feat: add structured logging, process watchdog, and systemd hardening

- Add lib/logger.js: timestamped structured logging with 5MB x 5 file rotation - Add lib/watchdog.js: generic child process supervisor with rate-limited restarts - Enhance client.js: WS ping/pong liveness detection, uncaughtException/unhandledRejection handlers, systemd sd-notify integration - Refactor frpc.js: FrpcManager now delegates to Watchdog instead of manual spawn/exit - Enhance install.sh: environment file, log directory, systemd resource limits, security hardening, WatchdogSec=60 - Replace all console.log/warn/error with structured logger across modules Made-with: Cursor
2026-03-16 07:31:19 +08:00
parent 42d1d361dc
commit b3770d21d4
9 changed files with 545 additions and 149 deletions
--- a/install.sh
+++ b/install.sh
@@ -30,6 +30,8 @@ info "Node.js $NODE_VER ✓"

 # ── 安装 clawd ───────────────────────────────────────────────────────────────
 INSTALL_DIR="/opt/clawd"
+CONFIG_DIR="/etc/clawd"
+ENV_FILE="$CONFIG_DIR/env"
 info "安装到 $INSTALL_DIR ..."

 mkdir -p "$INSTALL_DIR"
@@ -43,7 +45,6 @@ if command -v git &>/dev/null; then
    git clone --depth=1 https://github.com/stswangzhiping/clawd.git .
  fi
 else
-  # 无 git 时用 curl 下载 tarball
  TARBALL_URL="https://github.com/stswangzhiping/clawd/archive/refs/heads/main.tar.gz"
  curl -fsSL "$TARBALL_URL" | tar -xz --strip-components=1
 fi
@@ -58,10 +59,11 @@ chmod +x "$INSTALL_DIR/bin/clawd.js"

 info "clawd 已安装到 /usr/local/bin/clawd ✓"

-# ── 创建配置目录 ──────────────────────────────────────────────────────────────
-mkdir -p /etc/clawd
-if [ ! -f /etc/clawd/config.json ]; then
-  cat > /etc/clawd/config.json <<EOF
+# ── 创建配置目录 + 环境变量文件 ──────────────────────────────────────────────
+mkdir -p "$CONFIG_DIR"
+
+if [ ! -f "$CONFIG_DIR/config.json" ]; then
+  cat > "$CONFIG_DIR/config.json" <<EOF
 {
  "server": "wss://claw.cutos.ai/ws",
  "claw_id": null,
@@ -69,10 +71,27 @@ if [ ! -f /etc/clawd/config.json ]; then
  "heartbeat_interval": 30
 }
 EOF
-  info "配置文件已创建：/etc/clawd/config.json ✓"
+  info "配置文件已创建：$CONFIG_DIR/config.json ✓"
 fi

-# ── 创建 systemd service ──────────────────────────────────────────────────────
+if [ ! -f "$ENV_FILE" ]; then
+  cat > "$ENV_FILE" <<EOF
+# clawd 环境变量（systemd EnvironmentFile）
+# 日志级别: debug / info / warn / error
+CLAWD_LOG_LEVEL=info
+# 是否写日志文件（0=仅 journald）
+CLAWD_LOG_FILE=1
+# 自定义服务器地址（留空则读 config.json）
+# CLAWD_SERVER=wss://claw.cutos.ai/ws
+EOF
+  info "环境变量文件已创建：$ENV_FILE ✓"
+fi
+
+# ── 创建日志目录 ─────────────────────────────────────────────────────────────
+mkdir -p "$CONFIG_DIR/logs"
+info "日志目录：$CONFIG_DIR/logs ✓"
+
+# ── 创建 systemd service ────────────────────────────────────────────────────
 NODE_BIN=$(command -v node)
 SERVICE_FILE="/etc/systemd/system/clawd.service"

@@ -85,18 +104,61 @@ Wants=network-online.target

 [Service]
 Type=simple
+EnvironmentFile=$ENV_FILE
 ExecStart=$NODE_BIN $INSTALL_DIR/bin/clawd.js
+WorkingDirectory=$INSTALL_DIR
+
+# 重启策略
 Restart=always
 RestartSec=5
+StartLimitIntervalSec=300
+StartLimitBurst=10
+
+# 优雅停止（10s 内 SIGTERM，超时 SIGKILL）
+TimeoutStopSec=10
+KillMode=mixed
+KillSignal=SIGTERM
+
+# 资源限制（防止失控）
+MemoryMax=256M
+CPUQuota=50%
+TasksMax=64
+
+# 安全加固
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=$CONFIG_DIR /tmp
+
+# 日志
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=clawd

+# systemd Watchdog（60s 无响应视为挂死）
+WatchdogSec=60
+
 [Install]
 WantedBy=multi-user.target
 EOF

-# ── 启用并启动 ─────────────────────────────────────────────────────────────────
+info "systemd 服务文件已创建 ✓"
+
+# ── journald 日志限制（可选） ────────────────────────────────────────────────
+JOURNAL_CONF="/etc/systemd/journald.conf.d/clawd.conf"
+if [ ! -f "$JOURNAL_CONF" ]; then
+  mkdir -p /etc/systemd/journald.conf.d
+  cat > "$JOURNAL_CONF" <<EOF
+# clawd journald 限制
+[Journal]
+SystemMaxUse=100M
+MaxFileSec=7day
+EOF
+  systemctl restart systemd-journald 2>/dev/null || true
+  info "journald 日志限制已配置 ✓"
+fi
+
+# ── 启用并启动 ──────────────────────────────────────────────────────────────
 systemctl daemon-reload
 systemctl enable clawd
 systemctl restart clawd
@@ -105,10 +167,14 @@ sleep 2
 if systemctl is-active --quiet clawd; then
  info "clawd 服务运行中 ✓"
  echo ""
-  echo "  查看日志：journalctl -u clawd -f"
-  echo "  查看状态：systemctl status clawd"
-  echo "  停止服务：systemctl stop clawd"
+  echo "  查看日志：  journalctl -u clawd -f"
+  echo "  查看状态：  systemctl status clawd"
+  echo "  停止服务：  systemctl stop clawd"
+  echo "  配置文件：  $CONFIG_DIR/config.json"
+  echo "  环境变量：  $ENV_FILE"
+  echo "  文件日志：  $CONFIG_DIR/logs/clawd.log"
  echo ""
 else
-  warn "服务启动失败，请检查日志：journalctl -u clawd -n 30"
+  warn "服务启动失败，请检查日志："
+  echo "  journalctl -u clawd -n 50 --no-pager"
 fi