fix(swarm-mgmt): exclude .env from bundle, chmod +x decnet, mkdir log
@@ -66,6 +66,11 @@ _EXCLUDES: tuple[str, ...] = (
|
|||||||
"decnet-state.json",
|
"decnet-state.json",
|
||||||
"master.log", "master.json",
|
"master.log", "master.json",
|
||||||
"decnet.tar",
|
"decnet.tar",
|
||||||
|
# Dev-host env/config leaks — these bake the master's absolute paths into
|
||||||
|
# the agent and point log handlers at directories that don't exist on the
|
||||||
|
# worker VM.
|
||||||
|
".env", ".env.*", "**/.env", "**/.env.*",
|
||||||
|
"decnet.ini", "**/decnet.ini",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
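Review bot: The comment added above the `.env` patterns in `_EXCLUDES` records only the absolute-path and log-handler problem, but `.env` files on a development or master host commonly hold credentials, so these entries also keep master-side secrets out of bundles shipped to workers. I would record that in the comment, e.g. `# Also keeps any secrets in the master's .env files out of worker bundles; do not relax.`, so a later cleanup does not drop the patterns once the path issue is solved another way. Whether this project's `.env` carries secrets is not visible here, and the tuple starts outside the hunk, so other secret-bearing names may or may not already be listed. Since `decnet.ini` and `**/decnet.ini` are now excluded while the bundle is still expected to contain `etc/decnet/decnet.ini`, a one-line comment saying the rendered INI is added separately from the source-tree walk would help, if that is how it works.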
|
|||||||
@@ -28,6 +28,9 @@ python3 -m venv .venv
|
|||||||
install -Dm0644 etc/decnet/decnet.ini /etc/decnet/decnet.ini
|
install -Dm0644 etc/decnet/decnet.ini /etc/decnet/decnet.ini
|
||||||
[[ -f services.ini ]] && install -Dm0644 services.ini /etc/decnet/services.ini
|
[[ -f services.ini ]] && install -Dm0644 services.ini /etc/decnet/services.ini
|
||||||
|
|
||||||
|
# Log directory the baked-in INI points at — must exist before `decnet` imports config.
|
||||||
|
install -d -m0755 /var/log/decnet
|
||||||
|
|
||||||
REAL_USER="${SUDO_USER:-root}"
|
REAL_USER="${SUDO_USER:-root}"
|
||||||
REAL_HOME="$(getent passwd "$REAL_USER" | cut -d: -f6)"
|
REAL_HOME="$(getent passwd "$REAL_USER" | cut -d: -f6)"
|
||||||
for f in ca.crt worker.crt worker.key; do
|
for f in ca.crt worker.crt worker.key; do
|
||||||
@@ -35,6 +38,9 @@ for f in ca.crt worker.crt worker.key; do
|
|||||||
"home/.decnet/agent/$f" "$REAL_HOME/.decnet/agent/$f"
|
"home/.decnet/agent/$f" "$REAL_HOME/.decnet/agent/$f"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Guarantee the pip-installed entrypoint is executable (some setuptools+editable
|
||||||
|
# combos drop it with mode 0644) and expose it on PATH.
|
||||||
|
chmod 0755 "$INSTALL_DIR/.venv/bin/decnet"
|
||||||
ln -sf "$INSTALL_DIR/.venv/bin/decnet" /usr/local/bin/decnet
|
ln -sf "$INSTALL_DIR/.venv/bin/decnet" /usr/local/bin/decnet
|
||||||
sudo -u "$REAL_USER" /usr/local/bin/decnet agent --daemon
|
sudo -u "$REAL_USER" /usr/local/bin/decnet agent --daemon
|
||||||
echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Forwarder auto-spawned."
|
echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Forwarder auto-spawned."
|
||||||
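Review bot: `/var/log/decnet` is created in the first hunk with `install -d -m0755` and no owner, so it belongs to whoever runs the script (presumably root, given the writes to `/etc/decnet` and `/usr/local/bin`), while the agent is later started with `sudo -u "$REAL_USER"`. When `SUDO_USER` is a non-root account the daemon would not be able to create its log files there, and mode 0755 leaves the agent's logs directory listable by every local user. Consider creating the directory after `REAL_USER` is assigned, with `install -d -m0750 -o "$REAL_USER" /var/log/decnet`, assuming the agent is the only writer. The script continues outside both hunks, so ownership may be adjusted somewhere not shown here.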
|
|||||||
@@ -159,6 +159,10 @@ async def test_get_tgz_contents(client, auth_token, tmp_path):
|
|||||||
assert "__pycache__" not in bad
|
assert "__pycache__" not in bad
|
||||||
assert not bad.endswith(".pyc")
|
assert not bad.endswith(".pyc")
|
||||||
assert "node_modules" not in bad
|
assert "node_modules" not in bad
|
||||||
|
# Dev-host env leaks would bake absolute master paths into the agent.
|
||||||
|
assert not bad.endswith(".env"), f"leaked env file: {bad}"
|
||||||
|
assert ".env.local" not in bad, f"leaked env file: {bad}"
|
||||||
|
assert ".env.example" not in bad, f"leaked env file: {bad}"
|
||||||
|
|
||||||
# INI content is correct
|
# INI content is correct
|
||||||
ini = tf.extractfile("etc/decnet/decnet.ini").read().decode()
|
ini = tf.extractfile("etc/decnet/decnet.ini").read().decode()
|
||||||
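Review bot: The three added assertions cover only `.env`, `.env.local` and `.env.example`, whereas the exclude list uses the wildcard `.env.*`, so a leaked `.env.production` or similar would pass this test. Matching on the member's basename pins the whole family: `name = bad.rsplit("/", 1)[-1]` followed by `assert name != ".env" and not name.startswith(".env."), f"leaked env file: {bad}"`. There is also no assertion that a stray `decnet.ini` outside `etc/decnet/` is kept out. The test setup is outside the hunk, so I cannot tell whether the fixture tree actually contains such files; if it does not, these checks pass vacuously, and planting a dummy `.env` and a nested `decnet.ini` would make them meaningful.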
|
|||||||