Tempesta Technologies

Management daemon

Tempesta Escudo runs two daemons:

  1. tfw_mgr – a management daemon that receives gRPC messages from the client library or the CLI tool and dynamically reconfigures the Tempesta xFW and FW services.

  2. tfw_logger – responsible for observability logging into a ClickHouse database.

Both daemons are managed by the xfwctl script. For example, you can start the Tempesta xFW service with:

# ./bin/xfwctl --start
Loading configuration from /etc/tempesta/xfw.json...
Configuration: -devices ens3
               -devices-mode skb
               -daemon_args 
               -daemon_log /var/log/tempesta/manager.log
               -pidfile /var/run/tempesta_mgr.pid
               -verbose false
               -event-logging off

Note that the script prints the configuration options for tfw_mgr, which are defined in /etc/tempesta/xfw.json by default.

You can specify a different configuration file path using the -c command-line option for xfwctl. Run xfwctl --help for a list of available options and actions.

The configuration option event-logging in /etc/tempesta/xfw.json controls the collection of information about blocked packets. By default, event-logging is on, meaning that information collection is active and the logging daemon (tfw_logger) will be started. If event-logging is set to off, event collection will be disabled—even though the events themselves still occur—and tfw_logger will not start.

By default, tfw_logger is configured using /etc/tempesta/xfw_logger.json.

Configuration Options

Network devices

JSON key "devices". The value specifies the names of network devices to which XDP and TC programs are attached. Example:

"devices": "ens3 ens4"

Network device mode

JSON key "devices-mode". Refer to device modes. Supported values are "skb" and "native". Example:

"devices-mode": "skb"

Management daemon arguments

JSON key "daemon_args". The value is a string of command-line arguments passed to tfw_mgr. Refer to the daemon help output for available options:

# /opt/tempesta/sbin/tfw_mgr --help
Usage: tempesta_mgr [options]:
  -l [ --listen ] arg (=127.0.0.1)      address to listen on
  -p [ --port ] arg (=50051)            grpc port to listen on
  --http-port arg (=9090)               http port to listen on
  -G [ --geoip ] arg                    path to a GeoIP database file
  -L [ --log ] arg (=/var/log/tempesta/manager.log)
                                        path to a log-file
  -P [ --pidfile ] arg (=/var/run/tempesta_mgr.pid)
                                        path to a pid-file
  -h [ --help ]                         show this message and exit
  -d [ --debug ]                        run in debugging mode

Example:

"daemon_args": "-l 192.168.100.4 -p 5000"

Management daemon log path

JSON key "daemon_log". The value specifies the path to the tfw_mgr log file. The default is /var/log/tempesta/manager.log. Example:

"daemon_log": "/var/log/tempesta/tfw_mgr.log"

Management daemon PID file path

JSON key "pidfile". The value specifies the path to the tfw_mgr PID file. The default is /var/run/tempesta_mgr.pid. Example:

"pidfile": "/var/run/tfw_mgr.pid"

Verbose logging

JSON key "verbose". The value is a boolean: "true" or "false" (the default). This option enables verbose logging for tfw_mgr. Example:

"verbose": "true"
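
The following is an added example, not part of the Tempesta documentation or code: a small Python audit of an xfw.json file that reports when tfw_mgr is bound to a non-loopback address through "daemon_args", when "event-logging" is off, and when "devices-mode" is not one of the supported values. The flat JSON object with string values and the function names listen_address and audit are assumptions made for this sketch.

```python
import ipaddress
import json
import shlex

# Constructed sample. A flat JSON object with string values is an assumption
# based on the per-key examples shown on this page.
SAMPLE_XFW_JSON = """
{
  "devices": "ens3 ens4",
  "devices-mode": "skb",
  "daemon_args": "-l 192.168.100.4 -p 5000",
  "daemon_log": "/var/log/tempesta/tfw_mgr.log",
  "pidfile": "/var/run/tfw_mgr.pid",
  "verbose": "true",
  "event-logging": "off"
}
"""

def listen_address(daemon_args):
    """Return the -l/--listen value from a daemon_args string.

    Falls back to 127.0.0.1, the default shown in the tfw_mgr help output.
    """
    tokens = shlex.split(daemon_args)
    addr = "127.0.0.1"
    for i, tok in enumerate(tokens):
        if tok in ("-l", "--listen") and i + 1 < len(tokens):
            addr = tokens[i + 1]
    return addr

def audit(config_text):
    """Return a list of findings for the text of an xfw.json file."""
    cfg = json.loads(config_text)
    findings = []
    mode = cfg.get("devices-mode")
    if mode is not None and mode not in ("skb", "native"):
        findings.append(f"devices-mode: unsupported value {mode!r}")
    addr = listen_address(cfg.get("daemon_args", ""))
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        loopback = False  # not an IP literal: cannot confirm loopback, so report it
    if not loopback:
        findings.append(f"daemon_args: tfw_mgr listens on non-loopback address {addr}")
    if str(cfg.get("event-logging", "on")).lower() == "off":
        findings.append("event-logging: off, blocked-packet information is not collected")
    return findings
```

Running audit() on the text of /etc/tempesta/xfw.json before xfwctl --start gives a quick review list; an empty list means none of the three conditions applies.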