feat: unix domain socket support for the daemon (input, output, API listener)#273
Merged
Add a `unix://` event source and output sink behind a new `uds` Cargo feature (which enables tokio's `net`), gated `#[cfg(all(unix, feature = "uds"))]` so non-Unix targets are unaffected.

- `UnixSocketSource` accepts newline-delimited events over a Unix socket, one reader task per connection feeding a bounded channel (back-pressure like stdin), with a 1 MiB per-line cap so an unterminated line cannot exhaust memory.
- `UnixSocketSink` dials a collector socket and writes NDJSON, reconnecting once on a write failure before surfacing the error.
- Shared bind helper recovers a stale socket file left by a crashed run (probe-then-unlink on AddrInUse), restricts the socket to 0600, and unlinks it on drop.
Wire the runtime's unix domain socket source and sink into the daemon: `--input unix:///path.sock` ingests newline-delimited events, and `--output`/`--dlq unix:///path.sock` write NDJSON to a local collector. The daemon feature enables `rsigma-runtime/uds`; the new match arms are `#[cfg(unix)]`, so on Windows `unix://` falls through to the existing unsupported-scheme config error. Flag help and supported-scheme messages updated.
Accept `--api-addr unix:///path/to.sock` so the health, metrics, and `/api/v1/*` API (plus OTLP ingestion when daemon-otlp is built in) can be served over a permission-gated local socket. A new `ListenAddr` enum parses the flag into TCP or Unix; the listener is bound through the runtime helper and served via `axum::serve`. TLS terminates on TCP only: `--tls-cert`/`--tls-key` combined with a unix:// address is rejected at startup, and a unix:// address is exempt from the plaintext-bind refusal (the socket file is the trust boundary). The socket is unlinked on clean shutdown.
Cover the unix:// input source, output sink, and API listener in the daemon CLI reference, the streaming-detection guide, the configuration and security references, and the config-schema doc comments, plus a CHANGELOG entry.
Summary
Adds `unix://` support to the engine daemon on three surfaces (Unix targets only). All socket code is `#[cfg(unix)]`-gated and the runtime source/sink sit behind a new `rsigma-runtime` `uds` feature (which enables tokio's `net`); the `daemon` feature turns it on. On non-Unix targets `unix://` falls through to the existing unsupported-scheme config error.

- `--input unix:///path/to.sock` ingests newline-delimited events over a Unix domain socket, so co-located log shippers (rsyslog `omuxsock`, syslog-ng `unix-stream`, Vector, Fluent Bit) can feed the daemon without a TCP port or the HTTP-ingest overhead. One reader task per connection feeds the bounded event channel (same back-pressure model as stdin), with a 1 MiB per-line cap so an unterminated line cannot exhaust memory.
- `--output unix:///path/to.sock` (also accepted by `--dlq`) writes NDJSON detections and incidents to a collector listening on a local socket, reconnecting once on a transient write failure before routing to the DLQ. New `Sink::Unix` variant.
- `--api-addr unix:///path/to.sock` serves the health, metrics, and `/api/v1/*` API (plus OTLP ingestion when built with `daemon-otlp`) over a permission-gated local socket. A new `ListenAddr` enum parses the flag; the listener is bound through a shared helper and served via `axum::serve`.

Security and lifecycle:

- `0600` and unlinked on clean shutdown; a stale socket left by a crashed run is reclaimed on the next start (probe-then-unlink on `AddrInUse`).
- `--tls-cert`/`--tls-key` combined with a `unix://` API address is rejected at startup, and a `unix://` address is exempt from the non-loopback plaintext-bind refusal (the socket file is the trust boundary).

Commits

- feat(runtime): the `UnixSocketSource`, `UnixSocketSink`, and shared bind helper behind the `uds` feature.
- feat(cli): wire `unix://` into the daemon input source and output sink.
- feat(cli): `ListenAddr` enum and the `unix://` API listener with the TLS/plaintext-policy handling.
- docs: daemon CLI reference, streaming-detection guide, configuration/security references, config-schema comments, and a CHANGELOG entry.

Test plan

- `cargo fmt --all -- --check`
- `cargo clippy --workspace --all-targets --all-features -- -D warnings`
- `cargo test -p rsigma-runtime --features uds` (round-trip over the socket, over-long-line drop, stale-socket rebind, live-socket rejection, scheme parsing)
- `cargo test -p rsigma --features daemon,daemon-tls,daemon-otlp` (new `cli_daemon_uds`: `/healthz` over a UDS, and TLS-over-UDS rejected)
- `mkdocs build --strict`
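As an added illustration, not code from this PR or the rsigma crates, here is a std-only sketch of the two runtime behaviours the summary describes: the bind helper that reclaims a stale socket file by probing it on `AddrInUse` (refusing to steal a live one), restricts the socket to `0600`, and unlinks it on drop; and a line reader that never buffers more than the per-line cap and drops an over-long line (resynchronising on the next newline) instead of the whole connection. The names `bind_unix`, `BoundSocket`, `read_capped_line` and `MAX_LINE` and the `/tmp/rsigma-example.sock` path are assumptions; the PR's own implementation is tokio-based and its API may differ.

```rust
// Added example, not the PR's code: std-only sketch of the bind helper
// (stale-socket reclaim, 0600, unlink on drop) and the capped line reader.
// `bind_unix`, `BoundSocket`, `read_capped_line`, `MAX_LINE` are assumed names.
use std::fs;
use std::io::{self, BufRead, BufReader, ErrorKind};
use std::os::unix::fs::PermissionsExt;
use std::os::unix::net::{UnixListener, UnixStream};
use std::path::{Path, PathBuf};

/// Per-line cap, mirroring the 1 MiB limit in the PR description.
pub const MAX_LINE: usize = 1024 * 1024;

/// A bound listener that owns its socket file and removes it on drop.
#[derive(Debug)]
pub struct BoundSocket {
    pub listener: UnixListener,
    path: PathBuf,
}

impl Drop for BoundSocket {
    fn drop(&mut self) {
        // Best effort on shutdown; a failed unlink is reclaimed on next start.
        let _ = fs::remove_file(&self.path);
    }
}

/// Bind `path`, reclaiming a stale file left by a crashed run but refusing to
/// steal a socket that another process is still serving.
pub fn bind_unix(path: &Path) -> io::Result<BoundSocket> {
    let listener = match UnixListener::bind(path) {
        Ok(l) => l,
        Err(e) if e.kind() == ErrorKind::AddrInUse => match UnixStream::connect(path) {
            // Someone answered: the socket is live, keep the AddrInUse error.
            Ok(_) => return Err(e),
            // Nobody listening: stale file from a crashed run, reclaim it.
            Err(probe) if probe.kind() == ErrorKind::ConnectionRefused => {
                fs::remove_file(path)?;
                UnixListener::bind(path)?
            }
            Err(probe) => return Err(probe),
        },
        Err(e) => return Err(e),
    };
    // Owner-only before the first accept: the file mode is the trust boundary.
    fs::set_permissions(path, fs::Permissions::from_mode(0o600))?;
    Ok(BoundSocket { listener, path: path.to_path_buf() })
}

fn too_long() -> io::Error {
    io::Error::new(ErrorKind::InvalidData, "line exceeds cap")
}

/// Discard bytes up to and including the next newline (or EOF).
fn skip_to_newline<R: BufRead>(r: &mut R) -> io::Result<()> {
    loop {
        let buf = r.fill_buf()?;
        let n = buf.len();
        if n == 0 {
            return Ok(());
        }
        let nl = buf.iter().position(|&b| b == b'\n');
        match nl {
            Some(pos) => {
                r.consume(pos + 1);
                return Ok(());
            }
            None => r.consume(n),
        }
    }
}

/// Read one newline-terminated line, buffering at most `cap` bytes of it.
/// Ok(None) at EOF; Err(InvalidData) for an over-long line, whose remainder
/// is discarded so the next call starts on the following line.
pub fn read_capped_line<R: BufRead>(r: &mut R, cap: usize) -> io::Result<Option<Vec<u8>>> {
    let mut line = Vec::new();
    loop {
        let buf = r.fill_buf()?;
        let n = buf.len();
        if n == 0 {
            return Ok(if line.is_empty() { None } else { Some(line) });
        }
        if let Some(pos) = buf.iter().position(|&b| b == b'\n') {
            let fits = line.len() + pos <= cap;
            if fits {
                line.extend_from_slice(&buf[..pos]);
            }
            r.consume(pos + 1);
            return if fits { Ok(Some(line)) } else { Err(too_long()) };
        }
        let fits = line.len() + n <= cap;
        if fits {
            line.extend_from_slice(buf);
        }
        r.consume(n);
        if !fits {
            skip_to_newline(r)?;
            return Err(too_long());
        }
    }
}

fn main() -> io::Result<()> {
    // Serve one connection on a constructed path and echo each accepted line.
    let sock = bind_unix(Path::new("/tmp/rsigma-example.sock"))?;
    let (stream, _) = sock.listener.accept()?;
    let mut reader = BufReader::new(stream);
    loop {
        match read_capped_line(&mut reader, MAX_LINE) {
            Ok(Some(line)) => println!("event: {}", String::from_utf8_lossy(&line)),
            Ok(None) => break,
            Err(e) if e.kind() == ErrorKind::InvalidData => eprintln!("dropped: {e}"),
            Err(e) => return Err(e),
        }
    }
    Ok(())
}
```

Two caveats a reviewer would check in the real helper as well: the probe connect leaves one already-closed connection in the live process's backlog, which its reader sees as an immediate EOF and should treat as harmless; and there is a window between `bind` and `set_permissions` in which the file carries the umask-derived mode, so placing the socket in a directory that is itself `0700` (or setting a restrictive umask before binding) is what actually closes it.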