feat(swarm): per-host microservices as systemd units, mutator off agents
Previously `decnet status` on an agent showed every microservice as DOWN
because deploy's auto-spawn was unihost-scoped and the agent CLI gate
hid the per-host commands. Now:
- collect, probe, profiler, sniffer drop out of MASTER_ONLY_COMMANDS
(they run per-host; master-side work stays master-gated).
- mutate stays master-only (it orchestrates swarm-wide respawns).
- decnet/mutator/ excluded from agent tarballs — never invoked there.
- decnet/web exclusion tightened: ship db/ + auth.py + dependencies.py
(profiler needs the repo singleton), drop api.py, swarm_api.py,
ingester.py, router/, templates/.
- Four new systemd unit templates (decnet-collector/prober/profiler/
sniffer) shipped in every enrollment tarball.
- enroll_bootstrap.sh enables + starts all four alongside agent and
forwarder at install time.
- updater restarts the aux units on code push so they pick up the new
release (best-effort — legacy enrollments without the units won't
fail the update).
- status table hides Mutator + API rows in agent mode.
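The "best-effort" restart described in the commit message (aux units restarted on a code push, legacy enrollments without the units tolerated) is easy to get wrong in one of two directions: either a missing unit aborts the whole update, or a genuine restart failure of an installed unit is swallowed along with the missing ones. The following is an added example, not code from the decnet repository: it separates the two cases and keeps the enrollment-time `enable --now` path beside the updater path. The unit names follow the four templates the message names; `Runner`, `run_argv`, `unit_installed`, `enable_now`, `restart_aux_units` and `restart_failures` are assumed helper names, and the exit-code runner is injected so the logic can be exercised without systemd.

```python
"""Best-effort restart of the per-host aux units after a code push.

Added example (not the project's updater): illustrates "legacy enrollments
without the units won't fail the update" while still surfacing real
restart failures of units that are installed.
"""
import subprocess
from typing import Callable, Dict, List, Sequence

# Unit names taken from the commit message; the ".service" suffix is added below.
AUX_UNITS: Sequence[str] = (
    "decnet-collector", "decnet-prober", "decnet-profiler", "decnet-sniffer",
)

# A runner takes an argv and returns the process exit code. It is injected so
# the decision logic can be tested with a fake systemctl (assumed design).
Runner = Callable[[Sequence[str]], int]


def run_argv(argv: Sequence[str]) -> int:
    """Default runner: execute argv, discard its output, return the exit code."""
    return subprocess.run(list(argv), capture_output=True, text=True, check=False).returncode


def unit_installed(unit: str, run: Runner = run_argv) -> bool:
    """True when a unit file exists.

    `systemctl cat` exits non-zero when no unit file is found, which is
    exactly the legacy-enrollment case the updater must tolerate.
    """
    return run(["systemctl", "cat", f"{unit}.service"]) == 0


def enable_now(units: Sequence[str] = AUX_UNITS, run: Runner = run_argv) -> Dict[str, str]:
    """Enrollment-time path: enable + start every shipped unit in one step."""
    results: Dict[str, str] = {}
    for unit in units:
        rc = run(["systemctl", "enable", "--now", f"{unit}.service"])
        results[unit] = "enabled" if rc == 0 else "failed"
    return results


def restart_aux_units(units: Sequence[str] = AUX_UNITS, run: Runner = run_argv) -> Dict[str, str]:
    """Updater path: restart only the units that are actually installed.

    Per-unit result is one of:
      "restarted" - installed and restart returned 0
      "failed"    - installed but restart returned non-zero
      "missing"   - no unit file (legacy enrollment); skipped, not an error
    """
    results: Dict[str, str] = {}
    for unit in units:
        if not unit_installed(unit, run):
            results[unit] = "missing"
            continue  # never call restart on a unit that does not exist
        rc = run(["systemctl", "restart", f"{unit}.service"])
        results[unit] = "restarted" if rc == 0 else "failed"
    return results


def restart_failures(results: Dict[str, str]) -> List[str]:
    """Units whose restart genuinely failed.

    "missing" is deliberately excluded so an update on a legacy enrollment
    is not reported as broken; only an installed unit that would not come
    back is worth an operator's attention.
    """
    return sorted(unit for unit, state in results.items() if state == "failed")


if __name__ == "__main__":
    # Real run on a systemd host (normally needs root to restart units).
    outcome = restart_aux_units()
    for unit, state in outcome.items():
        print(f"{unit}: {state}")
    if restart_failures(outcome):
        print("warning: installed aux units failed to restart")
```

The split between `restart_aux_units` and `restart_failures` is the point: the updater can log every state for the status table, while the decision about what counts as a failed update is made on "failed" only, never on "missing".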
@@ -1323,6 +1323,11 @@ def status() -> None:
_status()
registry = _service_registry(str(DECNET_INGEST_LOG_FILE))
# On agents, the Mutator runs master-side only (it schedules decky
# respawns across the swarm) and the API is never shipped. Hide those
# rows so operators aren't chasing permanent DOWN entries.
if _agent_mode_active():
registry = [r for r in registry if r[0] not in {"Mutator", "API"}]
svc_table = Table(title="DECNET Services", show_lines=True)
svc_table.add_column("Service", style="bold cyan")
svc_table.add_column("Status")
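Review bot: the hidden-row filter `registry = [r for r in registry if r[0] not in {"Mutator", "API"}]` keys on the display name in tuple slot 0, so a rename of either row in `_service_registry`, or a change in the tuple layout, silently brings the permanent DOWN entries back on agents. Pull the set into a module-level constant next to `MASTER_ONLY_COMMANDS` (e.g. `AGENT_HIDDEN_SERVICES = frozenset({"Mutator", "API"})`) and have `_service_registry` carry a master-only flag per row so the filter does not depend on positional indexing or on a string that is also user-facing text. A one-line comment that the registry is still built in full and only the rendered view is trimmed would also help, since `_status()` runs before the filter and readers may assume health checks are being skipped too.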
@@ -1762,13 +1767,17 @@ def db_reset(
# MASTER_ONLY when touching command registration.
#
# Worker-legitimate commands (NOT in these sets): agent, updater, forwarder,
# status (agents run deckies locally and should be able to inspect them).
# status, collect, probe, profiler, sniffer. Agents run deckies locally and
# should be able to inspect them + run the per-host microservices (collector
# streams container logs, prober/profiler characterize attackers hitting
# this host, sniffer captures traffic). Mutator stays master-only because
# it orchestrates respawns across the swarm.
# ───────────────────────────────────────────────────────────────────────────
MASTER_ONLY_COMMANDS: frozenset[str] = frozenset({
"api", "swarmctl", "deploy", "redeploy", "teardown",
"probe", "collect", "mutate", "listener",
"mutate", "listener",
"services", "distros", "correlate", "archetypes", "web",
"profiler", "sniffer", "db-reset",
"db-reset",
})
MASTER_ONLY_GROUPS: frozenset[str] = frozenset({"swarm"})
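Review bot: the rewritten comment block now says `status, collect, probe, profiler, sniffer` are deliberately outside `MASTER_ONLY_COMMANDS`, but nothing in the diff pins that, so the set and the prose will drift the next time someone touches command registration. Add a test asserting `MASTER_ONLY_COMMANDS.isdisjoint({"collect", "probe", "profiler", "sniffer", "status"})` and `"mutate" in MASTER_ONLY_COMMANDS` (the message is explicit that mutate must stay master-gated). Dropping `"probe", "collect"` and `"profiler", "sniffer"` from this set is what lets those commands run on an agent at all, and the same commit trims the agent tarball (`api.py`, `swarm_api.py`, `ingester.py`, `router/` are no longer shipped), so each of the four should be confirmed to fail cleanly if it reaches a code path that imports those modules, rather than relying on the gate alone to keep master-side code off agents.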