manager: policy-loader: new process for loading policy rules separately

Aleš Mrázek requested to merge separate-policy-kresd into master

The policy-loader is a new special kresd instance that helps load policy rules into the rules database shared among kresd workers. When the policy rules are finished loading, the process will automatically exit; otherwise, it will exit with an error code that is detected by supervisord.

The policy-loader is triggered only when there are changes in the configuration relevant to the policy rules or when the resolver is cold-started. This makes it unnecessary to restart all the running kresd workers when only the policy rules changed. The running workers are only notified of the policy rules changes in the rules database via their control socket with the kr_rules_reset() function. The kresd workers are restarted only when a configuration change relevant to them is made, or again when the resolver is cold-started. The same as for the kresd workers applies to the kresd canary process, which is always run before the workers start, to validate the configuration. The resolver always waits for the policy-loader to finish.

On the resolver cold-start: First, the policy-loader is started and the resolver waits for the policy rules to finish loading into the rules database. After that, the kresd canary process is started to validate the configuration, and then the kresd workers are started. The resolver fails to start if any of the previous operations fails.

Edited by Aleš Mrázek
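
The ordering described in this merge request, as an added Python sketch that is not code from the merge request or from the Knot Resolver manager. The key names in `POLICY_KEYS`, the step labels and the `run` callback are hypothetical, and running the policy-loader first when both kinds of change arrive together is an assumption.

```python
# Constructed split of the configuration: which top-level keys count as
# "policy rules" is an assumption made for this sketch.
POLICY_KEYS = {"policy-rules", "local-records"}


def changed_keys(old, new):
    """Top-level keys whose value differs between two config dicts."""
    return {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def plan(old, new, cold_start=False):
    """Ordered steps for a config change, following the description above."""
    diff = changed_keys(old, new)
    policy = cold_start or bool(diff & POLICY_KEYS)
    workers = cold_start or bool(diff - POLICY_KEYS)
    steps = []
    if policy:
        # One-shot process; the resolver waits for it to finish.
        steps.append("policy-loader")
    if workers:
        # Canary validates the configuration before any worker starts.
        steps += ["canary", "workers"]
    elif policy:
        # Workers keep running and only reload rules (kr_rules_reset()).
        steps.append("notify-workers")
    return steps


def execute(steps, run):
    """Run steps in order; stop at the first one that exits non-zero.

    `run` is a hypothetical callback returning the step's exit code.
    Returns (completed_steps, failed_step_or_None).
    """
    done = []
    for step in steps:
        if run(step) != 0:
            return done, step
        done.append(step)
    return done, None


if __name__ == "__main__":
    old = {"policy-rules": ["deny 192.0.2.0/24"], "listen": "127.0.0.1"}
    new = {"policy-rules": ["deny 198.51.100.0/24"], "listen": "127.0.0.1"}
    print(plan(old, new))                   # policy-only change
    print(plan({}, new, cold_start=True))   # cold start
```

A failing policy-loader in `execute` leaves the canary and workers unstarted, which matches the cold-start rule that the resolver fails to start if any earlier operation fails.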