fix(recovery): remove 188 deploy sudo secret
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Failing after 3m13s
CD Pipeline / build-and-deploy (push) Has been skipped
CD Pipeline / post-deploy-checks (push) Has been skipped
@@ -3,8 +3,7 @@
|
||||
# 執行方式: bash deploy-to-188.sh
|
||||
|
||||
set -euo pipefail
|
||||
HOST="ollama@192.168.0.188"
|
||||
PASS="0936223270"
|
||||
HOST="${HOST:-ollama@192.168.0.188}"
|
||||
|
||||
echo "=== 部署 awoooi-startup 到 192.168.0.188 ==="
|
||||
|
||||
@@ -18,16 +17,22 @@ scp awoooi-startup.service "$HOST:/tmp/awoooi-startup.service"
|
||||
|
||||
# 3. 安裝
|
||||
echo "[3/4] 安裝..."
|
||||
ssh "$HOST" "
|
||||
echo '$PASS' | sudo -S bash -c '
|
||||
cp /tmp/awoooi-startup.sh /usr/local/bin/awoooi-startup.sh
|
||||
chmod +x /usr/local/bin/awoooi-startup.sh
|
||||
cp /tmp/awoooi-startup.service /etc/systemd/system/awoooi-startup.service
|
||||
systemctl daemon-reload
|
||||
systemctl enable awoooi-startup.service
|
||||
echo done
|
||||
ssh "$HOST" 'set -euo pipefail
|
||||
if sudo -n true >/dev/null 2>&1; then
|
||||
SUDO="sudo -n"
|
||||
elif [ "${AWOOOI_ALLOW_INTERACTIVE_SUDO:-0}" = "1" ] && [ -t 0 ]; then
|
||||
SUDO="sudo"
|
||||
else
|
||||
echo "BLOCKED sudo_password_required_passwordless_sudo_or_tty_required" >&2
|
||||
exit 77
|
||||
fi
|
||||
|
||||
$SUDO install -m 0755 /tmp/awoooi-startup.sh /usr/local/bin/awoooi-startup.sh
|
||||
$SUDO install -m 0644 /tmp/awoooi-startup.service /etc/systemd/system/awoooi-startup.service
|
||||
$SUDO systemctl daemon-reload
|
||||
$SUDO systemctl enable awoooi-startup.service
|
||||
echo done
|
||||
'
|
||||
"
|
||||
|
||||
# 4. 驗證
|
||||
echo "[4/4] 驗證安裝..."
|
||||
|
||||
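Review bot: The `elif` fallback in the second hunk looks unreachable as written: the remote script is single-quoted, so `AWOOOI_ALLOW_INTERACTIVE_SUDO` is read from the remote shell's environment rather than the operator's, and `ssh "$HOST" '…'` without `-t` gives the remote side no terminal, so `[ -t 0 ]` is false there. Make the decision locally and request a TTY only then, for example `SSH_TTY=""; if [ "${AWOOOI_ALLOW_INTERACTIVE_SUDO:-0}" = "1" ] && [ -t 0 ]; then SSH_TTY="-t"; fi` followed by `ssh $SSH_TTY "$HOST" '…'`, with the remote `elif` reduced to `[ -t 0 ]`. The `install` lines still read from fixed names under `/tmp`, which other local accounts on the host can pre-create; staging into a `mktemp -d` directory owned by the deploy user would avoid that. Separately, deleting `PASS=` in the first hunk does not retire the value, which remains in the repository history, so the account's sudo password should be changed on the host.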
@@ -7,6 +7,7 @@ ROOT = Path(__file__).resolve().parents[3]
|
||||
SCRIPT = ROOT / "scripts" / "reboot-recovery" / "188-host-hygiene-maintenance-checklist.sh"
|
||||
STARTUP_188 = ROOT / "scripts" / "reboot-recovery" / "awoooi-startup.sh"
|
||||
STARTUP_188_SERVICE = ROOT / "scripts" / "reboot-recovery" / "awoooi-startup.service"
|
||||
DEPLOY_188 = ROOT / "scripts" / "reboot-recovery" / "deploy-to-188.sh"
|
||||
|
||||
|
||||
def test_188_and_110_default_to_reachable_runtime_identities() -> None:
|
||||
@@ -49,3 +50,13 @@ def test_188_startup_unit_timeout_matches_reboot_slo() -> None:
|
||||
text = STARTUP_188_SERVICE.read_text(encoding="utf-8")
|
||||
|
||||
assert "TimeoutStartSec=600" in text
|
||||
|
||||
|
||||
def test_188_deploy_helper_does_not_embed_sudo_password() -> None:
|
||||
text = DEPLOY_188.read_text(encoding="utf-8")
|
||||
|
||||
assert "sudo -S" not in text
|
||||
assert "PASS=" not in text
|
||||
assert "PASSWORD" not in text
|
||||
assert "sudo -n true" in text
|
||||
assert "BLOCKED sudo_password_required_passwordless_sudo_or_tty_required" in text
|
||||
|
||||
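Review bot: The three negative assertions in `test_188_deploy_helper_does_not_embed_sudo_password` match exact, case-sensitive spellings, so a secret reintroduced as `pass=` or `PASSWD=`, or fed through the long option `sudo --stdin` or through `sshpass -p`, would still pass. A case-insensitive pattern widens the guard without tripping on the `BLOCKED …password…` message, which contains no `=`: `assert not re.search(r"(?i)pass(word|wd)?\s*=", text)` plus `assert "--stdin" not in text` and `assert "sshpass" not in text` (this needs `import re` if the module does not already have it; the import block is outside the hunk). The test also reads only `deploy-to-188.sh`; if other helpers under `scripts/reboot-recovery` call sudo, looping the same assertions over that directory would keep the rule from being bypassed in a sibling script.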