PPP router management agent — REST API for accel-ppp BNG nodes
Project description
Broadband management, simplified.
PyPI |
Documentation |
Releases
Overview
DawOS Agent is an open-source broadband network gateway management daemon built on FastAPI. It wraps accel-cmd, nft, ip, tc, vtysh, and other Linux system utilities as 170 HTTP endpoints across 38 router modules, giving you full control of your accel-ppp PPPoE infrastructure through a single REST API.
The agent runs as a lightweight single-process daemon (64 MB RSS at idle) alongside accel-ppp on the same node. It provides complete remote management without direct SSH access, making it suitable for automation, orchestration platforms, and multi-node ISP deployments.
Key Features
- PPPoE lifecycle -- sessions, rate-limiting, PADO delay, MAC filtering
- Network management -- interfaces, VLANs, routes, DNS, DHCP, VRRP, LLDP
- Firewall -- nftables rules, NAT/masquerade, zone firewall, conntrack
- Dynamic routing -- BGP, OSPF, RIP, BFD status via FRR/vtysh
- Config management -- checkpoint, diff, rollback, guarded apply with auto-revert
- Monitoring -- Prometheus metrics endpoint, health/readiness probes, WebSocket event streaming
- Security -- API-key auth with RBAC (viewer/operator/admin), rate limiting, systemd sandboxing, least-privilege sudoers
- Observability -- structured JSON logging, request ID tracing, audit log with in-memory buffer, webhook notifications
- Automation -- operational playbooks, bulk operations, cron-like scheduler
- Streaming -- SSE endpoints for live traffic and log tailing
Table of Contents
- Installation
- Quick Start
- Configuration
- API Reference
- Authentication
- Usage Examples
- Deployment
- Architecture
- Development
- Testing
- Contributing
- Security
- Changelog
- License
Installation
Prerequisites
- Python 3.9 or later
- Linux (Debian 11+ / Ubuntu 22.04+), x86_64 architecture
- accel-ppp — the installer script builds it from source automatically; if installing via pip you must install accel-ppp yourself first
Recommended Install (installer script)
The installer handles everything end-to-end: builds accel-ppp from source if not present, creates a dawos system user, installs the agent in a virtualenv, sets up systemd, sudoers, conntrack, and file ownership.
# One-line install (recommended)
curl -sL https://raw.githubusercontent.com/Cepat-Kilat-Teknologi/dawos-agent/main/install.sh | sudo bash
# Or clone and run manually
git clone https://github.com/Cepat-Kilat-Teknologi/dawos-agent.git
cd dawos-agent
sudo bash install.sh
Options:
sudo bash install.sh # Interactive TUI wizard
sudo bash install.sh --yes # Non-interactive (accept defaults)
sudo bash install.sh --uninstall # Remove everything
Install via pip
Note: This installs only the Python package. You must have accel-ppp already installed and running on the system. Systemd service, sudoers, and conntrack must be configured manually.
1. Install accel-ppp from source
# Install build dependencies
sudo apt-get update
sudo apt-get install -y cmake gcc g++ make git \
libssl-dev libpcre3-dev liblua5.1-0-dev
# Clone and build
git clone --depth 1 https://github.com/accel-ppp/accel-ppp.git /tmp/accel-ppp-build
mkdir /tmp/accel-ppp-build/build && cd /tmp/accel-ppp-build/build
cmake -DCMAKE_INSTALL_PREFIX=/usr \
-DKDIR=/lib/modules/$(uname -r)/build \
-DLUA=TRUE \
-DRADIUS=TRUE \
..
make -j$(nproc)
sudo make install
# Verify
accel-pppd --version
2. Install dawos-agent
pip install dawos-agent
3. Configure system (manual steps)
# Create system user
sudo useradd -r -s /usr/sbin/nologin dawos
# Install conntrack
sudo apt-get install -y conntrack
# Set up sudoers (least-privilege)
sudo tee /etc/sudoers.d/dawos-agent > /dev/null << 'SUDOERS'
dawos ALL=(ALL) NOPASSWD: /usr/sbin/nft
dawos ALL=(ALL) NOPASSWD: /usr/sbin/ip
dawos ALL=(ALL) NOPASSWD: /usr/sbin/tc
dawos ALL=(ALL) NOPASSWD: /usr/bin/vtysh
dawos ALL=(ALL) NOPASSWD: /usr/sbin/sysctl
dawos ALL=(ALL) NOPASSWD: /usr/bin/tee
dawos ALL=(ALL) NOPASSWD: /usr/sbin/conntrack
SUDOERS
sudo chmod 0440 /etc/sudoers.d/dawos-agent
# Set config ownership
sudo chown -R dawos:dawos /etc/accel-ppp.d/ 2>/dev/null || true
sudo chown dawos:dawos /etc/accel-ppp.conf
See Installation docs for systemd unit setup and full configuration.
Install from Source (Development)
git clone https://github.com/Cepat-Kilat-Teknologi/dawos-agent.git
cd dawos-agent
python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pip install pylint black
Upgrade
pip install --upgrade dawos-agent
Quick Start
1. Start the Agent
# Development mode
DAWOS_API_KEY=your-secret python -m dawos_agent
# Production (via systemd)
sudo systemctl start dawos-agent
2. Verify
# Health check (no auth required)
curl -s http://localhost:8470/health | python3 -m json.tool
# Readiness probe (checks accel-ppp connectivity)
curl -s http://localhost:8470/health/ready | python3 -m json.tool
# System info (auth required)
curl -H "X-API-Key: your-secret" http://localhost:8470/api/v1/system/info
3. Interactive API Docs
Open in your browser:
- Swagger UI:
http://localhost:8470/docs - ReDoc:
http://localhost:8470/redoc
Configuration
All settings use the DAWOS_ environment variable prefix. Place them in /etc/dawos-agent/agent.env for production.
| Variable | Default | Description |
|---|---|---|
DAWOS_HOST |
0.0.0.0 |
Listen address |
DAWOS_PORT |
8470 |
Listen port |
DAWOS_API_KEY |
(generated) | Shared secret for X-API-Key header |
DAWOS_NODE_NAME |
(hostname) | Node identity for health responses |
DAWOS_LOG_LEVEL |
info |
Log level (debug, info, warning, error) |
DAWOS_LOG_FORMAT |
text |
Log format (text or json for structured logging) |
DAWOS_RATE_LIMIT |
120/minute |
Per-IP rate limit (empty to disable) |
DAWOS_RETRY_MAX |
3 |
Max retry attempts for transient accel-cmd failures |
DAWOS_RETRY_DELAY |
1.0 |
Base retry delay in seconds |
DAWOS_AUDIT_BUFFER_SIZE |
1000 |
In-memory audit ring buffer size |
DAWOS_WEBHOOK_URL |
(disabled) | Webhook endpoint for event notifications |
DAWOS_WEBHOOK_SECRET |
(disabled) | HMAC-SHA256 secret for webhook signing |
DAWOS_API_KEYS_FILE |
(disabled) | JSON file mapping API keys to RBAC roles |
ACCEL_CMD |
/usr/bin/accel-cmd |
Path to accel-cmd |
ACCEL_CLI_PORT |
2001 |
accel-ppp CLI port |
ACCEL_CONFIG_PATH |
/etc/accel-ppp.conf |
accel-ppp config path |
ACCEL_SERVICE_NAME |
accel-ppp |
Systemd service name |
See Configuration docs for the full reference.
API Reference
170 endpoints across 38 groups. All require X-API-Key header except /health, /health/ready, and /metrics.
| Group | Endpoints | Description |
|---|---|---|
| health | 2 | Liveness and readiness probes (public) |
| metrics | 1 | Prometheus metrics (public) |
| system | 2 | OS info, CPU, memory, disk |
| service | 5 | Status, start/stop/restart, graceful shutdown, accel-cmd passthrough |
| sessions | 4 | List, stats, find, terminate |
| session-control | 5 | Lookup by SID/IP, snapshot, restart |
| config | 3 | Read/update accel-ppp.conf |
| checkpoint | 8 | Revisions, diff, rollback, guarded apply, confirm |
| network | 13 | Interfaces, VLANs, routes, DNS, throughput |
| firewall | 19 | nftables, NAT, sysctl, conntrack, SNMP |
| firewall-groups | 4 | Named groups with member management |
| pppoe | 6 | Listener interfaces, MAC filter |
| pado-delay | 2 | PADO delay for PPPoE |
| traffic | 5 | SSE streams, TC queues, rate limits |
| routing | 9 | BGP, OSPF, RIP, BFD |
| conntrack | 8 | Table size, timeouts, profiles, flush |
| connection-limits | 3 | Global/per-interface limits |
| ip-pool | 4 | Address pool management |
| scheduler | 4 | Job scheduling with run-on-demand |
| dns-forwarding | 4 | DNS forwarder, cache flush |
| ntp | 2 | NTP sync status |
| lldp | 3 | LLDP neighbor discovery |
| dhcp | 5 | DHCP/relay, leases |
| flow-accounting | 4 | NetFlow/sFlow collectors |
| event-handler | 6 | Event hooks, fire, history |
| zone-firewall | 4 | Zone-based firewall |
| vrrp | 4 | VRRP status, failover |
| monitoring | 4 | Prometheus exporters |
| diagnostics | 1 | System health check |
| logs | 2 | Log tail, SSE stream |
| audit | 1 | Write operation trail (admin-only) |
| bulk | 3 | Batch API operations |
| playbooks | 2 | Operational automation sequences |
| websocket | 1 | Real-time event streaming |
Full API reference: API Documentation
Authentication
All endpoints except /health, /health/ready, and /metrics require an X-API-Key header:
# Authenticated request
curl -H "X-API-Key: your-key" http://bng-node:8470/api/v1/system/info
# Without key -> 401 Unauthorized
curl http://bng-node:8470/api/v1/system/info
# Health check (public, no key required)
curl http://bng-node:8470/health
RBAC Roles
| Role | Access | Use Case |
|---|---|---|
| viewer | GET endpoints only | Monitoring dashboards, read-only scripts |
| operator | GET + POST/PUT/DELETE | Day-to-day management |
| admin | Full access | Service restart, config apply, audit log, playbooks |
The primary DAWOS_API_KEY always grants admin access. For multi-key RBAC, configure DAWOS_API_KEYS_FILE with a JSON mapping.
Generate a strong API key:
python3 -c "import secrets; print(secrets.token_urlsafe(32))"
Usage Examples
Session Management
# List active sessions
curl -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/sessions/list
# Session statistics
curl -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/sessions/stats
# Find a user
curl -H "X-API-Key: $KEY" "http://$HOST:8470/api/v1/sessions/find?username=john"
# Terminate a session
curl -X POST -H "X-API-Key: $KEY" -H "Content-Type: application/json" \
-d '{"username":"john"}' http://$HOST:8470/api/v1/sessions/terminate
Configuration with Guarded Apply
# Show current config
curl -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/config/show
# Apply new config (auto-reverts if not confirmed within timeout)
curl -X POST -H "X-API-Key: $KEY" -H "Content-Type: application/json" \
-d '{"content":"..."}' http://$HOST:8470/api/v1/checkpoint/apply
# Confirm the apply (prevents auto-rollback)
curl -X POST -H "X-API-Key: $KEY" http://$HOST:8470/api/v1/checkpoint/confirm
Monitoring
# Prometheus metrics
curl http://$HOST:8470/metrics
# Readiness probe
curl http://$HOST:8470/health/ready
# WebSocket event stream (requires wscat or websocat)
wscat -c "ws://$HOST:8470/ws/events?key=$KEY"
Using with dawos-cli
For a rich terminal experience, use the companion CLI tool dawos-cli:
pip install dawos-cli
dawos profile add prod --url http://bng-node:8470 --key YOUR_KEY
dawos status
dawos session list
dawos top # live dashboard
Deployment
Measured Resource Usage
| Component | Memory (RSS) | CPU (idle) | CPU (under load) |
|---|---|---|---|
| dawos-agent (FastAPI + Uvicorn) | 64 MB | < 0.1% | < 2% |
| accel-ppp daemon (0 sessions) | 6 MB | 0% | varies |
| Combined management stack | 70 MB | < 0.2% | < 3% |
Sizing by Scale
| Scale | Sessions | CPU | RAM | Disk |
|---|---|---|---|---|
| Small | < 500 | 2 vCPU | 2 GB | 10 GB |
| Medium | 500 -- 2,000 | 2 vCPU | 4 GB | 20 GB |
| Large | 2,000 -- 10,000 | 4 vCPU | 8 GB | 40 GB |
File Locations
| Path | Purpose |
|---|---|
/opt/dawos-agent/ |
Install directory |
/opt/dawos-agent/venv/ |
Python virtual environment |
/etc/dawos-agent/agent.env |
Configuration (DAWOS_* vars) |
/etc/accel-ppp.conf |
accel-ppp configuration |
/etc/sudoers.d/dawos-agent |
Sudo rules |
/etc/systemd/system/dawos-agent.service |
dawos-agent systemd unit |
/etc/systemd/system/accel-ppp.service |
accel-ppp systemd unit |
Systemd Management
sudo systemctl start dawos-agent
sudo systemctl stop dawos-agent
sudo systemctl restart dawos-agent
sudo systemctl status dawos-agent
sudo journalctl -u dawos-agent -f
See Installation docs for full deployment details and the Production Hardening guide for production-ready configuration.
Architecture
dawos-agent/
├── dawos_agent/
│ ├── __init__.py # Package metadata
│ ├── __main__.py # uvicorn entry point
│ ├── app.py # FastAPI app factory, mounts all routers
│ ├── auth.py # X-API-Key header auth with RBAC
│ ├── config.py # pydantic-settings, DAWOS_ env prefix
│ ├── constants.py # Shared named constants
│ ├── events.py # WebSocket event bus (4 channels)
│ ├── logging.py # Structured logging setup (text/JSON)
│ ├── metrics.py # Prometheus metric definitions
│ ├── middleware.py # RequestId + AuditLog + Metrics middleware
│ ├── rbac.py # Role-based access control (viewer/operator/admin)
│ ├── retry.py # Exponential backoff retry for accel-cmd
│ ├── webhooks.py # Fire-and-forget webhook delivery
│ ├── models/
│ │ └── schemas.py # 214 Pydantic v2 request/response models
│ ├── routers/ # 38 API router modules (HTTP layer only)
│ └── services/ # 34 service modules (business logic + shell calls)
├── tests/ # 1410 tests
├── docs/ # MkDocs Material documentation
├── .github/
│ └── workflows/
│ ├── ci.yml # GitHub Actions CI (lint + test on push/PR)
│ ├── release.yml # PyPI publish + GitHub Release on tag
│ └── docs.yml # MkDocs auto-deploy to GitHub Pages
├── .pre-commit-config.yaml # Pre-commit hooks (Black, Ruff, Pylint)
├── mkdocs.yml # MkDocs configuration
├── install.sh # Production installer script (TUI wizard)
├── pyproject.toml # Project metadata, build config, tool settings
├── README.md # This file
├── CHANGELOG.md # Version history
├── CONTRIBUTING.md # Contribution guidelines
├── SECURITY.md # Security policy
├── CODE_OF_CONDUCT.md # Community guidelines
└── LICENSE # MIT License
Design Principles
| Principle | Implementation |
|---|---|
| Router -> Service -> Shell | Routers handle HTTP, services contain business logic, shell commands via _run(). |
| Auth on every endpoint | ApiKey dependency returns 401 on missing/invalid key. /health, /health/ready, /metrics are the only public endpoints. |
| Pydantic v2 models | All request/response types defined in models/schemas.py with strict validation. |
| Least-privilege sudo | Only 7 commands allowed: nft, ip, tc, vtysh, sysctl, tee, conntrack. |
| No shell injection | All subprocess calls use list-form arguments, never string interpolation. Defense-in-depth shlex.quote() on user-supplied values. |
| Systemd sandboxing | ProtectSystem=strict, ProtectHome=true, PrivateTmp=true, WatchdogSec=30. |
Development
Environment Setup
git clone https://github.com/Cepat-Kilat-Teknologi/dawos-agent.git
cd dawos-agent
python3 -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pip install pylint black
Code Quality Tools
| Tool | Purpose | Configuration |
|---|---|---|
| Black | Code formatting | pyproject.toml [tool.black] |
| Pylint | Static analysis | pyproject.toml [tool.pylint] |
| Ruff | Fast linting (E/F/W/I/N/UP/B/SIM) | pyproject.toml [tool.ruff] |
| pytest | Test framework with async support | pyproject.toml [tool.pytest] |
| coverage | Coverage reporting | pyproject.toml [tool.coverage] |
| pre-commit | Git hooks (Black + Ruff + Pylint) | .pre-commit-config.yaml |
Running Quality Checks
# Format code
black dawos_agent/ tests/
# Lint
pylint dawos_agent/
ruff check dawos_agent/ tests/
# Run all tests
pytest tests/ -x -q
# Run with coverage
coverage run -m pytest tests/
coverage report -m
# All checks at once
black --check dawos_agent/ tests/ && ruff check dawos_agent/ tests/ && pylint dawos_agent/ && pytest tests/ -x -q
Pre-commit Hooks
Pre-commit hooks run Black, Ruff, and Pylint automatically on git commit:
# Install hooks (one-time setup)
pip install pre-commit
pre-commit install
# Run manually on all files
pre-commit run --all-files
Running Locally
DAWOS_API_KEY=dev-key python -m dawos_agent
The agent starts on http://localhost:8470 with Swagger docs at /docs.
Testing
# Quick test run
pytest tests/ -x -q
# Full coverage report
coverage run -m pytest tests/ && coverage report -m
Quality Gates
| Gate | Target | Command |
|---|---|---|
| Tests | 1410 passing | pytest tests/ -x -q |
| Coverage | minimum 90% | coverage report -m |
| Pylint | 10.00/10 | pylint dawos_agent/ |
| Black | All formatted | black --check dawos_agent/ tests/ |
| Ruff | Zero violations | ruff check dawos_agent/ tests/ |
| Vulnerabilities | 0 known | pip-audit |
Test Patterns
- Mirror source structure -- each service gets
test_xxx_service.py, each router getstest_xxx.py - Mock at shell level -- mock
asyncio.create_subprocess_execor service functions - Async tests -- use
pytest-asynciowithasyncio_mode="auto" - Edge cases -- error paths, empty data, subprocess failures
Contributing
We welcome contributions. Please see CONTRIBUTING.md for guidelines on:
- Setting up your development environment
- Code style and formatting standards (Black, Pylint 10.0/10, Ruff)
- Testing requirements
- Submitting pull requests
Security
- API-key auth with RBAC -- three-tier role hierarchy (viewer, operator, admin) on all endpoints except public probes
- Rate limiting -- per-IP throttling with configurable limits, HTTP 429 responses
- Systemd sandboxing --
ProtectSystem=strict,ProtectHome=true,PrivateTmp=true,WatchdogSec=30 - Least-privilege sudo -- limited to 7 commands:
nft,ip,tc,vtysh,sysctl,tee,conntrack - No shell injection -- all subprocess calls use list-form arguments with
shlex.quote()defense-in-depth - No
eval()orexec()anywhere in the codebase - Webhook signing -- optional HMAC-SHA256 payload verification
See SECURITY.md for the full security policy and vulnerability reporting process.
Changelog
See CHANGELOG.md for a detailed version history.
API Compatibility
DawOS Agent exposes a REST API on port 8470 consumed by DawOS CLI. All endpoints use X-API-Key header authentication. The WebSocket endpoint at /ws/events accepts the key as a query parameter.
License
This project is licensed under the MIT License. See LICENSE for the full text.
DawOS Agent is built with FastAPI, Pydantic v2, and Uvicorn.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dawos_agent-0.4.1.tar.gz.
File metadata
- Download URL: dawos_agent-0.4.1.tar.gz
- Upload date:
- Size: 255.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
30185c5f863adca49f47951adc91455a0b60c206fe32be2236a779e06ea9a3ee
|
|
| MD5 |
7528f52931c1b7c6b072ca35ffd7566e
|
|
| BLAKE2b-256 |
24ebd716f040c14a1d8d3d418bbb64ce559f850b6959ae4e60391395f0a1e256
|
File details
Details for the file dawos_agent-0.4.1-py3-none-any.whl.
File metadata
- Download URL: dawos_agent-0.4.1-py3-none-any.whl
- Upload date:
- Size: 210.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e14b039d6e9fd7bc913a7a403bece51d55de4138648a0b99dff06a1a895bcfbf
|
|
| MD5 |
b9f9350ffb79b6430bff91576415defc
|
|
| BLAKE2b-256 |
bffc05577c2c68edd6cbc9f26cd35cb292b8da4c71c2918628be605aca1aaf56
|