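package maker

import (
	"context"
	"os"
	"path/filepath"

	"gitea.loveuer.com/yizhisec/pkg3/logger"
	"yizhisec.com/hsv2/forge/pkg/archiver"
	"yizhisec.com/hsv2/forge/pkg/resource"
)

// HSNet assembles the hs-net dependency bundle under
// <m.workdir>/dependency/hs_net: it downloads and unpacks the release
// package, moves the server and server_aes entries to the top of that
// directory, writes the YAML and JSON configs, the MQTT client cert/key,
// an empty lastVersion.txt and a workspace directory, saves the hs-net
// container image to hs-net.tar, and finally writes the systemd unit
// hs-net.service. Every step logs its failure and returns the error
// unchanged. ctx is passed to the download and to m.Image.
//
// Files that carry secret material (the private key and both config
// files, which embed a WireGuard private key and a paseto key) are
// written 0600; public material keeps 0644.
func (m *maker) HSNet(ctx context.Context) error {
	const (
		// _service is the systemd unit that runs hs-net as a containerd
		// container through k0s ctr. The unit starts the container with
		// --privileged and --net-host and bind-mounts /var/run and
		// /yizhisec read-write, so the container effectively has full
		// host access; review the mount list with that in mind.
		_service = `[Unit]
Description=hs-net Container Service
Documentation=https://docs.containerd.io
After=network.target containerd.service

[Service]
# 启动前清理旧容器
# ExecStartPre=-/usr/local/bin/k0s ctr -n hs-net task kill hs-net
ExecStartPre=-/usr/local/bin/k0s ctr namespace create hs-net
ExecStartPre=-/usr/local/bin/k0s ctr -n hs-net container rm hs-net

# 拉取最新镜像(按需启用/注释)
# ExecStartPre=/usr/local/bin/k0s ctr -n hs-net images pull hub.yizhisec.com/hybridscope/hsnet:release_2.1.0-std

# 容器启动命令
ExecStart=/usr/local/bin/k0s ctr -n hs-net run \
    --net-host \
    --privileged \
    --env LD_LIBRARY_PATH=/yizhisec/hs_net \
    --env RUST_BACKTRACE=1 \
    --mount type=bind,src=/etc/localtime,dst=/etc/localtime,options=rbind:ro \
    --mount type=bind,src=/etc/hosts,dst=/etc/hosts,options=rbind:ro \
    --mount type=bind,src=/etc/yizhisec,dst=/etc/yizhisec,options=rbind:rw \
    --mount type=bind,src=/tmp,dst=/tmp,options=rbind:rw \
    --mount type=bind,src=/etc/yosguard/uuid,dst=/etc/gateway/uuid.json,options=rbind:ro \
    --mount type=bind,src=/mnt/huge,dst=/mnt/huge,options=rbind:rw \
    --mount type=bind,src=/var/run,dst=/var/run,options=rbind:rw \
    --mount type=bind,src=/yizhisec,dst=/yizhisec,options=rbind:rw \
    --mount type=bind,src=/yizhisec/hs_net/conf,dst=/etc/hs_net,options=rbind:rw \
    hub.yizhisec.com/hybridscope/hsnet:release_2.1.0-std hs-net
# --cgroup host \
# --env RUSTFLAGS="-C target-cpu=nehalem" \

# 重启策略
Restart=on-failure
RestartSec=5s
StartLimitInterval=60s
StartLimitBurst=5

# 资源限制(按需调整)
MemoryLimit=2G
CPUQuota=80%

# 日志处理(将容器 stdout/stderr 交由 journald 管理)
StandardOutput=journal
StandardError=journal
SyslogIdentifier=hs-net

# 清理退出的容器
# ExecStop=/usr/local/bin/k0s ctr -n hs-net task kill hs-net
ExecStopPost=/usr/local/bin/k0s ctr -n hs-net container rm hs-net

[Install]
WantedBy=multi-user.target`

		// _conf_out is the YAML config written to <workdir>/server.conf.
		// It embeds wg.private_key and paseto_key, hence the 0600 below.
		// NOTE(review): both keys are fixed in this source, so every
		// gateway built from it shares them; generating them per
		// deployment would be the safer design. wg.mtu (1300) and
		// wg.keep_alive (61) differ from the JSON copy in _conf_in
		// (1380 / 60) - could not tell from here whether that is intended.
		_conf_out = `log:
  level: info
controller:
  protocol: https
  registerHost: hs-gateway-register-controller
  host: hs-gateway-controller
  port: 443
  tokenFilePath: /etc/yizhisec/token
  registerRetry: 30
wg:
  private_key: qPfOaNKrV11kzaGQiNQNyiu6wMQGUpIM+/xqboVAnng=
  private_network: 246.0.0.1/8
  listen_port: 23209
  mtu: 1300
  obf_key: 0
  keep_alive: 61
  tun_name: wg_tun
yosGuard:
  host: __ip__
  port: 7788
mqtt:
  protocol: tls
  host: mqtt.yizhisec.com
  port: '443'
  cert: /yizhisec/hs_net/conf/ssl/mqtt.client.crt
  key: /yizhisec/hs_net/conf/ssl/mqtt.client.key
  keep_alive: 60
paseto_key: TtKVnSzEHO3jRv/GWg3f5k3H1OVfMnPZ1Ke9E6MSCXk=
resource_server: hs-gateway-controller
dns_cache:
  Address: 127.0.0.1:9028
gatewayVersionFile: /etc/yizhisec/gateway_version.json
lastVersion: null
workDir: /yizhisec/hs_net/workspace
eth_names: []
tag: ''
cluster_mock: ''
openobserve_uri: ''
tcp_mode_disable: false
`

		// _conf_in is the JSON form of the config, written to
		// <workdir>/conf/server.conf; the unit bind-mounts that conf
		// directory to /etc/hs_net inside the container. Same secrets as
		// _conf_out, same 0600.
		_conf_in = `{
  "LogLevel": "info",
  "LogFile": "/yizhisec/hs_net/workspace/log/wireguard",
  "DnsVirtNetwork": null,
  "DnsVirtNetworkV6": null,
  "Foreground": false,
  "WithPprof": false,
  "DnsCache": {
    "Address": "127.0.0.1:9028"
  },
  "log": {
    "level": "info"
  },
  "yosGuard": {
    "host": "__ip__",
    "port": 7788
  },
  "controller": {
    "protocol": "https",
    "host": "hs-gateway-controller",
    "registerHost": "hs-gateway-register-controller",
    "port": 443,
    "registerRetry": 30,
    "tokenFilePath": "/etc/yizhisec/token"
  },
  "wg": {
    "private_key": "qPfOaNKrV11kzaGQiNQNyiu6wMQGUpIM+/xqboVAnng=",
    "private_network": "246.0.0.1/8",
    "listen_port": 23209,
    "mtu": 1380,
    "obf_key": 0,
    "keep_alive": 60,
    "tun_name": "wg_tun"
  },
  "mqtt": {
    "protocol": "tls",
    "host": "mqtt.yizhisec.com",
    "port": 443,
    "cert": "/yizhisec/hs_net/conf/ssl/mqtt.client.crt",
    "key": "/yizhisec/hs_net/conf/ssl/mqtt.client.key",
    "keep_alive": 60
  },
  "paseto_key": "TtKVnSzEHO3jRv/GWg3f5k3H1OVfMnPZ1Ke9E6MSCXk=",
  "resource_server": "hs-gateway-controller",
  "gatewayVersionFile": "/etc/yizhisec/gateway_version.json",
  "lastVersion": null,
  "workDir": "/yizhisec/hs_net/workspace",
  "dns_cache": {
    "Address": "127.0.0.1:9028"
  }
}
`

		// _url is the release package to download. Its version
		// (2.1.0-std) must stay in step with _image and with the image
		// tag embedded in _service; they are not derived from one value.
		_url = "https://artifactory.yizhisec.com/artifactory/yizhisec-release/hs_net/release/2.1.0-std/package.tar.gz"

		// _image is the container image pulled and saved to hs-net.tar.
		// It must match the image named on the ExecStart line of _service.
		_image = "hub.yizhisec.com/hybridscope/hsnet:release_2.1.0-std"
	)

	// Permissions: private key and secret-bearing configs are owner-only;
	// the public cert, the unit and the marker file stay world-readable.
	// The unit passes no --user to ctr run, so the container process
	// presumably runs as root and can still read root-owned 0600 files -
	// revisit secretPerm if it is ever switched to a non-root user.
	const (
		secretPerm os.FileMode = 0600
		publicPerm os.FileMode = 0644
		dirPerm    os.FileMode = 0755
	)

	var (
		err     error
		workdir = filepath.Join(m.workdir, "dependency", "hs_net")
	)

	logger.Info("☑️ MakeHSNet: 开始构建 hs-net, workdir = %s", workdir)

	if err = os.MkdirAll(workdir, dirPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 创建目录失败: %s", err.Error())
		return err
	}

	// Fetch and unpack the release archive; it unpacks into
	// <workdir>/package (see the renames below).
	if err = archiver.DownloadAndExtract(ctx, _url, workdir); err != nil {
		logger.Debug("❌ MakeHSNet: 下载和解压失败: %s", err.Error())
		return err
	}

	// Move package/server and package/server_aes up to <workdir>; the rest
	// of package/ is left where the archive put it.
	if err = os.Rename(filepath.Join(workdir, "package", "server"), filepath.Join(workdir, "server")); err != nil {
		logger.Debug("❌ MakeHSNet: 重命名文件失败: %s", err.Error())
		return err
	}
	if err = os.Rename(filepath.Join(workdir, "package", "server_aes"), filepath.Join(workdir, "server_aes")); err != nil {
		logger.Debug("❌ MakeHSNet: 重命名文件失败: %s", err.Error())
		return err
	}

	// YAML config (contains private keys) -> <workdir>/server.conf
	if err = os.WriteFile(filepath.Join(workdir, "server.conf"), []byte(_conf_out), secretPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 写入配置文件失败: %s", err.Error())
		return err
	}

	// conf/ssl is created in one go; it also yields conf/ for the JSON
	// config below.
	if err = os.MkdirAll(filepath.Join(workdir, "conf", "ssl"), dirPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 创建目录失败: %s", err.Error())
		return err
	}

	// JSON config (contains private keys) -> <workdir>/conf/server.conf
	if err = os.WriteFile(filepath.Join(workdir, "conf", "server.conf"), []byte(_conf_in), secretPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 写入配置文件失败: %s", err.Error())
		return err
	}

	// MQTT client certificate is public material; the key is not.
	if err = os.WriteFile(filepath.Join(workdir, "conf", "ssl", "mqtt.client.crt"), resource.SSLMQTTClientCrt, publicPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 写入配置文件失败: %s", err.Error())
		return err
	}
	if err = os.WriteFile(filepath.Join(workdir, "conf", "ssl", "mqtt.client.key"), resource.SSLMQTTClientKey, secretPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 写入配置文件失败: %s", err.Error())
		return err
	}

	// Runtime workspace referenced by workDir in both configs.
	if err = os.MkdirAll(filepath.Join(workdir, "workspace"), dirPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 创建目录失败: %s", err.Error())
		return err
	}

	// lastVersion.txt starts out empty; nothing in this function reads it.
	if err = os.WriteFile(filepath.Join(workdir, "lastVersion.txt"), []byte{}, publicPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 创建空文件失败: %s", err.Error())
		return err
	}

	// Pull the image afresh (force pull) and save it as a tarball next to
	// the other artifacts.
	imgName := _image
	imgPath := filepath.Join(workdir, "hs-net.tar")
	logger.Debug("☑️ MakeHSNet: 构建镜像 %s 到 %s", imgName, imgPath)
	if err = m.Image(ctx, imgName, WithImageSave(imgPath), WithImageForcePull(true)); err != nil {
		logger.Debug("❌ MakeHSNet: 构建镜像失败: %s", err.Error())
		return err
	}
	logger.Debug("✅ MakeHSNet: 构建镜像 %s 到 %s 成功", imgName, imgPath)

	// systemd unit; no secrets inside, so world-readable is fine.
	if err = os.WriteFile(filepath.Join(workdir, "hs-net.service"), []byte(_service), publicPerm); err != nil {
		logger.Debug("❌ MakeHSNet: 写入服务文件失败: %s", err.Error())
		return err
	}

	// todo upsert.sh
	// todo /etc/yizhisec/token
	// todo mkdir /mnt/huge

	logger.Info("✅ MakeHSNet: 构建 hs-net 成功, workdir = %s", workdir)
	return nil
}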