Management daemon
Tempesta Escudo runs two daemons:
- tfw_mgr – a management daemon that receives gRPC messages from the client library or the CLI tool and dynamically reconfigures the Tempesta xFW and FW services.
- tfw_logger – responsible for observability logging into a ClickHouse database.
Both daemons are managed by the xfwctl script. For example, you can start the
Tempesta xFW service with:
# ./bin/xfwctl --start
Loading configuration from /etc/tempesta/xfw.json...
Configuration: -devices ens3
-devices-mode skb
-daemon_args
-daemon_log /var/log/tempesta/manager.log
-pidfile /var/run/tempesta_mgr.pid
-verbose false
-event-logging off
Note that the script prints the configuration options for tfw_mgr, which are
defined in /etc/tempesta/xfw.json by default.
You can specify a different configuration file path using the -c command-line
option for xfwctl. Run xfwctl --help for a list of available options and actions.
The configuration option event-logging in /etc/tempesta/xfw.json controls the collection of information about blocked packets.
By default, event-logging is on, meaning that information collection is active and the logging daemon (tfw_logger) will be started.
If event-logging is set to off, event collection will be disabled—even though the events themselves still occur—and tfw_logger will not start.
By default, tfw_logger is configured using /etc/tempesta/xfw_logger.json.
Configuration Options
Network devices
JSON key "devices". The value specifies the names of network devices to which XDP
and TC programs are attached. Example:
"devices": "ens3 ens4"
Network device mode
JSON key "devices-mode". Refer to device modes.
Supported values are "skb" and "native". Example:
"devices-mode": "skb"
Management daemon arguments
JSON key "daemon_args". The value is a string of command-line arguments passed to
tfw_mgr. Refer to the daemon help output for available options:
# /opt/tempesta/sbin/tfw_mgr --help
Usage: tempesta_mgr [options]:
-l [ --listen ] arg (=127.0.0.1) address to listen on
-p [ --port ] arg (=50051) grpc port to listen on
--http-port arg (=9090) http port to listen on
-G [ --geoip ] arg path to a GeoIP database file
-L [ --log ] arg (=/var/log/tempesta/manager.log)
path to a log-file
-P [ --pidfile ] arg (=/var/run/tempesta_mgr.pid)
path to a pid-file
-h [ --help ] show this message and exit
-d [ --debug ] run in debugging mode
Example:
"daemon_args": "-l 192.168.100.4 -p 5000"
Management daemon log path
JSON key "daemon_log". The value specifies the path to the tfw_mgr log file.
The default is /var/log/tempesta/manager.log. Example:
"daemon_log": "/var/log/tempesta/tfw_mgr.log"
Management daemon PID file path
JSON key "pidfile". The value specifies the path to the tfw_mgr PID file.
The default is /var/run/tempesta_mgr.pid. Example:
"pidfile": "/var/run/tfw_mgr.pid"
Verbose logging
JSON key "verbose". The value is a boolean ("true" or "false"; the default
is "false"). This option enables verbose logging for tfw_mgr. Example:
"verbose": "true"
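
A pre-deployment check for the options described above, added here as an example; it is not part of the Tempesta documentation or code. It assumes xfw.json is a flat JSON object with the keys shown on this page, and the names audit, listen_address and SAMPLE are hypothetical. It flags a management daemon bound to a non-loopback address and a configuration that turns off blocked-packet logging.

```python
import ipaddress
import json
import shlex

DEFAULT_LISTEN = "127.0.0.1"  # default shown in the tfw_mgr --help output

def listen_address(daemon_args):
    """Return the address given to tfw_mgr with -l / --listen, or the default."""
    tokens = shlex.split(daemon_args)
    addr = DEFAULT_LISTEN
    for i, tok in enumerate(tokens):
        if tok in ("-l", "--listen") and i + 1 < len(tokens):
            addr = tokens[i + 1]
        elif tok.startswith("--listen="):
            addr = tok.split("=", 1)[1]
    return addr

def audit(config_text):
    """Return review findings for an xfw.json document (flat object assumed)."""
    cfg = json.loads(config_text)
    findings = []
    mode = cfg.get("devices-mode")
    if mode is not None and mode not in ("skb", "native"):
        findings.append(f"devices-mode: unsupported value {mode!r}")
    addr = listen_address(cfg.get("daemon_args", ""))
    try:
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"daemon_args: tfw_mgr listens on non-loopback {addr}")
    except ValueError:
        findings.append(f"daemon_args: listen address {addr!r} is not an IP literal")
    # event-logging is on by default; off means blocked packets are not recorded.
    if cfg.get("event-logging", "on") == "off":
        findings.append("event-logging: off, tfw_logger will not start")
    if cfg.get("verbose", "false") not in ("true", "false"):
        findings.append('verbose: expected "true" or "false"')
    return findings

# Constructed sample, built from the example values shown on this page.
SAMPLE = """{
  "devices": "ens3 ens4",
  "devices-mode": "skb",
  "daemon_args": "-l 192.168.100.4 -p 5000",
  "verbose": "true",
  "event-logging": "off"
}"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding for a non-loopback listen address is a prompt to confirm that the management port is reachable only from the intended hosts, not a statement that the setting is wrong.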