rtr -# RPKI_RTR_SSH_PASSWORD=your-password +RPKI_RTR_CLIENT_KEYS_VOLUME=../../certs:/app/certs:ro +RPKI_RTR_CLIENT_KEY_PATH=/app/certs/rtr-client.key +RPKI_RTR_SSH_SERVER_PUBKEY_PATH=/app/certs/ssh_host_rsa_key.pub +RPKI_RTR_SSH_USERNAME=rpki-rtr +RPKI_RTR_SSH_PASSWORD= diff --git a/deploy/client/docker-compose.clients.yml b/deploy/client/docker-compose.clients.yml index c5c9a26..51bb780 100644 --- a/deploy/client/docker-compose.clients.yml +++ b/deploy/client/docker-compose.clients.yml @@ -5,7 +5,7 @@ services: image: rpki-rtr-debug-client:latest command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"] volumes: - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no networks: - rpki_net 
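Review bot: `RPKI_RTR_SSH_PASSWORD=` is now an active, empty assignment in a tracked `deploy/client/.env`, which invites the next operator to fill a real password into version control, and the hunk says nothing about where the value is meant to come from. Keep credentials out of the tracked file: restore it as a comment, `# RPKI_RTR_SSH_PASSWORD=   # supply via the shell environment or a docker secret, never in this file`, and lean on key auth, which the server compose files already default to with `RPKI_RTR_SSH_AUTH_MODE=key`. It is also worth confirming how the debug client treats an empty `RPKI_RTR_SSH_PASSWORD` — if an empty string counts as "password configured", every run will now offer an empty password alongside the key; the client code is not visible here. The uncommented `RPKI_RTR_SSH_SERVER_PUBKEY_PATH=/app/certs/ssh_host_rsa_key.pub` is a good default (host-key pinning), but note the server side pins `ssh_host_ed25519_key`, so a comment stating which key type the server actually presents would save a failed first connection.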
@@ -14,7 +14,7 @@ services: image: rpki-rtr-debug-client:latest command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"] volumes: - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no networks: - rpki_net @@ -23,7 +23,7 @@ services: image: rpki-rtr-debug-client:latest command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"] volumes: - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no networks: - rpki_net @@ -32,7 +32,7 @@ services: image: rpki-rtr-debug-client:latest command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"] volumes: - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no networks: - rpki_net @@ -41,7 +41,7 @@ services: image: rpki-rtr-debug-client:latest command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"] volumes: - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no networks: - rpki_net diff --git a/deploy/client/docker-compose.ssh.password.yml b/deploy/client/docker-compose.ssh.password.yml index 4e28c34..ecf809e 100644 --- a/deploy/client/docker-compose.ssh.password.yml +++ b/deploy/client/docker-compose.ssh.password.yml @@ -23,7 +23,7 @@ services: ] volumes: - ${RPKI_RTR_CLIENT_KEYS_VOLUME:-../../certs:/app/certs:ro} - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no stdin_open: true tty: true diff --git a/deploy/client/docker-compose.ssh.yml b/deploy/client/docker-compose.ssh.yml index 73755ae..24d1fda 100644 
--- a/deploy/client/docker-compose.ssh.yml +++ b/deploy/client/docker-compose.ssh.yml @@ -23,7 +23,7 @@ services: ] volumes: - ${RPKI_RTR_CLIENT_KEYS_VOLUME:-../../certs:/app/certs:ro} - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no stdin_open: true tty: true diff --git a/deploy/client/docker-compose.tcp.yml b/deploy/client/docker-compose.tcp.yml index b7e8519..dd24dec 100644 --- a/deploy/client/docker-compose.tcp.yml +++ b/deploy/client/docker-compose.tcp.yml @@ -6,7 +6,7 @@ services: image: rpki-rtr-debug-client:latest command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"] volumes: - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no stdin_open: true tty: true diff --git a/deploy/client/docker-compose.tls.yml b/deploy/client/docker-compose.tls.yml index 0de5bf5..cc49cde 100644 --- a/deploy/client/docker-compose.tls.yml +++ b/deploy/client/docker-compose.tls.yml @@ -13,19 +13,19 @@ services: "reset", "--tls", "--ca-cert", - "/app/certs/client-ca.crt", + "${RPKI_RTR_TLS_CA_CERT_PATH:-/app/certs/client-ca.crt}", "--server-name", "${RPKI_RTR_TLS_SERVER_NAME:-localhost}", "--client-cert", - "/app/certs/client-good.crt", + "${RPKI_RTR_TLS_CLIENT_CERT_PATH:-/app/certs/client-good.crt}", "--client-key", - "/app/certs/client-good.key", + "${RPKI_RTR_TLS_CLIENT_KEY_PATH:-/app/certs/client-good.key}", "--keep-after-error", "--summary-only" ] volumes: - - ../../tests/fixtures/tls:/app/certs:ro - - ../../logs/client:/app/logs + - ${RPKI_RTR_TLS_CERTS_HOST_DIR:-../../tests/fixtures/tls}:/app/certs:ro + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no stdin_open: true tty: true diff --git a/deploy/client/docker-compose.yml b/deploy/client/docker-compose.yml index b7e8519..dd24dec 100644 --- a/deploy/client/docker-compose.yml 
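Review bot: Both the compose fallback `${RPKI_RTR_TLS_CERTS_HOST_DIR:-../../tests/fixtures/tls}` and the committed client `.env` point at the test-fixture directory, so a client started without an explicit override trusts the fixture CA through `--ca-cert` and authenticates with the fixture `client-good` key pair. That is fine for the lab setup this tree appears to be, but a silent fallback is exactly how fixture material ends up in a real deployment; the required-variable form `${RPKI_RTR_TLS_CERTS_HOST_DIR:?directory holding the real CA and client certificate}` fails fast instead. If the fixtures are meant to be the default, say so in a comment above the volume line, e.g. `# Fixture certificates: development default, override RPKI_RTR_TLS_CERTS_HOST_DIR for real endpoints`.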
+++ b/deploy/client/docker-compose.yml @@ -6,7 +6,7 @@ services: image: rpki-rtr-debug-client:latest command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"] volumes: - - ../../logs/client:/app/logs + - ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs restart: no stdin_open: true tty: true diff --git a/deploy/server/.env b/deploy/server/.env index dc4fb98..069487e 100644 --- a/deploy/server/.env +++ b/deploy/server/.env @@ -1,8 +1,40 @@ -# Host directory containing CCR files to mount into the server container. +# Data source directories on host. RPKI_RTR_CCR_HOST_DIR=../../data +RPKI_RTR_SLURM_HOST_DIR=../../data -# In-container directory used by rpki_rtr as CCR input directory. +# In-container data source directories. RPKI_RTR_CCR_DIR=/app/data +RPKI_RTR_SLURM_DIR=/app/slurm -# Max retained delta count in RTR cache. +# Persistent directories on host. +RPKI_RTR_DB_HOST_DIR=../../rtr-db +RPKI_RTR_LOG_HOST_DIR=../../logs/server + +# In-container runtime paths. +RPKI_RTR_DB_PATH=/app/rtr-db + +# Core runtime knobs. +RPKI_RTR_STRICT_CCR_VALIDATION=false +RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS=300 RPKI_RTR_MAX_DELTA=10 +RPKI_RTR_MAX_CONNECTIONS=100000 +RPKI_RTR_MAX_CONCURRENT_HANDSHAKES=128 +RUST_LOG=info + +# TLS mode knobs. +RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH=false +RPKI_RTR_TLS_CERT_PATH=/app/certs/server-dns.crt +RPKI_RTR_TLS_KEY_PATH=/app/certs/server-dns.key +RPKI_RTR_TLS_CLIENT_CA_PATH=/app/certs/client-ca.crt +RPKI_RTR_TLS_CERTS_HOST_DIR=../../tests/fixtures/tls + +# SSH mode knobs. +RPKI_RTR_SSH_HOST_PORT=2222 +RPKI_RTR_SSH_CONTAINER_PORT=22 +RPKI_RTR_SSH_AUTH_MODE=key +RPKI_RTR_SSH_USERNAME=rpki-rtr +RPKI_RTR_SSH_SUBSYSTEM_NAME=rpki-rtr +RPKI_RTR_SSH_HOST_KEY_PATH=/host-ssh/ssh_host_ed25519_key +RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH=/app/certs/rtr-authorized_keys +RPKI_RTR_SSH_KEYS_VOLUME=/etc/ssh:/host-ssh:ro +RPKI_RTR_SSH_CERTS_HOST_DIR=../../certs 
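Review bot: The committed `deploy/server/.env` fixes the TLS listener to the repository's test fixtures (`RPKI_RTR_TLS_CERTS_HOST_DIR=../../tests/fixtures/tls`, with `server-dns.key` and `client-ca.crt` taken from there) and at the same time sets `RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH=false` and `RPKI_RTR_STRICT_CCR_VALIDATION=false`, none of it marked as development-only. Compose reads this file automatically, so anyone who copies the deploy directory gets a server whose private key and mTLS trust anchor live in a public test tree — presumably with the CA key beside them — and any certificate minted from that CA is accepted as a client. Add a comment such as `# DEV ONLY: fixture keys and relaxed validation; replace before exposing port 323/324` above the TLS block, and prefer the required form `${RPKI_RTR_TLS_CERTS_HOST_DIR:?...}` in the compose files so no fallback to the fixtures remains. `RPKI_RTR_MAX_CONNECTIONS=100000` is also a large default for a listener bound to `0.0.0.0`; a one-line note on how it was sized would help the next operator.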
diff --git a/deploy/server/DEPLOYMENT.md b/deploy/server/DEPLOYMENT.md index 3adbfca..30ce369 100644 --- a/deploy/server/DEPLOYMENT.md +++ b/deploy/server/DEPLOYMENT.md @@ -20,6 +20,23 @@ The container runs `rpki` directly as PID 1. - SLURM directory: `/app/slurm` - TLS cert directory (optional): `/app/certs` +## Path Configuration via `.env` + +- `RPKI_RTR_CCR_HOST_DIR`: host CCR directory mounted into container +- `RPKI_RTR_SLURM_HOST_DIR`: host SLURM directory mounted into container +- `RPKI_RTR_CCR_DIR`: in-container CCR directory path +- `RPKI_RTR_SLURM_DIR`: in-container SLURM directory path +- `RPKI_RTR_DB_HOST_DIR`: host RocksDB directory +- `RPKI_RTR_LOG_HOST_DIR`: host log directory +- `RPKI_RTR_DB_PATH`: in-container RocksDB directory + +## Runtime Configuration via `.env` + +- Core: `RPKI_RTR_STRICT_CCR_VALIDATION`, `RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS`, `RPKI_RTR_MAX_DELTA`, `RPKI_RTR_MAX_CONCURRENT_HANDSHAKES`, `RUST_LOG` +- TCP mode: `RPKI_RTR_MAX_CONNECTIONS` +- TLS mode: `RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH`, `RPKI_RTR_TLS_CERT_PATH`, `RPKI_RTR_TLS_KEY_PATH`, `RPKI_RTR_TLS_CLIENT_CA_PATH`, `RPKI_RTR_TLS_CERTS_HOST_DIR` +- SSH mode: `RPKI_RTR_SSH_HOST_PORT`, `RPKI_RTR_SSH_CONTAINER_PORT`, `RPKI_RTR_SSH_AUTH_MODE`, `RPKI_RTR_SSH_USERNAME`, `RPKI_RTR_SSH_SUBSYSTEM_NAME`, `RPKI_RTR_SSH_HOST_KEY_PATH`, `RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH`, `RPKI_RTR_SSH_KEYS_VOLUME`, `RPKI_RTR_SSH_CERTS_HOST_DIR` + ## Start ```bash diff --git a/deploy/server/docker-compose.ssh.yml b/deploy/server/docker-compose.ssh.yml index 87f7672..2e5c0d4 100644 --- a/deploy/server/docker-compose.ssh.yml +++ b/deploy/server/docker-compose.ssh.yml 
@@ -24,21 +24,21 @@ services: RPKI_RTR_SSH_AUTH_MODE: "${RPKI_RTR_SSH_AUTH_MODE:-key}" # Optional: enable password authentication in addition to publickey # RPKI_RTR_SSH_PASSWORD: "test-password" - RPKI_RTR_DB_PATH: "/app/rtr-db" + RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}" RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}" - RPKI_RTR_SLURM_DIR: "/app/slurm" - RPKI_RTR_STRICT_CCR_VALIDATION: "false" - RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "300" + RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}" + RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}" + RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-300}" RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}" - RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128" - RUST_LOG: "info" + RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}" + RUST_LOG: "${RUST_LOG:-info}" volumes: - ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro - - ../../rtr-db:/app/rtr-db - - ../../data:/app/slurm:ro + - ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db} + - ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro - ${RPKI_RTR_SSH_KEYS_VOLUME:-/etc/ssh:/host-ssh:ro} - - ../../certs:/app/certs:ro - - ../../logs/server:/app/logs + - ${RPKI_RTR_SSH_CERTS_HOST_DIR:-../../certs}:/app/certs:ro + - ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs networks: - rpki_net diff --git a/deploy/server/docker-compose.tcp.yml b/deploy/server/docker-compose.tcp.yml index 15018bd..2345f97 100644 --- a/deploy/server/docker-compose.tcp.yml +++ b/deploy/server/docker-compose.tcp.yml 
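Review bot: The host-key volume, `${RPKI_RTR_SSH_KEYS_VOLUME:-/etc/ssh:/host-ssh:ro}` (a context line here, and now also pinned verbatim in `deploy/server/.env`), bind-mounts the host's entire `/etc/ssh` into the container even though `RPKI_RTR_SSH_HOST_KEY_PATH` reads a single file, `/host-ssh/ssh_host_ed25519_key`. That gives the RTR process read access to every host private key kept there and to the host's sshd configuration, so a compromise of this service yields the host's SSH identity, and the container presumably has to run as a user able to read root-owned 0600 keys for the mount to be useful at all. Mount a dedicated directory that holds only the key this service presents, e.g. `RPKI_RTR_SSH_KEYS_VOLUME=../../certs/ssh-host:/host-ssh:ro`, and add a comment explaining why the RTR host key is kept separate from the host's sshd. The enclosing `services:` block begins before this hunk.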
@@ -14,20 +14,20 @@ services: RPKI_RTR_ENABLE_TLS: "false" RPKI_RTR_ENABLE_SSH: "false" RPKI_RTR_TCP_ADDR: "0.0.0.0:323" - RPKI_RTR_DB_PATH: "/app/rtr-db" + RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}" RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}" - RPKI_RTR_SLURM_DIR: "/app/slurm" - RPKI_RTR_STRICT_CCR_VALIDATION: "false" - RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "60" + RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}" + RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}" + RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-60}" RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}" - RPKI_RTR_MAX_CONNECTIONS: "100000" - RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128" - RUST_LOG: "info" + RPKI_RTR_MAX_CONNECTIONS: "${RPKI_RTR_MAX_CONNECTIONS:-100000}" + RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}" + RUST_LOG: "${RUST_LOG:-info}" volumes: - ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro - - ../../rtr-db:/app/rtr-db - - ../../data:/app/slurm:ro - - ../../logs/server:/app/logs + - ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db} + - ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro + - ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs networks: - rpki_net diff --git a/deploy/server/docker-compose.tls.yml b/deploy/server/docker-compose.tls.yml index 985234b..cdd7119 100644 --- a/deploy/server/docker-compose.tls.yml +++ b/deploy/server/docker-compose.tls.yml 
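Review bot: The TCP compose keeps a 60-second fallback for `RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS` while `deploy/server/.env`, which compose reads automatically, now sets 300, so the effective TCP-mode refresh interval silently changes from 60 to 300 seconds with this commit; the SSH and TLS compose files and `.env` all agree on 300. If the shorter interval was deliberate for TCP mode, a single `.env` cannot express a per-mode value and the difference needs a comment; otherwise align the fallback, `RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-300}"`, so the two sources of defaults do not disagree. A five-minute refresh also means validated-data changes (including withdrawals) reach routers up to five minutes later than before, which is worth stating next to the knob. The enclosing `services:` block begins before this hunk.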
@@ -16,24 +16,24 @@ services: RPKI_RTR_ENABLE_SSH: "false" RPKI_RTR_TCP_ADDR: "0.0.0.0:323" RPKI_RTR_TLS_ADDR: "0.0.0.0:324" - RPKI_RTR_TLS_CERT_PATH: "/app/certs/server-dns.crt" - RPKI_RTR_TLS_KEY_PATH: "/app/certs/server-dns.key" - RPKI_RTR_TLS_CLIENT_CA_PATH: "/app/certs/client-ca.crt" - RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH: "false" - RPKI_RTR_DB_PATH: "/app/rtr-db" + RPKI_RTR_TLS_CERT_PATH: "${RPKI_RTR_TLS_CERT_PATH:-/app/certs/server-dns.crt}" + RPKI_RTR_TLS_KEY_PATH: "${RPKI_RTR_TLS_KEY_PATH:-/app/certs/server-dns.key}" + RPKI_RTR_TLS_CLIENT_CA_PATH: "${RPKI_RTR_TLS_CLIENT_CA_PATH:-/app/certs/client-ca.crt}" + RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH: "${RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH:-false}" + RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}" RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}" - RPKI_RTR_SLURM_DIR: "/app/slurm" - RPKI_RTR_STRICT_CCR_VALIDATION: "false" - RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "300" + RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}" + RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}" + RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-300}" RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}" - RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128" - RUST_LOG: "info" + RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}" + RUST_LOG: "${RUST_LOG:-info}" volumes: - ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro - - ../../rtr-db:/app/rtr-db - - ../../data:/app/slurm:ro - - ../../tests/fixtures/tls:/app/certs:ro - - ../../logs/server:/app/logs + - ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db} + - ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro + - ${RPKI_RTR_TLS_CERTS_HOST_DIR:-../../tests/fixtures/tls}:/app/certs:ro + - ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs networks: - rpki_net 
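Review bot: `RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH` keeps `false` as its fallback and `.env` repeats it, so by default a client certificate is accepted from any source address; if the knob does what its name suggests, a certificate lifted from one router can be replayed from anywhere the listener on `0.0.0.0:324` is reachable. Combined with the fixture default `${RPKI_RTR_TLS_CERTS_HOST_DIR:-../../tests/fixtures/tls}` this is a lab configuration, which is fine, but nothing in the file says so. Add above the TLS settings: `# Fixture certificates and relaxed client checks are development defaults; production must point RPKI_RTR_TLS_CERTS_HOST_DIR at real material and enable SAN/IP matching.`, and consider the `:?` required form for the certs directory so the server cannot start on fixture keys by omission. The enclosing `services:` block begins before this hunk.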
diff --git a/deploy/server/docker-compose.yml b/deploy/server/docker-compose.yml index 351f6ef..c7a2cd2 100644 --- a/deploy/server/docker-compose.yml +++ b/deploy/server/docker-compose.yml @@ -17,14 +17,14 @@ services: RPKI_RTR_ENABLE_TLS: "false" RPKI_RTR_TCP_ADDR: "0.0.0.0:323" RPKI_RTR_TLS_ADDR: "0.0.0.0:324" - RPKI_RTR_DB_PATH: "/app/rtr-db" + RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}" RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}" - RPKI_RTR_SLURM_DIR: "/app/slurm" - RPKI_RTR_STRICT_CCR_VALIDATION: "false" - RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "300" + RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}" + RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}" + RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-300}" RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}" - RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128" - RUST_LOG: "info" + RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}" + RUST_LOG: "${RUST_LOG:-info}" # SSH mode example: # RPKI_RTR_ENABLE_SSH: "true" # RPKI_RTR_SSH_ADDR: "0.0.0.0:22" @@ -37,9 +37,9 @@ services: # RPKI_RTR_SSH_PASSWORD: "test-password" volumes: - ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro - - ../../rtr-db:/app/rtr-db - - ../../data:/app/slurm:ro - - ../../logs/server:/app/logs + - ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db} + - ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro + - ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs # TLS mode example: # - ../../certs:/app/certs:ro networks: diff --git a/src/source/ccr.rs b/src/source/ccr.rs index a57661e..3936880 100644 --- a/src/source/ccr.rs +++ b/src/source/ccr.rs 
@@ -49,7 +49,7 @@ pub fn load_ccr_payloads_from_file_with_options( pub fn find_latest_ccr_file(dir: impl AsRef) -> Result { let dir = dir.as_ref(); - let latest_date_dir = find_latest_subdir_by_name(dir)?; + let latest_date_dir = find_latest_subdir_with_ccr_by_name(dir)?; let scan_dir = latest_date_dir.as_deref().unwrap_or(dir); let mut latest: Option = None; @@ -356,7 +356,7 @@ fn file_name_key(path: &Path) -> String { .unwrap_or_default() } -fn find_latest_subdir_by_name(dir: &Path) -> Result> { +fn find_latest_subdir_with_ccr_by_name(dir: &Path) -> Result> { let mut latest: Option = None; for entry in @@ -368,6 +368,9 @@ fn find_latest_subdir_by_name(dir: &Path) -> Result> { if !path.is_dir() { continue; } + if !contains_ccr_file(&path)? { + continue; + } if latest .as_ref() @@ -379,3 +382,18 @@ fn find_latest_subdir_by_name(dir: &Path) -> Result> { Ok(latest) } + +fn contains_ccr_file(dir: &Path) -> Result { + for entry in + fs::read_dir(dir).with_context(|| format!("failed to read CCR directory: {}", dir.display()))? + { + let entry = + entry.with_context(|| format!("failed to iterate CCR directory: {}", dir.display()))?; + let path = entry.path(); + if path.is_file() && path.extension().and_then(|ext| ext.to_str()) == Some("ccr") { + return Ok(true); + } + } + + Ok(false) +} diff --git a/tests/test_ccr.rs b/tests/test_ccr.rs index 27b5381..d676b0f 100644 --- a/tests/test_ccr.rs +++ b/tests/test_ccr.rs 
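Review bot: `contains_ccr_file` turns a read failure in any one subdirectory (for example a permission-denied `run_*` directory left behind by another process) into a hard error for `find_latest_ccr_file`, because the `?` in `find_latest_subdir_with_ccr_by_name` propagates it; before this change only the name comparison ran and such a directory was harmless. Failing closed is arguably right for an RTR data source, since silently falling back to an older run would serve stale validated data, but it should be a stated decision: document the function with `/// Returns true if `dir` directly contains at least one regular file with a `.ccr` extension (case-sensitive; subdirectories are not searched). Read errors are propagated deliberately so a permission problem surfaces instead of quietly selecting an older run directory.` Please also confirm that this extension test matches the one used by the scan loop in `find_latest_ccr_file` (not visible in the hunk); if they differ, a directory can be selected whose only `.ccr` file the scan loop then rejects. Note that `path.is_file()` follows symlinks, so a dangling link named `*.ccr` does not count, while a link to a file elsewhere does.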
@@ -62,6 +62,21 @@ fn find_latest_ccr_file_picks_latest_date_dir_first() { assert_eq!(latest, newer); } +#[test] +fn find_latest_ccr_file_skips_latest_empty_dir() { + let root = tempdir().expect("create temp root dir"); + let older_dir = root.path().join("run_0011"); + let newer_empty_dir = root.path().join("run_0012"); + fs::create_dir_all(&older_dir).expect("create older dir"); + fs::create_dir_all(&newer_empty_dir).expect("create newer empty dir"); + + let expected = older_dir.join("20260401T000001Z-a.ccr"); + fs::write(&expected, b"older").expect("write older ccr"); + + let latest = find_latest_ccr_file(root.path()).expect("find latest ccr"); + assert_eq!(latest, expected); +} + #[test] fn snapshot_to_payloads_with_options_skips_invalid_aspa_when_not_strict() { let snapshot = ParsedCcrSnapshot {
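Review bot: The new test only covers a newest directory that is completely empty, so the `.ccr`-extension branch of `contains_ccr_file` — rejecting a directory that holds files of other types, such as a partially synced `*.ccr.tmp` — goes untested. Pin it by writing a non-CCR file into `run_0012` before the call, `fs::write(newer_empty_dir.join("20260401T000002Z-a.ccr.tmp"), b"partial").expect("write non-ccr file");`, and keep the assertion that `run_0011`'s file still wins (rename `newer_empty_dir` accordingly). A second case worth a sibling test is every subdirectory lacking CCR files, which makes `find_latest_ccr_file` fall back to scanning `root` itself via `latest_date_dir.as_deref().unwrap_or(dir)`; the existing suite may already cover it, but it is not visible here.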