From 19a31ec4c4f8044839b6752513b99280363652ac Mon Sep 17 00:00:00 2001 From: Mike-Swanson Date: Sun, 24 May 2026 09:33:07 -0700 Subject: [PATCH] sync: auto-sync from GURU-KALI at 2026-05-24 09:33:07 Author: Mike Swanson Machine: GURU-KALI Timestamp: 2026-05-24 09:33:07 --- .claude/machines/guru-kali.md | 18 ++- session-logs/2026-05-24-session.md | 224 +++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 2 deletions(-) create mode 100644 session-logs/2026-05-24-session.md diff --git a/.claude/machines/guru-kali.md b/.claude/machines/guru-kali.md index 266ac57..dc9165e 100644 --- a/.claude/machines/guru-kali.md +++ b/.claude/machines/guru-kali.md @@ -25,13 +25,15 @@ | Python | 3.13.12 | | Node.js | v24.15.0 / npm 11.12.1 | | Go | installed | +| Rust | 1.95.0 (rustc + cargo via rustup, `~/.cargo`) — added 2026-05-24 | | Git | 2.53.0 | | sops | 3.13.1 (`~/.local/bin/sops`) | | psql | 18.3 | | mysql/mariadb client | 11.8.6 | | nmap | 7.99 (Kali security tooling) | +| GuruRMM build dev libs | libgtk-3-dev, libayatana-appindicator3-dev, libxdo-dev, libssl-dev, pkg-config (for agent + tray builds) — added 2026-05-24 | | NVIDIA driver | nouveau (open-source) — NO proprietary driver / CUDA | -| jq / gh / docker / cargo / rustc / age / op / grepai / ollama | NOT installed | +| jq / gh / docker / age / op / grepai / ollama | NOT installed | --- @@ -54,6 +56,11 @@ nouveau). See `.claude/OLLAMA.md`. - **Vault:** /home/guru/vault (SOPS + age, decryption verified working) - **Age key:** `~/.config/sops/age/keys.txt` (mode 600), recipient #1 `age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr` +- **Privileges:** guru in `sudo` group; **passwordless sudo enabled** + (`/etc/sudoers.d/guru-nopasswd`, 2026-05-24) — Claude can run privileged ops. +- **GuruRMM clone:** `/home/guru/gururmm` (canonical server-side path) — builds + agent + tray locally with cargo; also an enrolled managed agent (id `a73ba38e`, + systemd `gururmm-agent.service`). --- 
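Review bot: the new privileges bullet in hunk `@@ -54,6 +56,11 @@` records that passwordless sudo is enabled (`/etc/sudoers.d/guru-nopasswd`) but not what the rule grants. The machine doc should carry the exact sudoers line (is it `NOPASSWD: ALL` or a command allowlist?) and the `visudo -cf /etc/sudoers.d/guru-nopasswd` check that was run, because the same hunk lists the vault age private key at `~/.config/sops/age/keys.txt` (mode 600) as the guru user. With NOPASSWD sudo every process running as guru, including the tooling the bullet says will use it, is effectively root, so the 600 mode is no longer a boundary between that tooling and the vault key; one sentence next to the bullet saying so would stop a reader of the fleet docs from treating the key file mode as protection on this box.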
@@ -83,11 +90,13 @@ Verified 2026-05-24: coord API `172.16.3.30:8001` -> HTTP 200, remote Ollama - [x] coord API / DB reachable (via Tailscale subnet route 172.16.0.0/22) - [x] Tailscale (100.75.148.91) - [x] Tier 0 remote Ollama reachable over Tailscale (100.92.127.64) +- [x] Rust toolchain (1.95.0) + GuruRMM agent/tray build deps (GTK/appindicator/openssl) +- [x] Passwordless sudo (guru) +- [x] Enrolled GuruRMM managed agent (id a73ba38e, systemd service) - [ ] Ollama LOCAL (not installed — would add offline Tier 0) - [ ] GrepAI semantic search (not installed) - [ ] 1Password CLI (op not installed) - [ ] NVIDIA CUDA compute (nouveau driver — no CUDA) -- [ ] Rust toolchain (cargo/rustc missing — blocks local GuruRMM builds) - [ ] Docker --- @@ -103,3 +112,8 @@ Verified 2026-05-24: coord API `172.16.3.30:8001` -> HTTP 200, remote Ollama - Onboarding (`LINUX_PC_ONBOARDING.md`) status: /sync OK, vault OK, identity OK, Tailscale OK; PENDING — local Ollama (optional), GrepAI, 1Password CLI. - 2026-05-24: chose Tailscale-only for now; local Ollama + NVIDIA driver deferred. +- 2026-05-24: set up as the **GuruRMM Linux dev/test box** — Rust + GTK build env, + `gururmm` cloned, enrolled agent runs the new Linux tray (Unix-socket IPC + GTK) + build. See gururmm PR #13 (`feat/linux-tray-ipc`). The systemd unit was patched + locally with `RuntimeDirectory=gururmm`; service runs an unsigned local build + until the PR merges and the pipeline ships a signed agent. diff --git a/session-logs/2026-05-24-session.md b/session-logs/2026-05-24-session.md new file mode 100644 index 0000000..8ba87d6 --- /dev/null +++ b/session-logs/2026-05-24-session.md 
@@ -0,0 +1,224 @@ +# Session Log — 2026-05-24 + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-KALI +- **Role:** admin +- **Session span:** ~06:30–09:31 MST + +--- + +## Session Summary + +Provisioned GURU-KALI (Lenovo Legion Pro 5, Kali rolling) for full ClaudeTools/GuruRMM +work and then implemented Linux support for the GuruRMM agent tray, testing it end to +end on this machine. + +First half was machine onboarding. The SOPS vault was not present locally, so the vault +repo was cloned to `/home/guru/vault`; `sops` 3.13.1 was installed to `~/.local/bin` +(checksum-verified), the age key directory was created, and after the user supplied the +age private key, vault decryption was verified working. Tailscale was then installed — +this machine was off the company LAN (wifi 10.2.x) with no path to internal services, so +coord API, the internal DB, and the remote Ollama were all unreachable. After +`tailscale up --accept-routes`, pfSense-2's advertised `172.16.0.0/22` subnet route made +`172.16.3.30` reachable; coord API and remote Ollama were both confirmed (HTTP 200). A +per-machine spec was written to `.claude/machines/guru-kali.md` following the existing +fleet convention (the first attempt created a wrong-location `.claude/MACHINES.md`, which +was removed after the user pointed to the existing `.claude/machines/` + `LINUX_PC_ONBOARDING.md`). + +Second half was the GuruRMM Linux tray. The active repo was cloned to `/home/guru/gururmm`. +The parity matrix in `.claude/CODING_GUIDELINES.md` confirmed the gap: IPC/tray was +`[OK]` on Windows, `[GAP]` on Linux/macOS (a `cfg(not(windows))` no-op). After installing +the Rust toolchain (rustup, missing) and GTK/appindicator/openssl dev libs, a Coding Agent +implemented: a real Unix-domain-socket IPC server in the agent (transport-agnostic handler +shared with the Windows named pipe), the tray's Unix-socket client, and a Linux GTK +main-loop run path (winit does not pump libappindicator on Linux). 
Code Review returned +APPROVE WITH NITS; H1 (socket-dir hardening) was fixed in-diff, H2 (policy gating + Denied) +partly closed, and M2/M3 applied. + +The tray was verified live in the XFCE panel. Running the agent under the systemd service +surfaced a real deployment bug: `ProtectSystem=strict` with only `/var/log` writable made +`/run` read-only in the sandbox, so the agent could not create its socket. Fixed by adding +`RuntimeDirectory=gururmm` to the unit (both on this machine and in the agent's unit +template in `main.rs`). With the fix, the enrolled agent (this machine was already enrolled, +id `a73ba38e`) authenticated, served the socket, and the tray showed the green "Connected" +icon. XDG autostart + best-effort installer wiring were added. Work landed on branch +`feat/linux-tray-ipc` as PR #13 (not merged — branch+PR was chosen to avoid triggering the +fleet build pipeline). + +--- + +## Key Decisions + +- **Tailscale-only (not local Ollama) for onboarding now.** Tailscale restored coord API + + DB + remote Ollama in one step; local Ollama deferred (GPU is on nouveau, needs proprietary + driver + reboot for accel). +- **Passwordless sudo enabled for `guru`** (`/etc/sudoers.d/guru-nopasswd`) per user choice, + so privileged steps (apt, systemd, /run) run without per-command prompts. +- **Branch + PR, not push to main.** Pushing to `main` triggers the webhook build pipeline + and a fleet-wide stable-channel auto-update of the agent; a PR keeps it reviewable. +- **`cfg(unix)` for the socket IPC, `cfg(target_os="linux")` for GTK** (per platform-parity + standard) — the Unix-socket IPC advances macOS for free; macOS tray launch left as + `TODO(platform)`. +- **`RuntimeDirectory=gururmm` over loosening ProtectSystem** — the systemd-native, minimal + way to give the agent a writable `/run/gururmm` for its socket. 
+- **Tray policy left as-is** — the server already pushes this agent `enabled=true` + (with `allow_view_logs=false`), so "show the tray for this machine" was already satisfied; + no explicit override added. +- **Ran the agent as root / under systemd, tray as `guru`** — the 0666 socket bridges the + root-owned agent and the non-root user-session tray (Linux equivalent of the Windows + NULL-DACL pipe). + +--- + +## Problems Encountered + +- **Vault sync skipped** — `/home/guru/vault` was not a git repo. Resolved by cloning the + vault repo there. +- **No sops / no age key** — vault clone alone could not decrypt. Installed sops 3.13.1, + created `~/.config/sops/age/`, user supplied the private key; decryption verified. +- **Session not elevated** — assumed elevated but `sudo -n` required a password. Resolved by + the user enabling passwordless sudo. +- **Tailscale not in Kali apt** — used the official `install.sh` (it explicitly maps `kali`). +- **Wrong machine-doc artifact** — created `.claude/MACHINES.md`; the convention is + `.claude/machines/.md`. Removed the stray file, wrote `guru-kali.md`, repointed refs. +- **Rust missing** — installed via rustup (`~/.cargo`). GTK/appindicator/openssl dev libs + installed via apt. +- **Agent panicked on `--help` as `guru`** — it initializes a rolling file logger to + `/var/log/gururmm` (root-only). Runs fine as root. +- **`--config` rejected after `run`** — it is a global flag; correct form is + `gururmm-agent --config run`. +- **IPC socket failed under systemd** (`removing stale agent socket`) — `ProtectSystem=strict` + made `/run` read-only in the sandbox (EROFS). Fixed with `RuntimeDirectory=gururmm`. +- **Screenshot showed a screensaver** (xfce4-screensaver mice on black). Deactivated with + `xfce4-screensaver-command --deactivate` before re-capturing. +- **5.8 GB cgroup "memory" alarm walked back** — actual agent RSS was 32 MB; the figure was + the systemd cgroup peak, not resident memory. 
+ +--- + +## Configuration Changes + +**ClaudeTools repo (`/home/guru/claudetools`):** +- Created `.claude/machines/guru-kali.md` — full machine spec (updated this session with Rust, + GTK build libs, passwordless sudo, gururmm clone, enrolled-agent note). +- `.claude/OLLAMA.md` — added GURU-KALI to the machine table + status note. +- `.claude/CLAUDE.md` — Reference pointer to `.claude/machines/`. +- Removed the mistakenly-created `.claude/MACHINES.md`. +- (Earlier commit `4383f9e` carried the first three; this session's `guru-kali.md` edits sync now.) + +**GuruRMM repo (`/home/guru/gururmm`) — PR #13, branch `feat/linux-tray-ipc`, commit `01fa6c4`:** +- `agent/src/ipc.rs` — Unix-socket IPC server; transport-agnostic shared handler; hardened + socket-dir creation; policy-gated StopAgent/ForceCheckin + `Denied` variant. +- `agent/src/main.rs` — added `RuntimeDirectory=gururmm` + `RuntimeDirectoryMode=0755` to the + generated systemd unit template. +- `agent/scripts/install.sh` — best-effort tray binary download + XDG autostart install. +- `agent/deploy/linux/gururmm-tray.desktop` — new XDG autostart entry. +- `tray/Cargo.toml` — gtk/glib 0.18 under linux cfg; tokio `net` for unix; winit gated to non-linux. +- `tray/src/ipc.rs` — Unix-socket client + capped exponential backoff; dropped redundant GetStatus. +- `tray/src/tray.rs` — Linux GTK main-loop run path; Linux ViewLogs branch. + +**Machine-level (GURU-KALI, not in any repo):** +- `/etc/sudoers.d/guru-nopasswd` — passwordless sudo for guru. +- `~/.local/bin/sops` (3.13.1), `~/.config/sops/age/keys.txt` (age private key, mode 600). +- `/home/guru/vault` (vault repo clone), `/home/guru/gururmm` (gururmm repo clone). +- Rust via rustup (`~/.cargo`); apt: libgtk-3-dev, libayatana-appindicator3-dev, libxdo-dev, + libssl-dev, pkg-config, build-essential. +- Tailscale installed; `tailscale up --accept-routes`. +- `/etc/systemd/system/gururmm-agent.service` — patched with `RuntimeDirectory=gururmm`. 
+- Deployed local dev builds to `/usr/local/bin/gururmm-agent` and `/usr/local/bin/gururmm-tray`; + `/etc/xdg/autostart/gururmm-tray.desktop` installed. + +--- + +## Credentials & Secrets + +- **age private key** at `~/.config/sops/age/keys.txt` (mode 600) — public key + `age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr` (vault recipient #1). + Supplied by the user this session; matches the vault's first `.sops.yaml` recipient. +- **GuruRMM agent api_key** — in `/etc/gururmm/agent.toml` (root, mode 600), real enrolled key + for agent id `a73ba38e-cd02-4331-b8bf-474cd899ec22`. Not transcribed here (already on-machine). +- **Gitea API token** used for PR #13 — from vault `services/gitea.sops.yaml` field `api.api-token` + (whoami = azcomputerguru). No new secrets created. +- `/etc/gururmm/config.toml` — a generated test config with a placeholder api_key + (`your-api-key-here`); not a real credential. + +--- + +## Infrastructure & Servers + +- **GURU-KALI** — Tailscale `100.75.148.91` (mike@); wifi `10.2.209.225/16`. XFCE/X11, `DISPLAY=:0.0`. +- **Coord API / ClaudeTools DB** — `172.16.3.30:8001` (reachable via Tailscale subnet route + `172.16.0.0/22` advertised by pfSense-2 `100.119.153.74`). +- **Remote Ollama** — `100.92.127.64:11434` (DESKTOP-0O8A1RL), 5 models, reachable. +- **GuruRMM server** — `wss://rmm-api.azcomputerguru.com/ws` (agent WS endpoint); dashboard + `https://rmm.azcomputerguru.com`. +- **Gitea** — internal API `http://172.16.3.20:3000` (external `git.azcomputerguru.com` blocks curl/Cloudflare). +- **GuruRMM agent socket** — `/run/gururmm/agent.sock` (srw-rw-rw-, root); created via systemd + `RuntimeDirectory`. Agent logs to `/var/log/gururmm/agent.log`. 
+ +--- + +## Commands & Outputs + +```bash +# Vault + sops +git clone /home/guru/vault +install -m 0755 sops ~/.local/bin/sops # 3.13.1, sha256 verified +bash .claude/scripts/vault.sh list # decryption OK after key placed + +# Tailscale +curl -fsSL https://tailscale.com/install.sh | sh +sudo tailscale up --accept-routes # node 100.75.148.91 +# pfSense-2 advertises 172.16.0.0/22 -> 172.16.3.30 reachable + +# Build env +curl --proto '=https' https://sh.rustup.rs | sh -s -- -y --profile minimal # rust 1.95.0 +sudo apt-get install -y libgtk-3-dev libayatana-appindicator3-dev libxdo-dev libssl-dev pkg-config build-essential + +# Build + run (local cargo, NOT build-agents.sh) +cd /home/guru/gururmm/agent && cargo build # clean (51 pre-existing warnings) +cd /home/guru/gururmm/tray && cargo build # clean +sudo /usr/local/bin/gururmm-agent --config /etc/gururmm/agent.toml run # via systemd after fix +DISPLAY=:0.0 /usr/local/bin/gururmm-tray # tray; green when agent connected + +# Verify tray registration +gdbus call --session --dest org.kde.StatusNotifierWatcher \ + --object-path /StatusNotifierWatcher \ + --method org.freedesktop.DBus.Properties.Get \ + org.kde.StatusNotifierWatcher RegisteredStatusNotifierItems +# -> org/ayatana/NotificationItem/tray_icon_tray_app +``` + +Key log lines: +- `Authentication successful, agent_id: Some(a73ba38e-cd02-4331-b8bf-474cd899ec22)` +- `[INFO] IPC server listening on /var/run/gururmm/agent.sock` +- tray: `Connected to agent` / `Updated status: connected=true` / `Updated policy: enabled=true` +- pre-fix error: `IPC server error: removing stale agent socket` (EROFS under ProtectSystem=strict) + +--- + +## Pending / Incomplete Tasks + +- **PR #13 review/merge** — https://git.azcomputerguru.com/azcomputerguru/gururmm/pulls/13. + Not merged; merging triggers the build pipeline + fleet auto-update. 
+- **Build pipeline must build + publish `gururmm-tray-linux-`** to the downloads dir, and + confirm `install.sh` `TRAY_DOWNLOAD_URL` matches the published name (installer is best-effort until then). +- **Phase-4 IPC hardening (task #10):** SO_PEERCRED on the 0666 socket, real StopAgent/ForceCheckin + enforcement + confirmation dialog (policy gating + Denied are in place; peer-cred + real action deferred). +- **macOS tray launch** (launchd user agent) — untested, `TODO(platform)`. +- **GURU-KALI service** runs an unsigned local dev build with a hand-patched unit; it realigns + when PR #13 merges and the pipeline ships a signed agent. +- **Optional onboarding leftovers:** local Ollama, GrepAI, 1Password CLI not installed. + +--- + +## Reference Information + +- GuruRMM PR: https://git.azcomputerguru.com/azcomputerguru/gururmm/pulls/13 (branch `feat/linux-tray-ipc`, commit `01fa6c4`) +- Agent id (GURU-KALI): `a73ba38e-cd02-4331-b8bf-474cd899ec22` +- Tailscale: GURU-KALI `100.75.148.91`, DESKTOP-0O8A1RL `100.92.127.64`, pfSense-2 `100.119.153.74` +- Repos: claudetools `/home/guru/claudetools`, vault `/home/guru/vault`, gururmm `/home/guru/gururmm` +- Coord lock used: `425f588c-b41d-4d5f-a926-60d3e342c416` (released) +- Machine doc: `.claude/machines/guru-kali.md`; onboarding: `.claude/machines/LINUX_PC_ONBOARDING.md` +- Standards referenced: `.claude/CODING_GUIDELINES.md`, `.claude/standards/gururmm/{platform-parity,build-pipeline,sqlx-migrations}.md`
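Review bot: in the guru-kali.md hunk `@@ -103,3 +112,8 @@`, the note "The systemd unit was patched locally with `RuntimeDirectory=gururmm`; service runs an unsigned local build until the PR merges" describes an in-place edit of `/etc/systemd/system/gururmm-agent.service`, which any later installer or auto-update run that rewrites the unit will silently discard, and "realigns" leaves nobody responsible for checking that it did. Two changes: make the local patch a drop-in (`systemctl edit gururmm-agent`, i.e. a `[Service]` section with `RuntimeDirectory=gururmm` in `/etc/systemd/system/gururmm-agent.service.d/override.conf`) so it survives unit replacement and is removable as a file, and replace the passive wording with an explicit follow-up (after PR #13 merges: reinstall the signed agent and tray, confirm the binaries under `/usr/local/bin` are the pipeline's, drop the override). The checklist hunk `@@ -83,11 +90,13 @@` marks "Enrolled GuruRMM managed agent" as `[x]`; given this note it should be flagged as provisional (unsigned build, hand-patched unit) rather than done.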
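Review bot: in the session-log hunk, the Key Decisions entry "the 0666 socket bridges the root-owned agent and the non-root user-session tray" together with "SO_PEERCRED on the 0666 socket ... deferred" under Pending means the deployed state is a world-connectable socket on a root process whose only gate on StopAgent/ForceCheckin is server-pushed policy. On Linux the right to connect to a stream socket is the write bit on the socket file plus search permission on its directory, and the hunk's `RuntimeDirectoryMode=0755` grants that search bit to everyone, so every local account and any sandboxed process with filesystem access can reach the agent's IPC. Two options that fit in the current PR rather than a later phase: have the agent chown the socket to a dedicated group and chmod it 0660, adding tray users to that group, or call tokio's `UnixStream::peer_cred()` on each accepted connection and feed the uid into the existing policy gating, which is a few lines and lets the agent distinguish the desktop user from anyone else; either way the Pending entry should state the exposure plainly. Three smaller points: the key log line "IPC server listening on /var/run/gururmm/agent.sock" differs from the `/run/gururmm/agent.sock` used in the Infrastructure section and the unit (same file via the `/var/run` symlink, but the agent's log string should use one spelling so fleet-wide grep matches); the Commands block records sops as "sha256 verified" but both `curl --proto '=https' https://sh.rustup.rs | sh` and `curl -fsSL https://tailscale.com/install.sh | sh` ran unverified on a box that now has NOPASSWD sudo, so at least record the versions observed, and prefer Tailscale's signed apt repository over the piped script; and "Agent panicked on `--help` as `guru`" because the rolling file logger opens `/var/log/gururmm` before arguments are parsed is a bug to fix in the agent, not a usage note: initialize logging after argument parsing so `--help` works unprivileged, and treat EACCES on the log directory as an error rather than a panic.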