11 KiB
11 KiB
IwoooS Docker / systemd / 主機服務 Owner Response Acceptance
| 項目 | 內容 |
|---|---|
| 日期 | 2026-06-14 |
| 狀態 | owner_response_acceptance_ledger_ready_no_runtime_action |
| 工具 | scripts/security/host-service-owner-response-acceptance.py |
| 輸入 | docs/security/host-service-config-inventory.snapshot.json、docs/security/host-service-owner-request-draft.snapshot.json |
| Snapshot | docs/security/host-service-owner-response-acceptance.snapshot.json |
| runtime gate | 0 |
1. 目的
Docker / systemd / host service config 會直接影響 110 / 188 的 Compose stack、repair-bot、Ansible service role、host config backup 與服務 restart 邊界。既有 repo-only 清冊與 owner request draft 已完成,但若缺少 owner response acceptance 帳本,後續容易把未驗收回覆誤判成 live host read、docker compose、systemctl、repair-bot、Ansible、sudo 或 host write 授權。
本文件只定義 owner response 如何收件、補證、隔離、拒收與進 reviewer review。它不是 request sent、不是 owner response received、不是 accepted response、不是 live host read、不是 Docker / systemd 操作,也不是 repair-bot、Ansible、SSH、host write、production write 或 runtime gate 授權。
2. 摘要
| 指標 | 值 | 說明 |
|---|---|---|
| acceptance candidate count | 9 |
9 個 host service surface |
| write-capable candidate count | 3 |
Ansible role、110 repair-bot、188 repair-bot |
| live evidence required candidate count | 8 |
local dev compose 之外都需 owner-provided live hash / disposition |
| acceptance field count | 34 |
每份 candidate 的 metadata-only 欄位 |
| required owner field count | 18 |
owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch / source-of-truth / 依賴 / port / cold-start / incident / contention |
| reviewer check count | 21 |
owner、scope、redaction、secret、live hash、restart window、rollback、post-check、事故回補、runtime request 檢查 |
| outcome lane count | 8 |
waiting、quarantine、reject、supplement、incident backfill、host service review、read-only update、waiting runtime gate |
| blocked action count | 27 |
SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、silent restart、active scan 等 |
| owner response received / accepted | 0 / 0 |
尚未收到,尚未驗收 |
| live host read / Docker / systemctl / repair-bot / Ansible | 0 / 0 / 0 / 0 / 0 |
尚未批准且未執行 |
| runtime gate / action button | 0 / 0 |
未開啟 |
3. 九份驗收候選
| Acceptance candidate | Host scope | 類型 | 驗收焦點 |
|---|---|---|---|
host_service_owner_response_acceptance:local_dev_compose |
local_dev_only |
Docker Compose | dev-only disposition、不得誤用 production、secret placeholder policy |
host_service_owner_response_acceptance:monitoring_110_compose |
192.168.0.110 |
Docker Compose | live hash ref、restart window、rollback owner、post-check 指標 |
host_service_owner_response_acceptance:monitoring_exporters_188_compose |
192.168.0.188 |
Docker Compose | exporter env source、live hash ref、rollback owner |
host_service_owner_response_acceptance:sentry_110_reference_compose |
192.168.0.110 |
reference compose | actual source-of-truth、official revision、backup path、rollback owner |
host_service_owner_response_acceptance:langfuse_110_compose |
192.168.0.110 |
Docker Compose | live hash ref、secret placeholder disposition、restart window、rollback owner |
host_service_owner_response_acceptance:ansible_docker_compose_service_role |
multi_host |
Ansible executor role | allowed service_dir、check-mode、人工 gate、rollback owner |
host_service_owner_response_acceptance:repair_bot_110_whitelist |
192.168.0.110 |
repair whitelist | authorized_keys binding、disable switch、audit log、post-check |
host_service_owner_response_acceptance:repair_bot_188_whitelist |
192.168.0.188 |
repair whitelist | systemd restart approval gate、sudoers boundary、disable switch、route smoke |
host_service_owner_response_acceptance:config_backup_host_capture |
110_188_120_121_cluster |
config backup capture | latest backup status、restore drill owner、secret handling proof |
4. Owner response 必填欄位
| 欄位 | 規則 |
|---|---|
owner_role_or_team |
只填角色或團隊,不填私人聯絡資料或 credential |
decision |
允許 confirm、defer、reject、request_more_evidence |
decision_reason |
摘要說明,不貼 raw compose、env dump、systemd unit、secret 或 log payload |
affected_scope |
明確列出 host scope、service scope、repo source、runtime 影響範圍 |
redacted_evidence_refs |
只接受脫敏 ref、ticket id、文件路徑、hash 或摘要 |
live_config_hash_ref |
只能是 owner-provided metadata ref,不得貼 raw live config |
maintenance_window |
未來 live read、restart、repair-bot 或 Ansible 動作的窗口;本 response 不開執行權 |
restart_window |
restart / reload window 必須與 action 分離,不得自動執行 |
rollback_owner |
未來若進變更的 rollback owner |
post_check_plan |
服務健康、route、queue、log、error budget 與 rollback 停止條件 |
disable_switch |
repair-bot、Ansible role 或 service config 的停用方式 / freeze rule |
config_source_of_truth_ref |
repo source、live source、runner source 與 backup source 的脫敏真相來源 ref |
service_dependency_map_ref |
上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref |
port_binding_inventory_ref |
host port、container port、proxy 與 firewall exposure inventory ref |
cold_start_sequence_ref |
Docker daemon、compose stack、systemd unit、runner 與 post-check 的冷啟動 / recovery 順序 ref |
incident_recovery_evidence_ref |
服務異常、重啟或端口事故的恢復時間、服務健康、route health 與 operator notice ref |
daemon_runner_contention_ref |
Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 的競爭風險 ref |
followup_owner |
後續補證、reviewer 或 runtime gate 負責角色 |
5. Reviewer checks
| Check | 說明 |
|---|---|
owner_identity_present |
owner role / team 必須可追溯 |
decision_reason_present |
decision 與 reason 必須同時存在 |
affected_scope_matches_surface |
affected scope 必須能對回 committed surface_id |
redacted_refs_only |
evidence 只能是脫敏 ref、ticket、hash、文件路徑或摘要 |
secret_value_absent |
不得出現 token、password、cookie、private key、env dump 或 partial secret |
live_config_hash_metadata_only |
live config hash 只能是 metadata ref,不得貼 raw live config |
maintenance_window_present |
未來 host read、restart、repair-bot 或 Ansible 動作需獨立維護窗口 |
restart_window_separate_from_action |
restart window 與 docker / systemctl action 必須分離 |
rollback_owner_present |
rollback owner、rollback ref 或 disable path 必須存在 |
post_check_plan_present |
post-check 必須列服務健康、route、queue、log 與 rollback 停止條件 |
disable_switch_present |
repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule |
config_source_of_truth_present |
必須提供 repo / live / runner / backup source-of-truth ref |
service_dependency_map_present |
必須提供服務依賴圖 ref |
port_binding_inventory_present |
必須提供 host / container / proxy / firewall port binding inventory ref |
cold_start_sequence_present |
必須提供 cold-start / recovery sequence ref |
incident_recovery_evidence_present |
涉及服務異常、重啟或端口事故時必須提供恢復與健康證據 ref |
daemon_runner_contention_reviewed |
必須說明 Docker daemon、iptables、runner、repair-bot、backup job 或 compose action 是否競爭 |
silent_restart_not_accepted |
沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的 restart / reload 不可接受 |
write_capable_requires_extra_review |
write-capable surface 必須進額外 reviewer review |
no_runtime_request |
夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 |
counts_transition_safe |
只有 reviewer record 可更新 received / accepted / rejected,且不得開 runtime gate |
6. Outcome lanes
| Lane | 意義 |
|---|---|
waiting_owner_response |
尚未收到 owner response |
quarantine_secret_or_raw_payload |
收到 secret、env dump、raw compose、raw systemd unit 或未脫敏 host config 時隔離 |
reject_execution_request |
夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 |
request_supplement |
欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件 |
incident_recovery_backfill_required |
涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補 |
ready_for_host_service_review |
metadata 合格後,只能進 host service reviewer review |
owner_review_only_update |
只允許更新只讀 owner review ledger |
waiting_runtime_gate |
即使 owner response accepted,runtime gate 仍等待獨立人工批准 |
7. 禁止事項
- 不 SSH read / write。
- 不執行
docker compose up/down/pull。 - 不執行
systemctl restart/reload。 - 不呼叫 repair-bot。
- 不跑 Ansible apply。
- 不做 sudo action、host file write 或 firewall change。
- 不保存 raw live config、env dump、secret value、未脫敏 log 或 shell history。
- 不把 restart window、maintenance window 或 owner response 當成 runtime approval。
- 不開 runtime gate,不建立 action button。
- 不接受靜默 restart / reload。
- 不把服務目前 healthy 當成 config 已驗收。
- 不跳過 source-of-truth、服務依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。
8. 指令
產生 committed snapshot:
python3 scripts/security/host-service-owner-response-acceptance.py \
--root . \
--inventory-report docs/security/host-service-config-inventory.snapshot.json \
--owner-request-report docs/security/host-service-owner-request-draft.snapshot.json \
--output docs/security/host-service-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-15T14:45:00+08:00
驗證 guard:
python3 scripts/security/security-mirror-progress-guard.py --root .
9. 完成度
| 工作 | 完成度 | 說明 |
|---|---|---|
| owner response acceptance ledger artifact | 100% |
產生器、snapshot 與文件已固定 |
| Docker / systemd / host service 只讀治理成熟度 | 54% -> 58% |
事故恢復、依賴圖、port binding、cold-start、source-of-truth 與 daemon / runner 競爭回補已納入;不代表 live evidence 或 runtime action |
| owner response received / accepted | 0% |
尚未收到,尚未驗收 |
| live config hash accepted | 0% |
尚未收到 owner-provided metadata ref |
| live host read / SSH | 0% |
尚未批准且未執行 |
| Docker / systemd / repair-bot / Ansible | 0% |
尚未批准且未執行 |
| runtime gate / host write | 0% |
未授權且未執行 |