fix(recovery): bind host112 closure artifacts
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 2m35s
CD Pipeline / build-and-deploy (push) Failing after 7m35s
CD Pipeline / post-deploy-checks (push) Has been skipped
AWOOOI Harbor 110 Local Repair / workflow-shape (push) Successful in 1s
AWOOOI Harbor 110 Local Repair / harbor-110-local-repair (push) Successful in 16s
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 2m35s
CD Pipeline / build-and-deploy (push) Failing after 7m35s
CD Pipeline / post-deploy-checks (push) Has been skipped
AWOOOI Harbor 110 Local Repair / workflow-shape (push) Successful in 1s
AWOOOI Harbor 110 Local Repair / harbor-110-local-repair (push) Successful in 16s
This commit is contained in:
@@ -26,11 +26,14 @@ A manager recovery is verified only when all of the following are true for the
|
||||
same apply:
|
||||
|
||||
1. The direct apply transport completed and the executor returned healthy.
|
||||
2. The apply emitted a new immutable receipt with the matching identity and
|
||||
boot, `terminal=verified_healthy`, independent manager verifier ready,
|
||||
`manager_runtime_write_performed=1`, and `manager_attempt_count=1`.
|
||||
3. A second correlated `sudo --dry-run` reloads the durable receipt and returns
|
||||
the exact same receipt path, SHA-256, identity, boot, and terminal.
|
||||
2. The complete guest verifier (console, SSH, recovery timer, Wazuh services,
|
||||
manager process and ports) passes before the apply emits
|
||||
`terminal=verified_healthy`. A manager-only success cannot freeze a green
|
||||
receipt while the rest of the guest is degraded.
|
||||
3. The apply emits a new immutable receipt and immutable readback with matching
|
||||
identity, boot, terminal, receipt path, receipt SHA-256, and readback
|
||||
SHA-256. A second correlated `sudo --dry-run` reloads and verifies that exact
|
||||
receipt/readback pair; it does not manufacture a current-state substitute.
|
||||
4. A final ordinary `--check` independently verifies current guest and manager
|
||||
runtime health on the same boot.
|
||||
|
||||
@@ -38,6 +41,23 @@ The last check is evidence only. A timer or external process that makes the
|
||||
manager healthy after a failed apply cannot replace the apply transport or its
|
||||
immutable receipt and therefore cannot turn that run green.
|
||||
|
||||
All mutating `systemctl` calls are conservatively classified as a write attempt
|
||||
before execution. A timeout or non-zero return therefore still produces a
|
||||
failure receipt instead of entering the no-write path. TERM/INT/HUP handling
|
||||
remains active through the complete verifier; the final receipt/readback pair is
|
||||
committed in one short signal-masked section.
|
||||
|
||||
## Timer artifact bound
|
||||
|
||||
The 60-second systemd timer does not create per-invocation immutable files when
|
||||
it observes no runtime mutation. Repeated no-write observations update one
|
||||
atomic `timer-observation.latest` aggregate with a state fingerprint and repeat
|
||||
count. Timer runs that attempt a runtime mutation use a 128-slot rolling ledger
|
||||
containing at most 128 receipt files and 128 linked readback files. Each slot
|
||||
records the exact run identity, receipt hash, terminal and explicit rolling
|
||||
retention policy. Agent99-triggered correlated applies remain immutable and are
|
||||
not part of this rolling timer ledger.
|
||||
|
||||
## Timeout chain
|
||||
|
||||
- Host executor absolute deadline: 420 seconds.
|
||||
|
||||
Reference in New Issue
Block a user