dog is a firewall management system

View on GitHub


dog_trainer is the central server component of dog, a centralized firewall management system.

Runtime Dependencies

Build Dependencies

Certificate Creation

If you already have a CA and per-server certs, you can reuse them, or buy new ones (costly). You can create your own self-signed certs with your own Certificate Authority.

One option to get you started is:

RethinkDB setup

Install RethinkDB

sudo apt install rethinkdb=2.3.6~0xenial

Setup clustering

For high availability, setup replication: sharding-and-replication

RethinkDB security

RethinkDB’s web console doesn’t require authentication, but you can use oauth2_proxy oauth2-proxy for that purpose.

Create database tables and indexes

Automatically created on dog_trainer start.

Import default Services

Definitions for some well known services can be imported.

rethinkdb import -f /opt/dog_trainer/scripts/default_services.json --table dog.service

RabbitMQ setup

install RabbitMQ

  sudo apt install rabbitmq-server=3.7.17-1

Copy and edit config

cp config/rabbitmq/rabbitmq.conf /etc/rabbitmq/
#edit rabbitmq to reflect location of certs and 
#you should replace PRIVATE_IP with an IP that is not accessible via the
#pubilc internet.
cp config/rabbitmq/enabled_plugins /etc/rabbitmq/
restart rabbitmq-server

Create virtual host and admin users

#edit, define variables.


Create DNS service names

It’s useful to create service names for the dog_trainer clients to connect to.
You may want to create one for each type of connection:

Federate multiple brokers to connect to multiple regions

You can deploy multiple rabbitmq servers across regions, using the federation plugin to replcate client queues and exchanges. You can then connect your agents to these distributed rabbitmqs via their local private IPs, avoiding having to have agents connect to a rabbitmq in another region across the public internet. RabbitMQ federation


Create directories:


Use github Release archive builds releases for Ubuntu x86

Download latest release archive:

Extract archive to /opt/dog_trainer/

Create configuration file /etc/dog_trainer/dog_trainer.config, based on this template:

    {dog_trainer, [
        {keepalive_alert_seconds, 60}
    {sync, [
        {growl, none},
        {log, [warnings, errors]},
        {non_descendants, fix},
        {executable, auto},
        {whitelisted_modules, []},
        {excluded_modules, []}
    {lager, [
        {handlers, [
        	   {lager_default_formatter, [time, 
        		" [", severity, "] ", pid, " (", {turbine_id, "non-turbine"}, ") ==> ", message, "\n"]}]},
            {{lager_file_backend, "error_log"}, [{file, "/var/log/dog_trainer/error.log"}, {level, error}]},
            {{lager_file_backend, "console_log"}, [{file, "/var/log/dog_trainer/console.log"}, {level, info }]}
        {crash_log, "/var/log/dog_trainer/crash.log"},
        {tracefiles, [
        {async_threshold, 10000},
        {sieve_threshold, 5000},
        {sieve_window, 100}
    {thumper, [
        {substitution_rules, []},
        {thumper_svrs, [default, publish]},
        {brokers, [
            {default, [
                        {host, "DOG_RABBITMQ_HOST"},
                        {port, 5673},
                        {api_port, 15672},
                        {virtual_host, <<"dog">>},
                        {user, <<"dog_trainer">>},
                        {password, <<"PASSWORD">>},
                        {ssl_options, [{cacertfile, "/opt/dog_trainer/priv/certs/rabbitmq/ca/cacert.pem"},
                                       {certfile, "/opt/dog_trainer/priv/certs/rabbitmq/client/cert.pem"},
                                       {keyfile, "/opt/dog_trainer/priv/certs/rabbitmq/client/key.pem"},
                                       {verify, verify_none},
                                       {fail_if_no_peer_cert, true}
            {publish, [{rabbitmq_config, default}]}
                {enabled, true},
                {dir, "/var/db/dog_trainer/queuejournal"},
                {memqueue_max, 10000},
                {check_journal, true}
    {erlcloud, [
      {aws_config, [
          {ec2_host, ""}

Build Release Deploy

$ rebar as $ENV tar

#copy tar to system, extract to /opt/dog_trainer


Setup systemd service

cp config/dog_trainer.service /lib/systemd/system/dog_trainer.service
systemctl enable dog_trainer
systemctl start dog_trainer



Deploy Agents