fix(ota): 引入 bash -n 语法树完整性校验,彻底阻断因网络波动下载不全导致的单点死机风险
@@ -370,10 +370,12 @@ class AgentHandler(http.server.BaseHTTPRequestHandler):
|
||||
self.end_headers()
|
||||
self.wfile.write(b"Action Accepted: trigger_ota\n")
|
||||
|
||||
# [修复] 逃逸 Systemd Cgroup,防止 Agent 在升级时被同归于尽机制误杀
|
||||
# [修复] 逃逸 Systemd Cgroup,并引入 bash -n 语法树校验防砖机制
|
||||
import shutil
|
||||
repo_url = "https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
|
||||
ota_cmd = f"export SILENT_OTA='true'; curl -fsSL {repo_url}/core/install.sh -o /tmp/ota_agent.sh && bash /tmp/ota_agent.sh > /opt/ip_sentinel/logs/ota_upgrade.log 2>&1"
|
||||
repo_url = "https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.3-dev"
|
||||
|
||||
# [v3.6.3 修复] 🚀 下载后先执行 if bash -n 语法校验,通过后再执行覆盖
|
||||
ota_cmd = f"export SILENT_OTA='true'; curl -fsSL {repo_url}/core/install.sh -o /tmp/ota_agent.sh && if bash -n /tmp/ota_agent.sh; then bash /tmp/ota_agent.sh > /opt/ip_sentinel/logs/ota_upgrade.log 2>&1; else echo 'OTA Checksum Failed: Script corrupted' > /opt/ip_sentinel/logs/ota_upgrade.log; fi"
|
||||
|
||||
if shutil.which("systemd-run"):
|
||||
full_cmd = f"systemd-run --quiet --no-block bash -c \"{ota_cmd}\""
|
||||
|
||||
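Review bot: `bash -n` in the new `ota_cmd` only parses the file, so it does not perform the integrity check that the `OTA Checksum Failed` log message reports. A download cut off at a statement boundary, or a well-formed script with different content, parses cleanly and is then executed. Checking the file with `sha256sum -c` against a digest obtained separately from the download would cover both cases, and the log text should name the check that actually failed. The script is also written to the fixed path `/tmp/ota_agent.sh` and then checked and executed in separate steps, so a private directory from `mktemp -d` would be safer than a shared one. The same reasoning applies to the `bash -n` guard on `/tmp/install_master.sh` in the last hunk; the enclosing handler method starts and ends outside this hunk.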
@@ -15,7 +15,7 @@ if [ "$EUID" -ne 0 ]; then
|
||||
fi
|
||||
|
||||
# 你的 GitHub 仓库 Raw 数据直链前缀
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.3-dev"
|
||||
# 临时改为开发地址用于测试
|
||||
# REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.2-rc"
|
||||
INSTALL_DIR="/opt/ip_sentinel"
|
||||
|
||||
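Review bot: `REPO_RAW_URL` now appears to point at the `v3.6.3-dev` branch, and the comment directly below it says the address was changed temporarily for testing, so this looks like a test setting that ships if the commit is released as is. A branch ref is mutable, so every host that runs this installer (the hunk header shows an `$EUID` root check) would fetch and execute whatever is pushed to that branch later. Pinning to a release tag or commit hash, and restoring the stable ref before release, avoids that. The same assignment recurs in the four later `REPO_RAW_URL` hunks and in `repo_url` in the agent handler hunk.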
@@ -9,7 +9,7 @@ INSTALL_DIR="/opt/ip_sentinel"
|
||||
CONFIG_FILE="${INSTALL_DIR}/config.conf"
|
||||
UA_FILE="${INSTALL_DIR}/data/user_agents.txt"
|
||||
# 你的 GitHub 仓库 Raw 数据直链前缀
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.3-dev"
|
||||
# 临时改为私库地址用于测试
|
||||
# REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.2-rc"
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ CONFIG_FILE="${INSTALL_DIR}/config.conf"
|
||||
UA_TIME_FILE="${INSTALL_DIR}/core/.ua_last_update"
|
||||
|
||||
# GitHub 仓库 Raw 数据直链前缀
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.3-dev"
|
||||
# 临时改为开发地址用于测试
|
||||
# REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.2-rc"
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@ if [ "$EUID" -ne 0 ]; then
|
||||
fi
|
||||
|
||||
# 你的 GitHub 仓库 Raw 数据直链前缀
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.3-dev"
|
||||
# 临时改为开发地址用于测试
|
||||
# REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.2-rc"
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ CONF="/opt/ip_sentinel_master/master.conf"
|
||||
source "$CONF"
|
||||
|
||||
# [核心: 运行态版本继承与云通信地址]
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
|
||||
REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.3-dev"
|
||||
# 临时改为开发地址用于测试
|
||||
# REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/v3.6.2-rc"
|
||||
# MASTER_VERSION 已经在上方的 source "$CONF" 中被载入
|
||||
@@ -262,6 +262,17 @@ while true; do
|
||||
|
||||
# 下载最新的 master install 脚本作为幽灵进程
|
||||
curl -fsSL "${REPO_RAW_URL}/master/install_master.sh" -o "/tmp/install_master.sh"
|
||||
|
||||
# [v3.6.3 修复] 🚀 OTA 防砖机制:严格校验脚本完整性
|
||||
if ! bash -n "/tmp/install_master.sh" >/dev/null 2>&1; then
|
||||
if [ -n "$MSG_ID" ]; then
|
||||
edit_msg "$CHAT_ID" "$MSG_ID" "❌ OTA 传输受损:脚本下载不完整,已触发防砖熔断,升级取消!"
|
||||
else
|
||||
send_msg "$CHAT_ID" "❌ OTA 传输受损:脚本下载不完整,已触发防砖熔断,升级取消!"
|
||||
fi
|
||||
continue
|
||||
fi
|
||||
|
||||
chmod +x "/tmp/install_master.sh"
|
||||
|
||||
# 抛出幽灵进程进行脱壳升级,传递静默变量与回执 ID
|
||||
|
||||
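Review bot: The `curl` call directly above the new guard is not tested, so when the download fails outright, a `/tmp/install_master.sh` still present from an earlier run can pass `bash -n` and be launched as the upgrade. Folding the download into the condition closes that path: `if ! curl -fsSL "${REPO_RAW_URL}/master/install_master.sh" -o "/tmp/install_master.sh" || ! bash -n "/tmp/install_master.sh" >/dev/null 2>&1; then`. Removing the old file before downloading would work as well. The surrounding `while true` loop continues outside this hunk, so whether the file is cleaned up elsewhere is not visible here.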