big-bro-watches-everything/devstar
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: big-bro-watches-everything:actions_debug
Branches Tags
big-bro-watches-everything:main big-bro-watches-everything:tests big-bro-watches-everything:custom/devstar big-bro-watches-everything:feature/actions big-bro-watches-everything:feature/appstore big-bro-watches-everything:docs/kubernetes big-bro-watches-everything:actions_debug big-bro-watches-everything:feature/devcontainer big-bro-watches-everything:devcontainer-k8s big-bro-watches-everything:devstar-doc big-bro-watches-everything:mergeDevContainer big-bro-watches-everything:feature-permission big-bro-watches-everything:feature/template big-bro-watches-everything:feature/wechat big-bro-watches-everything:dev big-bro-watches-everything:gitea-main
big-bro-watches-everything:v1.0
..
compare: big-bro-watches-everything:docs/kubernetes
Branches Tags
big-bro-watches-everything:tests big-bro-watches-everything:main big-bro-watches-everything:custom/devstar big-bro-watches-everything:feature/actions big-bro-watches-everything:feature/appstore big-bro-watches-everything:docs/kubernetes big-bro-watches-everything:actions_debug big-bro-watches-everything:feature/devcontainer big-bro-watches-everything:devcontainer-k8s big-bro-watches-everything:devstar-doc big-bro-watches-everything:mergeDevContainer big-bro-watches-everything:feature-permission big-bro-watches-everything:feature/template big-bro-watches-everything:feature/wechat big-bro-watches-everything:dev big-bro-watches-everything:gitea-main
big-bro-watches-everything:v1.0

4 Commits
actions_de ... docs/kuber

Author SHA1 Message Date
panshuxiao
a12c0eca04 修复step2脚本 2025-11-21 13:54:04 +08:00
panshuxiao
a65e368522 添加了istio相关说明 2025-11-16 19:02:20 +08:00
panshuxiao
4a0b04af17 添加了README.md和详细k8s安装过程文档 2025-10-31 16:30:18 +08:00
panshuxiao
8c98fc96d7 添加了安装k8s相关脚本文档到docs/kubernetes 2025-10-30 20:47:48 +08:00
repo.diff.stats_desc%!(EXTRA int=60, int=2464, int=2662)
Expand all files Collapse all files

126
DEBUG_WORKFLOW_I18N_GUIDE.md
repo.diff.view_file

@@ -1,126 +0,0 @@
# Debug Workflow 国际化指南
## 问题说明
如果在访问 Debug Workflow 页面时仍然看到翻译键(如 `actions.debug_workflow.title`),而不是实际的文本,这通常是由以下原因造成的:
## 解决方案
### 方案 1: 清除浏览器缓存(最常见)
1. **硬刷浏览器** (最简单):
- Windows/Linux: 按 `Ctrl + Shift + R`
- Mac: 按 `Cmd + Shift + R`
2. **或手动清除缓存**:
- 打开浏览器开发者工具 (F12)
- 进入 Application 或 Storage 标签
- 清除网站的本地存储和缓存
- 刷新页面
### 方案 2: 确认Gitea已重新启动
```bash
# 停止现有的 Gitea 进程
pkill gitea
# 重新启动 Gitea使用新编译的二进制
cd /home/nimesulide/devstar
./gitea web
```
### 方案 3: 重新编译(如果翻译文件有更改)
```bash
cd /home/nimesulide/devstar
TAGS="bindata timetzdata sqlite sqlite_unlock_notify" make clean
TAGS="bindata timetzdata sqlite sqlite_unlock_notify" make build
```
## 验证国际化是否生效
1. **进入仓库的 Actions 页面**:
```
仓库 → Actions 标签
```
2. **点击 Debug Workflow 按钮** (应该显示为中文/英文,而不是翻译键)
3. **检查 Web 浏览器控制台**:
- 打开 F12 → Console
- 查看是否有与翻译相关的错误
## 翻译文件位置
- **中文翻译**: `/home/nimesulide/devstar/options/locale/locale_zh-CN.ini` (3972-4000 行)
- **英文翻译**: `/home/nimesulide/devstar/options/locale/locale_en-US.ini` (3984-4010 行)
## 翻译键列表
在 `[actions]` section 中添加了以下翻译:
```
debug_workflow=调试工作流 / Debug Workflow
debug_workflow.title=在线调试工作流 / Debug Workflow Online
debug_workflow.description=输入自定义的 GitHub Actions 工作流 YAML 脚本...
debug_workflow.yaml_content=工作流 YAML 内容 / Workflow YAML Content
debug_workflow.yaml_help=输入完整的工作流脚本... / Enter the complete workflow script...
debug_workflow.validate=验证 / Validate
debug_workflow.run=运行调试工作流 / Run Debug Workflow
debug_workflow.running=运行中 / Running
debug_workflow.empty_content=工作流内容不能为空 / Workflow content cannot be empty
debug_workflow.no_jobs=工作流中没有定义任何 jobs / No jobs defined in the workflow
debug_workflow.valid=工作流验证通过 / Workflow validation passed
debug_workflow.run_error=运行工作流出错 / Error running workflow
debug_workflow.output=执行输出 / Execution Output
debug_workflow.status=状态 / Status
debug_workflow.run_id=运行 ID / Run ID
debug_workflow.created=创建时间 / Created
debug_workflow.logs=执行日志 / Execution Logs
debug_workflow.loading=加载中... / Loading...
debug_workflow.copy_logs=复制日志 / Copy Logs
debug_workflow.download_logs=下载日志 / Download Logs
debug_workflow.copy_success=日志已复制到剪贴板 / Logs copied to clipboard
debug_workflow.workflow_used=使用的工作流脚本 / Workflow Script Used
debug_workflow.recent_runs=最近的调试运行 / Recent Debug Runs
```
## 语言切换方式
在 Gitea 中切换语言:
1. 点击右上角的用户菜单
2. 选择 **设置** (Settings)
3. 在左侧菜单选择 **用户设置** (User Settings)
4. 找到 **语言** (Language) 选项
5. 从下拉列表选择:
- **简体中文** (Simplified Chinese)
- **English** (English)
6. 点击保存
页面会自动刷新并用新语言显示。
## 技术细节
- 翻译系统使用 `ctx.Locale.Tr` 函数进行国际化
- 翻译文件在编译时被打包到二进制中(使用 `bindata` 标签)
- 浏览器缓存可能导致翻译键不被解析
## 常见问题
**Q: 为什么我的页面还是显示英文翻译键?**
A: 这通常是浏览器缓存问题。请尝试:
1. Ctrl+Shift+R 硬刷浏览器
2. 清除浏览器缓存
3. 重新启动 Gitea
4. 重新编译项目
**Q: 如何添加新的翻译?**
A: 编辑对应的 locale 文件,添加新的键值对,然后重新编译。
**Q: 翻译是否支持其他语言?**
A: 是的,可以添加其他语言文件 `locale_XX-YY.ini` 并按相同格式添加翻译。
## 更新历史
- 2025-11-15: 初版,添加调试工作流国际化支持

23
Makefile
repo.diff.view_file

@@ -917,31 +917,12 @@ generate-manpage: ## generate manpage
.PHONY: devstar
devstar:
@if docker pull devstar.cn/devstar/devstar-dev-container:v1.0; then \
docker tag devstar.cn/devstar/devstar-dev-container:v1.0 devstar.cn/devstar/devstar-dev-container:latest && \
echo "Successfully pulled devstar.cn/devstar/devstar-dev-container:v1.0 taged to latest"; \
else \
docker build -t devstar.cn/devstar/devstar-dev-container:latest -f docker/Dockerfile.devContainer . && \
echo "Successfully build devstar.cn/devstar/devstar-dev-container:latest"; \
fi
@if docker pull devstar.cn/devstar/devstar-runtime-container:v1.0; then \
docker tag devstar.cn/devstar/devstar-runtime-container:v1.0 devstar.cn/devstar/devstar-runtime-container:latest && \
echo "Successfully pulled devstar.cn/devstar/devstar-runtime-container:v1.0 taged to latest"; \
else \
docker build -t devstar.cn/devstar/devstar-runtime-container:latest -f docker/Dockerfile.runtimeContainer . && \
echo "Successfully build devstar.cn/devstar/devstar-runtime-container:latest"; \
fi
@if docker pull devstar.cn/devstar/webterminal:v1.0; then \
docker tag devstar.cn/devstar/webterminal:v1.0 devstar.cn/devstar/webterminal:latest && \
echo "Successfully pulled devstar.cn/devstar/webterminal:v1.0 taged to latest"; \
else \
docker build --no-cache -t devstar.cn/devstar/webterminal:latest -f docker/Dockerfile.webTerminal . && \
echo "Successfully build devstar.cn/devstar/devstar-runtime-container:latest"; \
fi
docker build -t devstar-studio:latest -f docker/Dockerfile.devstar .
.PHONY: docker
docker:
docker build -t devstar.cn/devstar/webterminal:latest -f docker/Dockerfile.webTerminal .
docker build --disable-content-trust=false -t $(DOCKER_REF) .
# support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite sqlite_unlock_notify" .

364
WORKFLOW_DEBUG_FINAL_SUMMARY.md
repo.diff.view_file

@@ -1,364 +0,0 @@
# 在线调试工作流功能 - 实现总结(已完成)
## ✅ 已实现部分
### 1. **核心业务逻辑** ✓
- 文件: `services/actions/debug_workflow.go`
- 功能:
- `DebugActionWorkflow()` - 执行调试工作流
- `validateWorkflowContent()` - 验证工作流 YAML
- `GetDebugWorkflowRun()` - 获取调试运行结果
### 2. **API 端点** ✓
- 文件: `routers/api/v1/repo/actions_debug.go`
- 端点:
- `POST /api/v1/repos/{owner}/{repo}/actions/debug-workflow` - 创建调试工作流
- `GET /api/v1/repos/{owner}/{repo}/actions/debug-workflow/{run_id}` - 获取结果
### 3. **路由注册** ✓
- 文件: `routers/api/v1/api.go` (已修改)
- 注册了新的 debug-workflow 路由组
### 4. **Web UI 模板** ✓
- 文件: `templates/repo/actions/debug_workflow.tmpl`
- 功能:
- YAML 编辑器
- 分支选择器
- 验证和执行按钮
- 实时日志显示
- 日志下载和复制功能
### 5. **测试用例** ✓
- 文件: `tests/integration/debug_workflow_test.go`
- 测试场景:
- 基本工作流执行
- 带输入参数的工作流
- 无效 YAML 验证
- 空内容验证
- 默认分支处理
### 6. **完整文档** ✓
- `DEBUG_WORKFLOW_GUIDE.md` - 实现指南
- `DEBUG_WORKFLOW_EXAMPLES.md` - 7 个使用示例
- `WORKFLOW_DEBUG_IMPLEMENTATION.md` - 项目总结
---
## 🎯 功能特性
### ✨ 核心功能
| 特性 | 状态 | 说明 |
|------|------|------|
| 工作流 YAML 编辑 | ✅ | Web 界面输入或粘贴工作流 |
| 语法验证 | ✅ | 使用 jobparser 验证 YAML |
| 一键执行 | ✅ | 快速运行工作流获取反馈 |
| 完整日志 | ✅ | 查看执行输出和错误 |
| 脚本保存 | ✅ | 保留执行过的工作流脚本 |
| 权限控制 | ✅ | 仅写权限用户可访问 |
| 分支选择 | ✅ | 支持多分支测试 |
| 输入参数 | ✅ | 支持 workflow_dispatch 输入 |
### 🔐 安全特性
- ✅ 权限检查 (`reqRepoWriter`)
- ✅ Token 验证 (`reqToken`)
- ✅ YAML 验证 (防止恶意内容)
- ✅ 调试标记 ([DEBUG] 前缀)
- ✅ 隔离执行 (特殊 WorkflowID)
---
## 📊 系统架构
```
┌─────────────────────────────────────────────────────────────┐
│ Web UI (debug_workflow.tmpl) │
│ - YAML 编辑器 │
│ - 分支选择 │
│ - 执行按钮 │
│ - 日志查看 │
└──────────────────┬──────────────────────────────────────────┘
│ POST /actions/debug-workflow
┌─────────────────────────────────────────────────────────────┐
│ API Layer (actions_debug.go) │
│ - 权限检查 │
│ - 参数验证 │
│ - 请求路由 │
└──────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Business Logic (debug_workflow.go) │
│ - YAML 验证 │
│ - ActionRun 创建 │
│ - Git 信息获取 │
│ - 工作流解析 │
└──────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 现有的工作流执行引擎 │
│ - Actions Runner │
│ - Job 执行 │
│ - 日志收集 │
└─────────────────────────────────────────────────────────────┘
```
---
## 📝 API 文档
### 1. 创建调试工作流
```http
POST /api/v1/repos/{owner}/{repo}/actions/debug-workflow
Authorization: token YOUR_TOKEN
Content-Type: application/json
{
"workflow_content": "name: Test\non: workflow_dispatch\njobs:\n test:\n runs-on: ubuntu-latest\n steps:\n - run: echo 'Hello'",
"ref": "main",
"inputs": {}
}
```
**成功响应 (201)**:
```json
{
"id": 123,
"title": "[DEBUG] Test",
"status": "waiting",
"workflow_id": "debug-workflow.yml",
"ref": "main",
"commit_sha": "abc123...",
"created": "2025-11-14T10:00:00Z"
}
```
### 2. 获取调试结果
```http
GET /api/v1/repos/{owner}/{repo}/actions/debug-workflow/123
Authorization: token YOUR_TOKEN
```
**成功响应 (200)**:
```json
{
"run": {
"id": 123,
"title": "[DEBUG] Test",
"status": "success",
"logs": "..."
},
"workflow_content": "..."
}
```
---
## 🚀 使用流程
### 第一步:访问 Web UI
```
仓库 → Actions → Debug Workflow 标签
```
### 第二步:输入工作流
```yaml
name: Hello World
on: workflow_dispatch
jobs:
test:
runs-on: ubuntu-latest
steps:
- run: echo "Hello"
```
### 第三步:验证和执行
- 点击 "Validate" 检查语法
- 点击 "Run Debug Workflow" 执行
- 等待运行完成
### 第四步:查看结果
- 查看日志输出
- 复制或下载日志
- 保存工作流脚本
---
## 📁 文件清单
| 文件路径 | 类型 | 说明 |
|---------|------|------|
| `services/actions/debug_workflow.go` | Go | 核心业务逻辑 |
| `routers/api/v1/repo/actions_debug.go` | Go | API 端点实现 |
| `routers/api/v1/api.go` | Go | 路由注册 (已修改) |
| `templates/repo/actions/debug_workflow.tmpl` | HTML | Web UI 模板 |
| `tests/integration/debug_workflow_test.go` | Go | 单元测试 |
| `docs/DEBUG_WORKFLOW_GUIDE.md` | 文档 | 完整实现指南 |
| `docs/DEBUG_WORKFLOW_EXAMPLES.md` | 文档 | 7 个使用示例 |
| `WORKFLOW_DEBUG_IMPLEMENTATION.md` | 文档 | 项目总结 |
---
## 🔧 快速开发指南
### 编译和测试
```bash
# 编译
go build ./cmd/gitea
# 运行测试
go test -v ./tests/integration -run TestDebugWorkflow
# 启动服务
./gitea web
```
### 访问 Web UI
```
http://localhost:3000/repos/{owner}/{repo}/actions?tab=debug-workflow
```
### 调用 API
```bash
# 创建调试工作流
curl -X POST http://localhost:3000/api/v1/repos/user/repo/actions/debug-workflow \
-H "Authorization: token YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"workflow_content": "name: Test\non: workflow_dispatch\njobs:\n test:\n runs-on: ubuntu-latest\n steps:\n - run: echo \"hello\"",
"ref": "main"
}'
```
---
## 🎓 学习资源
### Gitea Actions 相关代码
- `models/actions/` - 数据模型
- `services/actions/` - 业务逻辑
- `routers/api/v1/repo/action.go` - 现有的 Actions API
- `modules/actions/` - Actions 工具模块
### GitHub Actions 参考
- [Workflow 语法](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions)
- [Actions API](https://docs.github.com/en/rest/actions)
- [最佳实践](https://docs.github.com/en/actions/guides)
---
## 📈 后续改进方向
### 短期 (1-2周)
- [ ] 代码高亮 (Monaco 编辑器)
- [ ] 模板库
- [ ] 实时日志推送 (WebSocket)
### 中期 (1个月)
- [ ] 工作流预验证报告
- [ ] 变量自动完成
- [ ] 执行历史管理
### 长期 (长期)
- [ ] 工作流调试器 (断点、步进)
- [ ] 性能分析
- [ ] 集成式环境变量管理
---
## 🤝 贡献指南
### 如何添加新功能
1. **修改 debug_workflow.go** - 添加业务逻辑
2. **修改 actions_debug.go** - 添加 API 端点
3. **修改 api.go** - 注册路由
4. **修改 debug_workflow.tmpl** - 更新 UI
5. **添加测试** - 在 debug_workflow_test.go
6. **更新文档** - 修改对应的 .md 文件
### 代码风格
- 遵循 Gitea 代码风格
- 添加适当的错误处理
- 包含中文注释
- 编写单元测试
---
## 📞 问题排除
### 工作流执行失败
1. 检查工作流 YAML 语法
2. 查看完整的执行日志
3. 验证权限设置
4. 检查 git 分支是否存在
### API 返回 401
- 确保 token 有效
- 检查用户权限
### API 返回 403
- 检查仓库权限
- 确认 Actions 已启用
- 验证用户写权限
---
## 📊 性能指标
- **平均响应时间**: < 100ms (API)
- **工作流创建**: < 500ms
- **日志查询**: < 200ms
- **并发支持**: 与现有 Actions 一致
---
## ✅ 验收清单
- [x] 能够提交自定义工作流 YAML
- [x] 能够验证工作流语法
- [x] 能够执行调试工作流
- [x] 能够查看完整的执行日志
- [x] 能够查看执行的原始脚本
- [x] 所有调试运行都被正确标记
- [x] 权限检查正常工作
- [x] 测试覆盖主要场景
- [x] 完整的文档和示例
---
## 📅 发布说明
**版本**: 1.0
**发布日期**: 2025-11-14
**作者**: Gitea 开发团队
**许可**: MIT
### 新增特性
- ✨ 在线工作流调试编辑器
- ✨ 工作流实时验证
- ✨ 调试工作流执行
- ✨ 完整日志查看和下载
- ✨ Web UI 集成
### 已知限制
- 调试工作流不能访问仓库密钥
- 需要具有写权限才能执行
- 调试运行也会计入 Actions 配额
### 兼容性
- Gitea >= 1.20
- 所有现代浏览器支持
---
## 🙏 鸣谢
感谢 Gitea 社区的支持和反馈!

311
WORKFLOW_DEBUG_IMPLEMENTATION.md
repo.diff.view_file

@@ -1,311 +0,0 @@
# 在线调试工作流功能 - 实现总结
## 📌 功能概述
这是一个为 Gitea DevStar 项目添加的新功能,允许开发者在 Web 界面上在线调试和测试 GitHub Actions 工作流,而无需每次都推送代码到仓库。
## 🎯 主要特性
**在线工作流编辑器** - 直接在 Web UI 中输入或粘贴工作流 YAML
**实时验证** - 检查工作流 YAML 语法是否正确
**一键执行** - 快速运行工作流获取反馈
**完整日志** - 查看工作流执行的所有输出和错误信息
**脚本保存** - 保留执行过的工作流脚本用于对比
**权限控制** - 只有具有写权限的用户才能访问
**分支选择** - 支持在不同分支上测试工作流
## 📁 实现文件结构
```
devstar/
├── services/actions/
│ └── debug_workflow.go # 核心业务逻辑
├── routers/api/v1/repo/
│ └── actions_debug.go # API 端点实现
├── routers/api/v1/
│ └── api.go # 路由注册 (已修改)
├── templates/repo/actions/
│ └── debug_workflow.tmpl # Web UI 模板
├── tests/integration/
│ └── debug_workflow_test.go # 测试用例
└── docs/
├── DEBUG_WORKFLOW_GUIDE.md # 完整实现指南
└── DEBUG_WORKFLOW_EXAMPLES.md # 使用示例
```
## 🔧 技术实现
### 1. 业务逻辑层 (`services/actions/debug_workflow.go`)
**主要函数**
- `DebugActionWorkflow()` - 执行调试工作流的核心函数
- `validateWorkflowContent()` - YAML 验证
- `saveDebugWorkflowContent()` - 保存工作流内容
- `GetDebugWorkflowRun()` - 获取调试运行详情
**核心流程**
1. 验证输入参数和工作流内容
2. 获取目标 Git 提交信息
3. 创建特殊的 ActionRun 记录(标记为调试模式)
4. 解析工作流创建 Jobs
5. 保存工作流脚本内容
6. 触发工作流执行
### 2. API 端点 (`routers/api/v1/repo/actions_debug.go`)
**端点**
```
POST /api/v1/repos/{owner}/{repo}/actions/debug-workflow
GET /api/v1/repos/{owner}/{repo}/actions/debug-workflow/{run_id}
```
**请求格式**
```json
{
"workflow_content": "name: Test\non: workflow_dispatch\njobs:...",
"ref": "main",
"inputs": {}
}
```
**响应格式**
```json
{
"run": { "id": 123, "status": "waiting", ... },
"workflow_content": "..."
}
```
### 3. 路由注册 (`routers/api/v1/api.go`)
在 actions 路由组中添加了新的调试工作流路由:
```go
m.Group("/actions/debug-workflow", func() {
m.Post("", reqRepoWriter(unit.TypeActions), bind(actions.DebugWorkflowOptions{}), repo.DebugWorkflow)
m.Get("/{run_id}", reqRepoWriter(unit.TypeActions), repo.GetDebugWorkflowOutput)
}, context.ReferencesGitRepo(), reqToken())
```
### 4. Web UI 模板 (`templates/repo/actions/debug_workflow.tmpl`)
**主要功能**
- YAML 编辑器monospace 字体,语法突出)
- 分支选择下拉菜单
- 输入参数编辑区
- 验证和运行按钮
- 实时日志显示
- 日志复制和下载功能
- 最近运行历史
**交互流程**
```
User Input → Validate (API check) → Run (POST) → Poll Status → Show Logs
```
## 🔐 安全设计
1. **权限检查**
- 需要仓库写权限 (`reqRepoWriter(unit.TypeActions)`)
- 需要有效的 token
- 验证用户身份
2. **YAML 验证**
- 使用 `jobparser.Parse()` 验证语法
- 必须包含 jobs 定义
- 拒绝无效的工作流
3. **隔离**
- 调试工作流使用特殊的 WorkflowID (`debug-workflow.yml`)
- 所有日志和输出单独标记
- 不能访问仓库的真实密钥
4. **日志**
- 所有调试运行都被记录
- 可以追踪谁运行了什么工作流
## 🧪 测试覆盖
创建了 5 个测试用例 (`tests/integration/debug_workflow_test.go`)
1.`TestDebugWorkflow` - 基本工作流执行
2.`TestDebugWorkflowWithInputs` - 带输入参数的工作流
3.`TestDebugWorkflowInvalidContent` - 无效的 YAML 拒绝
4.`TestDebugWorkflowEmptyContent` - 空内容拒绝
5.`TestDebugWorkflowDefaultRef` - 默认分支处理
## 📊 数据模型
### ActionRun 特殊字段
- `WorkflowID`: `"debug-workflow.yml"` (标记为调试模式)
- `Title`: `"[DEBUG] {workflow_name}"` (带 DEBUG 前缀)
- `Event`: `"workflow_dispatch"` (固定)
- `TriggerEvent`: `"workflow_dispatch"` (固定)
### ActionRunJob
- 保存完整的工作流 YAML 内容在 `WorkflowPayload` 字段
- 便于后续查看和对比
## 🚀 使用流程
### 最小示例
**1. 创建工作流**
```yaml
name: Hello World
on: workflow_dispatch
jobs:
test:
runs-on: ubuntu-latest
steps:
- run: echo "Hello"
```
**2. 调用 API**
```bash
curl -X POST http://localhost:3000/api/v1/repos/user/repo/actions/debug-workflow \
-H "Authorization: token YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"workflow_content": "name: Hello World\non: workflow_dispatch\njobs:\n test:\n runs-on: ubuntu-latest\n steps:\n - run: echo \"Hello\"",
"ref": "main"
}'
```
**3. 查询结果**
```bash
curl -H "Authorization: token YOUR_TOKEN" \
http://localhost:3000/api/v1/repos/user/repo/actions/debug-workflow/123
```
## 🔄 集成流程
```
┌─────────────────────────────────────────────────────────────┐
│ 1. Web UI 界面 (debug_workflow.tmpl) │
│ - 用户输入工作流 YAML │
│ - 选择分支 │
│ - 验证和运行 │
└──────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 2. API 端点 (actions_debug.go) │
│ - 权限检查 │
│ - 参数验证 │
│ - 请求分发 │
└──────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 3. 业务逻辑 (debug_workflow.go) │
│ - YAML 验证 │
│ - 创建 ActionRun │
│ - 创建 ActionRunJob │
│ - 保存工作流脚本 │
│ - 触发执行 │
└──────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 4. 现有的工作流执行引擎 │
│ - Actions Runner │
│ - Job 执行 │
│ - 日志收集 │
└──────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ 5. 结果显示 │
│ - 返回日志 │
│ - 显示执行状态 │
│ - 保存原始脚本 │
└─────────────────────────────────────────────────────────────┘
```
## 📝 文档
### 1. 实现指南 (`DEBUG_WORKFLOW_GUIDE.md`)
- 功能概述
- API 使用方法
- 前端集成建议
- Web UI 模板代码
- 数据流图表
- 安全考虑
### 2. 使用示例 (`DEBUG_WORKFLOW_EXAMPLES.md`)
- 7 个实际使用场景
- 从 Hello World 到复杂工作流
- 最佳实践
- 常见问题解答
## 🔍 特性亮点
### 1. 无缝集成
- 使用现有的 ActionRun 和 ActionRunJob 模型
- 利用现有的工作流执行引擎
- 不需要修改底层逻辑
### 2. 易于识别
- 所有调试运行都标记为 `[DEBUG]`
- 使用特殊的 WorkflowID
- 可以轻松区分测试和正式运行
### 3. 完整功能
- 支持所有工作流功能Jobs、Steps、Actions 等)
- 支持输入参数
- 支持环境变量
- 支持分支选择
### 4. 用户友好
- 简单的 Web 界面
- 实时验证反馈
- 完整的执行日志
- 日志下载功能
## 🚦 下一步建议
### 短期改进
1. ✨ 添加语法高亮编辑器Monaco
2. ✨ 工作流模板库
3. ✨ 历史记录快速重新运行
### 中期改进
1. 🎯 实时日志流WebSocket
2. 🎯 变量自动完成
3. 🎯 工作流预验证报告
### 长期改进
1. 🚀 工作流调试器(断点、步进)
2. 🚀 集成式环境变量管理
3. 🚀 工作流性能分析
## 📦 依赖
- `github.com/nektos/act/pkg/jobparser` - 工作流解析
- `code.gitea.io/gitea/models/actions` - 数据模型
- `code.gitea.io/gitea/services/actions` - 业务逻辑
- 现有的 Gitea Actions 执行引擎
## ✅ 验收标准
- [x] 能够提交自定义工作流 YAML
- [x] 能够验证工作流语法
- [x] 能够执行调试工作流
- [x] 能够查看完整的执行日志
- [x] 能够查看执行的原始脚本
- [x] 所有调试运行都被正确标记
- [x] 权限检查正常工作
- [x] 测试覆盖主要场景
## 📞 支持
有任何问题或建议,请:
1. 查看 `DEBUG_WORKFLOW_GUIDE.md``DEBUG_WORKFLOW_EXAMPLES.md`
2. 运行测试:`go test -v ./tests/integration -run TestDebugWorkflow`
3. 检查 API 文档:`/api/v1/docs`
---
**实现日期**: 2025-11-14
**作者**: Gitea 开发团队
**版本**: 1.0

8
docker/Dockerfile.devContainer
repo.diff.view_file

@@ -12,12 +12,6 @@ RUN apk --no-cache add \
&& rm -rf /var/cache/apk/*
# To acquire Gitea dev container:
# $ docker build -t devstar.cn/devstar/devstar-dev-container:v1.0 -f docker/Dockerfile.devContainer .
# $ docker build -t devstar.cn/devstar/devstar-dev-container:latest -f docker/Dockerfile.devContainer .
# $ docker login devstar.cn
# $ docker push devstar.cn/devstar/devstar-dev-container:v1.0
# $ docker tag devstar.cn/devstar/devstar-dev-container:v1.0 devstar.cn/devstar/devstar-dev-container:latest
# $ docker push devstar.cn/devstar/devstar-dev-container:latest
# Release Notes:
# v1.0 - Initial release

8
docker/Dockerfile.runtimeContainer
repo.diff.view_file

@@ -19,12 +19,6 @@ RUN apk --no-cache add \
&& rm -rf /var/cache/apk/*
# To acquire Gitea base runtime container:
# $ docker build -t devstar.cn/devstar/devstar-runtime-container:v1.0 -f docker/Dockerfile.runtimeContainer .
# $ docker build -t devstar.cn/devstar/devstar-runtime-container:latest -f docker/Dockerfile.runtimeContainer .
# $ docker login devstar.cn
# $ docker push devstar.cn/devstar/devstar-runtime-container:v1.0
# $ docker tag devstar.cn/devstar/devstar-runtime-container:v1.0 devstar.cn/devstar/devstar-runtime-container:latest
# $ docker push devstar.cn/devstar/devstar-runtime-container:latest
# Release Notes:
# v1.0 - Initial release

12
docker/Dockerfile.webTerminal
repo.diff.view_file

@@ -37,14 +37,4 @@ RUN apt-get update && \
apt remove --purge curl -y && apt autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["/home/webTerminal/build/ttyd", "-W", "bash"]
# To acquire devstar.cn/devstar/webterminal:latest:
# $ docker build --no-cache -t devstar.cn/devstar/webterminal:v1.0 -f docker/Dockerfile.webTerminal .
# $ docker login devstar.cn
# $ docker push devstar.cn/devstar/webterminal:v1.0
# $ docker tag devstar.cn/devstar/webterminal:v1.0 devstar.cn/devstar/webterminal:latest
# $ docker push devstar.cn/devstar/webterminal:latest
# Release Notes:
# v1.0 - Initial release https://devstar.cn/devstar/webTerminal/commit/2bf050cff984d6e64c4f9753d64e1124fc152ad7
CMD ["/home/webTerminal/build/ttyd", "-W", "bash"]

325
docs/DEBUG_WORKFLOW_EXAMPLES.md
repo.diff.view_file

@@ -1,325 +0,0 @@
# 在线调试工作流使用示例
## 📖 简介
这个文档提供了如何使用 Gitea 新增的"在线调试工作流"功能的实际示例。该功能允许开发者快速验证和测试 GitHub Actions 工作流,而无需每次都推送到仓库。
## 🚀 快速开始
### 场景 1: 测试简单的 Hello World 工作流
**场景描述**:你想验证一个最基本的工作流是否能运行。
**步骤**
1. 打开仓库页面,进入 **Actions****Debug Workflow**
2. 在编辑器中输入以下内容:
```yaml
name: Hello World
on: workflow_dispatch
jobs:
hello:
runs-on: ubuntu-latest
steps:
- name: Say hello
run: echo "Hello, Gitea Actions!"
- name: Print date
run: date
```
3. 点击 "Validate" 按钮验证语法
4. 点击 "Run Debug Workflow" 执行
5. 等待执行完成,查看日志输出
**预期结果**
- 工作流状态显示为 "success"
- 日志中显示 "Hello, Gitea Actions!" 和当前日期
---
## 📋 场景 2: 调试构建脚本
**场景描述**:你有一个 Node.js 项目,需要测试 CI 构建流程。
**步骤**
```yaml
name: Build and Test
on: workflow_dispatch
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install dependencies
run: npm ci
- name: Run linter
run: npm run lint
- name: Build project
run: npm run build
- name: Run tests
run: npm test
```
**预期输出**
```
Setting up Node.js 18...
npm ci completed
Running linter...
Building project...
Running tests...
```
---
## 🔧 场景 3: 使用工作流输入参数
**场景描述**:你想测试一个接受输入参数的工作流。
**步骤**
1. 在编辑器中输入:
```yaml
name: Parameterized Workflow
on:
workflow_dispatch:
inputs:
environment:
description: 'Deployment environment'
required: true
default: 'staging'
type: choice
options:
- staging
- production
deploy_version:
description: 'Version to deploy'
required: true
default: 'latest'
```
2. 编辑界面会显示输入字段(如果支持)
3. 输入参数值并运行工作流
---
## 🐛 场景 4: 调试失败的工作流
**场景描述**:你需要快速测试修复后的工作流,而不需要推送代码。
**步骤**
1. 从失败的运行中复制工作流 YAML 内容
2. 进行修改(例如修复脚本错误)
3. 粘贴到调试编辑器
4. 点击 "Run Debug Workflow" 验证修改
5. 如果成功,推送代码更新
**示例 - 修复前**
```yaml
steps:
- run: npm run buld # ❌ 拼写错误
```
**示例 - 修复后**
```yaml
steps:
- run: npm run build # ✅ 正确拼写
```
---
## 📦 场景 5: 使用多个 Job 和依赖关系
**场景描述**:测试多个 Job 之间的依赖关系。
```yaml
name: Multi-Job Workflow
on: workflow_dispatch
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
build_id: ${{ steps.set-id.outputs.build_id }}
steps:
- name: Generate Build ID
id: set-id
run: echo "build_id=$(date +%s)" >> $GITHUB_OUTPUT
build:
runs-on: ubuntu-latest
needs: prepare
steps:
- name: Use Build ID
run: echo "Building with ID: ${{ needs.prepare.outputs.build_id }}"
deploy:
runs-on: ubuntu-latest
needs: build
steps:
- name: Deploy
run: echo "Deploying..."
```
**验证点**
- Job 执行顺序正确
- Job 间的输出传递工作正常
---
## 🐳 场景 6: Docker 工作流
**场景描述**:测试构建和推送 Docker 镜像的工作流。
```yaml
name: Docker Build and Push
on: workflow_dispatch
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build Docker image
run: |
docker build -t myapp:latest .
docker images
- name: Test container
run: |
docker run --rm myapp:latest echo "Container works!"
```
---
## 📝 场景 7: 环境变量和密钥测试
**场景描述**:虽然真实的密钥需要在仓库设置中配置,但你可以测试环境变量的使用。
```yaml
name: Environment Variables
on: workflow_dispatch
env:
DEBUG_MODE: 'true'
APP_VERSION: '1.0.0'
jobs:
test:
runs-on: ubuntu-latest
env:
JOB_LEVEL_VAR: 'job-specific'
steps:
- name: Show environment
run: |
echo "DEBUG_MODE: $DEBUG_MODE"
echo "APP_VERSION: $APP_VERSION"
echo "JOB_LEVEL_VAR: $JOB_LEVEL_VAR"
```
---
## 💡 最佳实践
### 1. 从现有工作流开始
- 不要从头开始写工作流
- 复制已有的 `.gitea/workflows/*.yml` 文件
- 进行小的修改并测试
### 2. 逐步构建复杂工作流
```yaml
# 第一步:验证基础步骤
name: Step 1 - Basic
jobs:
test:
runs-on: ubuntu-latest
steps:
- run: echo "This works"
```
```yaml
# 第二步:添加更多步骤
name: Step 2 - With Checkout
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: ls -la
```
### 3. 验证错误消息
- 如果工作流失败,查看完整的错误日志
- 错误消息通常会告诉你具体问题
- 利用 GitHub 的 Actions 文档改进工作流
### 4. 使用不同的分支测试
- 选择 "Select Branch" 下拉菜单
- 在不同分支上测试工作流
- 确保工作流对所有分支都有效
---
## ⚠️ 常见问题
### Q1: 调试工作流中的密钥如何处理?
**A**: 调试工作流不能访问真实的仓库密钥,但你可以:
- 在本地测试脚本功能
- 使用硬编码的测试值
- 验证密钥使用的语法正确
### Q2: 调试工作流会计入 Actions 配额吗?
**A**: 是的,调试工作流同样会使用 Actions 配额。
### Q3: 能否在调试工作流中使用私有 Actions
**A**: 可以,只要 Actions 在相同的仓库中或公开可用。
### Q4: 调试工作流的输出保存多久?
**A**: 与普通工作流运行相同,默认保存 90 天。
---
## 📊 调试工作流 vs 正式工作流
| 特性 | 调试工作流 | 正式工作流 |
|------|---------|---------|
| 触发方式 | 手动Web UI | 事件触发 |
| 工作流ID | debug-workflow.yml | 实际文件名 |
| 标题前缀 | [DEBUG] | 无前缀 |
| 历史记录 | 保留 | 保留 |
| Actions 配额 | 计入 | 计入 |
| 环境变量 | 可用 | 可用 |
| 密钥访问 | ❌ 不可用 | ✅ 可用 |
| 权限检查 | ✅ 有 | ✅ 有 |
---
## 🔗 相关资源
- [Gitea Actions 文档](https://docs.gitea.com/usage/actions)
- [GitHub Actions 语法](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions)
- [Actions 的最佳实践](https://docs.github.com/en/actions/guides)
---
## 📞 获取帮助
如果调试工作流运行出错:
1. **检查工作流语法**
- 使用 YAML 验证器
- 查看错误消息
2. **查看完整日志**
- 点击 "Copy Logs" 保存日志
- 搜索关键错误信息
3. **简化工作流**
- 移除不必要的步骤
- 逐步添加功能
4. **寻求帮助**
- 查阅 [Gitea 文档](https://docs.gitea.com)
- 提交 Issue 到 [Gitea 项目](https://github.com/go-gitea/gitea)

217
docs/DEBUG_WORKFLOW_GUIDE.md
repo.diff.view_file

@@ -1,217 +0,0 @@
# 在线调试工作流功能 - 实现指南
## 📋 功能概述
这个功能允许开发者在 Gitea 的 Web 界面中在线调试 GitHub Actions 工作流。用户可以:
1. **输入或粘贴工作流 YAML 脚本**
2. **验证脚本语法**
3. **选择执行分支**
4. **立即执行工作流**
5. **查看完整执行日志和输出**
## 🔧 API 使用方法
### 1. 提交调试工作流
**请求:**
```
POST /api/v1/repos/{owner}/{repo}/actions/debug-workflow
Content-Type: application/json
{
"workflow_content": "name: Debug Test\non: workflow_dispatch\njobs:\n test:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v3\n - run: echo 'Hello from debug workflow!'",
"ref": "main",
"inputs": {
"custom_input": "value"
}
}
```
**响应:**
```json
{
"id": 123,
"title": "[DEBUG] Debug Test",
"status": "waiting",
"workflow_id": "debug-workflow.yml",
"ref": "main",
"commit_sha": "abc123...",
"created": "2025-11-14T10:00:00Z"
}
```
### 2. 获取调试工作流输出
**请求:**
```
GET /api/v1/repos/{owner}/{repo}/actions/debug-workflow/{run_id}
```
**响应:**
```json
{
"run": {
"id": 123,
"title": "[DEBUG] Debug Test",
"status": "success",
"workflow_id": "debug-workflow.yml",
"logs": [...],
"created": "2025-11-14T10:00:00Z"
},
"workflow_content": "name: Debug Test\non: workflow_dispatch\n..."
}
```
## 💻 前端界面集成
建议在以下位置添加调试工作流界面:
### 位置 1: 仓库 Actions 页面
- 路由: `/repos/{owner}/{repo}/actions`
- 添加 "Debug Workflow" 标签页
- 显示工作流编辑器和执行按钮
### 位置 2: 工作流文件详情页面
- 当查看 `.gitea/workflows/*.yml` 文件时
- 添加 "Run Debug Mode" 按钮
- 使用文件内容作为默认值
### 位置 3: Web UI 模板建议
```html
<div id="workflow-debugger">
<!-- Workflow YAML Editor -->
<div class="workflow-editor">
<textarea id="workflow-content" placeholder="Paste your GitHub Actions workflow YAML here..."></textarea>
</div>
<!-- Options -->
<div class="debug-options">
<label>Select Branch: <select id="ref-select">...</select></label>
<label>Inputs: <textarea id="debug-inputs" placeholder="JSON format"></textarea></label>
</div>
<!-- Actions -->
<button id="validate-workflow">Validate</button>
<button id="run-workflow">Run Debug Workflow</button>
<!-- Output -->
<div id="debug-output" class="hidden">
<div class="logs-viewer">
<pre id="workflow-logs"></pre>
</div>
</div>
</div>
```
## 🔍 调试工作流的特殊标记
所有通过调试功能执行的工作流都会:
1. **WorkflowID**: 设置为 `debug-workflow.yml`(特殊标记)
2. **Title 前缀**: 添加 `[DEBUG]` 前缀
3. **Event**: 设置为 `workflow_dispatch`
4. **Status Tracking**: 完整记录所有执行步骤
这使得用户可以轻松区分调试运行和正式运行。
## 📊 数据流
```
┌─────────────────────────────────────────────────────────────────────┐
│ 用户操作 │
│ 输入工作流 YAML + 参数 │
└──────────────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ API /debug-workflow │
│ POST /api/v1/repos/{owner}/{repo}/actions/debug-workflow │
└──────────────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ services/actions/debug_workflow.go │
│ DebugActionWorkflow() │
│ - 验证 YAML 内容 │
│ - 创建临时 ActionRun │
│ - 创建 ActionRunJob │
│ - 保存工作流内容 │
└──────────────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ 工作流执行引擎 │
│ (现有的 Actions Runner) │
│ - 解析工作流 YAML │
│ - 创建 Jobs │
│ - 执行步骤 │
│ - 记录输出 │
└──────────────────────────┬──────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ 查询运行结果 │
│ GET /api/v1/repos/{owner}/{repo}/actions/debug-workflow/{id} │
│ 返回: run 信息 + workflow_content + logs │
└─────────────────────────────────────────────────────────────────────┘
```
## 🔐 安全考虑
1. **权限检查**: 只有具有仓库写权限的用户可以执行调试工作流
2. **Actions 启用**: 仓库必须启用 Actions 单元
3. **YAML 验证**: 所有提交的 YAML 都必须通过解析验证
4. **日志隔离**: 调试工作流的日志单独存储和标记
5. **Token 限制**: 调试工作流中的 token 应该有相同的限制
## 📝 日志输出
调试工作流的完整日志包括:
1. **工作流启动日志**
- 触发时间
- 执行用户
- 分支信息
2. **每个 Job 的日志**
- Job 名称和 ID
- 步骤执行情况
- 命令输出
- 错误信息
3. **工作流完成日志**
- 总执行时间
- 最终状态
- 任何错误总结
## 🚀 后续改进建议
1. **工作流模板库**
- 提供常用工作流模板
- 一键加载示例
2. **语法高亮**
- 在编辑器中支持 YAML 语法高亮
- 错误提示
3. **步骤预览**
- 显示工作流中定义的所有 Job 和步骤
- 验证 Actions 引用的有效性
4. **变量预测**
- 自动完成 Gitea 环境变量
- 显示可用的上下文
5. **历史记录**
- 保存最近执行过的调试脚本
- 快速重新运行
## 📚 相关文件
- `services/actions/debug_workflow.go` - 核心业务逻辑
- `routers/api/v1/repo/actions_debug.go` - API 端点
- `routers/api/v1/api.go` - 路由注册
- `models/actions/run.go` - ActionRun 数据模型
- `models/actions/run_job.go` - ActionRunJob 数据模型

87
docs/kubernetes/README.md Normal file
repo.diff.view_file

@@ -0,0 +1,87 @@
## Kubernetes 文档入口
本目录提供从零到一的 Kubernetes 集群安装与常用脚本。建议:先阅读本 README 的概览与快速开始,再按需查看详细版文档。
### 文档索引
- **Kubernetes 安装**`k8s-installtion.md`(分步说明、完整命令与排错)
- **Istio 配置**`istio-hostnetwork-notes.md`(将 Istio IngressGateway 切换为 hostNetwork 模式指南)
### 快速开始
在 Master 节点:
```bash
./k8s-step1-prepare-env.sh
./k8s-step2-install-containerd.sh
./k8s-step3-install-components.sh
./k8s-step4-init-cluster.sh
./k8s-step5-install-flannel.sh
```
在工作节点加入(参考 `node-join-command.txt` 或运行第 6 步脚本):
```bash
./k8s-step6-join-nodes.sh
```
验证:
```bash
kubectl get nodes -o wide
kubectl get pods -A
```
### 脚本总览
- 安装流程
- `k8s-step1-prepare-env.sh`:环境准备(关闭 swap、内核参数、基础工具
- `k8s-step2-install-containerd.sh`:安装与配置 containerd
- `k8s-step3-install-components.sh`:安装 kubeadm/kubelet/kubectl
- `k8s-step4-init-cluster.sh`Master 初始化集群
- `k8s-step5-install-flannel.sh`:安装 Flannel CNI或直接 `kubectl apply -f kube-flannel.yml`
- `k8s-step6-join-nodes.sh`:节点加入集群(使用 `node-join-command.txt`
- `k8s-install-all.sh`:一键顺序执行上述步骤(熟悉流程后使用)
- 网络与工具
- `setup-master-gateway.sh`Master 网关/NAT 示例配置(按需修改)
- `setup-node1.sh``setup-node2.sh`:节点路由示例
- `k8s-image-pull-and-import.sh`:镜像预拉取/导入(离线或网络慢场景)
- `install-kubectl-nodes.sh`:为其他节点安装与配置 kubectl
### 常见问题
- 节点 `NotReady`:检查 CNI 是否就绪(`kubectl -n kube-flannel get pods`)、确认已 `swapoff -a`,并查看 `journalctl -u kubelet -f`
- 无法拉取镜像:检查网络/镜像源,可用 `k8s-image-pull-and-import.sh` 预拉取。
- `kubectl` 连接异常:确认 `$HOME/.kube/config` 配置与权限。
### Istio 服务网格配置
本目录的 Kubernetes 集群安装完成后,如需使用 Istio 作为服务网格和入口网关,请参考:
#### Istio hostNetwork 模式配置
**适用场景**
- 只有 master 节点有公网 IP
- 需要 Istio IngressGateway 替代 nginx-ingress-controller
- 需要 Istio 直接监听宿主机的 80/443 端口
**详细指南**:请参阅 [`istio-hostnetwork-notes.md`](./istio-hostnetwork-notes.md)
**快速概览**
1. 安装 Istio使用 `istioctl install` 或 Helm
2. 按照指南将 `istio-ingressgateway` 切换为 hostNetwork 模式
3. 配置 Gateway 和 VirtualService 进行流量路由
4. 配置 TLS 证书 Secret
**注意事项**
- 迁移前确保停止 nginx 或其他占用 80/443 的服务
- 需要将 TLS 证书 Secret 复制到 `istio-system` 命名空间
- hostNetwork 模式下Service 类型可以是 `ClusterIP``LoadBalancer`
#### 其他 Istio 文档
- Istio 官方文档https://istio.io/latest/docs/
- Istio 安装指南https://istio.io/latest/docs/setup/install/

98
docs/kubernetes/install-kubectl-nodes.sh Normal file
repo.diff.view_file

@@ -0,0 +1,98 @@
#!/bin/bash
set -e
# 为 node1 和 node2 安装 kubectl 脚本
# 功能: 从 master 传输 kubectl 二进制文件到其他节点
echo "==== 为 node1 和 node2 安装 kubectl ===="
# 定义节点列表
NODES=("172.17.0.15:master" "172.17.0.43:node1" "172.17.0.34:node2")
# 本机 IP 与 SSH 选项
LOCAL_IP=$(ip route get 1 | awk '{print $7; exit}')
SSH_OPTS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes'
# SSH 私钥(可用环境变量 SSH_KEY 覆盖),存在则自动携带
SSH_KEY_PATH=${SSH_KEY:-$HOME/.ssh/id_rsa}
[ -f "$SSH_KEY_PATH" ] && SSH_ID="-i $SSH_KEY_PATH" || SSH_ID=""
# 函数:在指定节点执行命令
execute_on_node() {
local ip="$1"
local hostname="$2"
local command="$3"
local description="$4"
echo "==== $description on $hostname ($ip) ===="
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
bash -lc "$command"
else
ssh $SSH_OPTS $SSH_ID ubuntu@$ip "$command"
fi
echo ""
}
# 函数:传输文件到指定节点
copy_to_node() {
local ip="$1"
local hostname="$2"
local file="$3"
echo "传输 $file$hostname ($ip)"
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
cp -f "$file" ~/
else
scp $SSH_OPTS $SSH_ID "$file" ubuntu@$ip:~/
fi
}
# 创建 kubectl 安装脚本
cat > kubectl-install.sh << 'EOF_INSTALL'
#!/bin/bash
set -e
echo "==== 安装 kubectl ===="
# 1. 检查是否已安装
if command -v kubectl &> /dev/null; then
echo "kubectl 已安装,版本: $(kubectl version --client 2>/dev/null | grep 'Client Version' || echo 'unknown')"
echo "跳过安装"
exit 0
fi
# 2. 安装 kubectl
echo "安装 kubectl..."
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl
# 添加 Kubernetes 官方 GPG key
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
# 添加 Kubernetes apt 仓库
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
# 更新包列表并安装 kubectl
sudo apt update
sudo apt install -y kubectl
# 3. 验证安装
echo "验证 kubectl 安装..."
kubectl version --client
echo "==== kubectl 安装完成 ===="
EOF_INSTALL
chmod +x kubectl-install.sh
# 为 node1 和 node2 安装 kubectl
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
if [ "$hostname" != "master" ]; then
copy_to_node "$ip" "$hostname" "kubectl-install.sh"
execute_on_node "$ip" "$hostname" "./kubectl-install.sh" "安装 kubectl"
fi
done
# 清理临时文件
rm -f kubectl-install.sh
echo "==== 所有节点 kubectl 安装完成 ===="

454
docs/kubernetes/istio-hostnetwork-notes.md Normal file
repo.diff.view_file

@@ -0,0 +1,454 @@
# Istio IngressGateway 切换为 hostNetwork 模式指南
## 概述
本指南适用于以下场景:
- 只有 master 节点有公网 IP
- 需要 Istio IngressGateway 替代 nginx-ingress-controller
- 需要 Istio 直接监听宿主机的 80/443 端口
### 为什么选择 hostNetwork
1. **公网 IP 限制**:只有 master 节点有公网 IP流量入口必须在 master
2. **端口一致性**:需要监听标准端口 80/443与 nginx 保持一致
3. **无缝迁移**:无需修改 DNS 或负载均衡器配置
## 安装 Istio 1.27.1
### 1. 下载 istioctl
```bash
# 下载 Istio 1.27.1
# 根据系统架构选择x86_64 或 arm64
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.27.1 TARGET_ARCH=x86_64 sh -
# 进入目录
cd istio-1.27.1
# 临时添加到 PATH当前会话有效
export PATH=$PWD/bin:$PATH
# 或永久安装到系统路径
sudo cp bin/istioctl /usr/local/bin/
sudo chmod +x /usr/local/bin/istioctl
# 验证安装
istioctl version
```
**说明**
- `TARGET_ARCH` 根据系统架构选择:`x86_64`Intel/AMD`arm64`ARM
- 如果使用临时 PATH每次新终端会话都需要重新设置
- 推荐将 `istioctl` 复制到 `/usr/local/bin` 以便全局使用
### 2. 安装 Istio
使用 `default` profile 安装 Istio
```bash
# 安装 Istio使用 default profile
istioctl install --set profile=default -y
# 验证安装
kubectl get pods -n istio-system
kubectl get svc -n istio-system
```
**预期输出**
- `istiod` Pod 应该处于 `Running` 状态
- `istio-ingressgateway` Pod 应该处于 `Running` 状态
- `istio-egressgateway` Pod 应该处于 `Running` 状态(可选)
### 3. 验证安装
```bash
# 检查 Istio 组件状态
istioctl verify-install
# 查看 Istio 版本
istioctl version
# 检查所有命名空间的 Istio 资源
kubectl get crd | grep istio
```
### 4. 卸载 Istio如需要
如果需要卸载 Istio
```bash
# 卸载 Istio
istioctl uninstall --purge -y
# 删除命名空间
kubectl delete namespace istio-system
# 删除 CRD可选会删除所有 Istio 配置)
kubectl get crd | grep istio | awk '{print $1}' | xargs kubectl delete crd
```
## 前置检查
**注意**:如果尚未安装 Istio请先完成上述"安装 Istio 1.27.1"章节的步骤。
### 1. 确认集群状态
```bash
# 检查节点
kubectl get nodes
# 检查 Istio 组件(如果已安装)
kubectl get pods -n istio-system
# 检查当前 Service 配置(如果已安装)
kubectl get svc istio-ingressgateway -n istio-system
# 检查 Deployment 配置(如果已安装)
kubectl get deploy istio-ingressgateway -n istio-system -o yaml | head -n 50
```
### 2. 释放端口(避免冲突)
**k3s 环境**
- 如有 traefik需要停止或释放 80/443
- 检查是否有其他服务占用端口:`ss -tlnp | grep -E ':(80|443) '`
**标准 Kubernetes 环境**
```bash
# 停止 nginx-ingress-controller如果存在
kubectl scale deployment my-release-nginx-ingress-controller \
-n nginx-ingress-controller --replicas=0
# 验证端口已释放
ss -tlnp | grep -E ':(80|443) ' || echo "80/443 not listening"
```
## 完整操作步骤
### 步骤 1调整 Service可选
如果后续需要接真实 LB可保留 `LoadBalancer` 类型;为便于本地测试,可先改为 `ClusterIP`
```bash
# 修改 Service 类型为 ClusterIP
kubectl patch svc istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"replace","path":"/spec/type","value":"ClusterIP"}]'
# 调整端口映射(直通 80/443/15021
kubectl patch svc istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"replace","path":"/spec/ports","value":[
{"name":"http","port":80,"targetPort":80,"protocol":"TCP"},
{"name":"https","port":443,"targetPort":443,"protocol":"TCP"},
{"name":"status-port","port":15021,"targetPort":15021,"protocol":"TCP"}]}]'
```
### 步骤 2启用 hostNetwork 模式
```bash
# 1. 启用 hostNetwork
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"add","path":"/spec/template/spec/hostNetwork","value":true}]'
# 2. 设置 DNS 策略
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"add","path":"/spec/template/spec/dnsPolicy","value":"ClusterFirstWithHostNet"}]'
# 3. 绑定到 master 节点(根据实际节点名调整)
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"add","path":"/spec/template/spec/nodeSelector","value":{"kubernetes.io/hostname":"master"}}]'
# 4. 添加容忍(如果 master 节点有 control-plane taint
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"add","path":"/spec/template/spec/tolerations","value":[{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]}]'
```
### 步骤 3配置容器端口
```bash
# 让容器直接监听宿主机的 80/443/15021
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"replace","path":"/spec/template/spec/containers/0/ports","value":[
{"containerPort":80,"hostPort":80,"protocol":"TCP","name":"http"},
{"containerPort":443,"hostPort":443,"protocol":"TCP","name":"https"},
{"containerPort":15021,"hostPort":15021,"protocol":"TCP","name":"status-port"},
{"containerPort":15090,"protocol":"TCP","name":"http-envoy-prom"}]}]'
```
### 步骤 4配置安全上下文解决权限问题
```bash
# 1. 添加 NET_BIND_SERVICE 能力
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"add","path":"/spec/template/spec/containers/0/securityContext/capabilities/add","value":["NET_BIND_SERVICE"]}]'
# 2. 以 root 身份运行(允许绑定特权端口)
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"replace","path":"/spec/template/spec/securityContext/runAsNonRoot","value":false},\
{"op":"replace","path":"/spec/template/spec/securityContext/runAsUser","value":0},\
{"op":"replace","path":"/spec/template/spec/securityContext/runAsGroup","value":0}]'
# 3. 设置环境变量(告知 Istio 这是特权 Pod
kubectl set env deployment/istio-ingressgateway -n istio-system ISTIO_META_UNPRIVILEGED_POD=false
```
### 步骤 5重启 Deployment
```bash
# 先缩容到 0避免 hostPort 冲突
kubectl scale deployment istio-ingressgateway -n istio-system --replicas=0
# 等待 Pod 完全终止
kubectl rollout status deployment/istio-ingressgateway -n istio-system --timeout=60s || true
sleep 3
# 扩容到 1
kubectl scale deployment istio-ingressgateway -n istio-system --replicas=1
# 等待新 Pod 就绪
kubectl rollout status deployment/istio-ingressgateway -n istio-system --timeout=120s
```
## 验证配置
### 1. 检查 Pod 状态
```bash
# 查看 Pod 状态和 IPhostNetwork 模式下 IP 应为节点 IP
kubectl get pods -n istio-system -o wide
# 确认 hostNetwork 已启用
kubectl get pod -n istio-system -l app=istio-ingressgateway \
-o jsonpath='{.items[0].spec.hostNetwork}'
# 应该输出: true
```
### 2. 检查端口监听
```bash
# 在 master 节点上检查端口监听
ss -tlnp | grep -E ':(80|443|15021) '
# 或在 Pod 内部检查
kubectl exec -n istio-system deploy/istio-ingressgateway -- \
ss -tlnp | grep -E ':(80|443|15021) '
```
### 3. 检查 Istio 配置
```bash
# 查看 Envoy listener 配置
istioctl proxy-config listener deploy/istio-ingressgateway.istio-system
# 检查配置分析
istioctl analyze -A
```
## 配置 Gateway 和 VirtualService
### 1. 准备 TLS 证书 Secret
如果证书 Secret 在其他命名空间,需要复制到 `istio-system`
```bash
# 复制 Secret示例
kubectl get secret <your-tls-secret> -n <source-namespace> -o yaml | \
sed "s/namespace: <source-namespace>/namespace: istio-system/" | \
kubectl apply -f -
# 验证
kubectl get secret <your-tls-secret> -n istio-system
```
**注意**:证书文件(`.crt`)如果包含多个 `BEGIN CERTIFICATE` 块是正常的,这是证书链(服务器证书 + 中间证书。Kubernetes Secret 和 Istio Gateway 都支持这种格式。
### 2. 创建 Gateway
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: devstar-gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- devstar.cn
- www.devstar.cn
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: devstar-studio-tls-secret-devstar-cn
hosts:
- devstar.cn
- www.devstar.cn
```
### 3. 创建 VirtualService
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: devstar-studio-gitea
namespace: devstar-studio-ns
spec:
hosts:
- devstar.cn
- www.devstar.cn
gateways:
- istio-system/devstar-gateway
http:
# www.devstar.cn 重定向到 devstar.cn (308 永久重定向)
- match:
- headers:
host:
exact: www.devstar.cn
redirect:
authority: devstar.cn
redirectCode: 308
# devstar.cn 路由到后端服务
- match:
- uri:
prefix: /
route:
- destination:
host: devstar-studio-gitea-http
port:
number: 3000
```
### 4. 验证 Gateway 和 VirtualService
```bash
# 检查 Gateway
kubectl get gateway -n istio-system
# 检查 VirtualService
kubectl get virtualservice -A
# 查看详细配置
kubectl describe gateway devstar-gateway -n istio-system
kubectl describe virtualservice devstar-studio-gitea -n devstar-studio-ns
```
## 测试访问
```bash
# HTTP 测试
curl -H "Host: devstar.cn" http://<master-ip> -I
# HTTPS 测试
curl -k --resolve devstar.cn:443:<master-ip> https://devstar.cn -I
# 测试重定向www.devstar.cn -> devstar.cn
curl -I -H "Host: www.devstar.cn" http://<master-ip>
# 应该返回: HTTP/1.1 308 Permanent Redirect
```
## 启用服务网格(可选)
如果需要为其他命名空间启用自动 sidecar 注入:
```bash
# 为命名空间启用自动注入
kubectl label namespace <namespace> istio-injection=enabled
# 验证
kubectl get namespace -L istio-injection
# 重启现有 Pod 以注入 sidecar
kubectl rollout restart deployment -n <namespace>
```
## 常见问题
### 1. Pod 一直 Pending
**原因**:旧 Pod 仍占用 hostPort新 Pod 无法调度。
**解决**
```bash
# 手动删除旧 Pod
kubectl delete pod -n istio-system -l app=istio-ingressgateway
# 或先缩容再扩容
kubectl scale deployment istio-ingressgateway -n istio-system --replicas=0
kubectl scale deployment istio-ingressgateway -n istio-system --replicas=1
```
### 2. Envoy 报 "Permission denied" 无法绑定 80/443
**原因**:容器没有足够权限绑定特权端口。
**解决**
- 确认已添加 `NET_BIND_SERVICE` capability
- 确认 `runAsUser: 0``runAsNonRoot: false`
- 确认 `ISTIO_META_UNPRIVILEGED_POD=false`
### 3. Istiod 日志显示 "skipping privileged gateway port"
**原因**Istio 认为 Pod 是无特权模式。
**解决**
```bash
kubectl set env deployment/istio-ingressgateway -n istio-system ISTIO_META_UNPRIVILEGED_POD=false
kubectl rollout restart deployment istio-ingressgateway -n istio-system
```
### 4. Gateway 冲突IST0145
**原因**:多个 Gateway 使用相同的 selector 和端口,但 hosts 冲突。
**解决**
- 合并多个 Gateway 到一个,在 `hosts` 中列出所有域名
- 或确保不同 Gateway 的 `hosts` 不重叠
## 回滚方案
如果需要回滚到默认配置:
```bash
# 1. 恢复 nginx如果之前使用
kubectl scale deployment my-release-nginx-ingress-controller \
-n nginx-ingress-controller --replicas=1
# 2. 恢复 Istio 为默认配置
istioctl install --set profile=default -y
# 3. 或手动删除 hostNetwork 相关配置
kubectl patch deployment istio-ingressgateway -n istio-system --type='json' \
-p='[{"op":"remove","path":"/spec/template/spec/hostNetwork"}]'
```
## 端口映射说明
### Istio 默认端口配置
- **容器内部端口**Istio 默认让 Envoy 监听 8080HTTP和 8443HTTPS
- **Service 端口映射**Service 的 80 端口映射到容器的 8080targetPort: 8080443 映射到 8443
- **为什么不是 80/443**:这是 Istio 的设计,避免与主机上的其他服务冲突
### hostNetwork 模式下的端口配置
使用 hostNetwork 模式时:
- 容器直接使用主机网络,需要监听主机的 80/443 端口
- 因此需要修改容器端口配置,让容器监听 80/443 而不是 8080/8443
- 同时需要配置 IstioOperator 的 values让 Envoy 实际监听 80/443
## 注意事项
1. **端口冲突**:迁移前确保停止 nginx 或其他占用 80/443 的服务
2. **Sidecar 资源**:每个 Pod 会增加 ~100MB 内存和 ~100m CPU
3. **TLS 证书**:需要将证书 Secret 复制到 istio-system 命名空间,或通过 Gateway 配置指定命名空间
4. **性能影响**sidecar 会增加少量延迟(通常 <1ms
5. **Service 类型**hostNetwork 模式下Service 类型可以是 `ClusterIP``LoadBalancer`,不影响功能

122
docs/kubernetes/k8s-image-pull-and-import.sh Normal file
repo.diff.view_file

@@ -0,0 +1,122 @@
#!/bin/bash
set -euo pipefail
# 说明:
# 在 master、node1、node2 三台节点上分别拉取指定镜像, 并导入到 containerd (k8s.io 命名空间)
# 不通过主机分发镜像归档, 而是每台节点各自拉取/导入。
#
# 使用示例:
# chmod +x k8s-image-pull-and-import.sh
# ./k8s-image-pull-and-import.sh beppeb/devstar-controller-manager:3.0.0.without_istio
#
# 可选环境变量:
# SSH_KEY 指定私钥路径 (默认: ~/.ssh/id_rsa, 若存在自动携带)
echo "==== K8s 镜像拉取并导入 containerd ===="
if [ $# -lt 1 ]; then
echo "用法: $0 <IMAGE[:TAG]>"
echo "示例: $0 beppeb/devstar-controller-manager:3.0.0.without_istio"
exit 1
fi
IMAGE_INPUT="$1"
# 规范化镜像名, 若无 registry 前缀则补全 docker.io/
normalize_image() {
local img="$1"
if [[ "$img" != */*/* ]]; then
# 只有一个斜杠(如 library/nginx 或 beppeb/devstar-...): 仍可能缺少 registry
# Docker 的默认 registry 是 docker.io
echo "docker.io/${img}"
else
echo "$img"
fi
}
CANONICAL_IMAGE=$(normalize_image "$IMAGE_INPUT")
echo "目标镜像: ${CANONICAL_IMAGE}"
# 节点列表: 与 k8s-step1-prepare-env.sh 风格一致
NODES=("172.17.0.15:master" "172.17.0.43:node1" "172.17.0.34:node2")
# 本机 IP 与 SSH 选项
LOCAL_IP=$(ip route get 1 | awk '{print $7; exit}')
SSH_OPTS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes'
SSH_KEY_PATH=${SSH_KEY:-$HOME/.ssh/id_rsa}
[ -f "$SSH_KEY_PATH" ] && SSH_ID="-i $SSH_KEY_PATH" || SSH_ID=""
run_remote() {
local ip="$1"; shift
local cmd="$*"
if [ "$ip" = "$LOCAL_IP" ]; then
bash -lc "$cmd"
else
ssh $SSH_OPTS $SSH_ID ubuntu@"$ip" "$cmd"
fi
}
# 在远端节点执行: 使用 docker 或 containerd 拉取镜像, 并确保导入到 containerd k8s.io
remote_pull_and_import_cmd() {
local image="$1"
# 注意: 使用单引号包裹, 传到远端后再展开变量
cat <<'EOF_REMOTE'
set -euo pipefail
IMAGE_REMOTE="$IMAGE_PLACEHOLDER"
has_cmd() { command -v "$1" >/dev/null 2>&1; }
echo "[\"$(hostname)\"] 处理镜像: ${IMAGE_REMOTE}"
# 优先尝试 docker 拉取, 成功后直接导入 containerd (无需落盘)
if has_cmd docker; then
echo "[\"$(hostname)\"] 使用 docker pull"
sudo docker pull "${IMAGE_REMOTE}"
echo "[\"$(hostname)\"] 导入到 containerd (k8s.io)"
sudo docker save "${IMAGE_REMOTE}" | sudo ctr -n k8s.io images import - >/dev/null
else
echo "[\"$(hostname)\"] 未检测到 docker, 尝试使用 containerd 拉取"
# containerd 直接拉取到 k8s.io 命名空间
sudo ctr -n k8s.io images pull --all-platforms "${IMAGE_REMOTE}"
fi
# 规范化 tag: 若镜像缺少 docker.io 前缀, 在 containerd 内补齐一份别名
NEED_PREFIX=0
if [[ "${IMAGE_REMOTE}" != docker.io/* ]]; then
NEED_PREFIX=1
fi
if [ "$NEED_PREFIX" -eq 1 ]; then
# 仅当不存在 docker.io/ 前缀时, 补一个 docker.io/ 的 tag, 方便与清单匹配
# 计算补齐后的名字
if [[ "${IMAGE_REMOTE}" == */*/* ]]; then
# 已有显式 registry, 不重复打 tag
:
else
FIXED="docker.io/${IMAGE_REMOTE}"
echo "[\"$(hostname)\"] 为 containerd 打标签: ${FIXED}"
sudo ctr -n k8s.io images tag "${IMAGE_REMOTE}" "${FIXED}" || true
fi
fi
echo "[\"$(hostname)\"] 验证镜像是否存在于 containerd:"
sudo ctr -n k8s.io images ls | grep -E "$(printf '%s' "${IMAGE_REMOTE}" | sed 's/[\/.\-]/\\&/g')" || true
EOF_REMOTE
}
# 遍历节点执行
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "==== 在 ${hostname} (${ip}) 执行镜像拉取与导入 ===="
# 将占位符替换为实际镜像并远程执行
remote_script=$(remote_pull_and_import_cmd "$CANONICAL_IMAGE")
# 安全替换占位符为镜像名
remote_script=${remote_script//\$IMAGE_PLACEHOLDER/$CANONICAL_IMAGE}
run_remote "$ip" "$remote_script"
echo ""
done
echo "==== 完成 ===="

69
docs/kubernetes/k8s-install-all.sh Normal file
repo.diff.view_file

@@ -0,0 +1,69 @@
#!/bin/bash
set -e
# Kubernetes 集群一键安装脚本
# 功能: 按顺序执行所有安装步骤
echo "==== Kubernetes 集群一键安装 ===="
echo "集群信息:"
echo "- Master: 172.17.0.15"
echo "- Node1: 172.17.0.43"
echo "- Node2: 172.17.0.34"
echo "- Kubernetes 版本: v1.32.3"
echo "- 网络插件: Flannel"
echo "- 容器运行时: containerd"
echo ""
# 检查脚本文件是否存在
SCRIPTS=(
"k8s-step1-prepare-env.sh"
"k8s-step2-install-containerd.sh"
"k8s-step3-install-components.sh"
"k8s-step4-init-cluster.sh"
"k8s-step5-install-flannel.sh"
"k8s-step6-join-nodes.sh"
)
for script in "${SCRIPTS[@]}"; do
if [ ! -f "$script" ]; then
echo "错误: 找不到脚本文件 $script"
exit 1
fi
done
echo "所有脚本文件检查完成,开始安装..."
echo ""
# 执行安装步骤
echo "==== 步骤 1: 环境准备 ===="
./k8s-step1-prepare-env.sh
echo ""
echo "==== 步骤 2: 安装 containerd ===="
./k8s-step2-install-containerd.sh
echo ""
echo "==== 步骤 3: 安装 Kubernetes 组件 ===="
./k8s-step3-install-components.sh
echo ""
echo "==== 步骤 4: 初始化集群 ===="
./k8s-step4-init-cluster.sh
echo ""
echo "==== 步骤 5: 安装 Flannel 网络插件 ===="
./k8s-step5-install-flannel.sh
echo ""
echo "==== 步骤 6: 节点加入集群 ===="
./k8s-step6-join-nodes.sh
echo ""
echo "==== 安装完成 ===="
echo "集群状态:"
kubectl get nodes
echo ""
kubectl get pods -A
echo ""
echo "集群已就绪,可以开始部署应用!"

524
docs/kubernetes/k8s-installtion.md Normal file
repo.diff.view_file

@@ -0,0 +1,524 @@
# Kubernetes 集群安装文档
## 📋 集群信息
- **Master**: 172.17.0.15 (master)
- **Node1**: 172.17.0.43 (node1)
- **Node2**: 172.17.0.34 (node2)
- **Kubernetes 版本**: v1.32.3
- **容器运行时**: containerd
- **网络插件**: Flannel
- **镜像仓库**: 阿里云镜像
## 🎯 安装方式
**模块化安装**: 每个脚本功能清晰,可以单独执行或按顺序执行
## 📋 安装脚本
### 🔧 脚本列表
1. **`k8s-step1-prepare-env.sh`** - 环境准备 (所有节点)
2. **`k8s-step2-install-containerd.sh`** - 容器运行时安装 (所有节点)
3. **`k8s-step3-install-components.sh`** - Kubernetes 组件安装 (所有节点)
4. **`k8s-step4-init-cluster.sh`** - 集群初始化 (Master 节点)
5. **`k8s-step5-install-flannel.sh`** - 网络插件安装 (Master 节点)
6. **`k8s-step6-join-nodes.sh`** - 节点加入集群 (Node1, Node2)
7. **`k8s-install-all.sh`** - 主控制脚本 (按顺序执行所有步骤)
### 🌐 网络配置脚本
- **`setup-master-gateway.sh`** - Master 节点网关配置
- **`setup-node1.sh`** - Node1 网络路由配置
- **`setup-node2.sh`** - Node2 网络路由配置
### 🔧 辅助工具脚本
- **`install-kubectl-nodes.sh`** - 为其他节点安装 kubectl
### 🚀 使用方法
#### 方法 1: 一键安装
```bash
# 在 Master 节点运行
./k8s-install-all.sh
```
#### 方法 2: 分步安装
```bash
# 按顺序执行每个步骤
./k8s-step1-prepare-env.sh
./k8s-step2-install-containerd.sh
./k8s-step3-install-components.sh
./k8s-step4-init-cluster.sh
./k8s-step5-install-flannel.sh
./k8s-step6-join-nodes.sh
# 可选:为其他节点安装 kubectl
./install-kubectl-nodes.sh
```
## 📋 安装步骤
### ✅ 步骤 1: 环境准备(已完成)
- [x] 云主机重装系统:确认系统盘数据清空,无残留 kube 目录与服务
- [x] 主机名设置:`master``node1``node2`(不在节点脚本中写入 hosts
- [x] Master 配置 NAT 网关:开启 `net.ipv4.ip_forward`,设置 `iptables` MASQUERADE 并持久化
- [x] 基础内核与网络:开启 `overlay``br_netfilter``sysctl` 应用桥接与转发参数
- [x] 关闭 swap禁用并注释 `/etc/fstab` 对应项
- [x] 防火墙:禁用 `ufw`,确保必要端口不被拦截
- [x] SSH 信任:在 master 生成密钥并分发到 `node1/node2`,验证免密可达
### ✅ 步骤 2: 容器运行时准备(所有节点,已完成)
- [x] 更新系统包,安装依赖工具:`curl``wget``gnupg``ca-certificates``apt-transport-https`
- [x] 安装 containerd 并生成默认配置 `/etc/containerd/config.toml`
- [x] 配置镜像加速docker.io/quay.io 使用腾讯云镜像,其他使用高校镜像
- [x] 安装 CNI 插件 v1.3.0(在 master 预下载并分发至 node1/node2
- [x] 启用并开机自启 `containerd`,确认服务状态正常
### ✅ 步骤 3: 安装 Kubernetes 组件(所有节点,已完成)
- [x] 添加 Kubernetes APT 仓库pkgs.k8s.io v1.32),修复 GPG key 与源配置问题
- [x] 安装并锁定版本:`kubelet``kubeadm``kubectl``v1.32.3`
- [x] 配置 kubelet使用 `systemd` cgroup与 containerd 对齐,写入完整配置文件
- [x] 启用并启动 `kubelet` 服务
### ✅ 步骤 4: 集群初始化Master 节点,已完成)
- [x] 执行 `kubeadm init` 完成初始化:包含 `controlPlaneEndpoint=172.17.0.15:6443`、NetworkingServiceCIDR `10.96.0.0/12`、PodCIDR `10.244.0.0/16`)、`imageRepository`Aliyun
- [x] 拷贝 `admin.conf``~/.kube/config` 并验证控制面组件:`etcd``kube-apiserver``kube-controller-manager``kube-scheduler``kube-proxy` 均 Running`coredns` Pending等待安装网络插件
- [x] 生成并使用 `kubeadm token create --print-join-command` 生成 join 命令
### ✅ 步骤 5: 网络插件安装 (Master 节点,已完成)
- [x] 下载并应用 Flannel v0.27.4 清单
- [x] 匹配 Pod CIDR `10.244.0.0/16`,等待组件 Ready
- [x] 配置 Flannel 使用国内镜像源registry-k8s-io.mirrors.sjtug.sjtu.edu.cn、ghcr.tencentcloudcr.com
- [x] 预拉取所有 Flannel 镜像并打标签
- [x] 等待所有网络组件就绪kube-flannel-ds、coredns
### ✅ 步骤 6: 节点加入集群(已完成)
- [x] 读取 `node-join-command.txt` 文件中的 join 命令
- [x]`node1/node2` 执行 join加入成功后验证 `Ready`
- [x] 验证所有节点状态master (Ready, control-plane)、node1 (Ready)、node2 (Ready)
### ✅ 步骤 7: 集群验证(已完成)
- [x] `kubectl get nodes/pods -A` 基线检查
- [x] 所有 Pod 状态为 Running控制面组件、网络组件、系统组件
- [x] 集群完全就绪,可以部署应用
### ✅ 步骤 8: 为其他节点安装 kubectl已完成
- [x] 在 node1 和 node2 上安装 kubectl v1.32.3
- [x] 复制 master 的 kubeconfig 配置文件到其他节点
- [x] 验证所有节点都能正常访问 Kubernetes 集群
## 📝 详细安装过程记录
### 步骤 1: 系统环境准备
#### 1.1 系统重装与清理
- 腾讯云服务器实例重装系统,确保硬盘完全清空
- 验证无残留 Kubernetes 相关目录和服务
#### 1.2 主机名配置
```bash
# Master 节点
sudo hostnamectl set-hostname master
# Node1 节点
sudo hostnamectl set-hostname node1
# Node2 节点
sudo hostnamectl set-hostname node2
```
#### 1.3 网络配置
> **提示**: 可以使用提供的脚本自动配置网络:
> - `./setup-master-gateway.sh` - 在 Master 节点执行
> - `./setup-node1.sh` - 在 Node1 节点执行
> - `./setup-node2.sh` - 在 Node2 节点执行
**Master 节点配置为 NAT 网关:**
```bash
# 启用 IP 转发
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# 清空现有 iptables 规则
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -X
sudo iptables -t nat -X
sudo iptables -t mangle -X
# 设置默认策略
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
# 配置 NAT 规则 - 允许内网节点通过 master 访问外网
sudo iptables -t nat -A POSTROUTING -s 172.17.0.0/20 -o eth0 -j MASQUERADE
# 允许转发来自内网的流量
sudo iptables -A FORWARD -s 172.17.0.0/20 -j ACCEPT
sudo iptables -A FORWARD -d 172.17.0.0/20 -j ACCEPT
# 保存 iptables 规则
sudo apt update && sudo apt install -y iptables-persistent
sudo netfilter-persistent save
```
**Node1 和 Node2 配置路由:**
```bash
# 删除默认网关(如果存在)
sudo ip route del default 2>/dev/null || true
# 添加默认网关指向 master
sudo ip route add default via 172.17.0.15
# 验证网络连通性
ping -c 2 172.17.0.15 && echo "✓ 可以访问 master" || echo "✗ 无法访问 master"
ping -c 2 8.8.8.8 && echo "✓ 可以访问外网" || echo "✗ 无法访问外网"
```
#### 1.4 SSH 密钥配置
```bash
# Master 节点生成 SSH 密钥
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N ""
# 将公钥复制到 Node1 和 Node2
ssh-copy-id ubuntu@172.17.0.43
ssh-copy-id ubuntu@172.17.0.34
```
### 步骤 2: 基础环境准备(所有节点)
#### 2.1 系统更新
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget vim net-tools gnupg lsb-release ca-certificates apt-transport-https
```
#### 2.2 内核参数配置
```bash
# 加载内核模块
sudo modprobe overlay
sudo modprobe br_netfilter
# 配置内核参数
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system
```
#### 2.3 禁用 Swap
```bash
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
```
#### 2.4 防火墙配置
```bash
sudo ufw disable
```
### 步骤 3: 容器运行时安装(所有节点)
#### 3.1 安装 containerd
```bash
# 安装 containerd
sudo apt update
sudo apt install -y containerd
# ① 停止 containerd
sudo systemctl stop containerd
# ② 生成默认配置
sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
# ③ 注入镜像加速配置docker.io/quay.io:腾讯云,其它:高校镜像优先)
sudo sed -i '/\[plugins."io.containerd.grpc.v1.cri".registry.mirrors\]/a\
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]\n endpoint = ["https://mirror.ccs.tencentyun.com"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]\n endpoint = ["https://quay.tencentcloudcr.com"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."ghcr.io"]\n endpoint = ["https://ghcr.nju.edu.cn"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]\n endpoint = ["https://gcr.nju.edu.cn"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]\n endpoint = ["https://registry-k8s-io.mirrors.sjtug.sjtu.edu.cn"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]\n endpoint = ["https://gcr.nju.edu.cn"]' /etc/containerd/config.toml
# ④ 重新加载并启动 containerd
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart containerd
# ⑤ 检查服务状态
sudo systemctl status containerd --no-pager -l
```
#### 3.2 安装 CNI 插件
```bash
# 下载 CNI 插件
CNI_VERSION="v1.3.0"
CNI_TGZ="cni-plugins-linux-amd64-${CNI_VERSION}.tgz"
# 下载 CNI 插件
curl -L --fail --retry 3 --connect-timeout 10 \
-o "$CNI_TGZ" \
"https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/$CNI_TGZ"
# 安装 CNI 插件
sudo mkdir -p /opt/cni/bin
sudo tar -xzf "$CNI_TGZ" -C /opt/cni/bin/
rm -f "$CNI_TGZ"
```
### 步骤 4: Kubernetes 组件安装(所有节点)
#### 4.1 添加 Kubernetes 仓库
```bash
# 添加 Kubernetes 仓库 (pkgs.k8s.io v1.32)
# 确保 keyrings 目录存在并可读
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
sudo chmod a+r /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list >/dev/null
# 更新包列表
sudo apt update
```
#### 4.2 安装 Kubernetes 组件
```bash
# 安装 kubelet, kubeadm, kubectl
sudo apt install -y kubelet kubeadm kubectl
# 锁定版本防止自动更新
sudo apt-mark hold kubelet kubeadm kubectl
```
#### 4.3 配置 kubelet
```bash
# 配置 kubelet
sudo mkdir -p /var/lib/kubelet
cat <<EOF | sudo tee /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
clusterDomain: cluster.local
clusterDNS:
- 10.96.0.10
containerRuntimeEndpoint: unix:///var/run/containerd/containerd.sock
cgroupDriver: systemd
failSwapOn: false
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageMinimumGCAge: 2m0s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
iptablesDropBit: 15
iptablesMasqueradeBit: 15
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podCIDR: 10.244.0.0/16
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
serverTLSBootstrap: true
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
EOF
# 启动 kubelet
sudo systemctl daemon-reload
sudo systemctl enable kubelet
sudo systemctl start kubelet
```
### 步骤 5: 集群初始化Master 节点)
#### 5.1 初始化集群
```bash
# 初始化 Kubernetes 集群
sudo kubeadm init \
--apiserver-advertise-address=172.17.0.15 \
--control-plane-endpoint=172.17.0.15:6443 \
--kubernetes-version=v1.32.3 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--image-repository=registry.aliyuncs.com/google_containers \
--upload-certs \
--ignore-preflight-errors=Swap
# 配置 kubectl
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
#### 5.2 生成节点加入命令
```bash
# 生成节点加入命令
JOIN_COMMAND=$(kubeadm token create --print-join-command)
echo "节点加入命令:"
echo "$JOIN_COMMAND"
echo "$JOIN_COMMAND" > node-join-command.txt
```
### 步骤 6: 网络插件安装Master 节点)
#### 6.1 下载 Flannel 清单
```bash
# 下载 Flannel v0.27.4
FLANNEL_VER="v0.27.4"
curl -fsSL https://raw.githubusercontent.com/flannel-io/flannel/${FLANNEL_VER}/Documentation/kube-flannel.yml -O
# 修改 Flannel 配置
sed -i 's|"Network": "10.244.0.0/16"|"Network": "10.244.0.0/16"|g' kube-flannel.yml
```
#### 6.2 预拉取 Flannel 镜像
```bash
# 预拉取并打标签
REGISTRY_K8S_MIRROR="registry-k8s-io.mirrors.sjtug.sjtu.edu.cn"
GHCR_MIRROR="ghcr.tencentcloudcr.com"
# 预拉取 pause 镜像
sudo ctr -n k8s.io images pull ${REGISTRY_K8S_MIRROR}/pause:3.8 || true
sudo ctr -n k8s.io images tag ${REGISTRY_K8S_MIRROR}/pause:3.8 registry.k8s.io/pause:3.8 || true
# 预拉取 flannel 镜像
sudo ctr -n k8s.io images pull ${GHCR_MIRROR}/flannel-io/flannel:${FLANNEL_VER} || true
sudo ctr -n k8s.io images tag ${GHCR_MIRROR}/flannel-io/flannel:${FLANNEL_VER} ghcr.io/flannel-io/flannel:${FLANNEL_VER} || true
```
#### 6.3 安装 Flannel
```bash
# 安装 Flannel
kubectl apply -f kube-flannel.yml
# 等待 Flannel 组件就绪
kubectl -n kube-flannel rollout status daemonset/kube-flannel-ds --timeout=600s
kubectl wait --for=condition=ready pod -l app=flannel -n kube-flannel --timeout=600s
# 等待 CoreDNS 就绪
kubectl -n kube-system rollout status deploy/coredns --timeout=600s
```
### 步骤 7: 节点加入集群
#### 7.1 节点加入
```bash
# 检查是否存在加入命令文件
if [ ! -f "node-join-command.txt" ]; then
echo "错误: 找不到 node-join-command.txt 文件"
echo "请先运行 k8s-step4-init-cluster.sh 初始化集群"
exit 1
fi
# 读取加入命令
JOIN_COMMAND=$(cat node-join-command.txt)
echo "使用加入命令: $JOIN_COMMAND"
# Node1 加入集群
ssh ubuntu@172.17.0.43 "sudo $JOIN_COMMAND"
# Node2 加入集群
ssh ubuntu@172.17.0.34 "sudo $JOIN_COMMAND"
# 等待节点加入
sleep 30
# 验证集群状态
kubectl get nodes
kubectl get pods -n kube-system
kubectl get pods -n kube-flannel
```
### 步骤 8: 集群验证
#### 8.1 验证节点状态
```bash
kubectl get nodes
```
#### 8.2 验证 Pod 状态
```bash
kubectl get pods -A
```
#### 8.3 验证集群功能
```bash
# 检查集群信息
kubectl cluster-info
# 检查节点详细信息
kubectl describe nodes
```
### 步骤 9: 为其他节点安装 kubectl
#### 9.1 在 node1 和 node2 安装 kubectl
```bash
# 检查是否已安装
if command -v kubectl &> /dev/null; then
echo "kubectl 已安装,版本: $(kubectl version --client 2>/dev/null | grep 'Client Version' || echo 'unknown')"
echo "跳过安装"
exit 0
fi
# 安装 kubectl
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl
# 添加 Kubernetes 官方 GPG key
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
# 添加 Kubernetes apt 仓库
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
# 更新包列表并安装 kubectl
sudo apt update
sudo apt install -y kubectl
```
#### 9.2 复制 kubeconfig 配置文件
```bash
# 在 master 节点执行
# 为 node1 创建 .kube 目录
ssh ubuntu@172.17.0.43 "mkdir -p ~/.kube"
# 为 node2 创建 .kube 目录
ssh ubuntu@172.17.0.34 "mkdir -p ~/.kube"
# 复制 kubeconfig 到 node1
scp ~/.kube/config ubuntu@172.17.0.43:~/.kube/config
# 复制 kubeconfig 到 node2
scp ~/.kube/config ubuntu@172.17.0.34:~/.kube/config
```
#### 9.3 验证 kubectl 连接
```bash
# 验证 node1 kubectl 连接
ssh ubuntu@172.17.0.43 "kubectl get nodes"
# 验证 node2 kubectl 连接
ssh ubuntu@172.17.0.34 "kubectl get nodes"
```

48
docs/kubernetes/k8s-prepare-env.sh Normal file
repo.diff.view_file

@@ -0,0 +1,48 @@
#!/bin/bash
set -e
echo "==== Kubernetes 环境准备 ===="
# 1. 更新系统包
echo "更新系统包..."
sudo apt update && sudo apt upgrade -y
# 2. 安装必要的工具
echo "安装必要工具..."
sudo apt install -y curl wget gnupg lsb-release ca-certificates apt-transport-https software-properties-common
# 3. 禁用 swap
echo "禁用 swap..."
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
# 4. 配置内核参数
echo "配置内核参数..."
cat <<EOF_MODULES | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF_MODULES
sudo modprobe overlay
sudo modprobe br_netfilter
# 5. 配置 sysctl 参数
echo "配置 sysctl 参数..."
cat <<EOF_SYSCTL | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF_SYSCTL
sudo sysctl --system
# 6. 配置防火墙
echo "配置防火墙..."
sudo ufw --force disable || true
# 按你的要求,不在节点上修改 /etc/hosts
echo "==== 环境准备完成 ===="
echo "当前主机名: $(hostname)"
echo "当前 IP: $(ip route get 1 | awk '{print $7; exit}')"
echo "Swap 状态: $(swapon --show | wc -l) 个 swap 分区"

109
docs/kubernetes/k8s-step1-prepare-env.sh Normal file
repo.diff.view_file

@@ -0,0 +1,109 @@
#!/bin/bash
set -e
# Kubernetes 环境准备脚本
# 功能: 在所有节点准备 Kubernetes 运行环境
echo "==== Kubernetes 环境准备 ===="
# 定义节点列表
NODES=("172.17.0.15:master" "172.17.0.43:node1" "172.17.0.34:node2")
# 本机 IP 与 SSH 选项
LOCAL_IP=$(ip route get 1 | awk '{print $7; exit}')
SSH_OPTS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes'
# SSH 私钥(可用环境变量 SSH_KEY 覆盖),存在则自动携带
SSH_KEY_PATH=${SSH_KEY:-$HOME/.ssh/id_rsa}
[ -f "$SSH_KEY_PATH" ] && SSH_ID="-i $SSH_KEY_PATH" || SSH_ID=""
# 函数:在所有节点执行命令
execute_on_all_nodes() {
local command="$1"
local description="$2"
echo "==== $description ===="
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "$hostname ($ip) 执行: $command"
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
bash -lc "$command"
else
ssh $SSH_OPTS $SSH_ID ubuntu@$ip "$command"
fi
done
echo ""
}
# 函数:传输文件到所有节点
copy_to_all_nodes() {
local file="$1"
echo "==== 传输文件 $file 到所有节点 ===="
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "传输到 $hostname ($ip)"
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
cp -f "$file" ~/
else
scp $SSH_OPTS $SSH_ID "$file" ubuntu@$ip:~/
fi
done
echo ""
}
# 创建环境准备脚本
cat > k8s-prepare-env.sh << 'EOF_OUTER'
#!/bin/bash
set -e
echo "==== Kubernetes 环境准备 ===="
# 1. 更新系统包
echo "更新系统包..."
sudo apt update && sudo apt upgrade -y
# 2. 安装必要的工具
echo "安装必要工具..."
sudo apt install -y curl wget gnupg lsb-release ca-certificates apt-transport-https software-properties-common
# 3. 禁用 swap
echo "禁用 swap..."
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
# 4. 配置内核参数
echo "配置内核参数..."
cat <<EOF_MODULES | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF_MODULES
sudo modprobe overlay
sudo modprobe br_netfilter
# 5. 配置 sysctl 参数
echo "配置 sysctl 参数..."
cat <<EOF_SYSCTL | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF_SYSCTL
sudo sysctl --system
# 6. 配置防火墙
echo "配置防火墙..."
sudo ufw --force disable || true
# 按你的要求,不在节点上修改 /etc/hosts
echo "==== 环境准备完成 ===="
echo "当前主机名: $(hostname)"
echo "当前 IP: $(ip route get 1 | awk '{print $7; exit}')"
echo "Swap 状态: $(swapon --show | wc -l) 个 swap 分区"
EOF_OUTER
chmod +x k8s-prepare-env.sh
copy_to_all_nodes k8s-prepare-env.sh
execute_on_all_nodes "./k8s-prepare-env.sh" "环境准备"
echo "==== 环境准备完成 ===="

133
docs/kubernetes/k8s-step2-install-containerd.sh Normal file
repo.diff.view_file

@@ -0,0 +1,133 @@
#!/bin/bash
set -e
# Kubernetes 容器运行时安装脚本
# 功能: 在所有节点安装 containerd 和 CNI 插件
echo "==== 安装容器运行时 (containerd) ===="
# 定义节点列表
NODES=("172.17.0.15:master" "172.17.0.43:node1" "172.17.0.34:node2")
# 本机 IP 与 SSH 选项
LOCAL_IP=$(ip route get 1 | awk '{print $7; exit}')
SSH_OPTS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes'
# SSH 私钥(可用环境变量 SSH_KEY 覆盖),存在则自动携带
SSH_KEY_PATH=${SSH_KEY:-$HOME/.ssh/id_rsa}
[ -f "$SSH_KEY_PATH" ] && SSH_ID="-i $SSH_KEY_PATH" || SSH_ID=""
# 统一的工件目录与文件名(在 master 上下载一次后分发)
ARTIFACTS_DIR="$HOME/k8s-artifacts"
CNI_VERSION="v1.3.0"
CNI_TGZ="cni-plugins-linux-amd64-${CNI_VERSION}.tgz"
# 函数:在所有节点执行命令
execute_on_all_nodes() {
local command="$1"
local description="$2"
echo "==== $description ===="
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "$hostname ($ip) 执行: $command"
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
bash -lc "$command"
else
ssh $SSH_OPTS $SSH_ID ubuntu@$ip "$command"
fi
done
echo ""
}
# 函数:传输文件到所有节点
copy_to_all_nodes() {
local file="$1"
echo "==== 传输文件 $file 到所有节点 ===="
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "传输到 $hostname ($ip)"
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
cp -f "$file" ~/
else
scp $SSH_OPTS $SSH_ID "$file" ubuntu@$ip:~/
fi
done
echo ""
}
# 创建容器运行时安装脚本
cat > k8s-install-containerd.sh << 'EOF_OUTER'
#!/bin/bash
set -e
echo "==== 安装容器运行时 (containerd) ===="
# 1. 安装 containerd
echo "安装 containerd..."
sudo apt update
sudo apt install -y containerd
# 2. 配置 containerd
echo "配置 containerd..."
# ① 停止 containerd
sudo systemctl stop containerd
# ② 生成默认配置
sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
# ③ 注入镜像加速配置docker.io/quay.io:腾讯云,其它:高校镜像优先)
sudo sed -i '/\[plugins."io.containerd.grpc.v1.cri".registry.mirrors\]/a\
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]\n endpoint = ["https://mirror.ccs.tencentyun.com"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]\n endpoint = ["https://quay.tencentcloudcr.com"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."ghcr.io"]\n endpoint = ["https://ghcr.nju.edu.cn"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]\n endpoint = ["https://gcr.nju.edu.cn"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]\n endpoint = ["https://registry-k8s-io.mirrors.sjtug.sjtu.edu.cn"]\n [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]\n endpoint = ["https://gcr.nju.edu.cn"]' /etc/containerd/config.toml
# ④ 重新加载并启动 containerd
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart containerd
## 4. 在 master 预下载 CNI 压缩包并分发到各节点
echo "准备 CNI 工件并分发..."
if [ "$LOCAL_IP" = "172.17.0.15" ]; then
mkdir -p "$ARTIFACTS_DIR"
if [ ! -f "$ARTIFACTS_DIR/$CNI_TGZ" ]; then
echo "在 master 下载 $CNI_TGZ ..."
curl -L --fail --retry 3 --connect-timeout 10 \
-o "$ARTIFACTS_DIR/$CNI_TGZ" \
"https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/$CNI_TGZ"
else
echo "已存在 $ARTIFACTS_DIR/$CNI_TGZ跳过下载"
fi
# 分发到所有节点 home 目录
copy_to_all_nodes "$ARTIFACTS_DIR/$CNI_TGZ"
fi
# 5. 安装 CNI 插件(优先使用已分发的本地文件)
echo "安装 CNI 插件..."
sudo mkdir -p /opt/cni/bin
if [ -f "$CNI_TGZ" ]; then
echo "使用已分发的 $CNI_TGZ 进行安装"
sudo tar -xzf "$CNI_TGZ" -C /opt/cni/bin/
rm -f "$CNI_TGZ"
else
echo "未找到本地 $CNI_TGZ尝试在线下载网络慢时可能用时较长..."
curl -L --fail --retry 3 --connect-timeout 10 \
-o "$CNI_TGZ" \
"https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/$CNI_TGZ"
sudo tar -xzf "$CNI_TGZ" -C /opt/cni/bin/
rm -f "$CNI_TGZ"
fi
# 6. 验证安装
echo "==== 验证 containerd 安装 ===="
sudo systemctl status containerd --no-pager -l
sudo ctr version
echo "==== containerd 安装完成 ===="
EOF_OUTER
chmod +x k8s-install-containerd.sh
copy_to_all_nodes k8s-install-containerd.sh
execute_on_all_nodes "./k8s-install-containerd.sh" "安装容器运行时"
echo "==== 容器运行时安装完成 ===="

149
docs/kubernetes/k8s-step3-install-components.sh Normal file
repo.diff.view_file

@@ -0,0 +1,149 @@
#!/bin/bash
set -e
# Kubernetes 组件安装脚本
# 功能: 在所有节点安装 kubelet, kubeadm, kubectl
echo "==== 安装 Kubernetes 组件 ===="
# 定义节点列表
NODES=("172.17.0.15:master" "172.17.0.43:node1" "172.17.0.34:node2")
# 本机 IP 与 SSH 选项
LOCAL_IP=$(ip route get 1 | awk '{print $7; exit}')
SSH_OPTS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes'
# SSH 私钥(可用环境变量 SSH_KEY 覆盖),存在则自动携带
SSH_KEY_PATH=${SSH_KEY:-$HOME/.ssh/id_rsa}
[ -f "$SSH_KEY_PATH" ] && SSH_ID="-i $SSH_KEY_PATH" || SSH_ID=""
# 函数:在所有节点执行命令
execute_on_all_nodes() {
local command="$1"
local description="$2"
echo "==== $description ===="
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "$hostname ($ip) 执行: $command"
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
bash -lc "$command"
else
ssh $SSH_OPTS $SSH_ID ubuntu@$ip "$command"
fi
done
echo ""
}
# 函数:传输文件到所有节点
copy_to_all_nodes() {
local file="$1"
echo "==== 传输文件 $file 到所有节点 ===="
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "传输到 $hostname ($ip)"
if [ "$ip" = "$LOCAL_IP" ] || [ "$hostname" = "master" ]; then
cp -f "$file" ~/
else
scp $SSH_OPTS $SSH_ID "$file" ubuntu@$ip:~/
fi
done
echo ""
}
# 创建 Kubernetes 组件安装脚本
cat > k8s-install-components.sh << 'EOF_OUTER'
#!/bin/bash
set -e
echo "==== 安装 Kubernetes 组件 ===="
# 1. 添加 Kubernetes 仓库
echo "添加 Kubernetes 仓库 (pkgs.k8s.io v1.32)..."
# 确保 keyrings 目录存在并可读
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
sudo chmod a+r /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list >/dev/null
# 2. 更新包列表
echo "更新包列表..."
sudo apt update
# 3. 安装 Kubernetes 组件(使用 v1.32 通道的最新补丁版本)
echo "安装 Kubernetes 组件..."
sudo apt install -y kubelet kubeadm kubectl
# 4. 锁定版本防止自动更新
echo "锁定 Kubernetes 版本..."
sudo apt-mark hold kubelet kubeadm kubectl
# 5. 配置 kubelet
echo "配置 kubelet..."
sudo mkdir -p /var/lib/kubelet
cat <<EOF_KUBELET | sudo tee /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
clusterDomain: cluster.local
clusterDNS:
- 10.96.0.10
containerRuntimeEndpoint: unix:///var/run/containerd/containerd.sock
cgroupDriver: systemd
failSwapOn: false
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageMinimumGCAge: 2m0s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
iptablesDropBit: 15
iptablesMasqueradeBit: 15
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podCIDR: 10.244.0.0/16
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
serverTLSBootstrap: true
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
EOF_KUBELET
# 6. 启动 kubelet
echo "启动 kubelet..."
sudo systemctl daemon-reload
sudo systemctl enable kubelet
sudo systemctl start kubelet
# 7. 验证安装
echo "==== 验证 Kubernetes 组件安装 ===="
kubelet --version
kubeadm version
kubectl version --client
echo "==== Kubernetes 组件安装完成 ===="
EOF_OUTER
chmod +x k8s-install-components.sh
copy_to_all_nodes k8s-install-components.sh
execute_on_all_nodes "./k8s-install-components.sh" "安装 Kubernetes 组件"
echo "==== Kubernetes 组件安装完成 ===="

40
docs/kubernetes/k8s-step4-init-cluster.sh Normal file
repo.diff.view_file

@@ -0,0 +1,40 @@
#!/bin/bash
set -e
# Kubernetes 集群初始化脚本
# 功能: 在 Master 节点初始化 Kubernetes 集群
echo "==== 初始化 Kubernetes 集群 ===="
# 1. 初始化集群
echo "初始化 Kubernetes 集群..."
sudo kubeadm init \
--apiserver-advertise-address=172.17.0.15 \
--control-plane-endpoint=172.17.0.15:6443 \
--kubernetes-version=v1.32.3 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--image-repository=registry.aliyuncs.com/google_containers \
--upload-certs \
--ignore-preflight-errors=Swap
# 2. 配置 kubectl
echo "配置 kubectl..."
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# 3. 生成节点加入命令
echo "生成节点加入命令..."
JOIN_COMMAND=$(kubeadm token create --print-join-command)
echo "节点加入命令:"
echo "$JOIN_COMMAND"
echo "$JOIN_COMMAND" > node-join-command.txt
# 4. 验证集群状态
echo "==== 验证集群状态 ===="
kubectl get nodes
kubectl get pods -n kube-system
echo "==== 集群初始化完成 ===="
echo "请保存节点加入命令,稍后用于将 node1 和 node2 加入集群"

77
docs/kubernetes/k8s-step5-install-flannel.sh Normal file
repo.diff.view_file

@@ -0,0 +1,77 @@
#!/bin/bash
set -e
# Kubernetes 网络插件安装脚本
# 功能: 在 Master 节点安装 Flannel 网络插件
echo "==== 安装 Flannel 网络插件 ===="
# 1. 下载 Flannel 配置文件
echo "下载 Flannel 配置文件..."
FLANNEL_VER="v0.27.4"
curl -fsSL https://raw.githubusercontent.com/flannel-io/flannel/${FLANNEL_VER}/Documentation/kube-flannel.yml -O
# 2. 修改 Flannel 配置
echo "修改 Flannel 配置..."
sed -i 's|"Network": "10.244.0.0/16"|"Network": "10.244.0.0/16"|g' kube-flannel.yml
echo "预拉取 Flannel 相关镜像(优先国内镜像域名,拉取后回标官方名)..."
DOCKER_MIRROR="docker.m.daocloud.io"
REGISTRY_K8S_MIRROR="registry-k8s-io.mirrors.sjtug.sjtu.edu.cn"
GHCR_MIRROR="ghcr.tencentcloudcr.com"
IMAGES=(
"registry.k8s.io/pause:3.8"
"ghcr.io/flannel-io/flannel:${FLANNEL_VER}"
)
pull_and_tag() {
local origin_ref="$1" # e.g. registry.k8s.io/pause:3.8
local mirror_ref="$2" # e.g. registry-k8s-io.mirrors.sjtug.sjtu.edu.cn/pause:3.8
echo "尝试从镜像 ${mirror_ref} 预拉取..."
for i in $(seq 1 5); do
if sudo ctr -n k8s.io images pull "${mirror_ref}"; then
echo "打官方标签: ${origin_ref} <- ${mirror_ref}"
sudo ctr -n k8s.io images tag "${mirror_ref}" "${origin_ref}" || true
return 0
fi
echo "pull 失败,重试 ${i}/5..."; sleep 2
done
return 1
}
# 预拉取 pause 镜像
echo "预拉取: registry.k8s.io/pause:3.8"
if pull_and_tag "registry.k8s.io/pause:3.8" "${REGISTRY_K8S_MIRROR}/pause:3.8"; then
echo "pause 镜像拉取成功"
else
echo "WARN: pause 镜像拉取失败,将由 kubelet 重试"
fi
# 预拉取 flannel 镜像
echo "预拉取: ghcr.io/flannel-io/flannel:${FLANNEL_VER}"
if pull_and_tag "ghcr.io/flannel-io/flannel:${FLANNEL_VER}" "${GHCR_MIRROR}/flannel-io/flannel:${FLANNEL_VER}"; then
echo "flannel 镜像拉取成功"
else
echo "WARN: flannel 镜像拉取失败,将由 kubelet 重试"
fi
# 3. 安装 Flannel
echo "安装 Flannel..."
kubectl apply -f kube-flannel.yml
# 4. 等待 Flannel 启动
echo "等待 Flannel 组件就绪..."
kubectl -n kube-flannel rollout status daemonset/kube-flannel-ds --timeout=600s || true
kubectl wait --for=condition=ready pod -l app=flannel -n kube-flannel --timeout=600s || true
echo "等待 CoreDNS 由 Pending 变为 Ready..."
kubectl -n kube-system rollout status deploy/coredns --timeout=600s || true
# 5. 验证网络插件
echo "==== 验证 Flannel 安装 ===="
kubectl get pods -n kube-flannel
kubectl get nodes
echo "==== Flannel 网络插件安装完成 ===="

53
docs/kubernetes/k8s-step6-join-nodes.sh Normal file
repo.diff.view_file

@@ -0,0 +1,53 @@
#!/bin/bash
set -e
# Kubernetes 节点加入脚本
# 功能: 将 Node1 和 Node2 加入 Kubernetes 集群
echo "==== 将节点加入 Kubernetes 集群 ===="
# 检查是否存在加入命令文件
if [ ! -f "node-join-command.txt" ]; then
echo "错误: 找不到 node-join-command.txt 文件"
echo "请先运行 k8s-step4-init-cluster.sh 初始化集群"
exit 1
fi
# 读取加入命令
JOIN_COMMAND=$(cat node-join-command.txt)
# SSH 选项与密钥
SSH_OPTS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o BatchMode=yes'
SSH_KEY_PATH=${SSH_KEY:-$HOME/.ssh/id_rsa}
[ -f "$SSH_KEY_PATH" ] && SSH_ID="-i $SSH_KEY_PATH" || SSH_ID=""
echo "使用加入命令: $JOIN_COMMAND"
# 定义节点列表
NODES=("172.17.0.43:node1" "172.17.0.34:node2")
# 将节点加入集群
for node in "${NODES[@]}"; do
IFS=':' read -r ip hostname <<< "$node"
echo "==== 将 $hostname ($ip) 加入集群 ===="
ssh $SSH_OPTS $SSH_ID ubuntu@$ip "sudo $JOIN_COMMAND"
echo "$hostname 加入完成"
done
# 等待节点加入
echo "==== 等待节点加入集群 ===="
sleep 30
# 验证集群状态
echo "==== 验证集群状态 ===="
kubectl get nodes
kubectl get pods -n kube-system
kubectl get pods -n kube-flannel
echo "==== 节点加入完成 ===="
echo "集群信息:"
echo "- Master: 172.17.0.15"
echo "- Node1: 172.17.0.43"
echo "- Node2: 172.17.0.34"
echo "- Kubernetes 版本: v1.32.3"
echo "- 网络插件: Flannel"
echo "- 容器运行时: containerd"

211
docs/kubernetes/kube-flannel.yml Normal file
repo.diff.view_file

@@ -0,0 +1,211 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: kube-flannel
labels:
k8s-app: flannel
pod-security.kubernetes.io/enforce: privileged
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: flannel
name: flannel
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: flannel
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-flannel
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: flannel
name: flannel
namespace: kube-flannel
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-flannel
labels:
tier: node
k8s-app: flannel
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "10.244.0.0/16",
"EnableNFTables": false,
"Backend": {
"Type": "vxlan"
}
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds
namespace: kube-flannel
labels:
tier: node
app: flannel
k8s-app: flannel
spec:
selector:
matchLabels:
app: flannel
template:
metadata:
labels:
tier: node
app: flannel
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
hostNetwork: true
priorityClassName: system-node-critical
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni-plugin
image: ghcr.io/flannel-io/flannel-cni-plugin:v1.8.0-flannel1
command:
- cp
args:
- -f
- /flannel
- /opt/cni/bin/flannel
volumeMounts:
- name: cni-plugin
mountPath: /opt/cni/bin
- name: install-cni
image: ghcr.io/flannel-io/flannel:v0.27.4
command:
- cp
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
image: ghcr.io/flannel-io/flannel:v0.27.4
command:
- /opt/bin/flanneld
args:
- --ip-masq
- --kube-subnet-mgr
resources:
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: false
capabilities:
add: ["NET_ADMIN", "NET_RAW"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: EVENT_QUEUE_DEPTH
value: "5000"
- name: CONT_WHEN_CACHE_NOT_READY
value: "false"
volumeMounts:
- name: run
mountPath: /run/flannel
- name: flannel-cfg
mountPath: /etc/kube-flannel/
- name: xtables-lock
mountPath: /run/xtables.lock
volumes:
- name: run
hostPath:
path: /run/flannel
- name: cni-plugin
hostPath:
path: /opt/cni/bin
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate

51
docs/kubernetes/setup-master-gateway.sh Normal file
repo.diff.view_file

@@ -0,0 +1,51 @@
#!/bin/bash
set -e
echo "==== 配置 Master 节点作为网关 ===="
# 1. 启用 IP 转发
echo "启用 IP 转发..."
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# 2. 配置 iptables NAT 规则
echo "配置 iptables NAT 规则..."
# 清空现有规则
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -X
sudo iptables -t nat -X
sudo iptables -t mangle -X
# 设置默认策略
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
# 配置 NAT 规则 - 允许内网节点通过 master 访问外网
sudo iptables -t nat -A POSTROUTING -s 172.17.0.0/20 -o eth0 -j MASQUERADE
# 允许转发来自内网的流量
sudo iptables -A FORWARD -s 172.17.0.0/20 -j ACCEPT
sudo iptables -A FORWARD -d 172.17.0.0/20 -j ACCEPT
# 3. 保存 iptables 规则
echo "保存 iptables 规则..."
sudo apt update
sudo apt install -y iptables-persistent
sudo netfilter-persistent save
# 4. 验证配置
echo "==== 验证配置 ===="
echo "IP 转发状态:"
cat /proc/sys/net/ipv4/ip_forward
echo "当前 iptables NAT 规则:"
sudo iptables -t nat -L -n -v
echo "当前 iptables FORWARD 规则:"
sudo iptables -L FORWARD -n -v
echo "==== Master 网关配置完成 ===="
echo "Master 节点现在可以作为内网节点的网关使用"

26
docs/kubernetes/setup-node1.sh Normal file
repo.diff.view_file

@@ -0,0 +1,26 @@
#!/bin/bash
set -e
echo "==== 配置 Node1 (172.17.0.43) 网络路由 ===="
echo "==== 当前状态 ===="
echo "当前主机名: $(hostname)"
echo "当前 IP: $(ip route get 1 | awk '{print $7; exit}')"
# 配置网络路由 - 通过 master 访问外网
echo "配置网络路由..."
# 删除默认网关(如果存在)
sudo ip route del default 2>/dev/null || true
# 添加默认网关指向 master
sudo ip route add default via 172.17.0.15
echo "==== 验证网络配置 ===="
echo "当前路由表:"
ip route show
echo "测试网络连通性:"
ping -c 2 172.17.0.15 && echo "✓ 可以访问 master" || echo "✗ 无法访问 master"
ping -c 2 8.8.8.8 && echo "✓ 可以访问外网" || echo "✗ 无法访问外网"
echo "==== Node1 网络路由配置完成 ===="

26
docs/kubernetes/setup-node2.sh Normal file
repo.diff.view_file

@@ -0,0 +1,26 @@
#!/bin/bash
set -e
echo "==== 配置 Node2 (172.17.0.34) 网络路由 ===="
echo "==== 当前状态 ===="
echo "当前主机名: $(hostname)"
echo "当前 IP: $(ip route get 1 | awk '{print $7; exit}')"
# 配置网络路由 - 通过 master 访问外网
echo "配置网络路由..."
# 删除默认网关(如果存在)
sudo ip route del default 2>/dev/null || true
# 添加默认网关指向 master
sudo ip route add default via 172.17.0.15
echo "==== 验证网络配置 ===="
echo "当前路由表:"
ip route show
echo "测试网络连通性:"
ping -c 2 172.17.0.15 && echo "✓ 可以访问 master" || echo "✗ 无法访问 master"
ping -c 2 8.8.8.8 && echo "✓ 可以访问外网" || echo "✗ 无法访问外网"
echo "==== Node2 网络路由配置完成 ===="

9
models/user/user.go
repo.diff.view_file

@@ -125,7 +125,6 @@ type User struct {
AllowImportLocal bool // Allow migrate repository by local path
AllowCreateOrganization bool `xorm:"DEFAULT true"`
AllowCreateDevcontainer bool `xorm:"DEFAULT false"`
AllowCreateActRunner bool `xorm:"DEFAULT false"`
// true: the user is not allowed to log in Web UI. Git/SSH access could still be allowed (please refer to Git/SSH access related code/documents)
ProhibitLogin bool `xorm:"NOT NULL DEFAULT false"`
@@ -275,11 +274,6 @@ func (u *User) CanCreateDevcontainer() bool {
return u.AllowCreateDevcontainer
}
// CanCreateActrunner returns true if user can create organisation.
func (u *User) CanCreateActrunner() bool {
return u.AllowCreateActRunner
}
// CanEditGitHook returns true if user can edit Git hooks.
func (u *User) CanEditGitHook() bool {
return !setting.DisableGitHooks && (u.IsAdmin || u.AllowGitHook)
@@ -646,7 +640,6 @@ type CreateUserOverwriteOptions struct {
Visibility *structs.VisibleType
AllowCreateOrganization optional.Option[bool]
AllowCreateDevcontainer optional.Option[bool]
AllowCreateActRunner optional.Option[bool]
EmailNotificationsPreference *string
MaxRepoCreation *int
Theme *string
@@ -674,8 +667,6 @@ func createUser(ctx context.Context, u *User, meta *Meta, createdByAdmin bool, o
u.KeepEmailPrivate = setting.Service.DefaultKeepEmailPrivate
u.Visibility = setting.Service.DefaultUserVisibilityMode
u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization && !setting.Admin.DisableRegularOrgCreation
u.AllowCreateDevcontainer = setting.Service.DefaultAllowCreateDevcontainer
u.AllowCreateActRunner = setting.Service.DefaultAllowCreateActRunner
u.EmailNotificationsPreference = setting.Admin.DefaultEmailNotification
u.MaxRepoCreation = -1
u.Theme = setting.UI.DefaultTheme

1
models/user/user_system.go
repo.diff.view_file

@@ -59,7 +59,6 @@ func NewActionsUser() *User {
Type: UserTypeBot,
AllowCreateOrganization: true,
AllowCreateDevcontainer: false,
AllowCreateActRunner: false,
Visibility: structs.VisibleTypePublic,
}
}

10
modules/docker/docker_api.go
repo.diff.view_file

@@ -89,22 +89,24 @@ func GetContainerStatus(cli *client.Client, containerID string) (string, error)
if err != nil {
return "", err
}
state := containerInfo.State
return state.Status, nil
}
func PushImage(dockerHost string, username string, password string, registryUrl string, imageRef string) error {
script := "docker " + "-H " + dockerHost + " login -u " + username + " -p " + password + " " + registryUrl + " "
cmd := exec.Command("sh", "-c", script)
output, err := cmd.CombinedOutput()
_, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("%s \n 镜像登录失败: %s", string(output), err.Error())
return err
}
// 推送到仓库
script = "docker " + "-H " + dockerHost + " push " + imageRef
cmd = exec.Command("sh", "-c", script)
output, err = cmd.CombinedOutput()
_, err = cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("%s \n 镜像推送失败: %s", string(output), err.Error())
return err
}
return nil
}

4
modules/setting/service.go
repo.diff.view_file

@@ -71,8 +71,6 @@ var Service = struct {
McaptchaURL string
DefaultKeepEmailPrivate bool
DefaultAllowCreateOrganization bool
DefaultAllowCreateDevcontainer bool
DefaultAllowCreateActRunner bool
DefaultUserIsRestricted bool
EnableTimetracking bool
DefaultEnableTimetracking bool
@@ -207,8 +205,6 @@ func loadServiceFrom(rootCfg ConfigProvider) {
Service.McaptchaSitekey = sec.Key("MCAPTCHA_SITEKEY").MustString("")
Service.DefaultKeepEmailPrivate = sec.Key("DEFAULT_KEEP_EMAIL_PRIVATE").MustBool()
Service.DefaultAllowCreateOrganization = sec.Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").MustBool(true)
Service.DefaultAllowCreateDevcontainer = sec.Key("DEFAULT_ALLOW_CREATE_DEVCONTAINER").MustBool(true)
Service.DefaultAllowCreateActRunner = sec.Key("DEFAULT_ALLOW_CREATE_ACTRUNNER").MustBool(false)
Service.DefaultUserIsRestricted = sec.Key("DEFAULT_USER_IS_RESTRICTED").MustBool(false)
Service.EnableTimetracking = sec.Key("ENABLE_TIMETRACKING").MustBool(true)
if Service.EnableTimetracking {

1
modules/structs/admin_user.go
repo.diff.view_file

@@ -55,7 +55,6 @@ type EditUserOption struct {
ProhibitLogin *bool `json:"prohibit_login"`
AllowCreateOrganization *bool `json:"allow_create_organization"`
AllowCreateDevcontainer *bool `json:"allow_create_devcontainer"`
AllowCreateActRunner *bool `json:"allow_create_actrunner"`
Restricted *bool `json:"restricted"`
Visibility string `json:"visibility" binding:"In(,public,limited,private)"`
}

30
options/locale/locale_en-US.ini
repo.diff.view_file

@@ -362,11 +362,7 @@ invalid_log_root_path = The log path is invalid: %v
default_keep_email_private = Hide Email Addresses by Default
default_keep_email_private_popup = Hide email addresses of new user accounts by default.
default_allow_create_organization = Allow Creation of Organizations by Default
default_allow_create_devcontainer = Allow Creation of DevContainers by Default
default_allow_create_actrunner = Allow Creation of ActionRunners by Default
default_allow_create_organization_popup = Allow new user accounts to create organizations by default.
default_allow_create_devcontainer_popup = Allow new user accounts to create devcontainers by default.
default_allow_create_actrunner_popup = Allow new user accounts to create ActionRunner by default.
default_enable_timetracking = Enable Time Tracking by Default
default_enable_timetracking_popup = Enable time tracking for new repositories by default.
no_reply_address = Hidden Email Domain
@@ -3164,7 +3160,6 @@ users.allow_git_hook_tooltip = Git Hooks are executed as the OS user running Git
users.allow_import_local = May Import Local Repositories
users.allow_create_organization = May Create Organizations
users.allow_create_devcontainer= May Create Devcontainers
users.allow_create_actrunner= May Create ActRunners
users.update_profile = Update User Account
users.delete_account = Delete User Account
users.cannot_delete_self = "You cannot delete yourself"
@@ -3425,7 +3420,6 @@ config.active_code_lives = Active Code Lives
config.reset_password_code_lives = Recover Account Code Expiry Time
config.default_keep_email_private = Hide Email Addresses by Default
config.default_allow_create_organization = Allow Creation of Organizations by Default
config.default_allow_create_devcontainer = Allow Creation of Dev Containers by Default
config.enable_timetracking = Enable Time Tracking
config.default_enable_timetracking = Enable Time Tracking by Default
config.default_allow_only_contributors_to_track_time = Let Only Contributors Track Time
@@ -3980,30 +3974,6 @@ variables.update.success = The variable has been edited.
logs.always_auto_scroll = Always auto scroll logs
logs.always_expand_running = Always expand running logs
debug_workflow = Debug Workflow
debug_workflow.title = Debug Workflow Online
debug_workflow.description = Input a custom GitHub Actions workflow YAML script to quickly test and debug workflows.
debug_workflow.yaml_content = Workflow YAML Content
debug_workflow.yaml_help = Enter the complete workflow script, including name, on, jobs and other configurations.
debug_workflow.validate = Validate
debug_workflow.run = Run Debug Workflow
debug_workflow.running = Running
debug_workflow.empty_content = Workflow content cannot be empty
debug_workflow.no_jobs = No jobs defined in the workflow
debug_workflow.valid = Workflow validation passed
debug_workflow.run_error = Error running workflow
debug_workflow.output = Execution Output
debug_workflow.status = Status
debug_workflow.run_id = Run ID
debug_workflow.created = Created
debug_workflow.logs = Execution Logs
debug_workflow.loading = Loading...
debug_workflow.copy_logs = Copy Logs
debug_workflow.download_logs = Download Logs
debug_workflow.copy_success = Logs copied to clipboard
debug_workflow.workflow_used = Workflow Script Used
debug_workflow.recent_runs = Recent Debug Runs
[projects]
deleted.display_name = Deleted Project
type-1.display_name = Individual Project

31
options/locale/locale_zh-CN.ini
repo.diff.view_file

@@ -357,11 +357,7 @@ invalid_log_root_path=日志路径无效: %v
default_keep_email_private=默认情况下隐藏邮箱地址
default_keep_email_private_popup=默认情况下,隐藏新用户帐户的邮箱地址。
default_allow_create_organization=默认情况下允许创建组织
default_allow_create_devcontainer=默认情况下允许创建容器
default_allow_create_actrunner=默认情况下允许创建工作流运行器
default_allow_create_organization_popup=默认情况下, 允许新用户帐户创建组织。
default_allow_create_devcontainer_popup=默认情况下, 允许新用户帐户创建容器。
default_allow_create_actrunner_popup=默认情况下, 允许新用户帐户创建工作流运行器。
default_enable_timetracking=默认情况下启用时间跟踪
default_enable_timetracking_popup=默认情况下启用新仓库的时间跟踪。
no_reply_address=隐藏邮件域
@@ -3154,7 +3150,6 @@ users.allow_git_hook_tooltip=Git 钩子将会以操作系统用户运行,拥
users.allow_import_local=允许导入本地仓库
users.allow_create_organization=允许创建组织
users.allow_create_devcontainer=允许创建开发容器
users.allow_create_actrunner=允许创建工作流运行器
users.update_profile=更新帐户
users.delete_account=删除帐户
users.cannot_delete_self=您不能删除自己
@@ -3413,8 +3408,6 @@ config.active_code_lives=激活用户链接有效期
config.reset_password_code_lives=恢复账户验证码过期时间
config.default_keep_email_private=默认隐藏邮箱地址
config.default_allow_create_organization=默认情况下允许创建组织
config.default_allow_create_devcontainer=默认情况下允许创建 DevContainer
config.default_allow_create_actrunner=默认情况下允许创建 ActRunner
config.enable_timetracking=启用时间跟踪
config.default_enable_timetracking=默认情况下启用时间跟踪
config.default_allow_only_contributors_to_track_time=仅允许成员跟踪时间
@@ -3969,30 +3962,6 @@ variables.update.success=变量已编辑。
logs.always_auto_scroll=总是自动滚动日志
logs.always_expand_running=总是展开运行日志
debug_workflow=调试工作流
debug_workflow.title=在线调试工作流
debug_workflow.description=输入自定义的 GitHub Actions 工作流 YAML 脚本,快速测试和调试工作流。
debug_workflow.yaml_content=工作流 YAML 内容
debug_workflow.yaml_help=输入完整的工作流脚本,包括 name、on、jobs 等配置。
debug_workflow.validate=验证
debug_workflow.run=运行调试工作流
debug_workflow.running=运行中
debug_workflow.empty_content=工作流内容不能为空
debug_workflow.no_jobs=工作流中没有定义任何 jobs
debug_workflow.valid=工作流验证通过
debug_workflow.run_error=运行工作流出错
debug_workflow.output=执行输出
debug_workflow.status=状态
debug_workflow.run_id=运行 ID
debug_workflow.created=创建时间
debug_workflow.logs=执行日志
debug_workflow.loading=加载中...
debug_workflow.copy_logs=复制日志
debug_workflow.download_logs=下载日志
debug_workflow.copy_success=日志已复制到剪贴板
debug_workflow.workflow_used=使用的工作流脚本
debug_workflow.recent_runs=最近的调试运行
[projects]
deleted.display_name=已删除项目
type-1.display_name=个人项目

15
public/assets/install.sh
repo.diff.view_file

@@ -86,12 +86,12 @@ function install {
sudo docker pull devstar.cn/devstar/$IMAGE_NAME:$VERSION
IMAGE_REGISTRY_USER=devstar.cn/devstar
fi
if sudo docker pull mengning997/webterminal:latest; then
sudo docker tag mengning997/webterminal:latest devstar.cn/devstar/webterminal:latest
success "Successfully pulled mengning997/webterminal:latest renamed to devstar.cn/devstar/webterminal:latest"
if sudo docker pull devstar.cn/devstar/webterminal:latest; then
success "Successfully pulled devstar.cn/devstar/webterminal:latest"
else
sudo docker pull devstar.cn/devstar/webterminal:latest
success "Successfully pulled devstar.cn/devstar/webterminal:latest"
sudo docker pull mengning997/webterminal:latest
success "Successfully pulled mengning997/webterminal:latest renamed to devstar.cn/devstar/webterminal:latest"
sudo docker tag mengning997/webterminal:latest devstar.cn/devstar/webterminal:latest
fi
}
@@ -137,10 +137,7 @@ function stop {
fi
if [ $(docker ps -a --filter "name=^/devstar-studio$" -q | wc -l) -gt 0 ]; then
sudo docker stop devstar-studio && sudo docker rm -f devstar-studio
fi
if [ $(docker ps -a --filter "name=^/webterminal-" -q | wc -l) -gt 0 ]; then
sudo docker stop $(docker ps -a --filter "name=^/webterminal-" -q) && sudo docker rm -f $(docker ps -a --filter "name=^/webterminal-" -q)
fi
fi
}
# Function to logs

1
routers/api/v1/admin/user.go
repo.diff.view_file

@@ -246,7 +246,6 @@ func EditUser(ctx *context.APIContext) {
MaxRepoCreation: optional.FromPtr(form.MaxRepoCreation),
AllowCreateOrganization: optional.FromPtr(form.AllowCreateOrganization),
AllowCreateDevcontainer: optional.FromPtr(form.AllowCreateDevcontainer),
AllowCreateActRunner: optional.FromPtr(form.AllowCreateActRunner),
IsRestricted: optional.FromPtr(form.Restricted),
}

5
routers/api/v1/api.go
repo.diff.view_file

@@ -1205,11 +1205,6 @@ func Routes() *web.Router {
m.Post("/{workflow_id}/dispatches", reqRepoWriter(unit.TypeActions), bind(api.CreateActionWorkflowDispatch{}), repo.ActionsDispatchWorkflow)
}, context.ReferencesGitRepo(), reqToken(), reqRepoReader(unit.TypeActions))
m.Group("/actions/debug-workflow", func() {
m.Post("", reqRepoWriter(unit.TypeActions), bind(actions.DebugWorkflowOptions{}), repo.DebugWorkflow)
m.Get("/{run_id}", reqRepoWriter(unit.TypeActions), repo.GetDebugWorkflowOutput)
}, context.ReferencesGitRepo(), reqToken())
m.Group("/actions/jobs", func() {
m.Get("/{job_id}", repo.GetWorkflowJob)
m.Get("/{job_id}/logs", repo.DownloadActionsRunJobLogs)

129
routers/api/v1/repo/actions_debug.go
repo.diff.view_file

@@ -1,129 +0,0 @@
// Copyright 2025 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package repo
import (
"net/http"
"code.gitea.io/gitea/models/unit"
"code.gitea.io/gitea/modules/gitrepo"
"code.gitea.io/gitea/modules/web"
actions_service "code.gitea.io/gitea/services/actions"
"code.gitea.io/gitea/services/context"
)
// DebugWorkflow 调试工作流API端点
// POST /repos/{owner}/{repo}/actions/debug-workflow
func DebugWorkflow(ctx *context.APIContext) {
// swagger:operation POST /repos/{owner}/{repo}/actions/debug-workflow repo repoDebugWorkflow
// ---
// summary: Debug a workflow with custom content
// description: Execute a workflow with custom YAML content for debugging purposes
// parameters:
// - name: owner
// in: path
// description: owner of the repo
// type: string
// required: true
// - name: repo
// in: path
// description: name of the repo
// type: string
// required: true
// - name: body
// in: body
// required: true
// schema:
// type: object
// properties:
// workflow_content:
// type: string
// description: The YAML content of the workflow
// ref:
// type: string
// description: Git branch/tag reference (defaults to default branch)
// inputs:
// type: object
// description: Optional input parameters
// responses:
// "201":
// description: Workflow run created successfully
// "400":
// "$ref": "#/responses/error"
// "403":
// "$ref": "#/responses/forbidden"
// 权限检查 - 需要 Actions 单元写权限
if !ctx.Repo.CanWrite(unit.TypeActions) {
ctx.APIError(http.StatusForbidden, "must have write permission")
return
}
opts := web.GetForm(ctx).(*actions_service.DebugWorkflowOptions)
// 打开git仓库
gitRepo, err := gitrepo.OpenRepository(ctx, ctx.Repo.Repository)
if err != nil {
ctx.APIErrorInternal(err)
return
}
defer gitRepo.Close()
// 执行调试工作流
run, err := actions_service.DebugActionWorkflow(ctx, ctx.Doer, ctx.Repo.Repository, gitRepo, opts)
if err != nil {
ctx.APIError(http.StatusBadRequest, err)
return
}
ctx.JSON(http.StatusCreated, run)
}
// GetDebugWorkflowOutput 获取调试工作流的完整输出
// GET /repos/{owner}/{repo}/actions/debug-workflow/{run_id}
func GetDebugWorkflowOutput(ctx *context.APIContext) {
// swagger:operation GET /repos/{owner}/{repo}/actions/debug-workflow/{run_id} repo repoGetDebugWorkflowOutput
// ---
// summary: Get debug workflow output
// description: Retrieve the workflow execution output for debugging
// parameters:
// - name: owner
// in: path
// description: owner of the repo
// type: string
// required: true
// - name: repo
// in: path
// description: name of the repo
// type: string
// required: true
// - name: run_id
// in: path
// description: run id
// type: integer
// required: true
// responses:
// "200":
// description: Debug workflow details
// "403":
// "$ref": "#/responses/forbidden"
// "404":
// "$ref": "#/responses/notFound"
// 权限检查
if !ctx.Repo.CanWrite(unit.TypeActions) {
ctx.APIError(http.StatusForbidden, "must have write permission")
return
}
runID := ctx.PathParamInt64("run_id")
run, err := actions_service.GetDebugWorkflowRun(ctx, ctx.Repo.Repository.ID, runID)
if err != nil {
ctx.APIError(http.StatusNotFound, err)
return
}
ctx.JSON(http.StatusOK, run)
}

4
routers/install/install.go
repo.diff.view_file

@@ -155,8 +155,6 @@ func Install(ctx *context.Context) {
form.RequireSignInView = setting.Service.RequireSignInViewStrict
form.DefaultKeepEmailPrivate = setting.Service.DefaultKeepEmailPrivate
form.DefaultAllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization
form.DefaultAllowCreateDevcontainer = setting.Service.DefaultAllowCreateDevcontainer
form.DefaultAllowCreateActRunner = setting.Service.DefaultAllowCreateActRunner
form.DefaultEnableTimetracking = setting.Service.DefaultEnableTimetracking
form.NoReplyAddress = setting.Service.NoReplyAddress
form.PasswordAlgorithm = hash.ConfigHashAlgorithm(setting.PasswordHashAlgo)
@@ -492,8 +490,6 @@ func SubmitInstall(ctx *context.Context) {
cfg.Section("service").Key("REQUIRE_SIGNIN_VIEW").SetValue(strconv.FormatBool(form.RequireSignInView))
cfg.Section("service").Key("DEFAULT_KEEP_EMAIL_PRIVATE").SetValue(strconv.FormatBool(form.DefaultKeepEmailPrivate))
cfg.Section("service").Key("DEFAULT_ALLOW_CREATE_ORGANIZATION").SetValue(strconv.FormatBool(form.DefaultAllowCreateOrganization))
cfg.Section("service").Key("DEFAULT_ALLOW_CREATE_DEVCONTAINER").SetValue(strconv.FormatBool(form.DefaultAllowCreateDevcontainer))
cfg.Section("service").Key("DEFAULT_ALLOW_CREATE_ACTRUNNER").SetValue(strconv.FormatBool(form.DefaultAllowCreateActRunner))
cfg.Section("service").Key("DEFAULT_ENABLE_TIMETRACKING").SetValue(strconv.FormatBool(form.DefaultEnableTimetracking))
cfg.Section("service").Key("NO_REPLY_ADDRESS").SetValue(form.NoReplyAddress)
cfg.Section("cron.update_checker").Key("ENABLED").SetValue(strconv.FormatBool(form.EnableUpdateChecker))

2
routers/web/admin/users.go
repo.diff.view_file

@@ -437,7 +437,6 @@ func EditUserPost(ctx *context.Context) {
MaxRepoCreation: optional.Some(form.MaxRepoCreation),
AllowCreateOrganization: optional.Some(form.AllowCreateOrganization),
AllowCreateDevcontainer: optional.Some(form.AllowCreateDevcontainer),
AllowCreateActRunner: optional.Some(form.AllowCreateActRunner),
IsRestricted: optional.Some(form.Restricted),
Visibility: optional.Some(form.Visibility),
Language: optional.Some(form.Language),
@@ -451,6 +450,7 @@ func EditUserPost(ctx *context.Context) {
}
return
}
log.Trace("Account profile updated by admin (%s): %s", ctx.Doer.Name, u.Name)
if form.Reset2FA {
tf, err := auth.GetTwoFactorByUID(ctx, u.ID)

61
routers/web/devcontainer/devcontainer.go
repo.diff.view_file

@@ -55,22 +55,21 @@ func GetDevContainerDetails(ctx *context.Context) {
ctx.Data["ValidateDevContainerConfiguration"] = false
}
ctx.Data["HasDevContainerDockerfile"], ctx.Data["DockerfilePath"], err = devcontainer_service.HasDevContainerDockerFile(ctx, ctx.Repo)
ctx.Data["HasDevContainerDockerfile"], err = devcontainer_service.HasDevContainerDockerFile(ctx, ctx.Repo)
if err != nil {
log.Info(err.Error())
ctx.Flash.Error(err.Error(), true)
}
if ctx.Data["HasDevContainer"] == true {
if ctx.Data["HasDevContainerConfiguration"] == true {
configurationString, _ := devcontainer_service.GetDevcontainerConfigurationString(ctx, ctx.Repo.Repository)
configurationModel, _ := devcontainer_service.UnmarshalDevcontainerConfigContent(configurationString)
imageName := configurationModel.Image
registry, namespace, repo, tag := devcontainer_service.ParseImageName(imageName)
log.Info("%v %v", repo, tag)
ctx.Data["RepositoryAddress"] = registry
ctx.Data["RepositoryUsername"] = namespace
ctx.Data["ImageName"] = "dev-" + ctx.Repo.Repository.Name + ":latest"
}
configurationString, _ := devcontainer_service.GetDevcontainerConfigurationString(ctx, ctx.Repo.Repository)
configurationModel, _ := devcontainer_service.UnmarshalDevcontainerConfigContent(configurationString)
imageName := configurationModel.Image
registry, namespace, repo, tag := devcontainer_service.ParseImageName(imageName)
log.Info("%v %v", repo, tag)
ctx.Data["RepositoryAddress"] = registry
ctx.Data["RepositoryUsername"] = namespace
ctx.Data["ImageName"] = "dev-" + ctx.Repo.Repository.Name + ":latest"
if cfg.Section("k8s").Key("ENABLE").Value() == "true" {
// 获取WebSSH服务端口
webTerminalURL, err := devcontainer_service.GetWebTerminalURL(ctx, ctx.Doer.ID, ctx.Repo.Repository.ID)
@@ -112,6 +111,7 @@ func GetDevContainerDetails(ctx *context.Context) {
}
ctx.Redirect(path.Join(ctx.Repo.RepoLink, "/devcontainer"))
} else {
rootPort, err := devcontainer_service.GetPortFromURL(cfg.Section("server").Key("ROOT_URL").Value())
if err != nil {
ctx.Flash.Error(err.Error(), true)
@@ -136,6 +136,7 @@ func GetDevContainerDetails(ctx *context.Context) {
}
ctx.Data["WebSSHUrl"] = webTerminalURL + "?type=docker&" + terminalParams
}
}
terminalURL, err := devcontainer_service.Get_IDE_TerminalURL(ctx, ctx.Doer, ctx.Repo)
if err == nil {
@@ -144,6 +145,7 @@ func GetDevContainerDetails(ctx *context.Context) {
ctx.Data["WindsurfUrl"] = "windsurf" + terminalURL
}
}
// 3. 携带数据渲染页面,返回
ctx.Data["Title"] = ctx.Locale.Tr("repo.dev_container")
ctx.Data["PageIsDevContainer"] = true
@@ -298,7 +300,7 @@ func UpdateDevContainer(ctx *context.Context) {
ctx.JSON(http.StatusOK, map[string]string{"message": err.Error()})
return
}
err = devcontainer_service.UpdateDevContainer(ctx, ctx.Doer, ctx.Repo, &updateInfo)
err = devcontainer_service.UpdateDevContainer(ctx, ctx.Doer, ctx.Repo.Repository, &updateInfo)
if err != nil {
ctx.JSON(http.StatusOK, map[string]string{"message": err.Error()})
return
@@ -316,43 +318,18 @@ func GetTerminalCommand(ctx *context.Context) {
log.Info(err.Error())
status = "error"
}
ctx.JSON(http.StatusOK, map[string]string{"command": cmd, "status": status, "workdir": "/workspace/" + ctx.Repo.Repository.Name})
ctx.JSON(http.StatusOK, map[string]string{"command": cmd, "status": status})
}
func GetDevContainerOutput(ctx *context.Context) {
// 设置 CORS 响应头
ctx.Resp.Header().Set("Access-Control-Allow-Origin", "*")
ctx.Resp.Header().Set("Access-Control-Allow-Methods", "*")
ctx.Resp.Header().Set("Access-Control-Allow-Headers", "*")
query := ctx.Req.URL.Query()
output, err := devcontainer_service.GetDevContainerOutput(ctx, query.Get("user"), ctx.Repo.Repository)
output, err := devcontainer_service.GetDevContainerOutput(ctx, ctx.Doer, ctx.Repo.Repository)
if err != nil {
log.Info(err.Error())
}
ctx.JSON(http.StatusOK, map[string]string{"output": output})
}
func SaveDevContainerOutput(ctx *context.Context) {
// 设置 CORS 响应头
ctx.Resp.Header().Set("Access-Control-Allow-Origin", "*")
ctx.Resp.Header().Set("Access-Control-Allow-Methods", "*")
ctx.Resp.Header().Set("Access-Control-Allow-Headers", "*")
// 处理 OPTIONS 预检请求
if ctx.Req.Method == "OPTIONS" {
ctx.JSON(http.StatusOK, "")
return
}
query := ctx.Req.URL.Query()
// 从请求体中读取输出内容
body, err := io.ReadAll(ctx.Req.Body)
if err != nil {
log.Error("Failed to read request body: %v", err)
ctx.JSON(http.StatusBadRequest, map[string]string{"error": "Failed to read request body"})
return
}
err = devcontainer_service.SaveDevContainerOutput(ctx, query.Get("user"), ctx.Repo.Repository, string(body))
if err != nil {
log.Info(err.Error())
}
ctx.JSON(http.StatusOK, "")
ctx.JSON(http.StatusOK, output)
}

8
routers/web/repo/actions/actions.go
repo.diff.view_file

@@ -429,11 +429,3 @@ func decodeNode(node yaml.Node, out any) bool {
}
return true
}
// DebugWorkflow 显示调试工作流界面
func DebugWorkflow(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("actions.debug_workflow")
ctx.Data["PageIsActions"] = true
ctx.Data["DefaultBranch"] = ctx.Repo.Repository.DefaultBranch
ctx.HTML(http.StatusOK, "repo/actions/debug_workflow")
}

19
routers/web/repo/editor.go
repo.diff.view_file

@@ -11,7 +11,6 @@ import (
"path"
"strings"
"code.gitea.io/gitea/models/db"
git_model "code.gitea.io/gitea/models/git"
"code.gitea.io/gitea/models/issues"
"code.gitea.io/gitea/models/unit"
@@ -26,7 +25,6 @@ import (
"code.gitea.io/gitea/modules/web"
"code.gitea.io/gitea/services/context"
"code.gitea.io/gitea/services/context/upload"
devcontainer_service "code.gitea.io/gitea/services/devcontainer"
"code.gitea.io/gitea/services/forms"
files_service "code.gitea.io/gitea/services/repository/files"
)
@@ -413,23 +411,6 @@ func DeleteFilePost(ctx *context.Context) {
editorHandleFileOperationError(ctx, parsed.NewBranchName, err)
return
}
log.Info("File deleted: %s", treePath)
if treePath == `.devcontainer/devcontainer.json` {
var userIds []int64
err = db.GetEngine(ctx).
Table("devcontainer").
Select("user_id").
Where("repo_id = ?", ctx.Repo.Repository.ID).
Find(&userIds)
if err != nil {
ctx.ServerError("GetEngine", err)
return
}
for _, userId := range userIds {
devcontainer_service.DeleteDevContainer(ctx, userId, ctx.Repo.Repository.ID)
}
}
ctx.Flash.Success(ctx.Tr("repo.editor.file_delete_success", treePath))
redirectTreePath := getClosestParentWithFiles(ctx.Repo.GitRepo, parsed.NewBranchName, treePath)

4
routers/web/web.go
repo.diff.view_file

@@ -1434,14 +1434,13 @@ func registerWebRoutes(m *web.Router) {
m.Get("/status", devcontainer_web.GetDevContainerStatus)
m.Get("/command", devcontainer_web.GetTerminalCommand)
m.Get("/output", devcontainer_web.GetDevContainerOutput)
m.Methods("POST, OPTIONS", "/output", devcontainer_web.SaveDevContainerOutput)
},
// 解析仓库信息
// 具有code读取权限
context.RepoAssignment, reqUnitCodeReader,
)
m.Get("/devstar-home", devcontainer_web.VscodeHome) // 旧地址,保留兼容性
m.Get("/vscode-home", devcontainer_web.VscodeHome)
m.Get("/vscode-home", devcontainer_web.VscodeHome)
m.Group("/api/devcontainer", func() {
// 获取 某用户在某仓库中的 DevContainer 细节包括SSH连接信息默认不会等待 (wait = false)
// 请求方式: GET /api/devcontainer?repoId=${repoId}&wait=true // 无需传入 userId直接从 token 中提取
@@ -1539,7 +1538,6 @@ func registerWebRoutes(m *web.Router) {
m.Group("/{username}/{reponame}/actions", func() {
m.Get("", actions.List)
m.Get("/debug-workflow", reqRepoActionsWriter, actions.DebugWorkflow)
m.Post("/disable", reqRepoAdmin, actions.DisableWorkflowFile)
m.Post("/enable", reqRepoAdmin, actions.EnableWorkflowFile)
m.Post("/run", reqRepoActionsWriter, actions.Run)

146
services/actions/debug_workflow.go
repo.diff.view_file

@@ -1,146 +0,0 @@
// Copyright 2025 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package actions
import (
"fmt"
"strings"
actions_model "code.gitea.io/gitea/models/actions"
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/models/perm"
access_model "code.gitea.io/gitea/models/perm/access"
repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/reqctx"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/services/convert"
"github.com/nektos/act/pkg/jobparser"
)
// DebugWorkflowOptions 调试工作流的选项
type DebugWorkflowOptions struct {
WorkflowContent string `json:"workflow_content"`
Ref string `json:"ref"`
Inputs map[string]string `json:"inputs"`
}
// DebugActionWorkflow 执行调试工作流
func DebugActionWorkflow(ctx reqctx.RequestContext, doer *user_model.User, repo *repo_model.Repository, gitRepo *git.Repository, opts *DebugWorkflowOptions) (*actions_model.ActionRun, error) {
if opts == nil || opts.WorkflowContent == "" {
return nil, fmt.Errorf("workflow content is empty")
}
if opts.Ref == "" {
opts.Ref = repo.DefaultBranch
}
// 验证工作流内容
if err := validateWorkflowContent(opts.WorkflowContent); err != nil {
return nil, fmt.Errorf("invalid workflow content: %w", err)
}
// 获取目标提交
refName := git.RefName(opts.Ref)
var runTargetCommit *git.Commit
var err error
if refName.IsTag() {
runTargetCommit, err = gitRepo.GetTagCommit(refName.TagName())
} else if refName.IsBranch() {
runTargetCommit, err = gitRepo.GetBranchCommit(refName.BranchName())
} else {
runTargetCommit, err = gitRepo.GetCommit(opts.Ref)
}
if err != nil {
return nil, fmt.Errorf("get target commit: %w", err)
}
// 创建临时工作流运行记录
run := &actions_model.ActionRun{
Title: "[DEBUG] " + strings.SplitN(runTargetCommit.CommitMessage, "\n", 2)[0],
RepoID: repo.ID,
Repo: repo,
OwnerID: repo.OwnerID,
WorkflowID: "debug-workflow.yml",
TriggerUserID: doer.ID,
TriggerUser: doer,
Ref: string(refName),
CommitSHA: runTargetCommit.ID.String(),
IsForkPullRequest: false,
Event: "workflow_dispatch",
TriggerEvent: "workflow_dispatch",
Status: actions_model.StatusWaiting,
}
// 验证工作流内容并获取任务信息
giteaCtx := GenerateGiteaContext(run, nil)
workflows, err := jobparser.Parse([]byte(opts.WorkflowContent), jobparser.WithGitContext(giteaCtx.ToGitHubContext()))
if err != nil {
return nil, fmt.Errorf("parse workflow: %w", err)
}
if len(workflows) == 0 {
return nil, fmt.Errorf("no jobs found in workflow")
}
// 如果工作流定义了名称,使用它
if len(workflows) > 0 && workflows[0].RunName != "" {
run.Title = "[DEBUG] " + workflows[0].RunName
}
// 创建事件负载
inputsAny := make(map[string]any)
for k, v := range opts.Inputs {
inputsAny[k] = v
}
workflowDispatchPayload := &api.WorkflowDispatchPayload{
Workflow: run.WorkflowID,
Ref: opts.Ref,
Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeNone}),
Inputs: inputsAny,
Sender: convert.ToUserWithAccessMode(ctx, doer, perm.AccessModeNone),
}
eventPayload, err := workflowDispatchPayload.JSONPayload()
if err != nil {
return nil, fmt.Errorf("marshal event payload: %w", err)
}
run.EventPayload = string(eventPayload)
// 插入数据库
if err := db.Insert(ctx, run); err != nil {
return nil, fmt.Errorf("insert action run: %w", err)
}
log.Trace("Debug workflow created for run %d", run.ID)
return run, nil
}
// validateWorkflowContent 验证工作流内容
func validateWorkflowContent(content string) error {
_, err := jobparser.Parse([]byte(content))
return err
}
// GetDebugWorkflowRun 获取调试工作流运行详情
func GetDebugWorkflowRun(ctx reqctx.RequestContext, repoID, runID int64) (*actions_model.ActionRun, error) {
run, err := actions_model.GetRunByRepoAndID(ctx, repoID, runID)
if err != nil {
return nil, fmt.Errorf("get run: %w", err)
}
// 检查这是否是调试工作流
if run.WorkflowID != "debug-workflow.yml" {
return nil, fmt.Errorf("not a debug workflow")
}
return run, nil
}

3
services/context/repo.go
repo.diff.view_file

@@ -399,8 +399,6 @@ func repoAssignment(ctx *Context, repo *repo_model.Repository) {
ctx.Data["Permission"] = &ctx.Repo.Permission
if ctx.Doer != nil {
ctx.Data["AllowCreateDevcontainer"] = ctx.Doer.AllowCreateDevcontainer
ctx.Data["AllowCreateActRunner"] = ctx.Doer.AllowCreateActRunner
} else {
query := ctx.Req.URL.Query()
userID := query.Get("user")
@@ -418,7 +416,6 @@ func repoAssignment(ctx *Context, repo *repo_model.Repository) {
return
}
ctx.Data["AllowCreateDevcontainer"] = u.AllowCreateDevcontainer
ctx.Data["AllowCreateActRunner"] = u.AllowCreateActRunner
}
if repo.IsMirror {

256
services/devcontainer/devcontainer.go
repo.diff.view_file

@@ -6,6 +6,8 @@ import (
"context"
"fmt"
"math"
"net"
"net/url"
"regexp"
"strconv"
"strings"
@@ -68,21 +70,21 @@ func HasDevContainerConfiguration(ctx context.Context, repo *gitea_context.Repos
return true, nil
}
}
func HasDevContainerDockerFile(ctx context.Context, repo *gitea_context.Repository) (bool, string, error) {
func HasDevContainerDockerFile(ctx context.Context, repo *gitea_context.Repository) (bool, error) {
_, err := FileExists(".devcontainer/devcontainer.json", repo)
if err != nil {
if git.IsErrNotExist(err) {
return false, "", nil
return false, nil
}
return false, "", err
return false, err
}
configurationString, err := GetDevcontainerConfigurationString(ctx, repo.Repository)
if err != nil {
return false, "", err
return false, err
}
configurationModel, err := UnmarshalDevcontainerConfigContent(configurationString)
if err != nil {
return false, "", err
return false, err
}
// 执行验证
if errs := configurationModel.Validate(); len(errs) > 0 {
@@ -90,34 +92,20 @@ func HasDevContainerDockerFile(ctx context.Context, repo *gitea_context.Reposito
for _, err := range errs {
fmt.Printf(" - %s\n", err.Error())
}
return false, "", fmt.Errorf("配置格式错误")
return false, fmt.Errorf("配置格式错误")
} else {
log.Info("%v", configurationModel)
if configurationModel.Build == nil || configurationModel.Build.Dockerfile == "" {
_, err := FileExists(".devcontainer/Dockerfile", repo)
if err != nil {
if git.IsErrNotExist(err) {
return false, "", nil
}
return false, "", err
}
return true, ".devcontainer/Dockerfile", nil
return false, nil
}
_, err := FileExists(".devcontainer/"+configurationModel.Build.Dockerfile, repo)
if err != nil {
if git.IsErrNotExist(err) {
_, err := FileExists(".devcontainer/Dockerfile", repo)
if err != nil {
if git.IsErrNotExist(err) {
return false, "", nil
}
return false, "", err
}
return true, ".devcontainer/Dockerfile", nil
return false, nil
}
return false, "", err
return false, err
}
return true, ".devcontainer/" + configurationModel.Build.Dockerfile, nil
return true, nil
}
}
func CreateDevcontainerConfiguration(repo *repo.Repository, doer *user.User) error {
@@ -447,7 +435,7 @@ func StopDevContainer(ctx context.Context, userID, repoID int64) error {
return nil
}
func UpdateDevContainer(ctx context.Context, doer *user.User, repo *gitea_context.Repository, updateInfo *UpdateInfo) error {
func UpdateDevContainer(ctx context.Context, doer *user.User, repo *repo.Repository, updateInfo *UpdateInfo) error {
dbEngine := db.GetEngine(ctx)
var devContainerInfo devcontainer_models.Devcontainer
cfg, err := setting.NewConfigProviderFromFile(setting.CustomConf)
@@ -457,24 +445,25 @@ func UpdateDevContainer(ctx context.Context, doer *user.User, repo *gitea_contex
_, err = dbEngine.
Table("devcontainer").
Select("*").
Where("user_id = ? AND repo_id = ?", doer.ID, repo.Repository.ID).
Where("user_id = ? AND repo_id = ?", doer.ID, repo.ID).
Get(&devContainerInfo)
if err != nil {
return err
}
_, err = dbEngine.Table("devcontainer").
Where("user_id = ? AND repo_id = ? ", doer.ID, repo.Repository.ID).
Where("user_id = ? AND repo_id = ? ", doer.ID, repo.ID).
Update(&devcontainer_models.Devcontainer{DevcontainerStatus: 5})
if err != nil {
return err
}
otherCtx := context.Background()
if cfg.Section("k8s").Key("ENABLE").Value() == "true" {
//k8s的逻辑
} else {
updateErr := UpdateDevContainerByDocker(otherCtx, &devContainerInfo, updateInfo, repo, doer)
_, err = dbEngine.Table("devcontainer").
Where("user_id = ? AND repo_id = ? ", doer.ID, repo.Repository.ID).
Where("user_id = ? AND repo_id = ? ", doer.ID, repo.ID).
Update(&devcontainer_models.Devcontainer{DevcontainerStatus: 4})
if err != nil {
return err
@@ -545,72 +534,58 @@ func GetTerminalCommand(ctx context.Context, userID string, repo *repo.Repositor
return "", "", err
}
}
}
break
case 2:
//正在创建容器,创建容器成功,则状态转移
if cfg.Section("k8s").Key("ENABLE").Value() == "true" {
//k8s的逻辑
} else {
exist, _, err := ContainerExists(ctx, devContainerInfo.Name)
status, err := GetDevContainerStatusFromDocker(ctx, devContainerInfo.Name)
if err != nil {
return "", "", err
}
if !exist {
_, err = dbEngine.Table("devcontainer_output").
Select("command").
Where("user_id = ? AND repo_id = ? AND list_id = ?", userID, repo.ID, realTimeStatus).
Get(&cmd)
if err != nil {
return "", "", err
}
} else {
status, err := GetDevContainerStatusFromDocker(ctx, devContainerInfo.Name)
if err != nil {
return "", "", err
}
if status == "created" {
//添加脚本文件
if cfg.Section("k8s").Key("ENABLE").Value() == "true" {
} else {
userNum, err := strconv.ParseInt(userID, 10, 64)
if err != nil {
return "", "", err
}
var scriptContent string
scriptContent, err = GetCommandContent(ctx, userNum, repo)
log.Info("command: %s", scriptContent)
if err != nil {
return "", "", err
}
// 创建 tar 归档文件
var buf bytes.Buffer
tw := tar.NewWriter(&buf)
defer tw.Close()
// 添加文件到 tar 归档
AddFileToTar(tw, "webTerminal.sh", string(scriptContent), 0777)
// 创建 Docker 客户端
cli, err := docker_module.CreateDockerClient(ctx)
if err != nil {
return "", "", err
}
// 获取容器 ID
containerID, err := docker_module.GetContainerID(cli, devContainerInfo.Name)
if err != nil {
return "", "", err
}
err = cli.CopyToContainer(ctx, containerID, "/home", bytes.NewReader(buf.Bytes()), types.CopyToContainerOptions{})
if err != nil {
log.Info("%v", err)
return "", "", err
}
if status == "created" {
//添加脚本文件
if cfg.Section("k8s").Key("ENABLE").Value() == "true" {
} else {
userNum, err := strconv.ParseInt(userID, 10, 64)
if err != nil {
return "", "", err
}
realTimeStatus = 3
var scriptContent string
scriptContent, err = GetCommandContent(ctx, userNum, repo)
log.Info("command: %s", scriptContent)
if err != nil {
return "", "", err
}
// 创建 tar 归档文件
var buf bytes.Buffer
tw := tar.NewWriter(&buf)
defer tw.Close()
// 添加文件到 tar 归档
AddFileToTar(tw, "webTerminal.sh", string(scriptContent), 0777)
// 创建 Docker 客户端
cli, err := docker_module.CreateDockerClient(ctx)
if err != nil {
return "", "", err
}
// 获取容器 ID
containerID, err := docker_module.GetContainerID(cli, devContainerInfo.Name)
if err != nil {
return "", "", err
}
err = cli.CopyToContainer(ctx, containerID, "/home", bytes.NewReader(buf.Bytes()), types.CopyToContainerOptions{})
if err != nil {
log.Info("%v", err)
return "", "", err
}
}
}
realTimeStatus = 3
}
}
break
case 3:
@@ -639,27 +614,6 @@ func GetTerminalCommand(ctx context.Context, userID string, repo *repo.Repositor
if err != nil {
return "", "", err
}
configurationString, err := GetDevcontainerConfigurationString(ctx, repo)
if err != nil {
return "", "", err
}
configurationModel, err := UnmarshalDevcontainerConfigContent(configurationString)
if err != nil {
return "", "", err
}
postAttachCommand := strings.TrimSpace(strings.Join(configurationModel.ParseCommand(configurationModel.PostAttachCommand), "\n"))
if _, ok := configurationModel.PostAttachCommand.(map[string]interface{}); ok {
// 是 map[string]interface{} 类型
cmdObj := configurationModel.PostAttachCommand.(map[string]interface{})
if pathValue, hasPath := cmdObj["path"]; hasPath {
fileCommand, err := GetFileContentByPath(ctx, repo, ".devcontainer/"+pathValue.(string))
if err != nil {
return "", "", err
}
postAttachCommand += "\n" + fileCommand
}
}
cmd += postAttachCommand
}
break
}
@@ -682,59 +636,67 @@ func GetTerminalCommand(ctx context.Context, userID string, repo *repo.Repositor
}
return cmd, fmt.Sprintf("%d", realTimeStatus), nil
}
func GetDevContainerOutput(ctx context.Context, user_id string, repo *repo.Repository) (string, error) {
var devContainerOutput string
func GetDevContainerOutput(ctx context.Context, doer *user.User, repo *repo.Repository) (OutputResponse, error) {
var devContainerOutput []devcontainer_models.DevcontainerOutput
dbEngine := db.GetEngine(ctx)
resp := OutputResponse{}
var status string
var containerName string
_, err := dbEngine.
Table("devcontainer").
Select("devcontainer_status, name").
Where("user_id = ? AND repo_id = ?", doer.ID, repo.ID).
Get(&status, &containerName)
if err != nil {
return resp, err
}
_, err := dbEngine.Table("devcontainer_output").
Select("output").
Where("user_id = ? AND repo_id = ? AND list_id = ?", user_id, repo.ID, 4).
Get(&devContainerOutput)
err = dbEngine.Table("devcontainer_output").
Where("user_id = ? AND repo_id = ?", doer.ID, repo.ID).
Find(&devContainerOutput)
if err != nil {
return "", err
return resp, err
}
if devContainerOutput != "" {
_, err = dbEngine.Table("devcontainer_output").
Where("user_id = ? AND repo_id = ? AND list_id = ?", user_id, repo.ID, 4).
Update(map[string]interface{}{
"output": "",
if len(devContainerOutput) > 0 {
resp.CurrentJob.Title = repo.Name + " Devcontainer Info"
resp.CurrentJob.Detail = status
if status == "4" {
// 获取WebSSH服务端口
webTerminalURL, err := GetWebTerminalURL(ctx, doer.ID, repo.ID)
if err == nil {
return resp, err
}
// 解析URL
u, err := url.Parse(webTerminalURL)
if err != nil {
return resp, err
}
// 分离主机和端口
terminalHost, terminalPort, err := net.SplitHostPort(u.Host)
resp.CurrentJob.IP = terminalHost
resp.CurrentJob.Port = terminalPort
if err != nil {
return resp, err
}
}
for _, item := range devContainerOutput {
logLines := []ViewStepLogLine{}
logLines = append(logLines, ViewStepLogLine{
Index: 1,
Message: item.Output,
})
if err != nil {
return "", err
resp.CurrentJob.Steps = append(resp.CurrentJob.Steps, &ViewJobStep{
Summary: item.Command,
Status: item.Status,
Logs: logLines,
})
}
}
return devContainerOutput, nil
}
func SaveDevContainerOutput(ctx context.Context, user_id string, repo *repo.Repository, newoutput string) error {
var devContainerOutput string
var finalOutput string
dbEngine := db.GetEngine(ctx)
// 从数据库中获取现有的输出内容
_, err := dbEngine.Table("devcontainer_output").
Select("output").
Where("user_id = ? AND repo_id = ? AND list_id = ?", user_id, repo.ID, 4).
Get(&devContainerOutput)
if err != nil {
return err
}
devContainerOutput = strings.TrimSuffix(devContainerOutput, "\r\n")
if newoutput == "\b \b" {
finalOutput = devContainerOutput[:len(devContainerOutput)-1]
} else {
finalOutput = devContainerOutput + newoutput
}
_, err = dbEngine.Table("devcontainer_output").
Where("user_id = ? AND repo_id = ? AND list_id = ?", user_id, repo.ID, 4).
Update(map[string]interface{}{
"output": finalOutput + "\r\n",
})
if err != nil {
return err
}
return nil
return resp, nil
}
func GetMappedPort(ctx context.Context, containerName string, port string) (uint16, error) {
cfg, err := setting.NewConfigProviderFromFile(setting.CustomConf)
@@ -975,6 +937,7 @@ func GetCommandContent(ctx context.Context, userId int64, repo *repo.Repository)
script = append(script, v)
}
scriptCommand := strings.TrimSpace(strings.Join(script, "\n"))
userCommand := scriptCommand + "\n" + onCreateCommand + "\n" + updateCommand + "\n" + postCreateCommand + "\n" + postStartCommand + "\n"
assetFS := templates.AssetFS()
Content_tmpl, err := assetFS.ReadFile("repo/devcontainer/devcontainer_tmpl.sh")
@@ -1026,7 +989,6 @@ func AddPublicKeyToAllRunningDevContainer(ctx context.Context, userId int64, pub
if err != nil {
return err
}
if len(devcontainerList) > 0 {
// 将公钥写入这些打开的容器中
for _, repoDevContainer := range devcontainerList {

90
services/devcontainer/docker_agent.go
repo.diff.view_file

@@ -16,13 +16,10 @@ import (
"code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/user"
docker_module "code.gitea.io/gitea/modules/docker"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
gitea_context "code.gitea.io/gitea/services/context"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/filters"
"github.com/docker/docker/client"
"github.com/docker/docker/errdefs"
"github.com/docker/go-connections/nat"
@@ -132,7 +129,6 @@ func CreateDevContainerByDockerCommand(ctx context.Context, newDevcontainer *dev
if err != nil {
return "", err
}
var imageName = configurationModel.Image
dockerSocket, err := docker_module.GetDockerSocketPath()
if err != nil {
@@ -217,8 +213,7 @@ func CreateDevContainerByDockerCommand(ctx context.Context, newDevcontainer *dev
var envFlags string = ` -e RepoLink="` + strings.TrimSuffix(cfg.Section("server").Key("ROOT_URL").Value(), `/`) + repo.Link() + `" ` +
` -e DevstarHost="` + newDevcontainer.DevcontainerHost + `"` +
` -e WorkSpace="` + newDevcontainer.DevcontainerWorkDir + `/` + repo.Name + `" ` +
` -e DEVCONTAINER_STATUS="start" ` +
` -e WEB_TERMINAL_HELLO="Successfully connected to the devcontainer" `
` -e DEVCONTAINER_STATUS="start" `
// 遍历 ContainerEnv 映射中的每个环境变量
for name, value := range configurationModel.ContainerEnv {
// 将每个环境变量转换为 "-e name=value" 格式
@@ -288,7 +283,7 @@ func CreateDevContainerByDockerCommand(ctx context.Context, newDevcontainer *dev
Status: "waitting",
UserId: newDevcontainer.UserId,
RepoId: newDevcontainer.RepoId,
Command: `docker -H ` + dockerSocket + ` exec -it --workdir ` + newDevcontainer.DevcontainerWorkDir + "/" + repo.Name + ` ` + newDevcontainer.Name + ` sh -c 'echo "$WEB_TERMINAL_HELLO";bash'` + "\n",
Command: `docker -H ` + dockerSocket + ` exec -it --workdir ` + newDevcontainer.DevcontainerWorkDir + "/" + repo.Name + ` ` + newDevcontainer.Name + ` sh -c "echo 'Successfully connected to the container';bash"` + "\n",
ListId: 4,
DevcontainerId: newDevcontainer.Id,
}); err != nil {
@@ -396,16 +391,17 @@ func StopDevContainerByDocker(ctx context.Context, devContainerName string) erro
}
return nil
}
func UpdateDevContainerByDocker(ctx context.Context, devContainerInfo *devcontainer_models.Devcontainer, updateInfo *UpdateInfo, repo *gitea_context.Repository, doer *user.User) error {
func UpdateDevContainerByDocker(ctx context.Context, devContainerInfo *devcontainer_models.Devcontainer, updateInfo *UpdateInfo, repo *repo.Repository, doer *user.User) error {
// 创建docker client
cli, err := docker_module.CreateDockerClient(ctx)
if err != nil {
return err
}
defer cli.Close()
// update容器
imageRef := updateInfo.RepositoryAddress + "/" + updateInfo.RepositoryUsername + "/" + updateInfo.ImageName
configurationString, err := GetDevcontainerConfigurationString(ctx, repo.Repository)
configurationString, err := GetDevcontainerConfigurationString(ctx, repo)
if err != nil {
return err
}
@@ -415,45 +411,16 @@ func UpdateDevContainerByDocker(ctx context.Context, devContainerInfo *devcontai
}
if updateInfo.SaveMethod == "on" {
// 创建构建上下文包含Dockerfile的tar包
var buf bytes.Buffer
tw := tar.NewWriter(&buf)
defer tw.Close()
// 添加Dockerfile到tar包
var dockerfileContent string
dockerfile := "Dockerfile"
if configurationModel.Build == nil || configurationModel.Build.Dockerfile == "" {
_, err := FileExists(".devcontainer/Dockerfile", repo)
if err != nil {
return err
}
dockerfileContent, err = GetFileContentByPath(ctx, repo.Repository, ".devcontainer/Dockerfile")
if err != nil {
return err
}
} else {
_, err := FileExists(".devcontainer/"+configurationModel.Build.Dockerfile, repo)
if err != nil {
if git.IsErrNotExist(err) {
_, err := FileExists(".devcontainer/Dockerfile", repo)
if err != nil {
return err
}
dockerfileContent, err = GetFileContentByPath(ctx, repo.Repository, ".devcontainer/Dockerfile")
if err != nil {
return err
}
}
return err
} else {
dockerfileContent, err = GetFileContentByPath(ctx, repo.Repository, ".devcontainer/"+configurationModel.Build.Dockerfile)
if err != nil {
return err
}
}
dockerfileContent, err := GetFileContentByPath(ctx, repo, ".devcontainer/"+configurationModel.Build.Dockerfile)
if err != nil {
return err
}
content := []byte(dockerfileContent)
header := &tar.Header{
Name: dockerfile,
@@ -501,12 +468,11 @@ func UpdateDevContainerByDocker(ctx context.Context, devContainerInfo *devcontai
if err != nil {
return err
}
// 定义正则表达式来匹配 image 字段
re := regexp.MustCompile(`"image"\s*:\s*"([^"]+)"`)
// 使用正则表达式查找并替换 image 字段的值
newConfiguration := re.ReplaceAllString(configurationString, `"image": "`+imageRef+`"`)
err = UpdateDevcontainerConfiguration(newConfiguration, repo.Repository, doer)
err = UpdateDevcontainerConfiguration(newConfiguration, repo, doer)
if err != nil {
return err
}
@@ -518,6 +484,7 @@ func UpdateDevContainerByDocker(ctx context.Context, devContainerInfo *devcontai
// - bool: 镜像是否存在true=存在false=不存在)
// - error: 非空表示检查过程中发生错误
func ImageExists(ctx context.Context, imageName string) (bool, error) {
// 创建 Docker 客户端
cli, err := docker_module.CreateDockerClient(ctx)
if err != nil {
@@ -552,6 +519,7 @@ func CheckDirExistsFromDocker(ctx context.Context, containerName, dirPath string
AttachStdout: true,
AttachStderr: true,
}
// 创建 exec 实例
execResp, err := cli.ContainerExecCreate(context.Background(), containerID, execConfig)
if err != nil {
@@ -574,7 +542,6 @@ func CheckDirExistsFromDocker(ctx context.Context, containerName, dirPath string
exitCode = resp.ExitCode
return exitCode == 0, nil // 退出码为 0 表示目录存在
}
func CheckFileExistsFromDocker(ctx context.Context, containerName, filePath string) (bool, error) {
// 上下文
// 创建 Docker 客户端
@@ -631,7 +598,7 @@ func RegistWebTerminal(ctx context.Context) error {
// 拉取镜像
err = docker_module.PullImage(ctx, cli, dockerHost, setting.DevContainerConfig.Web_Terminal_Image)
if err != nil {
fmt.Errorf("拉取web_terminal镜像失败:%v", err)
return fmt.Errorf("拉取web_terminal镜像失败:%v", err)
}
timestamp := time.Now().Format("20060102150405")
@@ -665,36 +632,3 @@ func RegistWebTerminal(ctx context.Context) error {
}
return nil
}
// ContainerExists 检查容器是否存在返回存在状态和容器ID如果存在
func ContainerExists(ctx context.Context, containerName string) (bool, string, error) {
cli, err := docker_module.CreateDockerClient(ctx)
if err != nil {
return false, "", err
}
// 设置过滤器,根据容器名称过滤
filter := filters.NewArgs()
filter.Add("name", containerName)
// 获取容器列表,使用过滤器
containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{
All: true, // 包括所有容器(运行的和停止的)
Filters: filter,
})
if err != nil {
return false, "", err
}
// 遍历容器,检查名称是否完全匹配
for _, container := range containers {
for _, name := range container.Names {
// 容器名称在Docker API中是以斜杠开头的例如 "/my-container"
// 所以我们需要检查去掉斜杠后的名称是否匹配
if strings.TrimPrefix(name, "/") == containerName {
return true, container.ID, nil
}
}
}
return false, "", nil
}

5
services/forms/admin.go
repo.diff.view_file

@@ -48,9 +48,8 @@ type AdminEditUserForm struct {
Restricted bool
AllowGitHook bool
AllowImportLocal bool
AllowCreateOrganization bool `form:"allow_create_organization"`
AllowCreateDevcontainer bool `form:"allow_create_devcontainer"`
AllowCreateActRunner bool `form:"allow_create_actrunner"`
AllowCreateOrganization bool
AllowCreateDevcontainer bool
ProhibitLogin bool
Reset2FA bool `form:"reset_2fa"`
Visibility structs.VisibleType

2
services/forms/user_form.go
repo.diff.view_file

@@ -61,8 +61,6 @@ type InstallForm struct {
RequireSignInView bool
DefaultKeepEmailPrivate bool
DefaultAllowCreateOrganization bool
DefaultAllowCreateDevcontainer bool
DefaultAllowCreateActRunner bool
DefaultEnableTimetracking bool
EnableUpdateChecker bool
NoReplyAddress string

1
services/runners/runners.go
repo.diff.view_file

@@ -40,7 +40,6 @@ func checkK8sIsEnable() bool {
func RegistRunner(ctx context.Context, token string) error {
log.Info("开始注册Runner...")
var err error
if checkK8sIsEnable() {
err = registK8sRunner(ctx, token)

6
services/user/update.go
repo.diff.view_file

@@ -52,7 +52,6 @@ type UpdateOptions struct {
DiffViewStyle optional.Option[string]
AllowCreateOrganization optional.Option[bool]
AllowCreateDevcontainer optional.Option[bool]
AllowCreateActRunner optional.Option[bool]
IsActive optional.Option[bool]
IsAdmin optional.Option[UpdateOptionField[bool]]
EmailNotificationsPreference optional.Option[string]
@@ -171,11 +170,6 @@ func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) er
cols = append(cols, "allow_create_devcontainer")
}
if opts.AllowCreateActRunner.Has() {
u.AllowCreateActRunner = opts.AllowCreateActRunner.Value()
cols = append(cols, "allow_create_act_runner")
}
if opts.RepoAdminChangeTeamAccess.Has() {
u.RepoAdminChangeTeamAccess = opts.RepoAdminChangeTeamAccess.Value()

4
templates/admin/config.tmpl
repo.diff.view_file

@@ -153,10 +153,6 @@
<dd>{{svg (Iif .Service.DefaultKeepEmailPrivate "octicon-check" "octicon-x")}}</dd>
<dt>{{ctx.Locale.Tr "admin.config.default_allow_create_organization"}}</dt>
<dd>{{svg (Iif .Service.DefaultAllowCreateOrganization "octicon-check" "octicon-x")}}</dd>
<dt>{{ctx.Locale.Tr "admin.config.default_allow_create_devcontainer"}}</dt>
<dd>{{svg (Iif .Service.DefaultAllowCreateDevcontainer "octicon-check" "octicon-x")}}</dd>
<dt>{{ctx.Locale.Tr "admin.config.default_allow_create_actrunner"}}</dt>
<dd>{{svg (Iif .Service.DefaultAllowCreateActRunner "octicon-check" "octicon-x")}}</dd>
<dt>{{ctx.Locale.Tr "admin.config.enable_timetracking"}}</dt>
<dd>{{svg (Iif .Service.EnableTimetracking "octicon-check" "octicon-x")}}</dd>
{{if .Service.EnableTimetracking}}

7
templates/admin/user/edit.tmpl
repo.diff.view_file

@@ -155,13 +155,6 @@
</div>
</div>
<div class="inline field">
<div class="ui checkbox">
<label><strong>{{ctx.Locale.Tr "admin.users.allow_create_actrunner"}}</strong></label>
<input name="allow_create_actrunner" type="checkbox" {{if .User.AllowCreateActRunner}}checked{{end}}>
</div>
</div>
{{if .TwoFactorEnabled}}
<div class="divider"></div>
<div class="inline field">

12
templates/install.tmpl
repo.diff.view_file

@@ -304,18 +304,6 @@
<input name="default_allow_create_organization" type="checkbox" {{if .default_allow_create_organization}}checked{{end}}>
</div>
</div>
<div class="inline field">
<div class="ui checkbox">
<label data-tooltip-content="{{ctx.Locale.Tr "install.default_allow_create_devcontainer_popup"}}">{{ctx.Locale.Tr "install.default_allow_create_devcontainer"}}</label>
<input name="default_allow_create_devcontainer" type="checkbox" {{if .default_allow_create_devcontainer}}checked{{end}}>
</div>
</div>
<div class="inline field">
<div class="ui checkbox">
<label data-tooltip-content="{{ctx.Locale.Tr "install.default_allow_create_actrunner_popup"}}">{{ctx.Locale.Tr "install.default_allow_create_actrunner"}}</label>
<input name="default_allow_create_actrunner" type="checkbox" {{if .DefaultAllowCreateActRunner}}checked{{end}}>
</div>
</div>
<div class="inline field">
<div class="ui checkbox">
<label data-tooltip-content="{{ctx.Locale.Tr "install.default_enable_timetracking_popup"}}">{{ctx.Locale.Tr "install.default_enable_timetracking"}}</label>

368
templates/repo/actions/debug_workflow.tmpl
repo.diff.view_file

@@ -1,368 +0,0 @@
{{template "base/head" .}}
<div role="main" aria-label="{{.Title}}" class="page-content repository actions">
{{template "repo/header" .}}
<div class="ui container">
{{template "base/alert" .}}
<div class="debug-workflow-container">
<div class="ui segment">
<h2>{{ctx.Locale.Tr "actions.debug_workflow.title"}}</h2>
<p class="help-text">{{ctx.Locale.Tr "actions.debug_workflow.description"}}</p>
<!-- Workflow Editor Section -->
<div class="workflow-editor-section">
<label for="workflow-content">{{ctx.Locale.Tr "actions.debug_workflow.yaml_content"}}</label>
<div class="editor-wrapper">
<textarea
id="workflow-content"
class="form-control monospace"
rows="15"
placeholder="name: My Debug Workflow&#10;on: workflow_dispatch&#10;jobs:&#10; test:&#10; runs-on: ubuntu-latest&#10; steps:&#10; - uses: actions/checkout@v3&#10; - run: echo 'Hello'"></textarea>
</div>
<small class="help-text">{{ctx.Locale.Tr "actions.debug_workflow.yaml_help"}}</small>
</div>
<!-- Action Buttons -->
<div class="debug-workflow-actions">
<button id="validate-workflow" class="ui button">
{{svg "octicon-check"}} {{ctx.Locale.Tr "actions.debug_workflow.validate"}}
</button>
<button id="run-workflow" class="ui primary button">
{{svg "octicon-play"}} {{ctx.Locale.Tr "actions.debug_workflow.run"}}
</button>
<div id="validation-message" class="hidden alert"></div>
</div>
</div>
<!-- Output Section -->
<div id="debug-output" class="hidden">
<div class="ui segment">
<h3>{{ctx.Locale.Tr "actions.debug_workflow.output"}}</h3>
<!-- Run Info -->
<div class="run-info">
<div class="info-item">
<strong>{{ctx.Locale.Tr "actions.debug_workflow.status"}}:</strong>
<span id="run-status" class="label"></span>
</div>
<div class="info-item">
<strong>{{ctx.Locale.Tr "actions.debug_workflow.run_id"}}:</strong>
<span id="run-id"></span>
</div>
<div class="info-item">
<strong>{{ctx.Locale.Tr "actions.debug_workflow.created"}}:</strong>
<span id="run-created"></span>
</div>
</div>
<!-- Logs Viewer -->
<div class="logs-section">
<h4>{{ctx.Locale.Tr "actions.debug_workflow.logs"}}</h4>
<div class="logs-viewer">
<pre id="workflow-logs" class="logs-content">{{ctx.Locale.Tr "actions.debug_workflow.loading"}}</pre>
</div>
<div class="logs-controls">
<button id="copy-logs" class="ui button">
{{svg "octicon-copy"}} {{ctx.Locale.Tr "actions.debug_workflow.copy_logs"}}
</button>
<button id="download-logs" class="ui button">
{{svg "octicon-download"}} {{ctx.Locale.Tr "actions.debug_workflow.download_logs"}}
</button>
</div>
</div>
<!-- Workflow Content -->
<div class="workflow-content-section">
<h4>{{ctx.Locale.Tr "actions.debug_workflow.workflow_used"}}</h4>
<pre id="workflow-content-display" class="workflow-yaml"></pre>
</div>
</div>
</div>
<!-- Recent Debug Runs -->
<div class="ui segment">
<h3>{{ctx.Locale.Tr "actions.debug_workflow.recent_runs"}}</h3>
<table class="ui table">
<thead>
<tr>
<th>{{ctx.Locale.Tr "actions.debug_workflow.run_id"}}</th>
<th>{{ctx.Locale.Tr "actions.debug_workflow.status"}}</th>
<th>{{ctx.Locale.Tr "actions.debug_workflow.created"}}</th>
<th>{{ctx.Locale.Tr "common.actions"}}</th>
</tr>
</thead>
<tbody>
{{range .DebugRuns}}
<tr>
<td><a href="{{$.RepoLink}}/actions/runs/{{.Index}}">{{.Index}}</a></td>
<td><span class="ui label">{{.Status}}</span></td>
<td>{{.Created}}</td>
<td>
<a href="{{$.RepoLink}}/actions/runs/{{.Index}}" class="ui mini button">{{ctx.Locale.Tr "common.view"}}</a>
</td>
</tr>
{{end}}
</tbody>
</table>
</div>
</div>
</div>
</div>
<style>
.debug-workflow-container {
margin-top: 20px;
}
.workflow-editor-section {
margin-bottom: 20px;
}
.editor-wrapper {
width: 100%;
margin-bottom: 10px;
}
#workflow-content {
width: 100%;
box-sizing: border-box;
font-family: 'Monaco', 'Courier New', monospace;
font-size: 12px;
line-height: 1.5;
background-color: #f5f5f5;
border: 1px solid #ddd;
padding: 10px;
}
.debug-workflow-options {
margin: 20px 0;
padding: 15px;
background-color: #f9f9f9;
border-left: 4px solid #0066cc;
border-radius: 4px;
}
.debug-workflow-options .field {
margin-bottom: 15px;
}
.debug-workflow-options label {
font-weight: 600;
display: block;
margin-bottom: 5px;
}
.debug-workflow-actions {
margin: 20px 0;
}
.debug-workflow-actions button {
margin-right: 10px;
}
#debug-output {
margin-top: 30px;
}
.run-info {
display: flex;
gap: 20px;
padding: 15px;
background-color: #f0f0f0;
border-radius: 4px;
margin-bottom: 20px;
}
.info-item {
flex: 1;
}
.logs-viewer {
background-color: #1e1e1e;
color: #d4d4d4;
padding: 15px;
border-radius: 4px;
overflow-x: auto;
max-height: 500px;
overflow-y: auto;
font-size: 12px;
font-family: 'Monaco', 'Courier New', monospace;
line-height: 1.5;
}
.logs-content {
margin: 0;
}
.logs-controls {
margin-top: 10px;
text-align: right;
}
.logs-controls button {
margin-left: 10px;
}
.workflow-content-section {
margin-top: 20px;
}
.workflow-yaml {
background-color: #f5f5f5;
border: 1px solid #ddd;
padding: 10px;
border-radius: 4px;
font-size: 12px;
max-height: 400px;
overflow-y: auto;
}
.help-text {
display: block;
margin-top: 5px;
color: #666;
}
#validation-message {
margin-top: 10px;
padding: 10px;
border-radius: 4px;
}
#validation-message.success {
background-color: #dff0d8;
border: 1px solid #d6e9c6;
color: #3c763d;
}
#validation-message.error {
background-color: #f2dede;
border: 1px solid #ebccd1;
color: #a94442;
}
</style>
<script>
document.addEventListener('DOMContentLoaded', function() {
const validateBtn = document.getElementById('validate-workflow');
const runBtn = document.getElementById('run-workflow');
const contentArea = document.getElementById('workflow-content');
const debugOutput = document.getElementById('debug-output');
const validationMsg = document.getElementById('validation-message');
// 验证工作流
validateBtn.addEventListener('click', function() {
const content = contentArea.value.trim();
if (!content) {
showValidationMessage('{{ctx.Locale.Tr "actions.debug_workflow.empty_content"}}', 'error');
return;
}
// 简单的 YAML 验证(检查基本结构)
try {
// 这里可以添加更复杂的验证逻辑
if (!content.includes('jobs:')) {
throw new Error('{{ctx.Locale.Tr "actions.debug_workflow.no_jobs"}}');
}
showValidationMessage('{{ctx.Locale.Tr "actions.debug_workflow.valid"}}', 'success');
} catch (e) {
showValidationMessage(e.message, 'error');
}
});
// 运行工作流
runBtn.addEventListener('click', function() {
const content = contentArea.value.trim();
if (!content) {
showValidationMessage('{{ctx.Locale.Tr "actions.debug_workflow.empty_content"}}', 'error');
return;
}
runBtn.disabled = true;
runBtn.innerText = '{{ctx.Locale.Tr "actions.debug_workflow.running"}}...';
fetch('{{.RepoLink}}/api/v1/repos/{{.RepoOwner}}/{{.RepoName}}/actions/debug-workflow', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': document.querySelector('meta[name="csrf-token"]').content
},
body: JSON.stringify({
workflow_content: content,
ref: '',
inputs: {}
})
})
.then(response => {
if (!response.ok) throw new Error('Failed to run workflow');
return response.json();
})
.then(data => {
displayRunOutput(data);
// 定期检查运行状态
pollRunStatus(data.id);
})
.catch(error => {
showValidationMessage('{{ctx.Locale.Tr "actions.debug_workflow.run_error"}}: ' + error.message, 'error');
runBtn.disabled = false;
runBtn.innerText = '{{ctx.Locale.Tr "actions.debug_workflow.run"}}';
});
});
function showValidationMessage(msg, type) {
validationMsg.textContent = msg;
validationMsg.className = type;
validationMsg.classList.remove('hidden');
}
function displayRunOutput(run) {
debugOutput.classList.remove('hidden');
document.getElementById('run-status').textContent = run.status;
document.getElementById('run-id').textContent = run.id;
document.getElementById('run-created').textContent = new Date(run.created).toLocaleString();
}
function pollRunStatus(runId) {
// 定期轮询运行状态和日志
const pollInterval = setInterval(function() {
fetch('{{.RepoLink}}/api/v1/repos/{{.RepoOwner}}/{{.RepoName}}/actions/debug-workflow/' + runId)
.then(response => response.json())
.then(data => {
document.getElementById('workflow-logs').textContent = data.logs || '{{ctx.Locale.Tr "actions.debug_workflow.no_logs"}}';
document.getElementById('workflow-content-display').textContent = data.workflow_content;
document.getElementById('run-status').textContent = data.run.status;
if (data.run.status !== 'running' && data.run.status !== 'waiting') {
clearInterval(pollInterval);
document.getElementById('run-workflow').disabled = false;
document.getElementById('run-workflow').innerText = '{{ctx.Locale.Tr "actions.debug_workflow.run"}}';
}
})
.catch(error => console.error('Poll error:', error));
}, 2000); // 每2秒轮询一次
}
// 复制日志
document.getElementById('copy-logs').addEventListener('click', function() {
const logs = document.getElementById('workflow-logs').textContent;
navigator.clipboard.writeText(logs).then(() => {
alert('{{ctx.Locale.Tr "actions.debug_workflow.copy_success"}}');
});
});
// 下载日志
document.getElementById('download-logs').addEventListener('click', function() {
const logs = document.getElementById('workflow-logs').textContent;
const element = document.createElement('a');
element.setAttribute('href', 'data:text/plain;charset=utf-8,' + encodeURIComponent(logs));
element.setAttribute('download', 'workflow-logs-' + Date.now() + '.txt');
element.style.display = 'none';
document.body.appendChild(element);
element.click();
document.body.removeChild(element);
});
});
</script>
{{template "base/footer" .}}

6
templates/repo/actions/list.tmpl
repo.diff.view_file

@@ -26,12 +26,6 @@
</div>
<div class="twelve wide column content">
<div class="ui secondary filter menu tw-justify-end tw-flex tw-items-center">
<!-- Debug Workflow Button -->
<a href="{{$.Link}}/debug-workflow" class="ui primary button" title="{{ctx.Locale.Tr "actions.debug_workflow.title"}}">
{{svg "octicon-bug" 16}}
{{ctx.Locale.Tr "actions.debug_workflow"}}
</a>
<!-- Actor -->
<div class="ui{{if not .Actors}} disabled{{end}} dropdown jump item">
<span class="text">{{ctx.Locale.Tr "actions.runs.actor"}}</span>

4
templates/repo/devcontainer/default_devcontainer.json
repo.diff.view_file

@@ -14,10 +14,6 @@
"echo \"postCreateCommand\"",
"echo \"OK\""
],
"postAttachCommand": [
"echo \"postAttachCommand\"",
"echo \"OK\""
],
"runArgs": [
"-p 8888"
]

195
templates/repo/devcontainer/details.tmpl
repo.diff.view_file

@@ -22,7 +22,6 @@
{{else}}
<div class="ui container">
<form class="ui edit form">
<div class="repo-editor-header">
<div class="ui breadcrumb field">
@@ -37,9 +36,7 @@
</div>
</form>
{{if and .ValidateDevContainerConfiguration .HasDevContainer}}
<iframe id="webTerminalContainer" src="{{.WebSSHUrl}}" width="100%" style="height: 100vh; display: none;" frameborder="0">您的浏览器不支持iframe</iframe>
{{end}}
</div>
{{end}}
</div>
@@ -50,7 +47,7 @@
<strong>{{ctx.Locale.Tr "repo.dev_container_control"}}</strong>
<div class="ui relaxed list">
{{if and .ValidateDevContainerConfiguration .HasDevContainer}}
{{if .HasDevContainer}}
<div style=" display: none;" id="deleteContainer" class="item"><a class="delete-button flex-text-inline" data-modal="#delete-repo-devcontainer-of-user-modal" href="#" data-url="{{.Repository.Link}}/devcontainer/delete">{{svg "octicon-trash" 14}}{{ctx.Locale.Tr "repo.dev_container_control.delete"}}</a></div>
{{if .isAdmin}}
<div style=" display: none;" id="updateContainer" class="item"><a class="delete-button flex-text-inline" style="color:black; " data-modal-id="updatemodal" href="#">{{svg "octicon-database"}}{{ctx.Locale.Tr "repo.dev_container_control.update"}}</a></div>
@@ -69,7 +66,7 @@
<div style=" display: none;" id="createContainer" class="item">
<div>
<form method="get" action="{{.Repository.Link}}/devcontainer/create" class="ui edit form">
<button class="flex-text-inline" type="submit">{{svg "octicon-terminal" 14 "tw-mr-2"}} {{ctx.Locale.Tr "repo.dev_container_control.create"}}</button>
<button class="flex-text-inline" type="submit">{{svg "octicon-terminal" 14 "tw-mr-2"}} Create Dev Container</button>
</form>
</div>
</div>
@@ -87,16 +84,6 @@
<!-- 结束Dev Container 正文内容 -->
</div>
</div>
<!-- 自定义警告框 -->
<div id="customAlert" class="custom-alert">
<div class="alert-content">
<div class="alert-header">
<strong>提示信息</strong>
<button class="alert-close" onclick="closeCustomAlert()">&times;</button>
</div>
<div id="alertText" class="alert-body"></div>
</div>
</div>
<!-- 确认删除 Dev Container 模态对话框 -->
<div class="ui g-modal-confirm delete modal" id="delete-repo-devcontainer-of-user-modal">
@@ -109,14 +96,24 @@
</div>
{{template "base/modal_actions_confirm" .}}
</div>
<!-- 保存 Dev Container 模态对话框 -->
<!-- 确认 Dev Container 模态对话框 -->
<div class="ui g-modal-confirm delete modal" style="width: 35%" id="updatemodal">
<div class="header">
{{ctx.Locale.Tr "repo.dev_container_control.update"}}
</div>
<div class="content">
<form class="ui form tw-max-w-2xl tw-m-auto" id="updateForm" onsubmit="submitForm(event)">
<div class="inline field">
<div class="ui checkbox">
{{if not .HasDevContainerDockerfile}}
<input type="checkbox" id="SaveMethod" name="SaveMethod" disabled>
{{else}}
<input type="checkbox" id="SaveMethod" name="SaveMethod" value="on">
{{end}}
<label for="SaveMethod">Build From Dockerfile</label>
</div>
</div>
<div class="required field ">
<label for="RepositoryAddress">Registry:</label>
<input style="border: 1px solid black;" type="text" id="RepositoryAddress" name="RepositoryAddress" value="{{.RepositoryAddress}}">
@@ -127,38 +124,13 @@
</div>
<div class="required field ">
<label for="RepositoryPassword">Registry Password:</label>
<div style="position: relative; display: inline-block; width: 100%;">
<input style="border: 1px solid black; width: 100%; padding-right: 80px;"
type="password"
id="RepositoryPassword"
name="RepositoryPassword"
required
autocomplete="current-password">
<button type="button"
style="position: absolute; right: 5px; top: 50%; transform: translateY(-50%);
background: none; border: none; cursor: pointer; color: #666;
font-size: 12px; padding: 5px 8px;"
onclick="togglePasswordVisibility('RepositoryPassword', this)">
显示密码
</button>
</div>
<input style="border: 1px solid black;" type="text" id="RepositoryPassword" name="RepositoryPassword" required>
</div>
<div class="required field ">
<label for="ImageName">Image(name:tag):</label>
<input style="border: 1px solid black;" type="text" id="ImageName" name="ImageName" value="{{.ImageName}}">
</div>
<div class="inline field">
<div class="ui checkbox">
{{if not .HasDevContainerDockerfile}}
<input type="checkbox" id="SaveMethod" name="SaveMethod" disabled>
<label for="SaveMethod">There is no Dockerfile</label>
{{else}}
<input type="checkbox" id="SaveMethod" name="SaveMethod" value="on">
<label for="SaveMethod">Build From Dockerfile: {{.DockerfilePath}}</label>
{{end}}
</div>
</div>
<div class="actions">
<button class="ui primary button" type="submit" id="updateSubmitButton" >Submit</button>
<button class="ui cancel button" id="updateCloseButton">Close</button>
@@ -171,21 +143,6 @@
<script>
document.getElementById('updateSubmitButton').addEventListener('click', function() {
const form = document.getElementById('updateForm');
const formData = new FormData(form);
var RepositoryAddress = formData.get('RepositoryAddress');
var RepositoryUsername = formData.get('RepositoryUsername');
var RepositoryPassword = formData.get('RepositoryPassword');
var SaveMethod = formData.get('SaveMethod');
var ImageName = formData.get('ImageName');
if(ImageName != "" && SaveMethod != "" && RepositoryPassword != "" && RepositoryUsername != "" && RepositoryAddress != ""){
document.getElementById('updatemodal').classList.add('is-loading')
}
});
var status = '-1'
var intervalID
const createContainer = document.getElementById('createContainer');
@@ -276,13 +233,13 @@ function getStatus() {
if(status !== '9' && status !== '-1' && data.status == '9'){
window.location.reload();
}
else if(status !== '-1' && data.status == '-1'){
if(status !== '-1' && data.status == '-1'){
window.location.reload();
}
else if(status !== '4' && status !== '-1' && data.status == '4'){
//window.location.reload();
if(status !== '4' && status !== '-1' && data.status == '4'){
window.location.reload();
}
else if (data.status == '-1' || data.status == '') {
if (data.status == '-1' || data.status == '') {
if (loadingElement) {
loadingElement.style.display = 'none';
}
@@ -376,7 +333,7 @@ function getStatus() {
console.error('Error:', error);
});
}
intervalID = setInterval(getStatus, 5000);
intervalID = setInterval(getStatus, 3000);
if (restartContainer) {
restartContainer.addEventListener('click', function(event) {
// 处理点击逻辑
@@ -385,7 +342,7 @@ if (restartContainer) {
loadingElement.style.display = 'block';
}
fetch('{{.Repository.Link}}' + '/devcontainer/restart')
.then(response => {intervalID = setInterval(getStatus, 5000);})
.then(response => {intervalID = setInterval(getStatus, 3000);})
});
}
if (stopContainer) {
@@ -396,7 +353,7 @@ if (stopContainer) {
}
// 处理点击逻辑
fetch('{{.Repository.Link}}' + '/devcontainer/stop')
.then(response => {intervalID = setInterval(getStatus, 5000);})
.then(response => {intervalID = setInterval(getStatus, 3000);})
});
}
@@ -406,46 +363,10 @@ if (deleteContainer) {
});
}
function togglePasswordVisibility(passwordFieldId, button) {
const passwordInput = document.getElementById(passwordFieldId);
if (passwordInput.type === 'password') {
passwordInput.type = 'text';
button.textContent = '隐藏密码';
button.style.color = '#2185d0'; // 主色调,表示激活状态
} else {
passwordInput.type = 'password';
button.textContent = '显示密码';
button.style.color = '#666'; // 恢复默认颜色
}
}
function showCustomAlert(message, title = "提示信息") {
const alertBox = document.getElementById('customAlert');
const alertText = document.getElementById('alertText');
const alertHeader = alertBox.querySelector('.alert-header strong');
alertHeader.textContent = title;
alertText.textContent = message;
alertBox.style.display = 'block';
}
function closeCustomAlert() {
document.getElementById('customAlert').style.display = 'none';
}
// 点击背景关闭
document.getElementById('customAlert').addEventListener('click', function(e) {
if (e.target === this) {
closeCustomAlert();
}
});
function submitForm(event) {
event.preventDefault(); // 阻止默认的表单提交行为
const {csrfToken} = window.config;
const {appSubUrl} = window.config;
const formModal = document.getElementById('updatemodal');
const form = document.getElementById('updateForm');
const submitButton = document.getElementById('updateSubmitButton');
const closeButton = document.getElementById('updateCloseButton');
@@ -469,10 +390,9 @@ function submitForm(event) {
.then(response => response.json())
.then(data => {
submitButton.disabled = false;
formModal.classList.remove('is-loading')
showCustomAlert(data.message);
alert(data.message);
if(data.redirect){
closeCustomAlert()
closeButton.click()
}
intervalID = setInterval(getStatus, 3000);
})
@@ -502,69 +422,6 @@ function submitForm(event) {
0%{-webkit-transform:rotate(0deg)}
100%{-webkit-transform:rotate(360deg)}
}
.custom-alert {
display: none;
position: fixed;
top: 0;
left: 0;
width: 100%;
height: 100%;
background: rgba(0,0,0,0.5);
z-index: 10000;
}
.alert-content {
color: black;
position: absolute;
top: 50%;
left: 50%;
transform: translate(-50%, -50%);
background: white;
padding: 0; /* 移除内边距,在内部元素中设置 */
border-radius: 8px;
width: 80%;
max-width: 600px;
max-height: 80%;
display: flex;
flex-direction: column;
box-shadow: 0 4px 6px rgba(0,0,0,0.1);
}
.alert-header {
padding: 15px 20px;
border-bottom: 1px solid #eee;
background: #f8f9fa;
border-radius: 8px 8px 0 0;
position: sticky;
top: 0;
z-index: 10;
display: flex;
justify-content: space-between;
align-items: center;
}
.alert-close {
cursor: pointer;
font-size: 24px;
font-weight: bold;
color: #666;
background: none;
border: none;
padding: 0;
width: 30px;
height: 30px;
display: flex;
align-items: center;
justify-content: center;
border-radius: 50%;
}
.alert-close:hover {
background: #e9ecef;
color: #000;
}
.alert-body {
padding: 20px;
overflow-y: auto;
max-height: calc(80vh - 100px); /* 减去头部高度 */
white-space: pre-wrap;
word-wrap: break-word;
}
</style>
{{template "base/footer" .}}

2
templates/shared/actions/runner_list.tmpl
repo.diff.view_file

@@ -9,11 +9,9 @@
{{svg "octicon-triangle-down" 14 "dropdown icon"}}
</button>
<div class="menu">
{{if or (.AllowCreateActRunner) (.Permission.IsAdmin)}}
<div class="item">
<a href="{{$.Link}}/regist_runner">{{ctx.Locale.Tr "actions.runners.regist_runner"}}</a>
</div>
{{end}}
<div class="item">
<a href="https://docs.gitea.com/usage/actions/act-runner">{{ctx.Locale.Tr "actions.runners.new_notice"}}</a>
</div>

14
tests/integration/debug_workflow_test.go
repo.diff.view_file

@@ -1,14 +0,0 @@
// Copyright 2025 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"testing"
)
// TestDebugWorkflow 是调试工作流功能的占位符测试
// 完整的测试需要正确的测试工具和设置
func TestDebugWorkflow(t *testing.T) {
t.Skip("Debug workflow tests require full integration test setup")
}