zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-08-03 16:32:11 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add open source RDE operational documentation

Browse source 
Taken from the SRE procedures page.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=136083695
This commit is contained in:
mountford 2016-10-13 14:06:40 -07:00 committed by Ben McIlwain
parent 7794fb04d1
commit 86dde1d976
1 changed files with 285 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

285
docs/operational-procedures/rde-deposits.md Normal file
View file

@ -0,0 +1,285 @@
# RDE Deposits
## Overview
Many registries are required by ICANN to make daily escrow deposits of the
registry data. Note that this applies mainly to gTLDs. ccTLDs do not generally
have this requirement, in which case the following would not apply.
The RDE process takes care of escrow deposit processing. It happens in three
phases:
1. [Staging](https://github.com/google/nomulus/blob/master/java/google/registry/rde/RdeStagingAction.java):
Generate XML deposit and XML report files on Google Cloud Storage.
2. [Upload](https://github.com/google/nomulus/blob/master/java/google/registry/rde/RdeUploadAction.java):
Transmit XML deposit to the escrow provider via SFTP.
3. [Report](https://github.com/google/nomulus/blob/master/java/google/registry/rde/RdeReportAction.java):
Transmit XML *report* file to ICANN via HTTPS.
Each phase happens with an App Engine task queue entry that retries on failure.
When each task succeeds, it automatically enqueues a task for the next phase in
the process. The staging files are stored in Google Cloud Storage indefinitely,
encrypted with the GhostRyDE container format.
For each phase in the process, the system maintains a `Cursor` entity in
Datastore, which contains a timestamp indicating that everything up to the day
before the timestamp is current. For RDE, there are four cursor types:
* `RDE_STAGING`
* `RDE_UPLOAD`
* `RDE_UPLOAD_SFTP`
* `RDE_REPORT`
To view the cursors, you can use the `nomulus list_cursors` command. Here are
some examples:
```shell
$ nomulus -e production list_cursors --type RDE_STAGING
2015-05-22T00:00:00.000Z tld1
2015-05-22T00:00:00.000Z tld2
2015-05-22T00:00:00.000Z tld3
2015-05-22T00:00:00.000Z tld4
[....]
$ nomulus -e production list_cursors --type RDE_UPLOAD
2015-05-22T00:00:00.000Z tld1
2015-05-22T00:00:00.000Z tld2
2015-05-22T00:00:00.000Z tld3
2015-05-22T00:00:00.000Z tld4
[...]
$ nomulus -e production list_cursors --type RDE_REPORT
2015-05-22T00:00:00.000Z tld1
2015-05-22T00:00:00.000Z tld2
2015-05-22T00:00:00.000Z tld3
2015-05-22T00:00:00.000Z tld4
[....]
```
The `RDE_UPLOAD_SFTP` cursor is used to avoid uploading multiple files to the
escrow provider within too short a time span, as described below.
## Listing deposits in Cloud Storage
You can list the files in Cloud Storage for a given TLD using the gsutil tool.
All files are stored in the {PROJECT-ID}-rde bucket, where {PROJECT-ID} is the
name of the App Engine project for the particular environment you are checking.
```shell
$ gsutil ls gs://{PROJECT-ID}-rde/zip_2015-05-16*
gs://{PROJECT-ID}-rde/zip_2015-05-16-report.xml.ghostryde
gs://{PROJECT-ID}-rde/zip_2015-05-16.xml.ghostryde
gs://{PROJECT-ID}-rde/zip_2015-05-16.xml.length
```
## Normal launch
Under normal circumstances, RDE is launched by CronFanoutServlet, configured in
cron.xml. If the App Engine's cron executor isn't working, you can spawn it
manually by visiting the following URL:
https://backend-dot-{PROJECT-ID}.appspot.com/_dr/task/rdeStaging
That will spawn a staging task for each TLD under the backend module in that App
Engine project.
## Notification of upload problems
If there is a problem with the deposit from the escrow provider's side, they
will usually email a notification. Here is an example of such a notification
from Iron Mountain, one common escrow provider:
```
Greetings,
The Registry Data Escrow deposit for XXX has failed the verification process.
Details can be found below.
------------- Name Check ---------------- 
Name Check Filename : xxx_2015-05-16_full_S1_R0.sig 
Name Check : SUCCESSFUL 
Name Check Filename : xxx_2015-05-16_full_S1_R0.ryde 
Name Check : SUCCESSFUL 
------------- Signature Check ---------------- 
Signature Check Filename : xxx_2015-05-16_full_S1_R0.ryde 
Digital Signature Check : FAILED 
Thank you
Iron Mountain
```
## Iron Mountain-specific caveat: never re-upload between 10 p.m. and 3 a.m. UTC
When Iron Mountain receives two deposits for the same TLD within two hours, it
merges them together. So when resending deposits, don't do it anywhere near
midnight UTC, since that might get merged with the output of the regular cron
job. And if you need to resend deposits for more than one day on a single TLD,
space the uploading at least two hours apart.
Note that this warning only applies when you (re)upload files directly to the
sFTP server. There's an RDE_UPLOAD_SFTP cursor that prevents the production
system from uploading twice in a two hour window, so when you let the production
job upload missing deposits, it will be safe. Therefore, one safe approach is to
reset the cursor, then kick off the production job manually.
## Decrypting GhostRyDE files
Sometimes you'll want to take a peek at the contents of a deposit that's been
staged to cloud storage. Use this command:
```shell
$ gsutil cat gs://{PROJECT-ID}-rde/foo.ghostryde | nomulus -e production ghostryde --decrypt | less
```
## Identifying which phase of the process failed
Analyze the GAE logs on the backend module.
If the rdeStaging task failed, then it's likely the files do not exist in cloud
storage.
If the rdeUpload task failed, then it's likely the files were not uploaded to
the escrow provider's sFTP server.
If the rdeReport task failed, then it's likely the report file was not sent to
ICANN.
## Generating RDE files
You can use the `nomulus` command to generate the RDE files on a per-TLD basis.
Here's an example:
```shell
# Define the tld/date combination.
$ tld=xxx
$ date=2015-05-16
# 1. Generate the deposit. This drops a bunch of files in the current directory.
$ nomulus -e production generate_escrow_deposit --tld=${tld} --watermark=${date}T00:00:00Z
$ ls -l
total 22252
-rw-r----- 1 tjb eng     2292 May 19 16:49 xxx_2015-05-16_full_S1_R0-report.xml
-rw-r----- 1 tjb eng  1321343 May 19 16:49 xxx_2015-05-16_full_S1_R0.ryde
-rw-r----- 1 tjb eng      361 May 19 16:49 xxx_2015-05-16_full_S1_R0.sig
-rw-r----- 1 tjb eng 21448005 May 19 16:49 xxx_2015-05-16_full_S1_R0.xml
-rw-r----- 1 tjb eng      977 May 19 16:49 xxx.pub
$ nomulus -e production validate_escrow_deposit -i ${tld}_${date}_full_S1_R0.xml
ID: AAAACTK2AU2AA
Previous ID: null
Type: FULL
Watermark: 2015-05-16T00:00:00.000Z
RDE Version: 1.0
RDE Object URIs:
  - urn:ietf:params:xml:ns:rdeContact-1.0
  - urn:ietf:params:xml:ns:rdeDomain-1.0
  - urn:ietf:params:xml:ns:rdeHeader-1.0
  - urn:ietf:params:xml:ns:rdeHost-1.0
  - urn:ietf:params:xml:ns:rdeRegistrar-1.0
Contents:
  - XjcRdeContact: 4,224 entries
  - XjcRdeDomain: 2,667 entries
  - XjcRdeHeader: 1 entry
  - XjcRdeHost: 35,932 entries
  - XjcRdeRegistrar: 146 entries
RDE deposit is XML schema valid
# 2. GhostRyDE it!
$ nomulus -e production ghostryde --encrypt \
    --input=${tld}_${date}_full_S1_R0-report.xml \
    --output=${tld}_${date}_full_S1_R0-report.xml.ghostryde
$ nomulus -e production ghostryde --encrypt \
    --input=${tld}_${date}_full_S1_R0.xml \
    --output=${tld}_${date}_full_S1_R0.xml.ghostryde
# 3. Copy to Cloud Storage so RdeUploadTask can find them.
$ gsutil cp ${tld}_${date}_full_S1_R0{,-report}.xml.ghostryde gs://{PROJECT-ID}-rde/
```
## Updating an RDE cursor
If the rdeStaging or rdeUpload tasks are failing and you find yourself needing
to perform this process manually, you must make sure to update the appropriate
cursors. Again, you can use the `nomulus` to perform this operation.
```shell
$ nomulus -e production update_cursors --timestamp=2015-05-21T00:00:00Z --type=RDE_STAGING $tld
$ nomulus -e production update_cursors --timestamp=2015-05-21T00:00:00Z --type=RDE_UPLOAD $tld
$ nomulus -e production update_cursors --timestamp=2015-05-21T00:00:00Z --type=RDE_REPORT $tld
```
## Manually uploading files to the escrow provider
These instructions work for Iron Mountain, and should be applicable to other
escrow providers as well. We upload the RDE deposits to an sFTP server (see the
[ConfigModule](https://github.com/google/nomulus/blob/master/java/google/registry/config/ConfigModule.java)
for specific URLs). First, you need a generated deposit .xml file (see above for
how to generate such a file locally, or how to decrypt a .ghostryde file into
the .xml original).
### Encrypting the RDE deposits for sending to the escrow provider
```shell
$ nomulus -e production encrypt_escrow_deposit --tld=$tld --input=${tld}_${date}_full_S1_R0-report.xml
$ ls *.ryde *.sig
${tld}_${date}_full_S1_R0-report.ryde
  ${tld}_${date}_full_S1_R0-report.sig
```
### Verifying the deposit signature (optional)
```shell
$ nomulus -e production get_key --name rde-signing-public > rde-signing-public
$ (umask 0077; mkdir gpgtemp)
$ GNUPGHOME=gpgtemp gpg --import ./rde-signing-public
$ GNUPGHOME=gpgtemp gpg --verify ${tld}_${date}_full_S1_R0-report.{sig,ryde}
...
gpg: Good signature from ...
...
$ rm -rf gpgtemp
```
### Uploading the encrypted deposit and signature files
NOTE: If you need to manually upload files directly to the escrow provider, only
upload the .ryde and .sig files. DO NOT upload any other files.
```shell
# First, you'll need to get the SSH private key from KeyStore
$ (umask 0077; nomulus -e production get_key --name rde-ssh-client-private > escrow_ssh)
# Next, sftp to the server
$ sftp -i escrow_ssh ${user}@${host}:Outbox
Connected to ${host}.
sftp> ls
# Once in the Outbox/ directory, you can change your local directory to where you have the escrow files
sftp> lcd /path/to/escrow/files/on/local/machine
sftp> put ${tld}_2015-05-16_full_S1_R0.ryde
sftp> put ${tld}_2015-05-16_full_S1_R0.sig
```
It would be convenient to have the following in your `~/.ssh/config` file and
store the SSH private key that you stored in `escrow_ssh` as
`~/.ssh/id_rsa_escrow` so that you can simply run `$ sftp escrow` to connect to
the sFTP server.
```
Host escrow
  Hostname $host
  User $user
  IdentityFile ~/.ssh/id_rsa_escrow
```
## Resending the ICANN notification report
As with everything else related to RDE, you can use the `nomulus` tool to send a
notification report to ICANN:
```shell
# This command assumes the report XML file is in your current working directory
$ nomulus -e production send_escrow_report_to_icann xxx_2015-05-16_full_S1_R0-report.xml
```