eghost
eghost is the host-side operator CLI for EnforceGate vX. It is the single entry point recommended for every day-to-day operator action — from starting the stack to authoring policies, managing users, and generating support bundles. Under the hood it wraps docker compose for lifecycle and egctl / egpolicy for the engine-side operations.
The binary is installed at /usr/local/bin/eghost on both the virtual appliance (by the first-boot wizard) and on Docker bundle deployments (manually from the bundle's installer/bin/). Run without arguments to see a deployment dashboard:
Run eghost help for the verb list, or eghost <verb> --help for per-verb usage.
Lifecycle
| Verb | Effect |
|---|---|
| eghost up | Start the stack (engine, captive portal, TLS terminator). |
| eghost down | Stop the stack. Volumes preserved. |
| eghost restart [service] | Restart everything, or one named service. |
| eghost logs [service] | Follow compose logs. Optionally scope to one service. |
| eghost ps | List the services and their state. |
Status
| Verb | Effect |
|---|---|
| eghost | One-screen deployment dashboard (no verb). |
| eghost status | Detailed engine and sidecar health, listener state, connector neighbours. |
| eghost uptime | Per-container uptime. |
| eghost version | CLI version plus the version of every running container's image. |
Host-CLI ↔ stack version mismatch warning
eghost version prints a release: line (the version compiled into the host eghost binary) and a per-image-version line for every running container (read live from each container's OCI label). The two should match — but a docker compose pull && docker compose up -d swap upgrades the images while leaving the host binary on disk untouched, so release: can silently lag the actual running stack.
To make that visible, eghost version prints an explicit warning when its compiled release: disagrees with the version reported by the running enforcegate engine image, and points the operator at the resolution:
[enforcegate@enforcegate-vx ~]$ eghost version
release: 2026.32.0 (EA)
enforcegate (engine): 2026.34.0 (EA)
captive-portal: 2026.34.0 (EA)
tls-terminator: 2026.34.0 (EA)
enforcegate-toolbox: 2026.34.0 (EA)
! warning: eghost release (2026.32.0) lags the running stack (2026.34.0).
! Re-run the appliance installer to refresh /usr/local/bin/eghost.
The warning is informational — every verb still works against the upgraded stack; the verbs have been forward-compatible across every shipped release. The fix is to re-run the installer (enforcegate-installer on the appliance, or ./install.sh for the Docker bundle), which writes a fresh /usr/local/bin/eghost matching the on-disk image tags.
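A scheduled check can catch the same drift without an operator reading the output. The following is an added example, not part of eghost: it assumes the `<name>: <version> (<channel>)` line layout shown above, and goes one step beyond the built-in warning by also flagging any image whose version differs from the engine image. The function name and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not part of eghost): flag host-CLI / stack version drift.
# Assumes the "<name>: <version> (<channel>)" line layout shown on this page.

# Reads `eghost version` output on stdin, prints findings, and returns
#   0 = host CLI and every image agree with the engine image
#   1 = drift found   2 = release: or engine line missing
check_version_drift() {
    awk '
        /^!/ { next }                        # skip eghost warning lines
        /^release:/ { release = $2; next }   # version compiled into the host binary
        /^[^:]+: *[0-9]/ {                   # "<image name>: <version> ..."
            name = $0; sub(/:.*/, "", name)
            ver = $0;  sub(/^[^:]*: */, "", ver); sub(/ .*/, "", ver)
            images[name] = ver
            if (name ~ /\(engine\)/) engine = ver
        }
        END {
            if (release == "" || engine == "") {
                print "UNKNOWN: release or engine line missing"; exit 2
            }
            rc = 0
            if (release != engine) {
                print "DRIFT: eghost " release " vs engine " engine; rc = 1
            }
            for (n in images) {
                if (images[n] != engine) {
                    print "DRIFT: image " n " at " images[n] " vs engine " engine
                    rc = 1
                }
            }
            if (rc == 0) print "OK: " release
            exit rc
        }'
}

# Sample input: the output lines quoted on this page (warning lines omitted).
sample_lagging() {
    cat <<'EOF'
release: 2026.32.0 (EA)
enforcegate (engine): 2026.34.0 (EA)
captive-portal: 2026.34.0 (EA)
tls-terminator: 2026.34.0 (EA)
enforcegate-toolbox: 2026.34.0 (EA)
EOF
}

# Demo on the sample; on a real host use: eghost version | check_version_drift
sample_lagging | check_version_drift || echo "exit status: $?"
```

The non-zero exit status makes the function usable from cron or a monitoring agent after an image upgrade.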
Policy management
| Verb | Effect |
|---|---|
| eghost policy list | List every .policy file in the rules directory. |
| eghost policy show <name> | Print a policy's content. |
| eghost policy new [name] | Create a new policy file in $EDITOR. Saves, compiles, and reloads automatically. |
| eghost policy edit <name> | Edit an existing policy. Saves, compiles, and reloads automatically. |
| eghost policy remove <name> | Delete a policy. Prompts for confirmation, then recompiles and reloads. |
new, edit and remove invoke the underlying egpolicy compiler and the engine's reload path on save / confirm. The operator does not need a separate reload step.
The <name> argument can be:
- the full filename (90-denyurlshort.policy),
- the basename without extension (90-denyurlshort),
- or a unique substring (denyurlshort) that matches exactly one file.
See policies for the file format.
User management
| Verb | Effect |
|---|---|
| eghost users list | List Control-API user accounts. |
| eghost users add <name> | Create a new user. Prompts for password and privilege level. |
| eghost users passwd <name> | Change a user's password. |
| eghost users remove <name> | Delete a user. Refuses to self-remove. |
See privilege model for the four levels.
Engine interaction
| Verb | Effect |
|---|---|
| eghost cli | Drop into the interactive egctl REPL. Credentials are prompted host-side and forwarded. |
| eghost shell [service] | Open a /bin/sh shell inside the named service container (default: enforcegate). |
| eghost api control test | Probe the engine's Control API for liveness. |
| eghost api license-activation test | Probe the external Control Server for license-activation reachability. |
Toolbox sidecar
Operator-facing surface for the optional enforcegate-toolbox sidecar — see Toolbox for the operator workflow and the volume / hardening model.
| Verb | Effect |
|---|---|
| eghost toolbox | Default verb — equivalent to eghost toolbox status. |
| eghost toolbox enable | Flip ENFORCEGATE_TOOLBOX_ENABLED=true in .env and start the toolbox container. |
| eghost toolbox disable | Stop the toolbox container; volumes preserved. |
| eghost toolbox status | Container state plus a per-list summary (loaded / rejected / stale). |
| eghost toolbox shell | Interactive bash inside the toolbox container — line editing, history, and tab completion. |
| eghost toolbox run <script> | Invoke scripts/<script> once, attached to the current terminal. |
| eghost toolbox logs [-f] | Tail the container's logs (JSON-line ingestable into a SIEM). |
| eghost toolbox cron list | Show the current crontab. |
| eghost toolbox cron edit | Edit the crontab in $EDITOR. |
| eghost toolbox lists | Enumerate currently loaded *.list files with last-update mtime. |
Git-repo script delivery
Every repo subcommand accepts an optional -v / --verbose flag that also emits the machine-readable JSON event record (e.g. {"ts":…,"event":"repo-pull",…}). Without the flag, the verb prints only the human status line (✓ egguard: pulled → …) — operators driving these interactively get a clean shell, while operator scripts that want to ingest the events into a SIEM enable -v per call.
| Verb | Effect |
|---|---|
| eghost toolbox repo add <name> <url> [--branch B] [--entrypoint E] [--ssh-key K] [--ca C] [-v] | Register and clone a repo into the toolbox's persistent volume. Multi-repo by name. |
| eghost toolbox repo list | List registered repos with their URL, branch, and last-pull timestamp. |
| eghost toolbox repo show <name> | One repo's URL / branch / HEAD / last pull. |
| eghost toolbox repo pull <name> \| --all [-v] | Fetch and hard-reset a repo (or every registered repo) to its upstream. |
| eghost toolbox repo run <name> [--pull] [-v] | Run the repo's configured entrypoint now; optionally pull first. |
| eghost toolbox repo remove <name> [-v] | Unregister and remove a repo from the toolbox's volume. |
Credentials and trust material
| Verb | Effect |
|---|---|
| eghost toolbox keys import <name> | Import an SSH deploy key — paste the key on stdin, end with Ctrl-D. The key is stored at /var/lib/enforcegate-toolbox/.ssh/<name> (mode 0600). |
| eghost toolbox ca import <name> | Import a private / self-signed CA certificate (paste, Ctrl-D). Stored at /var/lib/enforcegate-toolbox/ca/<name>.crt. Referenced by name from repo add --ca. |
Manual file drop
| Verb | Effect |
|---|---|
| eghost toolbox unpack <archive> | Unpack a tarball or zip archive (previously dropped into the toolbox volume via docker cp) into the scripts/ directory. |
Reference and support
| Verb | Effect |
|---|---|
| eghost license | Show the current license activation state (edition, expiry, connector counts). Equivalent to egctl show-license on the host side. |
| eghost notices [service] | Print third-party software notices for the named service (default: enforcegate standalone). |
| eghost links | Print the URLs operators commonly need (portal, dashboard, docs) plus reference commands. |
| eghost support | Print an inline diagnostic block — paste into a ticket if requested. |
| eghost support bundle | Write a redacted diagnostic tarball to /tmp/enforcegate-diag-<timestamp>.tar.gz for support tickets. See troubleshooting. |
Environment
| Variable | Effect |
|---|---|
| ENFORCEGATE_NO_COLOR=1 | Disable ANSI colours in command output. |