NASP/rpki
63
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rpki/scripts/local_repo_replay/templates
History

README.md

Local Repository Tree Replay Package

This package replays already prepared local RPKI repository trees with Routinator and rpki-client.

It is intentionally independent from CIR:

  • it does not read .cir;
  • it does not read repo-bytes.db;
  • it does not call cir_materialize;
  • it does not generate a local repository tree.

The caller must prepare the local repository/cache tree before running these scripts.

Contents

local-repo-replay-package/
  scripts/
    run_routinator_from_local_tree.sh
    run_rpki_client_from_local_tree.sh
    run_dual_local_tree_replay.sh
    prepare_tals.py
    cir-rsync-wrapper
    cir-local-link-sync.py
    normalize_rp_outputs.py
    compare_normalized_sets.py
    summarize_replay.py
  docs/
    input_tree_requirements.md
    offline_replay_limits.md
    output_files.md
  examples/
    routinator_example.sh
    rpki_client_example.sh
    dual_compare_example.sh
  env.example

Routinator replay

./scripts/run_routinator_from_local_tree.sh \
  --routinator-bin /opt/routinator/target/release/routinator \
  --mirror-root /data/replay/mirror \
  --tal-dir /data/replay/tals \
  --out-dir /data/replay/out/routinator \
  --enable-aspa

The script uses --disable-rrdp, --rsync-command ./scripts/cir-rsync-wrapper, and the local mirror root to satisfy rsync fetches from the local filesystem. The wrapper name is historical; in this package it is only a generic rsync:// to local-path mapper.

If --validation-time is needed for Routinator, set FAKETIME_LIB to a working libfaketime shared library. Otherwise Routinator validates at wall-clock time.

On Ubuntu, install and use faketime like this:

sudo apt-get install -y libfaketime
export FAKETIME_LIB=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
./scripts/run_routinator_from_local_tree.sh \
  --routinator-bin /opt/routinator/target/release/routinator \
  --mirror-root /data/replay/mirror \
  --tal-dir /data/replay/tals \
  --out-dir /data/replay/out/routinator \
  --validation-time 2026-05-14T06:48:00Z \
  --enable-aspa

Without FAKETIME_LIB, old local trees can produce empty or smaller output because Routinator validates manifests and CRLs against current wall-clock time.

rpki-client replay

./scripts/run_rpki_client_from_local_tree.sh \
  --rpki-client-bin /opt/rpki-client/src/rpki-client \
  --mirror-root /data/replay/mirror \
  --tal-dir /data/replay/tals \
  --out-dir /data/replay/out/rpki-client \
  --parser-workers 4

The script uses rpki-client -R -e ./scripts/cir-rsync-wrapper so RRDP is disabled and rsync fetches are served from the local mirror. --cache-dir is an optional working cache directory used by rpki-client during this local replay.

Dual replay

./scripts/run_dual_local_tree_replay.sh \
  --routinator-bin /opt/routinator/target/release/routinator \
  --routinator-mirror-root /data/replay/mirror \
  --rpki-client-bin /opt/rpki-client/src/rpki-client \
  --rpki-client-mirror-root /data/replay/mirror \
  --tal-dir /data/replay/tals \
  --out-dir /data/replay/out/dual

If --validation-time is passed to dual replay, remember to export FAKETIME_LIB first so Routinator and rpki-client use the same logical validation time.

Outputs

Each run writes normalized output:

  • vrps.normalized.txt
  • vaps.normalized.txt
  • summary.json
  • raw RP output and logs
  • process-time.txt

See docs/output_files.md.