Skip to main content

PPP router management agent — REST API for accel-ppp BNG nodes

Project description

DawOS Agent

Broadband management, simplified.
PyPI | Documentation | Releases


CI PyPI Python License: MIT Docs

Overview

DawOS Agent is an open-source broadband network gateway management daemon built on FastAPI. It wraps accel-cmd, nft, ip, tc, vtysh, and other Linux system utilities as 170 HTTP endpoints across 38 router modules, giving you full control of your accel-ppp PPPoE infrastructure through a single REST API.

The agent runs as a lightweight single-process daemon (64 MB RSS at idle) alongside accel-ppp on the same node. It provides complete remote management without direct SSH access, making it suitable for automation, orchestration platforms, and multi-node ISP deployments.

Key Features

  • PPPoE lifecycle -- sessions, rate-limiting, PADO delay, MAC filtering
  • Network management -- interfaces, VLANs, routes, DNS, DHCP, VRRP, LLDP
  • Firewall -- nftables rules, NAT/masquerade, zone firewall, conntrack
  • Dynamic routing -- BGP, OSPF, RIP, BFD status via FRR/vtysh
  • Config management -- checkpoint, diff, rollback, guarded apply with auto-revert
  • Monitoring -- Prometheus metrics endpoint, health/readiness probes, WebSocket event streaming
  • Security -- API-key auth with RBAC (viewer/operator/admin), rate limiting, systemd sandboxing, least-privilege sudoers
  • Observability -- structured JSON logging, request ID tracing, audit log with in-memory buffer, webhook notifications
  • Automation -- operational playbooks, bulk operations, cron-like scheduler
  • Streaming -- SSE endpoints for live traffic and log tailing

Table of Contents


Installation

Prerequisites

  • Python 3.9 or later
  • Linux (Debian 11+ / Ubuntu 22.04+), x86_64 architecture
  • accel-ppp — the installer script builds it from source automatically; if installing via pip you must install accel-ppp yourself first

Recommended Install (installer script)

The installer handles everything end-to-end: builds accel-ppp from source if not present, creates a dawos system user, installs the agent in a virtualenv, sets up systemd, sudoers, conntrack, and file ownership.

# One-line install (recommended)
curl -sL https://raw.githubusercontent.com/Cepat-Kilat-Teknologi/dawos-agent/main/install.sh | sudo bash

# Or clone and run manually
git clone https://github.com/Cepat-Kilat-Teknologi/dawos-agent.git
cd dawos-agent
sudo bash install.sh

Options:

sudo bash install.sh            # Interactive TUI wizard
sudo bash install.sh --yes      # Non-interactive (accept defaults)
sudo bash install.sh --uninstall # Remove everything

Install via pip

Note: This installs only the Python package. You must have accel-ppp already installed and running on the system. Systemd service, sudoers, and conntrack must be configured manually.

1. Install accel-ppp from source

# Install build dependencies
sudo apt-get update
sudo apt-get install -y cmake gcc g++ make git \
    libssl-dev libpcre3-dev liblua5.1-0-dev

# Clone and build
git clone --depth 1 https://github.com/accel-ppp/accel-ppp.git /tmp/accel-ppp-build
mkdir /tmp/accel-ppp-build/build && cd /tmp/accel-ppp-build/build
cmake -DCMAKE_INSTALL_PREFIX=/usr \
      -DKDIR=/lib/modules/$(uname -r)/build \
      -DLUA=TRUE \
      -DRADIUS=TRUE \
      ..
make -j$(nproc)
sudo make install

# Verify
accel-pppd --version

2. Install dawos-agent

pip install dawos-agent

3. Configure system (manual steps)

# Create system user
sudo useradd -r -s /usr/sbin/nologin dawos

# Install conntrack
sudo apt-get install -y conntrack

# Set up sudoers (least-privilege)
sudo tee /etc/sudoers.d/dawos-agent > /dev/null << 'SUDOERS'
dawos ALL=(ALL) NOPASSWD: /usr/sbin/nft
dawos ALL=(ALL) NOPASSWD: /usr/sbin/ip
dawos ALL=(ALL) NOPASSWD: /usr/sbin/tc
dawos ALL=(ALL) NOPASSWD: /usr/bin/vtysh
dawos ALL=(ALL) NOPASSWD: /usr/sbin/sysctl
dawos ALL=(ALL) NOPASSWD: /usr/bin/tee
dawos ALL=(ALL) NOPASSWD: /usr/sbin/conntrack
SUDOERS
sudo chmod 0440 /etc/sudoers.d/dawos-agent

# Set config ownership
sudo chown -R dawos:dawos /etc/accel-ppp.d/ 2>/dev/null || true
sudo chown dawos:dawos /etc/accel-ppp.conf

See Installation docs for systemd unit setup and full configuration.

Install from Source (Development)

git clone https://github.com/Cepat-Kilat-Teknologi/dawos-agent.git
cd dawos-agent
python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pip install pylint black

Upgrade

pip install --upgrade dawos-agent

Quick Start

1. Start the Agent

# Development mode
DAWOS_API_KEY=your-secret python -m dawos_agent

# Production (via systemd)
sudo systemctl start dawos-agent

2. Verify

# Health check (no auth required)
curl -s http://localhost:8470/health | python3 -m json.tool

# Readiness probe (checks accel-ppp connectivity)
curl -s http://localhost:8470/health/ready | python3 -m json.tool

# System info (auth required)
curl -H "X-API-Key: your-secret" http://localhost:8470/api/v1/system/info

3. Interactive API Docs

Open in your browser:

  • Swagger UI: http://localhost:8470/docs
  • ReDoc: http://localhost:8470/redoc

Configuration

All settings use the DAWOS_ environment variable prefix. Place them in /etc/dawos-agent/agent.env for production.

Variable Default Description
DAWOS_HOST 0.0.0.0 Listen address
DAWOS_PORT 8470 Listen port
DAWOS_API_KEY (generated) Shared secret for X-API-Key header
DAWOS_NODE_NAME (hostname) Node identity for health responses
DAWOS_LOG_LEVEL info Log level (debug, info, warning, error)
DAWOS_LOG_FORMAT text Log format (text or json for structured logging)
DAWOS_RATE_LIMIT 120/minute Per-IP rate limit (empty to disable)
DAWOS_RETRY_MAX 3 Max retry attempts for transient accel-cmd failures
DAWOS_RETRY_DELAY 1.0 Base retry delay in seconds
DAWOS_AUDIT_BUFFER_SIZE 1000 In-memory audit ring buffer size
DAWOS_WEBHOOK_URL (disabled) Webhook endpoint for event notifications
DAWOS_WEBHOOK_SECRET (disabled) HMAC-SHA256 secret for webhook signing
DAWOS_API_KEYS_FILE (disabled) JSON file mapping API keys to RBAC roles
ACCEL_CMD /usr/bin/accel-cmd Path to accel-cmd
ACCEL_CLI_PORT 2001 accel-ppp CLI port
ACCEL_CONFIG_PATH /etc/accel-ppp.conf accel-ppp config path
ACCEL_SERVICE_NAME accel-ppp Systemd service name

See Configuration docs for the full reference.


API Reference

170 endpoints across 38 groups. All require X-API-Key header except /health, /health/ready, and /metrics.

Group Endpoints Description
health 2 Liveness and readiness probes (public)
metrics 1 Prometheus metrics (public)
system 2 OS info, CPU, memory, disk
service 5 Status, start/stop/restart, graceful shutdown, accel-cmd passthrough
sessions 4 List, stats, find, terminate
session-control 5 Lookup by SID/IP, snapshot, restart
config 3 Read/update accel-ppp.conf
checkpoint 8 Revisions, diff, rollback, guarded apply, confirm
network 13 Interfaces, VLANs, routes, DNS, throughput
firewall 19 nftables, NAT, sysctl, conntrack, SNMP
firewall-groups 4 Named groups with member management
pppoe 6 Listener interfaces, MAC filter
pado-delay 2 PADO delay for PPPoE
traffic 5 SSE streams, TC queues, rate limits
routing 9 BGP, OSPF, RIP, BFD
conntrack 8 Table size, timeouts, profiles, flush
connection-limits 3 Global/per-interface limits
ip-pool 4 Address pool management
scheduler 4 Job scheduling with run-on-demand
dns-forwarding 4 DNS forwarder, cache flush
ntp 2 NTP sync status
lldp 3 LLDP neighbor discovery
dhcp 5 DHCP/relay, leases
flow-accounting 4 NetFlow/sFlow collectors
event-handler 6 Event hooks, fire, history
zone-firewall 4 Zone-based firewall
vrrp 4 VRRP status, failover
monitoring 4 Prometheus exporters
diagnostics 1 System health check
logs 2 Log tail, SSE stream
audit 1 Write operation trail (admin-only)
bulk 3 Batch API operations
playbooks 2 Operational automation sequences
websocket 1 Real-time event streaming

Full API reference: API Documentation


Authentication

All endpoints except /health, /health/ready, and /metrics require an X-API-Key header:

# Authenticated request
curl -H "X-API-Key: your-key" http://bng-node:8470/api/v1/system/info

# Without key -> 401 Unauthorized
curl http://bng-node:8470/api/v1/system/info

# Health check (public, no key required)
curl http://bng-node:8470/health

RBAC Roles

Role Access Use Case
viewer GET endpoints only Monitoring dashboards, read-only scripts
operator GET + POST/PUT/DELETE Day-to-day management
admin Full access Service restart, config apply, audit log, playbooks

The primary DAWOS_API_KEY always grants admin access. For multi-key RBAC, configure DAWOS_API_KEYS_FILE with a JSON mapping.

Generate a strong API key:

python3 -c "import secrets; print(secrets.token_urlsafe(32))"

Usage Examples

Session Management

# List active sessions
curl -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/sessions/list

# Session statistics
curl -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/sessions/stats

# Find a user
curl -H "X-API-Key: $KEY" "http://$HOST:8470/api/v1/sessions/find?username=john"

# Terminate a session
curl -X POST -H "X-API-Key: $KEY" -H "Content-Type: application/json" \
  -d '{"username":"john"}' http://$HOST:8470/api/v1/sessions/terminate

Configuration with Guarded Apply

# Show current config
curl -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/config/show

# Apply new config (auto-reverts if not confirmed within timeout)
curl -X POST -H "X-API-Key: $KEY" -H "Content-Type: application/json" \
  -d '{"content":"..."}' http://$HOST:8470/api/v1/checkpoint/apply

# Confirm the apply (prevents auto-rollback)
curl -X POST -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/checkpoint/confirm

Monitoring

# Prometheus metrics
curl http://$HOST:8470/metrics

# Readiness probe
curl http://$HOST:8470/health/ready

# WebSocket event stream (requires wscat or websocat)
wscat -c "ws://$HOST:8470/ws/events?key=$KEY"

Using with dawos-cli

For a rich terminal experience, use the companion CLI tool dawos-cli:

pip install dawos-cli
dawos profile add prod --url http://bng-node:8470 --key YOUR_KEY
dawos status
dawos session list
dawos top    # live dashboard

Deployment

Measured Resource Usage

Component Memory (RSS) CPU (idle) CPU (under load)
dawos-agent (FastAPI + Uvicorn) 64 MB < 0.1% < 2%
accel-ppp daemon (0 sessions) 6 MB 0% varies
Combined management stack 70 MB < 0.2% < 3%

Sizing by Scale

Scale Sessions CPU RAM Disk
Small < 500 2 vCPU 2 GB 10 GB
Medium 500 -- 2,000 2 vCPU 4 GB 20 GB
Large 2,000 -- 10,000 4 vCPU 8 GB 40 GB

File Locations

Path Purpose
/opt/dawos-agent/ Install directory
/opt/dawos-agent/venv/ Python virtual environment
/etc/dawos-agent/agent.env Configuration (DAWOS_* vars)
/etc/accel-ppp.conf accel-ppp configuration
/etc/sudoers.d/dawos-agent Sudo rules
/etc/systemd/system/dawos-agent.service dawos-agent systemd unit
/etc/systemd/system/accel-ppp.service accel-ppp systemd unit

Systemd Management

sudo systemctl start dawos-agent
sudo systemctl stop dawos-agent
sudo systemctl restart dawos-agent
sudo systemctl status dawos-agent
sudo journalctl -u dawos-agent -f

See Installation docs for full deployment details and the Production Hardening guide for production-ready configuration.


Architecture

dawos-agent/
├── dawos_agent/
│   ├── __init__.py          # Package metadata
│   ├── __main__.py          # uvicorn entry point
│   ├── app.py               # FastAPI app factory, mounts all routers
│   ├── auth.py              # X-API-Key header auth with RBAC
│   ├── config.py            # pydantic-settings, DAWOS_ env prefix
│   ├── constants.py         # Shared named constants
│   ├── events.py            # WebSocket event bus (4 channels)
│   ├── logging.py           # Structured logging setup (text/JSON)
│   ├── metrics.py           # Prometheus metric definitions
│   ├── middleware.py         # RequestId + AuditLog + Metrics middleware
│   ├── rbac.py              # Role-based access control (viewer/operator/admin)
│   ├── retry.py             # Exponential backoff retry for accel-cmd
│   ├── webhooks.py          # Fire-and-forget webhook delivery
│   ├── models/
│   │   └── schemas.py       # 214 Pydantic v2 request/response models
│   ├── routers/             # 38 API router modules (HTTP layer only)
│   └── services/            # 34 service modules (business logic + shell calls)
├── tests/                   # 1410 tests
├── docs/                    # MkDocs Material documentation
├── .github/
│   └── workflows/
│       ├── ci.yml           # GitHub Actions CI (lint + test on push/PR)
│       ├── release.yml      # PyPI publish + GitHub Release on tag
│       └── docs.yml         # MkDocs auto-deploy to GitHub Pages
├── .pre-commit-config.yaml  # Pre-commit hooks (Black, Ruff, Pylint)
├── mkdocs.yml               # MkDocs configuration
├── install.sh               # Production installer script (TUI wizard)
├── pyproject.toml           # Project metadata, build config, tool settings
├── README.md                # This file
├── CHANGELOG.md             # Version history
├── CONTRIBUTING.md          # Contribution guidelines
├── SECURITY.md              # Security policy
├── CODE_OF_CONDUCT.md       # Community guidelines
└── LICENSE                  # MIT License

Design Principles

Principle Implementation
Router -> Service -> Shell Routers handle HTTP, services contain business logic, shell commands via _run().
Auth on every endpoint ApiKey dependency returns 401 on missing/invalid key. /health, /health/ready, /metrics are the only public endpoints.
Pydantic v2 models All request/response types defined in models/schemas.py with strict validation.
Least-privilege sudo Only 7 commands allowed: nft, ip, tc, vtysh, sysctl, tee, conntrack.
No shell injection All subprocess calls use list-form arguments, never string interpolation. Defense-in-depth shlex.quote() on user-supplied values.
Systemd sandboxing ProtectSystem=strict, ProtectHome=true, PrivateTmp=true, WatchdogSec=30.

Development

Environment Setup

git clone https://github.com/Cepat-Kilat-Teknologi/dawos-agent.git
cd dawos-agent
python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pip install pylint black

Code Quality Tools

Tool Purpose Configuration
Black Code formatting pyproject.toml [tool.black]
Pylint Static analysis pyproject.toml [tool.pylint]
Ruff Fast linting (E/F/W/I/N/UP/B/SIM) pyproject.toml [tool.ruff]
pytest Test framework with async support pyproject.toml [tool.pytest]
coverage Coverage reporting pyproject.toml [tool.coverage]
pre-commit Git hooks (Black + Ruff + Pylint) .pre-commit-config.yaml

Running Quality Checks

# Format code
black dawos_agent/ tests/

# Lint
pylint dawos_agent/
ruff check dawos_agent/ tests/

# Run all tests
pytest tests/ -x -q

# Run with coverage
coverage run -m pytest tests/
coverage report -m

# All checks at once
black --check dawos_agent/ tests/ && ruff check dawos_agent/ tests/ && pylint dawos_agent/ && pytest tests/ -x -q

Pre-commit Hooks

Pre-commit hooks run Black, Ruff, and Pylint automatically on git commit:

# Install hooks (one-time setup)
pip install pre-commit
pre-commit install

# Run manually on all files
pre-commit run --all-files

Running Locally

DAWOS_API_KEY=dev-key python -m dawos_agent

The agent starts on http://localhost:8470 with Swagger docs at /docs.


Testing

# Quick test run
pytest tests/ -x -q

# Full coverage report
coverage run -m pytest tests/ && coverage report -m

Quality Gates

Gate Target Command
Tests 1410 passing pytest tests/ -x -q
Coverage minimum 90% coverage report -m
Pylint 10.00/10 pylint dawos_agent/
Black All formatted black --check dawos_agent/ tests/
Ruff Zero violations ruff check dawos_agent/ tests/
Vulnerabilities 0 known pip-audit

Test Patterns

  • Mirror source structure -- each service gets test_xxx_service.py, each router gets test_xxx.py
  • Mock at shell level -- mock asyncio.create_subprocess_exec or service functions
  • Async tests -- use pytest-asyncio with asyncio_mode="auto"
  • Edge cases -- error paths, empty data, subprocess failures

Contributing

We welcome contributions. Please see CONTRIBUTING.md for guidelines on:

  • Setting up your development environment
  • Code style and formatting standards (Black, Pylint 10.0/10, Ruff)
  • Testing requirements
  • Submitting pull requests

Security

  • API-key auth with RBAC -- three-tier role hierarchy (viewer, operator, admin) on all endpoints except public probes
  • Rate limiting -- per-IP throttling with configurable limits, HTTP 429 responses
  • Systemd sandboxing -- ProtectSystem=strict, ProtectHome=true, PrivateTmp=true, WatchdogSec=30
  • Least-privilege sudo -- limited to 7 commands: nft, ip, tc, vtysh, sysctl, tee, conntrack
  • No shell injection -- all subprocess calls use list-form arguments with shlex.quote() defense-in-depth
  • No eval() or exec() anywhere in the codebase
  • Webhook signing -- optional HMAC-SHA256 payload verification

See SECURITY.md for the full security policy and vulnerability reporting process.


Changelog

See CHANGELOG.md for a detailed version history.


API Compatibility

DawOS Agent exposes a REST API on port 8470 consumed by DawOS CLI. All endpoints use X-API-Key header authentication. The WebSocket endpoint at /ws/events accepts the key as a query parameter.


License

This project is licensed under the MIT License. See LICENSE for the full text.


DawOS Agent is built with FastAPI, Pydantic v2, and Uvicorn.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dawos_agent-0.4.1.tar.gz (255.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

dawos_agent-0.4.1-py3-none-any.whl (210.5 kB view details)

Uploaded Python 3

File details

Details for the file dawos_agent-0.4.1.tar.gz.

File metadata

  • Download URL: dawos_agent-0.4.1.tar.gz
  • Upload date:
  • Size: 255.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dawos_agent-0.4.1.tar.gz
Algorithm Hash digest
SHA256 30185c5f863adca49f47951adc91455a0b60c206fe32be2236a779e06ea9a3ee
MD5 7528f52931c1b7c6b072ca35ffd7566e
BLAKE2b-256 24ebd716f040c14a1d8d3d418bbb64ce559f850b6959ae4e60391395f0a1e256

See more details on using hashes here.

File details

Details for the file dawos_agent-0.4.1-py3-none-any.whl.

File metadata

  • Download URL: dawos_agent-0.4.1-py3-none-any.whl
  • Upload date:
  • Size: 210.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dawos_agent-0.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 e14b039d6e9fd7bc913a7a403bece51d55de4138648a0b99dff06a1a895bcfbf
MD5 b9f9350ffb79b6430bff91576415defc
BLAKE2b-256 bffc05577c2c68edd6cbc9f26cd35cb292b8da4c71c2918628be605aca1aaf56

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page