rpki/deploy/server/DEPLOYMENT.md
2026-06-23 17:04:00 +08:00

Deployment (Docker Compose)

This project runs src/main.rs as a long-running server that:

  1. loads the latest .ccr file from a configured directory,
  2. applies optional SLURM filtering,
  3. starts the RTR server.

The container runs rpki directly as PID 1.

Files

  • deploy/server/Dockerfile
  • deploy/server/docker-compose.yml

Runtime Paths in Container

  • CCR directory: /app/data
  • RocksDB directory: /app/rtr-db
  • SLURM directory: /app/slurm
  • Report directory: /app/report
  • TLS cert directory (optional): /app/certs

Path Configuration via .env

  • RPKI_RTR_CCR_HOST_DIR: host CCR directory mounted into container
  • RPKI_RTR_SLURM_HOST_DIR: host SLURM directory mounted into container
  • RPKI_RTR_CCR_DIR: in-container CCR directory path
  • RPKI_RTR_SLURM_DIR: in-container SLURM directory path
  • RPKI_RTR_DB_HOST_DIR: host RocksDB directory
  • RPKI_RTR_LOG_HOST_DIR: host log directory
  • RPKI_RTR_REPORT_HOST_DIR: host directory receiving split RTR JSON reports
  • RPKI_RTR_DB_PATH: in-container RocksDB directory
  • RPKI_RTR_REPORT_DIR: in-container report directory

Runtime Configuration via .env

  • Core: RPKI_RTR_STRICT_CCR_VALIDATION, RPKI_RTR_SOURCE_REFRESH_INTERVAL_SECS, RPKI_RTR_MAX_DELTA, RPKI_RTR_MAX_CONCURRENT_HANDSHAKES, RPKI_RTR_RUNTIME_REPORT_INTERVAL_SECS, RPKI_RTR_REPORT_HISTORY_LIMIT, RPKI_RTR_TIMEZONE, RPKI_RTR_ADMIN_ADDR, RPKI_RTR_ADMIN_TOKEN, RUST_LOG
  • TCP mode: RPKI_RTR_MAX_CONNECTIONS
  • TLS mode: RPKI_RTR_ENFORCE_TLS_CLIENT_SAN_IP_MATCH, RPKI_RTR_TLS_CERT_PATH, RPKI_RTR_TLS_KEY_PATH, RPKI_RTR_TLS_CLIENT_CA_PATH, RPKI_RTR_TLS_CERTS_HOST_DIR
  • SSH mode: RPKI_RTR_SSH_HOST_PORT, RPKI_RTR_SSH_CONTAINER_PORT, RPKI_RTR_SSH_AUTH_MODE, RPKI_RTR_SSH_USERNAME, RPKI_RTR_SSH_SUBSYSTEM_NAME, RPKI_RTR_SSH_HOST_KEY_PATH, RPKI_RTR_SSH_AUTHORIZED_KEYS_PATH, RPKI_RTR_SSH_KEYS_VOLUME, RPKI_RTR_SSH_CERTS_HOST_DIR

Start

docker compose -f deploy/server/docker-compose.yml up -d --build

Stop

docker compose -f deploy/server/docker-compose.yml down

Logs

docker compose -f deploy/server/docker-compose.yml logs -f rpki-rtr

The admin API can also stream the redirected log file:

curl -N "http://127.0.0.1:8323/admin/rtr/logs/tail?stream=stdout&lines=200" \
  -H "Authorization: Bearer $RPKI_RTR_ADMIN_TOKEN"

It reads /app/logs/${HOSTNAME}.stdout.log or .stderr.log by default. Set RPKI_RTR_LOG_DIR and RPKI_RTR_LOG_NAME to override that lookup.

Runtime Report

The server writes split JSON reports. Each report file uses a local-time timestamp suffix and each category keeps RPKI_RTR_REPORT_HISTORY_LIMIT files, defaulting to 10.

  • rtr-source-*.json: CCR and SLURM source metadata, latest refresh status, data quality counts, cache snapshot counts, and delta counts. Written on startup and source refresh events.
  • rtr-clients-*.json: active client connection counts and counts by transport (tcp, tls, ssh). Written on startup and whenever the active connection count changes.
  • rtr-runtime-*.json: service start time, uptime, process RSS, and non-sensitive runtime configuration. Written on startup and every RPKI_RTR_RUNTIME_REPORT_INTERVAL_SECS, defaulting to 300 seconds.

Timestamps in logs and report JSON files use RPKI_RTR_TIMEZONE, which defaults to Asia/Shanghai. Use IANA timezone names such as Asia/Shanghai, Europe/London, America/New_York, or UTC; Shanghai is accepted as a convenience alias for Asia/Shanghai.

Runtime Admin Config

The admin endpoint is disabled by default. Set RPKI_RTR_ADMIN_ADDR to enable POST /admin/rtr/config. If the address is not loopback, RPKI_RTR_ADMIN_TOKEN must also be set and requests must include Authorization: Bearer <token>.

The endpoint accepts partial JSON updates. See docs/rtr-admin-api.md for the complete request/response schema, examples, and runtime apply semantics.
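The rule above (a non-loopback RPKI_RTR_ADMIN_ADDR must be paired with RPKI_RTR_ADMIN_TOKEN) is easy to get wrong in a .env file, so here is an added preflight script that checks it before docker compose is started. This is example code, not part of the project; it assumes a .env file of unquoted KEY=VALUE lines with optional '#' comments, and the script name check-admin.sh is hypothetical.

```shell
# Added preflight check, not part of the project: enforces the rule that
# a non-loopback RPKI_RTR_ADMIN_ADDR requires RPKI_RTR_ADMIN_TOKEN. Assumes a
# .env file of unquoted KEY=VALUE lines ('#' comments allowed), path in $1.

# Host part of "host:port", "[v6]:port", "[v6]", bare IPv6 or bare host.
admin_host() {
  case "$1" in
    \[*\]:*) h=${1#\[}; printf '%s\n' "${h%%\]*}" ;;
    \[*\])   h=${1#\[}; printf '%s\n' "${h%\]}" ;;
    *:*:*)   printf '%s\n' "$1" ;;            # bare IPv6, no port
    *:*)     printf '%s\n' "${1%%:*}" ;;     # host:port
    *)       printf '%s\n' "$1" ;;
  esac
}

# 0 when the host is loopback: 127.0.0.0/8, ::1 or localhost.
admin_addr_is_loopback() {
  case "$(admin_host "$1")" in
    127.*|::1|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when the (addr, token) pair is acceptable, 1 when it would expose an
# unauthenticated admin endpoint off-host.
check_admin_config() {
  addr=$1; token=$2
  if [ -z "$addr" ]; then
    echo "admin endpoint disabled (RPKI_RTR_ADMIN_ADDR unset)"; return 0
  fi
  if admin_addr_is_loopback "$addr"; then
    echo "admin endpoint bound to loopback $addr"; return 0
  fi
  if [ -z "$token" ]; then
    echo "ERROR: $addr is not loopback and RPKI_RTR_ADMIN_TOKEN is empty" >&2
    return 1
  fi
  echo "admin endpoint on $addr requires a bearer token"; return 0
}

# Last KEY=VALUE assignment for KEY ($2) in the .env file ($1), or empty.
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}
# Usage: sh check-admin.sh deploy/server/.env
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  check_admin_config "$(env_value "$1" RPKI_RTR_ADMIN_ADDR)" \
                     "$(env_value "$1" RPKI_RTR_ADMIN_TOKEN)"
fi
```

A non-zero exit means the .env would bind the admin API off-host without a token, which is the misconfiguration the rule above forbids.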