Compilation and Installation

Index

  1. Dependencies
  2. Option 1: Installing the package
    1. Debian package
    2. FreeBSD package
    3. Gentoo package
    4. RHEL/CentOS package
  3. Option 2: Compiling and installing the release tarball
    1. Debian version
    2. OpenBSD version
    3. RHEL/CentOS version
    4. Fedora version
    5. openSUSE Leap version
    6. FreeBSD version
    7. Slackware version
    8. Gentoo version
    9. Alpine version
  4. Option 3: Compiling and installing the git repository
  5. Option 4: Running from a Docker container
  6. Fetching the TALs

Dependencies

Note: This section is included in case you intend to install Fort in an unlisted OS (and therefore need a little research). For Debians, OpenBSD, RHEL/CentOS, Fedora, openSUSE Leap, FreeBSD, and Slackware just follow the steps in the sections below.

The dependencies are

  1. jansson
  2. libcrypto (Either LibreSSL or OpenSSL >= 1.1)
  3. rsync
  4. libcurl
  5. libxml2

Fort currently supports 64-bit Operating Systems. A 32-bit OS may face the Year 2038 problem when handling certificate dates, and there’s no workaround for this at the moment.

Option 1: Installing the package

Debian package

Currently, there are 2 alternatives to install a debian package:

  • Latest version: this package is created as part of the latest release (currently 1.6.1) and is manually installed.
  • Debian repository version: this package is at Debian repositories, so it can be fetched from there.

Latest version

Just download the .deb package and install it. The fort service is automatically started once the installation is done.

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort_1.6.1-1_amd64.deb
sudo apt install ./fort_1.6.1-1_amd64.deb

If a dependency can’t be found at the repositories (i.e. libcurl4), try using a newer repository, such as Debian Buster.

Add the following line to /etc/apt/sources.list, replacing the mirror (http://ftp.mx.debian.org/debian) with your preferred one:

deb http://ftp.mx.debian.org/debian buster main

This version ships with 4 of the 5 TALs, so in order to get the missing one, the --init-tals argument can be utilized using also the argument --tal=/etc/fort/tal:

sudo fort --init-tals --tal=/etc/fort/tal
# Don't forget to restart fort service
sudo service fort restart

Aside from the fort binary documented elsewhere in this documentation, the Debian package also ships with a systemd service, which is just the binary ran as a daemon. You can configure it at /etc/fort/config.json.

sudo service fort start
service fort status
tail /var/log/syslog
sudo service fort stop

Or, using systemctl:

sudo systemctl start fort
systemctl status fort
sudo systemctl stop fort

# In case you don't need to run fort on start
sudo systemctl disable fort
sudo systemctl enable fort

Debian repository version

Special thanks to Marco d’Itri for this collaboration.

To know the current status of this package, visit fort-validator debian package tracker.

The main differences between this version (fort-validator package) and the Latest version package are:

  • rpki-trust-anchors dependency: this package has such dependency, while Latest version doesn’t.
  • Since this package isn’t maintained by FORT validator’s team, it could be at least one version behind than Latest version.
  • This version reads the TALs from /etc/tals, while Latest version reads them from /etc/fort/tal.

Assuming that the package is still at the testing repository, such repository can be added to the APT sources list in order to do a simple apt install.

First, check if the file /etc/apt/apt.conf exists, otherwise create it. The file should have the following line to keep using the stable repository as the default:

APT::Default-Release "stable";

Now add the Debian testing repositories, add the following lines to /etc/apt/sources.list:

deb http://deb.debian.org/debian/ testing main
deb-src http://deb.debian.org/debian/ testing main

Finally, just run:

sudo apt update
sudo apt -t testing install fort-validator

FORT validator is now installed as a service, check the status with sudo service fort start.

FreeBSD package

FORT Validator is available in the FreeBSD ports tree since October 2021. The port maintainer closely follows the development of FORT. Updates to the FreeBSD port appear shortly after FORT releases. Binary packages can be installed in the usual way:

pkg install fort

If you prefer to build software from ports, this works too:

cd /usr/ports/net/fort
make install clean

A default configuration will be installed in /usr/local/etc/fort/fort-config.json. The package is careful not to overwrite an existing configuration.

To use FORT on FreeBSD, you will need the Trust Anchor Locator (TAL) files. You can download these by running fort --init-tals as follows:

fort --init-tals --tal /usr/local/etc/fort/tal

When you have downloaded the TAL files, you can start the RTR server and validator with the included service script:

sysrc fort_enable=YES # or edit /etc/rc.conf manually
service fort start

The default configuration will bind the RTR server to localhost on port 8323.

Gentoo package

Thanks to @alarig for his collaboration creating this package.

img/warn.svg The package is currently at the GURU repository, it could be at least one version behind the latest version, so please check first which version is the latest at the repository ‘net-misc/FORT-validator’.

Layman will be utilized, so it must be installed in order to add the GURU repository:

root# emerge --ask app-portage/layman
root# layman -a guru

Now, allow to install the unstable FORT validator package (use according to your architecture). The following lines can be used for amd64 arch:

root# nano /etc/portage/package.accept_keywords
## Add the following line and save
net-misc/FORT-validator ~amd64

FORT validator can now be installed. Don’t forget to update the TALs and restart the validator:

root# emerge --ask net-misc/FORT-validator
root# su -s /bin/sh -c '/usr/bin/fort --init-tals --tal /usr/share/fort/tal/' fort"
root# rc-service fort restart

The configuration file utilized by the service can be found at /etc/fort/config.json (see more about configuration file).

RHEL/CentOS package

RHEL/CentOS 7 users: the EPEL repository must be enabled to successfully install FORT validator.

The following command will do: sudo yum install epel-release

Download the .rpm and install it (currently tested at CentOS 7 and 8):

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1-1.el8.x86_64.rpm
sudo yum install fort-1.6.1-1.el8.x86_64.rpm

This version ships with 4 of the 5 TALs, so in order to get the missing one, the --init-tals argument can be utilized using also the argument --tal=/etc/fort/tal:

sudo fort --init-tals --tal=/etc/fort/tal

By default, FORT validator service isn’t initialized once it’s installed; so, initialize the service:

sudo systemctl start fort
systemctl status fort

# In case you want to stop it
sudo systemctl stop fort

The configuration file utilized by the service can be found at /etc/fort/config.json (see more about configuration file).

Option 2: Compiling and installing the release tarball

Debian version

sudo apt install autoconf automake build-essential libjansson-dev libssl-dev pkg-config rsync libcurl4-openssl-dev libxml2-dev

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
./configure
make
sudo make install

OpenBSD version

su
pkg_add curl jansson libexecinfo rsync libxml # OpenBSD already ships with LibreSSL
exit

ftp https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xzf fort-1.6.1.tar.gz
cd fort-1.6.1/
# clang is needed because of gnu11.
env CC=clang CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure
make
su
make install
exit

Last tested on OpenBSD 7.2.

RHEL/CentOS version

RHEL/CentOS 8

The following steps are for RHEL/CentOS 8.

sudo dnf install autoconf automake gcc jansson-devel libcurl-devel libxml2-devel make openssl-devel pkgconfig rsync tar wget

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
./configure
make
sudo make install

RHEL/CentOS 7

The following steps are for RHEL/CentOS 7.

This OS requires additional steps due to its default GCC version (currently 4.8.5, fort needs >= 4.9) and its default OpenSSL version (currently 1.0.2k, fort needs >= 1.1.0).

Upgrade OpenSSL from 1.0.2k to 1.1.1c

There are two options to upgrade OpenSSL:

  1. Compile and install a newer version >= 1.1.0 (manual process).
  2. Use the EPEL repository (indicated at the following steps).

Upgrade GCC

There are two options to upgrade GCC:

  1. Compile and install a newer version >= 4.9 (slow process).
  2. Use Software Collections (indicated at the following steps).
sudo yum install centos-release-scl epel-release
sudo yum install autoconf automake devtoolset-8-gcc jansson-devel libcurl-devel libxml2-devel make openssl11-devel pkgconfig rsync tar wget
# Start a session using the upgraded GCC
scl enable devtoolset-8 bash
cd ~
wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
# Insert paths from newer OpenSSL version
export CFLAGS+=" $(pkg-config --cflags openssl11)" LDFLAGS+=" $(pkg-config --libs openssl11)"
./configure
make
sudo make install
# Close the 'devtoolset' session
exit

Fedora version

The following steps are for Fedora 30 (and later).

sudo dnf install autoconf automake gcc jansson-devel libcurl-devel libxml2-devel make openssl-devel pkgconfig rsync tar wget
wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
./configure
make
sudo make install

openSUSE Leap version

The following steps are for openSUSE Leap 15.1.

sudo zypper install autoconf automake gcc libopenssl-devel libjansson-devel libcurl-devel libxml2-devel

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
./configure
make
sudo make install

FreeBSD version

sudo pkg install autotools curl jansson pkgconf rsync libxml2
fetch https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xzf fort-1.6.1.tar.gz
cd fort-1.6.1/

export CFLAGS=-I/usr/local/include
./configure
make
sudo make install

Last tested on FreeBSD 13.1.

Slackware version

The following steps are for Slackware “current” release (as of 2020-07-13).

All dependencies are included in the current release, so there’s no need to install any dependency.

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
./configure
make
sudo make install

Gentoo version

The following steps are for Gentoo “current” release (as of 2020-07-13).

It’s very likely that most of the dependencies are already installed (except dev-libs/jansson), still you can execute the following commands.

su
emerge sys-devel/autoconf sys-devel/automake net-misc/rsync net-misc/curl dev-libs/jansson 
exit

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
./configure
make
su
make install
exit

Alpine version

The following steps are for Alpine Linux 3.12.0

su
apk add build-base autoconf automake pkgconfig openssl-dev jansson-dev curl-dev libxml2-dev bsd-compat-headers rsync
exit

wget https://github.com/NICMx/FORT-validator/releases/download/1.6.1/fort-1.6.1.tar.gz
tar xvzf fort-1.6.1.tar.gz
cd fort-1.6.1/
./configure
make
su
make install
exit

Option 3: Compiling and installing the git repository

In case you wan’t a fresh version of Fort validator, there’s this third option. The steps are mostly the same as in Option 2, just another dependency (as minimum) must be installed: “git”; and a few steps are included in order to get the source code and generate configuration scripts.

The following example is the process to clone, compile and install in Debian OS.

sudo apt install autoconf automake build-essential git libjansson-dev libssl-dev pkg-config rsync libcurl4-openssl-dev libxml2-dev

git clone https://github.com/NICMx/FORT-validator.git
cd FORT-validator/
./autogen.sh
./configure
make
sudo make install

Option 4: Running from a Docker container

There’s also the option to run FORT validator from a Docker container. The image can be pulled from Docker Hub or built from the official Github repository: FORT-validator/docker.

To pull the image from the official repository, run:

docker pull nicmx/fort-validator:latest

Or to build from the source Dockerfile, just run (from the same directory where the Dockerfile is):

docker build -t fort-validator:latest .

A basic example to run the container using the default values, reading from a local TAL directory (i.e. host/path/to/tals), and binding to the local port 8323:

docker run --name fort-validator -v host/path/to/tals:/etc/fort/tal:ro -p 8323:323 -d fort-validator

Read more about the Docker container at the Github repository FORT-validator/docker.

Fetching the TALs

fort --init-tals --tal /etc/fort/tal

More details here.