jann/m2dev-server
1
0
Fork 0
forked from metin-server/m2dev-server
Code Pull Requests Activity
Files
ba6a0c239dd125c5611e9f3b3a1b8c1b26846cad
m2dev-server/docs/healthchecks.md
server f8178df853 docs: document login smoke advanced flags
2026-04-14 10:45:41 +02:00

122 lines
3.6 KiB
Markdown
Raw Blame History

# Healthchecks
This repository contains the operational wrapper for the headless login healthcheck. The underlying smoke client lives in `m2dev-server-src`.
## What Exists
Source repository:
- `tests/login_smoke.cpp`
- binary target: `metin_login_smoke`
Runtime repository:
- `deploy/healthcheck/metin-login-healthcheck.sh`
Installed on the VPS:
- `/usr/local/sbin/metin-login-healthcheck`
## What The Headless Login Check Verifies
The check performs the real two-step Metin login flow without a GUI client:
1. Connect to the auth socket.
2. Complete the secure handshake.
3. Send login credentials.
4. Receive `AUTH_SUCCESS` and the login key.
5. Open a second connection to the channel socket.
6. Complete the secure handshake again.
7. Send `LOGIN2` with `login` + `login_key`.
8. Verify `EMPIRE`.
9. Verify `LOGIN_SUCCESS4`.
10. Select a character slot.
11. Send `ENTERGAME`.
12. Verify `MAIN_CHARACTER`, `PHASE_GAME`, `TIME`, and `CHANNEL`.
This is an end-to-end login verification, not just a TCP port check.
## How The Wrapper Works
`metin-login-healthcheck.sh` does the following:
- creates a temporary account in MariaDB
- lets `metin_login_smoke` create a temporary character when the account is empty
- runs `metin_login_smoke`
- verifies a successful auth + channel + `ENTERGAME` flow
- deletes the temporary account and temporary character rows on exit
- passes the configured client version expected by the server
It is intended for manual admin use on the VPS.
## Usage
On the VPS:
```bash
ssh mt2
/usr/local/sbin/metin-login-healthcheck
```
The smoke binary can also be run directly:
```bash
sudo -iu mt2.jakubkadlec.dev \
/home/mt2.jakubkadlec.dev/metin/build/server-src/bin/metin_login_smoke \
173.249.9.66 11000 11011 <login> <password>
```
Or with password passed through the environment:
```bash
sudo -iu mt2.jakubkadlec.dev env METIN_LOGIN_SMOKE_PASSWORD='<password>' \
/home/mt2.jakubkadlec.dev/metin/build/server-src/bin/metin_login_smoke \
173.249.9.66 11000 11011 <login> --password-env=METIN_LOGIN_SMOKE_PASSWORD
```
If you want the smoke client to create a temporary character when the account is empty:
```bash
sudo -iu mt2.jakubkadlec.dev env METIN_LOGIN_SMOKE_PASSWORD='<password>' \
/home/mt2.jakubkadlec.dev/metin/build/server-src/bin/metin_login_smoke \
173.249.9.66 11000 11011 <login> --password-env=METIN_LOGIN_SMOKE_PASSWORD \
--create-character-name=smoketestchar \
--client-version=1215955205
```
Useful direct flags:
- `--json`
returns a machine-readable summary including timings and emitted events
- `--expect-auth-failure=STATUS`
treats an auth failure such as `NOID` or `WRONGPWD` as a successful negative test
- `--expect-channel-failure=STATUS`
treats a channel failure as a successful negative test
Example negative auth test:
```bash
sudo -iu mt2.jakubkadlec.dev env METIN_LOGIN_SMOKE_PASSWORD='wrongpass' \
/home/mt2.jakubkadlec.dev/metin/build/server-src/bin/metin_login_smoke \
173.249.9.66 11000 11011 someuser --password-env=METIN_LOGIN_SMOKE_PASSWORD \
--expect-auth-failure=WRONGPWD --json
```
## Security Notes
This does not open a new public network surface. It is a local operational tool.
Current guardrails:
- no new listening port
- root-only installed wrapper (`/usr/local/sbin/metin-login-healthcheck`, mode `700`)
- temporary credentials
- cleanup trap removes the test account
- wrapper passes the password through environment instead of command-line plaintext
- secrets are not committed to git
Remaining trust boundary:
- anyone with effective root access can still inspect or run the check
- therefore this tool assumes root is already trusted
View Git Blame Copy Permalink