From 14a9628f0552d3818cd58fb085e7544cdbb3b5eb Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 3 Aug 2016 18:27:49 +0000 Subject: Dump of rpki.net Wiki, to capture content not linked into the manual. --- doc/wiki-dump/doc%2FRPKI%2FRP%2FHierarchicalRsync | 103 ++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 doc/wiki-dump/doc%2FRPKI%2FRP%2FHierarchicalRsync (limited to 'doc/wiki-dump/doc%2FRPKI%2FRP%2FHierarchicalRsync') diff --git a/doc/wiki-dump/doc%2FRPKI%2FRP%2FHierarchicalRsync b/doc/wiki-dump/doc%2FRPKI%2FRP%2FHierarchicalRsync new file mode 100644 index 00000000..6727b073 --- /dev/null +++ b/doc/wiki-dump/doc%2FRPKI%2FRP%2FHierarchicalRsync 
@@ -0,0 +1,103 @@ +[[TracNav(doc/RPKI/TOC)]] +[[PageOutline]] + += Running a hierarchical rsync configuration = + +Having every relying party on the Internet contact every publication +service is not terribly efficient. In many cases, it may make more +sense to use a hierarchical configuration in which a few "gatherer" +relying parties contact the publication servers directly, while a +collection of other relying parties get their raw data from the +gatherers. + + Note:: The relying parties in this configuration still perform their + own validation, they just let the gatherers do the work of + collecting the unvalidated data for them. + +A gatherer in a configuration like this would look just like a +stand-alone relying party as discussed [[#cronjob|above]]. The only +real difference is that a gatherer must also make its unauthenticated +data collection available to other relying parties. Assuming the +standard configuration, this will be the directory +`/var/rcynic/data/unauthenticated` and its subdirectories. + +There are two slightly different ways to do this with rsync: + +1. Via unauthenticated rsync, by configuring an `rsyncd.conf` + "module", or + +2. Via rsync over a secure transport protocol such as ssh. + +Since the downstream relying party performs its own validation in any +case, either of these will work, but using a secure transport such as +ssh makes it easier to track problems back to their source if a +downstream relying party concludes that it's been receiving bad +data. 
+ +Script for a downstream relying party using ssh might look like this: + +{{{ +#!sh +#!/bin/sh - + +PATH=/usr/bin:/bin:/usr/local/bin +umask 022 +eval `/usr/bin/ssh-agent -s` >/dev/null +/usr/bin/ssh-add /root/rpki_ssh_id_rsa 2>&1 | /bin/fgrep -v 'Identity added:' +hosts='larry.example.org moe.example.org curly.example.org' +for host in $hosts +do + /usr/bin/rsync --archive --update --safe-links rpkisync@${host}:/var/rcynic/data/unauthenticated/ /var/rcynic/data/unauthenticated.${host}/ +done +eval `/usr/bin/ssh-agent -s -k` >/dev/null +for host in $hosts +do + /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf -u /data/unauthenticated.${host} + /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /usr/local/www/data/rcynic.${host} +done +cd /var/rcynic/rpki-rtr +/usr/bin/su -m rcynic -c '/usr/local/bin/rpki-rtr cronjob /var/rcynic/data/authenticated' +}}} + +where /root/rpki_ssh_id_rsa is an SSH private key authorized to log in +as user "rpkisync" on the gatherer machines. If you want to lock this +down a little tighter, you could use ssh's `command="..."` +mechanism as described in the sshd documentation to restrict the +rpkisync user so that it can only run this one rsync command. 
+ +If you prefer to use insecure rsync, perhaps to avoid allowing the +downstream relying parties any sort of login access at all on the +gatherer machines, the configuration would look more like this: + +{{{ +#!sh +#!/bin/sh - + +PATH=/usr/bin:/bin:/usr/local/bin +umask 022 +hosts='larry.example.org moe.example.org curly.example.org' +for host in $hosts +do + /usr/bin/rsync --archive --update --safe-links rsync://${host}/unauthenticated/ /var/rcynic/data/unauthenticated.${host}/ +done +for host in $hosts +do + /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic /bin/rcynic -c /etc/rcynic.conf -u /data/unauthenticated.${host} + /var/rcynic/bin/rcynic-html /var/rcynic/data/rcynic.xml /usr/local/www/data/rcynic.${host} +done +cd /var/rcynic/rpki-rtr +/usr/bin/su -m rcynic -c '/usr/local/bin/rpki-rtr cronjob /var/rcynic/data/authenticated' +}}} + +where "unauthenticated" here is an rsync module pointing at +`/var/rcynic/data/unauthenticated` on each of the gatherer +machines. Configuration for such a module would look like: + +{{{ +#!ini +[unauthenticated] + read only = yes + transfer logging = yes + path = /var/rcynic/data/unauthenticated + comment = Unauthenticated RPKI data +}}} -- cgit v1.2.3
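Review bot: the link `[[#cronjob|above]]` in the "A gatherer in a configuration like this" paragraph points at a `#cronjob` anchor that does not exist on this page; since the dump stores each wiki page as a stand-alone file, it should point at the page that actually carries that section (or the text should be reworded to name it) so the reference does not dangle. Two smaller points on the same hunk: the `[unauthenticated]` rsyncd module example is read-only, which is right, but it exposes the directory to any host that can reach the rsync port, so the "If you prefer to use insecure rsync" paragraph could mention rsyncd's `hosts allow` setting as the counterpart of the `command="..."` restriction already suggested for the ssh variant; and both scripts copy with `--archive --update --safe-links` but no `--delete`, so objects withdrawn on the gatherer stay in the downstream `/var/rcynic/data/unauthenticated.${host}/` tree until rcynic expires them, which is worth a sentence so readers know it is intentional.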