author Rob Austein <sra@hactrn.net> 2016-08-03 23:46:44 -0400
committer Rob Austein <sra@hactrn.net> 2016-08-03 23:46:44 -0400
commit 949e9c8358b5259656c02e4a1ada7912d943afd2
tree 4d04acc169abb7d7f7e08790a98736ba8214f97d
parent 14a9628f0552d3818cd58fb085e7544cdbb3b5eb
Try another conversion pass to salvage more of the links.
-rw-r--r-- doc/00.RPKI.md 19
-rw-r--r-- doc/01.RPKI.Installation.md 14
-rw-r--r-- doc/02.RPKI.Installation.DebianPackages.md 4
-rw-r--r-- doc/03.RPKI.Installation.FreeBSDPorts.md 38
-rw-r--r-- doc/04.RPKI.Installation.FromSource.md 21
-rw-r--r-- doc/05.RPKI.RP.md 46
-rw-r--r-- doc/06.RPKI.RP.rcynic.md 59
-rw-r--r-- doc/07.RPKI.RP.rpki-rtr.md 19
-rw-r--r-- doc/08.RPKI.RP.RunningUnderCron.md 4
-rw-r--r-- doc/09.RPKI.RP.HierarchicalRsync.md 10
-rw-r--r-- doc/10.RPKI.RP.rcynicChroot.md 6
-rw-r--r-- doc/11.RPKI.CA.md 63
-rw-r--r-- doc/12.RPKI.CA.Configuration.md 49
-rw-r--r-- doc/18.RPKI.CA.Configuration.rootd.md 5
-rw-r--r-- doc/19.RPKI.CA.Configuration.CreatingRoot.md 10
-rw-r--r-- doc/24.RPKI.CA.MySQLSetup.md 16
-rw-r--r-- doc/26.RPKI.CA.UI.md 26
-rw-r--r-- doc/27.RPKI.CA.UI.rpkic.md 17
-rw-r--r-- doc/28.RPKI.CA.UI.GUI.md 41
-rw-r--r-- doc/29.RPKI.CA.UI.GUI.Installing.md 13
-rw-r--r-- doc/30.RPKI.CA.UI.GUI.Upgrading.md 10
-rw-r--r-- doc/31.RPKI.CA.UI.GUI.Upgrading.BeforeMigration.md 10
-rw-r--r-- doc/32.RPKI.CA.UI.GUI.Configuring.md 22
-rw-r--r-- doc/33.RPKI.CA.UI.GUI.Configuring.Apache.md 11
-rw-r--r-- doc/36.RPKI.Utils.md 8
-rw-r--r-- doc/37.RPKI.Protocols.md 7
-rw-r--r-- doc/38.RPKI.Protocols.OOB.md 6
-rw-r--r-- doc/39.RPKI.Protocols.Up-Down.md 10
-rw-r--r-- doc/rpki-wiki-to-markdown.py 5
29 files changed, 329 insertions, 240 deletions
diff --git a/doc/00.RPKI.md b/doc/00.RPKI.md
index b932536d..30a830e1 100644
--- a/doc/00.RPKI.md
+++ b/doc/00.RPKI.md
@@ -3,32 +3,39 @@
This collection of tools implements both the production (CA) and relying party
(RP) sides of an RPKI environment.
-Source code for the entire project is available on [GitHub](https://github.com/dragonresearch/rpki.net).
+Source code for the entire project is available on [GitHub][].
## Download and Install
Full source code is available, as are binary packages for a few platforms.
-See the [installation instructions](01.RPKI.Installation.md) for how
+See the [installation instructions][Installation] for how
to download the code and install it once you've downloaded it.
## Relying Party Tools
If you operate routers and want to use RPKI data to help secure them, you
-should look at the [relying party tools](05.RPKI.RP.md).
+should look at the [relying party tools][RP].
## CA Tools
If you control RPKI resources and need an engine let you request certificates,
issue ROAs, or issue certificates to other entities, you should look at the
-[CA tools](11.RPKI.CA.md).
+[CA tools][CA].
## Thanks
-From 2006 through 2008, this work was funded by [ARIN](http://www.arin.net/).
+From 2006 through 2008, this work was funded by [ARIN][].
-From 2009 through 2016, this work was funded by [DHS](http://www.dhs.gov/).
+From 2009 through 2016, this work was funded by [DHS][].
Special thanks to Michael Elkins, who wrote the web GUI and generally
served as a second brain and second set of eyeballs on a long list of
thorny technical problems.
+
+[GitHub]: https://github.com/dragonresearch/rpki.net
+[Installation]: 01.RPKI.Installation.md
+[RP]: 05.RPKI.RP.md
+[CA]: 11.RPKI.CA.md
+[ARIN]: http://www.arin.net/
+[DHS]: http://www.dhs.gov/
diff --git a/doc/01.RPKI.Installation.md b/doc/01.RPKI.Installation.md
index 4af682a3..c530ee7e 100644
--- a/doc/01.RPKI.Installation.md
+++ b/doc/01.RPKI.Installation.md
@@ -6,7 +6,7 @@ platform on which you're trying to install.
## Debian and Ubuntu
On Ubuntu 16.04 LTS ("Xenial") or Debian 8 ("Jessie"), you can use
-[Debian binary packages](02.RPKI.Installation.DebianPackages.md).
+[Debian binary packages][Debian].
## Simple RPKI Cache Install
@@ -26,16 +26,22 @@ CA.
## FreeBSD
-On FreeBSD, you can use [FreeBSD ports](03.RPKI.Installation.FreeBSDPorts.md).
+On FreeBSD, you can use [FreeBSD ports][FreeBSD].
## Other Platforms
On all other platforms, or on the above platforms if the pre-packaged versions
don't suit your needs, you will have to
-[install from source code](04.RPKI.Installation.FromSource.md).
+[install from source code][Source].
Once you've finished installing the code, you will need to configure it. Since
CAs are generally also relying parties (if only so that they can check the
results of their own actions), you will generally want to start by configuring
-[the relying party tools](05.RPKI.RP.md), then configure [the CA tools](11.RPKI.CA.md)
+[the relying party tools][RP], then configure [the CA tools][CA]
if you're planning to use them.
+
+[Debian]: 02.RPKI.Installation.DebianPackages.md
+[FreeBSD]: 03.RPKI.Installation.FreeBSDPorts.md
+[Source]: 04.RPKI.Installation.FromSource.md
+[RP]: 05.RPKI.RP.md
+[CA]: 11.RPKI.CA.md
diff --git a/doc/02.RPKI.Installation.DebianPackages.md b/doc/02.RPKI.Installation.DebianPackages.md
index bcc858ff..4ac60d65 100644
--- a/doc/02.RPKI.Installation.DebianPackages.md
+++ b/doc/02.RPKI.Installation.DebianPackages.md
@@ -40,7 +40,7 @@ aptitude should also work.
sudo apt-get install rpki-rp rpki-ca
- * Customize the default `rpki.conf` for your environment as necessary. In particular, you want to change `handle` and `rpkid_server_host`. There are obsessively detailed instructions.
+ * Customize the default `rpki.conf` for your environment as necessary. In particular, you want to change `handle` and `rpkid_server_host`. There are [obsessively detailed instructions][Configuration].
sudo emacs /etc/rpki.conf
@@ -62,3 +62,5 @@ Or, if you only want to update the RPKI tools:
sudo apt-get update
sudo apt-get upgrade rpki-ca rpki-rp
+
+[Configuration]: 12.RPKI.CA.Configuration.md
diff --git a/doc/03.RPKI.Installation.FreeBSDPorts.md b/doc/03.RPKI.Installation.FreeBSDPorts.md
index 278edb25..d4690425 100644
--- a/doc/03.RPKI.Installation.FreeBSDPorts.md
+++ b/doc/03.RPKI.Installation.FreeBSDPorts.md
@@ -21,8 +21,8 @@ like this:
After performing initial installation, you should customize the default
`rpki.conf` for your environment as necessary. In particular, you want to
-change `handle` and `rpkid_server_host`. There are obsessively detailed
-instructions.
+change `handle` and `rpkid_server_host`. There are [obsessively detailed
+instructions][Configuration].
emacs /usr/local/etc/rpki.conf
@@ -52,9 +52,8 @@ defaults where we can, but if you've done a lot of customization to your
## Automated Download and Install with portmaster
-There's a [script](https://download.rpki.net/FreeBSD_Packages/rpki-
-portmaster.sh) you can use to automate the download steps above and perform
-the updates using portmaster. First, download the script:
+There's a [script][portmaster] you can use to automate the download steps above and
+perform the updates using portmaster. First, download the script:
fetch https://download.rpki.net/FreeBSD_Packages/rpki-portmaster.sh
@@ -65,30 +64,5 @@ Then, to install or upgrade, just execute the script:
As with manual download (above) you should customize `rpki.conf` after initial
installation.
-## Automated Download and Install with portupgrade
-
-There's a [script](https://download.rpki.net/FreeBSD_Packages/rpki-
-portupgrade.sh) you can use to automate the download steps above and perform
-the updates using portupgrade. First, download the script:
-
- fetch https://download.rpki.net/FreeBSD_Packages/rpki-portupgrade.sh
-
-Next, you will need to add information about the RPKI ports to two variables
-in `/usr/local/etc/pkgtools.conf` before portupgrade will know how to deal
-with these ports:
-
- EXTRA_CATEGORIES = [
- 'rpki',
- ]
-
- ALT_INDEX = [
- ENV['PORTSDIR'] + '/INDEX.rpki',
- ]
-
-Once you have completed these steps, you can just execute the script to
-install or upgrade the RPKI code:
-
- sh rpki-portupgrade.sh
-
-As with manual download (above) you should customize `rpki.conf` after initial
-installation.
+[Configuration]: 12.RPKI.CA.Configuration.md
+[portmaster]: https://download.rpki.net/FreeBSD_Packages/rpki-portmaster.sh
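Review bot: the removed block from `## Automated Download and Install with portupgrade` down to its closing "As with manual download" paragraph is a content deletion, not a link conversion, and the commit message only mentions salvaging links. Either move the portupgrade removal into its own commit or say in the message why the section is going away, so the change can be found later in the history.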
diff --git a/doc/04.RPKI.Installation.FromSource.md b/doc/04.RPKI.Installation.FromSource.md
index fabad2fa..71d77821 100644
--- a/doc/04.RPKI.Installation.FromSource.md
+++ b/doc/04.RPKI.Installation.FromSource.md
@@ -6,10 +6,9 @@ this means that the build process is essentially the same regardless of which
tools one wants to use. Some of the tools have dependencies on external
packages, although we've tried to keep this to a minimum.
-Most of the tools require an [RFC-3779](http://www.rfc-
-editor.org/rfc/rfc3779.txt)-aware version of the
-[OpenSSL](http://www.openssl.org/) libraries. If necessary, the build process
-will generate its own private copy of the OpenSSL libraries for this purpose.
+Most of the tools require an [RFC-3779][]-aware version of the [OpenSSL][]
+libraries. If necessary, the build process will generate its own private copy
+of the OpenSSL libraries for this purpose.
Other than OpenSSL, most of the relying party tools are fairly self-contained.
The CA tools have a few additional dependencies, described below.
@@ -20,8 +19,8 @@ other platforms, such as Fedora, Ubuntu, Debian, and MacOSX.
## Downloading the Source Code
-The recommended way to obtain the source code is via
-[subversion](https://subversion.apache.org/). To download, do:
+The recommended way to obtain the source code is via [Subversion][]. To
+download, do:
$ svn checkout https://subvert-rpki.hactrn.net/trunk/
@@ -199,5 +198,11 @@ listed here for completeness.
Once you've finished installing the code, you will need to configure it. Since
CAs are generally also relying parties (if only so that they can check the
results of their own actions), you will generally want to start by configuring
-the relying party tools, then configure the CA tools if you're planning to use
-them.
+the [relying party tools][RP], then configure the [CA tools][CA] if you're
+planning to use them.
+
+[RFC-3779]: http://www.rfc-editor.org/rfc/rfc3779.txt
+[OpenSSL]: http://www.openssl.org/
+[Subversion]: https://subversion.apache.org/
+[RP]: 05.RPKI.RP.md
+[CA]: 11.RPKI.CA.md
diff --git a/doc/05.RPKI.RP.md b/doc/05.RPKI.RP.md
index f92c68af..bc42f6f6 100644
--- a/doc/05.RPKI.RP.md
+++ b/doc/05.RPKI.RP.md
@@ -5,18 +5,19 @@ the entity which retrieves RPKI objects from repositories, validates them, and
uses the result of that validation process as input to other processes, such
as BGP security.
-See the CA tools for programs to help you generate RPKI objects, if you need
-to do that.
+See the [CA tools][CA] for programs to help you generate RPKI objects, if you
+need to do that.
-The RP main tools are rcynic and rpki-rtr, each of which is discussed below.
+The RP main tools are [rcynic][RP] and [rpki-rtr][RP], each of which is
+discussed below.
The installation process sets up everything you need for a basic RPKI
validation installation. You will, however, need to think at least briefly
-about which RPKI trust anchors you are using, and may need to change these
-from the defaults.
+about which [RPKI trust anchors][RP] you are using, and may need to change
+these from the defaults.
-The installation process sets up a cron job running running rcynic-cron as
-user "`rcynic`" once per hour at a randomly-selected minute.
+The installation process sets up a cron job running running [rcynic-cron][RP]
+as user "`rcynic`" once per hour at a randomly-selected minute.
## rcynic
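Review bot: `[rcynic][RP]`, `[rpki-rtr][RP]`, `[RPKI trust anchors][RP]` and `[rcynic-cron][RP]` in the added lines all use the `RP` label, which this file defines as `05.RPKI.RP.md`, that is, the page the reader is already on. These read as references to the sections further down ("each of which is discussed below"), so they should carry a fragment for the matching heading (for example one per `## rcynic`, `## rpki-rtr`, `## rcynic-cron`, `## Selecting trust anchors`) rather than the bare file name. The added line also keeps the doubled word in "a cron job running running", which is worth fixing while the paragraph is being touched.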
@@ -25,10 +26,10 @@ validation: checking syntax, signatures, expiration times, and conformance to
the profiles for RPKI objects. The other relying party programs take rcynic's
output as their input.
-The installation process sets up a basic rcynic configuration. See the rcynic
-documentation if you need to know more.
+The installation process sets up a basic rcynic configuration. See the [rcynic
+documentation][rcynic] if you need to know more.
-See the discussion of trust anchors.
+See the [discussion of trust anchors][RP].
## rpki-rtr
@@ -37,13 +38,13 @@ as its data source. rpki-rtr includes the rpki-rtr server, a test client, and
a utiltity for examining the content of the database rpki-rtr generates from
the data supplied by rcynic.
-See the rpki-rtr documentation for further details.
+See the [rpki-rtr documentation][rpki-rtr] for further details.
## rcynic-cron
rcynic-cron is a small script to run the most common set of relying party
-tools under cron. See the discussion of running relying party tools under cron
-for further details.
+tools under cron. See the [discussion of running relying party tools under
+cron][Cron] for further details.
## Selecting trust anchors
@@ -55,7 +56,7 @@ As with most other PKI software, we supply a default set of trust anchors
which you are welcome to use if they suit your needs. These are installed as
part of the normal installation process, so if you don't do anything, you'll
get these. You can, however, override this if you need something different;
-see the rcynic documentation for details.
+see [the rcynic documentation][rcynic] for details.
Remember: It's only a trust anchor if **you** trust it. We can't make that
decision for you.
@@ -63,8 +64,15 @@ decision for you.
Also note that, at least for now, ARIN's trust anchor locator is absent from
the default set of trust anchors. This is not an accident: it's the direct
result of a deliberate policy decision by ARIN to require anyone using their
-trust anchor to [jump through legal
-hoops](https://www.arin.net/resources/rpki/faq.html#tal). If you have a
-problem with this, [complain to ARIN](http://lists.arin.net/mailman/listinfo
-/arin-ppml). If and when ARIN changes this policy, we will be happy to include
-their trust anchor locator along with those of the other RIRs.
+trust anchor to [jump through legal hoops][ARIN-TAL]. If you have a problem with
+this, [complain to ARIN][ARIN-PPML]. If and when ARIN changes this policy, we will be
+happy to include their trust anchor locator along with those of the other
+RIRs.
+
+[CA]: 11.RPKI.CA.md
+[RP]: 05.RPKI.RP.md
+[rcynic]: 06.RPKI.RP.rcynic.md
+[rpki-rtr]: 07.RPKI.RP.rpki-rtr.md
+[Cron]: 08.RPKI.RP.RunningUnderCron.md
+[ARIN-TAL]: https://www.arin.net/resources/rpki/faq.html#tal
+[ARIN-PPML]: http://lists.arin.net/mailman/listinfo/arin-ppml
diff --git a/doc/06.RPKI.RP.rcynic.md b/doc/06.RPKI.RP.rcynic.md
index 38fb17e0..39a05fa9 100644
--- a/doc/06.RPKI.RP.rcynic.md
+++ b/doc/06.RPKI.RP.rcynic.md
@@ -26,14 +26,15 @@ goes well, this should "just work".
be the default configuration, but integrating this properly with platform-
specific packaging systems (FreeBSD ports, `apt-get` on Ubuntu and Debian,
etc) proved impractical. You can still get this behavior if you need it, by
-installing from source and using the `--enable-rcynic-jail` option to
+[installing from source][Source] and using the `--enable-rcynic-jail` option to
`./configure`.
The default configuration set up by `make install` and the various packaging
systems will run `rcynic` under `cron` using the `rcynic-cron` wrapper script.
-See the instructions for setting up your own cron jobs if you need something
-more complicated; also see the instructions for setting up hierarchical rsync
-if you need to build a complex topology of rcynic validators.
+See the [instructions for setting up your own cron jobs][Cron] if you need
+something more complicated; also see the [instructions for setting up
+hierarchical rsync][Cron] if you need to build a complex topology of rcynic
+validators.
## Overview
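Review bot: `[instructions for setting up hierarchical rsync][Cron]` reuses the `Cron` label, which this file defines as `08.RPKI.RP.RunningUnderCron.md`, so the hierarchical rsync link lands on the cron page. The same commit touches `doc/09.RPKI.RP.HierarchicalRsync.md`; add a separate reference definition for that file and point this link at it.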
@@ -76,9 +77,8 @@ objects, but in practice trust anchor locators are more common, as they reduce
the amount of locally configured data to the bare minimum and allow the trust
anchor itself to be updated without requiring reconfiguration of validators
like rcynic. A trust anchor locator is a file in the format specified in
-[RFC-6490](http://www.rfc-editor.org/rfc/rfc6490.txt), consisting of the rsync
-URI of the trust anchor followed by the Base64 encoding of the trust anchor's
-public key.
+[RFC-6490][], consisting of the rsync URI of the trust anchor followed by the
+Base64 encoding of the trust anchor's public key.
Strictly speaking, trust anchors do not need to be self-signed, but many
programs (including OpenSSL) assume that trust anchors will be self-signed.
@@ -481,10 +481,10 @@ certificate in DER format. Value of this option is the pathname of the file.
### trust-anchor-locator
Specify one RPKI trust anchor locator, represented as a local file in the
-format specified in [RFC-6490](http://www.rfc-editor.org/rfc/rfc6490.txt).
-This a simple text format containing an rsync URI and the RSA public key of
-the X.509 object specified by the URI; the first line of the file is the URI,
-the remainder is the public key in Base64 encoded DER format.
+format specified in [RFC-6490][]. This a simple text format containing an
+rsync URI and the RSA public key of the X.509 object specified by the URI; the
+first line of the file is the URI, the remainder is the public key in Base64
+encoded DER format.
Value of this option is the pathname of the file.
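Review bot: the re-wrapped sentence in the added lines still reads "This a simple text format containing an rsync URI", with the verb missing. Since the paragraph is being rewritten anyway, change it to "This is a simple text format".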
@@ -527,10 +527,10 @@ command syntax is:
output directory, along with a set of RRD databases. `rcynic-html` will create
the output directory if necessary.
-`rcynic-html` requires [`rrdtool`](http://www.rrdtool.org/), a specialized
-database and graphing engine designed for this sort of work. You can run
-`rcynic-html` without `rrdtool` by giving it the `--no-show-graphs` option,
-but the result won't be as useful.
+`rcynic-html` requires [`rrdtool`][rrdtool], a specialized database and graphing
+engine designed for this sort of work. You can run `rcynic-html` without
+`rrdtool` by giving it the `--no-show-graphs` option, but the result won't be
+as useful.
`rcynic-html` gets its idea of where to find the `rrdtool` program from
autoconf, which usually works. If for some reason it doesn't work in your
@@ -541,10 +541,10 @@ using the `--rrdtool-binary` option:
### rcynic.xsl
-`rcynic.xsl` was an earlier attempt at the same kind of HTML output as rcynic-
-html generates. XSLT was a convenient language for our initial attempts at
-this, but as the processing involved got more complex, it became obvious that
-we needed a general purpose programming language.
+`rcynic.xsl` was an earlier attempt at the same kind of HTML output as
+[rcynic-html][rcynic] generates. XSLT was a convenient language for our initial
+attempts at this, but as the processing involved got more complex, it became
+obvious that we needed a general purpose programming language.
If for some reason XSLT works better in your environment than Python, you
might find this stylesheet to be a useful starting point, but be warned that
@@ -554,7 +554,7 @@ longer under development.
### rcynic-text
`rcynic-text` provides a quick flat text summary of validation results. This
-is useful primarily in test scripts (smoketest uses it).
+is useful primarily in test scripts ([smoketest][CA] uses it).
Usage:
@@ -575,12 +575,11 @@ Usage:
### rcynic-svn
-`rcynic-svn` is a tool for archiving `rcynic`'s results in a
-[Subversion](http://subversion.apache.org/) repository. `rcynic-svn` is not
-integrated into `rcynic-cron`, because this is not something that every
-relying party is going to want to do. However, for relying parties who want to
-analyze `rcynic`'s output over a long period of time, `rcynic-svn` may provide
-a useful starting point starting point.
+`rcynic-svn` is a tool for archiving `rcynic`'s results in a [Subversion][]
+repository. `rcynic-svn` is not integrated into `rcynic-cron`, because this is
+not something that every relying party is going to want to do. However, for
+relying parties who want to analyze `rcynic`'s output over a long period of
+time, `rcynic-svn` may provide a useful starting point starting point.
To use `rcynic-svn`, you first must set up a Subversion repository and check
out a working directory:
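Review bot: the last added line of the `rcynic-svn` paragraph ends with "a useful starting point starting point.", carrying the duplicated phrase over from the removed text. Drop the repeat while re-wrapping.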
@@ -615,3 +614,11 @@ the other arguments are the names of those portions of `rcynic`'s output which
you wish to archive. Generally, the above set (`authenticated`,
`unauthenticated`, and `rcynic.xml`) are the ones you want, but feel free to
experiment.
+
+[Source]: 04.RPKI.Installation.FromSource.md
+[Cron]: 08.RPKI.RP.RunningUnderCron.md
+[RFC-6490]: http://www.rfc-editor.org/rfc/rfc6490.txt
+[rrdtool]: http://www.rrdtool.org/
+[rcynic]: 06.RPKI.RP.rcynic.md
+[CA]: 11.RPKI.CA.md
+[Subversion]: http://subversion.apache.org/
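Review bot: `[Subversion]: http://subversion.apache.org/` here uses plain HTTP, while the definition added to `doc/04.RPKI.Installation.FromSource.md` in this same commit uses `https://subversion.apache.org/`. Use the HTTPS form in both files so the two definitions of the same label agree. Separately, `[rcynic]: 06.RPKI.RP.rcynic.md` is a link to this file itself, so `[rcynic-html][rcynic]` needs a fragment to reach the `rcynic-html` section.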
diff --git a/doc/07.RPKI.RP.rpki-rtr.md b/doc/07.RPKI.RP.rpki-rtr.md
index 017f55ab..59f6fdb0 100644
--- a/doc/07.RPKI.RP.rpki-rtr.md
+++ b/doc/07.RPKI.RP.rpki-rtr.md
@@ -1,16 +1,15 @@
# rpki-rtr
-`rpki-rtr` is an implementation of the ["RPKI-router" protocol
-(RFC-6810)](http://www.rfc-editor.org/rfc/rfc6810.txt).
+`rpki-rtr` is an implementation of the ["RPKI-router" protocol (RFC-6810)][RFC-6810].
-`rpki-rtr` depends on `rcynic` to collect and validate the RPKI data. `rpki-
-rtr`'s's job is to serve up that data in a lightweight format suitable for
-routers that want to do prefix origin authentication.
+`rpki-rtr` depends on [rcynic][] to collect and validate the RPKI data.
+`rpki-rtr`'s's job is to serve up that data in a lightweight format suitable
+for routers that want to do prefix origin authentication.
To use `rpki-rtr`, you need to do two things beyond just running `rcynic`:
- 1. You need to post-process `rcynic`'s output into the data files used by rpki-rtr. The `rcynic-cron` script handles this automatically, so the default installation should already be taking care of this for you.
- 2. You need to set up a listener for the `rpki-rtr` server, using the generated data files. The platform-specific packages for FreeBSD, Debian, and Ubuntu automatically set up a plain TCP listener, but you will have to do something on other platforms, or if you're using a transport protocol other than plain TCP.
+ 1. You need to [post-process `rcynic`'s output][rpki-rtr] into the data files used by rpki-rtr. The `rcynic-cron` script handles this automatically, so the default installation should already be taking care of this for you.
+ 2. You need to [set up a listener][rpki-rtr] for the `rpki-rtr` server, using the generated data files. The platform-specific packages for FreeBSD, Debian, and Ubuntu automatically set up a plain TCP listener, but you will have to do something on other platforms, or if you're using a transport protocol other than plain TCP.
## Post-processing rcynic's output
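Review bot: the added line "`rpki-rtr`'s's job is to serve up that data" keeps the doubled possessive from the original; it should be "`rpki-rtr`'s job". In the numbered list, `[post-process `rcynic`'s output][rpki-rtr]` and `[set up a listener][rpki-rtr]` both resolve to `07.RPKI.RP.rpki-rtr.md`, the current page, so neither takes the reader to the section it names; give each a fragment for its heading.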
@@ -117,7 +116,7 @@ required by the protocol specification.
`rpki-rtr listener` is a free-standing plain TCP server which just listens on
a TCP socket then forks a child process running `rpki-rtr server`.
-All of the caveats regarding plain TCP apply to `rpki-rtr listener`.
+All of the [caveats regarding plain TCP][rpki-rtr] apply to `rpki-rtr listener`.
`rpki-rtr listener` takes one required argument, the TCP port number on which
to listen; it also accepts a second argument which specifies the rcynic output
@@ -145,3 +144,7 @@ running the rpki-rtr link over an unsecured TCP connection.
$ rpki-rtr client tcp <hostname> <port>
2. `rpki-rtr show` will display a text dump of pre-digested data files in the current directory.
+
+[RFC-6810]: http://www.rfc-editor.org/rfc/rfc6810.txt
+[rcynic]: 06.RPKI.RP.rcynic.md
+[rpki-rtr]: 07.RPKI.RP.rpki-rtr.md
diff --git a/doc/08.RPKI.RP.RunningUnderCron.md b/doc/08.RPKI.RP.RunningUnderCron.md
index bcfc2eb6..bea2e4dc 100644
--- a/doc/08.RPKI.RP.RunningUnderCron.md
+++ b/doc/08.RPKI.RP.RunningUnderCron.md
@@ -5,7 +5,7 @@ cron daemon. Consequently, most of the other tools are also designed to run
under the cron daemon, so that they can make use of rcynic's output
immediately after rcynic finishes a validation run.
-rcynic-cron runs the basic set of relying party tools (`rcynic`, `rcynic-
+[rcynic-cron][RP] runs the basic set of relying party tools (`rcynic`, `rcynic-
html`, and `rpki-rtr cronjob`); if this suffices for your purposes, you don't
need to do anything else. This section is a discussion of alternative
approaches.
@@ -57,3 +57,5 @@ If you use the chroot program instead of chrootuid, change the line that
invokes rcynic to:
/usr/sbin/chroot --userspec rcynic:rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf || exit
+
+[RP]: 05.RPKI.RP.md
diff --git a/doc/09.RPKI.RP.HierarchicalRsync.md b/doc/09.RPKI.RP.HierarchicalRsync.md
index d996379c..196f0d2d 100644
--- a/doc/09.RPKI.RP.HierarchicalRsync.md
+++ b/doc/09.RPKI.RP.HierarchicalRsync.md
@@ -11,10 +11,10 @@ Note
The relying parties in this configuration still perform their own validation, they just let the gatherers do the work of collecting the unvalidated data for them.
A gatherer in a configuration like this would look just like a stand-alone
-relying party as discussed above. The only real difference is that a gatherer
-must also make its unauthenticated data collection available to other relying
-parties. Assuming the standard configuration, this will be the directory
-`/var/rcynic/data/unauthenticated` and its subdirectories.
+relying party as discussed [above][HierarchicalRsync]. The only real difference is that a
+gatherer must also make its unauthenticated data collection available to other
+relying parties. Assuming the standard configuration, this will be the
+directory `/var/rcynic/data/unauthenticated` and its subdirectories.
There are two slightly different ways to do this with rsync:
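Review bot: `[above][HierarchicalRsync]` is defined as `09.RPKI.RP.HierarchicalRsync.md`, the file containing the link, so "as discussed above" now links the page to itself. If the stand-alone relying party discussion lives in another document, point the label at that file; if it is a section of this page, add the heading fragment.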
@@ -84,3 +84,5 @@ Configuration for such a module would look like:
transfer logging = yes
path = /var/rcynic/data/unauthenticated
comment = Unauthenticated RPKI data
+
+[HierarchicalRsync]: 09.RPKI.RP.HierarchicalRsync.md
diff --git a/doc/10.RPKI.RP.rcynicChroot.md b/doc/10.RPKI.RP.rcynicChroot.md
index 27a5eb7b..27db8b03 100644
--- a/doc/10.RPKI.RP.rcynicChroot.md
+++ b/doc/10.RPKI.RP.rcynicChroot.md
@@ -10,8 +10,8 @@ Makefiles, but you may still want to understand what all this is trying to do.
rcynic itself does not include any direct support for running chrooted, but is
designed to be (relatively) easy to run in a chroot jail.
-To enable chroot support during installation, you should install from source
-and use the `--enable-rcynic-jail` option to `./configure`.
+To enable chroot support during installation, you should [install from
+source][1] and use the `--enable-rcynic-jail` option to `./configure`.
rcynic-cron includes support for running chrooted. To use it, specify the
`--chroot` option on rcynic-cron's command line. This will cause rcynic-cron
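Review bot: `[install from source][1]` uses a numeric reference label, while `doc/06.RPKI.RP.rcynic.md` in this commit uses the named label `[Source]` for the same target, `04.RPKI.Installation.FromSource.md`. Pick one convention across the converted files; named labels are easier to keep correct when definitions are added or reordered.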
@@ -157,3 +157,5 @@ is to add the following lines to /etc/rc.conf:
This tells syslogd to listen on an additional `PF_UNIX` socket within rcynic's
chroot jail.
+
+[1]: 04.RPKI.Installation.FromSource.md
diff --git a/doc/11.RPKI.CA.md b/doc/11.RPKI.CA.md
index dd523fc8..a26f91e9 100644
--- a/doc/11.RPKI.CA.md
+++ b/doc/11.RPKI.CA.md
@@ -6,18 +6,18 @@ implemented primarily in Python, with an extension module linked against an
RFC-3779-enabled version of the OpenSSL libraries to handle some of the low-
level details.
-See the relying party tools for tools for retrieving, verifying, and using
-RPKI data.
+See the [relying party tools][1] for tools for retrieving, verifying, and
+using RPKI data.
## Getting started
If you just want to get started with the CA tools and hate reading
documentation, here's a roadmap on what you do need to read:
- 1. Start with the installation instructions; if you're using pre-built packages you may be able to skip this step.
- 2. Then read the configuration instructions
- 3. Then the MySQL setup instructions
- 4. And finally either the command line tool or web interface
+ 1. Start with the [installation instructions][2]; if you're using pre-built packages you may be able to skip this step.
+ 2. Then read the [configuration instructions][3]
+ 3. Then the [MySQL setup instructions][4]
+ 4. And finally either the [command line tool][5] or [web interface][6]
## Overview of the CA engine
@@ -44,7 +44,7 @@ RPKI::
### Programs
-See the installation instructions for how to build and install the code.
+See the [installation instructions][2] for how to build and install the code.
The RPKI CA engine includes the following programs:
@@ -81,16 +81,17 @@ irdbd, rpkic, and the GUI collectively make up the "Internet registry back
end" (IRBE) component of the system.
These programs take configuration files in a common format similar to that
-used by the OpenSSL command line tool, see the configuration guide for
+used by the OpenSSL command line tool, see the [configuration guide][3] for
details.
Basic operation consists of creating the appropriate MySQL databases (see
-MySQL setup), starting the daemons, and using rpkic or the web interface to
-configure relationships between parents and children, relationships between
-publication clients and repositories, allocate resources to children, and
-create ROAs. Once setup is complete, rpkid should maintain the requested data
-automatically, including re-querying its parent(s) periodically to check for
-changes, reissuing certificates and other objects as needed, and so forth.
+[MySQL setup][4]), starting the daemons, and using [rpkic][5] or [the web
+interface][6] to configure relationships between parents and children,
+relationships between publication clients and repositories, allocate resources
+to children, and create ROAs. Once setup is complete, rpkid should maintain
+the requested data automatically, including re-querying its parent(s)
+periodically to check for changes, reissuing certificates and other objects as
+needed, and so forth.
The daemons are all event-driven, and are (in theory) capable of supporting an
arbitrary number of hosted RPKI engines to run in a single rpkid instance, up
@@ -98,7 +99,7 @@ to the performance limits of the underlying hardware.
## Starting the servers
-You need to follow the instructions in the configuration guide before
+You need to follow the instructions in the [configuration guide][3] before
attempting to start the servers.
Once you've written the servers' configuration file, the easiest way to run
@@ -125,18 +126,18 @@ debugging.
Some of the configuration options are common to all daemons: which daemon they
affect depends only on which sections of the configuration file they are in.
-See Common Options for details.
+See [Common Options][7] for details.
### rpkid
rpkid is the main RPKI engine daemon. Configuration of rpkid is a two step
process: a config file to bootstrap rpkid to the point where it can speak
-using the left-right protocol, followed by dynamic configuration via the left-
-right protocol. The latter stage is handled by the command line tool or the
-web interface.
+using the [left-right protocol][8], followed by dynamic configuration via the
+left-right protocol. The latter stage is handled by the [command line tool][5]
+or the [web interface][6].
rpkid stores dynamic data in an SQL database, which must have been created for
-it, as explained in in the MySQL setup instructions.
+it, as explained in in the [MySQL setup instructions][4].
### pubd
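Review bot: the added line "it, as explained in in the [MySQL setup instructions][4]." keeps the doubled "in" from the removed text. The pubd paragraph in the next hunk has the correct "as explained in the"; make this one match.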
@@ -150,10 +151,10 @@ pubd is separate from rpkid for two reasons:
* The publication server has to run on (or at least close to) the publication point itself, which in turn must be on a publically reachable server to be useful. rpkid, on the other hand, need only be reachable by the IRBE and its children in the RPKI tree. rpkid is a much more complex piece of software than pubd, so in some situations it might make sense to wrap tighter firewall constraints around rpkid than would be practical if rpkid and pubd were a single program.
pubd stores dynamic data in an SQL database, which must have been created for
-it, as explained in the MySQL setup instructions. pubd also stores the
+it, as explained in the [MySQL setup instructions][4]. pubd also stores the
published objects themselves as disk files in a configurable location which
should correspond to an appropriate module definition in rsync.conf; see the
-configuration guide for details.
+[configuration guide][3] for details.
### rootd
@@ -162,7 +163,7 @@ down protocol. It's a separate program because the root certificate of an RPKI
certificate tree requires special handling and may also require a special
handling policy. rootd is a simple implementation intended for test use, it's
not suitable for use in a production system. All configuration comes via the
-config file; see the configuration guide for details.
+config file; see the [configuration guide][3] for details.
### irdbd
@@ -181,7 +182,7 @@ implementatation. Ordinarly you won't care about this, but if for some reason
you need to write your own irdbd implementation, you might find it easier to
start from the minimal version.
-See the configuration guide for details on configuring irdbd.
+See the [configuration guide][3] for details on configuring irdbd.
## Test programs
@@ -197,8 +198,8 @@ resource assignments, in a relatively compact form. The test programs use
these descriptions to generate a set of configuration files, populate the back
end database, and drive the test.
-See the test configuration language for details on the content of these YAML
-files.
+See the [test configuration language][9] for details on the content of these
+YAML files.
### smoketest
@@ -229,3 +230,13 @@ test description file. This may change in the future.
Running yamltest will generate a fairly complete set configuration files,
which may be useful as examples.
+
+[1]: 05.RPKI.RP.md
+[2]: 01.RPKI.Installation.md
+[3]: 12.RPKI.CA.Configuration.md
+[4]: 24.RPKI.CA.MySQLSetup.md
+[5]: 27.RPKI.CA.UI.rpkic.md
+[6]: 28.RPKI.CA.UI.GUI.md
+[7]: 13.RPKI.CA.Configuration.Common.md
+[8]: 35.RPKI.CA.Protocols.LeftRight.md
+[9]: 22.RPKI.CA.Configuration.Tests.md
diff --git a/doc/12.RPKI.CA.Configuration.md b/doc/12.RPKI.CA.Configuration.md
index d1ded6fb..22804b18 100644
--- a/doc/12.RPKI.CA.Configuration.md
+++ b/doc/12.RPKI.CA.Configuration.md
@@ -48,7 +48,7 @@ during installation, it's either `/etc/rpki.conf` or
There are _many_ other configuration options, but setting the above correctly
should suffice to get you started with the default configuration. Read on for
-details if you need to know more, otherwise go to next steps.
+details if you need to know more, otherwise go to [next steps][1].
## Configuration file syntax
@@ -106,7 +106,7 @@ The list of options that you can set in `rpki.conf` is ridiculously long. The
default configuration includes what we hope are reasonable default settings
for all of them, so in many cases you will never need to know about most of
these options. A number of the options for individual programs are specified
-in terms of other options, using the macro facility described above.
+in terms of other options, using the macro facility [described above][2].
In general, if you don't understand what an option does, you probably should
leave it alone.
@@ -115,14 +115,14 @@ Detailed information about individual options is listed in separate sections,
one per section of `rpki.conf`. These documentation sections are generated
from the same source file as the sample configuration file.
- * Common Options
- * [myrpki] section
- * [rpkid] section
- * [irdbd] section
- * [pubd] section
- * [rootd] section
- * [web_portal] section
- * [autoconf] section
+ * [ Common Options ][3]
+ * [ [myrpki] section ][4]
+ * [ [rpkid] section ][5]
+ * [ [irdbd] section ][6]
+ * [ [pubd] section ][7]
+ * [ [rootd] section ][8]
+ * [ [web_portal] section ][9]
+ * [ [autoconf] section ][10]
## rsyncd.conf
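Review bot: the new list items such as `[ [rpkid] section ][5]` keep the converter's padding spaces inside the link text and rely on nested, unescaped brackets. Consider trimming the padding and escaping the inner brackets (`[\[rpkid\] section][5]`) so the section names do not depend on how a given Markdown renderer handles nested brackets.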
@@ -154,24 +154,39 @@ pages for more details.
## Running your own RPKI root
In general, we do not recommend running your own RPKI root environment, for
-various reasons. If, however, you need to do so, you should read the
-documentation for the [rootd] section , and the instructions for creating a
-RPKI root certificate .
+various reasons. If, however, you need to do so, you should read [ the
+documentation for the [rootd] section ][8], and [ the instructions for
+creating a RPKI root certificate ][11].
## Running rpkid or pubd on a different server
The default configuration runs rpkid, pubd (if enabled) and the back end code
all on the same server. For most purposes, this is fine, but in some cases you
might want to split these functions up among different servers. If you need to
-do this, see these instructions.
+do this, see [these instructions][12].
## Configuring the test harness
We expect the test harness to be of interest primarily to developers, but if
-you need to understand how it works, you will probably want to read these
-instructions.
+you need to understand how it works, you will probably want to read [these
+instructions][13].
## Next steps
Once you've finished with configuration, the next thing you should read is the
-MySQL setup instructions.
+[MySQL setup instructions][14].
+
+[1]: 12.RPKI.CA.Configuration.md
+[2]: 12.RPKI.CA.Configuration.md
+[3]: 13.RPKI.CA.Configuration.Common.md
+[4]: 14.RPKI.CA.Configuration.myrpki.md
+[5]: 15.RPKI.CA.Configuration.rpkid.md
+[6]: 16.RPKI.CA.Configuration.irdbd.md
+[7]: 17.RPKI.CA.Configuration.pubd.md
+[8]: 18.RPKI.CA.Configuration.rootd.md
+[9]: 20.RPKI.CA.Configuration.web_portal.md
+[10]: 21.RPKI.CA.Configuration.autoconf.md
+[11]: 19.RPKI.CA.Configuration.CreatingRoot.md
+[12]: 23.RPKI.CA.Configuration.DifferentServer.md
+[13]: 22.RPKI.CA.Configuration.Tests.md
+[14]: 24.RPKI.CA.MySQLSetup.md
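Review bot: reference definitions `[1]` and `[2]` both resolve to `12.RPKI.CA.Configuration.md`, which is this file, with no fragment. The "next steps" and "described above" links therefore only reload the page instead of jumping to the "Next steps" and "Configuration file syntax" sections. Either point them at the section anchors or leave those two phrases unlinked. The multi-line link text `[ the documentation for the [rootd] section ][8]` in this hunk also carries the same padding and nested brackets as the option list and would benefit from the same cleanup.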
diff --git a/doc/18.RPKI.CA.Configuration.rootd.md b/doc/18.RPKI.CA.Configuration.rootd.md
index a8d09eac..939aa0ff 100644
--- a/doc/18.RPKI.CA.Configuration.rootd.md
+++ b/doc/18.RPKI.CA.Configuration.rootd.md
@@ -105,9 +105,8 @@ Filename (as opposed to rsync URI) of rootd's root RPKI certificate.
## rpki-subject-pkcs10
-Where rootd should stash a copy of the PKCS [#10](/ticket/10 "enhancement:
-Things Keyur wanted when he saw rcynic-ng's HTML \(closed: fixed\)" ) request
-it gets from its one (and only) child
+Where rootd should stash a copy of the PKCS #10 request it gets from its
+one (and only) child
rpki-subject-pkcs10 = ${myrpki::bpki_servers_directory}/rootd.subject.pkcs10
diff --git a/doc/19.RPKI.CA.Configuration.CreatingRoot.md b/doc/19.RPKI.CA.Configuration.CreatingRoot.md
index 4340369e..777cf6e0 100644
--- a/doc/19.RPKI.CA.Configuration.CreatingRoot.md
+++ b/doc/19.RPKI.CA.Configuration.CreatingRoot.md
@@ -1,9 +1,9 @@
# Creating an RPKI Root Certificate
-rootd does not create RPKI root certificates automatically. If you're running
-your own root, you have to do this yourself. The usual method of doing this is
-to use the OpenSSL command line tool. The exact details will depend on which
-resources you need to put in the root certificate, the URIs for your
+[rootd][] does not create RPKI root certificates automatically. If you're
+running your own root, you have to do this yourself. The usual method of doing
+this is to use the OpenSSL command line tool. The exact details will depend on
+which resources you need to put in the root certificate, the URIs for your
publication server, and so forth, but the general form looks something like
this:
@@ -119,3 +119,5 @@ key to PKCS #1 format with a script like this:
echo Converted
mv root.key.new root.key
fi
+
+[rootd]: 18.RPKI.CA.Configuration.rootd.md
diff --git a/doc/24.RPKI.CA.MySQLSetup.md b/doc/24.RPKI.CA.MySQLSetup.md
index be00ef5f..bad9dd8e 100644
--- a/doc/24.RPKI.CA.MySQLSetup.md
+++ b/doc/24.RPKI.CA.MySQLSetup.md
@@ -3,12 +3,12 @@
You need to install MySQL and set up the relevant databases before starting
rpkid, irdbd, or pubd.
-See the Installation Guide for details on where to download MySQL and find
-documentation on installing it.
+See the [Installation Guide][Installation] for details on where to download MySQL and
+find documentation on installing it.
-See the Configuration Guide for details on the configuration file settings the
-daemons will use to find and authenticate themselves to their respective
-databases.
+See the [Configuration Guide][Configuration] for details on the configuration file
+settings the daemons will use to find and authenticate themselves to their
+respective databases.
Before you can (usefully) start any of the daemons, you will need to set up
the MySQL databases they use. You can do this by hand, or you can use the
@@ -58,4 +58,8 @@ where `pubd_database`, `pubd_user` `pubd_password` match the values you used
in your configuration file.
Once you've finished configuring MySQL, the next thing you should read is the
-instructions for the user interface tools.
+instructions for the [user interface tools][UI].
+
+[Installation]: 01.RPKI.Installation.md
+[Configuration]: 12.RPKI.CA.Configuration.md
+[UI]: 26.RPKI.CA.UI.md
diff --git a/doc/26.RPKI.CA.UI.md b/doc/26.RPKI.CA.UI.md
index fe64aa1f..8f05a518 100644
--- a/doc/26.RPKI.CA.UI.md
+++ b/doc/26.RPKI.CA.UI.md
@@ -9,12 +9,12 @@ no existing back end with a fairly large programming project. The user
interface tools attempt to fill that gap. Together with irdbd, these tools
consitute the "IR back-end" (IRBE) programs.
-rpkic is a command line interface to the the IRBE. The web interface is a
-Django-based graphical user interface to the IRBE. The two user interfaces are
-built on top of the same libraries, and can be used fairly interchangeably.
-Most users will probably prefer the GUI, but the command line interface may be
-useful for scripted control, for testing, or for environments where running a
-web server is not practical.
+[rpkic][1] is a command line interface to the the IRBE. The [web interface][2]
+is a Django-based graphical user interface to the IRBE. The two user
+interfaces are built on top of the same libraries, and can be used fairly
+interchangeably. Most users will probably prefer the GUI, but the command line
+interface may be useful for scripted control, for testing, or for environments
+where running a web server is not practical.
A large registry which already has its own back-end system might want to roll
their own replacement for the entire IRBE package. The tools are designed to
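Review bot: the rewrapped first sentence still says "a command line interface to the the IRBE", with "the" doubled. Worth fixing while the paragraph is being reflowed.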
@@ -49,7 +49,7 @@ While the specific commands one uses differ depending on whether you are using
the command line tool or the GUI, the basic operations during setup phase are
the same:
- 1. If you haven't already done so, install the software, create the rpki.conf for your installation, and set up the MySQL database.
+ 1. If you haven't already done so, [install the software][3], create the [rpki.conf][4] for your installation, and [set up the MySQL database][5].
2. If you haven't already done so, create the initial BPKI database for your installation by running the "rpkic initialize" command. This will also create a BPKI identity for the handle specified in your rpki.conf file. BPKI initialization is tied to creation of the initial BPKI identity for historical reasons. These operations probably ought to be handled by separate commands, and may be in the future.
3. If you haven't already done so, start the servers, using the `rpki-start-servers` script.
4. Send a copy of the XML identity file written out by "rpkic initialize" to each of your parents, somehow (email, USB stick, carrier pigeon, we don't care). The XML identity file will have a filename like ./${handle}.identity.xml where "." is the directory in which you ran rpkic and ${handle} is the handle set in your rpki.conf file or selected with rpkic's `select_identity` command. This XML identity file tells each of your parents what you call yourself, and supplies each parent with a trust anchor for your resource-holding BPKI.
@@ -94,6 +94,14 @@ just the URI of the directory on its command line:
If you need to examine RPKI objects in detail, you have a few options:
- * The RPKI utilities include several programs for dumping RPKI-specific objects in text form.
+ * The [RPKI utilities][6] include several programs for dumping RPKI-specific objects in text form.
* The OpenSSL command line program can also be useful for examining and manipulating certificates and CMS messages, although the syntax of some of the commands can be a bit obscure.
- * Peter Gutmann's excellent [dumpasn1](http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c) program may be useful if you are desperate enough that you need to examine raw ASN.1 objects.
+ * Peter Gutmann's excellent [dumpasn1][7] program may be useful if you are desperate enough that you need to examine raw ASN.1 objects.
+
+[1]: 26.RPKI.CA.UI.md.rpkic
+[2]: 28.RPKI.CA.UI.GUI.md
+[3]: 01.RPKI.Installation.md
+[4]: 12.RPKI.CA.Configuration.md
+[5]: 24.RPKI.CA.MySQLSetup.md
+[6]: 36.RPKI.Utils.md
+[7]: http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
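Review bot: the definition `[1]: 26.RPKI.CA.UI.md.rpkic` does not match any file in this commit; the rpkic page is `27.RPKI.CA.UI.rpkic.md`, as the next file header shows. As written, the `[rpkic][1]` link at the top of this page is broken. It looks like the converter appended the wiki sub-page name to the current file name instead of mapping it to the numbered file.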
diff --git a/doc/27.RPKI.CA.UI.rpkic.md b/doc/27.RPKI.CA.UI.rpkic.md
index 1856489e..1a2df053 100644
--- a/doc/27.RPKI.CA.UI.rpkic.md
+++ b/doc/27.RPKI.CA.UI.rpkic.md
@@ -1,8 +1,9 @@
# The rpkic tool
rpkic is a command line interface to rpkid and pubd. It implements largely the
-same functionality as the web interface. In most cases you will want to use
-the web interface for normal operation, but rpkic is available if you need it.
+same functionality as the [web interface][GUI]. In most cases you will want to
+use the web interface for normal operation, but rpkic is available if you need
+it.
rpkic can be run either in an interactive mode or by passing a single command
on the command line when starting the program; the former mode is intended to
@@ -11,8 +12,8 @@ and automated testing.
Some rpkic commands write out data files, usually in the current directory.
-rpkic uses the same system-wide rpki.conf file as the other CA tools as its
-default configuration file.
+rpkic uses the same system-wide [rpki.conf][Configuration] file as the other CA tools as
+its default configuration file.
rpkic includes a "help" command which provides inline help for its several
commands.
@@ -32,8 +33,8 @@ When running rpkic with a single command on the command line, use the "-i" (or
## rpkic in setup phase
-See the introduction to the user interfaces for an overview of how setup phase
-works. The general structure of the setup phase in rpkic is as described
+See the [introduction to the user interfaces][UI] for an overview of how setup
+phase works. The general structure of the setup phase in rpkic is as described
there, but here we provide the specific commands involved. The following
assumes that you have already installed the software and started the servers.
@@ -79,3 +80,7 @@ exactly the wrong time.
rpkic's "synchronize" command runs a synchronization cycle with rpkid (if
`run_rpkic` is set) and pubd (if `run_pubd` is set).
+
+[GUI]: 28.RPKI.CA.UI.GUI.md
+[Configuration]: 12.RPKI.CA.Configuration.md
+[UI]: 26.RPKI.CA.UI.md
diff --git a/doc/28.RPKI.CA.UI.GUI.md b/doc/28.RPKI.CA.UI.GUI.md
index 2afdb4b4..bca8e9b9 100644
--- a/doc/28.RPKI.CA.UI.GUI.md
+++ b/doc/28.RPKI.CA.UI.GUI.md
@@ -1,9 +1,9 @@
# Installing and Configuring
- * GUI/Installing for new installs
- * GUI/Upgrading for upgrading from a previous install
- * GUI/Configuring
- * GUI/UserModel for instructions on managing users
+ * [GUI/Installing][1] for new installs
+ * [GUI/Upgrading][2] for upgrading from a previous install
+ * [GUI/Configuring][3]
+ * [GUI/UserModel][4] for instructions on managing users
# Using the GUI
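Review bot: the four list items reference `[1]` through `[4]`, but the definitions added at the bottom of this file are named `[Installing]`, `[Upgrading]`, `[Configuring]` and `[UserModel]`, and no numeric definitions are added. None of these links will resolve. Use the named labels in the list (for example `[GUI/Installing][Installing]`) or rename the definitions to match.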
@@ -11,37 +11,42 @@
## Logging in to the GUI
-[![01-login.jpg](/chrome/site/gui-pics/01-login.jpg)](/chrome/site/gui-
-pics/01-login.jpg)
+![][Login]
## The Dashboard - Let's Make a ROA
-[![02-dashboard.jpg](/chrome/site/gui-pics/02-dashboard.jpg)](/chrome/site
-/gui-pics/02-dashboard.jpg)
+![][Dashboard]
## ROA List Currently Empty, So Let's Create One
-[![03-roas.jpg](/chrome/site/gui-pics/03-roas.jpg)](/chrome/site/gui-
-pics/03-roas.jpg)
+![]ROAs]
## Choose an AS and Prefix - Let MaxLen? Default
-[![04-create-roa.jpg](/chrome/site/gui-pics/04-create-roa.jpg)](/chrome/site
-/gui-pics/04-create-roa.jpg)
+![][Create-ROA]
## What Will the Consequences Be? - Confirm OK
-[![05-are-you-sure.jpg](/chrome/site/gui-pics/05-are-you-
-sure.jpg)](/chrome/site/gui-pics/05-are-you-sure.jpg)
+![][Are-You-Sure]
## Now We Can See ROAs - Let's Look at Routes
-> [![06-roa-list.jpg](/chrome/site/gui-pics/06-roa-list.jpg)](/chrome/site
-/gui-pics/06-roa-list.jpg)
+![][ROA-List]
## Real Effect on Routing Table
-[![07-route view.jpg](/chrome/site/gui-pics/07-route%20view.jpg)](/chrome/site
-/gui-pics/07-route%20view.jpg)
+![][Route-View]
## Ghostbusters etc. are Similar
+
+[Installing]: 29.RPKI.CA.UI.GUI.Installing.md
+[Upgrading]: 30.RPKI.CA.UI.GUI.Upgrading.md
+[Configuring]: 32.RPKI.CA.UI.GUI.Configuring.md
+[UserModel]: 34.RPKI.CA.UI.GUI.UserModel.md
+[Login]: 28.RPKI.CA.UI.GUI.00.jpg
+[Dashboard]: 28.RPKI.CA.UI.GUI.01.jpg
+[ROAs]: 28.RPKI.CA.UI.GUI.02.jpg
+[Create-ROA]: 28.RPKI.CA.UI.GUI.03.jpg
+[Are-You-Sure]: 28.RPKI.CA.UI.GUI.04.jpg
+[ROA-List]: 28.RPKI.CA.UI.GUI.05.jpg
+[Route-View]: 28.RPKI.CA.UI.GUI.06.jpg
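Review bot: the image under "ROA List Currently Empty" is written `![]ROAs]`, which is missing the opening bracket of the reference label and will render as literal text; it should be `![][ROAs]`. The other images in this hunk all have empty alt text, whereas the lines they replace carried the file name; a short description in the first pair of brackets would keep the walkthrough readable when the images do not load.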
diff --git a/doc/29.RPKI.CA.UI.GUI.Installing.md b/doc/29.RPKI.CA.UI.GUI.Installing.md
index 7e9855ec..bb582b56 100644
--- a/doc/29.RPKI.CA.UI.GUI.Installing.md
+++ b/doc/29.RPKI.CA.UI.GUI.Installing.md
@@ -1,16 +1,16 @@
# Installing the Web Portal for the First Time
This page documents how to install the web portal software. **If you have
-previously installed the software**, see doc/RPKI/CA/UI/GUI/Upgrading for
+previously installed the software**, see [doc/RPKI/CA/UI/GUI/Upgrading][1] for
instructions.
## Prerequisites
This page assumes that you have already followed the steps to install the CA
-software (see doc/RPKI/Installation)
+software (see [doc/RPKI/Installation][2])
This page assumes that you have already created `/etc/rpki.conf` (see
-doc/RPKI/CA/Configuration)
+[doc/RPKI/CA/Configuration][3])
## Create Database Tables
@@ -33,4 +33,9 @@ does not exist in our setup (we use `rpki-manage` instead`).
## Next Step
-See doc/RPKI/CA/UI/GUI/Configuring
+See [doc/RPKI/CA/UI/GUI/Configuring][4]
+
+[1]: 30.RPKI.CA.UI.GUI.Upgrading.md
+[2]: 01.RPKI.Installation.md
+[3]: 12.RPKI.CA.Configuration.md
+[4]: 32.RPKI.CA.UI.GUI.Configuring.md
diff --git a/doc/30.RPKI.CA.UI.GUI.Upgrading.md b/doc/30.RPKI.CA.UI.GUI.Upgrading.md
index 8c03ce52..0b5c5bb1 100644
--- a/doc/30.RPKI.CA.UI.GUI.Upgrading.md
+++ b/doc/30.RPKI.CA.UI.GUI.Upgrading.md
@@ -1,10 +1,10 @@
# Upgrading from a Previous Version
- * See wiki:doc/RPKI/CA/UI/GUI/Upgrading/BeforeMigration for the special situation where you are upgrading from a release **prior to database migration support being added**.
+ * See [wiki:doc/RPKI/CA/UI/GUI/Upgrading/BeforeMigration][1] for the special situation where you are upgrading from a release **prior to database migration support being added**.
This page describes the steps you must take if you upgrading from a previous
version of the software that is already installed on the system. If you are
-installing for the first time see doc/RPKI/CA/UI/GUI/Installing.
+installing for the first time see [doc/RPKI/CA/UI/GUI/Installing][2].
Run the following commands at a shell prompt. Note that you do not need run
these as the _root_ user, any user with permission to read `/etc/rpki.conf` is
@@ -33,4 +33,8 @@ _root_ in a shell:
## Next Step
-See doc/RPKI/CA/UI/GUI/Configuring
+See [doc/RPKI/CA/UI/GUI/Configuring][3]
+
+[1]: 31.RPKI.CA.UI.GUI.Upgrading.BeforeMigration.md
+[2]: 29.RPKI.CA.UI.GUI.Installing.md
+[3]: 32.RPKI.CA.UI.GUI.Configuring.md
diff --git a/doc/31.RPKI.CA.UI.GUI.Upgrading.BeforeMigration.md b/doc/31.RPKI.CA.UI.GUI.Upgrading.BeforeMigration.md
index 2de17368..a2df6f8f 100644
--- a/doc/31.RPKI.CA.UI.GUI.Upgrading.BeforeMigration.md
+++ b/doc/31.RPKI.CA.UI.GUI.Upgrading.BeforeMigration.md
@@ -3,9 +3,9 @@
This page documents the steps required to upgrade the web portal when you have
a previous version of the software install **prior to migration support via
Django South**. Note that this is a special case and will not apply to most
-situations (see doc/RPKI/CA/UI/GUI/Upgrading for the normal upgrade path). If
-you have already performed the steps on this page previously, then it does not
-apply to your situation.
+situations (see [Upgrading][] for the normal upgrade
+path). If you have already performed the steps on this page previously, then
+it does not apply to your situation.
If you are unsure whether or not you have previously run this command, you can
verify with the following command:
@@ -66,7 +66,7 @@ Now bring your database up to date with the current release:
$ rpki-manage migrate
From this point forward you will follow the steps in
-doc/RPKI/CA/UI/GUI/Upgrading each time you upgrade.
+[Upgrading][] each time you upgrade.
## Restart Apache
@@ -74,3 +74,5 @@ In order to make Apache use the new version of the software, it must be
restarted:
$ apachectl restart
+
+[Upgrading]: 30.RPKI.CA.UI.GUI.Upgrading.md
diff --git a/doc/32.RPKI.CA.UI.GUI.Configuring.md b/doc/32.RPKI.CA.UI.GUI.Configuring.md
index 05da66c5..3c1acf54 100644
--- a/doc/32.RPKI.CA.UI.GUI.Configuring.md
+++ b/doc/32.RPKI.CA.UI.GUI.Configuring.md
@@ -1,16 +1,16 @@
# Configuring the Web Portal
-Also see doc/RPKI/CA/Configuration for documentation on the `/etc/rpki.conf`
-configuration file.
+Also see [doc/RPKI/CA/Configuration][1] for documentation on the
+`/etc/rpki.conf` configuration file.
## Creating Users
-See doc/RPKI/CA/UI/GUI/UserModel
+See [doc/RPKI/CA/UI/GUI/UserModel][2]
## Configuring Apache
In order to use the web portal, Apache must be installed and configured to
-serve the application. See doc/RPKI/CA/UI/GUI/Configuring/Apache.
+serve the application. See [doc/RPKI/CA/UI/GUI/Configuring/Apache][3].
## Error Notifications via Email
@@ -38,9 +38,8 @@ these tasks.
In order for the web portal to display the validation status of routes covered
by a resource holder's RPKI certificates, it needs a source of the currently
announced global routing table. The web portal includes a script which can
-parse the output of the [RouteViews](http://www.routeviews.org) [full
-snapshot](http://archive.routeviews.org/oix-route-views/oix-full-snapshot-
-latest.dat.bz2) (**warning**: links to very large file!).
+parse the output of the [RouteViews][4] [full snapshot][5] (**warning**: links
+to very large file!).
When the software is installed, there will be a `/usr/local/sbin/rpkigui-
import-routes` script that should be invoked periodically. Routeviews.org
@@ -55,7 +54,7 @@ Create an entry in root's crontab such as
### Importing ROAs
If you want the GUI's "routes" page to see ROAs when you click those buttons,
-you will need to run rcynic. see the instructions for setting up rcynic.
+you will need to run rcynic. see the [instructions for setting up rcynic][6].
This data is imported by the `rcynic-cron` script. If you have not already set
up that cron job, you should do so now. Note that by default, rcynic-cron is
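Review bot: the changed line still starts its second sentence in lower case: "you will need to run rcynic. see the [instructions for setting up rcynic][6]." Capitalise "See" while this line is being edited.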
@@ -81,3 +80,10 @@ once a night:
By default it will warn of expiration 14 days in advance, but this may be
changed by using the `-t` command line option and specifying how many days in
advance to check.
+
+[1]: 12.RPKI.CA.Configuration.md
+[2]: 34.RPKI.CA.UI.GUI.UserModel.md
+[3]: 33.RPKI.CA.UI.GUI.Configuring.Apache.md
+[4]: http://www.routeviews.org
+[5]: http://archive.routeviews.org/oix-route-views/oix-full-snapshot-latest.dat.bz2
+[6]: 06.RPKI.RP.rcynic.md
diff --git a/doc/33.RPKI.CA.UI.GUI.Configuring.Apache.md b/doc/33.RPKI.CA.UI.GUI.Configuring.Apache.md
index 13ab0d21..9b81c974 100644
--- a/doc/33.RPKI.CA.UI.GUI.Configuring.Apache.md
+++ b/doc/33.RPKI.CA.UI.GUI.Configuring.Apache.md
@@ -77,8 +77,9 @@ refix> for more information.
Navigate to <https://YOURHOST/rpki/> and you should see the login page for the
web portal.
-Enter the superuser and password in login form (see
-doc/RPKI/CA/UI/GUI/UserModel if you haven't yet created a superuser). If
-you've only done the above bootstrap, there will only be a single handle to
-manage, so the GUI will automatically bring you to the dashboard for that
-handle.
+Enter the superuser and password in login form (see [UserModel][] if
+you haven't yet created a superuser). If you've only done the above
+bootstrap, there will only be a single handle to manage, so the GUI
+will automatically bring you to the dashboard for that handle.
+
+[UserModel]: 34.RPKI.CA.UI.GUI.UserModel.md
diff --git a/doc/36.RPKI.Utils.md b/doc/36.RPKI.Utils.md
index 3bbef1a5..aa668643 100644
--- a/doc/36.RPKI.Utils.md
+++ b/doc/36.RPKI.Utils.md
@@ -145,7 +145,7 @@ Usage:
and prints out the signing time, ASN, and prefixes for each ROA, one ROA per
line.
-Other programs such as the rpki-rtr client use `scan_roas` to extract the
+Other programs such as the [rpki-rtr client][] use `scan_roas` to extract the
validated ROA payload after an rcynic validation run.
Usage:
@@ -165,8 +165,8 @@ Usage:
for BGPSEC router certificates, and prints out data of interest to the rpki-
rtr code.
-Other programs such as the rpki-rtr client use `scan_routercerts` to extract
-the validated ROA payload after an rcynic validation run.
+Other programs such as the [rpki-rtr client][] use `scan_routercerts` to
+extract the validated ROA payload after an rcynic validation run.
Usage:
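Review bot: the rewrapped sentence says `scan_routercerts` is used "to extract the validated ROA payload", but the context line just above describes it as scanning for BGPSEC router certificates. This reads like a copy of the `scan_roas` sentence from the previous hunk. Please confirm and, if so, correct the description here rather than only adding the link.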
@@ -178,3 +178,5 @@ Usage:
`rcynic_directory`
rcynic authenticated output tree
+
+[rpki-rtr client]: 07.RPKI.RP.rpki-rtr.md
diff --git a/doc/37.RPKI.Protocols.md b/doc/37.RPKI.Protocols.md
index 842e756f..35df4984 100644
--- a/doc/37.RPKI.Protocols.md
+++ b/doc/37.RPKI.Protocols.md
@@ -2,5 +2,8 @@
Brief overview of certain RPKI protocols. This is a work in progress.
- * The out-of-band setup protocol
- * The "Up-Down" provisioning protocol
+ * [The out-of-band setup protocol][OOB]
+ * [The "Up-Down" provisioning protocol][Up-Down]
+
+[OOB]: 38.RPKI.Protocols.OOB.md
+[Up-Down]: 39.RPKI.Protocols.Up-Down.md
diff --git a/doc/38.RPKI.Protocols.OOB.md b/doc/38.RPKI.Protocols.OOB.md
index 322c9977..5fd64b52 100644
--- a/doc/38.RPKI.Protocols.OOB.md
+++ b/doc/38.RPKI.Protocols.OOB.md
@@ -10,6 +10,6 @@ In the long run we intend to clean this up and submit the cleaned-up version
as a candidate for IETF standardization, since it seems to be in everyone's
best interests, but we're not there yet.
-[![](https://trac.rpki.net/raw-attachment/wiki/doc/RPKI/Protocols/OOB/oob-
-setup.svg)](https://trac.rpki.net/attachment/wiki/doc/RPKI/Protocols/OOB/oob-
-setup.svg)
+![][OOB]
+
+[OOB]: 38.RPKI.Protocols.OOB.00.svg
diff --git a/doc/39.RPKI.Protocols.Up-Down.md b/doc/39.RPKI.Protocols.Up-Down.md
index 144e116f..51f2835f 100644
--- a/doc/39.RPKI.Protocols.Up-Down.md
+++ b/doc/39.RPKI.Protocols.Up-Down.md
@@ -1,8 +1,8 @@
# RPKI "Up-Down" Provisioning Protocol
-This is the provisioning protocol described in [RFC-6492](http://www.rfc-
-editor.org/rfc/rfc6492.txt).
+This is the provisioning protocol described in [RFC-6492][].
-[![](https://trac.rpki.net/raw-attachment/wiki/doc/RPKI/Protocols/Up-Down/up-
-down.svg)](https://trac.rpki.net/attachment/wiki/doc/RPKI/Protocols/Up-Down
-/up-down.svg)
+![][Up-Down]
+
+[RFC-6492]: http://www.rfc-editor.org/rfc/rfc6492.txt
+[Up-Down]: 39.RPKI.Protocols.Up-Down.00.svg
diff --git a/doc/rpki-wiki-to-markdown.py b/doc/rpki-wiki-to-markdown.py
index 17f4209a..dff87e6b 100644
--- a/doc/rpki-wiki-to-markdown.py
+++ b/doc/rpki-wiki-to-markdown.py
@@ -101,9 +101,8 @@ def main():
urllib.urlretrieve(img_url, fn)
sys.stderr.write("Wrote {}\n".format(fn))
- html2markdown = subprocess.Popen(("html2markdown",),
- stdin = subprocess.PIPE,
- stdout = subprocess.PIPE)
+ html2markdown = subprocess.Popen(("html2markdown", "--no-skip-internal-links", "--reference-links"),
+ stdin = subprocess.PIPE, stdout = subprocess.PIPE)
page.write(html2markdown.stdin)
html2markdown.stdin.close()
lines = html2markdown.stdout.readlines()
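Review bot: nothing in the lines shown checks the exit status of the `html2markdown` child, so if the installed html2markdown rejects `--no-skip-internal-links` or `--reference-links` the script would carry on with whatever came out of stdout. Consider calling `wait()` after reading and failing on a nonzero return code. Separately, the whole page is written to stdin before any of stdout is read; `communicate()` would avoid blocking if a large page fills the pipe. The option tuple would also be easier to extend if it were kept one argument per line, as the removed lines were.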