policy-loader

The policy-loader is a new special kresd instance ensuring that configured policies are loaded into the rules database where they are made available to all running kresd workers. If the policies are loaded successfully, the policy-loader exits automatically, otherwise it exits with an error code that is detected by Supervisor.

The policy-loader is triggered on every reload and on a cold start to recompile the LMDB of rules, because changes to external files (e.g. RPZ files or /etc/hosts) are not tracked. This eliminates the need to restart kresd workers when only the policies have changed. In that case the running kresd workers are only notified of changes in the rules database via their control socket, using the kr_rules_reset() function.

The kresd workers are only restarted when a relevant configuration change is made. In particular, changes to options under the views and local-data sections do not require kresd restarts. The same applies to the kresd canary process, which is always run before the kresd workers to validate the new configuration. The manager always waits for the policy-loader to finish before working with other processes.

The resolver’s cold start

First, the policy-loader is started and the manager waits for the policies to finish loading into the rules database. Then the kresd canary process is started to validate the configuration, and then all the kresd workers are started. The resolver will not start if any of the operations fail.
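The sequencing described in the reload and cold-start paragraphs above, written out as a small simulation. This is an added illustration and not code from Knot Resolver: the FakeRunner class, the step names "policy-loader", "kresd-canary" and "kresdN", and the rule that only the views and local-data sections avoid a restart (as stated on this page) are assumptions made for the example, and the real manager's internal API looks different.

```python
"""Toy model of manager sequencing: policy-loader -> canary -> workers.

Added example, not code from the Knot Resolver project. FakeRunner stands in
for the real process supervisor; the step names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set

# Sections whose changes only touch the rules database (page: views, local-data).
# Any other changed section is treated as requiring a kresd restart in this model.
SECTIONS_NOT_REQUIRING_RESTART = {"views", "local-data"}


class StartupError(RuntimeError):
    """A mandatory step (policy-loader, canary or a worker) failed."""


@dataclass
class FakeRunner:
    """Simulated launcher: `failing` names steps that exit non-zero or do not come up."""
    failing: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def run_to_completion(self, name: str) -> int:
        # One-shot processes (policy-loader, canary): return their exit code.
        self.log.append(f"run {name}")
        return 1 if name in self.failing else 0

    def start(self, name: str) -> bool:
        # Long-running kresd workers: True if the process came up.
        self.log.append(f"start {name}")
        return name not in self.failing

    def restart(self, name: str) -> bool:
        self.log.append(f"restart {name}")
        return name not in self.failing

    def notify_rules_reset(self, name: str) -> None:
        # Stand-in for invoking kr_rules_reset() over the worker's control socket.
        self.log.append(f"notify {name}")


def cold_start(runner: FakeRunner, workers: int) -> List[str]:
    """Cold start: policy-loader, then canary, then workers; abort on first failure."""
    if runner.run_to_completion("policy-loader") != 0:
        raise StartupError("policy-loader failed; rules database was not built")
    if runner.run_to_completion("kresd-canary") != 0:
        raise StartupError("canary rejected the configuration")
    started: List[str] = []
    for i in range(workers):
        name = f"kresd{i}"
        if not runner.start(name):
            raise StartupError(f"{name} failed to start")
        started.append(name)
    return started


def changed_sections(old_cfg: Dict[str, Any], new_cfg: Dict[str, Any]) -> Set[str]:
    """Top-level config sections whose value differs between old and new."""
    return {k for k in set(old_cfg) | set(new_cfg) if old_cfg.get(k) != new_cfg.get(k)}


def workers_need_restart(old_cfg: Dict[str, Any], new_cfg: Dict[str, Any]) -> bool:
    """True if anything outside the policy-only sections changed."""
    return bool(changed_sections(old_cfg, new_cfg) - SECTIONS_NOT_REQUIRING_RESTART)


def reload_config(runner: FakeRunner, old_cfg: Dict[str, Any],
                  new_cfg: Dict[str, Any], workers: List[str]) -> str:
    """Reload: policy-loader always runs (external files are not tracked);
    workers are either restarted (after the canary) or merely notified."""
    if runner.run_to_completion("policy-loader") != 0:
        raise StartupError("policy-loader failed on reload")
    if workers_need_restart(old_cfg, new_cfg):
        if runner.run_to_completion("kresd-canary") != 0:
            raise StartupError("canary rejected the new configuration")
        for w in workers:
            if not runner.restart(w):
                raise StartupError(f"{w} failed to restart")
        return "restarted"
    for w in workers:
        runner.notify_rules_reset(w)
    return "notified"


if __name__ == "__main__":
    r = FakeRunner()
    ws = cold_start(r, 2)
    # Constructed sample configs: only local-data differs, so no restart.
    print(reload_config(r, {"local-data": {"a": 1}, "network": {}},
                        {"local-data": {"a": 2}, "network": {}}, ws))
    print(r.log)
```

Running the module prints "notified" followed by the ordered log, which shows the policy-loader and canary running before any worker starts and, on the policy-only reload, a second policy-loader run followed by one notification per worker with no canary or restart.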