The sentinel bundle command provides a streamlined way to install Sentinel with its bundled agents. This is the recommended approach for production deployments on Linux servers.
Overview
Instead of manually downloading and configuring each agent, the bundle command:
- Downloads agent binaries from their official GitHub releases
- Installs them to the appropriate system locations
- Optionally generates configuration and systemd service files
┌─────────────────────────────────────────────────────────┐
│ sentinel bundle install │
│ │
│ Reads lock file → Downloads agents → Installs binaries │
│ │
│ Bundled agents: │
│ • WAF (ModSecurity-based firewall) │
│ • Ratelimit (Token bucket limiting) │
│ • Denylist (IP/path blocking) │
└─────────────────────────────────────────────────────────┘
Quick Start
# 1. Install Sentinel
|
# 2. Install bundled agents
# 3. Check status
# 4. Configure and start
Commands Reference
Install Agents
# Install all bundled agents
# Install with systemd services
# Install a specific agent only
# Preview without installing
# Force reinstall even if up to date
# Custom installation prefix
# Skip checksum verification
Check Status
Example output:
Sentinel Bundle Status
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Bundle version: 26.01_1
Install path: /usr/local/bin
Agent Installed Expected Status
─────────────────────────────────────────────────
denylist 0.2.0 0.2.0 ✓ up to date
ratelimit 0.2.0 0.2.0 ✓ up to date
waf - 0.2.0 ✗ not installed
Total: 3 | Up to date: 2 | Outdated: 0 | Not installed: 1
List Available Agents
# List agents
# With download URLs
Check for Updates
# Check what's available
# Apply updates
Uninstall Agents
# Remove all agents
# Remove specific agent
# Preview
Bundled Agents
The bundle includes agents that cover common production use cases:
WAF Agent
ModSecurity-based web application firewall with OWASP Core Rule Set support.
Use cases:
- SQL injection protection
- XSS prevention
- Request validation
- Security baseline
Configuration: /etc/sentinel/agents/waf.yaml
socket:
path: /var/run/sentinel/waf.sock
modsecurity:
engine: "On"
crs:
paranoia_level: 1
inbound_anomaly_score_threshold: 5
Ratelimit Agent
Token bucket rate limiting with flexible rule configuration.
Use cases:
- API rate limiting
- DDoS mitigation
- Fair usage enforcement
- Cost control
Configuration: /etc/sentinel/agents/ratelimit.yaml
socket:
path: /var/run/sentinel/ratelimit.sock
rules:
- name: api_per_ip
match:
path_prefix: /api
limit:
requests_per_second: 100
burst: 200
key: client_ip
Denylist Agent
Simple IP and path blocking for known bad actors.
Use cases:
- Block malicious IPs
- Block scanner paths
- Geographic restrictions
- Emergency blocking
Configuration: /etc/sentinel/agents/denylist.yaml
socket:
path: /var/run/sentinel/denylist.sock
ip_denylist:
enabled: true
path_denylist:
enabled: true
patterns:
- ".*\\.php$"
- "/wp-admin.*"
Configuration
After installing agents, configure Sentinel to use them.
Add Agents to sentinel.kdl
agents {
agent "waf" {
endpoint "unix:///var/run/sentinel/waf.sock"
timeout-ms 100
failure-mode "open"
}
agent "ratelimit" {
endpoint "unix:///var/run/sentinel/ratelimit.sock"
timeout-ms 50
failure-mode "open"
}
agent "denylist" {
endpoint "unix:///var/run/sentinel/denylist.sock"
timeout-ms 20
failure-mode "open"
}
}
Apply Agents to Routes
routes {
route "api" {
priority "high"
matches { path-prefix "/api" }
upstream "backend"
policies {
// Order matters: check deny first, then rate limit, then WAF
agents "denylist" "ratelimit" "waf"
}
}
route "static" {
priority "normal"
matches { path-prefix "/static" }
upstream "cdn"
policies {
// Static content only needs denylist
agents "denylist"
}
}
}
Systemd Integration
Install with systemd services for production:
# Install with systemd
# Reload systemd
# Enable the target (starts on boot)
# Start everything
The sentinel.target groups all services:
# Check all services
# View proxy logs
# View WAF logs
Service Dependencies
sentinel.target
├── sentinel.service (proxy)
├── sentinel-waf.service (WAF agent)
├── sentinel-ratelimit.service
└── sentinel-denylist.service
All agent services depend on sentinel.service and are part of sentinel.target.
Installation Paths
System-wide (requires root)
| Type | Path |
|---|---|
| Binaries | /usr/local/bin/sentinel-{agent}-agent |
| Configs | /etc/sentinel/agents/{agent}.yaml |
| Systemd | /etc/systemd/system/sentinel-{agent}.service |
| Runtime | /var/run/sentinel/ |
User-local (no root)
| Type | Path |
|---|---|
| Binaries | ~/.local/bin/sentinel-{agent}-agent |
| Configs | ~/.config/sentinel/agents/{agent}.yaml |
| Systemd | ~/.config/systemd/user/sentinel-{agent}.service |
The command automatically detects whether to use system-wide or user-local paths.
Version Management
Agent versions are coordinated via a lock file embedded in Sentinel:
# Check current versions
# Check for updates
# Update to latest
The lock file ensures that all installed components are tested to work together.
Troubleshooting
Permission Denied
# Use sudo for system-wide installation
# Or use user-local paths
Download Failed
Check network connectivity:
# Show download URLs
# Test connectivity
Agent Won’t Start
Check logs and socket permissions:
# Check logs
# Check socket directory
# Ensure sentinel user owns the directory
Version Mismatch
Force reinstall:
Example: Complete Setup
# 1. Install Sentinel
|
# 2. Install bundled agents with systemd
# 3. Create configuration
# 4. Start everything
# 5. Verify
See Also
- Installation - Installing Sentinel
- Systemd Deployment - Production systemd setup
- Docker Compose - Container deployment with agents
- Configuration Reference - Agent configuration options