Job Snijders <[email protected]> wrote:
> In cases where rpki-client for some reason ends up taking longer than an
> hour, the next execution attempt of the command will be skipped. Better
> to just try again an hour later, this helps avoid concurrent rpki-client
> processes crossing streams.

Agree. As discussed privately rpki-client has safe output functions, but
the parallel rsync input phase lacks collision prevention.

> I think 'once an hour' is a reasonable balance between the needs of
> internet users (the ROAs creators who may depend urgently on an
> expedient distribution of updated RPKI information); considerations for
> what the Internet's CA infrastructure realistically can support; and what
> network operators are willing to tolerate in churn. We have to hold the
> throttle open at the right position.

I agree we should try 1 hour.

> +#~ * * * * -s -n rpki-client -v && bgpctl reload

I would prefer if you use -ns rather than the two separate options.
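
Review bot: the added crontab line (`#~ * * * * -s -n rpki-client -v && bgpctl reload`) has no accompanying comment explaining why -s is set. The entry is added commented out, and the rationale given in this thread is that a run should be skipped while a previous rpki-client is still active, because the parallel rsync input phase lacks collision prevention. A one-line comment above the entry stating that would keep an operator from dropping the flag when enabling or editing it. The same comment could mention that `&&` makes `bgpctl reload` run only when rpki-client exits successfully.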
