Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions deploy/one-click/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,7 @@ cp env.example .env
sudo ./install.sh
```

The default installation path is `/usr/local/services/cubetoolbox`.
The one-click installation path is fixed at `/usr/local/services/cubetoolbox`.

New one-click installations are managed by systemd only:

Expand Down Expand Up @@ -284,7 +284,7 @@ Other common parameters:
CUBE_PROXY_HTTPS_PORT=443
CUBE_PROXY_HTTP_PORT=80
# Deprecated: CUBE_PROXY_HOST_PORT is ignored; configure CUBE_PROXY_HTTP_PORT instead.
CUBE_PROXY_CERT_DIR="${ONE_CLICK_INSTALL_PREFIX}/cubeproxy/certs"
CUBE_PROXY_CERT_DIR=/usr/local/services/cubetoolbox/cubeproxy/certs
CUBE_PROXY_DNS_ANSWER_IP="${CUBE_SANDBOX_NODE_IP}"
WEB_UI_ENABLE=1
WEB_UI_IMAGE=cube-sandbox-image.tencentcloudcr.com/opensource/openresty:1.21.4.1-6-alpine-fat
Expand Down
4 changes: 2 additions & 2 deletions deploy/one-click/README_zh.md
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ cp env.example .env
sudo ./install.sh
```

默认会安装到 `/usr/local/services/cubetoolbox`。
one-click 固定安装到 `/usr/local/services/cubetoolbox`。

新的 one-click 安装统一只使用 systemd 托管:

Expand Down Expand Up @@ -271,7 +271,7 @@ CUBE_PROXY_DNS_ENABLE=1
CUBE_PROXY_HTTPS_PORT=443
CUBE_PROXY_HTTP_PORT=80
# 已废弃:CUBE_PROXY_HOST_PORT 会被忽略;如需调整启动后检查端口,请配置 CUBE_PROXY_HTTP_PORT。
CUBE_PROXY_CERT_DIR="${ONE_CLICK_INSTALL_PREFIX}/cubeproxy/certs"
CUBE_PROXY_CERT_DIR=/usr/local/services/cubetoolbox/cubeproxy/certs
CUBE_PROXY_DNS_ANSWER_IP="${CUBE_SANDBOX_NODE_IP}"
WEB_UI_ENABLE=1
WEB_UI_IMAGE=cube-sandbox-image.tencentcloudcr.com/opensource/openresty:1.21.4.1-6-alpine-fat
Expand Down
2 changes: 1 addition & 1 deletion deploy/one-click/USER_GUIDE_zh.md
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ cp env.example .env
sudo ./install.sh
```

默认安装目录
固定安装目录

```bash
/usr/local/services/cubetoolbox
Expand Down
7 changes: 1 addition & 6 deletions deploy/one-click/deploy-manual.sh
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,6 @@ Usage:
sudo ./deploy-manual.sh /path/to/cube-manual-update-*.tar.gz

Environment overrides:
ONE_CLICK_TOOLBOX_ROOT Toolbox root, default: /usr/local/services/cubetoolbox
ONE_CLICK_INSTALL_PREFIX Install prefix, default: same as toolbox root
ONE_CLICK_RUNTIME_DIR Runtime dir, default: /var/run/cube-sandbox-one-click
ONE_CLICK_LOG_DIR Log dir, default: /var/log/cube-sandbox-one-click
ONE_CLICK_MANUAL_PACKAGE_TAR
Expand Down Expand Up @@ -92,8 +90,7 @@ main() {
package_tar="$(resolve_package_path "${1:-}")" || die "manual update package not specified"
ensure_file "${package_tar}"

local toolbox_root="${ONE_CLICK_TOOLBOX_ROOT:-/usr/local/services/cubetoolbox}"
local install_prefix="${ONE_CLICK_INSTALL_PREFIX:-${toolbox_root}}"
local install_prefix="${CUBE_SANDBOX_INSTALL_ROOT}"
local runtime_dir="${ONE_CLICK_RUNTIME_DIR:-/var/run/cube-sandbox-one-click}"
local log_dir="${ONE_CLICK_LOG_DIR:-/var/log/cube-sandbox-one-click}"
local backup_dir="${install_prefix}/.backup/manual-update-$(date +%Y%m%d-%H%M%S)"
Expand Down Expand Up @@ -149,8 +146,6 @@ main() {
restart_core_services "${role}"

if [[ "${ONE_CLICK_SKIP_QUICKCHECK:-0}" != "1" ]]; then
ONE_CLICK_TOOLBOX_ROOT="${install_prefix}" \
ONE_CLICK_RUNTIME_ENV_FILE="${runtime_env_file}" \
ONE_CLICK_RUNTIME_DIR="${runtime_dir}" \
ONE_CLICK_LOG_DIR="${log_dir}" \
"${install_prefix}/scripts/one-click/quickcheck.sh"
Expand Down
3 changes: 1 addition & 2 deletions deploy/one-click/down.sh
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,7 @@ fi

require_root

TOOLBOX_ROOT="${ONE_CLICK_TOOLBOX_ROOT:-/usr/local/services/cubetoolbox}"
INSTALL_PREFIX="${ONE_CLICK_INSTALL_PREFIX:-${TOOLBOX_ROOT}}"
INSTALL_PREFIX="${CUBE_SANDBOX_INSTALL_ROOT}"
ensure_dir "${INSTALL_PREFIX}"

ROLE_FILE="${INSTALL_PREFIX}/.one-click.env"
Expand Down
4 changes: 1 addition & 3 deletions deploy/one-click/env.example
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,6 @@ ONE_CLICK_CUBE_SHIM_BUILD_MODE=local
# ONE_CLICK_GUEST_IMAGE_RESERVED_BYTES=33554432

# Target-machine install options.
# New installations are always managed by systemd; there is no systemd/non-systemd mode switch.
ONE_CLICK_INSTALL_PREFIX=/usr/local/services/cubetoolbox
ONE_CLICK_RUN_QUICKCHECK=1
# quickcheck waits for each runtime signal (systemd units, health endpoints,
# sockets, runtime files, node registration) to become ready within this overall
Expand Down Expand Up @@ -123,7 +121,7 @@ CUBE_PROXY_HTTPS_PORT=443
# The systemd post-start TCP listener check follows this HTTP proxy port.
CUBE_PROXY_HTTP_PORT=80
# Deprecated: CUBE_PROXY_HOST_PORT is ignored; configure CUBE_PROXY_HTTP_PORT instead.
CUBE_PROXY_CERT_DIR="${ONE_CLICK_INSTALL_PREFIX}/cubeproxy/certs"
CUBE_PROXY_CERT_DIR=/usr/local/services/cubetoolbox/cubeproxy/certs
CUBE_PROXY_REDIS_IP=127.0.0.1
# TLS cert/key file names under CUBE_PROXY_CERT_DIR. Defaults match the files
# auto-generated by mkcert (cube.app+3.pem / cube.app+3-key.pem). When you
Expand Down
57 changes: 23 additions & 34 deletions deploy/one-click/install.sh
Original file line number Diff line number Diff line change
Expand Up @@ -94,8 +94,7 @@ warn_default_external_credentials() {
fi
}

TOOLBOX_ROOT="${ONE_CLICK_TOOLBOX_ROOT:-/usr/local/services/cubetoolbox}"
INSTALL_PREFIX="${ONE_CLICK_INSTALL_PREFIX:-${TOOLBOX_ROOT}}"
INSTALL_PREFIX="${CUBE_SANDBOX_INSTALL_ROOT}"

# Resolve install vs upgrade mode and, for upgrades, run preflight + backup and
# build the config-preserving merged env BEFORE any destructive change. The
Expand Down Expand Up @@ -782,7 +781,7 @@ stop_existing_systemd_deployment() {
stop_existing_legacy_deployment() {
# Legacy bridge for upgrading pre-systemd one-click installs.
# New installs are systemd-only; this path only stops old nohup/pidfile deployments
# before the install prefix is replaced.
# before the install root is replaced.
local installed_role="$1"
local legacy_stop_script=""

Expand All @@ -794,18 +793,14 @@ stop_existing_legacy_deployment() {

if [[ -n "${legacy_stop_script}" ]]; then
log "stopping legacy pre-systemd deployment under ${INSTALL_PREFIX}"
ONE_CLICK_TOOLBOX_ROOT="${INSTALL_PREFIX}" \
ONE_CLICK_RUNTIME_ENV_FILE="${INSTALL_PREFIX}/.one-click.env" \
"${legacy_stop_script}" || true
"${legacy_stop_script}" || true
fi
}

install_systemd_units() {
local install_units_script="${INSTALL_PREFIX}/scripts/systemd/install-units.sh"
ensure_file "${install_units_script}"
ONE_CLICK_TOOLBOX_ROOT="${INSTALL_PREFIX}" \
ONE_CLICK_RUNTIME_ENV_FILE="${INSTALL_PREFIX}/.one-click.env" \
"${install_units_script}"
"${install_units_script}"
}

start_systemd_target() {
Expand Down Expand Up @@ -950,28 +945,24 @@ if [[ "${INSTALL_MODE}" == "upgrade" ]]; then
fi
fi

if [[ "${INSTALL_PREFIX%/}" == "${TOOLBOX_ROOT%/}" ]]; then
rm -rf \
"${INSTALL_PREFIX}/network-agent" \
"${INSTALL_PREFIX}/CubeAPI" \
"${INSTALL_PREFIX}/CubeMaster" \
"${INSTALL_PREFIX}/Cubelet" \
"${INSTALL_PREFIX}/cubeproxy" \
"${INSTALL_PREFIX}/coredns" \
"${INSTALL_PREFIX}/webui" \
"${INSTALL_PREFIX}/support" \
"${INSTALL_PREFIX}/systemd" \
"${INSTALL_PREFIX}/cube-shim" \
"${INSTALL_PREFIX}/cube-kernel-scf" \
"${INSTALL_PREFIX}/cube-image" \
"${INSTALL_PREFIX}/scripts" \
"${INSTALL_PREFIX}/sql" \
"${INSTALL_PREFIX}/.one-click.env"
else
# Full wipe of a custom prefix, but preserve any upgrade backup directory so
# the config snapshot survives for recovery/rollback.
wipe_custom_install_prefix_contents "${INSTALL_PREFIX}"
fi
assert_safe_install_prefix "${INSTALL_PREFIX}"
rm -rf \
Comment thread
fslongjin marked this conversation as resolved.
Comment thread
fslongjin marked this conversation as resolved.
"${INSTALL_PREFIX}/network-agent" \
"${INSTALL_PREFIX}/CubeAPI" \
"${INSTALL_PREFIX}/CubeMaster" \
"${INSTALL_PREFIX}/Cubelet" \
"${INSTALL_PREFIX}/cubeproxy" \
"${INSTALL_PREFIX}/coredns" \
"${INSTALL_PREFIX}/webui" \
"${INSTALL_PREFIX}/support" \
"${INSTALL_PREFIX}/systemd" \
"${INSTALL_PREFIX}/cube-shim" \
"${INSTALL_PREFIX}/cube-kernel-scf" \
"${INSTALL_PREFIX}/cube-image" \
"${INSTALL_PREFIX}/cube-egress" \
"${INSTALL_PREFIX}/scripts" \
"${INSTALL_PREFIX}/sql" \
"${INSTALL_PREFIX}/.one-click.env"

mkdir -p "${INSTALL_PREFIX}"
if [[ "${DEPLOY_ROLE}" == "compute" ]]; then
Expand Down Expand Up @@ -1154,9 +1145,7 @@ check_runtime_file_paths_not_directories
start_systemd_target

if [[ "${ONE_CLICK_RUN_QUICKCHECK:-1}" == "1" ]]; then
ONE_CLICK_TOOLBOX_ROOT="${INSTALL_PREFIX}" \
ONE_CLICK_RUNTIME_ENV_FILE="${RUNTIME_ENV_FILE}" \
"${INSTALL_PREFIX}/scripts/one-click/quickcheck.sh"
"${INSTALL_PREFIX}/scripts/one-click/quickcheck.sh"
fi

log "install complete (role=${DEPLOY_ROLE})"
Expand Down
60 changes: 42 additions & 18 deletions deploy/one-click/lib/common.sh
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@

ONE_CLICK_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ONE_CLICK_DIR="$(cd "${ONE_CLICK_LIB_DIR}/.." && pwd)"
if [[ "${CUBE_SANDBOX_INSTALL_ROOT:-}" != "/usr/local/services/cubetoolbox" ]]; then
CUBE_SANDBOX_INSTALL_ROOT="/usr/local/services/cubetoolbox"
fi
readonly CUBE_SANDBOX_INSTALL_ROOT

log() {
echo "[one-click] $*" >&2
Expand Down Expand Up @@ -647,10 +651,9 @@ patch_cubelet_config_template() {
# ---------------------------------------------------------------------------

# assert_safe_install_prefix: refuse to perform a destructive full wipe of an
# obviously unsafe install prefix. Guards against a mis-set
# ONE_CLICK_INSTALL_PREFIX (e.g. "/" or "/usr", or a foreign dir like
# "/usr/local" / "/var/lib") turning the custom-prefix wipe into a
# system-destroying `rm -rf`. Beyond the root/system/top-level denylist, a
# obviously unsafe install root. Guards against a bad caller accidentally
# pointing a wipe at "/" or "/usr", or a foreign dir like "/usr/local" /
# "/var/lib", turning the wipe into a system-destroying `rm -rf`. Beyond the root/system/top-level denylist, a
# non-empty existing prefix is only wiped when it is a recognised CubeSandbox
# install (presence of a marker artifact such as .one-click.env / CubeMaster)
# or effectively empty. A lone '.backup' left over from an interrupted upgrade
Expand All @@ -659,14 +662,14 @@ patch_cubelet_config_template() {
assert_safe_install_prefix() {
local prefix="$1"

[[ -n "${prefix}" ]] || die "refusing to wipe an empty install prefix"
[[ "${prefix}" == /* ]] || die "refusing to wipe a non-absolute install prefix: ${prefix}"
[[ ! -L "${prefix}" ]] || die "refusing to wipe a symlink install prefix: ${prefix}"
[[ -n "${prefix}" ]] || die "refusing to wipe an empty install root"
[[ "${prefix}" == /* ]] || die "refusing to wipe a non-absolute install root: ${prefix}"
[[ ! -L "${prefix}" ]] || die "refusing to wipe a symlink install root: ${prefix}"

# Normalize: drop a single trailing slash (but keep "/" detectable).
local norm="${prefix%/}"
[[ -n "${norm}" ]] || die "refusing to wipe the filesystem root: ${prefix}"
[[ ! -L "${norm}" ]] || die "refusing to wipe a symlink install prefix: ${prefix}"
[[ ! -L "${norm}" ]] || die "refusing to wipe a symlink install root: ${prefix}"

case "${norm}" in
/usr|/bin|/sbin|/lib|/lib64|/etc|/var|/boot|/dev|/proc|/sys|/run|/root|/home|/opt)
Expand All @@ -682,7 +685,7 @@ assert_safe_install_prefix() {
# top-level directories cannot be wiped wholesale.
local trimmed="${norm#/}"
if [[ "${trimmed}" != */* ]]; then
die "refusing to wipe a top-level directory: ${prefix} (install prefix must be at least two levels deep)"
die "refusing to wipe a top-level directory: ${prefix} (install root must be at least two levels deep)"
fi

# Content sanity check: the custom-prefix wipe deletes every top-level entry
Expand All @@ -703,7 +706,7 @@ _assert_no_top_level_symlinks() {
local symlink
symlink="$(find "${dir}" -mindepth 1 -maxdepth 1 -type l -print -quit 2>/dev/null || true)"
if [[ -n "${symlink}" ]]; then
die "refusing to wipe custom install prefix ${display}: contains top-level symlink (${symlink}); move it away and retry"
die "refusing to wipe install root ${display}: contains top-level symlink (${symlink}); move it away and retry"
fi
}

Expand All @@ -722,7 +725,7 @@ _assert_cube_prefix_marker_or_empty() {
local stray
stray="$(find "${dir}" -mindepth 1 -maxdepth 1 ! -name '.backup' -print -quit 2>/dev/null || true)"
if [[ -n "${stray}" ]]; then
die "refusing to wipe custom install prefix ${display}: directory is not empty and contains no CubeSandbox installation markers (.one-click.env / CubeMaster / CubeAPI / Cubelet). Point ONE_CLICK_INSTALL_PREFIX at a dedicated CubeSandbox prefix, or remove the foreign content first."
die "refusing to wipe install root ${display}: directory is not empty and contains no CubeSandbox installation markers (.one-click.env / CubeMaster / CubeAPI / Cubelet). Remove the foreign content first."
fi
fi
}
Expand All @@ -740,14 +743,14 @@ wipe_custom_install_prefix_contents() {
fi

before="$(stat -c '%d:%i' -- "${norm}")" \
|| die "failed to stat install prefix before wipe: ${prefix}"
|| die "failed to stat install root before wipe: ${prefix}"

(
cd -- "${norm}" || die "failed to enter install prefix: ${prefix}"
cd -- "${norm}" || die "failed to enter install root: ${prefix}"
after="$(stat -c '%d:%i' -- .)" \
|| die "failed to stat install prefix after cd: ${prefix}"
|| die "failed to stat install root after cd: ${prefix}"
[[ "${before}" == "${after}" ]] \
|| die "install prefix changed while preparing to wipe: ${prefix}"
|| die "install root changed while preparing to wipe: ${prefix}"

# Re-run the marker/empty check against the pinned cwd. This closes the
# gap between path validation and destructive deletion.
Expand Down Expand Up @@ -862,6 +865,8 @@ def parse(path):
# database (configured via the WebUI), and the DB master key is auto-bootstrapped
# by CubeAPI, so AGENTHUB_SECRET_KEY is obsolete too.
DEPRECATED_KEYS = {
"ONE_CLICK_INSTALL_PREFIX",
"ONE_CLICK_TOOLBOX_ROOT",
"AGENTHUB_DEEPSEEK_API_KEY",
"OPENCLAW_DEEPSEEK_API_KEY",
"AGENTHUB_LLM_API_KEY",
Expand All @@ -877,6 +882,19 @@ DEPRECATED_KEYS = {
"CUBE_API_DATABASE_URL",
}

LEGACY_CUBE_PROXY_CERT_DIR_DEFAULTS = {
Comment thread
fslongjin marked this conversation as resolved.
'"${ONE_CLICK_INSTALL_PREFIX}/cubeproxy/certs"',
"'${ONE_CLICK_INSTALL_PREFIX}/cubeproxy/certs'",
"${ONE_CLICK_INSTALL_PREFIX}/cubeproxy/certs",
}


def normalize_legacy_value(key, val, tmpl_val):
Comment thread
fslongjin marked this conversation as resolved.
if key == "CUBE_PROXY_CERT_DIR" and val in LEGACY_CUBE_PROXY_CERT_DIR_DEFAULTS:
return tmpl_val, True
return val, False


new_defaults = parse(new_example)
old_values = parse(old_runtime)
old_baseline_vals = parse(old_baseline) if old_baseline else {}
Expand All @@ -887,6 +905,7 @@ added = []
updated_default = []
preserved = []
explicit = []
migrated_legacy = []
dropped = []

out_lines = []
Expand All @@ -912,7 +931,9 @@ for line in template:
chosen = new_overrides[key]
explicit.append(key)
elif key in old_values:
ov = old_values[key]
ov, migrated = normalize_legacy_value(key, old_values[key], tmpl_val)
if migrated:
migrated_legacy.append((key, old_values[key], ov))
if (has_baseline and key in old_baseline_vals
and ov == old_baseline_vals[key] and ov != tmpl_val):
chosen = tmpl_val
Expand Down Expand Up @@ -965,6 +986,9 @@ for k, ov, nv in updated_default:
report.append("[preserved] kept your customized values: %d" % len(preserved))
for k, v in preserved:
report.append(" = %s=%s" % (k, redact(k, v)))
report.append("[migrated-legacy] legacy defaults rewritten to new fixed defaults: %d" % len(migrated_legacy))
for k, ov, nv in migrated_legacy:
report.append(" ^ %s: %s -> %s" % (k, redact(k, ov), redact(k, nv)))
report.append("[explicit] taken from new .env overrides: %d" % len(explicit))
for k in explicit:
report.append(" ! %s" % k)
Expand All @@ -979,8 +1003,8 @@ with open(diff_file, "w", encoding="utf-8") as fh:
fh.write("\n".join(report) + "\n")

sys.stderr.write(
"[one-click] env merge: +%d new, ~%d default-updated, =%d preserved, >%d kept-extra, -%d dropped%s\n" % (
len(added), len(updated_default), len(preserved), len(extra), len(dropped),
"[one-click] env merge: +%d new, ~%d default-updated, =%d preserved, ^%d migrated-legacy, >%d kept-extra, -%d dropped%s\n" % (
len(added), len(updated_default), len(preserved), len(migrated_legacy), len(extra), len(dropped),
"" if has_baseline else " (two-way fallback: no baseline)"))
PY
}
Expand Down
5 changes: 2 additions & 3 deletions deploy/one-click/scripts/cube-diag/check-procs.sh
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,6 @@ Options:

Environment variables:
ONE_CLICK_DEPLOY_ROLE control (default) or compute
ONE_CLICK_TOOLBOX_ROOT Installation root (default: /usr/local/services/cubetoolbox)
ONE_CLICK_RUNTIME_DIR PID file directory (default: /var/run/cube-sandbox-one-click)
NETWORK_AGENT_HEALTH_ADDR network-agent health address (default: 127.0.0.1:19090)
CUBE_API_HEALTH_ADDR cube-api health address (default: 127.0.0.1:3000)
Expand All @@ -78,8 +77,8 @@ Examples:
EOF
}

# ── Config (override via env) ──────────────────────────────────────────────────
TOOLBOX_ROOT="${ONE_CLICK_TOOLBOX_ROOT:-/usr/local/services/cubetoolbox}"
# ── Config ─────────────────────────────────────────────────────────────────────
TOOLBOX_ROOT="/usr/local/services/cubetoolbox"
RUNTIME_DIR="${ONE_CLICK_RUNTIME_DIR:-/var/run/cube-sandbox-one-click}"
NA_HEALTH_ADDR="${NETWORK_AGENT_HEALTH_ADDR:-127.0.0.1:19090}"
CUBE_API_HEALTH_ADDR="${CUBE_API_HEALTH_ADDR:-127.0.0.1:3000}"
Expand Down
3 changes: 1 addition & 2 deletions deploy/one-click/scripts/cube-diag/collect-logs.sh
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,6 @@ Options:
--help Show this help message and exit

Environment variables:
ONE_CLICK_TOOLBOX_ROOT Installation root (default: /usr/local/services/cubetoolbox)
ONE_CLICK_LOG_DIR Runtime log directory (default: /var/log/cube-sandbox-one-click)
ONE_CLICK_RUNTIME_DIR PID file directory (default: /var/run/cube-sandbox-one-click)
CUBE_DATA_LOG_DIR Structured log root (default: /data/log)
Expand All @@ -96,7 +95,7 @@ EOF


# ── Config ─────────────────────────────────────────────────────────────────────
TOOLBOX_ROOT="${ONE_CLICK_TOOLBOX_ROOT:-/usr/local/services/cubetoolbox}"
TOOLBOX_ROOT="/usr/local/services/cubetoolbox"
RUNTIME_LOG_DIR="${ONE_CLICK_LOG_DIR:-/var/log/cube-sandbox-one-click}"
RUNTIME_PID_DIR="${ONE_CLICK_RUNTIME_DIR:-/var/run/cube-sandbox-one-click}"
DATA_LOG_DIR="${CUBE_DATA_LOG_DIR:-/data/log}"
Expand Down
Loading
Loading