# Deployment (Docker Compose)

This project runs `src/main.rs` as a long-running server that:

1. loads latest `.ccr` from a configured directory,
2. applies optional SLURM filtering,
3. starts RTR server.

The container runs `rpki` directly as PID 1.

## Files

- `deploy/server/Dockerfile`
- `deploy/server/docker-compose.yml`

## Runtime Paths in Container

- CCR directory: `/app/data`
- RocksDB directory: `/app/rtr-db`
- SLURM directory: `/app/slurm`
- Report directory: `/app/report`
- TLS cert directory (optional): `/app/certs`

## Path Configuration via `.env`

- `RPKI_RTR_CCR_HOST_DIR`: host CCR directory mounted into container
- `RPKI_RTR_SLURM_HOST_DIR`: host SLURM directory mounted into container
- `RPKI_RTR_CCR_DIR`: in-container CCR directory path
- `RPKI_RTR_SLURM_DIR`: in-container SLURM directory path
- `RPKI_RTR_DB_HOST_DIR`: host RocksDB directory
- `RPKI_RTR_LOG_HOST_DIR`: host log directory
- `RPKI_RTR_REPORT_HOST_DIR`: host directory receiving split RTR JSON reports
- `RPKI_RTR_DB_PATH`: in-container RocksDB directory
- `RPKI_RTR_REPORT_DIR`: in-container report directory

## Runtime Configuration via `.env`

- Core: `RPKI_RTR_STRICT_CCR_VALIDATION`, `RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS`, `RPKI_RTR_MAX_DELTA`, `RPKI_RTR_MAX_CONCURRENT_HANDSHAKES`, `RPKI_RTR_RUNTIME_REPORT_INTERVAL_SECS`, `RPKI_RTR_REPORT_HISTORY_LIMIT`, `RPKI_RTR_TIMEZONE`, `RPKI_RTR_ADMIN_ADDR`, `RPKI_RTR_ADMIN_TOKEN`, `RUST_LOG`
- TCP mode: `RPKI_RTR_MAX_CONNECTIONS`
- TLS mode: `RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH`, `RPKI_RTR_TLS_CERT_PATH`, `RPKI_RTR_TLS_KEY_PATH`, `RPKI_RTR_TLS_CLIENT_CA_PATH`, `RPKI_RTR_TLS_CERTS_HOST_DIR`
- SSH mode: `RPKI_RTR_SSH_HOST_PORT`, `RPKI_RTR_SSH_CONTAINER_PORT`, `RPKI_RTR_SSH_AUTH_MODE`, `RPKI_RTR_SSH_USERNAME`, `RPKI_RTR_SSH_SUBSYSTEM_NAME`, `RPKI_RTR_SSH_HOST_KEY_PATH`, `RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH`, `RPKI_RTR_SSH_KEYS_VOLUME`, `RPKI_RTR_SSH_CERTS_HOST_DIR`

## Start

```bash
docker compose -f deploy/server/docker-compose.yml up -d --build
```

## Stop

```bash
docker compose -f deploy/server/docker-compose.yml down
```

## Logs

```bash
docker compose -f deploy/server/docker-compose.yml logs -f rpki-rtr
```

The admin API can also stream the redirected log file:

```bash
curl -N "http://127.0.0.1:8323/admin/rtr/logs/tail?stream=stdout&lines=200" \
  -H "Authorization: Bearer $RPKI_RTR_ADMIN_TOKEN"
```

It reads `/app/logs/${HOSTNAME}.stdout.log` or `.stderr.log` by default. Set `RPKI_RTR_LOG_DIR` and `RPKI_RTR_LOG_NAME` to override that lookup.

## Runtime Report

The server writes split JSON reports. Each report file uses a local-time timestamp suffix and each category keeps `RPKI_RTR_REPORT_HISTORY_LIMIT` files, defaulting to 10.

- `rtr-source-*.json`: CCR and SLURM source metadata, latest refresh status, data quality counts, cache snapshot counts, and delta counts. Written on startup and source refresh events.
- `rtr-clients-*.json`: active client connection counts and counts by transport (`tcp`, `tls`, `ssh`). Written on startup and whenever the active connection count changes.
- `rtr-runtime-*.json`: service start time, uptime, process RSS, and non-sensitive runtime configuration. Written on startup and every `RPKI_RTR_RUNTIME_REPORT_INTERVAL_SECS`, defaulting to 300 seconds.

Timestamps in logs and report JSON files use `RPKI_RTR_TIMEZONE`, which defaults to `Asia/Shanghai`. Use IANA timezone names such as `Asia/Shanghai`, `Europe/London`, `America/New_York`, or `UTC`; `Shanghai` is accepted as a convenience alias for `Asia/Shanghai`.

## Runtime Admin Config

The admin endpoint is disabled by default. Set `RPKI_RTR_ADMIN_ADDR` to enable `POST /admin/rtr/config`. If the address is not loopback, `RPKI_RTR_ADMIN_TOKEN` must also be set and requests must include an `Authorization: Bearer` header carrying that token.

The endpoint accepts partial JSON updates. See `docs/rtr-admin-api.md` for the complete request/response schema, examples, and runtime apply semantics.
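
A preflight check for the Runtime Admin Config rule, as an added example that is not part of the project's own tooling: it reads a `.env` file and fails when `RPKI_RTR_ADMIN_ADDR` is a non-loopback address with no `RPKI_RTR_ADMIN_TOKEN`. The function names, the `host:port` / `[ipv6]:port` address form, and treating only literal `127.0.0.0/8` and `::1` addresses as loopback are assumptions.

```bash
#!/bin/sh
# Added example (not project code): preflight check of admin settings in a .env file.
# Assumptions: address is host:port or [ipv6]:port; only literal 127.0.0.0/8
# and ::1 count as loopback, so hostnames are treated as non-loopback.

# Print the last value assigned to key $2 in env file $1 (empty if unset).
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# Succeed when the host part of address $1 is a literal loopback IP.
is_loopback() {
    host=${1%:*}                      # drop ":port"
    host=${host#\[}; host=${host%\]}  # drop IPv6 brackets
    case $host in
        ::1)        return 0 ;;
        *[!0-9.]*)  return 1 ;;       # not a dotted-decimal IPv4 literal
        127.*.*.*)  return 0 ;;
    esac
    return 1
}

# Return 0 when the endpoint is disabled or safely configured,
# 1 when it binds a non-loopback address without a token.
check_admin_env() {
    addr=$(env_value "$1" RPKI_RTR_ADMIN_ADDR)
    token=$(env_value "$1" RPKI_RTR_ADMIN_TOKEN)
    if [ -z "$addr" ]; then
        echo "admin endpoint disabled"; return 0
    fi
    if is_loopback "$addr"; then
        echo "admin endpoint bound to loopback ($addr)"; return 0
    fi
    if [ -z "$token" ]; then
        echo "FAIL: $addr is not loopback and RPKI_RTR_ADMIN_TOKEN is empty" >&2
        return 1
    fi
    echo "admin endpoint on $addr, bearer token required"; return 0
}

# Constructed sample .env: non-loopback bind with an empty token.
sample=$(mktemp)
printf 'RPKI_RTR_ADMIN_ADDR=0.0.0.0:8323\nRPKI_RTR_ADMIN_TOKEN=\n' > "$sample"
check_admin_env "$sample" || echo "fix .env before running docker compose up"
rm -f "$sample"
```

Run `check_admin_env` against the `.env` file used by `deploy/server/docker-compose.yml` before `docker compose up`; a non-zero status means the admin endpoint would be exposed without a token.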