CLI Reference
cenvero-str-ctl is the operator interface to a node. It talks to the running
agent over a local Unix socket in /run/cenvero-str/, so it only works on the
node itself and requires root for any command that changes state.
cenvero-str-ctl <group> <command> [flags]
Add --format json (or yaml) to any command for machine-readable output, and
-h to any group or command for its full help.
status
cenvero-str-ctl status # one-line health summary
cenvero-str-ctl status --verbose # per-subsystem detail
Reports agent version, license state, data-plane programs, bridge state, and
cluster membership.
network
A network is a managed private network: a CIDR pool whose usable host IPs are
each materialized into an endpoint profile (an IP paired with a generated
MAC). You attach a workload by claiming a free endpoint; there is no separate
"VM" object — the endpoint is the workload's network identity.
| Command | Purpose |
|---|
network create | Define a network (--name --cidr [--gateway --vlan --tenant]) |
network list | List networks and their endpoint counts |
network show <id> | Full detail for one network, including its endpoints |
network endpoints <id> | List a network's endpoint profiles (IP ↔ MAC) |
network attach <id> [--ip] | Claim a free endpoint (optionally a specific IP) |
network detach <endpoint-id> | Free a bound endpoint |
network delete <id> | Remove a network (must have no bound endpoints) |
sudo cenvero-str-ctl network create --name app-net \
--cidr 10.20.0.0/24 --gateway 10.20.0.1
# Claim an endpoint for a workload — Stratum returns its IP + generated MAC
sudo cenvero-str-ctl network attach <network-id> --ip 10.20.0.50
MAC bindings — which tie a MAC address to its authorized IP for the eBPF
anti-spoof guard — are managed automatically for managed-network endpoints. For
addresses you bridge in from outside, manage them through the agent's
/api/v1/macbind REST API.
firewall
| Command | Purpose |
|---|
firewall allow | Add an allow rule |
firewall deny | Add an explicit deny rule |
firewall list | Show the active policy |
firewall delete <id> | Remove a rule |
dns
| Command | Purpose |
|---|
dns zones | List DNS zones |
dns records / dns list | List DNS records (optionally for one network) |
dns add / dns delete | Add or remove a DNS record |
lb
| Command | Purpose |
|---|
lb create | Create an L4 virtual IP and backend set |
lb add-backend / lb remove-backend | Adjust backends live |
lb list / lb show | Show VIPs, algorithms, backends, and health |
lb set-health | Configure a VIP's health check |
lb delete | Remove a VIP |
tenant
| Command | Purpose |
|---|
tenant list | List tenants |
tenant create | Create a tenant |
tenant quota <id> | Show a tenant's quota |
cluster
| Command | Purpose |
|---|
cluster join | Join this node to an existing cluster |
cluster status | Raft role, term, and peer health |
cluster leave | Gracefully remove this node |
sudo cenvero-str-ctl cluster join --peer 10.0.0.11:7073
license
| Command | Purpose |
|---|
license activate <license-key> | Send this machine's activation request (the key is positional, not a flag) |
license fetch <license-key> | Fetch the signed license once it has been confirmed |
license status | Installed license + this machine's hardware ID |
license renew / license refresh | Re-fetch the signed license for this machine |
license load <file> | Load a signed license XML manually |
config
| Command | Purpose |
|---|
config show | Print the active config (paths, ports, API settings) |
config set | Adjust API settings on a running node (--api-bind, --api-rate-limit, --api-rate-burst) |
config encode | Write a binary .shub config from flags (used by the installer) |
config export | Dump the running config |
config import | Load a previously exported config |
config apply <file> | Compile, sign, and load a config file |
config encode emits a real binary .shub (magic + MessagePack payload +
signature field) directly from flags — --out, --node-id, --license-server,
--api-token (a random one is generated when empty), --api-bind, --node-mode,
--gateway-wan/--gateway-lan, etc. The installer calls it to write
/etc/cenvero-str/config.shub instead of plaintext, and it prints the resulting
api_token. The file it writes is unsigned (a baked-in config-signer enforces
signatures later).
config apply takes a plain, unsigned input file you author (any filename — e.g.
node.yaml); the agent compiles it, signs it, and writes the canonical signed
config.shub to /etc/cenvero-str/. The signed .shub is what the agent loads
on boot — see Configuration.
node
| Command | Purpose |
|---|
node set-mode | Set compute or gateway mode |
node info | Hardware ID, mode, uptime, versions |
Exit codes
| Code | Meaning |
|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Agent unreachable (is cenvero-stratum.service running?) |
| 4 | Operation blocked by license enforcement (see Licensing) |
