josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
481b67fb69675099f9fc5c33210e93043244f27d
Vetting/internal/config/config.go
T
josh 23c689aa5b
CI / Lint + build + test (push) Failing after 1m57s
Details
Release / release (push) Has been cancelled
Details
deep profile + threshold gating + firmware stage + Burn super-stage 
Ships all five phases of the deep-profile overhaul together. Runs now
carry a profile (quick/deep/soak); every profile walks the same
11-stage order — Inventory → Firmware → SpecValidate → SMART →
CPUStress → Storage → Network → Burn → GPU → PSU → Reporting —
with only per-stage durations and concurrency scaled.

Phase 1: profiles.ProfileRegistry loaded from vetting.yaml; runs.profile
column + CreateWithProfile; threshold table + evaluator seeded per-run
from the shared vetting.thresholds block; breach flips result at
/sensor + /result.

Phase 2: upgraded CPUStress (stress-ng --cpu-method=all --verify +
EDAC/MCE poll), Storage (fio --verify=md5 + SMART start/end delta),
Network (sustained iperf + /proc/net/dev deltas) with per-profile
knobs from Deps.

Phase 3: Burn super-stage with goroutine fan-out for CPU + memory +
fio + iperf, PSU rails sampled across the Burn window, SensorMux
(2 s flush, 500-sample cap) to absorb backpressure.

Phase 4: Firmware stage + firmware_snapshots table; probes dmidecode
(BIOS), ipmitool (BMC), ethtool -i (NIC), nvme (sysfs + id-ctrl),
lspci (HBA), /proc/cpuinfo (microcode). spec.DiffFirmware folds into
SpecValidate with pin-by-identifier and fan-out-across-component
matching; mismatches park the run in FailedHolding.

Phase 5: profile radio on the host start form, profile chip on the
run header, Firmware section in the HTML report, coverage artifact
uploaded from CI, agent/tests/fakes/ scaffold with Deps.LookPath
seam + stress_ng and dmidecode example fakes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 22:50:57 -04:00

160 lines
4.8 KiB
Go
Raw Blame History

package config
import (
"fmt"
"os"
"path/filepath"
"gopkg.in/yaml.v3"
)
type Config struct {
Server Server `yaml:"server"`
Database Database `yaml:"database"`
Artifacts Artifacts `yaml:"artifacts"`
Logs Logs `yaml:"logs"`
Dispatcher Dispatcher `yaml:"dispatcher"`
Janitor Janitor `yaml:"janitor"`
PXE PXE `yaml:"pxe"`
Network Network `yaml:"network"`
Agent Agent `yaml:"agent"`
Notifiers []Notifier `yaml:"notifiers"`
Routes []Route `yaml:"routes"`
// Profiles holds the Phase-1 quick/deep/soak registry (stage order,
// threshold defaults, per-profile stage timeouts + probe knobs).
// Populated from the `vetting:` and `profiles:` top-level blocks
// during Load. Nil is never returned — Load installs a default
// registry when those blocks are absent.
Profiles *ProfileRegistry `yaml:"-"`
}
type Server struct {
Bind string `yaml:"bind"`
PublicURL string `yaml:"public_url"` // user-visible base URL, e.g. https://vetting.lan:8443; used in notification click-throughs
TLS TLS `yaml:"tls"`
}
type TLS struct {
Enabled bool `yaml:"enabled"`
CertFile string `yaml:"cert_file"`
KeyFile string `yaml:"key_file"`
}
type Database struct {
Path string `yaml:"path"`
}
type Artifacts struct {
Dir string `yaml:"dir"`
RetentionDays int `yaml:"retention_days"` // 0 = keep forever
}
type Logs struct {
Dir string `yaml:"dir"`
RetentionDays int `yaml:"retention_days"` // 0 = keep forever
}
type Janitor struct {
IntervalMinutes int `yaml:"interval_minutes"` // 0 = 60
}
type Dispatcher struct {
MaxConcurrentRuns int `yaml:"max_concurrent_runs"`
}
type Network struct {
IperfPort int `yaml:"iperf_port"`
}
// PXE / Notifier / Route are declared up front so the config file is
// forward-compatible across phases. Phase 1 does not act on these.
type PXE struct {
Enabled bool `yaml:"enabled"`
Interface string `yaml:"interface"`
Subnet string `yaml:"subnet"` // LAN CIDR, e.g. "192.168.1.0/24"; dnsmasq runs in proxy-DHCP mode scoped to this subnet
OrchestratorURL string `yaml:"orchestrator_url"`
TFTPRoot string `yaml:"tftp_root"` // holds ipxe.efi + undionly.kpxe
LiveDir string `yaml:"live_dir"` // holds vmlinuz + initrd.img; served at /live
}
// Agent holds settings related to the host-mode vetting-agent binary
// that operators install on their hosts. AssetDir is served at
// /assets/*, which is where the quick-register script downloads
// `vetting-agent-linux-amd64` from.
type Agent struct {
AssetDir string `yaml:"asset_dir"` // directory containing vetting-agent-linux-amd64; "" disables /assets
}
type Notifier struct {
Name string `yaml:"name"`
Type string `yaml:"type"`
Topic string `yaml:"topic,omitempty"`
Server string `yaml:"server,omitempty"`
WebhookURL string `yaml:"webhook_url,omitempty"`
SMTP SMTP `yaml:"smtp,omitempty"`
}
type SMTP struct {
Host string `yaml:"host,omitempty"`
Port int `yaml:"port,omitempty"`
From string `yaml:"from,omitempty"`
To []string `yaml:"to,omitempty"`
}
type Route struct {
MatchKind []string `yaml:"match_kind"`
MatchSeverity []string `yaml:"match_severity,omitempty"`
Notifier string `yaml:"notifier"`
}
func Load(path string) (*Config, error) {
b, err := os.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("read config: %w", err)
}
var c Config
if err := yaml.Unmarshal(b, &c); err != nil {
return nil, fmt.Errorf("parse config: %w", err)
}
// The `vetting:` + `profiles:` blocks live alongside the existing
// fields but we decode them into the raw shape because YAML
// durations arrive as strings. Reusing the same byte buffer is
// safe: yaml.Unmarshal is happy to ignore keys the target doesn't
// know about.
var rawProfiles rawProfilesBlock
if err := yaml.Unmarshal(b, &rawProfiles); err != nil {
return nil, fmt.Errorf("parse profiles: %w", err)
}
reg, err := buildProfileRegistry(rawProfiles)
if err != nil {
return nil, fmt.Errorf("profiles: %w", err)
}
c.Profiles = reg
if c.Server.Bind == "" {
c.Server.Bind = "127.0.0.1:8080"
}
if c.Database.Path == "" {
c.Database.Path = "./var/vetting.db"
}
if c.Artifacts.Dir == "" {
c.Artifacts.Dir = "./var/artifacts"
}
if c.Logs.Dir == "" {
c.Logs.Dir = "./var/logs"
}
if c.Dispatcher.MaxConcurrentRuns == 0 {
c.Dispatcher.MaxConcurrentRuns = 3
}
// Default the agent asset dir alongside the database file so upgrades
// from configs predating the agent.asset_dir field pick up a sensible
// location automatically — install.sh creates exactly this directory
// and drops vetting-agent-linux-amd64 into it, so /assets/* serves
// without the operator having to touch vetting.yaml.
if c.Agent.AssetDir == "" {
c.Agent.AssetDir = filepath.Join(filepath.Dir(c.Database.Path), "assets")
}
return &c, nil
}
Reference in New Issue View Git Blame Copy Permalink