feat: unix domain socket support for the daemon (input, output, API listener) #273

Merged: mostafa merged 5 commits into main from feat/unix-sockets on Jun 30, 2026

Conversation

@mostafa (Member) commented Jun 30, 2026

Summary

Adds unix:// support to the engine daemon on three surfaces (Unix targets only). All socket code is #[cfg(unix)]-gated and the runtime source/sink sit behind a new rsigma-runtime uds feature (which enables tokio's net); the daemon feature turns it on. On non-Unix targets unix:// falls through to the existing unsupported-scheme config error.

  • --input unix:///path/to.sock ingests newline-delimited events over a Unix domain socket, so co-located log shippers (rsyslog omuxsock, syslog-ng unix-stream, Vector, Fluent Bit) can feed the daemon without a TCP port or the HTTP-ingest overhead. One reader task per connection feeds the bounded event channel (same back-pressure model as stdin), with a 1 MiB per-line cap so an unterminated line cannot exhaust memory.
  • --output unix:///path/to.sock (also accepted by --dlq) writes NDJSON detections and incidents to a collector listening on a local socket, reconnecting once on a transient write failure before routing to the DLQ. New Sink::Unix variant.
  • --api-addr unix:///path/to.sock serves the health, metrics, and /api/v1/* API (plus OTLP ingestion when built with daemon-otlp) over a permission-gated local socket. A new ListenAddr enum parses the flag; the listener is bound through a shared helper and served via axum::serve.

Security and lifecycle:

  • The socket file is created 0600 and unlinked on clean shutdown; a stale socket left by a crashed run is reclaimed on the next start (probe-then-unlink on AddrInUse).
  • TLS terminates on TCP only: --tls-cert/--tls-key combined with a unix:// API address is rejected at startup, and a unix:// address is exempt from the non-loopback plaintext-bind refusal (the socket file is the trust boundary).

Commits

  • feat(runtime): the UnixSocketSource, UnixSocketSink, and shared bind helper behind the uds feature.
  • feat(cli): wire unix:// into the daemon input source and output sink.
  • feat(cli): ListenAddr enum and the unix:// API listener with the TLS/plaintext-policy handling.
  • docs: daemon CLI reference, streaming-detection guide, configuration/security references, config-schema comments, and a CHANGELOG entry.

Test plan

  • cargo fmt --all -- --check
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo test -p rsigma-runtime --features uds (round-trip over the socket, over-long-line drop, stale-socket rebind, live-socket rejection, scheme parsing)
  • cargo test -p rsigma --features daemon,daemon-tls,daemon-otlp (new cli_daemon_uds: /healthz over a UDS, and TLS-over-UDS rejected)
  • mkdocs build --strict
  • NATS integration tests require Docker; not run locally (unaffected by this change), covered by CI.

mostafa added 5 commits on June 30, 2026 21:15

Add a `unix://` event source and output sink behind a new `uds` Cargo
feature (which enables tokio's `net`), gated `#[cfg(all(unix, feature =
"uds"))]` so non-Unix targets are unaffected.

- `UnixSocketSource` accepts newline-delimited events over a Unix socket,
  one reader task per connection feeding a bounded channel (back-pressure
  like stdin), with a 1 MiB per-line cap so an unterminated line cannot
  exhaust memory.
- `UnixSocketSink` dials a collector socket and writes NDJSON, reconnecting
  once on a write failure before surfacing the error.
- Shared bind helper recovers a stale socket file left by a crashed run
  (probe-then-unlink on AddrInUse), restricts the socket to 0600, and
  unlinks it on drop.

Wire the runtime's unix domain socket source and sink into the daemon:
`--input unix:///path.sock` ingests newline-delimited events, and
`--output`/`--dlq unix:///path.sock` write NDJSON to a local collector.
The daemon feature enables `rsigma-runtime/uds`; the new match arms are
`#[cfg(unix)]`, so on Windows `unix://` falls through to the existing
unsupported-scheme config error. Flag help and supported-scheme messages
updated.

Accept `--api-addr unix:///path/to.sock` so the health, metrics, and
`/api/v1/*` API (plus OTLP ingestion when daemon-otlp is built in) can be
served over a permission-gated local socket. A new `ListenAddr` enum
parses the flag into TCP or Unix; the listener is bound through the
runtime helper and served via `axum::serve`.

TLS terminates on TCP only: `--tls-cert`/`--tls-key` combined with a
unix:// address is rejected at startup, and a unix:// address is exempt
from the plaintext-bind refusal (the socket file is the trust boundary).
The socket is unlinked on clean shutdown.

Cover the unix:// input source, output sink, and API listener in the
daemon CLI reference, the streaming-detection guide, the configuration
and security references, and the config-schema doc comments, plus a
CHANGELOG entry.

@mostafa mostafa merged commit b02647c into main Jun 30, 2026
16 checks passed
@mostafa mostafa deleted the feat/unix-sockets branch June 30, 2026 19:41