147 lines
10 KiB
Markdown
147 lines
10 KiB
Markdown
# IwoooS Docker / systemd / 主機服務變更證據驗收
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-15 |
|
||
| 狀態 | `change_evidence_acceptance_ready_no_runtime_action` |
|
||
| 工具 | `scripts/security/host-service-change-evidence-acceptance.py` |
|
||
| 輸入 | `docs/security/host-service-owner-response-acceptance.snapshot.json` |
|
||
| Snapshot | `docs/security/host-service-change-evidence-acceptance.snapshot.json` |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
Docker / systemd / host service 事故不能只看「服務又起來了」。主機重啟、Docker daemon starting、compose stack 退出、systemd failed unit、repair-bot / runner 競爭、cold-start recovery 或 port binding 漂移,都可能讓公開 route 短暫恢復但根因仍未驗收。
|
||
|
||
本文件只定義變更 / 事故證據如何收件、補證、隔離、拒收與進 reviewer review。它不是 live host read、不是 SSH、不是 Docker / systemd 操作、不是 repair-bot、不是 Ansible、不是 route smoke,也不是 production write 或 runtime gate 授權。
|
||
|
||
## 2. 摘要
|
||
|
||
| 指標 | 值 | 說明 |
|
||
|------|----|------|
|
||
| change evidence candidate count | `9` | 對應 9 個 host service surface |
|
||
| write-capable candidate count | `3` | Ansible role、110 repair-bot、188 repair-bot |
|
||
| live evidence required candidate count | `8` | local dev compose 之外都需 owner-provided live metadata |
|
||
| change evidence field count | `45` | 每份 candidate 的 metadata-only 欄位 |
|
||
| required evidence field count | `25` | actor、before / after、daemon、compose、systemd、port、dependency、route、post-check 等 |
|
||
| reviewer check count | `26` | actor、service state、daemon、compose、systemd、dependency、route recovery、no-false-green 等 |
|
||
| outcome lane count | `10` | waiting、quarantine、reject、supplement、incident backfill、no-false-green supplement、review、maintenance、runtime gate |
|
||
| blocked action count | `39` | SSH、Docker、systemctl、repair-bot、Ansible、route smoke、raw log storage、runtime gate 等 |
|
||
| change evidence received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
|
||
| runtime gate / action button | `0 / 0` | 未開啟 |
|
||
|
||
## 3. 驗收候選
|
||
|
||
| Candidate | Host scope | 類型 | 變更證據焦點 |
|
||
|-----------|------------|------|--------------|
|
||
| `host_service_change_evidence:local_dev_compose` | `local_dev_only` | Docker Compose | dev-only disposition、不得誤用 production、secret placeholder policy |
|
||
| `host_service_change_evidence:monitoring_110_compose` | `host_110` | Docker Compose | Docker daemon、compose stack、route recovery、Alertmanager / Prometheus 影響 |
|
||
| `host_service_change_evidence:monitoring_exporters_188_compose` | `host_188` | Docker Compose | exporter state、DB / Redis dependency、compose recovery 與 post-check |
|
||
| `host_service_change_evidence:sentry_110_reference_compose` | `host_110` | reference compose | source-of-truth、official revision、backup / rollback path |
|
||
| `host_service_change_evidence:langfuse_110_compose` | `host_110` | Docker Compose | compose state、secret placeholder disposition、route recovery |
|
||
| `host_service_change_evidence:ansible_docker_compose_service_role` | `multi_host` | Ansible executor role | check-mode、allowed service_dir、人工 gate、rollback owner |
|
||
| `host_service_change_evidence:repair_bot_110_whitelist` | `host_110` | repair whitelist | actor、disable switch、audit log ref、post-check、runner contention |
|
||
| `host_service_change_evidence:repair_bot_188_whitelist` | `host_188` | repair whitelist | systemd restart approval gate、sudoers boundary、route smoke plan |
|
||
| `host_service_change_evidence:config_backup_host_capture` | `host_cluster` | config backup capture | latest backup status、restore drill owner、secret handling proof |
|
||
|
||
> 上表使用 host alias,不把內網位址放進前台產品文案。Snapshot 內若保留既有 repo-only scope,仍不得把它當成可公開文案或 live host 授權。
|
||
|
||
## 4. 必填證據欄位
|
||
|
||
| 欄位 | 規則 |
|
||
|------|------|
|
||
| `change_or_incident_ref` | 可追溯 change / incident / ticket ref |
|
||
| `actor_role_or_team` | 只填角色或團隊,不填私人聯絡資料或 credential |
|
||
| `decision` / `decision_reason` | 說明 confirm、defer、reject 或 request_more_evidence 的理由 |
|
||
| `affected_scope` | 明確列出 host alias、service scope、route / agent / monitoring 影響 |
|
||
| `boot_or_restart_window_ref` | boot、restart、kill、cold-start 或 recovery 時間 ref |
|
||
| `before_service_state_ref` / `after_service_state_ref` | 變更前後服務狀態 ref,不能只寫「已恢復」 |
|
||
| `docker_daemon_state_ref` | Docker daemon active / starting / failed / socket / contention metadata ref |
|
||
| `compose_stack_state_ref` | compose stack / container state 摘要 ref,不保存 raw `docker ps` dump |
|
||
| `systemd_unit_state_ref` | systemd unit、failed unit 或 degraded state 摘要 ref |
|
||
| `failed_unit_review_ref` | failed unit 是否與事故或恢復相關的 review ref |
|
||
| `port_binding_state_ref` | host port、container port、proxy、gateway / firewall exposure 摘要 ref |
|
||
| `dependency_impact_ref` | 上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref |
|
||
| `cold_start_sequence_ref` | Docker daemon、compose stack、systemd unit、runner 與 post-check 順序 ref |
|
||
| `runner_or_repair_bot_contention_ref` | runner、repair-bot、backup job、iptables / xtables 或 compose action 競爭 ref |
|
||
| `public_route_recovery_refs` / `admin_route_recovery_refs` | route 恢復 ref;無影響需說明不適用 |
|
||
| `agent_provider_health_refs` | AI provider、agent、webhook 或 proxy 健康 ref |
|
||
| `monitoring_alert_refs` | alert / incident / monitoring ref,避免人工觀察 false green |
|
||
| `operator_notification_refs` / `cross_project_sync_ref` | 跨產品 / Session / owner 同步 ref |
|
||
| `restoration_time_ref` | 已恢復事故的恢復時間;未恢復則提供 still-degraded ref |
|
||
| `rollback_owner` / `rollback_plan_ref` | 回復責任與 plan |
|
||
| `postcheck_evidence_refs` | service、route、agent、queue、monitoring 與 rollback stop condition |
|
||
|
||
## 5. Reviewer checks
|
||
|
||
| Check | 說明 |
|
||
|-------|------|
|
||
| `change_ref_present` | 必須有可追溯 change / incident ref |
|
||
| `actor_role_traceable` | 不接受匿名 restart、kill、compose action 或 daemon 操作 |
|
||
| `decision_reason_present` | decision 與 reason 必須同時存在 |
|
||
| `affected_scope_matches_surface` | affected scope 必須能對回 host service surface |
|
||
| `boot_or_restart_window_present` | 重啟、cold-start 或恢復需有時間 ref |
|
||
| `before_after_service_state_present` | 需有 before / after service state ref |
|
||
| `docker_daemon_state_present` | Docker daemon state 必須有脫敏 metadata ref |
|
||
| `compose_stack_state_present` | compose / container state 不保存 raw dump |
|
||
| `systemd_unit_state_present` | systemd unit / failed unit / degraded state 必須可追溯 |
|
||
| `failed_unit_review_present` | failed unit 是否相關必須 review |
|
||
| `port_binding_state_present` | port / proxy / gateway / firewall exposure 必須一致性 review |
|
||
| `dependency_impact_present` | 必須列上游、下游、queue、registry、AI provider、public route 與 monitoring 影響 |
|
||
| `cold_start_sequence_present` | 必須提供 cold-start / recovery sequence ref |
|
||
| `runner_repair_bot_contention_present` | 必須確認 runner、repair-bot、backup job 或 xtables 競爭 |
|
||
| `route_recovery_evidence_present` | route 受影響時需有恢復 ref |
|
||
| `agent_provider_health_present` | AI provider、agent 或 webhook 受影響時需有健康 ref |
|
||
| `monitoring_alert_ref_present` | 需列 monitoring / alert / incident ref |
|
||
| `operator_notification_present` | 需提供已通知受影響 owner / Session 的脫敏 ref |
|
||
| `cross_project_sync_present` | 跨專案影響需有同步 ref |
|
||
| `restoration_time_present` | 已恢復事故需提供恢復時間或 still-degraded ref |
|
||
| `rollback_owner_present` | rollback owner 與 rollback plan 必須存在 |
|
||
| `postcheck_evidence_present` | post-check 必須覆蓋 service、route、agent、queue、monitoring 與 stop condition |
|
||
| `secret_or_raw_payload_absent` | 不得包含 secret、env dump、raw docker logs、raw journal、private key 或 cookie |
|
||
| `no_false_green_service_health` | 不得把 healthy、route 200、container up 或 dashboard up 當成驗收完成 |
|
||
| `no_runtime_authorization` | 證據驗收不授權 SSH、Docker、systemctl、repair-bot、Ansible 或 host write |
|
||
| `counts_transition_safe` | 只有 reviewer record 可更新 accepted count,且不得開 runtime gate |
|
||
|
||
## 6. 禁止事項
|
||
|
||
1. 不 SSH read / write。
|
||
2. 不讀 live host、live Docker、live systemd 或 live journal。
|
||
3. 不執行 `docker compose up/down/pull`、`docker restart`、`docker kill`。
|
||
4. 不執行 `systemctl restart/reload/kill`。
|
||
5. 不呼叫 repair-bot,不跑 Ansible apply。
|
||
6. 不做 sudo action、host file write、firewall / port change 或 route smoke。
|
||
7. 不保存 raw live config、raw docker log、raw journal、raw env dump、secret value 或 private key。
|
||
8. 不把服務 healthy、route `200`、container up 或 dashboard up 當成 recovery / config 已驗收。
|
||
9. 不跳過 source-of-truth、依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。
|
||
10. 不開 runtime gate,不建立 action button。
|
||
|
||
## 7. 指令
|
||
|
||
產生 committed snapshot:
|
||
|
||
```bash
|
||
python3 scripts/security/host-service-change-evidence-acceptance.py \
|
||
--root . \
|
||
--owner-response-report docs/security/host-service-owner-response-acceptance.snapshot.json \
|
||
--output docs/security/host-service-change-evidence-acceptance.snapshot.json \
|
||
--generated-at 2026-06-15T18:50:00+08:00
|
||
```
|
||
|
||
驗證 guard:
|
||
|
||
```bash
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
```
|
||
|
||
## 8. 完成度
|
||
|
||
| 工作 | 完成度 | 說明 |
|
||
|------|--------|------|
|
||
| host service change evidence acceptance artifact | `100%` | 產生器、snapshot 與文件已固定 |
|
||
| Docker / systemd / host service 只讀治理成熟度 | `58% -> 62%` | 事故 / 變更證據、重啟 actor、before / after、daemon、compose、systemd、port、dependency、route recovery、operator notice 與 no-false-green 已納入 |
|
||
| change evidence received / accepted | `0%` | 尚未收到,尚未驗收 |
|
||
| live host read / SSH | `0%` | 尚未批准且未執行 |
|
||
| Docker / systemd / repair-bot / Ansible | `0%` | 尚未批准且未執行 |
|
||
| runtime gate / host write | `0%` | 未授權且未執行 |
|