New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Reload ACL flags upon receiving a signal #253
Comments
Note this is achievable today simply by re-executing a new ghostunnel and killing the old one. Since it sets SO_REUSEPORT by default, you can run multiple instances in parallel. I think the most straightforward way to implement this would actually be a full configuration reload, with an internal re-execution version of just starting a new process. But maybe keeping some state (like metrics). Either way this is definitely blocked on #252 |
Agree, |
Some useful links I found on this topic: |
huh the ebpf trick is neat; I hadn't seen that before. If we do in-process reloads, theoretically at least that's not really a concern as we could dispatch in-process on a single listening queue. Not sure how much work that would be to build into Ghostunnel, though. Or, if we keep the TLS/packet forwarding stack running, we could ensure that everywhere that uses config that supports reloading pulls from a config that's reloaded, ala the certloader atomic.LoadPointer stuff |
Yeah, in-process reloading would avoid this and probably what we'll end up doing I guess. Though I really like the (theoretical) simplicity of reloading the entire process, that way there never needs to be complicated logic or careful handling anywhere for reloading whatever parts of the config. |
Thank you both for the fast responses!
If I were to maintain this project I'd push this option to the maximum :) I guess at the short term (low traffic) the solution of re-executing a new ghostunnel would be good enough for us! I'll keep an eye on this ticket to see how we can contribute. |
This is kinda possible now (on latest master) using OPA policies & reloading. You'll have to translate your flags into a policy file, but after that you can edit the policy file and have it reload the same way as certificates. |
We can close this issue if you want :) thanks Cedric |
Will do. Docs on OPA policies are here for anyone who's interested in this feature: https://github.com/ghostunnel/ghostunnel/blob/master/docs/ACCESS-FLAGS.md |
馃憢 great job here!
I'm interested in being able to reload ACLs without losing ongoing connections.
Given that this issue is implemented, after receiving a sighup, ghostunnel would reload the ACLs so for example, one can add/remove an organization without the need to change the command line or interrupt the current connections.
Thanks
The text was updated successfully, but these errors were encountered: