
egpolicy

egpolicy is the policy compilation utility. It parses .policy files from the configured rules directory, validates them, compiles the merged rule set into the engine's database, and asks the engine to reload its in-memory policy graph.

In normal operation, operators do not invoke egpolicy directly — eghost policy wraps it. The cases where an operator does reach for egpolicy are:

  • Bind-mount or docker cp edits — when a .policy file is added or modified through a path other than eghost policy …, the engine needs to be told to recompile.
  • CI policy lints — egpolicy compile --dry-run validates .policy syntax without touching the database.
  • First-boot bootstrap — the standalone image's boot sequence runs egpolicy load so the engine starts with policy already compiled.

The binary lives at /usr/local/bin/egpolicy inside the standalone image.

Subcommands

egpolicy load

Read every .policy file under the configured rules directory, validate, compile, and load into the engine.

docker exec enforcegate egpolicy load

The full procedure:

  1. Scan and parse every .policy file in lexicographical order.
  2. Validate each block — any syntax error aborts the load with a precise diagnostic.
  3. Compile the merged rule set into the engine's database.
  4. Call the engine's Control API to reload the in-memory policy graph.

On success the engine immediately enforces the updated policies. The container does not need to restart.

Requires Control API communication

Step 4 requires successful authentication to the engine's Control API (TCP 11225 by default). In a multi-container deployment where egpolicy runs outside the engine container, configure [global].host and [global].port in egpolicy.conf accordingly.

egpolicy compile --dry-run

Validate syntax only. Useful for CI pipelines that lint operator-authored policies before pushing them to the deployment.

docker exec enforcegate egpolicy compile --dry-run

Exits zero on clean parse, non-zero with a diagnostic on the first error. Does not touch the database and does not call the Control API.
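A CI lint step built around this dry-run, as an added example (not a script from the egpolicy documentation or the enforcegate project). It assumes the directory handed to it is the one bind-mounted as the engine container's rules_dir, so the files it counts are the files the dry-run parses, and it uses a hypothetical EGPOLICY_DRY_RUN variable so the docker exec command above can be swapped for a direct egpolicy invocation on a host that has the binary. The empty-directory check is the guard a practitioner wants: a bind mount that silently did not happen would otherwise pass CI as "nothing to validate".

```shell
#!/bin/sh
# Added example for a CI lint job; not a script shipped with enforcegate.
# Assumption: the CI checkout's rules directory is the one bind-mounted as
# the container's rules_dir (/etc/enforcegate/rules.d by default), so the
# files counted here are the files the dry-run parses.
#
# EGPOLICY_DRY_RUN (hypothetical, not an egpolicy setting) is the command
# that performs the syntax check. It defaults to the documented docker exec
# invocation and can be overridden to run egpolicy directly.
EGPOLICY_DRY_RUN="${EGPOLICY_DRY_RUN:-docker exec enforcegate egpolicy compile --dry-run}"

# lint_policies DIR
# Returns 1 when DIR contains no .policy files, so a missing or mis-mounted
# rules directory fails the job instead of passing as "nothing to check".
# Otherwise runs the dry-run and returns its exit status unchanged: zero on a
# clean parse, non-zero on the first syntax error, with egpolicy's own
# diagnostic left on stderr for the CI log.
lint_policies() {
    dir="$1"
    count=$(find "$dir" -maxdepth 1 -type f -name '*.policy' 2>/dev/null | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "lint: no .policy files under $dir (rules directory not mounted?)" >&2
        return 1
    fi
    echo "lint: checking $count .policy file(s) under $dir"
    $EGPOLICY_DRY_RUN
}

# Invoked from a pipeline step as:  sh lint-policies.sh ./rules.d
# With no argument the script only defines the function (so it can be sourced).
if [ -n "${1:-}" ]; then
    lint_policies "$1"
fi
```

The function deliberately does not swallow or reinterpret the exit status: the pipeline step fails on exactly the non-zero code egpolicy returns, and the first diagnostic is what the operator reads in the job log.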

Configuration file

egpolicy reads its configuration from /etc/enforcegate/egpolicy.conf. The shipped default is empty — every setting has a sensible compile-time default for the standalone deployment.

[global]

The optional [global] section contains settings that apply globally to egpolicy.

Name       Type     Description                                    Default
rules_dir  string   Directory containing .policy rule files.       /etc/enforcegate/rules.d
host       string   Control API hostname/IP for the reload call.   127.0.0.1
port       integer  Control API port.                              11225

Operators typically need no overrides for the standalone deployment. Customers bind-mount their own egpolicy.conf only for multi-image / multi-host deployments where the database and Control API live elsewhere.

See also

  • Policy file format — the .policy syntax egpolicy compiles.
  • eghost policy — the recommended operator workflow that calls egpolicy under the hood.
  • egctl — for the online policy reload (request policy reload) that operators run from the REPL.