fix: align HWLAB v0.3 public ports
This commit is contained in:
@@ -104,7 +104,7 @@ UniDesk 是一个以主 server 为统一入口的分布式工作平台;本文
|
||||
## Critical G14 HWLAB Workspace Rule
|
||||
|
||||
- P0: HWLAB legacy G14 DEV/PROD 运行面已退役;`G14`/`G14-gitops`、`hwlab-dev`/`hwlab-prod`、17666/17667 和 18666/18667 不再作为当前开发、发布、验收或回归真相。退役状态、计划和执行入口固定为 `bun scripts/cli.ts hwlab g14 retirement status|plan|execute --confirm`,且该入口只允许触碰 legacy Argo Application 与 legacy namespace,必须保护 `hwlab-v02`/`hwlab-v03`。
|
||||
- P0: HWLAB 当前 G14 运行面默认收敛到 runtime lane:`v0.2` 固定使用分支 `v0.2`、开发 workspace `G14:/root/hwlab-v02`、CI/CD 专用 source repo `G14:/root/hwlab-v02-cicd.git`、namespace `hwlab-v02`、19666/19667 FRP 入口;`v0.3+` 通过 `hwlab nodes --node G14 --lane vNN` 和 `config/hwlab-node-lanes.yaml` 管理,长期细则见 `docs/reference/g14.md`。
|
||||
- P0: HWLAB 当前 G14 运行面默认收敛到 runtime lane:`v0.2` 固定使用分支 `v0.2`、开发 workspace `G14:/root/hwlab-v02`、CI/CD 专用 source repo `G14:/root/hwlab-v02-cicd.git`、namespace `hwlab-v02`、19666/19667 FRP 入口;`v0.3` 使用 `hwlab-v03` namespace 和 20666/20667 FRP 入口;`v0.3+` 通过 `hwlab nodes --node G14 --lane vNN` 和 `config/hwlab-node-lanes.yaml` 管理,长期细则见 `docs/reference/g14.md`。
|
||||
- P0: 每次开始 G14 HWLAB runtime lane 分布式开发、切换任务、恢复中断或上下文压缩后,必须重新读取目标 lane workspace 的 `AGENTS.md`,并以该文件和其引用的 HWLAB repo 内规则为当前任务约束;禁止只凭压缩摘要或主 server 记忆继续改代码。`/root/hwlab` 只在显式 legacy/retirement follow-up 时使用。
|
||||
- 操作入口必须通过 UniDesk SSH 维护桥:host/source 操作用 `trans G14 script` 或 workspace route 加 `apply-patch`,远端文本 patch 默认使用 `apply-patch` 的 v2 引擎、旧 helper 仅通过 `apply-patch-v1` 显式调用;k3s 操作用 `trans G14:k3s ...`;禁止使用 `ssh G14 k3s ...`,定位必须写在第一个 route token,后续 token 才是 operation。
|
||||
- P0: 每次开始 G14 HWLAB runtime lane 工作前,目标固定仓库必须先即时快进到目标 remote 分支最新;例如 v0.2 使用 `trans G14:/root/hwlab-v02 script -- 'git fetch origin v0.2 && git pull --ff-only origin v0.2 && git status --short --branch && git remote -v'`。若有未提交并行变更阻碍快进,必须先判断是否能与最新 remote 快速合并;能合并则立即合并,禁止默认 stash、丢弃或绕到落后 worktree;只有确实无法自动合并时才隔离保存并停止交给人工决策。禁止用落后的固定仓库继续预检、创建 worktree、开发、render、polling 或部署。
|
||||
|
||||
@@ -82,8 +82,8 @@ lanes:
|
||||
- hwlab-edge-proxy
|
||||
- hwlab-agent-skills
|
||||
public:
|
||||
webUrl: http://74.48.78.17:19766
|
||||
apiUrl: http://74.48.78.17:19767
|
||||
webUrl: http://74.48.78.17:20666
|
||||
apiUrl: http://74.48.78.17:20667
|
||||
|
||||
networkProfiles:
|
||||
node-ci-egress:
|
||||
|
||||
@@ -71,7 +71,7 @@ The `v0.2` CI/CD integration owns a dedicated CI/CD source repo, `devops-infra`
|
||||
|
||||
For current G14/v0.2, `deploy/deploy.yaml` is the single human-authored deploy/runtime config source. `deploy/deploy.json` is not a v0.2 compatibility source and must not be recreated for this lane. YAML and JSON parsing are centralized in the HWLAB repo's format-agnostic config layer: `scripts/src/structured-config.mjs` handles file format parsing/writing, while `scripts/src/deploy-config.mjs` owns deploy-config defaults and shape. Renderers, planners, smoke scripts and CLIs should consume that layer through `readStructuredFile` / `writeStructuredFile` / `readDeployConfig` or equivalent helpers; do not scatter direct YAML parser imports or ad hoc `readFile` + `YAML.parse` calls. Legacy D601 HWLAB CD still has its own `deploy/deploy.json` desired-state documented in `docs/reference/hwlab.md`; that legacy path is not the G14/v0.2 authority.
|
||||
|
||||
On the UniDesk control-plane side, HWLAB G14 runtime lane expansion is sourced from `/root/unidesk/config/hwlab-node-lanes.yaml`. That YAML owns `nodes`, `lanes`, `networkProfiles` and `downloadProfiles` for the UniDesk trigger/status/apply layer: `lanes.v03.node` points at `nodes.G14`, while proxy URLs, `NO_PROXY`, git/npm/pip/docker/curl retry/download defaults and Docker build proxy settings live under profile objects. G14 must remain a node config value, not a hardcoded code path such as `g14Proxy` or `g14GitOps`; future `v0.4+` lanes should be added by adding YAML entries and then consuming the generated spec. `hyueapi.com` and `.hyueapi.com` are required `NO_PROXY` entries and must remain present in effective runtime and Docker build proxy environments.
|
||||
On the UniDesk control-plane side, HWLAB G14 runtime lane expansion is sourced from `/root/unidesk/config/hwlab-node-lanes.yaml`. That YAML owns `nodes`, `lanes`, `networkProfiles`, `downloadProfiles` and public entrypoints for the UniDesk trigger/status/apply layer: `lanes.v03.node` points at `nodes.G14`, `lanes.v03.runtime.namespace` is `hwlab-v03`, and the v0.3 public entrypoints are `http://74.48.78.17:20666/` and `http://74.48.78.17:20667/health/live`. Proxy URLs, `NO_PROXY`, git/npm/pip/docker/curl retry/download defaults and Docker build proxy settings live under profile objects. G14 must remain a node config value, not a hardcoded code path such as `g14Proxy` or `g14GitOps`; future `v0.4+` lanes should be added by adding YAML entries and then consuming the generated spec. `hyueapi.com` and `.hyueapi.com` are required `NO_PROXY` entries and must remain present in effective runtime and Docker build proxy environments.
|
||||
|
||||
The `devops-infra` git mirror/relay remains manual and CLI-controlled, not CronJob-driven. The standard `v0.2` delivery trigger is `bun scripts/cli.ts hwlab g14 monitor-prs --lane v02`: it watches base=`v0.2` PRs, waits for GitHub preflight/CI readiness, auto-merges only ready and non-conflicting PRs, then drives the same controlled CD path and comments pending/blocked/succeeded/failed/timeout state back to the PR. The lower-level `bun scripts/cli.ts hwlab g14 control-plane trigger-current --lane v02 --confirm` remains the manual recovery or diagnosis entry; it must fetch `/root/hwlab-v02-cicd.git`, resolve the current `origin/v0.2` source commit, check the mirror's `localV02` ref before creating the PipelineRun, run one bounded manual `git-mirror sync` Job when the mirror is stale, and only continue after the mirror ref matches the current source commit. Use `hwlab g14 git-mirror sync --confirm` directly only for explicit mirror maintenance or diagnosis.
|
||||
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
|
||||
- UniDesk 指挥侧 workspace:`/root/unidesk`,固定使用 `master`,开始前执行 `git status` 和 `git pull --ff-only origin master`。
|
||||
- HWLAB legacy G14 DEV/PROD 已退役;`G14`/`G14-gitops`、`hwlab-dev`/`hwlab-prod`、17666/17667 和 18666/18667 不再是当前 source/runtime truth。退役状态和执行入口是 `bun scripts/cli.ts hwlab g14 retirement status|plan|execute --confirm`,细则见 `docs/reference/g14.md`。
|
||||
- HWLAB 当前 G14 主阵地是 runtime lane:`v0.2` 固定分支为 `v0.2`,固定开发 workspace 为 `G14:/root/hwlab-v02`,固定 CI/CD source repo 为 `G14:/root/hwlab-v02-cicd.git`,固定 namespace 为 `hwlab-v02`,公网入口为 `http://74.48.78.17:19666/` 与 `http://74.48.78.17:19667/health/live`;`v0.3+` 由 `hwlab nodes --node G14 --lane vNN` 与 `config/hwlab-node-lanes.yaml` 管理。
|
||||
- HWLAB 当前 G14 主阵地是 runtime lane:`v0.2` 固定分支为 `v0.2`,固定开发 workspace 为 `G14:/root/hwlab-v02`,固定 CI/CD source repo 为 `G14:/root/hwlab-v02-cicd.git`,固定 namespace 为 `hwlab-v02`,公网入口为 `http://74.48.78.17:19666/` 与 `http://74.48.78.17:19667/health/live`;`v0.3` 固定 namespace 为 `hwlab-v03`,公网入口为 `http://74.48.78.17:20666/` 与 `http://74.48.78.17:20667/health/live`;`v0.3+` 由 `hwlab nodes --node G14 --lane vNN` 与 `config/hwlab-node-lanes.yaml` 管理。
|
||||
- HWLAB 项目内长期规则入口仍以目标 repo 的 `AGENTS.md` 为准。进入 G14 runtime lane 分布式开发、切换任务、恢复中断或上下文压缩后,必须重新读取目标 workspace 的规则文件;不能只凭主 server 的压缩上下文继续操作。
|
||||
- 每次开始 G14 runtime lane 工作前必须通过 UniDesk SSH 桥检查目标 workspace,例如 `trans G14:/root/hwlab-v02 script -- 'git status --short --branch && git remote -v'`;若不满足目标 lane 预期,先修正 workspace,不能继续开发、render、polling 或部署。
|
||||
- G14 k3s 操作必须使用 route 语法 `G14:k3s`,例如 `trans G14:k3s kubectl get pods -n hwlab-v02`;禁止写成 `ssh G14 k3s ...`。第一个 route token 必须定位分布式目标,后续 token 才是 operation。
|
||||
@@ -39,9 +39,9 @@ HWLAB 公网 FRP server 由 master server 上的 `hwlab-frps-dev` 容器承担
|
||||
|
||||
新增或恢复 HWLAB 公网入口时,先判断问题是否只是 server 侧 `allowPorts` 缺口。若 `frpc` 日志出现 `port not allowed`,优先在 master server 修改 `/opt/hwlab-frp/frps.dev.toml` 的 `allowPorts`,而不是改 active runtime lane 的 GitOps、Service 或 `frpc` ConfigMap。修改前保留一份本机备份,例如 `/opt/hwlab-frp/frps.dev.toml.bak-<reason>`;修改后只重启 `hwlab-frps-dev`,不要重建镜像、清理 Docker volume、重启无关 UniDesk/HWLAB 服务或触碰数据库状态。
|
||||
|
||||
当前 HWLAB FRP server allowlist 至少应覆盖 active runtime lane 端口(例如 G14 `v0.2` `19666/19667`)以及仍被明确使用的维护端口。Legacy `16666/16667` 和 retired G14 DEV/PROD `17666/17667`、`18666/18667` 只作为历史对照,不应作为新增 runtime 入口要求。新增端口必须对应一个明确的 namespace/runtime 入口,不能把大范围端口段作为默认放行策略。
|
||||
当前 HWLAB FRP server allowlist 至少应覆盖 active runtime lane 端口(例如 G14 `v0.2` `19666/19667` 和 `v0.3` `20666/20667`)以及仍被明确使用的维护端口。Legacy `16666/16667` 和 retired G14 DEV/PROD `17666/17667`、`18666/18667` 只作为历史对照,不应作为新增 runtime 入口要求。新增端口必须对应一个明确的 namespace/runtime 入口,不能把大范围端口段作为默认放行策略。
|
||||
|
||||
FRP 维护验证顺序是:确认 `hwlab-frps-dev` 容器仍挂载 `/opt/hwlab-frp/frps.dev.toml`;重启后用 `ss -ltnp` 或等价只读命令确认 `frps` 正在监听 `7000` 和目标公网端口;再在目标 namespace 查看 `frpc` 日志,确认对应 proxy `start proxy success`;最后验证 active runtime lane 入口。`v0.2` 验证使用 `http://74.48.78.17:19666/` 与 `http://74.48.78.17:19667/health/live`。
|
||||
FRP 维护验证顺序是:确认 `hwlab-frps-dev` 容器仍挂载 `/opt/hwlab-frp/frps.dev.toml`;重启后用 `ss -ltnp` 或等价只读命令确认 `frps` 正在监听 `7000` 和目标公网端口;再在目标 namespace 查看 `frpc` 日志,确认对应 proxy `start proxy success`;最后验证 active runtime lane 入口。`v0.2` 验证使用 `http://74.48.78.17:19666/` 与 `http://74.48.78.17:19667/health/live`;`v0.3` 验证使用 `http://74.48.78.17:20666/` 与 `http://74.48.78.17:20667/health/live`。
|
||||
|
||||
FRP 文档、issue 和日志只能记录端口、容器名、ConfigMap 名、Secret 对象/key 是否存在和健康摘要;不得记录 Secret value、provider token、完整 DB URL、Codex auth JSON 或其他凭据内容。
|
||||
|
||||
|
||||
@@ -86,8 +86,8 @@ assertCondition(
|
||||
&& v03LaneSpec.runtimeNamespace === "hwlab-v03"
|
||||
&& v03LaneSpec.runtimeRenderDir === "runtime-v03"
|
||||
&& v03LaneSpec.pipeline === "hwlab-v03-ci-image-publish"
|
||||
&& v03LaneSpec.publicWebUrl.endsWith(":19766")
|
||||
&& v03LaneSpec.publicApiUrl.endsWith(":19767")
|
||||
&& v03LaneSpec.publicWebUrl.endsWith(":20666")
|
||||
&& v03LaneSpec.publicApiUrl.endsWith(":20667")
|
||||
&& v03LaneSpec.networkProfileId === "node-ci-egress"
|
||||
&& v03LaneSpec.downloadProfileId === "node-default"
|
||||
&& v03LaneSpec.networkProfile.proxy.noProxy.includes("hyueapi.com")
|
||||
|
||||
Reference in New Issue
Block a user