fix: harden sentinel scheduler systemd environment

This commit is contained in:
Codex
2026-06-27 07:49:18 +00:00
parent 74afba293b
commit e56ffdc523
+21 -2
@@ -59,6 +59,9 @@ const DEFAULT_STALE_MULTIPLIER = 1;
const DEFAULT_FETCH_TIMEOUT_MS = 15_000;
const HOST_SCHEDULER_INTERVAL_SECONDS = 120;
const STATE_DIR = rootPath(".state", "web-probe-sentinel-scheduler");
const BUN_EXECUTABLE = existsSync("/usr/bin/bun") ? "/usr/bin/bun" : process.execPath || "bun";
const SYSTEMD_PATH = "/root/.local/bin:/root/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
const SYSTEMD_NO_PROXY = noProxyValue();
await main().catch((error) => {
const message = error instanceof Error ? error.stack || error.message : String(error);
@@ -168,7 +171,7 @@ function sentinelSchedules(spec: ReturnType<typeof hwlabRuntimeLaneSpecForNode>,
async function triggerSentinel(options: SchedulerOptions, schedule: SentinelSchedule, before: OverviewSnapshot): Promise<TriggerResult> {
const command = [
"bun",
BUN_EXECUTABLE,
"scripts/cli.ts",
"web-probe",
"sentinel",
@@ -261,8 +264,12 @@ After=network-online.target
[Service]
Type=oneshot
Environment=HOME=/root
Environment=PATH=${SYSTEMD_PATH}
Environment=NO_PROXY=${SYSTEMD_NO_PROXY}
Environment=no_proxy=${SYSTEMD_NO_PROXY}
WorkingDirectory=${repoRoot}
ExecStart=/usr/bin/env bun ${join(repoRoot, "scripts", "web-probe-sentinel-scheduler.ts")} run --node ${options.node} --lane ${options.lane} --stale-multiplier ${options.staleMultiplier}
ExecStart=${BUN_EXECUTABLE} ${join(repoRoot, "scripts", "web-probe-sentinel-scheduler.ts")} run --node ${options.node} --lane ${options.lane} --stale-multiplier ${options.staleMultiplier}
`;
const timer = `[Unit]
Description=Run UniDesk web-probe sentinel host cadence scheduler for ${options.node}/${options.lane}
@@ -336,6 +343,8 @@ function rowFor(schedule: SentinelSchedule, overview: OverviewSnapshot | null, d
recorded: trigger.recorded,
latestRunIdBefore: trigger.latestRunIdBefore,
latestRunIdAfter: trigger.latestRunIdAfter,
stdoutTail: trigger.stdoutTail,
stderrTail: trigger.stderrTail,
},
valuesRedacted: true,
};
@@ -552,3 +561,13 @@ function systemdUnitName(options: SchedulerOptions): string {
function safeSegment(value: string): string {
return value.toLowerCase().replace(/[^a-z0-9._-]+/gu, "-").replace(/^-+|-+$/gu, "") || "default";
}
function noProxyValue(): string {
const raw = process.env.NO_PROXY || process.env.no_proxy || "";
const required = ["localhost", "127.0.0.1", "::1", "hyueapi.com", ".hyueapi.com"];
const values = raw.split(",").map((item) => item.trim()).filter(Boolean);
for (const item of required) {
if (!values.includes(item)) values.push(item);
}
return values.join(",");
}
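Review bot: The new `stdoutTail` and `stderrTail` fields in the fourth hunk land in a record that is then marked `valuesRedacted: true`, yet nothing in the hunk scrubs those tails, and the stderr of a failed `bun` invocation can echo exactly the environment this commit is pinning (PATH, NO_PROXY, working directory) or a proxy URL with embedded credentials. Unless the tails are already redacted where `trigger` is produced (outside this hunk), either scrub them before they are recorded or make the flag honest with a comment such as `// stdoutTail/stderrTail are recorded verbatim; valuesRedacted does not cover them`; the enclosing function starts and ends outside the hunk. Separately, `BUN_EXECUTABLE` in the first hunk still falls back to the bare name `"bun"` when `/usr/bin/bun` is absent and `process.execPath` is empty, which undoes the pinning that `ExecStart=${BUN_EXECUTABLE} …` is meant to give: systemd resolves a non-absolute `ExecStart=` against its own compile-time search path, not the unit's `Environment=PATH=` line, so the generated unit would either fail to start or run whichever `bun` systemd happens to find. Failing fast at generation time when no absolute interpreter path can be determined, e.g. `if (!BUN_EXECUTABLE.startsWith("/")) throw new Error("cannot resolve an absolute bun path for ExecStart");`, keeps the unit deterministic.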