Releases: NLnetLabs/krill

One for All

01 Jun 10:57
ff85ea5

This is the first major release of Krill in a while.

While basic ROA management is unchanged, there were many changes under the hood:

  • Multi-user support in the User Interface (local users or OpenID Connect)
  • Reduce disk space usage and growth over time
  • API and naming consistency (in preparation for 1.0 in future)
  • Publication Server improvements (to whom it may concern)
  • Many small improvements and minor bug fixes

For a full list of issues that were included in this release see:
https://github.com/NLnetLabs/krill/projects/4

Updated documentation is available here:
https://krill.docs.nlnetlabs.nl/en/stable/index.html

With multi-user support you can now give people in your organization individual access rights to your CA - and they no longer need to share a password. If you have an OpenID Connect provider then you can integrate Krill with it. Read more here:
https://krill.docs.nlnetlabs.nl/en/stable/multi-user.html

Krill versions before 0.9.0 keep a lot of data around that is not strictly needed. This can clog up your system and it makes the Krill history difficult to parse. History can be seen using krillc history. We will include support for inspecting history in the UI soon.

There were some API and CLI changes introduced in this release. Over time things had become a bit inconsistent and we felt we needed to fix that before we can consider going for the Krill 1.0 release. If you are using automation then these changes may break your current integrations. Please have a look at the following page to see if and how this affects you:
https://krill.docs.nlnetlabs.nl/en/stable/upgrade.html

Note that your Krill data store will be upgraded automatically if you upgrade to this release. This upgrade can take some time, up to around 30 minutes, depending on the amount of history that has accumulated over time and the speed of your system. During the migration you will not be able to update your ROAs, but your existing ROAs will remain available to RPKI validators. I.e. there is no downtime expected with regard to RPKI validation.

We have tested this on various (big) Krill instances running CAs as well as Publication Servers. Still, we recommend that you make a backup of your data store before upgrading. In case the upgrade should unexpectedly fail for you, please restore your old data, run the previous binary, and contact us so that we can make a fix. Alternatively, copy your data except for the keys directory to a test system and then use the new Krill binary there with the following env variable set so you can test the data migration: KRILL_UPGRADE_ONLY=1

Finally, note that you need to run at least Krill 0.6.0 in order to upgrade. If you run an older version you will need to upgrade to version 0.8.2 first.

Can't touch this

14 Dec 14:05

As it turned out the previous release (0.8.1) still insisted on cleaning up 'redundant ROAs' when migrating to that version. This clean-up would not cause any issues with regards to the validity of your announcements. However, we realised in 0.8.1 that users should be the ones to decide whether they want to have extra ROAs or not. Therefore this clean-up should have been removed then.

This release removes this clean-up and introduces no other changes. We recommend that users who did not upgrade already upgrade to this release. However, if you already successfully upgraded to 0.8.1, then upgrading to this release is not needed.

The Gentle Art

16 Nov 15:35

The ROA guidance introduced in release 0.8.0 was more strict than it should be. This release allows users to create redundant ROAs once again, while providing guidance in the form of warnings and suggestions only. Full documentation on the Krill suggestions has been added to the online documentation.

In addition to this we have included some small improvements for the Krill Publication Server.

The Art of ROA Maintenance

26 Oct 15:28
cdb5d80

We are happy to introduce Krill 0.8.0 'The Art of ROA Maintenance'. In this version we have added further refinements to the ROA management interface, to give users the confidence that their authorisations accurately reflect their BGP announcements.

The first of these improvements are warnings about ROAs that are too permissive, meaning that they allow more announcements than what is seen in BGP. This encourages users to apply best operational practices. Secondly, Krill will not allow the creation of redundant ROAs, or ROAs that would make other ones redundant. Lastly, there is now support for AS0 ROAs, which are explicit statements that specify which prefixes should never be seen on the public Internet.

The backend has several improvements and refinements as well, such as allowing aggregation of ROAs to lower the number of objects, and improved reporting on communication with parents and repository. To make Krill more resilient, we have added recovery functionality in case data on disk is incomplete due to for example a full disk or failed system. In relation to this, we now ensure Krill stops in case data cannot be written to disk, to prevent inconsistent states. Lastly, Krill does a full re-synchronisation with its parents and the repository on start-up.

With this release we have also started to operate a Krill testbed service. The testbed offers both a parent CA and a repository. As such you can just run a Krill instance, on a laptop even, without the need to operate real infrastructure for testing.

It allows you to register any resources for your Child CA, allowing you to test with your real resources. Because this testbed uses its own TEST Trust Anchor, ROAs created here will not end up being used by production routers.

You can find the test service here:
https://testbed.rpki.nlnetlabs.nl/

To install Krill 0.8.0 you can use Cargo, the Rust package manager, or use the packages for Debian and Ubuntu we provide on https://packages.nlnetlabs.nl

Multipass!

31 Aug 18:13

There is no need to upgrade to this version. It was created only so that you can continue to compile Krill locally using the latest Rust compiler.

As it turns out, the use of many asynchronous calls, the cool stuff which makes Krill thread safe, causes the compiler to do quite a bit of work in a process called 'monomorphization'. The latest compiler version will go on strike as a result, unless we instruct it beforehand that more work is coming its way.

Slow Food

06 Jul 13:47

This release fixes an issue where the BGP RIS Dump files were reloaded and checked too frequently, causing high CPU and bandwidth usage.

Small Bites

28 Jun 21:05

This release fixes an issue where BGP RIS Dump files that were not properly retrieved would cause a thread to choke. As this can lead to lock poisoning, this type of event could cause other Krill processes to stop functioning properly. All users of Krill 0.7.0 and 0.7.1 are advised to upgrade.

In addition to this, German translations have been added to the UI.

Sobremesa

25 Jun 09:52

This release fixes the ROA migration introduced in 0.7.0. We identified an issue where the clean up of ROAs would fail because Krill tried adding explicit forms of ROAs - with max length set - before removing the implicit definitions.

Escondidinho de Lagosta

24 Jun 15:30

This release brings significant improvements aimed at maintaining your ROAs. For now, Krill will download aggregated BGP dumps from the RIPE NCC Routing Information Service and analyse how your ROAs affect announcements seen for your resources. In future we will extend this system, so that it can use near-real-time data, or even a local feed with your own BGP information instead.

For these changes to work well we needed to do some work on cleaning up existing ROAs. Until now Krill has allowed the creation of essentially duplicate, or nonsensical ROAs, such as:

  • ROAs for an ASN and prefix with and without an explicit max length matching the prefix
  • ROAs for a prefix and ASN which were already permitted by another ROA.

On upgrade Krill will clean up such redundant authorizations for ROAs. For example if the following authorizations would exist:

 192.168.0.0/16      => 64496
 192.168.0.0/24      => 64496
 192.168.0.0/16-24   => 64496

Then only this last authorization needs to be kept; the first two are also covered by it.

Before this release it was also possible to have the same authorization with, and without, using an explicit max length. For example:

 192.168.0.0/16      => 64496
 192.168.0.0/16-16   => 64496

Now Krill will always use an explicit max length in the definitions. Note however, that it is still best practice to use the same max length as the announced prefix length, so Krill will just set this by default if it is not specified.
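The covering rule described above can be checked against an exported list of authorizations. This is an added example, not Krill's own code; the function names and the parser for the `prefix-maxlen => asn` notation are assumptions made for this illustration.

```python
import ipaddress
from typing import NamedTuple

class Roa(NamedTuple):
    prefix: object   # ipaddress.IPv4Network or IPv6Network
    max_len: int
    asn: int

def parse_roa(text):
    """Parse 'prefix[-maxlen] => asn' as written in the examples above."""
    left, asn = (part.strip() for part in text.split("=>"))
    prefix_text, _, max_text = left.partition("-")
    prefix = ipaddress.ip_network(prefix_text, strict=True)
    # No explicit max length means max length == prefix length.
    max_len = int(max_text) if max_text else prefix.prefixlen
    if not prefix.prefixlen <= max_len <= prefix.max_prefixlen:
        raise ValueError(f"invalid max length in {text!r}")
    return Roa(prefix, max_len, int(asn))

def covers(a, b):
    """True if everything authorized by b is also authorized by a."""
    return (a.asn == b.asn
            and a.prefix.version == b.prefix.version
            and b.prefix.subnet_of(a.prefix)
            and b.max_len <= a.max_len)

def minimal_set(lines):
    """Return the authorizations that are not covered by another one."""
    # Parsing normalizes '/16' and '/16-16' to the same value; dedupe them.
    roas = list(dict.fromkeys(parse_roa(line) for line in lines))
    return [r for r in roas
            if not any(o != r and covers(o, r) for o in roas)]

def format_roa(roa):
    return f"{roa.prefix}-{roa.max_len} => {roa.asn}"

# Constructed sample: the three authorizations from the text above.
SAMPLE = [
    "192.168.0.0/16      => 64496",
    "192.168.0.0/24      => 64496",
    "192.168.0.0/16-24   => 64496",
]

if __name__ == "__main__":
    for roa in minimal_set(SAMPLE):
        print(format_roa(roa))
```
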

Play it again, Sam

07 Jun 19:20

This release addresses an issue where users with a CA that has delegated children, which in turn had performed a key roll over in the past, could not upgrade to Release 0.6.2.

Users who already successfully upgraded to Release 0.6.2 do not need to upgrade urgently. This release includes a number of fixes for minor issues, which will also be included in the 0.7.0 Release which is due in 2-4 weeks:

  • krillc issues fails with Error: Unknown API method (#248)
  • krillc parents help text refers incorrectly to publisher request instead of child request (#251)
  • Normalize request/response krillc help texts (#252)
  • krillc incorrectly reports XML as a supported output format (#253)
  • Inconsistent use of "cas" in krillc bulk subcommand summary text (#254)
  • Be consistent when referring to ending with a / (#255)