[[PageOutline]]

[[TracNav(doc/RPKI/TOC)]]

= Ubuntu trusty 14.04 RPKI Relying Party Cache Install =

Given a running Ubuntu 14.04 server, this should take ten minutes.

== Ingredients ==

You can start with the following:
* A small VM, 4GB disk, 512MB RAM, one processor
* Ubuntu 14.04 i386 server version
* opensshd, and
* Emacs, of course

I am lazy and log in as root as pretty much everything I do is going to
require being root.  If you like sudo, then just prefix a lot with it.

This example uses apt-get.  If you prefer other tools, see the more
detailed page,
https://trac.rpki.net/wiki/doc/RPKI/Installation/DebianPackages.

== Install the Basic RPKI RP Software ==

You should only need to perform these steps once for any particular
machine.

Add the GPG public key for this repository (optional, but APT will whine
unless you do this): 
{{{
wget -q -O - http://download.rpki.net/APT/apt-gpg-key.asc | sudo apt-key add -
}}}

Configure APT to use this repository (for Ubuntu Trusty systems):
{{{
wget -q -O /etc/apt/sources.list.d/rpki.list http://download.rpki.net/APT/rpki.trusty.list
}}}

Update available packages:
{{{
apt-get update
}}}

Install the software:
{{{
apt-get install rpki-rp
}}}

== Minimal Configuration ==

This example install uses the server hostname `test.dfw.rg.net`.  Any
use of that hostname below will have to be replaced with your host's
name, of course.

=== Relying Party - rcynic ===

The RP (Relying Party) software should have installed and should be
running.  You can test it by browsing to
https://test.dfw.rg.net/rcynic/.  It uses a self-signed TLS certificate;
you can be lazy and decided to accept it as opposed to installing a real
one generated from from your own TLS CA; your call.

The rcynic web page had not populated yet because the cron job to
populate is generated for a socially polite cache which fetches once an
hour.
{{{
test.dfw.rg.net:/root# crontab -u rcynic -l
MAILTO=root
49 * * * *      exec /usr/bin/rcynic-cron
}}}
Do not change this now as it would place an asocial load on the global
RPKI.

If you plan to use the rpki-rtr protocol to feed a router from the RP
cache you just installed, check `/etc/xinetd.d/rpki-rtr` to be sure the
port number is 323, the IANA assigned port, as opposed to some old hacks
that were used pre [http://www.rfc-editor.org/rfc/rfc6810.txt RFC 6810].
{{{
cat /etc/xinetd.d/rpki-rtr
service rpki-rtr
{
    type           = UNLISTED
    flags          = IPv4
    socket_type    = stream
    protocol       = tcp
    port           = 323
    wait           = no
    user           = rpkirtr
    server         = /usr/bin/rpki-rtr
    server_args    = server /var/rcynic/rpki-rtr
}
}}}

The configuration for rcynic is in `/etc/rcynic.conf`.  Note that it
says to use the trust anchors in the directory
`/etc/rpki/trust-anchors`.  As you intend to install the created root
instance's trust anchor there, try to remembered how to find it.

That's it!