Running a Krill Test Environment

You do not need to run your own Krill Test Environment if you just want to try out Krill. You can simply install Krill on a test machine and set it up under the public Krill based RPKI testbed that NLnet Labs runs here: https://testbed.krill.cloud/ui/testbed

Read more about this in our blog.

But of course, you are perfectly welcome to run your own test environment as well. That way you have total control over it. This may be particularly useful for training purposes, and for testing code integration using the API, the RFC 8181 Publication Protocol or the RFC 6492 Provisioning Protocol.

Here we will document how we set up a simple testbed. This is not a strict guide. You may want to do things differently and that would be fine, but we hope that this provides a useful walkthrough.

Install a Proxy Server

Here we use NGINX, but of course you can use an alternative if you prefer:

apt install nginx
cd /etc/nginx/sites-enabled
rm default

Then we created a configuration file that will proxy all traffic to our Krill server (which we will install in a moment):

/etc/nginx/sites-enabled/krill.example.org

server {
    server_name krill.example.org;
    client_max_body_size 100M;

    location / {
        proxy_pass https://localhost:3000/;
    }

    listen 80;
}

Restart nginx and we have our proxy server set up:

systemctl restart nginx

Set up Letsencrypt

This is as easy as installing certbot and running its interactive script to set up integration with NGINX:

apt install certbot
apt install python3-certbot-nginx
certbot --nginx

Install Krill

We use our debian package to install Krill on a test system:

echo "deb [arch=amd64] https://packages.nlnetlabs.nl/linux/ubuntu/ focal main" >> /etc/apt/sources.list
apt-get update
apt-get install krill

You can read more about Krill installation options here.

Configure Testbed

Before you start Krill, edit /etc/krill.conf. Make sure that you are okay with the autogenerated random value for auth_token, or override it with something to your liking.

If you need your testbed to be accessible from other CAs, either for publication or to be added as a child under the ‘testbed’ CA, then make sure that you set the following directive to use the public URI for your proxy server:

service_uri = "https://krill.example.org/"

Add the following section to your config and change the values to use your machine's public hostname.

[testbed]
# RRDP BASE URI
#
# Set the base RRDP uri for the testbed repository server.
#
# It is highly recommended to use a proxy in front of Krill.
#
# To expose the RRDP files you can actually proxy back to your testbed
# krill server (https://<yourkrill>/rrdp/), or you can expose the
# files as they are written to disk ($data_dir/repo/rrdp/)
#
# Set the following value to *your* public proxy hostname and path.
rrdp_base_uri = "https://krill.example.org/rrdp/"

# RSYNC BASE URI
#
# Set the base rsync URI (jail) for the testbed repository server.
#
# Make sure that you have an rsyncd running and a module which is
# configured to expose the rsync repository files. By default these
# files would be saved to: $data/repo/rsync/current/
rsync_jail = "rsync://krill.example.org/repo/"

# TA AIA
#
# Set the rsync location for your testbed trust anchor certificate.
#
# You need to configure an rsync server to expose another module for the
# TA certificate. Don't use the module for the repository as its
# content will be overwritten.
#
# Manually retrieve the TA certificate from krill and copy it
# over - it won't change again. You can get it at:
# https://<yourkrill>/ta/ta.cer
ta_aia = "rsync://krill.example.org/ta/ta.cer"

# TA URI
#
# Like above, make the TA certificate available over HTTPS and
# specify the url here so that it may be included in the TAL.
ta_uri = "https://krill.example.org/ta/ta.cer"
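Before starting Krill it is worth checking that the testbed URIs above are consistent, since the comments warn about the two mistakes that are easy to make: leaving a URI at localhost (the default service_uri points at https://localhost:3000/, which no other CA can reach) and pointing ta_aia into the repository rsync module, where Krill will overwrite the certificate. The following POSIX shell checker is an added example, not part of Krill or of the original page; it assumes the config uses the key = "value" lines shown above and treats the first public hostname it finds as the proxy host.

```shell
#!/bin/sh
# Consistency check for the [testbed] URIs in a Krill config (added example,
# not Krill's own tooling). Flags localhost URIs other CAs cannot reach,
# hostnames that differ from the proxy host, and a TA certificate placed in
# the repository rsync module, where Krill would overwrite it.

conf_get() {  # conf_get FILE KEY -> value of a  key = "value"  line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

uri_host() {  # https://host:port/path -> host:port
    printf '%s\n' "$1" | sed 's|^[a-z]*://||; s|/.*$||'
}

rsync_module() {  # rsync://host/module/path -> module
    printf '%s\n' "$1" | sed 's|^rsync://[^/]*/||; s|/.*$||'
}

check_testbed_conf() {  # check_testbed_conf FILE -> 0 if consistent, else 1
    conf=$1; rc=0; proxy=""
    for key in service_uri rrdp_base_uri rsync_jail ta_aia ta_uri; do
        val=$(conf_get "$conf" "$key")
        if [ -z "$val" ]; then
            echo "MISSING: $key is not set"; rc=1; continue
        fi
        host=$(uri_host "$val")
        case "$host" in
            localhost*|127.*)
                echo "LOCAL: $key = $val (other CAs cannot reach this)"; rc=1; continue;;
        esac
        # the first public hostname seen is taken as the proxy host
        if [ -z "$proxy" ]; then proxy=$host; fi
        if [ "$host" != "$proxy" ]; then
            echo "MISMATCH: $key = $val (expected host $proxy)"; rc=1
        fi
    done
    repo_mod=$(rsync_module "$(conf_get "$conf" rsync_jail)")
    ta_mod=$(rsync_module "$(conf_get "$conf" ta_aia)")
    if [ -n "$repo_mod" ] && [ "$repo_mod" = "$ta_mod" ]; then
        echo "CLASH: ta_aia uses repository module '$repo_mod'; it will be overwritten"; rc=1
    fi
    return $rc
}

# Usage: sh check-testbed.sh /etc/krill.conf
if [ -n "${1:-}" ]; then check_testbed_conf "$1"; fi
```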

Start / Enable krill

root@krill-test-09-rc:/etc# systemctl start krill
root@krill-test-09-rc:/etc# journalctl -u krill
-- Logs begin at Thu 2021-04-01 11:23:39 UTC, end at Thu 2021-04-01 19:55:19 UTC. --
Apr 01 19:55:17 krill-test-09-rc systemd[1]: Starting Krill...
Apr 01 19:55:17 krill-test-09-rc systemd[1]: Started Krill.
Apr 01 19:55:17 krill-test-09-rc krill[35246]: 2021-04-01 19:55:17 [INFO] Krill uses configuration file: /etc/krill.conf
Apr 01 19:55:17 krill-test-09-rc krill[35246]: 2021-04-01 19:55:17 [INFO] Starting Krill v0.8.2-bis
Apr 01 19:55:17 krill-test-09-rc krill[35246]: 2021-04-01 19:55:17 [INFO] Krill uses service uri: https://localhost:3000/
Apr 01 19:55:17 krill-test-09-rc krill[35246]: 2021-04-01 19:55:17 [INFO] Enabling TESTBED mode - ONLY USE THIS FOR TESTING AND TRAINING!
Apr 01 19:55:17 krill-test-09-rc krill[35246]: 2021-04-01 19:55:17 [INFO] Initializing repository
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Creating embedded Trust Anchor
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to publisher '0', version: 1: id '0' version 'any' details 'Added publisher 'ta''
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to CA 'ta', version: 1: id 'ta' version 'any' details 'Update repo to server at: https://localhost:3000/rfc8181/ta/'
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to CA 'ta', version: 2: id 'ta' version 'any' details 'Turn into Trust Anchor'
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to CA 'ta', version: 3: id 'ta' version 'any' details 'Update received cert in RC '0', with resources 'asn: 1 blocks, v4: >
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Creating embedded Testbed CA
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to publisher '0', version: 2: id '0' version 'any' details 'Added publisher 'testbed''
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to CA 'testbed', version: 1: id 'testbed' version 'any' details 'Update repo to server at: https://localhost:3000/rfc8181/>
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] CA 'ta' process add child request: handle 'testbed' resources 'asn: AS0-AS4294967295, v4: 0.0.0.0/0, v6: ::/0'
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to CA 'ta', version: 4: id 'ta' version 'any' details 'Add child 'testbed' with RFC8183 key '98A7BBA3491C84000FADFF48AA53E>
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Sending command to CA 'testbed', version: 2: id 'testbed' version 'any' details 'Add parent 'ta' as 'RFC 6492 Parent''
Apr 01 19:55:18 krill-test-09-rc krill[35246]: 2021-04-01 19:55:18 [INFO] Upgraded Krill to version: 0.8.2-bis
Apr 01 19:55:19 krill-test-09-rc krill[35246]: 2021-04-01 19:55:19 [INFO] Will re-sync all CAs with their parents and repository after startup

If all is well you should be able to see the public testbed page now, which allows ANY unauthorised user to register a CA under your testbed and use it for publication, claiming any resources they please. This is by design. This is meant for testing. Did we mention testing? You get the point: don't use the TAL, also listed on that page, for anything BUT testing.

To get to the page go to: https://<yourhost>/ui/testbed

You can download your TAL and TA certificate here:

https://<yourhost>/ta/ta.tal
https://<yourhost>/ta/ta.cer

If you want to use your testbed for validating then please have a look at our blog where we talk a bit more about making the TAL, TA certificate and repository available.