diff --git a/.memory/status.md b/.memory/status.md new file mode 100644 index 0000000..1f92688 --- /dev/null +++ b/.memory/status.md 
@@ -0,0 +1,170 @@ +# 沙箱项目当前状态(2026-04-20 休息前) + +## 一句话总结 + +**沙箱后端跑着,17 员工容器就绪;LobeChat 聊天界面的沙箱 UI 已全部隐藏(折中方案)。员工像用 ChatGPT 一样无感使用,管理员从 sandbox.milejoy.com 看监控。** + +--- + +## 运行中的东西 + +### VPS `2.24.28.41` +| 服务 | 状态 | 位置 | +|---|---|---| +| `sandbox-orchestrator.service` | **active**(Bun,PID 1156813,~46MB) | systemd,`/opt/lobe-sandbox/orchestrator` | +| Incus + btrfs 池 | active(19 容器,3.7GB 占用) | `/var/lib/incus/disks/lobe-sandbox-pool.img` | +| nginx 反代 | active | `/etc/nginx/sites-enabled/sandbox.milejoy.com` | +| LobeChat 容器 | running 镜像 `lobechat-custom:latest` = `820af0716863`(含沙箱后端路由 + UI 已隐藏) | `/opt/lobechat/docker-compose.yml` | + +### Incus 容器清单(`lobe-sandbox` project) +- 17 个员工:`sb-user-`(54 个 agent 的 plugins 都有 `lobe-cloud-sandbox`) +- 2 个 demo:`sb-demo-html`(贪吃蛇测试)、`sb-demo-term`(终端样式测试) +- 管理员 token:`0JicSkQZnVVe9zZWpqJKJkTv`(在 `/etc/lobe-sandbox/orchestrator.env`) + +--- + +## 关键 URL + 命令速查 + +### 管理员看监控(浏览器) +``` +https://sandbox.milejoy.com/admin/?token=0JicSkQZnVVe9zZWpqJKJkTv +``` + +### 命令行直接查 +```bash +# 所有容器 +ssh root@2.24.28.41 'incus list --project lobe-sandbox' + +# 进某用户沙箱 +ssh -t root@2.24.28.41 incus exec sb-user-NnpKbPqFJuBkSsAaeEUKSxkc0EX \ + --project lobe-sandbox --user 1000 -- bash + +# orchestrator 日志 +ssh root@2.24.28.41 'tail -50 /var/log/lobe-sandbox-orchestrator.log' + +# 重启 orchestrator +ssh root@2.24.28.41 'systemctl restart sandbox-orchestrator' +``` + +--- + +## 代码分支现状 + +### Lobe Sandbox Backend(本地 + Gitea) +- 路径:`~/Projects/business/20260418-lobe-sandbox-backend/` +- main 分支 = 最新代码(已 push Gitea) +- 关键文件: + - `orchestrator/src/` —— Bun HTTP 服务(index / admin / admin-ui / incus / events / export / reaper / state / tools) + - `scripts/host-init.sh` —— 宿主机幂等初始化 + - `scripts/deploy.sh` —— 一键部署 orchestrator 到 VPS + - `images/base/build.sh` + `patch-uv.sh` + `patch-venv.sh` —— base 镜像构建 + 两个补丁 + - `.memory/project.md` —— 设计文档 + - `.memory/status.md` —— **这个文件,当前状态快照** + +### LobeChat fork(feat 分支) +- 
路径:`~/Projects/business/20260330-LobeChat公司AI平台/` +- 当前在 `feat/self-hosted-sandbox` 分支 HEAD `376849dc9d` +- main **不受影响**,可以随时切回去 +- feat 分支累计 7 个 commit,最后 1 个是"折中方案:后端保留,UI 全部隐藏" + +### 改过的 LobeChat 文件(feat/self-hosted-sandbox vs main) +1. `src/envs/app.ts` — 加 `SANDBOX_BACKEND_URL` / `_PUBLIC_URL` / `_SECRET` +2. `src/server/services/sandbox/localSandbox.ts` — 新文件,`LocalSandboxService implements ISandboxService` +3. `src/server/services/toolExecution/serverRuntimes/cloudSandbox.ts` — env 分叉 local/market +4. `src/server/routers/tools/market.ts` — execInSandbox + exportAndUploadFile 分叉 +5. `src/libs/better-auth/define-config.ts` — user.create.after provision +6. `src/app/(backend)/webapi/sandbox/view-url/route.ts` — (新)HMAC scoped URL 接口 + +### 被我删掉 / 注释的 LobeChat 变动(折中方案) +- `packages/builtin-tools/src/portals.ts` — CloudSandbox Portal **不再注册** +- `src/routes/(main)/agent/features/Conversation/index.tsx` — `` **已移除** +- `src/features/Conversation/SandboxAutoOpen.tsx` + `packages/builtin-tool-cloud-sandbox/src/client/Portal/index.tsx` 文件**保留**,只是没被引用(想恢复 UI 重新引入即可) + +--- + +## 日志 / Env 关键位置 + +``` +/etc/lobe-sandbox/orchestrator.env # ADMIN_TOKEN / SANDBOX_ORCH_SECRET / S3(RustFS) +/var/log/lobe-sandbox-orchestrator.log +/var/lib/lobe-sandbox/state.sqlite # 用户 provisioned/touch 记录 + +/opt/lobechat/.env # LobeChat env,含 SANDBOX_BACKEND_URL / SECRET / PUBLIC_URL +/opt/lobechat-build/ # VPS 上的 LobeChat 源码(git checkout feat/self-hosted-sandbox) + +/etc/nginx/sites-enabled/sandbox.milejoy.com +/etc/letsencrypt/live/ai.milejoy.com/ # 含 sandbox.milejoy.com subdomain +``` + +--- + +## 这两天踩过的所有坑(一次性整理) + +| # | 坑 | 修复 | +|---|---|---| +| 1 | UFW 默认 DROP incusbr0 的 DHCP/DNS(hermes 用静态 IP 绕过所以以前没踩) | 加 iptables 规则 + netfilter-persistent 持久化,写进 `scripts/host-init.sh` | +| 2 | uv 的环境变量是 `UV_INSTALL_DIR` 不是 `INSTALL_DIR` | 改 build.sh,已 patch | +| 3 | `nohup bash -s <` 挂回去即可(需 rebuild) +- [ ] 监控面板如果觉得 xterm 太重,可改成一个纯静态 HTML 只显示最近事件(~30KB) +- [ ] long-running 
command(getCommandOutput / killCommand)v2 实现 +- [ ] exportFile 真正对接 RustFS 的流程测一遍 +- [ ] `MARKET_TRUSTED_CLIENT_SECRET` 白名单申请(如果想让员工能发布 Agent 到社区) + +--- + +## 最简单的"重新开始"流程(如果将来全删了) + +```bash +# 1. 宿主机初始化 +scp ~/Projects/business/20260418-lobe-sandbox-backend/scripts/host-init.sh root@2.24.28.41:/root/ +ssh root@2.24.28.41 'bash /root/host-init.sh' + +# 2. base 镜像 +scp ~/Projects/business/20260418-lobe-sandbox-backend/images/base/build.sh root@2.24.28.41:/root/ +ssh root@2.24.28.41 'systemd-run --unit=sb-build bash /root/build.sh' + +# 3. orchestrator +cd ~/Projects/business/20260418-lobe-sandbox-backend/ && bash scripts/deploy.sh + +# 4. LobeChat 侧(如果 feat 分支还没 merge): +cd ~/Projects/business/20260330-LobeChat公司AI平台/ +git push origin feat/self-hosted-sandbox +ssh root@2.24.28.41 'cd /opt/lobechat-build && git pull' +# + docker build + docker tag + docker compose up -d --force-recreate lobe + +# 5. backfill 用户 +ssh root@2.24.28.41 'bun run /opt/lobe-sandbox/orchestrator/scripts/backfill-users.ts' +``` + +--- + +## 休息前最后提醒 + +**现在所有东西都稳的**: +- ai.milejoy.com 正常(员工聊天无感) +- sandbox.milejoy.com 管理台可用 +- 17 容器 + demo 在位 +- 没有任何后台服务挂掉的风险 + +**你新开对话时只需要**: +> "读 `~/Projects/business/20260418-lobe-sandbox-backend/.memory/status.md` 恢复上下文" + +就能从这里接着聊。 diff --git a/.memory/worklog.json b/.memory/worklog.json index 189b4c0..3b9a941 100644 --- a/.memory/worklog.json +++ b/.memory/worklog.json @@ -489,6 +489,13 @@ "message": "auto-save 2026-04-20 01:04 (~1)", "hash": "8953e29", "files_changed": 1 + }, + { + "ts": "2026-04-20T01:10:01+08:00", + "type": "commit", + "message": "auto-save 2026-04-20 01:09 (~1)", + "hash": "05ca4a7", + "files_changed": 1 } ] }
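Review bot: the new `.memory/status.md` hunk commits a live credential into the repository: the bullet `管理员 token:`0JicSkQZnVVe9zZWpqJKJkTv`` and the admin URL `https://sandbox.milejoy.com/admin/?token=0JicSkQZnVVe9zZWpqJKJkTv` both carry the orchestrator admin token in clear text, and the same file says the branch is already pushed to Gitea, so the value is now in remote git history. Suggest replacing the literal with a pointer to `/etc/lobe-sandbox/orchestrator.env` (the line already names that file as the source) and rotating `ADMIN_TOKEN` on the VPS, since rewriting history does not recover a pushed secret. Carrying the token as a `?token=` query parameter also writes it into the nginx access log for `sandbox.milejoy.com` and into browser history; a header or cookie would keep it out of both. The same file documents the VPS address and `ssh root@...` commands; a status snapshot that lives in the repo should not double as the credential store. Separately, the 踩坑 table looks cut off in this hunk: row 3 reads `| 3 | `nohup bash -s <` 挂回去即可(需 rebuild)` with the remaining rows and the start of the TODO list missing, so the committed file should be checked for a truncation around that `<`.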
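Review bot: the `.memory/worklog.json` hunk appends a machine-generated `auto-save 2026-04-20 01:09 (~1)` entry in the same commit as the hand-written status document, which makes the history of the worklog hard to read and means every doc edit drags an unrelated JSON churn along with it. The JSON itself is well-formed (comma placed on the previous object's closing brace, new object last in the array), so the only suggestion is to commit auto-save entries separately or keep the generated worklog out of version control, so reviewers can diff the status file on its own.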