V10.420 guard 111 Ollama LAN access
This commit is contained in:
@@ -325,7 +325,7 @@ YOUTUBE_API_KEY = os.getenv('YOUTUBE_API_KEY', '')
|
||||
# ==========================================
|
||||
# 系統版本與路徑
|
||||
# ==========================================
|
||||
SYSTEM_VERSION = "V10.419"
|
||||
SYSTEM_VERSION = "V10.420"
|
||||
LOG_FILE_PATH = os.path.join(BASE_DIR, 'logs/system.log')
|
||||
public_url = PUBLIC_URL # 用於模板顯示
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
> **最後更新**: 2026-05-24 (台北時間)
|
||||
> **狀態**: 🟢 四 AI Agent 自動化閉環已落地;LLM 路由紅線升級為 Ollama-first 三主機級聯,Gemini 備援預設關閉
|
||||
> **適用版本**: V10.419
|
||||
> **適用版本**: V10.420
|
||||
|
||||
---
|
||||
|
||||
@@ -31,6 +31,7 @@
|
||||
- Gemini 不可被任何狀態面板或 router 推薦為主提供者:`AIProviderService._get_recommended_provider()` 不得回傳 `gemini`,只能顯示為 fallback 狀態;`llm_model_router` 的 `ea_engine` 若收到 `gemini-*` default 必須改回 `hermes3:latest`,需要深推理時才升本地 `deepseek-r1:14b`。
|
||||
- ElephantAlpha prompt / agent registry 不得再把 OpenClaw 描述為 Gemini 主模型;OpenClaw 是 `qwen2.5-coder:7b` / `qwen3:14b` Ollama-first 策略師,Gemini 僅能在 guard 顯式解鎖後作 emergency fallback。
|
||||
- 111 `192.168.0.111` 只是最後一道 Mac fallback,不承接 7B+、vision、long-context 模型長駐;`OllamaService.generate()` 落到 111 時會將 `qwen3`、`deepseek-r1`、`hermes3`、`qwen2.5*`、`gemma3`、`llava`、`minicpm-v` 與 7B+ 模型依 `OLLAMA_111_MODEL_DOWNGRADE_PATTERNS` 降級到 `OLLAMA_111_MODEL_FALLBACK=llama3.2:latest`,並以 `OLLAMA_111_KEEP_ALIVE=5m`、`OLLAMA_111_MAX_TIMEOUT=20`、`OLLAMA_111_NUM_CTX=4096`、`OLLAMA_111_NUM_PREDICT=512` 封頂。OpenClaw 報告型路徑的業務 keep-alive 預設 `5m`;Code Review 以 `CODE_REVIEW_ALLOW_111_FALLBACK=false`、Hermes 以 `HERMES_ALLOW_111_FALLBACK=false` 預設跳過 111,避免 16GB RAM 主機與 GCP-B 被長駐 runner、長輸出與 24h keep-alive 壓到高 load。
|
||||
- 111 的 LAN 入口必須經 `scripts/ops/ollama111_allow_proxy.py` allowlist proxy:真實 Ollama 綁 `127.0.0.1:11434`,proxy 綁 `192.168.0.111:11434`,預設只允許 111 本機與 188 生產宿主;110 / 121 / 其他 LAN client 不能直接打 111,避免跨專案 CI 或 VM 繞過 momo-pro router 載入 7B+ runner。
|
||||
- ElephantAlpha 的 `price_drop_alert` / `market_opportunity` Telegram HITL 告警必須把同款證據獨立呈現,至少包含 `match_type`、`price_basis`、`alert_tier` 與 `match_score`;沒有高信心同款與總價可比證據時,不得把 PChome/MOMO 價差寫成可直接跟價建議。
|
||||
|
||||
## 一、四 AI Agent 路由架構
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
## 📅 詳細更新日誌 (考古存檔)
|
||||
|
||||
### 2026-05-24:PChome 近門檻身份回收第二輪
|
||||
- **V10.420 111 Ollama LAN allowlist proxy**: 追查 111 高負載時確認來源不是 momo-pro,而是 110 上 `awoooi-cd` 臨時測試與 121 VMware VM 直接打 `192.168.0.111:11434`,繞過 `ai_calls` 與 momo-pro router 載入 7B runner。新增 `scripts/ops/ollama111_allow_proxy.py`,將真實 Ollama 收斂到 `127.0.0.1:11434`,由 user-space proxy 綁 `192.168.0.111:11434` 並預設只允許 111 本機與 188 生產宿主;110 / 121 會被 reset,111 fallback 保留給 momo production。
|
||||
- **V10.419 Dr.Hsieh LabSmart 精華品線防錯配**: marketplace matcher 追加 `dr_hsieh_labsmart_line_conflict`,只針對 Dr.Hsieh/達特醫的 `LabSmart Hi-Tech` / `LabSmart Classic` 精華被拿去對 `神經醯胺多重修復保濕精華液` 的近門檻錯配做 hard veto;同品牌同容量但不同產品線不再因規格相同停在 `true_low_confidence` 或被誤推進比價。
|
||||
- **V10.419 production pilot**: 正式回刷 SKU `10413050` / `10413051`,兩筆 Dr.Hsieh LabSmart 精華 vs 神經醯胺多重修復精華皆由 `true_low_confidence` 轉為 `identity_veto`,`diagnostic_codes=["dr_hsieh_labsmart_line_conflict"]`;`matched` 維持 1619、`true_low_confidence` 753→751、`identity_veto` 4011→4013,無正式 `competitor_prices` 覆寫。
|
||||
- **V10.418 bge-m3 一致性檢查不打 111**: `verify_embedding_consistency()` 預設只比對 GCP-A / GCP-B,不再每週把 111 Mac 納入 bge-m3 背景驗證;新增 `EMBED_CONSISTENCY_INCLUDE_111=false` 預設,只有救急需要驗證 fallback 模型時才 opt-in。這補上 V10.417 後仍會由監測任務載入 111/GCP-B embedding runner 的缺口。
|
||||
|
||||
119
scripts/ops/ollama111_allow_proxy.py
Normal file
119
scripts/ops/ollama111_allow_proxy.py
Normal file
@@ -0,0 +1,119 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
User-space allowlist TCP proxy for the 111 Ollama fallback.
|
||||
|
||||
Purpose:
|
||||
- Keep the real Ollama server bound to 127.0.0.1:11434.
|
||||
- Expose 192.168.0.111:11434 only to approved momo-pro clients.
|
||||
- Reject noisy LAN / VM clients without requiring sudo/pfctl.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import asyncio
|
||||
import ipaddress
|
||||
import logging
|
||||
import os
|
||||
import signal
|
||||
from typing import Iterable
|
||||
|
||||
|
||||
LISTEN_HOST = os.getenv("OLLAMA111_PROXY_LISTEN_HOST", "192.168.0.111")
|
||||
LISTEN_PORT = int(os.getenv("OLLAMA111_PROXY_LISTEN_PORT", "11434"))
|
||||
TARGET_HOST = os.getenv("OLLAMA111_PROXY_TARGET_HOST", "127.0.0.1")
|
||||
TARGET_PORT = int(os.getenv("OLLAMA111_PROXY_TARGET_PORT", "11434"))
|
||||
ALLOWED_CIDRS = tuple(
|
||||
item.strip()
|
||||
for item in os.getenv(
|
||||
"OLLAMA111_PROXY_ALLOWED_CIDRS",
|
||||
"127.0.0.1/32,192.168.0.80/32,192.168.0.111/32,192.168.0.188/32",
|
||||
).split(",")
|
||||
if item.strip()
|
||||
)
|
||||
|
||||
|
||||
def _allowed_networks() -> tuple[ipaddress._BaseNetwork, ...]:
|
||||
return tuple(ipaddress.ip_network(item, strict=False) for item in ALLOWED_CIDRS)
|
||||
|
||||
|
||||
ALLOWED_NETWORKS = _allowed_networks()
|
||||
|
||||
|
||||
def _is_allowed(peer_ip: str) -> bool:
|
||||
try:
|
||||
ip = ipaddress.ip_address(peer_ip)
|
||||
except ValueError:
|
||||
return False
|
||||
return any(ip in network for network in ALLOWED_NETWORKS)
|
||||
|
||||
|
||||
async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
|
||||
try:
|
||||
while True:
|
||||
data = await reader.read(65536)
|
||||
if not data:
|
||||
break
|
||||
writer.write(data)
|
||||
await writer.drain()
|
||||
except (ConnectionError, asyncio.CancelledError):
|
||||
pass
|
||||
finally:
|
||||
try:
|
||||
writer.close()
|
||||
await writer.wait_closed()
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
|
||||
async def _handle_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
|
||||
peer = writer.get_extra_info("peername")
|
||||
peer_ip = peer[0] if peer else "unknown"
|
||||
if not _is_allowed(peer_ip):
|
||||
logging.warning("reject peer=%s allowed=%s", peer_ip, ",".join(ALLOWED_CIDRS))
|
||||
writer.close()
|
||||
await writer.wait_closed()
|
||||
return
|
||||
|
||||
try:
|
||||
target_reader, target_writer = await asyncio.open_connection(TARGET_HOST, TARGET_PORT)
|
||||
except Exception as exc:
|
||||
logging.error("target connect failed peer=%s target=%s:%s err=%r", peer_ip, TARGET_HOST, TARGET_PORT, exc)
|
||||
writer.close()
|
||||
await writer.wait_closed()
|
||||
return
|
||||
|
||||
logging.info("proxy peer=%s -> %s:%s", peer_ip, TARGET_HOST, TARGET_PORT)
|
||||
await asyncio.gather(
|
||||
_pipe(reader, target_writer),
|
||||
_pipe(target_reader, writer),
|
||||
)
|
||||
|
||||
|
||||
async def _main() -> None:
|
||||
logging.basicConfig(
|
||||
level=os.getenv("OLLAMA111_PROXY_LOG_LEVEL", "INFO"),
|
||||
format="%(asctime)s %(levelname)s %(message)s",
|
||||
)
|
||||
server = await asyncio.start_server(_handle_client, LISTEN_HOST, LISTEN_PORT)
|
||||
sockets = ", ".join(str(sock.getsockname()) for sock in (server.sockets or []))
|
||||
logging.info(
|
||||
"ollama111 allow proxy listening=%s target=%s:%s allowed=%s",
|
||||
sockets,
|
||||
TARGET_HOST,
|
||||
TARGET_PORT,
|
||||
",".join(ALLOWED_CIDRS),
|
||||
)
|
||||
|
||||
stop = asyncio.Event()
|
||||
loop = asyncio.get_running_loop()
|
||||
for sig in (signal.SIGINT, signal.SIGTERM):
|
||||
loop.add_signal_handler(sig, stop.set)
|
||||
|
||||
async with server:
|
||||
await stop.wait()
|
||||
server.close()
|
||||
await server.wait_closed()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
asyncio.run(_main())
|
||||
Reference in New Issue
Block a user