Commit graph

747 commits

Author SHA1 Message Date
rcourtman
ed65fda74d Extend node cleanup to fully remove Pulse footprint
When a Proxmox node is removed from Pulse, the cleanup now performs full uninstallation:

- SSH keys removal (existing functionality)
- Uninstalls pulse-sensor-proxy service
- Removes LXC bind mounts from container configs
- Deletes Proxmox API tokens
- Removes pulse-monitor@pam user

This aligns with security best practices and user expectations - "remove node"
should completely sever trust with that machine, not leave credentials and
privileged services behind.

The cleanup script now calls the uninstaller (--uninstall) and uses pveum
to remove API tokens. This prevents leftover artifacts if the host is
repurposed or compromised.

Related: config_handlers.go triggerPVEHostCleanup() at node deletion
2025-11-14 22:58:50 +00:00
rcourtman
c5a5eb2534 Use unique temp file prefix to avoid permission conflicts
- Change mktemp to use /tmp/pulse-config.XXXXXXXXXX template
- Prevents conflicts with stale temp files from previous runs
- Fixes 'Permission denied' errors when script re-runs
2025-11-14 22:44:33 +00:00
rcourtman
3a381e764a Add cleanup trap and better error handling to update_allowed_nodes
- Add trap to remove temp file on function return (success or failure)
- Add error check for mv command with descriptive message
- Ensure config file has proper permissions after update

This prevents orphaned temp files when errors occur and provides
better diagnostics when file operations fail.
2025-11-14 22:13:35 +00:00
rcourtman
d0080e4adf Remove invalid 'local' keyword from main script scope
The all_nodes arrays were declared with 'local' keyword outside of
functions, causing bash syntax error:
  'local: can only be used in a function'

Fixed by removing 'local' keyword - arrays in main script scope don't
need it and it's actually invalid syntax.
2025-11-14 22:06:44 +00:00
rcourtman
ddf0733353 Fix update_allowed_nodes to remove comment headers
The awk logic was removing allowed_nodes sections but leaving their
comment headers behind. When multiple sections existed, comments would
accumulate.

New approach:
- Buffer all comment lines encountered outside sections
- When a non-comment line is found, flush buffered comments
- When allowed_nodes is found, discard buffered comments (they belonged
  to the section we're removing)
- This cleanly removes section headers like:
  '# Cluster nodes (auto-discovered during installation)'
  '# These nodes are allowed to request...'

Tested with config containing duplicate allowed_nodes sections - now
correctly produces clean output with all duplicates and headers removed.
2025-11-14 22:02:10 +00:00
rcourtman
245d6f5b47 Ensure base config exists before updating allowed_nodes
The installer was only creating base config.yaml in standalone mode,
but update_allowed_nodes() is also called in LXC mode. When the config
didn't exist, update_allowed_nodes() would create an empty file and only
add the allowed_nodes section, missing required fields like
allowed_peer_uids, metrics_address, rate_limit, etc.

This caused the proxy to fail when it tried to parse the incomplete config.

Now creates a proper base config with all required fields if the file
doesn't exist, before any mode-specific configuration is added.
2025-11-14 21:57:16 +00:00
rcourtman
f7936cb540 Fix duplicate allowed_nodes in sensor proxy installer
The install-sensor-proxy.sh script was blindly appending allowed_nodes
sections to the config file without checking if they already existed.
When the script was re-run or if the initial config already had an
allowed_nodes section, this created duplicate YAML keys that caused
the proxy service to fail with parse errors.

Changes:
- Add update_allowed_nodes() helper function that safely updates the
  allowed_nodes section by removing any existing ones first
- Replace all three cat >> config.yaml heredocs with calls to the
  helper function (cluster nodes, standalone mode, pvecm fallback)
- Uses awk to properly parse and remove multi-line YAML sections

This makes the installer idempotent and prevents config corruption on
re-runs.

Fixes issue where proxy service crashed with:
  'mapping key "allowed_nodes" already defined at line X'
2025-11-14 21:43:31 +00:00
rcourtman
387a68ef18 Allow dev builds to skip proxy version gate 2025-11-14 21:34:55 +00:00
rcourtman
e708727725 Improve sensor proxy socket verification 2025-11-14 20:14:25 +00:00
rcourtman
7cfe998fca Make download tests use temp bin dir 2025-11-14 13:59:50 +00:00
rcourtman
1c7991954e CI: remove unsupported vitest args 2025-11-14 13:41:16 +00:00
rcourtman
20194d9bb7 Add CI build workflow and tighten proxy diagnostics 2025-11-14 13:32:29 +00:00
rcourtman
65fbd72b15 feat: add shared status indicators
Related to #677
2025-11-14 12:42:08 +00:00
rcourtman
349f5627e5 monitoring: add poll watchdog to prevent worker leaks (refs #696) 2025-11-14 11:24:59 +00:00
rcourtman
6e9a62f663 Ensure Windows download finds .exe (related to #684) 2025-11-14 10:59:45 +00:00
rcourtman
1d0d23d237 Related to #710: harden Windows installer arch detection 2025-11-14 10:50:56 +00:00
rcourtman
1ed69d35b6 docs: highlight runbooks in index and script verification checklist 2025-11-14 10:39:10 +00:00
rcourtman
dca562b7b4 docs: reference log forwarding runbook in sensor proxy guides 2025-11-14 10:37:09 +00:00
rcourtman
4693900f8b docs: document sensor proxy log forwarding 2025-11-14 01:12:25 +00:00
rcourtman
da192dd4c2 docs: surface operations runbooks in main readme 2025-11-14 01:08:41 +00:00
rcourtman
34bf5f524b docs: add auto-update troubleshooting 2025-11-14 01:07:32 +00:00
rcourtman
7a9c420912 docs: clarify auto-update flow and surface proxy guide 2025-11-14 01:06:11 +00:00
rcourtman
a163988bf5 docs: add auto-update runbook 2025-11-14 01:05:06 +00:00
rcourtman
1aec43b1ac docs: escape table pipes in sensor proxy readme 2025-11-14 01:01:55 +00:00
rcourtman
9864258207 docs: add operations runbooks and audit fixes 2025-11-14 01:01:21 +00:00
rcourtman
4d021f8a50 Related to #701: improve sensor proxy installer caching 2025-11-14 00:51:54 +00:00
rcourtman
b77330b1be Clarify sensor proxy HTTPS workflow in docs 2025-11-14 00:48:41 +00:00
rcourtman
a278b52b5e Explain HTTPS-first temperature architecture 2025-11-14 00:45:20 +00:00
rcourtman
bfb8fd4a64 Document v4.31.0 release highlights 2025-11-14 00:43:16 +00:00
rcourtman
86bc617940 Fix YAML syntax errors in workflow files 2025-11-13 23:54:55 +00:00
rcourtman
99b53afc49 Add branch trigger for testing 2025-11-13 23:48:19 +00:00
rcourtman
b650f7e174 Add minimal test workflow 2025-11-13 23:45:23 +00:00
rcourtman
3f8c994aa9 Use GITHUB_EVENT_PATH to parse inputs avoiding template context errors 2025-11-13 23:44:40 +00:00
rcourtman
f1303cf339 Fix workflow inputs context for push events 2025-11-13 23:42:59 +00:00
rcourtman
a8b6143408 Re-add tag trigger to enable workflow 2025-11-13 23:37:48 +00:00
rcourtman
039aba5df1 Match dry-run workflow format exactly 2025-11-13 23:29:56 +00:00
rcourtman
f886a3a422 Rename workflow file to force new workflow_id 2025-11-13 23:29:19 +00:00
rcourtman
cb8c1075fd Remove tag trigger to test workflow_dispatch 2025-11-13 23:28:57 +00:00
rcourtman
7e90ce0377 Add test workflow to diagnose dispatch issue 2025-11-13 23:26:39 +00:00
rcourtman
b36c988173 Add new pulse-release workflow with unique name 2025-11-13 23:23:39 +00:00
rcourtman
8f42dae363 Remove duplicate release workflows to force GitHub re-indexing 2025-11-13 23:23:16 +00:00
rcourtman
cc42007b00 Force workflow re-index for v4.31.0 release 2025-11-13 23:18:12 +00:00
rcourtman
33d712c185 Prepare v4.31.0 release 2025-11-13 23:14:01 +00:00
rcourtman
4f8b807f0c Refine Windows host installer logging (related to #709) 2025-11-13 23:09:22 +00:00
rcourtman
f2b888386c Remove installer v2 rollout doc 2025-11-13 22:36:01 +00:00
rcourtman
6d591920d9 Remove CONTRIBUTING-SCRIPTS doc 2025-11-13 22:34:21 +00:00
rcourtman
70673c1fdc Improve temperature proxy diagnostics and tests 2025-11-13 22:31:53 +00:00
rcourtman
319bf56a6f Add context timeout to local temperature collection
The getTemperatureLocal() function was running sensors without a timeout,
which could cause HTTP requests to hang if the sensors command stalled.

This adds context.Context parameter and uses exec.CommandContext to ensure
local temperature collection respects the same 15-second timeout as SSH-based
collection.

Fixes issue where HTTP mode worked for remote nodes but timed out for
self-monitoring on the same host.
2025-11-13 20:15:05 +00:00
rcourtman
9cb151d836 Add localhost to allowed_source_subnets for self-monitoring
The HTTP mode installer now includes 127.0.0.1/32 in allowed_source_subnets
to permit self-monitoring queries from localhost. This fixes 403 Forbidden
errors when nodes query their own sensor-proxy instance.

Related to HTTP mode implementation for external PVE hosts.
2025-11-13 19:34:11 +00:00
rcourtman
3c707a7368 Fix HTTP mode reliability: add context timeouts to SSH collection
Critical fix for intermittent HTTP endpoint hangs identified by Codex analysis.

## Root Cause
SSH collection via getTemperatureViaSSH() had no timeout, causing HTTP
handlers to block indefinitely when sensors command hung. This held node-level
mutexes and rate limit slots, creating cascading failures where subsequent
requests queued indefinitely.

## Solution
- Thread request context through to SSH execution
- Add exec.CommandContext with 15s timeout (vs 30s HTTP client timeout)
- Create execCommandWithLimitsContext() to wrap SSH commands
- Ensures handlers always release locks and respond within deadline

## Impact
- HTTP temps endpoint now responds in ~70ms consistently
- Temperature data successfully collected and displayed in Pulse
- Eliminates 'context deadline exceeded' errors
- Prevents node gate deadlocks from slow/stuck SSH sessions

Related to Codex session 019a7e99-00fc-7903-afa3-01100baf47c6
2025-11-13 19:09:50 +00:00