Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

boc deploy

v1.0.1

Deployment tool for the BoCloud (博云) BOC container platform. It generates the configuration file automatically from the deployment plan and runs the deployment. Use case: when the user needs to deploy the BOC container platform, including generating config.yaml, running bocctl run, and monitoring deployment status.

by Rick@hongruiji

Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hongruiji/boc-deploy.

Prompt (Install & Setup):

Install the skill "boc deploy" (hongruiji/boc-deploy) from ClawHub.
Skill page: https://clawhub.ai/hongruiji/boc-deploy
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install boc-deploy

ClawHub CLI:

npx clawhub@latest install boc-deploy
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability [flagged]
The SKILL.md describes generating config.yaml, uploading it to the deploy host, and running bocctl/nerdctl/ansible/kubectl commands — all coherent with a deployment tool. However, the registry metadata claims no required binaries or env vars, while the instructions clearly rely on system tools (ssh/scp/nerdctl/bocctl/kubectl/nohup/ansible). The missing declarations are an inconsistency.

Instruction Scope [flagged]
Instructions ask the agent to collect SSH credentials (ssh_password), generate a config.yaml that includes node credentials, upload it to /root/config.yaml on the deployment host, and run long-lived deployment commands. This requires handling sensitive secrets and remote access; the SKILL.md does not specify how SSH/upload is performed or how secrets are protected. The scope is otherwise limited to deployment steps, but secret handling and unspecified remote execution are security-relevant gaps.

Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write or execute bundled code on disk. That lowers install-time risk.

Credentials [flagged]
The skill requires sensitive inputs at runtime (SSH username/password and per-node credentials), which is proportional to performing an automated installation, but the skill provides no guidance for secure handling (e.g., prefer SSH keys, avoid embedding plaintext in logs), and the metadata does not declare these as required secrets or provide secure-storage hooks. Generating and uploading a config containing passwords to /root/config.yaml can expose credentials if not handled carefully.

Persistence & Privilege
The skill is not always-enabled and is instruction-only; it does not request persistent privileges or modify other skills or global agent settings. Autonomous invocation is allowed but is the platform default and not by itself flagged.
What to consider before installing

This skill appears to be a straightforward deployment recipe for the BOC container platform, but there are gaps you should consider before using it:

- The SKILL.md expects tools like ssh/scp, nerdctl, bocctl, kubectl and ansible on the machine(s) it runs against, but the package metadata lists no required binaries — verify your environment has these installed.
- You will be asked to provide SSH usernames and plaintext passwords. Prefer using SSH key-based auth and avoid supplying root passwords to untrusted skills. If you must provide passwords, ensure the agent will not log or leak them and remove the uploaded config.yaml after use.
- The skill instructs uploading a config file to /root/config.yaml containing node credentials. That is typical for automated installs but increases risk if the deployment host is shared or compromised; review and harden access to the deployment host, and consider storing secrets in a vault instead.
- There is no source or homepage and the owner is unknown; treat the skill as unvetted. If possible, obtain the official deployment playbooks directly from your vendor or run these steps manually or from a vetted automation repository.

If you decide to proceed: run in a controlled environment, use key-based SSH, avoid giving unnecessary credentials, inspect the generated config.yaml before uploading, and monitor logs for accidental credential leakage.


Latest version id: vk978qcxyb96ygwpqrsmfnymv4583p99c
134 downloads
0 stars
2 versions
Updated 1mo ago
v1.0.1
License: MIT-0

BOC Container Platform Deployment

Automates the deployment phase of the BOC container platform (config file generation → deployment execution → status verification).

Input Parameters

Parameter | Description | Required | Example
deploy_server_ip | Deploy host IP | | 10.50.6.181
ssh_port | SSH port | | 22
ssh_user | SSH username | | root
ssh_password | SSH password | | Password
ci_ip | CI node IP | | 10.50.6.182
node_ips | BOC node IP list (comma-separated) | | 10.50.6.183,10.50.6.184,10.50.6.185
master_vip | K8s master VIP | | 10.50.6.186
cni_type | CNI type | | ipip (default) or bgp
k8s_version | Kubernetes version | | 1.33.1 (default)

Node Roles

Role | Description
deploy_server | Deploy host
pipeline | CI node
chartmuseum | Chart repository
docker_registry | Docker image registry
nfs_server | NFS storage
master | K8s master node
etcd | etcd node
db | Database node
node | K8s worker node

Workflow

1. Confirm that bocctl init has completed

Verification: run the following command on the deploy host to check container status:

nerdctl -n k8s.io ps -a

Expected result: two running containers should be listed

  • yum_registry - running
  • bocloud_deploy_registry_k8s - running

If the containers are not running, initialize first with the boc-init skill:

cd /opt/BOC_k8s_noarch
./bocctl init

2. Generate the configuration file

Generate config.yaml from the input parameters; it contains:

  • Node configuration (IP, port, user, password, role)
  • VIP configuration
  • NFS configuration
  • Container runtime configuration
  • Kubernetes version
  • Database configuration
  • Network configuration (calico ipip/bgp)
  • BOC Portal component configuration

Example configuration files

HA deployment example: /opt/BOC_k8s_noarch/playbooks/examples/config/install_portal_HA.yaml
ALL-IN-ONE deployment example: /opt/BOC_k8s_noarch/playbooks/examples/config/install_portal_allinone.yaml

3. Upload the configuration file to the deploy host

Upload the generated config.yaml to /root/config.yaml on the deploy host.

4. Run the deployment

cd /opt/BOC_k8s_noarch
nohup ./bocctl run -a install -c /root/config.yaml > log/bocctl.log 2>&1 &

The deployment takes roughly 40-60 minutes.

5. Monitor the deployment

Check progress every 5 minutes:

# Count the running bocctl/ansible processes
ps aux | grep -E "bocctl|ansible" | grep -v grep | wc -l

# View the log
tail -100 /opt/BOC_k8s_noarch/log/bocctl.log

6. Verify the result

Verify by connecting directly to a master node

# Connect to a master node directly from the local machine
ssh root@<master node IP>

# Check node status
kubectl get nodes

# Check Pod status
kubectl get pods -A

Expected result

  • All nodes are in the Ready state
  • All Pods are in the Running state

7. Access the BOC Portal

Open in a browser:

http://<master_vip>:30001

Common service ports

Service | Address
BOC Portal | http://<master_vip>:30001
K8s API Server | https://<master_vip>:6443
Grafana | http://<master_vip>:30902
Prometheus | http://<master_vip>:30909
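As an added example (not part of the skill or of the BoCloud tooling), the following Python script implements two checks that the workflow above and the scan findings call for: it parses captured `nerdctl -n k8s.io ps -a` output to confirm the two bocctl init containers are up (step 1), and it redacts password-like keys in the generated config.yaml and scans the bocctl.log tail for echoed secrets before the file is uploaded or the log is shared (steps 2 and 5). The ps output, the config keys and the log lines are constructed samples; the real config.yaml schema is not shown on this page, and the key names are assumed.

```python
import re
# Constructed sample of `nerdctl -n k8s.io ps -a` output (not captured from a real host).
SAMPLE_PS = """\
CONTAINER ID    IMAGE        COMMAND            CREATED        STATUS        NAMES
1a2b3c4d5e6f    yum:latest   "/bin/sh"          2 hours ago    Up 2 hours    yum_registry
6f5e4d3c2b1a    registry:2   "/entrypoint.sh"   2 hours ago    Up 2 hours    bocloud_deploy_registry_k8s
"""
REQUIRED_CONTAINERS = ("yum_registry", "bocloud_deploy_registry_k8s")
# Constructed config.yaml fragment; the key names are assumed, the real schema is not on this page.
SAMPLE_CONFIG = """\
nodes:
  - ip: 10.50.6.183
    user: root
    password: Demo-Passw0rd!
"""
# Constructed bocctl.log lines in which a failed task echoes the password.
SAMPLE_LOG = """\
TASK [Configure ssh trust] ****
fatal: [10.50.6.184]: FAILED! => sshpass -p Demo-Passw0rd! ssh root@10.50.6.184
"""
SECRET_KEY = re.compile(r"^(\s*-?\s*)(\w*(?:password|passwd|secret)\w*)(\s*:\s*)(.+?)\s*$", re.I)

def init_containers_missing(ps_output):
    """Step 1 check: required containers that are absent or not in an 'Up' state."""
    running = set()
    for line in ps_output.splitlines()[1:]:          # skip the header row
        name = re.split(r"\s{2,}", line.strip())[-1]  # NAMES is the last column
        if name in REQUIRED_CONTAINERS and re.search(r"\bUp\b", line):
            running.add(name)
    return [c for c in REQUIRED_CONTAINERS if c not in running]

def redact_config(config_text):
    """Mask values of password-like keys so the file can be reviewed or logged safely."""
    out = []
    for line in config_text.splitlines():
        m = SECRET_KEY.match(line)
        out.append(f"{m.group(1)}{m.group(2)}{m.group(3)}***" if m else line)
    return "\n".join(out)

def collect_secrets(config_text):
    # Plaintext secret values from the config, used to scan the log for echoes.
    return {m.group(4) for m in map(SECRET_KEY.match, config_text.splitlines()) if m}

def find_secret_leaks(log_text, secrets):
    """Return (line_no, masked_line) for every log line that echoes a secret value."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if any(s in line for s in secrets):
            masked = re.sub("|".join(map(re.escape, secrets)), "***", line)
            hits.append((n, masked))
    return hits
```

Run `redact_config` over the generated file before showing it to anyone, and feed the `tail -100` output from step 5 through `find_secret_leaks` with the secrets collected from the unredacted config.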

Usage example

Use boc-deploy to deploy the BOC container platform:
- Deploy host IP: 10.50.6.181
- SSH user: root
- SSH password: Password
- CI node IP: 10.50.6.182
- BOC node IPs: 10.50.6.183,10.50.6.184,10.50.6.185
- VIP: 10.50.6.186
- CNI type: ipip

Output

  • Config file generation status
  • Deployment execution status
  • Tail of the deployment log
  • Verification results:
    • Node status
    • Pod status (all Pods should be Running)

Notes

  1. The deploy host must be initialized first (with the boc-init skill); confirm the nerdctl containers are running
  2. Make sure all nodes can reach each other over the network
  3. The deployment takes a long time; run it in the background
  4. Verify the status of all Pods after the deployment completes
  5. If the deploy host cannot SSH to the master node, connect directly from the local machine to verify

FAQ

Q: Deployment completed but the K8s nodes cannot be reached

A: SSH trust between the nodes may not have been configured yet; connect to the master node directly from the local machine with the password to verify

Q: Pod status is not Running

A: Inspect the specific Pod: kubectl describe pod <pod-name> -n <namespace>

Q: BOC Portal cannot be accessed

A: Check whether the kube-proxy and bocloud components are running normally
