fix: 改进CN LLM部署SSH处理 + 明确域名配置要求 (工单三/五修复)

Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/bf92e1d8-e789-468b-80ab-2d7fec9be6c2

Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-04-11 15:26:31 +00:00 committed by GitHub
parent 3967a943e8
commit 4c69bf46aa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 62 additions and 12 deletions

View File

@ -45,20 +45,68 @@ jobs:
SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/cn_key
chmod 700 ~/.ssh
# 写入私钥 · 确保末尾有换行符
printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key
chmod 600 ~/.ssh/cn_key
# 格式校验
if head -1 ~/.ssh/cn_key | grep -q "BEGIN" && tail -1 ~/.ssh/cn_key | grep -q "END"; then
echo "✅ SSH私钥格式正确"
else
echo "❌ SSH私钥格式异常 — 请检查 ZY_CN_LLM_KEY"
echo "首行: $(head -1 ~/.ssh/cn_key)"
echo "末行: $(tail -1 ~/.ssh/cn_key)"
exit 1
fi
ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
# 显示密钥指纹用于调试(不泄露私钥内容)
ssh-keygen -l -f ~/.ssh/cn_key && echo "✅ 密钥指纹读取成功" || echo "⚠️ 无法读取密钥指纹"
# 写入 SSH config · 统一连接参数
cat > ~/.ssh/config << 'SSHCONF'
Host cn-relay
StrictHostKeyChecking accept-new
UserKnownHostsFile ~/.ssh/known_hosts
IdentityFile ~/.ssh/cn_key
IdentitiesOnly yes
ServerAliveInterval 15
ServerAliveCountMax 3
ConnectTimeout 30
SSHCONF
# 注入实际 Host/User避免 heredoc 内插值泄露)
sed -i "1a\\ HostName ${{ secrets.ZY_CN_LLM_HOST }}" ~/.ssh/config
sed -i "2a\\ User ${{ secrets.ZY_CN_LLM_USER }}" ~/.ssh/config
chmod 600 ~/.ssh/config
# 扫描主机公钥(不静默·便于排查)
echo "═══ 扫描目标主机公钥 ═══"
ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || echo "⚠️ ssh-keyscan 未返回主机密钥(可能被安全组拦截)"
echo "known_hosts 条目数: $(wc -l < ~/.ssh/known_hosts)"
- name: 🔗 SSH连接测试
run: |
echo "═══ SSH连接测试verbose模式 ═══"
ssh -vvv -o BatchMode=yes -o ConnectTimeout=15 \
-i ~/.ssh/cn_key \
${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} \
"echo '✅ SSH连接成功 · $(hostname) · $(date)'" \
2>&1 || {
echo ""
echo "═══ SSH连接失败 · 排查方向 ═══"
echo "1. 检查广州服务器 ~/.ssh/authorized_keys 是否包含对应公钥"
echo "2. 检查权限: chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"
echo "3. 检查 /etc/ssh/sshd_config: PubkeyAuthentication yes"
echo "4. 检查腾讯云安全组是否放行 GitHub Actions IP 的 22 端口"
echo "5. 查看服务器 SSH 日志: journalctl -u sshd -n 50"
exit 1
}
- name: 📦 同步代码到广州
run: |
rsync -avz --delete \
-e "ssh -i ~/.ssh/cn_key" \
-e "ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=30" \
--exclude='node_modules' \
--exclude='.env.relay' \
--exclude='logs' \
@ -130,14 +178,14 @@ jobs:
env:
SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/cn_key
mkdir -p ~/.ssh && chmod 700 ~/.ssh
printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key
chmod 600 ~/.ssh/cn_key
ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || true
- name: 🩺 检查服务状态
run: |
ssh -i ~/.ssh/cn_key \
ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 \
${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} << 'CMD'
echo "═══ PM2 状态 ═══"
pm2 list
@ -158,14 +206,14 @@ jobs:
env:
SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_KEY" > ~/.ssh/cn_key
mkdir -p ~/.ssh && chmod 700 ~/.ssh
printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key
chmod 600 ~/.ssh/cn_key
ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || true
- name: 🔄 重启
run: |
ssh -i ~/.ssh/cn_key \
ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 \
${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} << 'CMD'
cd /opt/cn-llm-relay
pm2 restart cn-llm-relay

View File

@ -415,7 +415,7 @@ jobs:
curl -sf http://localhost:3100/health || echo "⚠️ MCP Server健康检查失败等待更长时间..."
sleep 5
curl -sf http://localhost:3800/api/health && echo "✅ 主应用已上线 (3800)" || echo "❌ 主应用启动失败 (3800)"
curl -sf http://localhost:3801/api/health && echo "✅ 预览进程已上线 (3801)" || echo "❌ 预览进程启动失败 (3801) · guanghulab.online 可能502"
curl -sf http://localhost:3801/api/health && echo "✅ 预览进程已上线 (3801)" || echo "❌ 预览进程启动失败 (3801) · 若 ZY_DOMAIN_PREVIEW 域名指向此端口则该域名可能502"
curl -sf http://localhost:3100/health && echo "✅ MCP Server已上线 (3100)" || echo "❌ MCP Server启动失败 (3100)"
# 记录部署操作

View File

@ -19,6 +19,8 @@
# ─── §1 主域名 · 正式对外网站 ───
# 部署时由 deploy workflow 自动将 ZY_DOMAIN_MAIN_PLACEHOLDER 替换为实际域名
# 替换源: GitHub Secrets → ZY_DOMAIN_MAIN
# ⚠️ 重要: guanghulab.online 必须配置为 ZY_DOMAIN_MAIN不是 ZY_DOMAIN_PREVIEW
# 否则 /api/* 请求会被路由到 §2 预览站的 3801 端口而非 3800 → 导致 502
server {
listen 80 default_server;
server_name ZY_DOMAIN_MAIN_PLACEHOLDER 43.134.16.246 localhost 127.0.0.1;