增加环境变量

xiuting.xu 2026-05-18 11:42:33 +08:00
parent a11f2bc864
commit cdf9372929
18 changed files with 210 additions and 89 deletions

deploy/bird/.env Normal file

@ -0,0 +1,33 @@
# Build-time image knob.
RPKI_BIRD_VERSION=3.2.1
# TCP mode target endpoint.
RPKI_BIRD_RPKI_HOST=rpki-rtr-tcp
RPKI_BIRD_RPKI_PORT=323
# SSH mode target endpoint.
RPKI_BIRD_SSH_RPKI_HOST=rpki-rtr
RPKI_RTR_SSH_PORT=22
# Config template paths in container.
RPKI_BIRD_CONFIG_TEMPLATE_PATH=/config/bird.conf.template
RPKI_BIRD_SSH_CONFIG_TEMPLATE_PATH=/config/bird.conf.ssh.template
# Observation and output knobs.
RPKI_BIRD_OBSERVE_PROTO=rpki_tcp
RPKI_BIRD_OBSERVE_MODE=interval
RPKI_BIRD_OBSERVE_DEBOUNCE_SECS=1
RPKI_BIRD_OBSERVE_INTERVAL=30
RPKI_BIRD_OBSERVE_ASPA_TABLE=rtr_aspa
RPKI_BIRD_OBSERVE_ROA4_TABLE=rtr_roa_v4
RPKI_BIRD_OBSERVE_ROA6_TABLE=rtr_roa_v6
RPKI_BIRD_OBSERVE_ASPA_COUNT=3
RPKI_BIRD_OBSERVE_ROA4_COUNT=3
RPKI_BIRD_OBSERVE_ROA6_COUNT=3
RPKI_BIRD_SHOW_ASPA=1
RPKI_BIRD_SHOW_ROA4=1
RPKI_BIRD_SHOW_ROA6=1
# Host volume mounts.
RPKI_BIRD_LOG_HOST_DIR=../../logs/bird
RPKI_BIRD_SSH_CERTS_HOST_DIR=../../certs


@ -1,13 +1,13 @@
services:
bird-rpki-client:
environment:
BIRD_CONFIG_TEMPLATE_PATH: "/config/bird.conf.ssh.template"
RPKI_HOST: "rpki-rtr"
BIRD_CONFIG_TEMPLATE_PATH: "${RPKI_BIRD_SSH_CONFIG_TEMPLATE_PATH:-/config/bird.conf.ssh.template}"
RPKI_HOST: "${RPKI_BIRD_SSH_RPKI_HOST:-rpki-rtr}"
RPKI_PORT: "${RPKI_RTR_SSH_PORT:-22}"
OBSERVE_PROTO: "rpki_ssh"
volumes:
- ./bird.conf.ssh.template:/config/bird.conf.ssh.template:ro
- ../../certs:/config/ssh:ro
- ${RPKI_BIRD_SSH_CERTS_HOST_DIR:-../../certs}:/config/ssh:ro
networks:
- rpki_net
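Review bot: The new default `${RPKI_BIRD_SSH_CERTS_HOST_DIR:-../../certs}:/config/ssh:ro` still hands the BIRD container the whole shared `certs` directory. Judging by the other `.env` files in this commit, that same host path also appears to carry `rtr-client.key` for the debug client and `rtr-authorized_keys` for the server, so each container can read key material it has no use for. Now that the host side is a variable, the bird `.env` could point it at a directory holding only the files BIRD's SSH transport needs, with a comment such as `# Directory containing only the BIRD SSH client key material.` The service definition starts outside this hunk.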


@ -4,34 +4,34 @@ services:
context: .
dockerfile: Dockerfile
args:
BIRD_VERSION: "3.2.1"
BIRD_VERSION: "${RPKI_BIRD_VERSION:-3.2.1}"
container_name: bird-rpki-client
restart: unless-stopped
environment:
BIRD_CONFIG_TEMPLATE_PATH: "/config/bird.conf.template"
BIRD_CONFIG_TEMPLATE_PATH: "${RPKI_BIRD_CONFIG_TEMPLATE_PATH:-/config/bird.conf.template}"
RPKI_HOST: "rpki-rtr-tcp"
RPKI_PORT: "323"
RPKI_HOST: "${RPKI_BIRD_RPKI_HOST:-rpki-rtr-tcp}"
RPKI_PORT: "${RPKI_BIRD_RPKI_PORT:-323}"
OBSERVE_PROTO: "rpki_tcp"
OBSERVE_MODE: "interval"
OBSERVE_DEBOUNCE_SECS: "1"
OBSERVE_INTERVAL: "30"
OBSERVE_PROTO: "${RPKI_BIRD_OBSERVE_PROTO:-rpki_tcp}"
OBSERVE_MODE: "${RPKI_BIRD_OBSERVE_MODE:-interval}"
OBSERVE_DEBOUNCE_SECS: "${RPKI_BIRD_OBSERVE_DEBOUNCE_SECS:-1}"
OBSERVE_INTERVAL: "${RPKI_BIRD_OBSERVE_INTERVAL:-30}"
OBSERVE_ASPA_TABLE: "rtr_aspa"
OBSERVE_ROA4_TABLE: "rtr_roa_v4"
OBSERVE_ROA6_TABLE: "rtr_roa_v6"
OBSERVE_ASPA_TABLE: "${RPKI_BIRD_OBSERVE_ASPA_TABLE:-rtr_aspa}"
OBSERVE_ROA4_TABLE: "${RPKI_BIRD_OBSERVE_ROA4_TABLE:-rtr_roa_v4}"
OBSERVE_ROA6_TABLE: "${RPKI_BIRD_OBSERVE_ROA6_TABLE:-rtr_roa_v6}"
OBSERVE_ASPA_COUNT: "3"
OBSERVE_ROA4_COUNT: "3"
OBSERVE_ROA6_COUNT: "3"
OBSERVE_ASPA_COUNT: "${RPKI_BIRD_OBSERVE_ASPA_COUNT:-3}"
OBSERVE_ROA4_COUNT: "${RPKI_BIRD_OBSERVE_ROA4_COUNT:-3}"
OBSERVE_ROA6_COUNT: "${RPKI_BIRD_OBSERVE_ROA6_COUNT:-3}"
SHOW_ASPA: "1"
SHOW_ROA4: "1"
SHOW_ROA6: "1"
SHOW_ASPA: "${RPKI_BIRD_SHOW_ASPA:-1}"
SHOW_ROA4: "${RPKI_BIRD_SHOW_ROA4:-1}"
SHOW_ROA6: "${RPKI_BIRD_SHOW_ROA6:-1}"
volumes:
- ./bird.conf.template:/config/bird.conf.template:ro
- ../../logs/bird:/app/logs
- ${RPKI_BIRD_LOG_HOST_DIR:-../../logs/bird}:/app/logs
networks:
- rpki_net


@ -4,18 +4,24 @@
# SSH example: 10.0.0.12:22
RPKI_RTR_SERVER_ADDR=rpki-rtr-tcp:323
# RTR protocol version used as client command second argument (supported: 0,1,2)
RPKI_RTR_PROTOCOL_VERSION=2
# TLS server name used by --server-name in TLS mode
# Must match server certificate SAN dNSName.
RPKI_RTR_TLS_SERVER_NAME=localhost
RPKI_RTR_TLS_CA_CERT_PATH=/app/certs/client-ca.crt
RPKI_RTR_TLS_CLIENT_CERT_PATH=/app/certs/client-good.crt
RPKI_RTR_TLS_CLIENT_KEY_PATH=/app/certs/client-good.key
RPKI_RTR_TLS_CERTS_HOST_DIR=../../tests/fixtures/tls
# Shared client logs mount on host.
RPKI_RTR_CLIENT_LOG_HOST_DIR=../../logs/client
# SSH mode examples:
# RPKI_RTR_SERVER_ADDR=10.0.0.12:2222
# RPKI_RTR_CLIENT_KEYS_VOLUME=../../certs:/app/certs:ro
# RPKI_RTR_CLIENT_KEY_PATH=/app/certs/rtr-client.key
# RPKI_RTR_SSH_SERVER_PUBKEY_PATH=/app/certs/ssh_host_rsa_key.pub
# RPKI_RTR_SSH_USERNAME=rpki-rtr
# RPKI_RTR_SSH_PASSWORD=your-password
RPKI_RTR_CLIENT_KEYS_VOLUME=../../certs:/app/certs:ro
RPKI_RTR_CLIENT_KEY_PATH=/app/certs/rtr-client.key
RPKI_RTR_SSH_SERVER_PUBKEY_PATH=/app/certs/ssh_host_rsa_key.pub
RPKI_RTR_SSH_USERNAME=rpki-rtr
RPKI_RTR_SSH_PASSWORD=
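Review bot: `RPKI_RTR_SSH_PASSWORD=` is now an active key in a tracked `.env`, so the obvious place to type a real password is a file that gets committed. Keeping the line commented out, or adding `# Leave empty here; supply the value from the shell environment or an untracked override file.` above it, would keep the credential out of version control. The same file defaults `RPKI_RTR_TLS_CERTS_HOST_DIR` to `../../tests/fixtures/tls`, so the default client key is one published with the repository. That default recurs in the TLS client compose file, the server `.env` and the TLS server compose file, and deserves a `# Test fixtures only` comment wherever it appears.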


@ -5,7 +5,7 @@ services:
image: rpki-rtr-debug-client:latest
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
networks:
- rpki_net
@ -14,7 +14,7 @@ services:
image: rpki-rtr-debug-client:latest
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
networks:
- rpki_net
@ -23,7 +23,7 @@ services:
image: rpki-rtr-debug-client:latest
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
networks:
- rpki_net
@ -32,7 +32,7 @@ services:
image: rpki-rtr-debug-client:latest
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
networks:
- rpki_net
@ -41,7 +41,7 @@ services:
image: rpki-rtr-debug-client:latest
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
networks:
- rpki_net


@ -23,7 +23,7 @@ services:
]
volumes:
- ${RPKI_RTR_CLIENT_KEYS_VOLUME:-../../certs:/app/certs:ro}
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
stdin_open: true
tty: true


@ -23,7 +23,7 @@ services:
]
volumes:
- ${RPKI_RTR_CLIENT_KEYS_VOLUME:-../../certs:/app/certs:ro}
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
stdin_open: true
tty: true


@ -6,7 +6,7 @@ services:
image: rpki-rtr-debug-client:latest
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
stdin_open: true
tty: true


@ -13,19 +13,19 @@ services:
"reset",
"--tls",
"--ca-cert",
"/app/certs/client-ca.crt",
"${RPKI_RTR_TLS_CA_CERT_PATH:-/app/certs/client-ca.crt}",
"--server-name",
"${RPKI_RTR_TLS_SERVER_NAME:-localhost}",
"--client-cert",
"/app/certs/client-good.crt",
"${RPKI_RTR_TLS_CLIENT_CERT_PATH:-/app/certs/client-good.crt}",
"--client-key",
"/app/certs/client-good.key",
"${RPKI_RTR_TLS_CLIENT_KEY_PATH:-/app/certs/client-good.key}",
"--keep-after-error",
"--summary-only"
]
volumes:
- ../../tests/fixtures/tls:/app/certs:ro
- ../../logs/client:/app/logs
- ${RPKI_RTR_TLS_CERTS_HOST_DIR:-../../tests/fixtures/tls}:/app/certs:ro
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
stdin_open: true
tty: true


@ -6,7 +6,7 @@ services:
image: rpki-rtr-debug-client:latest
command: ["${RPKI_RTR_SERVER_ADDR:-rpki-rtr-tcp:323}", "${RPKI_RTR_PROTOCOL_VERSION:-2}", "reset", "--keep-after-error", "--summary-only"]
volumes:
- ../../logs/client:/app/logs
- ${RPKI_RTR_CLIENT_LOG_HOST_DIR:-../../logs/client}:/app/logs
restart: no
stdin_open: true
tty: true


@ -1,8 +1,40 @@
# Host directory containing CCR files to mount into the server container.
# Data source directories on host.
RPKI_RTR_CCR_HOST_DIR=../../data
RPKI_RTR_SLURM_HOST_DIR=../../data
# In-container directory used by rpki_rtr as CCR input directory.
# In-container data source directories.
RPKI_RTR_CCR_DIR=/app/data
RPKI_RTR_SLURM_DIR=/app/slurm
# Max retained delta count in RTR cache.
# Persistent directories on host.
RPKI_RTR_DB_HOST_DIR=../../rtr-db
RPKI_RTR_LOG_HOST_DIR=../../logs/server
# In-container runtime paths.
RPKI_RTR_DB_PATH=/app/rtr-db
# Core runtime knobs.
RPKI_RTR_STRICT_CCR_VALIDATION=false
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS=300
RPKI_RTR_MAX_DELTA=10
RPKI_RTR_MAX_CONNECTIONS=100000
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES=128
RUST_LOG=info
# TLS mode knobs.
RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH=false
RPKI_RTR_TLS_CERT_PATH=/app/certs/server-dns.crt
RPKI_RTR_TLS_KEY_PATH=/app/certs/server-dns.key
RPKI_RTR_TLS_CLIENT_CA_PATH=/app/certs/client-ca.crt
RPKI_RTR_TLS_CERTS_HOST_DIR=../../tests/fixtures/tls
# SSH mode knobs.
RPKI_RTR_SSH_HOST_PORT=2222
RPKI_RTR_SSH_CONTAINER_PORT=22
RPKI_RTR_SSH_AUTH_MODE=key
RPKI_RTR_SSH_USERNAME=rpki-rtr
RPKI_RTR_SSH_SUBSYSTEM_NAME=rpki-rtr
RPKI_RTR_SSH_HOST_KEY_PATH=/host-ssh/ssh_host_ed25519_key
RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH=/app/certs/rtr-authorized_keys
RPKI_RTR_SSH_KEYS_VOLUME=/etc/ssh:/host-ssh:ro
RPKI_RTR_SSH_CERTS_HOST_DIR=../../certs
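Review bot: `RPKI_RTR_SSH_KEYS_VOLUME=/etc/ssh:/host-ssh:ro` combined with `RPKI_RTR_SSH_HOST_KEY_PATH=/host-ssh/ssh_host_ed25519_key` makes the Docker host's own sshd private key the identity of the RTR service and lets the container read every host key under `/etc/ssh`. A compromise of the container would then also expose the host's SSH identity. A dedicated host key for the RTR server, mounted as a single file, keeps the two apart; the volume would become a one-file mount and the key path something like `/host-ssh/<rtr-host-key>` (placeholder). `RPKI_RTR_STRICT_CCR_VALIDATION=false` and `RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH=false` are relaxed settings and would benefit from a comment saying so.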


@ -20,6 +20,23 @@ The container runs `rpki` directly as PID 1.
- SLURM directory: `/app/slurm`
- TLS cert directory (optional): `/app/certs`
## Path Configuration via `.env`
- `RPKI_RTR_CCR_HOST_DIR`: host CCR directory mounted into container
- `RPKI_RTR_SLURM_HOST_DIR`: host SLURM directory mounted into container
- `RPKI_RTR_CCR_DIR`: in-container CCR directory path
- `RPKI_RTR_SLURM_DIR`: in-container SLURM directory path
- `RPKI_RTR_DB_HOST_DIR`: host RocksDB directory
- `RPKI_RTR_LOG_HOST_DIR`: host log directory
- `RPKI_RTR_DB_PATH`: in-container RocksDB directory
## Runtime Configuration via `.env`
- Core: `RPKI_RTR_STRICT_CCR_VALIDATION`, `RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS`, `RPKI_RTR_MAX_DELTA`, `RPKI_RTR_MAX_CONCURRENT_HANDSHAKES`, `RUST_LOG`
- TCP mode: `RPKI_RTR_MAX_CONNECTIONS`
- TLS mode: `RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH`, `RPKI_RTR_TLS_CERT_PATH`, `RPKI_RTR_TLS_KEY_PATH`, `RPKI_RTR_TLS_CLIENT_CA_PATH`, `RPKI_RTR_TLS_CERTS_HOST_DIR`
- SSH mode: `RPKI_RTR_SSH_HOST_PORT`, `RPKI_RTR_SSH_CONTAINER_PORT`, `RPKI_RTR_SSH_AUTH_MODE`, `RPKI_RTR_SSH_USERNAME`, `RPKI_RTR_SSH_SUBSYSTEM_NAME`, `RPKI_RTR_SSH_HOST_KEY_PATH`, `RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH`, `RPKI_RTR_SSH_KEYS_VOLUME`, `RPKI_RTR_SSH_CERTS_HOST_DIR`
## Start
```bash


@ -24,21 +24,21 @@ services:
RPKI_RTR_SSH_AUTH_MODE: "${RPKI_RTR_SSH_AUTH_MODE:-key}"
# Optional: enable password authentication in addition to publickey
# RPKI_RTR_SSH_PASSWORD: "test-password"
RPKI_RTR_DB_PATH: "/app/rtr-db"
RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}"
RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}"
RPKI_RTR_SLURM_DIR: "/app/slurm"
RPKI_RTR_STRICT_CCR_VALIDATION: "false"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "300"
RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}"
RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-300}"
RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128"
RUST_LOG: "info"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}"
RUST_LOG: "${RUST_LOG:-info}"
volumes:
- ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro
- ../../rtr-db:/app/rtr-db
- ../../data:/app/slurm:ro
- ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db}
- ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro
- ${RPKI_RTR_SSH_KEYS_VOLUME:-/etc/ssh:/host-ssh:ro}
- ../../certs:/app/certs:ro
- ../../logs/server:/app/logs
- ${RPKI_RTR_SSH_CERTS_HOST_DIR:-../../certs}:/app/certs:ro
- ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs
networks:
- rpki_net


@ -14,20 +14,20 @@ services:
RPKI_RTR_ENABLE_TLS: "false"
RPKI_RTR_ENABLE_SSH: "false"
RPKI_RTR_TCP_ADDR: "0.0.0.0:323"
RPKI_RTR_DB_PATH: "/app/rtr-db"
RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}"
RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}"
RPKI_RTR_SLURM_DIR: "/app/slurm"
RPKI_RTR_STRICT_CCR_VALIDATION: "false"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "60"
RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}"
RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-60}"
RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}"
RPKI_RTR_MAX_CONNECTIONS: "100000"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128"
RUST_LOG: "info"
RPKI_RTR_MAX_CONNECTIONS: "${RPKI_RTR_MAX_CONNECTIONS:-100000}"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}"
RUST_LOG: "${RUST_LOG:-info}"
volumes:
- ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro
- ../../rtr-db:/app/rtr-db
- ../../data:/app/slurm:ro
- ../../logs/server:/app/logs
- ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db}
- ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro
- ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs
networks:
- rpki_net
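Review bot: The fallback in `RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-60}"` is unlikely ever to apply, because the server `.env` added in this commit sets the variable to `300`. If Compose loads that `.env` for this file, TCP mode silently moves from a 60-second to a 300-second source refresh, which delays how quickly updated or withdrawn data reaches routers. Either document the change or give TCP mode its own variable, e.g. `${RPKI_RTR_TCP_SOURCE_REFRESH_INTERVAL_SECS:-60}`. The service block starts outside this hunk.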


@ -16,24 +16,24 @@ services:
RPKI_RTR_ENABLE_SSH: "false"
RPKI_RTR_TCP_ADDR: "0.0.0.0:323"
RPKI_RTR_TLS_ADDR: "0.0.0.0:324"
RPKI_RTR_TLS_CERT_PATH: "/app/certs/server-dns.crt"
RPKI_RTR_TLS_KEY_PATH: "/app/certs/server-dns.key"
RPKI_RTR_TLS_CLIENT_CA_PATH: "/app/certs/client-ca.crt"
RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH: "false"
RPKI_RTR_DB_PATH: "/app/rtr-db"
RPKI_RTR_TLS_CERT_PATH: "${RPKI_RTR_TLS_CERT_PATH:-/app/certs/server-dns.crt}"
RPKI_RTR_TLS_KEY_PATH: "${RPKI_RTR_TLS_KEY_PATH:-/app/certs/server-dns.key}"
RPKI_RTR_TLS_CLIENT_CA_PATH: "${RPKI_RTR_TLS_CLIENT_CA_PATH:-/app/certs/client-ca.crt}"
RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH: "${RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH:-false}"
RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}"
RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}"
RPKI_RTR_SLURM_DIR: "/app/slurm"
RPKI_RTR_STRICT_CCR_VALIDATION: "false"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "300"
RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}"
RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-300}"
RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128"
RUST_LOG: "info"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}"
RUST_LOG: "${RUST_LOG:-info}"
volumes:
- ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro
- ../../rtr-db:/app/rtr-db
- ../../data:/app/slurm:ro
- ../../tests/fixtures/tls:/app/certs:ro
- ../../logs/server:/app/logs
- ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db}
- ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro
- ${RPKI_RTR_TLS_CERTS_HOST_DIR:-../../tests/fixtures/tls}:/app/certs:ro
- ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs
networks:
- rpki_net


@ -17,14 +17,14 @@ services:
RPKI_RTR_ENABLE_TLS: "false"
RPKI_RTR_TCP_ADDR: "0.0.0.0:323"
RPKI_RTR_TLS_ADDR: "0.0.0.0:324"
RPKI_RTR_DB_PATH: "/app/rtr-db"
RPKI_RTR_DB_PATH: "${RPKI_RTR_DB_PATH:-/app/rtr-db}"
RPKI_RTR_CCR_DIR: "${RPKI_RTR_CCR_DIR:-/app/data}"
RPKI_RTR_SLURM_DIR: "/app/slurm"
RPKI_RTR_STRICT_CCR_VALIDATION: "false"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "300"
RPKI_RTR_SLURM_DIR: "${RPKI_RTR_SLURM_DIR:-/app/slurm}"
RPKI_RTR_STRICT_CCR_VALIDATION: "${RPKI_RTR_STRICT_CCR_VALIDATION:-false}"
RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS: "${RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS:-300}"
RPKI_RTR_MAX_DELTA: "${RPKI_RTR_MAX_DELTA:-10}"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "128"
RUST_LOG: "info"
RPKI_RTR_MAX_CONCURRENT_HANDSHAKES: "${RPKI_RTR_MAX_CONCURRENT_HANDSHAKES:-128}"
RUST_LOG: "${RUST_LOG:-info}"
# SSH mode example:
# RPKI_RTR_ENABLE_SSH: "true"
# RPKI_RTR_SSH_ADDR: "0.0.0.0:22"
@ -37,9 +37,9 @@ services:
# RPKI_RTR_SSH_PASSWORD: "test-password"
volumes:
- ${RPKI_RTR_CCR_HOST_DIR:-../../data}:${RPKI_RTR_CCR_DIR:-/app/data}:ro
- ../../rtr-db:/app/rtr-db
- ../../data:/app/slurm:ro
- ../../logs/server:/app/logs
- ${RPKI_RTR_DB_HOST_DIR:-../../rtr-db}:${RPKI_RTR_DB_PATH:-/app/rtr-db}
- ${RPKI_RTR_SLURM_HOST_DIR:-../../data}:${RPKI_RTR_SLURM_DIR:-/app/slurm}:ro
- ${RPKI_RTR_LOG_HOST_DIR:-../../logs/server}:/app/logs
# TLS mode example:
# - ../../certs:/app/certs:ro
networks:


@ -49,7 +49,7 @@ pub fn load_ccr_payloads_from_file_with_options(
pub fn find_latest_ccr_file(dir: impl AsRef<Path>) -> Result<PathBuf> {
let dir = dir.as_ref();
let latest_date_dir = find_latest_subdir_by_name(dir)?;
let latest_date_dir = find_latest_subdir_with_ccr_by_name(dir)?;
let scan_dir = latest_date_dir.as_deref().unwrap_or(dir);
let mut latest: Option<PathBuf> = None;
@ -356,7 +356,7 @@ fn file_name_key(path: &Path) -> String {
.unwrap_or_default()
}
fn find_latest_subdir_by_name(dir: &Path) -> Result<Option<PathBuf>> {
fn find_latest_subdir_with_ccr_by_name(dir: &Path) -> Result<Option<PathBuf>> {
let mut latest: Option<PathBuf> = None;
for entry in
@ -368,6 +368,9 @@ fn find_latest_subdir_by_name(dir: &Path) -> Result<Option<PathBuf>> {
if !path.is_dir() {
continue;
}
if !contains_ccr_file(&path)? {
continue;
}
if latest
.as_ref()
@ -379,3 +382,18 @@ fn find_latest_subdir_by_name(dir: &Path) -> Result<Option<PathBuf>> {
Ok(latest)
}
fn contains_ccr_file(dir: &Path) -> Result<bool> {
for entry in
fs::read_dir(dir).with_context(|| format!("failed to read CCR directory: {}", dir.display()))?
{
let entry =
entry.with_context(|| format!("failed to iterate CCR directory: {}", dir.display()))?;
let path = entry.path();
if path.is_file() && path.extension().and_then(|ext| ext.to_str()) == Some("ccr") {
return Ok(true);
}
}
Ok(false)
}
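Review bot: `contains_ccr_file(&path)?` in `find_latest_subdir_with_ccr_by_name` has two quiet failure modes. A newer directory without a `.ccr` file is skipped with a bare `continue`, so the server keeps serving an older snapshot with no signal that the newest run produced nothing; a log line naming the skipped directory would make a stalled producer visible. Conversely, one unreadable or concurrently removed sibling directory now aborts the whole lookup through `?`, even when another directory holds a usable file. The check is also case-sensitive and non-recursive, which is worth stating in a doc comment such as `/// Returns whether the directory directly contains a regular file with the "ccr" extension.` The bodies of `find_latest_ccr_file` and `find_latest_subdir_with_ccr_by_name` extend beyond the visible hunks.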


@ -62,6 +62,21 @@ fn find_latest_ccr_file_picks_latest_date_dir_first() {
assert_eq!(latest, newer);
}
#[test]
fn find_latest_ccr_file_skips_latest_empty_dir() {
let root = tempdir().expect("create temp root dir");
let older_dir = root.path().join("run_0011");
let newer_empty_dir = root.path().join("run_0012");
fs::create_dir_all(&older_dir).expect("create older dir");
fs::create_dir_all(&newer_empty_dir).expect("create newer empty dir");
let expected = older_dir.join("20260401T000001Z-a.ccr");
fs::write(&expected, b"older").expect("write older ccr");
let latest = find_latest_ccr_file(root.path()).expect("find latest ccr");
assert_eq!(latest, expected);
}
#[test]
fn snapshot_to_payloads_with_options_skips_invalid_aspa_when_not_strict() {
let snapshot = ParsedCcrSnapshot {