Update l3afd case #144

Merged
merged 1 commit into from
Nov 2, 2022
18 changes: 9 additions & 9 deletions docs/prod-deploy-guide.md
@@ -1,16 +1,16 @@
# Guide to use L3AF in production environments

## Installing L3AFd
## Installing l3afd

Download the latest build artifacts for the last stable release on the L3AFd [repo page](../../../)
Download the latest build artifacts for the last stable release on the l3afd [repo page](../../../)

## Configuring L3AFd
## Configuring l3afd

This guide lists recommendations on how to run L3AFd in a production environment. Please see [l3afd.cfg](../config/l3afd.cfg) for a sample configuration.
This guide lists recommendations on how to run l3afd in a production environment. Please see [l3afd.cfg](../config/l3afd.cfg) for a sample configuration.

The only secure configuration for production deployments at this time is with mTLS enabled. mTLS is necessary to properly protect the REST API when running in production mode. To securely run L3AFd in a production environment please follow the configuration guidelines below.
The only secure configuration for production deployments at this time is with mTLS enabled. mTLS is necessary to properly protect the REST API when running in production mode. To securely run l3afd in a production environment please follow the configuration guidelines below.

* Make sure `environment: PROD` is set to prevent L3AFd starting up in an insecure configuration.
* Make sure `environment: PROD` is set to prevent l3afd starting up in an insecure configuration.

* Ensure mTLS is set to `enabled: true` in the configuration.

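Review bot: the H1 `# Guide to use L3AF in production environments` is the one name in this hunk left in uppercase while every daemon reference (`## Installing l3afd`, `## Configuring l3afd`, the prose lines) is lowercased; that is presumably deliberate because the heading names the project rather than the daemon binary, but a short note in the PR description that the rename applies only to the daemon name would make the intent clear to the next reader. Separately, the unchanged `[repo page](../../../)` link depends on GitHub's `blob/<branch>/docs/` URL layout to resolve to the repository root; an absolute repository URL would also survive when the guide is copied or rendered elsewhere.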
Expand All @@ -20,13 +20,13 @@ The only secure configuration for production deployments at this time is with mT

* The debug log API should only be enabled and set to listen on localhost when it is required to debug issues with program chaining. The debug log should normally be disabled by setting `enable: false` in the `ebpf-chain-debug` section.

* For security reasons, it is not recommended configuring L3AFd to point to a public eBPF repository. Instead, configure L3AFd to point to a private mirror or local file repository once you have validated and ensured the eBPF programs are safe to run in production.
* For security reasons, it is not recommended configuring l3afd to point to a public eBPF repository. Instead, configure l3afd to point to a private mirror or local file repository once you have validated and ensured the eBPF programs are safe to run in production.
* eBPF repository artifacts are retrieved by joining the following elements to build the complete path: `https://<ebpf-repo-url>/<ebpf-program>/<version>/<platform>/<artifact>` or `file:///<repo-dir>/<ebpf-program>/<version>/<platform>/<artifact>`.

## Running L3AFd
## Running l3afd

* l3afd on Linux needs to run with the `CAP_SYS_ADMIN` or with the `CAP_BPF`, `CAP_NET_ADMIN`, and `CAP_PERFMON` privileges (newer kernels). Unprivileged users will not have the necessary permissions to load eBPF programs.

* l3afd only supports handling the following signals `SIGINT`, `SIGTERM`, which will cause L3AFd to perform a clean shut down.
* l3afd only supports handling the following signals `SIGINT`, `SIGTERM`, which will cause l3afd to perform a clean shut down.

* l3afd can be configured through a system manager to start on boot, such as systemd.
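Review bot: since the line `* For security reasons, it is not recommended configuring l3afd to point to a public eBPF repository.` is already being touched, fix the grammar at the same time: "it is not recommended to configure l3afd to point to a public eBPF repository." The same applies to the signal line, which reads better as "l3afd only supports handling the following signals: `SIGINT` and `SIGTERM`, which cause l3afd to perform a clean shutdown" (colon after "signals", "shutdown" as one word). The unchanged capability bullet (`CAP_SYS_ADMIN`, or `CAP_BPF`, `CAP_NET_ADMIN` and `CAP_PERFMON`) already uses lowercase `l3afd`, so no further case changes are needed in this file.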