@rubytech/create-maxy-code 0.1.332 → 0.1.334
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
// Contract for the hardware watchdog arming point.
|
|
2
|
+
//
|
|
3
|
+
// On a constrained Pi the installer's `RuntimeWatchdogSec=20s` drop-in,
|
|
4
|
+
// armed at install step 1, reboot-looped its own install: the heavy npm/swap
|
|
5
|
+
// steps stalled PID1 past 20s, the board reset, the relaunch stalled again.
|
|
6
|
+
// The fix arms the watchdog only as the final install action, once the heavy
|
|
7
|
+
// build/swap window is over, and applies it via `daemon-reexec` so it is
|
|
8
|
+
// actually active (RuntimeWatchdogUSec non-zero) without waiting for a reboot.
|
|
9
|
+
//
|
|
10
|
+
// Static-grep, not behaviour: the call site and the apply command live in the
|
|
11
|
+
// top-level install flow of index.ts, which executes real sudo/systemctl.
|
|
12
|
+
// Same pattern as base-toolchain-deps.test.ts — read src/index.ts at runtime
|
|
13
|
+
// as the authoritative source.
|
|
14
|
+
import test from "node:test";
|
|
15
|
+
import assert from "node:assert/strict";
|
|
16
|
+
import { readFileSync } from "node:fs";
|
|
17
|
+
import { fileURLToPath } from "node:url";
|
|
18
|
+
import { dirname, resolve } from "node:path";
|
|
19
|
+
// dist/__tests__/watchdog-deferred-arming.test.js → ../../src/index.ts
|
|
20
|
+
const here = dirname(fileURLToPath(import.meta.url));
|
|
21
|
+
const INDEX_TS = resolve(here, "../../src/index.ts");
|
|
22
|
+
const SRC = readFileSync(INDEX_TS, "utf-8");
|
|
23
|
+
/** Body of configureHardwareWatchdog(), up to the next top-level function. */
|
|
24
|
+
function watchdogFnBody() {
|
|
25
|
+
const start = SRC.indexOf("function configureHardwareWatchdog");
|
|
26
|
+
assert.ok(start >= 0, "could not locate configureHardwareWatchdog in index.ts");
|
|
27
|
+
const end = SRC.indexOf("function installSystemDeps", start);
|
|
28
|
+
assert.ok(end > start, "could not bound configureHardwareWatchdog body");
|
|
29
|
+
return SRC.slice(start, end);
|
|
30
|
+
}
|
|
31
|
+
test("watchdog is armed after buildPlatform and installService, not at step 1", () => {
|
|
32
|
+
const watchdogCall = SRC.indexOf("configureHardwareWatchdog();");
|
|
33
|
+
const build = SRC.indexOf("buildPlatform();");
|
|
34
|
+
const service = SRC.indexOf("installService();");
|
|
35
|
+
assert.ok(watchdogCall >= 0, "no configureHardwareWatchdog() call in the install flow");
|
|
36
|
+
assert.ok(build >= 0 && service >= 0, "expected buildPlatform()/installService() calls");
|
|
37
|
+
assert.ok(watchdogCall > build, "watchdog must be armed after buildPlatform()");
|
|
38
|
+
assert.ok(watchdogCall > service, "watchdog must be armed after installService()");
|
|
39
|
+
// the old step-1 placement (immediately after installSystemDeps()) is gone
|
|
40
|
+
assert.equal(SRC.includes("installSystemDeps();\n configureHardwareWatchdog();"), false, "watchdog must not be armed at step 1, right after installSystemDeps()");
|
|
41
|
+
});
|
|
42
|
+
test("watchdog drop-in is applied with daemon-reexec, not daemon-reload", () => {
|
|
43
|
+
const body = watchdogFnBody();
|
|
44
|
+
// match the quoted systemctl argument so explanatory comments naming the old
|
|
45
|
+
// command do not skew the assertion.
|
|
46
|
+
assert.ok(body.includes('"daemon-reexec"'), "configureHardwareWatchdog must apply via daemon-reexec");
|
|
47
|
+
assert.equal(body.includes('"daemon-reload"'), false, "daemon-reload does not apply RuntimeWatchdogSec");
|
|
48
|
+
});
|
|
49
|
+
test("idempotent re-run only skips re-arming when the watchdog is live-armed", () => {
|
|
50
|
+
// A drop-in on disk does not prove the live PID1 has the watchdog active
|
|
51
|
+
// (prior daemon-reload, or a just-removed disable override). The function must
|
|
52
|
+
// read RuntimeWatchdogUSec and re-arm when it is 0, so the muvin remediation
|
|
53
|
+
// (drop-in present, previously disabled) actually arms.
|
|
54
|
+
const body = watchdogFnBody();
|
|
55
|
+
assert.ok(body.includes("RuntimeWatchdogUSec"), "must read live RuntimeWatchdogUSec before skipping the arm");
|
|
56
|
+
assert.ok(body.includes('"--value"'), "must read the live watchdog value, not just the drop-in content");
|
|
57
|
+
});
|
|
58
|
+
test("watchdog keeps the 20s runtime / 2min reboot values", () => {
|
|
59
|
+
const body = watchdogFnBody();
|
|
60
|
+
assert.ok(body.includes("RuntimeWatchdogSec=20s"), "RuntimeWatchdogSec stays 20s");
|
|
61
|
+
assert.ok(body.includes("RebootWatchdogSec=2min"), "RebootWatchdogSec stays 2min");
|
|
62
|
+
});
|
package/dist/index.js
CHANGED
|
@@ -617,6 +617,53 @@ function writeChromiumBinaryPathFile() {
|
|
|
617
617
|
// warns, never aborts the install. Cannot recover a latched-off brownout (no
|
|
618
618
|
// power = no watchdog) — that needs the external power-cycler documented in
|
|
619
619
|
// deployment.md.
|
|
620
|
+
//
|
|
621
|
+
// Called as the FINAL install action (not step 1): RuntimeWatchdogSec=20s is a
|
|
622
|
+
// tight timer, and the heavy npm-install/swap-thrash steps stall PID1 past 20s
|
|
623
|
+
// on a constrained Pi. Arming early reboot-looped the install (the board reset
|
|
624
|
+
// mid-build, relaunched under the same load, reset again). Deferring the arm to
|
|
625
|
+
// after the build/swap window, then applying it with `daemon-reexec` so it is
|
|
626
|
+
// active immediately (RuntimeWatchdogUSec non-zero), keeps kernel-hang recovery
|
|
627
|
+
// without the loop.
|
|
628
|
+
// Disable the hardware watchdog drop-in for the duration of the install.
|
|
629
|
+
// configureHardwareWatchdog() writes /etc/systemd/system.conf.d/10-maxy-watchdog.conf
|
|
630
|
+
// (RuntimeWatchdogSec=20s) at the END of every install. That file persists
|
|
631
|
+
// across reboots, so on every install AFTER the first, PID1 already has the
|
|
632
|
+
// watchdog armed from boot. The heavy npm/Playwright/swap step in step [3/11]
|
|
633
|
+
// can stall PID1 past 20s on a constrained Pi, the SoC resets mid-install,
|
|
634
|
+
// boot resumes with the watchdog re-armed, the install never completes, and
|
|
635
|
+
// the box wedges (SSH never returns; observed on beacons).
|
|
636
|
+
//
|
|
637
|
+
// Neutralise the watchdog at install start by overwriting the drop-in with
|
|
638
|
+
// RuntimeWatchdogSec=0 and daemon-reexec to apply it immediately. Re-armed
|
|
639
|
+
// at install end by configureHardwareWatchdog(). If install fails between
|
|
640
|
+
// the two, the box is unarmed — recoverable, far better than reboot-loop.
|
|
641
|
+
function disableHardwareWatchdogForInstall() {
|
|
642
|
+
try {
|
|
643
|
+
if (!isLinux()) {
|
|
644
|
+
logFile(" hardware watchdog: disable-for-install skipped (not Linux)");
|
|
645
|
+
return;
|
|
646
|
+
}
|
|
647
|
+
if (!existsSync("/dev/watchdog")) {
|
|
648
|
+
logFile(" hardware watchdog: disable-for-install skipped (/dev/watchdog absent)");
|
|
649
|
+
return;
|
|
650
|
+
}
|
|
651
|
+
const disabled = "[Manager]\nRuntimeWatchdogSec=0\n";
|
|
652
|
+
const dropinDir = "/etc/systemd/system.conf.d";
|
|
653
|
+
const dropinPath = `${dropinDir}/10-maxy-watchdog.conf`;
|
|
654
|
+
const tmpPath = "/tmp/10-maxy-watchdog.conf";
|
|
655
|
+
writeFileSync(tmpPath, disabled);
|
|
656
|
+
console.log(" [privileged] disable hardware watchdog for install duration (RuntimeWatchdogSec=0)");
|
|
657
|
+
shell("mkdir", ["-p", dropinDir], { sudo: true });
|
|
658
|
+
shell("cp", [tmpPath, dropinPath], { sudo: true });
|
|
659
|
+
spawnSync("rm", ["-f", tmpPath]);
|
|
660
|
+
spawnSync("sudo", ["systemctl", "daemon-reexec"], { stdio: "inherit" });
|
|
661
|
+
logFile(` hardware watchdog: disabled for install (${dropinPath}, RuntimeWatchdogSec=0; re-armed at install end)`);
|
|
662
|
+
}
|
|
663
|
+
catch (err) {
|
|
664
|
+
console.error(` WARNING: failed to disable hardware watchdog for install: ${err instanceof Error ? err.message : String(err)}`);
|
|
665
|
+
}
|
|
666
|
+
}
|
|
620
667
|
function configureHardwareWatchdog() {
|
|
621
668
|
try {
|
|
622
669
|
if (!isLinux()) {
|
|
@@ -640,18 +687,33 @@ function configureHardwareWatchdog() {
|
|
|
640
687
|
current = "";
|
|
641
688
|
}
|
|
642
689
|
}
|
|
643
|
-
if (current
|
|
644
|
-
|
|
690
|
+
if (current !== desired) {
|
|
691
|
+
const tmpPath = "/tmp/10-maxy-watchdog.conf";
|
|
692
|
+
writeFileSync(tmpPath, desired);
|
|
693
|
+
console.log(" [privileged] install systemd hardware watchdog drop-in (RuntimeWatchdogSec=20s RebootWatchdogSec=2min)");
|
|
694
|
+
shell("mkdir", ["-p", dropinDir], { sudo: true });
|
|
695
|
+
shell("cp", [tmpPath, dropinPath], { sudo: true });
|
|
696
|
+
spawnSync("rm", ["-f", tmpPath]);
|
|
697
|
+
}
|
|
698
|
+
// Arm now, idempotently. The drop-in being on disk does NOT mean the live
|
|
699
|
+
// PID1 has the watchdog active — a prior install that only ran daemon-reload,
|
|
700
|
+
// or a just-removed disable override (RuntimeWatchdogSec=0), leaves the file
|
|
701
|
+
// present but RuntimeWatchdogUSec=0. So read the live value and only skip the
|
|
702
|
+
// re-exec when the watchdog is genuinely armed already; otherwise daemon-reexec
|
|
703
|
+
// re-execs PID1 in place (host-wide; running services are preserved) to apply
|
|
704
|
+
// the system-manager setting. daemon-reload does not apply RuntimeWatchdogSec.
|
|
705
|
+
const liveUsec = spawnSync("systemctl", ["show", "-p", "RuntimeWatchdogUSec", "--value"], {
|
|
706
|
+
encoding: "utf-8",
|
|
707
|
+
stdio: "pipe",
|
|
708
|
+
timeout: 5_000,
|
|
709
|
+
});
|
|
710
|
+
const usec = (liveUsec.stdout ?? "").trim();
|
|
711
|
+
if (current === desired && usec !== "" && usec !== "0") {
|
|
712
|
+
logFile(` hardware watchdog: already active (${dropinPath}, RuntimeWatchdogUSec=${usec})`);
|
|
645
713
|
return;
|
|
646
714
|
}
|
|
647
|
-
|
|
648
|
-
|
|
649
|
-
console.log(" [privileged] install systemd hardware watchdog drop-in (RuntimeWatchdogSec=20s RebootWatchdogSec=2min)");
|
|
650
|
-
shell("mkdir", ["-p", dropinDir], { sudo: true });
|
|
651
|
-
shell("cp", [tmpPath, dropinPath], { sudo: true });
|
|
652
|
-
spawnSync("rm", ["-f", tmpPath]);
|
|
653
|
-
spawnSync("sudo", ["systemctl", "daemon-reload"], { stdio: "inherit" });
|
|
654
|
-
logFile(` hardware watchdog: enabled (wrote ${dropinPath}; arms on next boot or systemd re-exec)`);
|
|
715
|
+
spawnSync("sudo", ["systemctl", "daemon-reexec"], { stdio: "inherit" });
|
|
716
|
+
logFile(` hardware watchdog: enabled (${dropinPath}; armed now via daemon-reexec, after the build/swap window)`);
|
|
655
717
|
}
|
|
656
718
|
catch (err) {
|
|
657
719
|
console.error(` WARNING: failed to configure hardware watchdog: ${err instanceof Error ? err.message : String(err)}`);
|
|
@@ -1502,6 +1564,28 @@ WantedBy=multi-user.target
|
|
|
1502
1564
|
spawnSync("sudo", ["systemctl", "daemon-reload"], { stdio: "inherit" });
|
|
1503
1565
|
console.log(" [privileged] systemctl enable");
|
|
1504
1566
|
shell("systemctl", ["enable", serviceName], { sudo: true });
|
|
1567
|
+
// Tear down a legacy-package dedicated Neo4j unit pinning the same port.
|
|
1568
|
+
// The `-code` rewrite packages (`create-<brand>-code`) replace the legacy
|
|
1569
|
+
// `create-<brand>` packages. When migrating a device from legacy to -code,
|
|
1570
|
+
// both packages' dedicated Neo4j units exist (`neo4j-<brand>.service` and
|
|
1571
|
+
// `neo4j-<brand>-code.service`) and both try to bind the same dedicated
|
|
1572
|
+
// bolt port. The legacy unit wins the race (it boots first because it's
|
|
1573
|
+
// alphabetically earlier in systemd's load order), the new unit silently
|
|
1574
|
+
// fails with `bind failed -98 Address already in use`, and the seed step
|
|
1575
|
+
// talks to the legacy instance with the wrong password — auth fails with
|
|
1576
|
+
// a misleading "client is unauthorized" (observed on beacons).
|
|
1577
|
+
if (brandSuffix.endsWith("-code")) {
|
|
1578
|
+
const legacyBrand = brandSuffix.slice(0, -"-code".length);
|
|
1579
|
+
const legacyUnit = `neo4j-${legacyBrand}.service`;
|
|
1580
|
+
const legacyUnitFile = `/etc/systemd/system/${legacyUnit}`;
|
|
1581
|
+
if (existsSync(legacyUnitFile)) {
|
|
1582
|
+
const legacyMsg = ` [neo4j] legacy unit detected (${legacyUnit}) — stopping + disabling so the -code unit owns port ${NEO4J_PORT}`;
|
|
1583
|
+
console.log(legacyMsg);
|
|
1584
|
+
logFile(legacyMsg);
|
|
1585
|
+
shell("systemctl", ["stop", legacyUnit], { sudo: true, bestEffort: true });
|
|
1586
|
+
shell("systemctl", ["disable", legacyUnit], { sudo: true, bestEffort: true });
|
|
1587
|
+
}
|
|
1588
|
+
}
|
|
1505
1589
|
// skip stop+disable when a peer brand on this host still depends
|
|
1506
1590
|
// on the apt `neo4j.service` (port 7687). Disabling it would kill the peer's
|
|
1507
1591
|
// database reproducer on Neo's laptop. The kept-active path is
|
|
@@ -2794,7 +2878,29 @@ function writeInstallDefaults(accountId) {
|
|
|
2794
2878
|
mkdirSync(publicDir, { recursive: true });
|
|
2795
2879
|
const publicTemplatesDir = join(INSTALL_DIR, "platform/templates/agents/public");
|
|
2796
2880
|
const publicIdentityDst = join(publicDir, "IDENTITY.md");
|
|
2797
|
-
|
|
2881
|
+
const publicIdentitySrc = join(publicTemplatesDir, "IDENTITY.md");
|
|
2882
|
+
cpSync(publicIdentitySrc, publicIdentityDst);
|
|
2883
|
+
// Defensive verify: a 0-byte IDENTITY.md silently traps the brand server
|
|
2884
|
+
// in STARTING (the reachability auditor logs `reachable=false reason=files
|
|
2885
|
+
// -missing IDENTITY.md:empty` every minute and the splash never clears).
|
|
2886
|
+
// Observed on 192.168.88.16 after a re-install: source 1655 bytes, dest
|
|
2887
|
+
// 0 bytes. Loud-fail here so a corrupt copy can never reach the device's
|
|
2888
|
+
// runtime.
|
|
2889
|
+
try {
|
|
2890
|
+
const srcBytes = statSync(publicIdentitySrc).size;
|
|
2891
|
+
const dstBytes = statSync(publicIdentityDst).size;
|
|
2892
|
+
if (dstBytes === 0 || dstBytes !== srcBytes) {
|
|
2893
|
+
throw new Error(`public-identity copy verify failed: src=${publicIdentitySrc} (${srcBytes} bytes) ` +
|
|
2894
|
+
`dst=${publicIdentityDst} (${dstBytes} bytes). A 0-byte or partial copy traps the brand ` +
|
|
2895
|
+
`server in STARTING forever — re-run the installer after restoring the template, or ` +
|
|
2896
|
+
`report this as a copy regression.`);
|
|
2897
|
+
}
|
|
2898
|
+
}
|
|
2899
|
+
catch (err) {
|
|
2900
|
+
if (err instanceof Error && err.message.startsWith("public-identity copy verify failed"))
|
|
2901
|
+
throw err;
|
|
2902
|
+
throw new Error(`public-identity verify stat failed: ${err instanceof Error ? err.message : String(err)}`);
|
|
2903
|
+
}
|
|
2798
2904
|
console.log(` [install-defaults] public-identity path=${publicIdentityDst}`);
|
|
2799
2905
|
logFile(` [install-defaults] public-identity path=${publicIdentityDst}`);
|
|
2800
2906
|
}
|
|
@@ -4255,8 +4361,12 @@ console.log("");
|
|
|
4255
4361
|
logDiagnostics("pre-flight");
|
|
4256
4362
|
logFile(` Neo4j instance: ${NEO4J_DEDICATED ? "dedicated" : "shared"} on bolt://localhost:${NEO4J_PORT}`);
|
|
4257
4363
|
try {
|
|
4364
|
+
// Disable any pre-existing hardware-watchdog drop-in BEFORE any heavy step.
|
|
4365
|
+
// configureHardwareWatchdog() re-arms it at install end. Without this, the
|
|
4366
|
+
// 20s deadline armed from boot reboots the box mid-install on every install
|
|
4367
|
+
// after the first.
|
|
4368
|
+
disableHardwareWatchdogForInstall();
|
|
4258
4369
|
installSystemDeps();
|
|
4259
|
-
configureHardwareWatchdog();
|
|
4260
4370
|
installNodejs();
|
|
4261
4371
|
installClaudeCode();
|
|
4262
4372
|
installNeo4j();
|
|
@@ -4314,6 +4424,11 @@ try {
|
|
|
4314
4424
|
const ok = freezing ? immutable : !immutable;
|
|
4315
4425
|
console.log(` [agent-guard] op=${ok ? op : `${op}-failed`} target=${target}`);
|
|
4316
4426
|
}
|
|
4427
|
+
// Arm the hardware watchdog as the final install action — after the heavy
|
|
4428
|
+
// build/swap window, so a tight watchdog can never reboot the box mid-install
|
|
4429
|
+
// (the reboot-loop this defends against). A partial/failed install exits
|
|
4430
|
+
// before this point and never writes the drop-in.
|
|
4431
|
+
configureHardwareWatchdog();
|
|
4317
4432
|
console.log("");
|
|
4318
4433
|
console.log("================================================================");
|
|
4319
4434
|
console.log("");
|
package/package.json
CHANGED
|
@@ -145,6 +145,15 @@ SETTINGS_EOF
|
|
|
145
145
|
[ "$_AGENT_NAME" = "admin" ] && continue
|
|
146
146
|
[ -f "$_AGENT_DIR/IDENTITY.md" ] || continue
|
|
147
147
|
cp "$TEMPLATES_DIR/agents/public/IDENTITY.md" "$_AGENT_DIR/IDENTITY.md"
|
|
148
|
+
# Defensive verify — a 0-byte cp traps the brand server in STARTING (the
|
|
149
|
+
# reachability auditor reports `reachable=false reason=files-missing
|
|
150
|
+
# IDENTITY.md:empty` every minute). Observed on 192.168.88.16 after a
|
|
151
|
+
# re-install: source 1655 bytes, dest 0 bytes. Loud-fail here so the
|
|
152
|
+
# operator sees the bad write at install time, not the splash forever.
|
|
153
|
+
if [ ! -s "$_AGENT_DIR/IDENTITY.md" ]; then
|
|
154
|
+
echo " [setup] FATAL agents/$_AGENT_NAME/IDENTITY.md is empty after copy from $TEMPLATES_DIR/agents/public/IDENTITY.md ($(wc -c < "$TEMPLATES_DIR/agents/public/IDENTITY.md") bytes); aborting before the brand server starts" >&2
|
|
155
|
+
return 1
|
|
156
|
+
fi
|
|
148
157
|
echo " agents/$_AGENT_NAME/IDENTITY.md re-synced"
|
|
149
158
|
done
|
|
150
159
|
|