# Configuration
The agent starts from sensible built-in defaults and, on top of those, loads
an optional node configuration file at /etc/cenvero-str/config.shub. If the
file is absent the defaults are used, so a freshly-installed node runs without
any config at all. Point the agent at a different file with --config <path>.
```bash
# Run with the default config (/etc/cenvero-str/config.shub if present)
cenvero-stratum
# Or an explicit path
cenvero-stratum --config /etc/cenvero-str/config.shub
```
config.shub is a compact signed binary format (MessagePack payload +
Ed25519 signature) produced by the provisioning tooling — it isn't hand-edited.
Distributing one signed file lets you roll identical settings across a fleet.
When a config-signer public key is baked into the agent, the signature is
verified on load and a config that doesn't verify against a trusted signer is
rejected. Config signing is opt-in: with no config-signer key baked in, the
agent logs a warning and still boots from the unsigned .shub (so a fresh node
comes up), but for production you bake a config-signer key and sign your configs
so a tampered file can't be loaded.
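The load-time check described above, as an added Go example that is not the agent's own code. It assumes a container layout of MessagePack payload followed by the 64-byte Ed25519 signature (the page does not document the bytes) and takes the baked-in config-signer keys as a parameter, so the opt-in behaviour with no key baked in can be seen alongside the fail-closed path.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"log"
)

// Assumed container layout (the page does not document the .shub bytes; this is
// constructed for the example): the MessagePack payload followed by a 64-byte
// Ed25519 signature over it; an unsigned .shub is the bare payload. The payload
// is treated as opaque bytes, so no MessagePack decoding is needed here.
var (
	ErrTooShort     = errors.New("config.shub: too short to carry a signature")
	ErrBadSignature = errors.New("config.shub: signature does not verify against any trusted config-signer key")
)

// LoadShub returns the payload the agent may boot from. trusted is the set of
// config-signer public keys baked into the agent. With none baked in, signing
// is opt-in: the file is used as-is after a warning, with no check at all.
func LoadShub(file []byte, trusted []ed25519.PublicKey) ([]byte, error) {
	if len(trusted) == 0 {
		log.Printf("warning: no config-signer key baked in; loading config without signature verification")
		return file, nil
	}
	if len(file) <= ed25519.SignatureSize {
		return nil, ErrTooShort
	}
	cut := len(file) - ed25519.SignatureSize
	payload, sig := file[:cut], file[cut:]
	for _, pk := range trusted {
		if ed25519.Verify(pk, payload, sig) {
			return payload, nil
		}
	}
	// Reject: tampered payload, wrong signature, or an untrusted signer all land here.
	return nil, ErrBadSignature
}

// SignShub is the provisioning-side counterpart: payload || Ed25519 signature.
func SignShub(priv ed25519.PrivateKey, payload []byte) []byte {
	out := append([]byte{}, payload...)
	return append(out, ed25519.Sign(priv, payload)...)
}
```

The unsigned-file-with-key-baked-in case is rejected too, which is the production posture the page recommends.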
## What the config controls
The config file (and the matching defaults) sets the **agent's own runtime settings**:
| Area | Settings |
|---|---|
| Identity / cluster | node_id, cluster_enabled, cluster_bind_addr, cluster_bootstrap, cluster_cert_dir, gateway_shared_key |
| API | api_bind_address, api_rate_limit, api_rate_burst, api_allowed_ips, api_token, api_allowed_origins |
| TLS | tls_auto_generate, tls_cert_path, tls_key_path, tls_pubkey_path, grpc_client_ca_dir |
| Licensing | license_server (base URL; empty falls back to the built-in default) |
| Paths / logging | data_dir, config_dir, socket_path, log_level, ports |
A few of these can be adjusted on a running node from the CLI:
```bash
cenvero-str-ctl config set --api-bind 10.0.0.5 --api-rate-limit 2000 --api-rate-burst 200
```
And two are overridable at launch via flags: --bind <addr> (API bind address)
and --log-level <debug|info|warn|error>.
## What is not in this file
Operational resources — **networks, endpoints, IP pools, firewall rules, load
balancers, DNS/DHCP zones — are not** part of config.shub. They are managed
at runtime through the agent's API and cenvero-str-ctl (and replicated across a
cluster), not baked into the static node config. Use the relevant
CLI command group for each.
## Ports
The agent listens on a fixed set of ports. Open these between cluster members on the management network only:
| Port | Protocol | Purpose |
|---|---|---|
| 7070 | HTTPS (REST) | Management API |
| 7071 | gRPC | Node-to-node control |
| 7072 | WebSocket | Live events / streaming |
| 7073 | TCP | Raft consensus |
| 7074 | UDP | Gateway HA heartbeat |
## A note on time
Stratum works in UTC everywhere and cross-checks the host clock against NTP.
Large time drift is treated as a tamper signal for licensing, so keep chronyd
or systemd-timesyncd running on every node.
## Next steps
- CLI Reference — the full command surface.
- Clustering Overview — joining nodes into a cluster.
- Licensing — how enforcement interacts with the agent.