Rename the `coder boundary` CLI subcommand to `coder agent-firewall` as part of the Boundaries to Agent Firewall rebrand (AIGOV-236). `coder boundary` is retained as a hidden, deprecated alias that prints a deprecation notice to stderr before running. Both commands use separate builder functions that share the same boundary base command and license verification logic. Updates error messages, golden files, CLI reference docs, and prose docs to use the new naming.
agent-firewall
Network isolation tool for monitoring and restricting HTTP/HTTPS requests
Usage
coder agent-firewall [flags] [args...]
Description
boundary creates an isolated network environment for target processes, intercepting HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
Options
--config
| Type | yaml-config-path |
| Environment | $BOUNDARY_CONFIG |
Path to YAML config file.
--allow
| Type | string |
| Environment | $BOUNDARY_ALLOW |
Allow rule (repeatable). These are merged with allowlist from config file. Format: "pattern" or "METHOD[,METHOD] pattern".
--
| Type | string-array |
| YAML | allowlist |
Allowlist rules from config file (YAML only).
--log-level
| Type | string |
| Environment | $BOUNDARY_LOG_LEVEL |
| YAML | log_level |
| Default | warn |
Set log level (error, warn, info, debug).
--log-dir
| Type | string |
| Environment | $BOUNDARY_LOG_DIR |
| YAML | log_dir |
Set a directory to write logs to rather than stderr.
--proxy-port
| Type | int |
| Environment | $PROXY_PORT |
| YAML | proxy_port |
| Default | 8080 |
Set a port for HTTP proxy.
--pprof
| Type | bool |
| Environment | $BOUNDARY_PPROF |
| YAML | pprof_enabled |
Enable pprof profiling server.
--pprof-port
| Type | int |
| Environment | $BOUNDARY_PPROF_PORT |
| YAML | pprof_port |
| Default | 6060 |
Set port for pprof profiling server.
--jail-type
| Type | string |
| Environment | $BOUNDARY_JAIL_TYPE |
| YAML | jail_type |
| Default | nsjail |
Jail type to use for network isolation. Options: nsjail (default), landjail.
--use-real-dns
| Type | bool |
| Environment | $BOUNDARY_USE_REAL_DNS |
| YAML | use_real_dns |
Use real DNS in the jail instead of the dummy DNS (allows DNS exfiltration). Default: false.
--no-user-namespace
| Type | bool |
| Environment | $BOUNDARY_NO_USER_NAMESPACE |
| YAML | no_user_namespace |
Do not create a user namespace. Use in restricted environments that disallow user NS (e.g. Bottlerocket in EKS auto-mode).
--disable-audit-logs
| Type | bool |
| Environment | $DISABLE_AUDIT_LOGS |
| YAML | disable_audit_logs |
Disable sending of audit logs to the workspace agent when set to true.
--log-proxy-socket-path
| Type | string |
| Environment | $CODER_AGENT_BOUNDARY_LOG_PROXY_SOCKET_PATH |
| Default | /tmp/boundary-audit.sock |
Path to the socket where the boundary log proxy server listens for audit logs.
--version
| Type | bool |
Print version information and exit.
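A pre-flight check for the settings documented above, as an added example that is not Coder's code and not part of the original page: it parses allow rules in the documented "pattern" / "METHOD[,METHOD] pattern" format and flags the two toggles whose descriptions say they reduce isolation or audit visibility. `ParseAllow`, `Lint` and the sample values are hypothetical; upper-case method names, whitespace as the separator, and Go `strconv.ParseBool` boolean forms are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Env vars from this page whose true value weakens isolation or visibility.
var risky = [][2]string{
	{"BOUNDARY_USE_REAL_DNS", "real DNS in the jail allows DNS exfiltration"},
	{"DISABLE_AUDIT_LOGS", "audit logs are not sent to the workspace agent"},
}

// ParseAllow splits "pattern" or "METHOD[,METHOD] pattern" (assumed: upper-case
// methods, whitespace separator); the pattern itself is kept opaque.
func ParseAllow(rule string) (methods []string, pattern string, err error) {
	f := strings.Fields(rule)
	if len(f) == 2 {
		methods = strings.Split(f[0], ",")
	} else if len(f) != 1 {
		return nil, "", fmt.Errorf("allow rule %q: want 1 or 2 fields, got %d", rule, len(f))
	}
	for _, m := range methods {
		if m == "" || m != strings.ToUpper(m) {
			return nil, "", fmt.Errorf("allow rule %q: bad method %q", rule, m)
		}
	}
	return methods, f[len(f)-1], nil
}

// Lint reports each risky toggle that is on (unset or unparsable counts as
// off) and each allow rule that does not match the documented format.
func Lint(env map[string]string, rules []string) (findings []string) {
	for _, r := range risky {
		if on, _ := strconv.ParseBool(env[r[0]]); on {
			findings = append(findings, r[0]+": "+r[1])
		}
	}
	for _, rule := range rules {
		if _, _, err := ParseAllow(rule); err != nil {
			findings = append(findings, err.Error())
		}
	}
	return findings
}

func main() {
	// Constructed sample input, not taken from a real deployment.
	fmt.Println(Lint(map[string]string{"BOUNDARY_USE_REAL_DNS": "true"}, []string{"GET, POST example.com"}))
}
```

The stray space in `GET, POST example.com` splits the rule into three fields, so it is reported instead of being passed through unnoticed.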