Confusion in operations - mft files which won't validate and roas which won't load in remote repositories #838
Comments
|
anything in logs? [ heading off to dinner ] Trac comment by randy on 2016-06-24T17:51:11Z |
|
At Fri, 24 Jun 2016 17:51:14 -0000,
part of my query was: "Which logs should I look at?" :) Trac comment by morrowc on 2016-06-24T17:55:43Z |
|
Some potentially useful logs: {{{ Trac comment by morrowc on 2016-06-24T18:55:16Z |
|
More logs, after the bpki_update process... (yes, some routes won't get signed, fine, I know why 8.8.8.0 is failing) {{{ Trac comment by morrowc on 2016-06-24T18:56:05Z |
|
So the "No covering certificate" messages mean what they say: you've requested ROAs for which you do not currently have a valid certificate from your parent, so rpkid can't issue those ROAs. The "Lost synchronization" errors may be unrelated: those are rpkid sending a change request to pubd, pubd saying "your patch does not apply cleanly", and rpkid saying "oh crap, OK, what's on file?" so that it can reissue the request. I don't see the part where rpkid decides what to do next based on the report from pubd, the second log snippet cuts off while rpkid is receiving that report (or perhaps right after the end of it). Trac comment by sra on 2016-06-25T22:12:09Z |
|
At Sat, 25 Jun 2016 22:12:09 -0000,
I sent log locale to private email thread about this... I can attach Trac comment by morrowc on 2016-06-26T01:57:01Z |
|
I have the logs. I have been staring at them. What I am seeing is a long repeated sequence of rpkid trying to publish something, pubd saying "sorry, you're out of sync buddy", rpkid trying to recover from that, wait half an hour, rinse, repeat. I suspect that there is something wrong with the resynchronization code (pas merde, Hercule), so I am looking at that now. Trac comment by sra on 2016-06-26T18:25:19Z |
|
Nothing obviously wrong with the resynchronization code. It's a bit cumbersome, but looks correct. Checked for SQL transactional nonsense that could be causing the resynchronization code to give a different result than the original request would have, found none. Clearly something is still wrong, but don't know what. Added a bit of additional logging to the resynchronization code so it will report what it thinks it's doing, will push that as soon as I've tested that I didn't break something obvious. Trac comment by sra on 2016-06-26T19:23:58Z |
[6445], binaries should pop out of the automatic build process sometime in the next half hour. Only other thing I can think to suggest would be enabling full debug logging (/etc/rpki.conf myrpki::log-level = "debug"). But I'd try seeing whether cleaning up old rpki.conf ("localhost" issue, etc) fixes anything first. Trac comment by sra on 2016-06-26T20:09:20Z |
|
more and more i am smelling an identity crisis at install time. not Trac comment by randy on 2016-06-26T20:38:27Z |
howdy!
somehow I think I got myself into a weird state, that I wasn't aware of until after my friendly other repository operators told me :(
I built an rpki repository/publication server (gogl-rpki.rarc.net), I published some data:
rsync://gogl-rpki.rarc.net/rpki/GOGL-morrowc/
and then oddly the manifest went stale/etc, seen in:
https://www.hactrn.net/opaque/rcynic/gogl-rpki.rarc.net.html
as: (55 roa like this)
2016-06-24T16:49:36Z current Skipped because not in manifest rsync://gogl-rpki.rarc.net/rpki/GOGL-morrowc/0o4I8AxZy_FfvJQmrOYtMiSgDW4.roa
It's unclear to me where:
I mashed around a bunch on:
rpkic> update_bpki
rpkic> synchronize
rpkic> force_publication
rpkic> force_reissue
I'm not sure any of that actually helped though...
Trac ticket #832 component rpkid priority minor, owner None, created by morrowc on 2016-06-24T17:48:56Z, last modified 2016-06-26T20:38:27Z
The text was updated successfully, but these errors were encountered: