systemd is the recommended deployment method for production Sentinel installations on Linux. It provides robust process supervision, socket activation, resource limits, and integration with system logging.
Overview

The proxy (sentinel.service) talks to each agent over a unix socket owned by systemd; the agent service behind each socket is started on the first connection:

```
┌──────────────────────────────────────────────────────────────┐
│ systemd                                                      │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ sentinel-agents.target                                   │ │
│ │ ┌──────────────┐  ┌──────────────┐  ┌─────────────┐     │ │
│ │ │sentinel-auth │  │sentinel-waf  │  │sentinel-echo│     │ │
│ │ │  .service    │  │  .service    │  │  .service   │     │ │
│ │ └──────┬───────┘  └──────┬───────┘  └──────┬──────┘     │ │
│ │        │                 │                 │            │ │
│ │ ┌──────┴───────┐  ┌──────┴───────┐  ┌──────┴──────┐     │ │
│ │ │sentinel-auth │  │sentinel-waf  │  │sentinel-echo│     │ │
│ │ │  .socket     │  │  .socket     │  │  .socket    │     │ │
│ │ └──────────────┘  └──────────────┘  └─────────────┘     │ │
│ └──────────────────────────────────────────────────────────┘ │
│                             │                                │
│                             ▼                                │
│                 ┌────────────────────────┐                   │
│                 │   sentinel.service     │                   │
│                 └────────────────────────┘                   │
└──────────────────────────────────────────────────────────────┘
```
Installation

Create User and Directories

The proxy and the agents all run as one unprivileged system account. The directories match the paths used by the unit files and the configuration below (/etc/sentinel, /var/run/sentinel for agent sockets, /var/log/sentinel).

```sh
# Create sentinel user (system account, no home, no login shell)
sudo useradd --system --no-create-home --shell /usr/sbin/nologin sentinel

# Create directories
sudo mkdir -p /etc/sentinel/secrets /etc/sentinel/tls /var/run/sentinel /var/log/sentinel

# Set permissions: runtime and log dirs are writable by the service user,
# configuration is owned by root and only readable by the sentinel group
sudo chown -R sentinel:sentinel /var/run/sentinel /var/log/sentinel
sudo chown -R root:sentinel /etc/sentinel
sudo chmod 750 /etc/sentinel/secrets
```

Install Binaries

Either download a release archive and install its binaries, or build from source and install the result. The unit files expect the proxy at /usr/local/bin/sentinel and each agent at /usr/local/bin/sentinel-<name>-agent (for example sentinel-auth-agent); keep them owned by root and not writable by the sentinel user, so a compromised service cannot replace its own executable.
Unit Files

Sentinel Proxy Service

```ini
# /etc/systemd/system/sentinel.service
[Unit]
Description=Sentinel Reverse Proxy
After=network-online.target sentinel-agents.target
Wants=network-online.target sentinel-agents.target

[Service]
Type=simple
User=sentinel
Group=sentinel
ExecStart=/usr/local/bin/sentinel --config /etc/sentinel/sentinel.kdl
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=5

# Sandboxing (the names of the boolean directives below are reconstructed from
# common practice; this copy of the page preserved only their values)
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ReadWritePaths=/var/run/sentinel /var/log/sentinel

LimitNOFILE=65536
MemoryMax=1G

StandardOutput=journal
StandardError=journal
SyslogIdentifier=sentinel

[Install]
WantedBy=multi-user.target
```

ProtectSystem=strict mounts the whole file system read-only for the service except the paths listed in ReadWritePaths=, so the proxy can write its socket directory and logs but not its own configuration or binary. Because the service runs as the unprivileged sentinel user and the configuration below listens on ports 80 and 443, add AmbientCapabilities=CAP_NET_BIND_SERVICE to the [Service] section (or grant the binary that capability with setcap); NoNewPrivileges=true blocks every other route to gaining privileges.

Agent Socket (Template)

```ini
# /etc/systemd/system/sentinel-agent@.socket
[Unit]
Description=Sentinel Agent Socket (%i)
PartOf=sentinel-agents.target

[Socket]
ListenStream=/var/run/sentinel/%i.sock
SocketUser=sentinel
SocketGroup=sentinel
SocketMode=0600

[Install]
WantedBy=sockets.target
```

SocketMode=0600 with SocketUser=sentinel means only processes running as the sentinel user (the proxy and the agents) can connect to an agent socket; other local users cannot inject requests into an agent.

Agent Service (Template)

```ini
# /etc/systemd/system/sentinel-agent@.service
[Unit]
Description=Sentinel Agent (%i)
Requires=sentinel-agent@%i.socket
After=sentinel-agent@%i.socket
PartOf=sentinel-agents.target

[Service]
Type=simple
User=sentinel
Group=sentinel
ExecStart=/usr/local/bin/sentinel-%i-agent --socket /var/run/sentinel/%i.sock
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
MemoryMax=256M

[Install]
WantedBy=multi-user.target
```

Instantiating the template as sentinel-agent@echo.socket therefore starts /usr/local/bin/sentinel-echo-agent with --socket /var/run/sentinel/echo.sock on the first connection.

Agents Target

```ini
# /etc/systemd/system/sentinel-agents.target
[Unit]
Description=Sentinel Agents

[Install]
WantedBy=multi-user.target
```
Per-Agent Configuration

For agents with specific requirements, create dedicated unit files:

Auth Agent

```ini
# /etc/systemd/system/sentinel-auth.socket
[Unit]
Description=Sentinel Auth Agent Socket

[Socket]
ListenStream=/var/run/sentinel/auth.sock
SocketUser=sentinel
SocketGroup=sentinel
SocketMode=0600

[Install]
WantedBy=sentinel-agents.target
```

```ini
# /etc/systemd/system/sentinel-auth.service
[Unit]
Description=Sentinel Auth Agent
Requires=sentinel-auth.socket
After=sentinel-auth.socket

[Service]
Type=simple
User=sentinel
Group=sentinel
ExecStart=/usr/local/bin/sentinel-auth-agent \
    --socket /var/run/sentinel/auth.sock \
    --config /etc/sentinel/auth.toml
Restart=on-failure
RestartSec=5
Environment="AUTH_SECRET_FILE=/etc/sentinel/secrets/auth.key"
ReadOnlyPaths=/etc/sentinel/secrets
MemoryMax=128M

[Install]
WantedBy=sentinel-agents.target
```

Only the path of the secret goes into the environment, never the secret itself: unit environment values are visible through `systemctl show -p Environment sentinel-auth.service` and in the journal, while the key file stays readable only by root and the sentinel group.

WAF Agent (gRPC)

The WAF agent speaks gRPC over loopback (the proxy configuration below points at http://127.0.0.1:50051), so it has no socket unit and is started directly by the target:

```ini
# /etc/systemd/system/sentinel-waf.service
[Unit]
Description=Sentinel WAF Agent
After=network-online.target

[Service]
Type=simple
User=sentinel
Group=sentinel
ExecStart=/usr/local/bin/sentinel-waf-agent \
    --grpc \
    --rules /etc/sentinel/waf/crs-rules
Restart=on-failure
RestartSec=5
MemoryMax=512M

[Install]
WantedBy=sentinel-agents.target
```
Sentinel Configuration

```kdl
// /etc/sentinel/sentinel.kdl
system {
    listen "0.0.0.0:80"
    listen "0.0.0.0:443" {
        tls {
            cert "/etc/sentinel/tls/cert.pem"
            key "/etc/sentinel/tls/key.pem"
        }
    }
}

admin {
    listen "127.0.0.1:9090"
}

agents {
    agent "auth" type="auth" {
        unix-socket "/var/run/sentinel/auth.sock"
        events "request_headers"
        timeout-ms 50
        failure-mode "closed"
    }

    agent "waf" type="waf" {
        grpc "http://127.0.0.1:50051"
        events "request_headers" "request_body"
        timeout-ms 100
        failure-mode "open"
        max-request-body-bytes 1048576
    }
}

upstreams {
    upstream "api" {
        targets "10.0.1.10:8080" "10.0.1.11:8080"
        health-check {
            path "/health"
            interval-ms 5000
        }
    }
}

routes {
    route "api" {
        matches { path-prefix "/api/" }
        upstream "api"
        agents "auth" "waf"
    }
}
```

Note the asymmetry in failure-mode: the auth agent fails closed (an unreachable or slow authenticator denies the request), while the WAF fails open (a slow rule engine degrades to no inspection rather than an outage). Which side a given agent should err on is a deliberate choice per route.
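The failure-mode and timeout-ms settings above decide what the proxy does when an agent is slow or down. The following Python is an added example, not Sentinel's code: the function names, the one-line ALLOW/DENY wire format and the stand-in agent are assumptions made for this illustration only, and do not describe Sentinel's real agent protocol.

```python
import socket
import tempfile
import threading
import time

# Wire format assumed for this example only: one request line in, one decision
# line ("ALLOW" or "DENY") back. Sentinel's actual agent protocol is not shown here.


def call_agent(path, request, timeout_ms, failure_mode):
    """Ask the agent at `path` for a decision, honouring timeout-ms and failure-mode.

    Returns (allowed, reason). When the agent is unreachable or slower than
    timeout_ms, failure-mode "closed" denies the request and "open" lets it
    through; `reason` records which path was taken so it can be logged.
    """
    if failure_mode not in ("open", "closed"):
        raise ValueError(f"unknown failure-mode {failure_mode!r}")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout_ms / 1000)
    try:
        sock.connect(path)
        sock.sendall(request + b"\n")
        reply = sock.recv(64).strip()
    except OSError as exc:
        # OSError covers ENOENT/ECONNREFUSED (socket missing, agent down) and timeouts
        return failure_mode == "open", (
            f"agent failure ({exc.__class__.__name__}), failure-mode {failure_mode}")
    finally:
        sock.close()
    if reply == b"ALLOW":
        return True, "agent allowed"
    if reply == b"DENY":
        return False, "agent denied"
    # A malformed or empty reply is a failure, never an implicit allow
    return failure_mode == "open", f"malformed agent reply {reply!r}, failure-mode {failure_mode}"


# --- constructed stand-in agent for the demo and self-check (not Sentinel code) ---

def start_demo_agent(path, decision=b"ALLOW", delay_s=0.0):
    """Answer every request with `decision` after `delay_s` seconds; returns the listener."""
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(8)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.recv(1024)
                time.sleep(delay_s)
                try:
                    conn.sendall(decision + b"\n")
                except OSError:
                    pass  # the proxy side gave up (timed out) before we answered

    threading.Thread(target=serve, daemon=True).start()
    return server


def demo_socket_dir():
    """Fresh short directory for unix sockets (AF_UNIX paths are limited to ~107 bytes)."""
    return tempfile.mkdtemp(prefix="sentinel-demo-")


if __name__ == "__main__":
    d = demo_socket_dir()
    start_demo_agent(d + "/auth.sock", b"DENY")                 # healthy authenticator
    start_demo_agent(d + "/waf.sock", b"ALLOW", delay_s=0.5)    # WAF slower than its timeout
    print(call_agent(d + "/auth.sock", b"GET /api/x", 50, "closed"))
    print(call_agent(d + "/waf.sock", b"GET /api/x", 100, "open"))
    print(call_agent(d + "/missing.sock", b"GET /api/x", 50, "closed"))
```

The slow WAF with failure-mode "open" and the missing auth socket with failure-mode "closed" both return within the configured timeout, which is the property the route depends on: a hung agent must cost at most timeout-ms per request, never the whole connection.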
Deployment Commands

Enable and Start

```sh
# Reload systemd
sudo systemctl daemon-reload

# Enable socket activation for agents
sudo systemctl enable sentinel-auth.socket sentinel-waf.service

# Start agents target (starts sockets, services start on demand)
sudo systemctl enable --now sentinel-agents.target

# Enable and start Sentinel
sudo systemctl enable --now sentinel.service
```

Management

```sh
# Check status
systemctl status sentinel.service sentinel-agents.target

# View logs
journalctl -u sentinel.service -f

# Reload configuration (graceful; sends SIGHUP via ExecReload=)
sudo systemctl reload sentinel.service

# Restart
sudo systemctl restart sentinel.service

# Stop everything
sudo systemctl stop sentinel.service sentinel-agents.target
```
Socket Activation

Socket activation provides several benefits:

- Agents start on demand when the first connection arrives
- Faster system boot (agents start lazily)
- systemd holds the socket during agent restarts (no connection loss)

For this to work the agent must accept the listening socket systemd hands it (file descriptor 3, announced through the LISTEN_FDS and LISTEN_PID environment variables) instead of binding the path itself; an agent that tries to bind the path systemd already holds fails with an address-in-use error.

```sh
# Check socket status
systemctl status sentinel-auth.socket

# Socket is listening even if service isn't running
systemctl list-sockets | grep sentinel
```
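What an agent has to do on its side of socket activation, as an added Python example (not Sentinel's code): `inherited_sockets` implements the LISTEN_PID/LISTEN_FDS/LISTEN_FDNAMES convention of sd_listen_fds(3), and `open_agent_listener` falls back to binding the path with the same 0600 mode the socket unit uses when the agent is started by hand. The function names and the stand-in for systemd are assumptions made for this illustration; the `start_fd` parameter exists only so the demo can run without owning fd 3.

```python
import os
import socket
import stat
import tempfile

# systemd hands inherited listening sockets to the service starting at fd 3
# (sd_listen_fds(3)); LISTEN_FDS says how many, LISTEN_FDNAMES names their units.
SD_LISTEN_FDS_START = 3


def inherited_sockets(environ=None, start_fd=SD_LISTEN_FDS_START):
    """Return [(unit name, socket)] for the sockets systemd passed to this process.

    Empty when the process was not socket-activated. LISTEN_PID must equal our
    own pid: the variables may have leaked through a parent that forked us.
    They are cleared afterwards so children do not re-read them.
    """
    environ = os.environ if environ is None else environ
    try:
        listen_pid = int(environ.get("LISTEN_PID", ""))
        nfds = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if listen_pid != os.getpid() or nfds <= 0:
        return []
    names = environ.get("LISTEN_FDNAMES", "").split(":")
    for key in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
        environ.pop(key, None)
    passed = []
    for i in range(nfds):
        fd = start_fd + i
        if not stat.S_ISSOCK(os.fstat(fd).st_mode):
            raise RuntimeError(f"fd {fd} announced by LISTEN_FDS is not a socket")
        # family/type/proto are recovered from the descriptor itself
        passed.append((names[i] if i < len(names) else "", socket.socket(fileno=fd)))
    return passed


def open_agent_listener(path, environ=None, start_fd=SD_LISTEN_FDS_START, mode=0o600):
    """Return (socket, activated): the inherited socket, or one bound at `path`.

    The fallback applies the same 0600 mode as SocketMode=0600 in the unit, so
    an agent started by hand is no more exposed than a socket-activated one.
    """
    passed = inherited_sockets(environ, start_fd)
    if passed:
        return passed[0][1], True
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # no window in which the path is group/world accessible
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    sock.listen(16)
    return sock, False


# --- constructed stand-ins for systemd, used by the demo and self-check ---

def demo_socket_path():
    """Short path in a fresh temp dir (AF_UNIX paths are limited to ~107 bytes)."""
    return os.path.join(tempfile.mkdtemp(prefix="sentinel-"), "auth.sock")


def make_demo_listener(path):
    """Bound, listening unix socket playing the part of sentinel-auth.socket."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(1)
    return sock


def demo_activation_env(*unit_names):
    """Environment as systemd sets it for a process activated by these socket units."""
    return {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": str(len(unit_names)),
            "LISTEN_FDNAMES": ":".join(unit_names)}


def socket_mode(path):
    """Permission bits of the socket inode at `path`."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    path = demo_socket_path()
    fd = make_demo_listener(path).detach()          # "systemd's" socket, as a raw fd
    env = demo_activation_env("sentinel-auth.socket")
    sock, activated = open_agent_listener(path, env, start_fd=fd)
    print("activated:", activated, "listening at:", sock.getsockname())
    sock.close()
```

The pid check matters in practice: `systemctl` restarts and wrapper scripts can leave LISTEN_* variables in the environment of a process that was not the intended recipient, and treating an arbitrary fd 3 as a listening socket is how an agent ends up serving on something it did not expect.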
Log Management

journald Configuration

```ini
# /etc/systemd/journald.conf
[Journal]
SystemMaxUse=1G
MaxRetentionSec=7day
```

Apply the change with `sudo systemctl restart systemd-journald`.

Log Queries

```sh
# All Sentinel logs (proxy and agents)
journalctl -u 'sentinel*'

# Just proxy logs
journalctl -u sentinel.service -f

# Agent logs with priority
journalctl -u 'sentinel-*' -p warning

# JSON output for parsing
journalctl -u sentinel.service -o json | jq .
```

Forward to External System

```sh
# Export to file for shipping
journalctl -u 'sentinel*' -o json --since "1 hour ago" > /var/log/sentinel/export.json
```
Resource Management

CPU and Memory Limits

```ini
[Service]
CPUQuota=200%
MemoryMax=1G
MemoryHigh=800M
TasksMax=1000
```

MemoryHigh= is the soft limit at which the kernel starts throttling and reclaiming; MemoryMax= is the hard limit at which the service is OOM-killed. Keeping a gap between them gives the proxy room to be slowed down before it is killed.

File Descriptor Limits

```ini
[Service]
LimitNOFILE=65536
LimitNPROC=4096
```

Verify Limits

```sh
# Check effective limits
systemctl show sentinel.service -p LimitNOFILE -p LimitNPROC -p MemoryMax -p MemoryHigh -p CPUQuotaPerSecUSec -p TasksMax
cat /proc/$(systemctl show -p MainPID --value sentinel.service)/limits
```
Health Checks

Systemd Watchdog

```ini
[Service]
WatchdogSec=30
```

Sentinel must notify systemd periodically: if no WATCHDOG=1 message reaches the notify socket within WatchdogSec, systemd kills the service and the Restart= policy takes over. The heartbeat should be sent from a code path that only runs while the proxy is actually serving requests, not from an independent timer thread, or the watchdog only proves the process exists.

```rust
// In Sentinel code (assumed: the sd-notify crate; the arguments of the original
// call were not preserved in this copy of the page)
sd_notify::notify(false, &[sd_notify::NotifyState::Watchdog])?;
```
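The notification the watchdog relies on is a plain datagram on the socket named by NOTIFY_SOCKET, and the timeout arrives in WATCHDOG_USEC. The following Python is an added example of that protocol, not Sentinel's code: the function names and the stand-in for systemd's receiving socket are assumptions made for this illustration.

```python
import os
import socket
import tempfile


def notify(states, environ=None):
    """Send one sd_notify(3) datagram to $NOTIFY_SOCKET; False if none is set.

    `states` are "KEY=VALUE" strings such as "READY=1" or "WATCHDOG=1"; systemd
    reads them newline-separated from a single datagram.
    """
    environ = os.environ if environ is None else environ
    target = environ.get("NOTIFY_SOCKET")
    if not target:
        return False  # not supervised with a notify socket: the heartbeat is a no-op
    if target.startswith("@"):
        target = "\0" + target[1:]  # abstract-namespace socket address
    payload = "".join(f"{s}\n" for s in states).encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, target)
    return True


def watchdog_interval(environ=None):
    """Seconds between WATCHDOG=1 pings, or None when no watchdog is armed.

    systemd exports WATCHDOG_USEC (WatchdogSec= in microseconds) and WATCHDOG_PID.
    Pinging at half the timeout tolerates one late tick; a process that stops
    pinging for a full WatchdogSec is killed and Restart= takes over.
    """
    environ = os.environ if environ is None else environ
    usec = environ.get("WATCHDOG_USEC")
    pid = environ.get("WATCHDOG_PID")
    if not usec or (pid is not None and pid != str(os.getpid())):
        return None
    return int(usec) / 1_000_000 / 2


def heartbeat(environ, ticks, healthy, sleep):
    """Run `ticks` watchdog rounds, pinging only while healthy() says so.

    Returns the number of pings sent. Withholding the ping when an internal
    check fails is what turns the watchdog into a liveness probe instead of a
    "process still exists" check.
    """
    interval = watchdog_interval(environ)
    sent = 0
    for _ in range(ticks):
        if interval is None:
            break
        if healthy() and notify(["WATCHDOG=1"], environ):
            sent += 1
        sleep(interval)
    return sent


# --- constructed stand-in for systemd's end of the socket (demo and self-check) ---

def make_demo_notify_socket():
    """Datagram socket systemd would own; returns (socket, path)."""
    path = os.path.join(tempfile.mkdtemp(prefix="sentinel-"), "notify")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    sock.settimeout(2)
    return sock, path


def demo_watchdog_env(path, watchdog_sec=30):
    """Environment as systemd sets it for WatchdogSec=<watchdog_sec>."""
    return {"NOTIFY_SOCKET": path, "WATCHDOG_USEC": str(watchdog_sec * 1_000_000),
            "WATCHDOG_PID": str(os.getpid())}


if __name__ == "__main__":
    systemd_side, path = make_demo_notify_socket()
    env = demo_watchdog_env(path)
    notify(["READY=1"], env)
    n = heartbeat(env, ticks=3, healthy=lambda: True, sleep=lambda s: None)
    print("interval:", watchdog_interval(env), "s; pings sent:", n)
    print([systemd_side.recv(64) for _ in range(n + 1)])
```

With WatchdogSec=30 the interval comes out as 15 s. Pass the `sleep` and `healthy` callables from the real event loop; the demo injects no-op versions so it finishes immediately.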
External Health Checks

```sh
# Simple HTTP check against the admin listener (replace <health-path> with the
# endpoint your build exposes; the page does not name it)
curl -fsS http://127.0.0.1:9090/<health-path> || exit 1
```

As a systemd timer; by default the timer activates the service of the same name, sentinel-healthcheck.service, which should run the check above:

```ini
# /etc/systemd/system/sentinel-healthcheck.timer
[Unit]
Description=Sentinel

[Timer]
OnBootSec=1min
OnUnitActiveSec=30s

[Install]
WantedBy=timers.target
```
Upgrades

Rolling Upgrade

```sh
# 1. Deploy new binary (root-owned, so the service user cannot modify it)
sudo install -o root -g root -m 0755 ./sentinel /usr/local/bin/sentinel

# 2. Graceful restart (SIGHUP via ExecReload=)
sudo systemctl reload sentinel.service
# or for full restart:
sudo systemctl restart sentinel.service

# 3. Verify
systemctl status sentinel.service
journalctl -u sentinel.service -n 20 --no-pager
```

Step 2's reload only replaces the running code if Sentinel re-executes itself on SIGHUP; check the version reported in the logs in step 3 and fall back to a full restart if it is unchanged.

Blue-Green with Socket Activation

1. Start the new version on a different port alongside the running one.
2. Test the new version on that port.
3. Switch traffic (update the load balancer or DNS).
4. Stop the old version.
5. Rename the new version so it takes over the standard name and port.
Troubleshooting

Agent Not Starting

```sh
# Check socket
systemctl status sentinel-auth.socket

# Check service
systemctl status sentinel-auth.service

# Check logs
journalctl -u sentinel-auth.service -n 50 --no-pager

# Manual test: stop the socket unit first so the path is free, then run the
# agent as the service user outside systemd
sudo systemctl stop sentinel-auth.socket
sudo -u sentinel /usr/local/bin/sentinel-auth-agent \
    --socket /var/run/sentinel/auth.sock \
    --config /etc/sentinel/auth.toml
```

Permission Denied

```sh
# Check socket permissions (expect sentinel:sentinel and mode 0600)
ls -l /var/run/sentinel/

# Fix ownership
sudo chown sentinel:sentinel /var/run/sentinel /var/run/sentinel/auth.sock
sudo chmod 0600 /var/run/sentinel/auth.sock
```

Connection Refused

```sh
# Is the socket listening?
ss -lxp | grep sentinel

# Is the service running?
systemctl is-active sentinel-auth.socket sentinel-auth.service

# Try connecting manually, as the only user allowed to
sudo -u sentinel socat - UNIX-CONNECT:/var/run/sentinel/auth.sock
```