From 77253a5d8749e2a2dc02748721515d94f48b570c Mon Sep 17 00:00:00 2001
From: OG T
Date: Sun, 5 Apr 2026 11:11:55 +0800
Subject: [PATCH] =?UTF-8?q?ops(repair-bot):=20=E4=B8=BB=E6=A9=9F=E7=99=BD?=
 =?UTF-8?q?=E5=90=8D=E5=96=AE=E4=BF=AE=E5=BE=A9=E8=85=B3=E6=9C=AC=20(Sprin?=
 =?UTF-8?q?t=203)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

110: sentry/harbor/gitea/gitea-runner/langfuse/alertmanager/signoz
188: openclaw/minio/signoz (docker compose) + redis/nginx/ollama (systemd)
安全設計: SSH command= 限制 + 嚴格白名單 + /var/log/awoooi-repair-bot.log
已部署: 110:/home/wooo/bin/ + 188:/home/ollama/bin/

Co-Authored-By: Claude Sonnet 4.6
---
 scripts/repair-bot/repair-bot-110.sh | 67 ++++++++++++++++++++++
 scripts/repair-bot/repair-bot-188.sh | 85 ++++++++++++++++++++++++++++
 2 files changed, 152 insertions(+)
 create mode 100755 scripts/repair-bot/repair-bot-110.sh
 create mode 100755 scripts/repair-bot/repair-bot-188.sh

diff --git a/scripts/repair-bot/repair-bot-110.sh b/scripts/repair-bot/repair-bot-110.sh
new file mode 100755
index 00000000..eaaa7069
--- /dev/null
+++ b/scripts/repair-bot/repair-bot-110.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# scripts/repair-bot/repair-bot-110.sh
+# 修復機器人白名單腳本 — 110 主機 (DevOps 金庫)
+# 2026-04-05 Claude Code: Sprint 3 Host Auto-Repair
+#
+# 安全設計:
+# - SSH authorized_keys 的 command= 指向此腳本
+# - 只允許執行 COMPOSE_DIRS 中定義的修復指令
+# - 格式: repair:
+# - SSH key 洩漏也只能執行白名單內的 docker compose up -d
+#
+# 部署位置: /home/wooo/bin/repair-bot-110.sh (on 192.168.0.110)
+# 使用者: wooo
+
+LOG="/var/log/awoooi-repair-bot.log"
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }
+
+# 白名單: component → compose dir
+declare -A COMPOSE_DIRS=(
+ ["sentry"]="/opt/sentry"
+ ["harbor"]="/home/wooo/harbor/harbor"
+ ["gitea"]="/home/wooo/gitea"
+ ["gitea-runner"]="/home/wooo/act-runner"
+ ["langfuse"]="/home/wooo/langfuse"
+ ["alertmanager"]="/home/wooo/monitoring"
+ ["signoz"]="/home/wooo/signoz/deploy/docker"
+)
+
+CMD="${SSH_ORIGINAL_COMMAND:-}"
+log "repair-bot-110 invoked: CMD=$CMD"
+
+if [[ "$CMD" =~ ^repair:([a-z0-9_-]+)$ ]]; then
+ COMPONENT="${BASH_REMATCH[1]}"
+ DIR="${COMPOSE_DIRS[$COMPONENT]}"
+
+ if [ -z "$DIR" ]; then
+ log "DENIED: unknown component '$COMPONENT'"
+ echo "REPAIR_DENIED:unknown_component:$COMPONENT"
+ exit 1
+ fi
+
+ if [ ! -d "$DIR" ]; then
+ log "DENIED: directory not found '$DIR'"
+ echo "REPAIR_DENIED:dir_not_found:$DIR"
+ exit 1
+ fi
+
+ log "EXECUTING: cd $DIR && docker compose up -d"
+ cd "$DIR" && docker compose up -d 2>&1 | tail -5
+ EXIT_CODE=$?
+
+ if [ $EXIT_CODE -eq 0 ]; then
+ log "REPAIR_OK: $COMPONENT"
+ echo "REPAIR_OK:$COMPONENT"
+ else
+ log "REPAIR_FAIL: $COMPONENT (exit $EXIT_CODE)"
+ echo "REPAIR_FAIL:$COMPONENT:exit_$EXIT_CODE"
+ exit 1
+ fi
+elif [ "$CMD" = "health" ]; then
+ # 健康檢查 — 允許連線測試
+ echo "REPAIR_BOT_HEALTHY:110"
+else
+ log "DENIED: invalid command '$CMD'"
+ echo "REPAIR_DENIED:invalid_command"
+ exit 1
+fi
diff --git a/scripts/repair-bot/repair-bot-188.sh b/scripts/repair-bot/repair-bot-188.sh
new file mode 100755
index 00000000..ba5822f7
--- /dev/null
+++ b/scripts/repair-bot/repair-bot-188.sh
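Review bot: `EXIT_CODE=$?` after `cd "$DIR" && docker compose up -d 2>&1 | tail -5` records the exit status of `tail`, not of `docker compose`, so a failed repair is logged and reported to the caller as `REPAIR_OK`; repair-bot-188.sh has the same pattern in its compose branch. Adding `set -o pipefail` right after the shebang makes the pipeline carry the compose failure, or read the status from `${PIPESTATUS[0]}` instead of `$?`. The 安全設計 comment block documents only `command=`; since that key is the entire trust boundary, the authorized_keys entry (not shown in this patch) should also carry `restrict` (or `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`), and saying so in the header would keep deployers from omitting it.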
@@ -0,0 +1,85 @@
+#!/bin/bash
+# scripts/repair-bot/repair-bot-188.sh
+# 修復機器人白名單腳本 — 188 主機 (主服務主機)
+# 2026-04-05 Claude Code: Sprint 3 Host Auto-Repair
+#
+# 安全設計:
+# - SSH authorized_keys 的 command= 指向此腳本
+# - Docker Compose 類: docker compose up -d
+# - Systemd 類: sudo systemctl restart
+#
+# 部署位置: /home/ollama/bin/repair-bot-188.sh (on 192.168.0.188)
+# 使用者: ollama
+
+LOG="/var/log/awoooi-repair-bot.log"
+log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG"; }
+
+# 白名單: component → 修復方式
+declare -A COMPOSE_DIRS=(
+ ["openclaw"]="/home/ollama/clawbot-v5"
+ ["minio"]="/home/ollama/minio"
+ ["signoz"]="/home/ollama/signoz/deploy/docker"
+)
+
+declare -A SYSTEMD_SERVICES=(
+ ["redis"]="redis-server"
+ ["nginx"]="nginx"
+ ["ollama"]="ollama"
+)
+
+CMD="${SSH_ORIGINAL_COMMAND:-}"
+log "repair-bot-188 invoked: CMD=$CMD"
+
+if [[ "$CMD" =~ ^repair:([a-z0-9_-]+)$ ]]; then
+ COMPONENT="${BASH_REMATCH[1]}"
+
+ # Docker Compose 類
+ DIR="${COMPOSE_DIRS[$COMPONENT]}"
+ if [ -n "$DIR" ]; then
+ if [ ! -d "$DIR" ]; then
+ log "DENIED: directory not found '$DIR'"
+ echo "REPAIR_DENIED:dir_not_found:$DIR"
+ exit 1
+ fi
+ log "EXECUTING: cd $DIR && docker compose up -d"
+ cd "$DIR" && docker compose up -d 2>&1 | tail -5
+ EXIT_CODE=$?
+ if [ $EXIT_CODE -eq 0 ]; then
+ log "REPAIR_OK: $COMPONENT"
+ echo "REPAIR_OK:$COMPONENT"
+ else
+ log "REPAIR_FAIL: $COMPONENT (exit $EXIT_CODE)"
+ echo "REPAIR_FAIL:$COMPONENT:exit_$EXIT_CODE"
+ exit 1
+ fi
+ exit 0
+ fi
+
+ # Systemd 類
+ SVC="${SYSTEMD_SERVICES[$COMPONENT]}"
+ if [ -n "$SVC" ]; then
+ log "EXECUTING: sudo systemctl restart $SVC"
+ sudo systemctl restart "$SVC" 2>&1
+ EXIT_CODE=$?
+ if [ $EXIT_CODE -eq 0 ]; then
+ log "REPAIR_OK: $COMPONENT"
+ echo "REPAIR_OK:$COMPONENT"
+ else
+ log "REPAIR_FAIL: $COMPONENT (exit $EXIT_CODE)"
+ echo "REPAIR_FAIL:$COMPONENT:exit_$EXIT_CODE"
+ exit 1
+ fi
+ exit 0
+ fi
+
+ log "DENIED: unknown component '$COMPONENT'"
+ echo "REPAIR_DENIED:unknown_component:$COMPONENT"
+ exit 1
+
+elif [ "$CMD" = "health" ]; then
+ echo "REPAIR_BOT_HEALTHY:188"
+else
+ log "DENIED: invalid command '$CMD'"
+ echo "REPAIR_DENIED:invalid_command"
+ exit 1
+fi
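Review bot: `log "repair-bot-188 invoked: CMD=$CMD"` (and the `DENIED: invalid command '$CMD'` line in the else branch) writes the raw, not-yet-validated `SSH_ORIGINAL_COMMAND` into `/var/log/awoooi-repair-bot.log` via `echo`, so whoever holds the key can embed newlines or control characters and split or forge entries in the very file this design relies on for audit; repair-bot-110.sh has the same two lines. Logging the value shell-quoted, `log "repair-bot-188 invoked: CMD=$(printf '%q' "$CMD")"`, keeps one record per invocation and still shows the rejected input verbatim. The `sudo systemctl restart "$SVC"` path depends on a sudoers grant that is not part of this patch; the whitelist here is only as strong as that rule, so it should be limited to `systemctl restart` of exactly the three units in SYSTEMD_SERVICES and referenced from the 安全設計 header.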