Install and Run
Before you can start to use Krill you will need to install, configure and run the Krill application somewhere. Please follow the steps below and you will be ready to get started.
Warning
Krill does NOT support clustering at this time. You can use a shared disk and a standby Krill node for redundancy. However, data corruption issues can occur if you run multiple active Krill nodes using a shared disk. Therefore, you MUST ensure that only one Krill node is active at any given time.
We plan to offer support for clustering in Krill release 0.15.0 by allowing a PostgreSQL database to be used for storage. Krill will then rely on database transactions to ensure that no data corruption can occur. The database itself will of course still need to be set up for redundancy, but there are several ways to do this with PostgreSQL.
Quick Start
Getting started with Krill is really easy by either installing a binary package for Debian and Ubuntu or for Red Hat Enterprise Linux and CentOS. You can also run with Docker or build from Cargo, Rust’s build system and package manager.
In case you intend to serve your RPKI certificate and ROAs to the world yourself or you want to offer this as a service to others, you will also need to have a public rsyncd and HTTPS web server available.
Note
For the oldest platforms, Ubuntu 16.04 LTS and Debian 9, the packaged Krill binary is statically linked with OpenSSL 1.1.0 as this is the minimum version required by Krill and is higher than available in the official package repositories for those platforms.
If you have a machine with an amd64/x86_64 architecture running Debian 9, 10 or 11, you can install Krill from our software package repository.
If your machine uses an ARM architecture we also provide (via the same repository) ARMv6 & ARM64 packages for Debian 10 and an ARMv7 package for Debian 11, intended to support Raspberry Pi 1b, Rock64 and Raspberry Pi 4b respectively.
First update the apt package index:
sudo apt update
Then install packages to allow apt to use a repository over HTTPS:
sudo apt install \
  ca-certificates \
  curl \
  gnupg \
  lsb-release
Add the GPG key from NLnet Labs:
curl -fsSL https://packages.nlnetlabs.nl/aptkey.asc | sudo gpg --dearmor -o /usr/share/keyrings/nlnetlabs-archive-keyring.gpg
Now, use the following command to set up the main repository:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/debian \
$(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/nlnetlabs.list > /dev/null
After updating the apt package index you can install Krill:
sudo apt update
sudo apt install krill
Review the generated configuration file at /etc/krill.conf. Pay particular attention to the service_uri and admin_token settings. Tip: The configuration file was generated for you using the krillc config simple command.
Warning
If you modify the default storage_uri, or if you decide to symlink its default directory /var/lib/krill/data to another location or volume, you will need to:
ensure the user krill has write permissions
configure systemd to give the krill process access
The easiest way to achieve the latter is by using systemctl edit krill and adding the following:
[Service]
ReadWritePaths=/your/path/to/data
Once happy with the settings use sudo systemctl enable --now krill to instruct systemd to enable the Krill service at boot and to start it immediately. The krill daemon runs as user krill and stores its data in /var/lib/krill/data, unless you modified the storage_uri setting.
You can check the status of Krill with:
sudo systemctl status krill
You can view the logs with:
sudo journalctl --unit=krill
If you have a machine with an amd64/x86_64 architecture running Ubuntu 16.x, 18.x, 20.x or 22.x, you can install Krill from our software package repository.
First update the apt package index:
sudo apt update
Then install packages to allow apt to use a repository over HTTPS:
sudo apt install \
  ca-certificates \
  curl \
  gnupg \
  lsb-release
Add the GPG key from NLnet Labs:
curl -fsSL https://packages.nlnetlabs.nl/aptkey.asc | sudo gpg --dearmor -o /usr/share/keyrings/nlnetlabs-archive-keyring.gpg
Now, use the following command to set up the main repository:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/ubuntu \
$(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/nlnetlabs.list > /dev/null
After updating the apt package index you can install Krill:
sudo apt update
sudo apt install krill
Review the generated configuration file at /etc/krill.conf. Pay particular attention to the service_uri and admin_token settings. Tip: The configuration file was generated for you using the krillc config simple command.
Warning
If you modify the default storage_uri, or if you decide to symlink its default directory /var/lib/krill/data to another location or volume, you will need to:
ensure the user krill has write permissions
configure systemd to give the krill process access
The easiest way to achieve the latter is by using systemctl edit krill and adding the following:
[Service]
ReadWritePaths=/your/path/to/data
Once happy with the settings use sudo systemctl enable --now krill to instruct systemd to enable the Krill service at boot and to start it immediately. The krill daemon runs as user krill and stores its data in /var/lib/krill/data, unless you modified the storage_uri setting.
You can check the status of Krill with:
sudo systemctl status krill
You can view the logs with:
sudo journalctl --unit=krill
If you have a machine with an amd64/x86_64 architecture running a RHEL/CentOS 7 or 8 distribution, or a compatible OS such as Rocky Linux, you can install Krill from our software package repository.
To use this repository, create a file named /etc/yum.repos.d/nlnetlabs.repo, enter this configuration and save it:
[nlnetlabs]
name=NLnet Labs
baseurl=https://packages.nlnetlabs.nl/linux/centos/$releasever/main/$basearch
enabled=1
Then run the following command to add the public key:
sudo rpm --import https://packages.nlnetlabs.nl/aptkey.asc
You can then install Krill by running:
sudo yum install -y krill
Review the generated configuration file at /etc/krill.conf. Pay particular attention to the service_uri and admin_token settings. Tip: The configuration file was generated for you using the krillc config simple command.
Warning
If you modify the default storage_uri, or if you decide to symlink its default directory /var/lib/krill/data to another location or volume, you will need to:
ensure the user krill has write permissions
configure systemd to give the krill process access
The easiest way to achieve the latter is by using systemctl edit krill and adding the following:
[Service]
ReadWritePaths=/your/path/to/data
Once happy with the settings use sudo systemctl enable --now krill to instruct systemd to enable the Krill service at boot and to start it immediately. The krill daemon runs as user krill and stores its data in /var/lib/krill/data, unless you modified the storage_uri setting.
You can check the status of Krill with:
sudo systemctl status krill
You can view the logs with:
sudo journalctl --unit=krill
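The storage warning in each of the package installation variants above can be checked after a move or symlink with a small script. This is an added example, not part of the Krill documentation or project; the function names rw_paths_cover and check_krill_storage are hypothetical, and it assumes GNU readlink and a systemd new enough to support systemctl show --value.

```shell
#!/bin/sh
# Added example (not Krill project code). Function names are hypothetical.

# rw_paths_cover DATA_DIR "PATH1 PATH2 ..."
# Returns 0 when the real location of DATA_DIR (symlinks resolved) is at or
# below one of the listed ReadWritePaths entries, 1 when it is not.
rw_paths_cover() {
    real=$(readlink -f -- "$1") || return 2
    for p in $2; do
        p=${p#[-+]}                       # systemd allows '-' and '+' prefixes
        rp=$(readlink -f -- "$p" 2>/dev/null) || continue
        case "$real/" in
            "$rp"/*) return 0 ;;          # equal to, or nested under, the entry
        esac
    done
    return 1
}

# check_krill_storage [DATA_DIR]
# Live check on an installed system: both conditions from the warning.
check_krill_storage() {
    data_dir=${1:-/var/lib/krill/data}
    paths=$(systemctl show krill --property=ReadWritePaths --value) || return 2
    rw_paths_cover "$data_dir" "$paths" || {
        echo "systemd: $data_dir is not covered by ReadWritePaths ($paths)" >&2
        return 1
    }
    sudo -u krill test -w "$data_dir" || {
        echo "user krill cannot write to $data_dir" >&2
        return 1
    }
    echo "ok: $data_dir is writable by krill and covered by ReadWritePaths"
}
```

Run check_krill_storage with no argument for the default directory, or pass the path you configured in storage_uri.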
Assuming you have a newly installed Debian or Ubuntu machine, you will need to install the C toolchain, OpenSSL and Rust. You can then install Krill using:
sudo apt install curl build-essential libssl-dev openssl pkg-config
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
cargo install --locked krill
Updating
To update an existing Krill installation, first update the repository using:
sudo apt update
You can use this command to get an overview of the available versions:
sudo apt policy krill
You can upgrade an existing Krill installation to the latest version using:
sudo apt --only-upgrade install krill
To update an existing Krill installation, you can use this command to get an overview of the available versions:
sudo yum --showduplicates list krill
You can update to the latest version using:
sudo yum update -y krill
If you want to install the latest version of Krill using Cargo, it’s recommended to also update Rust to the latest version first. Use the --force option to overwrite an existing version with the latest release:
rustup update
cargo install --locked --force krill
Rollback
If you experience issues after an upgrade you may want to roll back to the previous Krill version you had installed. A rollback is somewhat risky so it should not be attempted unless there is no other choice.
Also note that you may lose any changes you made since upgrading, so you may have to re-do ROA changes for example. Do not try to roll back if you delegated CA certificates to any child CA, as losing changes may then result in issues that are hard to debug.
First make sure that Krill is no longer running. Then go into your Krill data directory and list the directories. You may see a number of arch-*-<version> directories that Krill left in case it needed to do a data migration from your previous version. For example:
/var/lib/krill/data/arch-ca_objects-0.11.0/
/var/lib/krill/data/arch-cas-0.11.0/
/var/lib/krill/data/arch-pubd-0.11.0/
/var/lib/krill/data/arch-pubd_objects-0.11.0/
You should also see the corresponding current directories:
/var/lib/krill/data/ca_objects/
/var/lib/krill/data/cas/
/var/lib/krill/data/pubd/
/var/lib/krill/data/pubd_objects/
Note that you may NOT see all these directories for your previous version. Krill only keeps these backups in case a data migration was needed for the upgrade.
To roll back, back up any current directories for which an arch-..-<version> directory exists that matches your previous Krill version. Then rename that arch-..-<version> directory to its “current” name: i.e. strip the arch- prefix and version suffix. Then re-install the previous version of Krill.
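The directory steps of this rollback can be scripted so that only directories with a matching arch copy are touched. This is an added example, not part of the Krill documentation or project; the function name krill_rollback and the separate backup directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Krill project code). krill_rollback is a hypothetical name.
# Usage: krill_rollback DATA_DIR PREVIOUS_VERSION BACKUP_DIR
#   e.g. krill_rollback /var/lib/krill/data 0.11.0 /var/lib/krill/pre-rollback
# Re-install the previous Krill version yourself after this has run.
krill_rollback() {
    data_dir=$1 prev=$2 backup_dir=$3
    [ -n "$prev" ] && [ -n "$backup_dir" ] || { echo "usage: krill_rollback DATA_DIR VERSION BACKUP_DIR" >&2; return 2; }
    [ -d "$data_dir" ] || { echo "no such data directory: $data_dir" >&2; return 1; }

    # Step 1: Krill must not be running (check skipped where systemctl is absent).
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet krill 2>/dev/null; then
        echo "krill is still running; stop it first" >&2
        return 1
    fi

    restored=0
    for arch in "$data_dir"/arch-*-"$prev"; do
        [ -d "$arch" ] || continue        # the glob matched nothing
        name=${arch##*/}                  # arch-cas-0.11.0
        name=${name#arch-}                # cas-0.11.0
        name=${name%-"$prev"}             # cas
        current="$data_dir/$name"
        # Step 2: back up the current directory, only if an arch copy exists for it.
        if [ -e "$current" ]; then
            mkdir -p "$backup_dir" || return 1
            mv "$current" "$backup_dir/$name" || return 1
        fi
        # Step 3: strip the arch- prefix and version suffix.
        mv "$arch" "$current" || return 1
        echo "restored $name from ${arch##*/}"
        restored=$((restored + 1))
    done

    # No matching arch directory means no data migration was kept for that version.
    [ "$restored" -gt 0 ] || { echo "no arch-*-$prev directories in $data_dir" >&2; return 1; }
}
```

Directories without an arch copy for the given version, and arch copies for other versions, are left untouched.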
Installing Release Candidates
Before every new release of Krill, one or more release candidates are provided for testing through every installation method. You can also install a specific version, if needed.
Note
As a rule we test every release candidate ourselves in our own production environment and only do the actual release for a new version when we are confident that there are no issues.
But, we really appreciate it if Krill users test out release candidates and let us know if they have any questions, comments, or run into any issues.
We recommend that you install release candidates on test systems only. If you set it up as a child under our testbed you can test all functions without risking issues in your production environment.
If you would like to try out release candidates of Krill you can add the proposed repository to the existing main repository described earlier.
Assuming you already have followed the steps to install regular releases, run this command to add the additional repository:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/debian \
$(lsb_release -cs)-proposed main" | sudo tee /etc/apt/sources.list.d/nlnetlabs-proposed.list > /dev/null
Make sure to update the apt package index:
sudo apt update
You can now use this command to get an overview of the available versions:
sudo apt policy krill
You can install a specific version using <package name>=<version>, e.g.:
sudo apt install krill=0.9.0~rc2-1buster
If you would like to try out release candidates of Krill you can add the proposed repository to the existing main repository described earlier.
Assuming you already have followed the steps to install regular releases, run this command to add the additional repository:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/ubuntu \
$(lsb_release -cs)-proposed main" | sudo tee /etc/apt/sources.list.d/nlnetlabs-proposed.list > /dev/null
Make sure to update the apt package index:
sudo apt update
You can now use this command to get an overview of the available versions:
sudo apt policy krill
You can install a specific version using <package name>=<version>, e.g.:
sudo apt install krill=0.9.0~rc2-1bionic
To install release candidates of Krill, create an additional repo file named /etc/yum.repos.d/nlnetlabs-testing.repo, enter this configuration and save it:
[nlnetlabs-testing]
name=NLnet Labs Testing
baseurl=https://packages.nlnetlabs.nl/linux/centos/$releasever/proposed/$basearch
enabled=1
You can use this command to get an overview of the available versions:
sudo yum --showduplicates list krill
You can install a specific version using <package name>-<version info>, e.g.:
sudo yum install -y krill-0.9.0~rc2
All release versions of Krill, as well as release candidates, are available on crates.io, the Rust package registry. If you want to install a specific version of Krill using Cargo, explicitly use the --version option. If needed, use the --force option to overwrite an existing version:
cargo install --locked --force krill --version 0.9.0-rc2
All new features of Krill are built on a branch and merged via a pull request, allowing you to easily try them out using Cargo. If you want to try a specific branch from the repository you can use the --git and --branch options:
cargo install --git https://github.com/NLnetLabs/krill.git --branch main
For more installation options refer to the Cargo book.