fix: align HWLAB v0.3 public ports

This commit is contained in:
Codex
2026-06-08 19:11:28 +00:00
parent 75e72eeddf
commit 9b79034378
5 changed files with 9 additions and 9 deletions
+1 -1
View File
@@ -71,7 +71,7 @@ The `v0.2` CI/CD integration owns a dedicated CI/CD source repo, `devops-infra`
For current G14/v0.2, `deploy/deploy.yaml` is the single human-authored deploy/runtime config source. `deploy/deploy.json` is not a v0.2 compatibility source and must not be recreated for this lane. YAML and JSON parsing are centralized in the HWLAB repo's format-agnostic config layer: `scripts/src/structured-config.mjs` handles file format parsing/writing, while `scripts/src/deploy-config.mjs` owns deploy-config defaults and shape. Renderers, planners, smoke scripts and CLIs should consume that layer through `readStructuredFile` / `writeStructuredFile` / `readDeployConfig` or equivalent helpers; do not scatter direct YAML parser imports or ad hoc `readFile` + `YAML.parse` calls. Legacy D601 HWLAB CD still has its own `deploy/deploy.json` desired-state documented in `docs/reference/hwlab.md`; that legacy path is not the G14/v0.2 authority.
On the UniDesk control-plane side, HWLAB G14 runtime lane expansion is sourced from `/root/unidesk/config/hwlab-node-lanes.yaml`. That YAML owns `nodes`, `lanes`, `networkProfiles` and `downloadProfiles` for the UniDesk trigger/status/apply layer: `lanes.v03.node` points at `nodes.G14`, while proxy URLs, `NO_PROXY`, git/npm/pip/docker/curl retry/download defaults and Docker build proxy settings live under profile objects. G14 must remain a node config value, not a hardcoded code path such as `g14Proxy` or `g14GitOps`; future `v0.4+` lanes should be added by adding YAML entries and then consuming the generated spec. `hyueapi.com` and `.hyueapi.com` are required `NO_PROXY` entries and must remain present in effective runtime and Docker build proxy environments.
On the UniDesk control-plane side, HWLAB G14 runtime lane expansion is sourced from `/root/unidesk/config/hwlab-node-lanes.yaml`. That YAML owns `nodes`, `lanes`, `networkProfiles`, `downloadProfiles` and public entrypoints for the UniDesk trigger/status/apply layer: `lanes.v03.node` points at `nodes.G14`, `lanes.v03.runtime.namespace` is `hwlab-v03`, and the v0.3 public entrypoints are `http://74.48.78.17:20666/` and `http://74.48.78.17:20667/health/live`. Proxy URLs, `NO_PROXY`, git/npm/pip/docker/curl retry/download defaults and Docker build proxy settings live under profile objects. G14 must remain a node config value, not a hardcoded code path such as `g14Proxy` or `g14GitOps`; future `v0.4+` lanes should be added by adding YAML entries and then consuming the generated spec. `hyueapi.com` and `.hyueapi.com` are required `NO_PROXY` entries and must remain present in effective runtime and Docker build proxy environments.
The `devops-infra` git mirror/relay remains manual and CLI-controlled, not CronJob-driven. The standard `v0.2` delivery trigger is `bun scripts/cli.ts hwlab g14 monitor-prs --lane v02`: it watches base=`v0.2` PRs, waits for GitHub preflight/CI readiness, auto-merges only ready and non-conflicting PRs, then drives the same controlled CD path and comments pending/blocked/succeeded/failed/timeout state back to the PR. The lower-level `bun scripts/cli.ts hwlab g14 control-plane trigger-current --lane v02 --confirm` remains the manual recovery or diagnosis entry; it must fetch `/root/hwlab-v02-cicd.git`, resolve the current `origin/v0.2` source commit, check the mirror's `localV02` ref before creating the PipelineRun, run one bounded manual `git-mirror sync` Job when the mirror is stale, and only continue after the mirror ref matches the current source commit. Use `hwlab g14 git-mirror sync --confirm` directly only for explicit mirror maintenance or diagnosis.
+3 -3
View File
@@ -6,7 +6,7 @@
- UniDesk 指挥侧 workspace`/root/unidesk`,固定使用 `master`,开始前执行 `git status``git pull --ff-only origin master`
- HWLAB legacy G14 DEV/PROD 已退役;`G14`/`G14-gitops``hwlab-dev`/`hwlab-prod`、17666/17667 和 18666/18667 不再是当前 source/runtime truth。退役状态和执行入口是 `bun scripts/cli.ts hwlab g14 retirement status|plan|execute --confirm`,细则见 `docs/reference/g14.md`
- HWLAB 当前 G14 主阵地是 runtime lane`v0.2` 固定分支为 `v0.2`,固定开发 workspace 为 `G14:/root/hwlab-v02`,固定 CI/CD source repo 为 `G14:/root/hwlab-v02-cicd.git`,固定 namespace 为 `hwlab-v02`,公网入口为 `http://74.48.78.17:19666/``http://74.48.78.17:19667/health/live``v0.3+``hwlab nodes --node G14 --lane vNN``config/hwlab-node-lanes.yaml` 管理。
- HWLAB 当前 G14 主阵地是 runtime lane`v0.2` 固定分支为 `v0.2`,固定开发 workspace 为 `G14:/root/hwlab-v02`,固定 CI/CD source repo 为 `G14:/root/hwlab-v02-cicd.git`,固定 namespace 为 `hwlab-v02`,公网入口为 `http://74.48.78.17:19666/``http://74.48.78.17:19667/health/live``v0.3` 固定 namespace 为 `hwlab-v03`,公网入口为 `http://74.48.78.17:20666/``http://74.48.78.17:20667/health/live``v0.3+``hwlab nodes --node G14 --lane vNN``config/hwlab-node-lanes.yaml` 管理。
- HWLAB 项目内长期规则入口仍以目标 repo 的 `AGENTS.md` 为准。进入 G14 runtime lane 分布式开发、切换任务、恢复中断或上下文压缩后,必须重新读取目标 workspace 的规则文件;不能只凭主 server 的压缩上下文继续操作。
- 每次开始 G14 runtime lane 工作前必须通过 UniDesk SSH 桥检查目标 workspace,例如 `trans G14:/root/hwlab-v02 script -- 'git status --short --branch && git remote -v'`;若不满足目标 lane 预期,先修正 workspace,不能继续开发、render、polling 或部署。
- G14 k3s 操作必须使用 route 语法 `G14:k3s`,例如 `trans G14:k3s kubectl get pods -n hwlab-v02`;禁止写成 `ssh G14 k3s ...`。第一个 route token 必须定位分布式目标,后续 token 才是 operation。
@@ -39,9 +39,9 @@ HWLAB 公网 FRP server 由 master server 上的 `hwlab-frps-dev` 容器承担
新增或恢复 HWLAB 公网入口时,先判断问题是否只是 server 侧 `allowPorts` 缺口。若 `frpc` 日志出现 `port not allowed`,优先在 master server 修改 `/opt/hwlab-frp/frps.dev.toml``allowPorts`,而不是改 active runtime lane 的 GitOps、Service 或 `frpc` ConfigMap。修改前保留一份本机备份,例如 `/opt/hwlab-frp/frps.dev.toml.bak-<reason>`;修改后只重启 `hwlab-frps-dev`,不要重建镜像、清理 Docker volume、重启无关 UniDesk/HWLAB 服务或触碰数据库状态。
当前 HWLAB FRP server allowlist 至少应覆盖 active runtime lane 端口(例如 G14 `v0.2` `19666/19667`)以及仍被明确使用的维护端口。Legacy `16666/16667` 和 retired G14 DEV/PROD `17666/17667``18666/18667` 只作为历史对照,不应作为新增 runtime 入口要求。新增端口必须对应一个明确的 namespace/runtime 入口,不能把大范围端口段作为默认放行策略。
当前 HWLAB FRP server allowlist 至少应覆盖 active runtime lane 端口(例如 G14 `v0.2` `19666/19667``v0.3` `20666/20667`)以及仍被明确使用的维护端口。Legacy `16666/16667` 和 retired G14 DEV/PROD `17666/17667``18666/18667` 只作为历史对照,不应作为新增 runtime 入口要求。新增端口必须对应一个明确的 namespace/runtime 入口,不能把大范围端口段作为默认放行策略。
FRP 维护验证顺序是:确认 `hwlab-frps-dev` 容器仍挂载 `/opt/hwlab-frp/frps.dev.toml`;重启后用 `ss -ltnp` 或等价只读命令确认 `frps` 正在监听 `7000` 和目标公网端口;再在目标 namespace 查看 `frpc` 日志,确认对应 proxy `start proxy success`;最后验证 active runtime lane 入口。`v0.2` 验证使用 `http://74.48.78.17:19666/``http://74.48.78.17:19667/health/live`
FRP 维护验证顺序是:确认 `hwlab-frps-dev` 容器仍挂载 `/opt/hwlab-frp/frps.dev.toml`;重启后用 `ss -ltnp` 或等价只读命令确认 `frps` 正在监听 `7000` 和目标公网端口;再在目标 namespace 查看 `frpc` 日志,确认对应 proxy `start proxy success`;最后验证 active runtime lane 入口。`v0.2` 验证使用 `http://74.48.78.17:19666/``http://74.48.78.17:19667/health/live``v0.3` 验证使用 `http://74.48.78.17:20666/``http://74.48.78.17:20667/health/live`
FRP 文档、issue 和日志只能记录端口、容器名、ConfigMap 名、Secret 对象/key 是否存在和健康摘要;不得记录 Secret value、provider token、完整 DB URL、Codex auth JSON 或其他凭据内容。