Update enroll harvest
parent
ca2a278241
commit
06572f140e
1 changed files with 8 additions and 8 deletions
@ -1,6 +1,6 @@
# enroll harvest
Harvest system/service/package/config/user state from a Debian host into a “harvest bundle” (`state.json` plus harvested file artifacts).
Harvest system/service/package/config/user state from a Debian host into a "harvest bundle" (`state.json` plus harvested file artifacts).
---
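Review bot: The commit message "Update enroll harvest" does not say what changed; this hunk (like the rest of the commit) only swaps the typographic quotes around “harvest bundle” for ASCII double quotes, so a message such as `docs: use ASCII quotes in enroll harvest README` would make the intent visible in the log and in blame. Nothing else on the line changed, so the hunk itself is fine.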
@ -44,16 +44,16 @@ Behavior depends on whether you’re in **plain** or **SOPS** mode:
- **SOPS mode (`--sops ...`)**
- `--out` may be:
- a **directory** → the file `harvest.tar.gz.sops` is created inside it
- a **file path** → that exact file is written
- a **directory** - the file `harvest.tar.gz.sops` is created inside it
- a **file path** - that exact file is written
- If omitted, `enroll` writes into a secure per-user cache dir (see below).
### `--dangerous`
Harvest files more aggressively.
This disables the built-in “likely secret” safety checks, including:
This disables the built-in "likely secret" safety checks, including:
- denylisted paths (e.g. `/etc/shadow`, `/etc/ssl/private/*`, `/etc/ssh/ssh_host_*`, `/etc/letsencrypt/*`)
- heuristic content scanning for common secret patterns (private keys, “password=”, “token”, “secret”, etc.)
- heuristic content scanning for common secret patterns (`PRIVATE KEY`, "password=", "token", "secret", etc.)
- some other conservative skipping logic
**Use with care**, especially in plaintext mode.
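Review bot: Replacing `→` with a bare `-` in the `--out` sub-bullets (`- a **directory** - the file ...`, `- a **file path** - that exact file ...`) is ambiguous in Markdown because the list marker is also `-`; a colon reads better, e.g. `- a **directory**: the file `harvest.tar.gz.sops` is created inside it`. The rewritten secret-pattern bullet also now mixes a backticked marker (`PRIVATE KEY`) with quoted words ("password=", "token", "secret"); pick one style, preferably backticks for all four since they are literal match strings. The surrounding `--dangerous` text is unchanged and still accurate: it disables both the path denylist and the content heuristics, so the existing "Use with care" line for plaintext mode stays appropriate.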
@ -83,7 +83,7 @@ SSH port. Default is `22`.
#### `--no-sudo`
Don’t use sudo on the remote host.
This may cause a **partial harvest** (missing files/metadata) if the SSH user can’t read everything.
This may cause a **partial harvest** (missing files/metadata) if the SSH user can't read everything.
---
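Review bot: The normalization is incomplete in this hunk: `can’t` becomes `can't` on the changed line, but the unchanged context line `Don’t use sudo on the remote host.` directly above it still carries the typographic apostrophe. If the goal is ASCII punctuation throughout the README, update that line too (`Don't use sudo on the remote host.`) so the `--no-sudo` section does not mix both styles.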
@ -108,14 +108,14 @@ Each run gets a timestamped directory with an unpredictable suffix, e.g.
## Runtime notes / expectations
- **Root recommended:** If not running as root (or remote sudo is disabled), `enroll` may miss files or correct ownership/mode metadata.
- **Symlinks/binaries/large files:** Harvesting skips files that are symlinks, “binary-like”, or above a size cap (unless you use `--dangerous`, which relaxes some checks).
- **Symlinks/binaries/large files:** Harvesting skips files that are symlinks, "binary-like", or above a size cap (unless you use `--dangerous`, which relaxes some checks).
- **Output is deterministic-enough to diff:** The bundle is designed so comparing two harvests is meaningful (via `enroll diff`).
---
## Permutations (valid combinations)
Below are the common “flag permutations” you’ll typically use.
Below are the common "flag permutations" you’ll typically use.
### Local harvest, plaintext (safe)
```bash
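Review bot: The new line `Below are the common "flag permutations" you’ll typically use.` fixes the double quotes but leaves `you’ll` with a curly apostrophe, so the edited line itself is still inconsistent; change it to `you'll` in the same commit. The `"binary-like"` change in the Symlinks/binaries/large files bullet is fine and matches the ASCII-quote style used elsewhere in this commit.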