
Services

When using an official EnforceGate vX distribution, all services start automatically once the deployment is configured. The virtual appliance launches the compose stack at host boot via a systemd unit that runs eghost up; the Docker bundle is started with the same command once the operator has installed eghost. Inside the enforcegate container, the container init supervises the engine and Squid as long-running services and runs the boot one-shots in a deterministic order.

Day-to-day operator commands

The eghost CLI is the recommended entry point for every lifecycle action — up, down, restart, ps, status, logs. See the eghost reference for the full verb catalogue and the factory-reset (down -v) flow.

Virtual appliance — autostart

On the appliance, a systemd unit runs eghost up at every host boot.

# Unit status
systemctl status enforcegate

# Boot log
journalctl -u enforcegate -f

# Restart via systemd (equivalent to `eghost restart`)
systemctl restart enforcegate

Failures at the systemd level (the unit not starting, or eghost up exiting non-zero) are reported through journalctl; failures inside the compose stack that the unit started are visible through eghost logs.

Inside the enforcegate container — boot chain

The standalone image runs a deterministic chain of boot one-shots before the engine and Squid start. The order is:

banner
  → integrity-check
    → seed-defaults
      → apply env overrides
        → generate-engine-key
          → generate-ssl-certs
            → init-ssl-bump
              → generate-portal-cert
                → compile-default-policy
                  → engine (longrun)
                  → squid  (longrun)
                  → ready
                  → integrity-watcher (longrun, re-hashes every 5 min)

What each one-shot does, in plain terms:

One-shot                  What it does
banner                    Prints the boot card header.
integrity-check           Re-hashes the bundled binaries against /opt/enforcegate/manifest.sha256. A mismatch aborts the boot.
seed-defaults             Copies files that do not yet exist from /opt/enforcegate/skel/ into the config volume and section-merges new sections into files that already exist.
apply env overrides       Rewrites matching engine.conf keys from ENFORCEGATE_* environment variables; a value set in .env wins over the value in the file.
generate-engine-key       Mints the engine ⇄ connector shared key and the engine ⇄ portal shared secret on first boot.
generate-ssl-certs        Mints the Defendr listener cert, key and DH params on first boot.
init-ssl-bump             Mints the SSL-bump CA on first boot, seeds the per-host cert DB and writes the inspection-mode squid snippet.
generate-portal-cert      Mints a leaf TLS cert for the captive portal, signed by the bump CA. Auto-renews when the cert is ≤ 30 days from expiry.
compile-default-policy    Runs egpolicy load to compile /etc/enforcegate/rules.d/*.policy into engine.db.
engine (longrun)          Starts enforcegate-engine as the enforcegate user.
squid (longrun)           Starts Squid; Squid spawns 5 connector helpers as url_rewrite_program children.
ready                     Polls the listeners and prints the closing boot-card line with the captive-portal URL.
integrity-watcher         Re-hashes the bundled binaries every 5 min. A mismatch crashes the container.
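Shown below as an added example, not EnforceGate's own integrity-check code: a POSIX-shell verifier for a sha256 manifest in sha256sum format ("<64 hex>  <relative path>"), the build-time step that produces such a manifest, and the watcher loop that re-runs the check on an interval. The eg_ function names, the sample file names and the [system] status-line wording in its messages are assumptions; the page does not describe how the shipped one-shot is implemented or what it prints.

```shell
#!/bin/sh
# Added example, not EnforceGate's own one-shot: verify bundled binaries
# against a sha256 manifest the way the integrity-check and integrity-watcher
# steps are described. Manifest format is the `sha256sum` output format
# ("<64 lowercase hex>  <relative path>"); all paths here are illustrative.

# Print the lowercase hex SHA-256 of one file (sha256sum, or shasum where
# coreutils/busybox are absent).
eg_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

# eg_make_manifest ROOT FILE...
#   Build-time side: emit one manifest line per file, paths relative to ROOT.
eg_make_manifest() {
    eg_root=$1; shift
    for eg_f in "$@"; do
        printf '%s  %s\n' "$(eg_sha256 "$eg_root/$eg_f")" "$eg_f"
    done
}

# eg_verify_manifest MANIFEST ROOT
#   Boot-time side. Exit status: 0 when every listed file matches; 1 on any
#   digest mismatch, missing file or malformed line (every problem is
#   reported, not only the first); 2 when the manifest is missing or empty.
#   "Nothing to check" is deliberately a failure: deleting the manifest must
#   not turn the check into a no-op.
eg_verify_manifest() {
    eg_manifest=$1; eg_root=$2; eg_rc=0
    if [ ! -s "$eg_manifest" ]; then
        echo "[system]    [ FAIL ] integrity-check: manifest missing or empty: $eg_manifest" >&2
        return 2
    fi
    while IFS= read -r eg_line || [ -n "$eg_line" ]; do
        [ -n "$eg_line" ] || continue
        eg_expected=${eg_line%% *}            # digest: everything before the first space
        eg_path=${eg_line#* }                 # remainder: " path" or " *path" (binary marker)
        eg_path=${eg_path# }; eg_path=${eg_path#\*}
        # A digest must be exactly 64 lowercase hex characters.
        if [ "${#eg_expected}" -ne 64 ] || [ -z "${eg_expected##*[!0-9a-f]*}" ]; then
            echo "[system]    [ FAIL ] integrity-check: malformed manifest line: $eg_line" >&2
            eg_rc=1; continue
        fi
        if [ ! -f "$eg_root/$eg_path" ]; then
            echo "[system]    [ FAIL ] integrity-check: missing $eg_path" >&2
            eg_rc=1; continue
        fi
        eg_actual=$(eg_sha256 "$eg_root/$eg_path")
        if [ "$eg_actual" != "$eg_expected" ]; then
            echo "[system]    [ FAIL ] integrity-check: digest mismatch $eg_path" >&2
            eg_rc=1
        fi
    done < "$eg_manifest"
    [ "$eg_rc" -eq 0 ] && echo "[system]    [ OK ] integrity-check: $eg_manifest verified"
    return "$eg_rc"
}

# eg_integrity_watcher MANIFEST ROOT [INTERVAL]
#   Longrun side: re-check every INTERVAL seconds (300 matches the page's
#   5-minute cadence) and return non-zero on the first failure, so that a
#   supervisor can treat the watcher's exit as fatal for the container.
eg_integrity_watcher() {
    while eg_verify_manifest "$1" "$2" >/dev/null; do
        sleep "${3:-300}"
    done
    return 1
}

# Stand-alone demo with constructed files: build a manifest, verify it, then
# tamper with one file and show the check failing.
eg_demo=$(mktemp -d)
printf 'engine bytes\n' > "$eg_demo/enforcegate-engine"
printf 'connector bytes\n' > "$eg_demo/connector"
eg_make_manifest "$eg_demo" enforcegate-engine connector > "$eg_demo/manifest.sha256"
if eg_verify_manifest "$eg_demo/manifest.sha256" "$eg_demo"; then echo "clean bundle: pass"; fi
printf 'patched\n' >> "$eg_demo/connector"
if ! eg_verify_manifest "$eg_demo/manifest.sha256" "$eg_demo"; then echo "tampered bundle: abort"; fi
rm -rf "$eg_demo"
```

The check reports every bad entry rather than stopping at the first, which is what you want in a boot log when a whole bundle has been swapped; and it refuses to pass on an absent or empty manifest, because a check that can be silenced by deleting its input protects nothing.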

The boot card on stdout uses four source prefixes, [system] / [engine] / [squid] / [connector], each padded to 11 characters so that the message starts at column 13 regardless of source. Status lines use BSD-style bracket states: [ OK ], [ BUSY ], [ SKIP ], [ FAIL ], [ WARN ].

To drop the ANSI escapes for downstream log shippers, set ENFORCEGATE_NO_COLOR=1 in .env.

Engine in foreground / debug mode

For diagnostic purposes you can run the engine directly from inside the container. Drop into a shell in the enforcegate service container, then launch the engine binary in the foreground:

eghost shell                                                       # → /bin/sh in the enforcegate container
/usr/local/bin/enforcegate-engine --loglevel debug

Performance hit

Debug-level logging generates large volumes of output and may significantly impact performance. Use sparingly and only for incident diagnosis.

Do not use --logtype console for the supervised engine

The engine's libc stdio is block-buffered when stdout is not a TTY, so output written to a pipe or to the container log socket arrives in large, delayed chunks and starves docker logs. The shipped boot configuration therefore uses the file logger plus a tail+awk pipeline to stream lines in real time. Override the log type only when you are running a one-off foreground instance interactively.
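As an added example, not the shipped boot configuration, the following shows the shape of a tail+awk streaming pipeline that also produces the 11-character source prefixes described under the boot card, together with the one detail that makes it work: awk must fflush() after every line, because awk block-buffers when its stdout is a pipe, just as the engine's stdio does. The eg_ function names, the optional ANSI stripping keyed off ENFORCEGATE_NO_COLOR, the log path and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not the EnforceGate boot scripts: stream a file logger to
# stdout in real time through a tail+awk pipeline, tagging each line with an
# 11-character source prefix so the message starts at column 13. The log
# path and the optional ANSI stripping are illustrative assumptions.

# eg_prefix_lines SOURCE [NOCOLOR]   (stdin -> stdout)
#   Left-justifies "[SOURCE]" in an 11-char field, then one space, then the
#   line. fflush() after every line matters: awk block-buffers when its stdout
#   is a pipe or the container log socket, which would bring back exactly the
#   stall that --logtype console causes for the engine itself.
#   NOCOLOR=1 (default: $ENFORCEGATE_NO_COLOR) strips CSI escape sequences
#   for log shippers that cannot cope with colour.
eg_prefix_lines() {
    awk -v tag="[$1]" \
        -v nocolor="${2:-${ENFORCEGATE_NO_COLOR:-0}}" \
        -v esc="$(printf '\033')" '
    {
        line = $0
        if (nocolor == "1") gsub(esc "\\[[0-9;]*[A-Za-z]", "", line)
        printf "%-11s %s\n", tag, line
        fflush()
    }'
}

# eg_stream_log SOURCE FILE
#   Follow FILE from its first line, by name, so a rotated log file is picked
#   up again (tail -F is GNU/BSD, not strict POSIX). Run this as the
#   supervised longrun's stdout producer instead of switching the engine to
#   console logging. Assumed path for the engine: /var/log/enforcegate/engine.log
eg_stream_log() {
    tail -n +1 -F "$2" | eg_prefix_lines "$1"
}

# Stand-alone demo with constructed log lines (no tail needed).
printf '%s\n' 'listener bound on :8443' 'policy engine.db loaded' \
    | eg_prefix_lines engine
printf '%s\n' 'helper pool: 5 children' | eg_prefix_lines connector
```

Without the fflush() call the pipeline looks correct in an interactive terminal (where awk line-buffers) and then silently batches output the moment it runs under the supervisor, which is the same failure mode the note above warns about for the engine.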

Squid connector

The connector is not supervised by the container init — Squid spawns it as a url_rewrite_program helper pool (5 children by default) and re-spawns on demand. See the Squid connector reference for the url_rewrite_program stanza, helper-pool tuning, and the remote-engine deployment shape.