diff --git a/docs/SERVICE_CATALOG.md b/docs/SERVICE_CATALOG.md
index 09572fc..8f25d21 100644
--- a/docs/SERVICE_CATALOG.md
+++ b/docs/SERVICE_CATALOG.md
@@ -74,7 +74,7 @@ Secret-Werte sind nicht enthalten. Es werden nur Secret-Namen, Env-Key-Namen und
 | Service | Zweck | Autoritativer Pfad | URL / Zugang | Abhaengigkeiten | Datenpfade | Backup / Restore | Traefik | Besonderheiten / TODOs |
 |---|---|---|---|---|---|---|---|---|
-| `posture-check` | Host-Posture-Audit fuer Filesystem, Mover-Drift, NVMe-SMART und Fuellstand | `services/posture-check/posture-check.sh` | Unraid User-Script / Cron / Borg Pre-Hook | `findmnt`, `df`, `nvme`, optional `curl` fuer ntfy | `/mnt/user/services/posture-check/last.json` | Repo-Skript + letzter JSON-Status | nein | Muss auf dem Unraid-Host bei Boot, stuendlich und vor Borg laufen; Warning/Critical alarmieren via ntfy |
+| `posture-check` | Host-Posture-Audit fuer Filesystem, Mover-Drift, NVMe-SMART und Fuellstand | `services/posture-check/posture-check.sh` | Unraid User-Script / Cron / Borg Pre-Hook | `findmnt`, `df`, `nvme`, optional `curl` fuer ntfy | `/mnt/user/services/posture-check/last.json` | Repo-Skript + letzter JSON-Status | nein | Muss auf dem Unraid-Host bei Boot, stuendlich und vor Borg laufen; `ALLOW_DISK1_NTFS=1` ist die dokumentierte Uebergangsausnahme bis Disk1-Migration Phase 2; Warning/Critical alarmieren via ntfy |
 ## Backup- und Restore-Hinweise
diff --git a/services/posture-check/posture-check.sh b/services/posture-check/posture-check.sh
index 6cb5633..d89cf73 100755
--- a/services/posture-check/posture-check.sh
+++ b/services/posture-check/posture-check.sh
@@ -7,6 +7,7 @@ WARNING_TOPIC="${WARNING_TOPIC:-kallilab-warning}"
 CRITICAL_TOPIC="${CRITICAL_TOPIC:-kallilab-critical}"
 SEND_NTFY="${SEND_NTFY:-1}"
 TMP_DIR="${TMP_DIR:-/tmp/kallilab-posture-check}"
+ALLOW_DISK1_NTFS="${ALLOW_DISK1_NTFS:-1}"
 mkdir -p "$TMP_DIR"
 RESULTS_FILE="$TMP_DIR/results.$$"
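Review bot: `ALLOW_DISK1_NTFS` defaults to `1` in the posture-check.sh header hunk, so the relaxed Disk1 policy applies on every run (boot, cron, Borg pre-hook) unless someone sets it back to `0` after the migration. For an exception the catalog calls transitional, a strict default with the override set where the script is scheduled keeps the audit honest: `ALLOW_DISK1_NTFS="${ALLOW_DISK1_NTFS:-0}"`. If the default has to stay on for now, a comment above the line naming the removal condition, such as `# TODO: set default to 0 after Disk1 migration phase 2`, would make the cleanup harder to forget.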
@@ -64,15 +65,22 @@ check_fstype() {
 check_no_ntfs_on_core_mounts() {
 local hits
+ local pattern="^/mnt/(cache|disk1)(/|$)"
 if ! command -v findmnt >/dev/null 2>&1; then
 add_result "warning" "no_ntfs_core_mounts" "Cannot check NTFS mounts because findmnt is missing"
 return
 fi
- hits="$(findmnt -rn -o TARGET,FSTYPE 2>/dev/null | awk '$1 ~ "^/mnt/(cache|disk1)(/|$)" && ($2 == "ntfs3" || $2 == "fuseblk") { print $1 ":" $2 }' | paste -sd ',' -)"
+ if [ "$ALLOW_DISK1_NTFS" = "1" ]; then
+ pattern="^/mnt/cache(/|$)"
+ fi
+
+ hits="$(findmnt -rn -o TARGET,FSTYPE 2>/dev/null | awk -v pattern="$pattern" '$1 ~ pattern && ($2 == "ntfs3" || $2 == "fuseblk") { print $1 ":" $2 }' | paste -sd ',' -)"
 if [ -n "$hits" ]; then
 add_result "critical" "no_ntfs_core_mounts" "NTFS-like filesystem on core mount: $hits"
+ elif [ "$ALLOW_DISK1_NTFS" = "1" ]; then
+ add_result "warning" "no_ntfs_core_mounts" "No NTFS on /mnt/cache; /mnt/disk1 NTFS is temporarily allowed until Disk1 phase 2 migration"
 else
 add_result "ok" "no_ntfs_core_mounts" "No ntfs3/fuseblk mounts below /mnt/cache or /mnt/disk1"
 fi
@@ -102,6 +110,10 @@ check_inode_usage() {
 add_result "warning" "$name" "Cannot read inode usage for $path"
 return
 fi
+ if ! printf '%s' "$use_percent" | grep -Eq '^[0-9]+$'; then
+ add_result "warning" "$name" "$path inode usage unavailable (${use_percent:-unknown})"
+ return
+ fi
 if [ "$use_percent" -lt "$max_percent" ]; then
 add_result "ok" "$name" "$path inode usage ${use_percent}%"
@@ -246,7 +258,11 @@ main() {
 need_cmd awk || true
 check_fstype "/mnt/cache" "xfs" "critical" "cache_fstype"
- check_fstype "/mnt/disk1" "xfs" "critical" "disk1_fstype"
+ if [ "$ALLOW_DISK1_NTFS" = "1" ]; then
+ check_fstype "/mnt/disk1" "ntfs3" "warning" "disk1_fstype"
+ else
+ check_fstype "/mnt/disk1" "xfs" "critical" "disk1_fstype"
+ fi
 check_no_ntfs_on_core_mounts
 check_mover_drift
 check_inode_usage "/mnt/cache" 80 "cache_inode_usage"
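Review bot: In `check_no_ntfs_on_core_mounts`, the new `elif` branch records a `warning` on every clean run while `ALLOW_DISK1_NTFS=1`, whether or not `/mnt/disk1` is actually NTFS, so the result no longer reflects the host state. Tying the branch to the real mount keeps it meaningful: `elif [ "$ALLOW_DISK1_NTFS" = "1" ] && findmnt -rn -o FSTYPE -M /mnt/disk1 2>/dev/null | grep -Eq '^(ntfs3|fuseblk)$'; then`. The narrowed pattern `^/mnt/cache(/|$)` also drops every mount below `/mnt/disk1` from the scan, not only the disk root, which is wider than the documented exception. If warnings are forwarded to ntfy on each hourly run, as the catalog entry suggests, the unconditional warning would also repeat hourly; how `add_result` notifies is outside this hunk, so that part is an inference.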
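Review bot: The numeric guard added to `check_inode_usage` lets `grep` match line by line, so a multi-line `use_percent` containing one numeric line passes and still reaches `[ "$use_percent" -lt "$max_percent" ]`. A `case` test checks the whole value and needs no extra process: `case "$use_percent" in ''|*[!0-9]*) add_result "warning" "$name" "$path inode usage unavailable (${use_percent:-unknown})"; return ;; esac`. A short comment saying which filesystems are expected to yield a non-numeric value would help; the code that fills `use_percent` is outside the hunk, so the cause is not visible here.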
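Review bot: In `main`, with `ALLOW_DISK1_NTFS=1` the call `check_fstype "/mnt/disk1" "ntfs3" "warning" "disk1_fstype"` makes NTFS the expected filesystem instead of a tolerated one. Assuming `check_fstype` reports its third argument on any mismatch (its body is outside this hunk), a disk already migrated to xfs would be flagged, an NTFS disk would report ok, and any other unexpected filesystem on `/mnt/disk1` would be downgraded from `critical` to `warning`. The exception is narrower if xfs stays the expectation and only an actual ntfs3 mount is downgraded while the flag is set, as sketched below.

```shell
  # … unchanged: need_cmd checks, cache_fstype check …
  local disk1_fstype
  disk1_fstype="$(findmnt -rn -o FSTYPE -M /mnt/disk1 2>/dev/null)" || disk1_fstype=""
  if [ "$ALLOW_DISK1_NTFS" = "1" ] && [ "$disk1_fstype" = "ntfs3" ]; then
    # Transitional exception: NTFS on disk1 is tolerated, not expected.
    add_result "warning" "disk1_fstype" "/mnt/disk1 is ntfs3; tolerated until Disk1 phase 2 migration"
  else
    check_fstype "/mnt/disk1" "xfs" "critical" "disk1_fstype"
  fi
  # … unchanged: remaining checks …
```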