Daemon Deployment on Bare Metal and VMs
This guide covers installing the Riptides daemon and kernel module on bare-metal Linux servers and virtual machines. This approach works for any Linux-based environment outside of Kubernetes, including EC2 instances, GCP VMs, Azure VMs, on-premises hardware, and local development VMs (e.g., Lima).
Prerequisites
- Linux kernel 5.15+ (x86_64 or ARM64)
- Root access
- Network connectivity to the Riptides control plane (ports 8443, 9443, 8001)
Step 1: Install the Kernel Module
The Riptides kernel module provides transparent in-kernel TLS/mTLS termination for TCP sockets.
The recommended way to install it is via the driver-loader package, which automatically detects your kernel version and architecture and downloads and installs the correct driver package. Download the appropriate package from the driver-loader releases page and install it:
Debian / Ubuntu:
```sh
sudo dpkg -i riptides-driver-loader_<version>_<arch>.deb
# or
sudo apt install ./riptides-driver-loader_<version>_<arch>.deb
```
CentOS / Fedora / Amazon Linux:
```sh
sudo rpm -i riptides-driver-loader-<version>.<arch>.rpm
# or
sudo dnf install ./riptides-driver-loader-<version>.<arch>.rpm
```
Alternatively, download the driver package directly from the driver releases page. Select the driver version and the package matching your kernel version and architecture, then install it manually:
```sh
# Debian / Ubuntu
sudo dpkg -i riptides-driver-<distro>-<kernel-version>_<driver-version>_<arch>.deb
# e.g. riptides-driver-ubuntu-6.14.0-37-generic_v0.5.15_arm64.deb

# CentOS / Fedora / Amazon Linux
sudo rpm -i riptides-driver-<distro>-<kernel-version>_<driver-version>.<arch>.rpm
```
Verify the Module
Confirm the kernel module loaded successfully:
```sh
# Check kernel messages
sudo dmesg -T | grep riptides

# Verify the module is loaded
lsmod | grep riptides

# Check driver health
cat /proc/riptides/health
```
The health endpoint will report “waiting for daemon” until the daemon connects and pushes configuration. This is expected.
Step 2: Install the Daemon Binary
Install the daemon from the package repository:
Debian / Ubuntu:
```sh
sudo apt install riptides-daemon
```
RHEL / Fedora / Amazon Linux:
```sh
sudo dnf install riptides-daemon
```
Alternatively, build from source (requires a GitHub account with access to the daemon repository):
```sh
git clone https://github.com/riptideslabs/daemon.git
cd daemon
GOOS=linux make build

# The binary is at ./build/riptides
sudo cp ./build/riptides /usr/local/bin/riptides
```
Step 3: Configure the Daemon
Create the configuration directories:
```sh
sudo mkdir -p /etc/riptides/identities
sudo mkdir -p /etc/riptides/services
sudo mkdir -p /etc/riptides/credentials
```
Create a configuration file at /etc/riptides/config.yaml:
```yaml
daemon:
  trustDomain: example.com
  defaultCertTTL: 2h
  dataDir: /var/lib/riptides

metadataCollectors:
  procfs:
    enabled: true
    extractEnvs: false
  linuxos:
    enabled: true
  sysfsdmi:
    enabled: true
  ec2:
    enabled: false # Set to true on AWS EC2
  gcp:
    enabled: false # Set to true on GCP
  azure:
    enabled: false # Set to true on Azure
  kubernetes:
    enabled: false # Disable on bare metal
  docker:
    enabled: false

controlPlane:
  enabled: true
  url: https://cp.example.com
  grpcServerAddress: grpc.example.com:443
  tokenBrokerBaseURL: https://cp.example.com/token-broker
  authPlugin:
    type: joinToken
    config:
      token: "your-join-token-here"

tunnelServer:
  address: tunnel.example.com:443
```
Enable the cloud metadata collectors relevant to your environment:
- AWS EC2: Set `ec2.enabled: true` and use `authPlugin.type: AWSIID` for automatic attestation
- GCP: Set `gcp.enabled: true` and use `authPlugin.type: GCPIIT`
- Azure: Set `azure.enabled: true`
- On-premises / local VMs: Use `authPlugin.type: joinToken` with a pre-shared token
Step 4: Run the Daemon
Run the daemon manually:
```sh
sudo riptides daemon \
  --identities-path /etc/riptides/identities \
  --services-path /etc/riptides/services \
  --credentials-path /etc/riptides/credentials
```
Run as a systemd Service
Create a systemd unit file at /etc/systemd/system/riptides-daemon.service:
```ini
[Unit]
Description=Riptides Daemon
After=network-online.target
Wants=network-online.target
ConditionPathExists=/dev/riptides

[Service]
Type=simple
ExecStart=/usr/local/bin/riptides daemon \
  --identities-path /etc/riptides/identities \
  --services-path /etc/riptides/services \
  --credentials-path /etc/riptides/credentials
Restart=always
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```
ExecStart points at /usr/local/bin/riptides, where the source build in Step 2 copies the binary; if you installed the daemon from a package, set ExecStart to the path the package installed (`command -v riptides` shows it).
Enable and start the service:
```sh
sudo systemctl daemon-reload
sudo systemctl enable riptides-daemon
sudo systemctl start riptides-daemon
sudo systemctl status riptides-daemon
```
Step 5: Verify
Once the daemon is running, the driver health should report OK:
```sh
cat /proc/riptides/health
```
Check daemon logs:
```sh
# If running as a systemd service
sudo journalctl -u riptides-daemon -f

# If running manually, logs go to stdout/stderr
```
Local Development with Lima
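The checks in Step 1 and Step 5 read `lsmod` and `/proc/riptides/health` once. Since the health endpoint reports “waiting for daemon” until the daemon has connected and pushed configuration, a verification script should poll with a timeout rather than fail on the first read. The helpers below are an added example written for this guide, not part of the Riptides project: the paths and the “waiting for daemon” text come from the steps above, the assumption that a healthy driver reports OK follows Step 5, and nothing else about the health file's format is assumed.

```shell
#!/bin/sh
# Added example for this guide, not part of the Riptides project.
# Polls the driver health file instead of reading it once, because it reports
# "waiting for daemon" until the daemon connects and pushes configuration.
# Assumption: a healthy driver writes OK to the file (as Step 5 states); the
# file's exact format is otherwise not specified by the guide.

# riptides_health_state FILE  -> prints ready, waiting, missing or unknown
riptides_health_state() {
    f=$1
    [ -r "$f" ] || { echo missing; return 0; }
    content=$(cat "$f")
    case $content in
        *"waiting for daemon"*) echo waiting ;;
        *OK*)                   echo ready ;;
        *)                      echo unknown ;;
    esac
}

# riptides_wait_healthy FILE TIMEOUT_SECONDS [INTERVAL_SECONDS]
#   Returns 0 once the file reports ready; 1 on timeout, or immediately if the
#   file does not exist (the module from Step 1 is not loaded).
riptides_wait_healthy() {
    f=$1; timeout=$2; interval=${3:-1}
    elapsed=0; state=unknown
    while [ "$elapsed" -lt "$timeout" ]; do
        state=$(riptides_health_state "$f")
        case $state in
            ready)   return 0 ;;
            missing) echo "$f not found; is the riptides module loaded?" >&2; return 1 ;;
        esac
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "timed out after ${timeout}s waiting on $f; last state: $state" >&2
    return 1
}

# riptides_module_loaded [LSMOD_OUTPUT]
#   Returns 0 if "riptides" is present in lsmod output, read from the first
#   argument when given (for testing) or from lsmod itself otherwise. Matching
#   on the module-name column avoids false positives from similar names.
riptides_module_loaded() {
    if [ $# -gt 0 ]; then out=$1; else out=$(lsmod); fi
    printf '%s\n' "$out" | awk '$1 == "riptides" { found = 1 } END { exit !found }'
}
```

Source the file and run `riptides_module_loaded && riptides_wait_healthy /proc/riptides/health 60` after starting the daemon. A “not found” result means Step 1 did not complete; a timeout means the daemon has not yet connected to the control plane, which `journalctl -u riptides-daemon` will usually explain.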
You can run Riptides in a local Lima VM for development and testing. Install the kernel module and daemon inside the VM using the same steps above, and connect it to the hosted control plane using a JoinToken.
This is useful for testing workload identity assignment and credential injection locally before deploying to production infrastructure.
Diagnostics
The Riptides kernel module exposes several diagnostic endpoints for troubleshooting.
Direct Endpoints
| Path | Description |
|---|---|
| /proc/riptides/health | Driver health status |
| /proc/riptides/certificates | Currently loaded certificates |
| /proc/riptides/connections | Active connection state |
| /proc/riptides/trust_anchors | Trust anchor chain |
| /sys/module/riptides/credentials/ | Credential files loaded by the daemon |
Example — dump certificates directly:
```sh
cat /proc/riptides/certificates | python3 -m json.tool
```
Example — enable kernel dynamic debug for the module:
```sh
echo -n '-p; module riptides +pftl' | sudo tee /proc/dynamic_debug/control > /dev/null
```
Uninstalling
Remove the Daemon
```sh
sudo systemctl stop riptides-daemon
sudo systemctl disable riptides-daemon
sudo rm /etc/systemd/system/riptides-daemon.service
sudo systemctl daemon-reload
```
If installed via package:
```sh
sudo apt remove riptides-daemon  # Debian/Ubuntu
sudo dnf remove riptides-daemon  # RHEL/Fedora
```
Remove the Kernel Module
```sh
# Unload the module
sudo modprobe -r riptides

# Remove the package
sudo apt remove riptides-driver  # Debian/Ubuntu
sudo dnf remove riptides-driver  # RHEL/Fedora
```
Example: AWS EC2 Deployment
A complete configuration for an EC2 instance that attests using the instance identity document:
```yaml
daemon:
  trustDomain: example.com
  defaultCertTTL: 2h
  dataDir: /var/lib/riptides

metadataCollectors:
  procfs:
    enabled: true
    extractEnvs: false
  linuxos:
    enabled: true
  sysfsdmi:
    enabled: true
  ec2:
    enabled: true
  gcp:
    enabled: false
  azure:
    enabled: false
  kubernetes:
    enabled: false
  docker:
    enabled: false

controlPlane:
  enabled: true
  url: https://cp.example.com
  grpcServerAddress: grpc.example.com:443
  tokenBrokerBaseURL: https://cp.example.com/token-broker
  authPlugin:
    type: AWSIID

tunnelServer:
  address: tunnel.example.com:443
```
No shared secrets are needed — the daemon uses the EC2 instance identity document signed by AWS for attestation with the control plane.
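A consistency check that can be run against the Step 3 configuration and the EC2 example above before starting the daemon. This is an added example, not a tool shipped with Riptides. It assumes the YAML layout shown in this guide (each collector's `enabled:` on the line after its name, `type:` on the line after `authPlugin:`, a single-word token) and is deliberately not a general YAML parser. It enforces the pairings listed in Step 3 (AWSIID with `ec2.enabled: true`, GCPIIT with `gcp.enabled: true`), rejects the placeholder join token, and, because a join token is a pre-shared secret, refuses a config file that group or other users can read.

```shell
#!/bin/sh
# Added example for this guide, not a tool shipped with Riptides.
# Sanity-checks a daemon config.yaml before the daemon is started. It assumes
# the layout shown in this guide (each collector's "enabled:" on the line after
# its name, "type:" on the line after "authPlugin:", a single-word token) and
# is deliberately not a general YAML parser.

# riptides_auth_type FILE  -> prints controlPlane.authPlugin.type
riptides_auth_type() {
    awk '$1 == "authPlugin:" { getline; if ($1 == "type:") print $2; exit }' "$1"
}

# riptides_collector_enabled FILE NAME  -> 0 if metadataCollectors.NAME.enabled is true
riptides_collector_enabled() {
    awk -v name="$2" '
        $1 == (name ":") { getline; if ($1 == "enabled:" && $2 == "true") found = 1 }
        END { exit !found }' "$1"
}

# riptides_join_token FILE  -> prints authPlugin.config.token with quotes stripped
riptides_join_token() {
    awk '$1 == "token:" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# riptides_check_config FILE
#   Returns 0 when the auth plugin and cloud collector agree with the pairings
#   listed in Step 3 and, for joinToken, the token is not the placeholder and
#   the file is readable only by its owner. Problems are reported on stderr.
riptides_check_config() {
    f=$1; rc=0
    t=$(riptides_auth_type "$f")
    case $t in
        AWSIID)
            riptides_collector_enabled "$f" ec2 ||
                { echo "$f: AWSIID requires ec2.enabled: true" >&2; rc=1; } ;;
        GCPIIT)
            riptides_collector_enabled "$f" gcp ||
                { echo "$f: GCPIIT requires gcp.enabled: true" >&2; rc=1; } ;;
        joinToken)
            tok=$(riptides_join_token "$f")
            case $tok in
                ""|your-join-token-here)
                    echo "$f: joinToken requires a real token, not the placeholder" >&2; rc=1 ;;
            esac
            # The join token is a pre-shared secret, so group/other must have no
            # access to the file (columns 5-10 of ls -l are the group/other bits).
            case "$(ls -ld "$f" | cut -c5-10)" in
                ------) ;;
                *) echo "$f: readable by group/others; chmod 600 it" >&2; rc=1 ;;
            esac ;;
        "")
            echo "$f: no authPlugin.type found" >&2; rc=1 ;;
        *)
            # Other plugin types (e.g. whatever Azure uses) are not covered here.
            echo "$f: authPlugin.type '$t' not covered by this check" >&2 ;;
    esac
    return $rc
}
```

Source the file and run `riptides_check_config /etc/riptides/config.yaml` as root; a non-zero exit status with the reason on stderr means the daemon should not be started until the file is corrected.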