fix: 改进CN LLM部署SSH处理 + 明确域名配置要求 (工单三/五修复)
Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/bf92e1d8-e789-468b-80ab-2d7fec9be6c2 Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
This commit is contained in:
parent
3967a943e8
commit
4c69bf46aa
|
|
@ -45,20 +45,68 @@ jobs:
|
|||
SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }}
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/cn_key
|
||||
chmod 700 ~/.ssh
|
||||
|
||||
# 写入私钥 · 确保末尾有换行符
|
||||
printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key
|
||||
chmod 600 ~/.ssh/cn_key
|
||||
|
||||
# 格式校验
|
||||
if head -1 ~/.ssh/cn_key | grep -q "BEGIN" && tail -1 ~/.ssh/cn_key | grep -q "END"; then
|
||||
echo "✅ SSH私钥格式正确"
|
||||
else
|
||||
echo "❌ SSH私钥格式异常 — 请检查 ZY_CN_LLM_KEY"
|
||||
echo "首行: $(head -1 ~/.ssh/cn_key)"
|
||||
echo "末行: $(tail -1 ~/.ssh/cn_key)"
|
||||
exit 1
|
||||
fi
|
||||
ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
||||
|
||||
# 显示密钥指纹用于调试(不泄露私钥内容)
|
||||
ssh-keygen -l -f ~/.ssh/cn_key && echo "✅ 密钥指纹读取成功" || echo "⚠️ 无法读取密钥指纹"
|
||||
|
||||
# 写入 SSH config · 统一连接参数
|
||||
cat > ~/.ssh/config << 'SSHCONF'
|
||||
Host cn-relay
|
||||
StrictHostKeyChecking accept-new
|
||||
UserKnownHostsFile ~/.ssh/known_hosts
|
||||
IdentityFile ~/.ssh/cn_key
|
||||
IdentitiesOnly yes
|
||||
ServerAliveInterval 15
|
||||
ServerAliveCountMax 3
|
||||
ConnectTimeout 30
|
||||
SSHCONF
|
||||
# 注入实际 Host/User(避免 heredoc 内插值泄露)
|
||||
sed -i "1a\\ HostName ${{ secrets.ZY_CN_LLM_HOST }}" ~/.ssh/config
|
||||
sed -i "2a\\ User ${{ secrets.ZY_CN_LLM_USER }}" ~/.ssh/config
|
||||
chmod 600 ~/.ssh/config
|
||||
|
||||
# 扫描主机公钥(不静默·便于排查)
|
||||
echo "═══ 扫描目标主机公钥 ═══"
|
||||
ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || echo "⚠️ ssh-keyscan 未返回主机密钥(可能被安全组拦截)"
|
||||
echo "known_hosts 条目数: $(wc -l < ~/.ssh/known_hosts)"
|
||||
|
||||
- name: 🔗 SSH连接测试
|
||||
run: |
|
||||
echo "═══ SSH连接测试(verbose模式) ═══"
|
||||
ssh -vvv -o BatchMode=yes -o ConnectTimeout=15 \
|
||||
-i ~/.ssh/cn_key \
|
||||
${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} \
|
||||
"echo '✅ SSH连接成功 · $(hostname) · $(date)'" \
|
||||
2>&1 || {
|
||||
echo ""
|
||||
echo "═══ SSH连接失败 · 排查方向 ═══"
|
||||
echo "1. 检查广州服务器 ~/.ssh/authorized_keys 是否包含对应公钥"
|
||||
echo "2. 检查权限: chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"
|
||||
echo "3. 检查 /etc/ssh/sshd_config: PubkeyAuthentication yes"
|
||||
echo "4. 检查腾讯云安全组是否放行 GitHub Actions IP 的 22 端口"
|
||||
echo "5. 查看服务器 SSH 日志: journalctl -u sshd -n 50"
|
||||
exit 1
|
||||
}
|
||||
|
||||
- name: 📦 同步代码到广州
|
||||
run: |
|
||||
rsync -avz --delete \
|
||||
-e "ssh -i ~/.ssh/cn_key" \
|
||||
-e "ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=30" \
|
||||
--exclude='node_modules' \
|
||||
--exclude='.env.relay' \
|
||||
--exclude='logs' \
|
||||
|
|
@ -130,14 +178,14 @@ jobs:
|
|||
env:
|
||||
SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }}
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/cn_key
|
||||
mkdir -p ~/.ssh && chmod 700 ~/.ssh
|
||||
printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key
|
||||
chmod 600 ~/.ssh/cn_key
|
||||
ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
||||
ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || true
|
||||
|
||||
- name: 🩺 检查服务状态
|
||||
run: |
|
||||
ssh -i ~/.ssh/cn_key \
|
||||
ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 \
|
||||
${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} << 'CMD'
|
||||
echo "═══ PM2 状态 ═══"
|
||||
pm2 list
|
||||
|
|
@ -158,14 +206,14 @@ jobs:
|
|||
env:
|
||||
SSH_KEY: ${{ secrets.ZY_CN_LLM_KEY }}
|
||||
run: |
|
||||
mkdir -p ~/.ssh
|
||||
echo "$SSH_KEY" > ~/.ssh/cn_key
|
||||
mkdir -p ~/.ssh && chmod 700 ~/.ssh
|
||||
printf '%s\n' "$SSH_KEY" > ~/.ssh/cn_key
|
||||
chmod 600 ~/.ssh/cn_key
|
||||
ssh-keyscan -H ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
|
||||
ssh-keyscan -T 10 ${{ secrets.ZY_CN_LLM_HOST }} >> ~/.ssh/known_hosts 2>&1 || true
|
||||
|
||||
- name: 🔄 重启
|
||||
run: |
|
||||
ssh -i ~/.ssh/cn_key \
|
||||
ssh -i ~/.ssh/cn_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 \
|
||||
${{ secrets.ZY_CN_LLM_USER }}@${{ secrets.ZY_CN_LLM_HOST }} << 'CMD'
|
||||
cd /opt/cn-llm-relay
|
||||
pm2 restart cn-llm-relay
|
||||
|
|
|
|||
|
|
@ -415,7 +415,7 @@ jobs:
|
|||
curl -sf http://localhost:3100/health || echo "⚠️ MCP Server健康检查失败,等待更长时间..."
|
||||
sleep 5
|
||||
curl -sf http://localhost:3800/api/health && echo "✅ 主应用已上线 (3800)" || echo "❌ 主应用启动失败 (3800)"
|
||||
curl -sf http://localhost:3801/api/health && echo "✅ 预览进程已上线 (3801)" || echo "❌ 预览进程启动失败 (3801) · guanghulab.online 可能502"
|
||||
curl -sf http://localhost:3801/api/health && echo "✅ 预览进程已上线 (3801)" || echo "❌ 预览进程启动失败 (3801) · 若 ZY_DOMAIN_PREVIEW 域名指向此端口则该域名可能502"
|
||||
curl -sf http://localhost:3100/health && echo "✅ MCP Server已上线 (3100)" || echo "❌ MCP Server启动失败 (3100)"
|
||||
|
||||
# 记录部署操作
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@
|
|||
# ─── §1 主域名 · 正式对外网站 ───
|
||||
# 部署时由 deploy workflow 自动将 ZY_DOMAIN_MAIN_PLACEHOLDER 替换为实际域名
|
||||
# 替换源: GitHub Secrets → ZY_DOMAIN_MAIN
|
||||
# ⚠️ 重要: guanghulab.online 必须配置为 ZY_DOMAIN_MAIN(不是 ZY_DOMAIN_PREVIEW)
|
||||
# 否则 /api/* 请求会被路由到 §2 预览站的 3801 端口而非 3800 → 导致 502
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name ZY_DOMAIN_MAIN_PLACEHOLDER 43.134.16.246 localhost 127.0.0.1;
|
||||
|
|
|
|||
Loading…
Reference in New Issue