Deployment
Kifa runs as a single binary. Start it however the system starts processes.
Linux with Systemd
A hardened systemd service file is included at `systemd/kifa.service`:
```bash
# Copy service file
sudo cp systemd/kifa.service /etc/systemd/system/

# Edit configuration
sudo systemctl edit kifa
# Add: Environment=KIFA_TCP=127.0.0.1:5514

# Enable and start
sudo systemctl enable --now kifa

# Check status
sudo systemctl status kifa
journalctl -u kifa -f
```
Security Hardening
The included service file enables:
| Setting | Effect |
|---|---|
| `DynamicUser=yes` | Runs as ephemeral user |
| `ProtectSystem=strict` | Read-only filesystem except data dir |
| `PrivateNetwork=no` | Allows TCP/UDP listeners |
| `MemoryDenyWriteExecute=yes` | Prevents code injection |
Signal Handling
| Signal | Action |
|---|---|
| SIGINT (Ctrl+C) | Graceful shutdown, flush pending data |
| SIGTERM | Same as SIGINT (for systemd) |
| SIGUSR1 | Escalate flush mode (Cautious to Emergency) |
Exit codes follow Unix convention:
| Code | Meaning |
|---|---|
| 0 | Clean exit |
| 130 | Terminated by SIGINT |
| 143 | Terminated by SIGTERM |
Container orchestrators like Docker and Kubernetes use these exit codes to distinguish graceful termination from forced kills.
Security Considerations
- No encryption at rest. Apply filesystem-level encryption (LUKS, dm-crypt) for sensitive data.
- Restrict data directory permissions. Only the service user should have access.
- Bind listeners carefully. Use `127.0.0.1` unless remote ingestion is explicitly needed.
- Review flush mode. Balance durability requirements against performance for the deployment environment.
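A check an operator could run after `systemctl edit`, as an added example that is not part of Kifa: it reads unit text such as the output of `systemctl cat kifa` and flags drift from the hardening table above and a non-loopback `KIFA_TCP`. The function names and the sample unit are constructed for illustration; an unset `KIFA_TCP` is not flagged because the page does not state the default.

```bash
# Added example (not part of Kifa): audit unit text such as `systemctl cat kifa` output.

# Last value assigned to a directive; later lines (drop-ins) override earlier ones.
last_value() {  # usage: last_value <file> <Directive>
  awk -F= -v key="$2" '
    { sub(/^[ \t]+/, "") }
    $1 == key { val = substr($0, length(key) + 2) }
    END { print val }' "$1"
}

# Last KIFA_TCP address set through any Environment= line.
kifa_tcp_bind() {  # usage: kifa_tcp_bind <file>
  awk '
    /^[ \t]*Environment=/ {
      sub(/^[ \t]*Environment=/, "")
      n = split($0, parts, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        gsub(/"/, "", parts[i])
        if (parts[i] ~ /^KIFA_TCP=/) val = substr(parts[i], 10)
      }
    }
    END { print val }' "$1"
}

# Print one FAIL line per finding; return non-zero if there is any finding.
audit_kifa_unit() {  # usage: audit_kifa_unit <file>
  local file="$1" findings=0 want got bind
  for want in DynamicUser=yes ProtectSystem=strict MemoryDenyWriteExecute=yes; do
    got=$(last_value "$file" "${want%%=*}")
    case "$got" in true|on|1) got=yes ;; esac   # systemd boolean spellings
    if [ "$got" != "${want#*=}" ]; then
      echo "FAIL ${want%%=*}: want ${want#*=}, found '${got:-unset}'"
      findings=$((findings + 1))
    fi
  done
  bind=$(kifa_tcp_bind "$file")
  case "$bind" in
    ""|127.0.0.1:*|"[::1]":*) ;;  # loopback, or unset (default not stated on the page)
    *) echo "FAIL KIFA_TCP: non-loopback bind '$bind'"; findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

# Constructed sample: shipped settings plus a drop-in that rebinds the listener.
sample=$(mktemp)
printf '%s\n' '[Service]' 'DynamicUser=yes' 'ProtectSystem=strict' \
  'MemoryDenyWriteExecute=yes' 'Environment=KIFA_TCP=127.0.0.1:5514' \
  '[Service]' 'Environment=KIFA_TCP=0.0.0.0:5514' > "$sample"
audit_kifa_unit "$sample" || echo "unit needs attention"
```

To audit a live host, save the output of `systemctl cat kifa` to a file and pass that path to `audit_kifa_unit`.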