The previous diagrams were too complex and overwhelming. Simplified all diagrams to show core concepts clearly: - Adaptive polling: reduced to basic scheduler→queue→workers flow - Temperature proxy: simplified to 3-box trust boundary view - Sensor proxy sequence: simplified to essential request flow - Webhook pipeline: reduced to template→send→retry flow - Script library: simplified to code→test→bundle→dist flow Fixed parsing error in temperature proxy diagram (parentheses in edge label causing render failure). Diagrams should clarify architecture, not recreate implementation.
4.1 KiB
4.1 KiB
Pulse Sensor Proxy Runbook
Quick Reference
- Binary:
/opt/pulse/sensor-proxy/bin/pulse-sensor-proxy - Unit:
pulse-sensor-proxy.service - Logs:
/var/log/pulse/sensor-proxy/proxy.log - Audit trail:
/var/log/pulse/sensor-proxy/audit.log(hash chained, forwarded via rsyslog) - Metrics:
http://127.0.0.1:9127/metrics(setPULSE_SENSOR_PROXY_METRICS_ADDRto change/disable) - Limiters: ~12 requests/minute per UID (burst 2), per-UID concurrency 2, global concurrency 8, 2 s penalty on validation failures
Monitoring Alerts & Response
sequenceDiagram
participant Backend
participant Proxy
participant Node
Backend->>Proxy: get_temperature
Proxy->>Proxy: Check rate limit
Proxy->>Node: SSH sensors -j
Node->>Proxy: JSON response
Proxy->>Backend: Temperature data
Rate Limit Hits (pulse_proxy_limiter_rejections_total)
- Check audit log entries tagged
limiter.rejectionfor offending UID. - Confirm workload legitimacy; if expected, consider increasing limits via config override.
- If malicious, block source process/user and inspect Pulse audit logs.
Penalty Events (pulse_proxy_limiter_penalties_total)
- Review corresponding validation failures in audit log (
command.validation_failed). - If repeated invalid JSON/unknown methods, inspect caller code for regressions or intrusion attempts.
Audit Log Forwarder Down
journalctl -u rsyslogto confirm transmission errors.- Ensure
/etc/pulse/log-forwardingcerts valid & remote host reachable. - Forwarding queue stored locally in
/var/log/pulse/sensor-proxy/forwarding.log; ship manually if outage exceeds 1 hour.
Proxy Health Endpoint Fails
systemctl status pulse-sensor-proxy- Check
/var/log/pulse/sensor-proxy/proxy.logfor panic or limiter exhaustion. - Inspect
/var/log/pulse/sensor-proxy/audit.logfor recent privileged method denials.
Standard Procedures
Restart Proxy Safely
sudo systemctl stop pulse-sensor-proxy
sudo apparmor_parser -r /etc/apparmor.d/pulse-sensor-proxy # if updating policy
sudo systemctl start pulse-sensor-proxy
Verify:
# Metrics endpoint exposes proxy build/health
curl -s http://127.0.0.1:9127/metrics | grep pulse_proxy_build_info
# Ensure adaptive polling sees the proxy again
curl -s http://localhost:7655/api/monitoring/scheduler/health \
| jq '.instances[] | select(.key | contains("temperature")) | {key, pollStatus}'
Temperature instances should show recent lastSuccess timestamps with no DLQ entries.
Rotate SSH Keys
- Run
scripts/secure-sensor-files.shto regenerate keys (ensure environment locked down). - Use RPC
ensure_cluster_keysto distribute new public key. - Confirm nodes accept
sshfrom proxy host. - Confirm the scheduler clears any temporary breakers/dlq entries:
Expectcurl -s http://localhost:7655/api/monitoring/scheduler/health \ | jq '.instances[] | select(.key | contains("temperature")) | {key, breaker: .breaker.state, deadLetter: .deadLetter.present}'breaker.state=="closed"anddeadLetter.present==falsefor all proxy-driven pollers.
Adjust Rate Limits
- Update
limiter_policyenvironment overrides (future config). - Restart proxy; monitor limiter metrics to validate new thresholds.
- Document change in security runbook.
Incident Handling
- Unauthorized Command Attempt: audit log shows
command.validation_failedand limiter penalties; capture correlation ID, check Pulse side for compromised container. - Excessive Temperature Failures: refer to
pulse_proxy_ssh_requests_total{result="error"}; validate network ACLs and node health; escalate to Proxmox team if nodes unreachable. - Log Tampering Suspected: verify audit hash chain by replaying
eventHashvalues; compare with remote log store (immutable). Trigger security response if mismatch.
Postmortem Checklist
- Timeline: command audit entries, limiter stats, rsyslog queue depth.
- Verify AppArmor/seccomp status (
aa-status,systemctl show pulse-sensor-proxy -p AppArmorProfile). - Ensure firewall ACLs match
docs/security/pulse-sensor-proxy-network.md.