Functional Block: Dynamic Config
The Dynamic Configuration (DyConf) block enables users to interact with a running Gatekeeper or Grantor instance at runtime.
The dynamic configuration opens a UNIX socket and accepts only one active connection at a time to avoid dealing with concurrency. It receives Lua configuration files from a client, and then calls the corresponding functions to perform various operations, including listing, adding, or deleting entries in other functional blocks (e.g., GK, GT, LLS).
The client program that sends requests to the Dynamic Configuration is maintained under the gkctl folder. The functions that a client may call are defined in the Dynamic Configuration library (see lua_dy_lib below).
Examples of dynamic configuration requests include:
- Adding, deleting, and listing forwarding table rules (IPv4 and IPv6)
- Listing ARP and ND address resolution rules
- Updating the policy running at Grantor
All static configuration variables can be configured in lua/dyn_cfg.lua.
These variables are likely to change from deployment-to-deployment based on the operator's preferences.
log_level
The log level for the Dynamic Configuration block. Can be set to any one of the following values: RTE_LOG_EMERG, RTE_LOG_ALERT, RTE_LOG_CRIT, RTE_LOG_ERR, RTE_LOG_WARNING, RTE_LOG_NOTICE, RTE_LOG_INFO, RTE_LOG_DEBUG.
Since we typically use RTE_LOG_ERR as the most severe log condition, we recommend not setting this value below RTE_LOG_ERR.
mode
The permissions of the UNIX socket file created by the Dynamic Configuration block.
log_ratelimit_interval_ms
The length of the interval over which logs are rate limited (in milliseconds). Within a given interval, at most log_ratelimit_burst log entries are emitted; the count of entries is reset at the start of each new interval.
log_ratelimit_burst
The number of entries allowed to be logged per interval. Once the number of log entries in a given interval reaches this limit, any further entries in that interval are dropped.
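To make the interval/burst semantics above concrete, here is an added example (not Gatekeeper's own code) that models a rate limiter with exactly those two parameters and runs a constructed set of log timestamps through it. The struct and function names, and the sample timestamps, are this example's own; it is a model of the behaviour the two variables describe, not the block's implementation.

```c
/* Added example (not Gatekeeper's own code): a model of the
 * log_ratelimit_interval_ms / log_ratelimit_burst semantics described above.
 * Within one interval at most `burst` entries pass; the count is reset when a
 * new interval begins. Struct and function names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct log_ratelimit {
    uint64_t interval_ms;   /* log_ratelimit_interval_ms */
    uint32_t burst;         /* log_ratelimit_burst */
    uint64_t window_start;  /* time (ms) at which the current interval began */
    uint32_t count;         /* entries accepted in the current interval */
    uint64_t dropped;       /* entries suppressed so far, kept for visibility */
};

void ratelimit_init(struct log_ratelimit *rl, uint64_t interval_ms,
                    uint32_t burst, uint64_t now_ms)
{
    rl->interval_ms = interval_ms;
    rl->burst = burst;
    rl->window_start = now_ms;
    rl->count = 0;
    rl->dropped = 0;
}

/* Returns true if an entry produced at now_ms may be emitted. */
bool ratelimit_allow(struct log_ratelimit *rl, uint64_t now_ms)
{
    if (now_ms - rl->window_start >= rl->interval_ms) {
        /* A new interval starts with this entry; forget the old count. */
        rl->window_start = now_ms;
        rl->count = 0;
    }
    if (rl->count < rl->burst) {
        rl->count++;
        return true;
    }
    rl->dropped++;
    return false;
}

/* Constructed sample timestamps (ms): six entries within the first 50 ms,
 * then two more after 5 s. With interval 5000 ms and burst 4, the first four
 * pass, the next two are dropped, and both late entries pass again. */
static const uint64_t sample_ts_ms[] = { 0, 10, 20, 30, 40, 50, 5000, 5010 };
#define SAMPLE_N (sizeof(sample_ts_ms) / sizeof(sample_ts_ms[0]))

/* Runs the sample through the limiter; returns the number of entries
 * emitted and leaves the final limiter state in *out. */
int demo_run(struct log_ratelimit *out)
{
    int emitted = 0;
    ratelimit_init(out, 5000, 4, sample_ts_ms[0]);
    for (size_t i = 0; i < SAMPLE_N; i++) {
        bool ok = ratelimit_allow(out, sample_ts_ms[i]);
        printf("t=%4llu ms: %s\n", (unsigned long long)sample_ts_ms[i],
               ok ? "logged" : "dropped");
        if (ok)
            emitted++;
    }
    return emitted;
}

int main(void)
{
    struct log_ratelimit rl;
    int emitted = demo_run(&rl);
    printf("emitted=%d dropped=%llu\n", emitted,
           (unsigned long long)rl.dropped);
    return 0;
}
```

The point to take from the run is that the burst is a per-interval budget, not a sustained rate: a noisy condition at the start of an interval uses up the budget and everything else in that interval is lost until the next one begins, which is why the burst should be sized for the volume of messages an operator actually needs to see, not only for the worst-case flood.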
mailbox_max_entries_exp
The log (base 2) of the maximum size of the Dynamic Config mailbox. For example, if the variable is set to 7, then room for 2^7 = 128 entries will be made in the mailbox.
It also determines how many entries are actually available for use in the mailbox, which for efficiency reasons is one less than the maximum size of the mailbox (127 in the example above).
mailbox_mem_cache_size
Number of mailbox entries to keep in the cache for more efficient use of the mailbox. Set to 0 to disable the cache of the memory pool for the mailbox.
mailbox_burst_size
Maximum number of entries to receive in a burst every time the mailbox is checked.
These variables likely only need to be changed under extreme circumstances or for deployment-specific reasons.
server_path
To facilitate inter-process communication between a client and the Dynamic Configuration, Gatekeeper uses a UNIX (AF_UNIX) domain socket. The server_path variable holds the pathname that the UNIX socket is bound to, identifying the Dynamic Configuration server application. A typical value is '/var/run/gatekeeper/dyn_cfg.socket', since that is the default pathname assumed by the gkctl client application. Therefore, if the server path is changed, client applications need to be run with the corresponding new pathname.
lua_dy_base_dir
The variable lua_dy_base_dir defines the directory for the Lua files of Dynamic Configuration. This will typically be a directory named './lua'.
lua_dy_lib
The variable lua_dy_lib defines the Lua file that contains the Dynamic Configuration library. This library includes definitions of constants, data types, and functions related to dynamic configuration of Gatekeeper. This will typically be a file named 'gatekeeper/dylib.lua'.
rcv_timeout_sec & rcv_timeout_usec
These variables specify the number of seconds and microseconds to wait before a connection with a dynamic configuration client times out. A reasonable value is 30 seconds and 0 microseconds.