vps-checkup

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

VPS checkup (Ubuntu + Docker)

VPS 检查（Ubuntu + Docker）

Goal

目标

Produce a clear, read-only health/security/update report for an Ubuntu VPS running Docker.
Propose safe, minimal fixes; do not apply changes or restart anything unless the user explicitly confirms.

为运行Docker的Ubuntu VPS生成清晰的只读健康/安全/更新报告。
提出安全、最小化的修复方案；除非用户明确确认，否则不进行任何变更或重启操作。

Inputs to ask for (if missing)

需要询问的输入信息（若缺失）

SSH target host alias (from
```
~/.ssh/config
```
on Windows:
```
$HOME\\.ssh\\config
```
) or
```
user@ip
```
.
Confirm
```
sudo
```
access and whether running
```
apt update
```
is allowed (it modifies package lists).
Required open ports (e.g.,
```
22
```
,
```
80
```
,
```
443
```
) and any non-standard SSH port.
Where deployments live: confirm if Docker Compose is used on the VPS (common), and whether compose files are in a known path.
If the local
```
ssh
```
client or required tools are missing, tell the user and ask whether to install them or provide command output manually.

SSH目标主机别名（来自
```
~/.ssh/config
```
，Windows系统为
```
$HOME\.ssh\config
```
）或
```
user@ip
```
格式的地址。
确认是否拥有
```
sudo
```
权限，以及是否允许执行
```
apt update
```
（该命令会修改软件包列表）。
需要开放的端口（如
```
22
```
、
```
80
```
、
```
443
```
）以及非标准SSH端口。
部署文件的存放位置：确认VPS上是否使用Docker Compose（较为常见），以及compose文件是否位于已知路径。
若本地缺少
```
ssh
```
客户端或所需工具，告知用户并询问是要安装这些工具还是手动提供命令输出结果。

Workflow (checklist)

工作流程（检查清单）

Connect safely
- Keep a second SSH session open before any SSH/firewall changes.
- Record identity/time/host:
```
whoami
```
  ,
```
hostname -f
```
  ,
```
date -Is
```
  ,
```
uptime
```
  .

Collect a read-only baseline (system)

OS/kernel:

lsb_release -a

(or

cat /etc/os-release

uname -a

CPU/mem/disk:
```
top
```
snapshot,
```
free -h
```
,
```
df -hT
```
,
```
lsblk
```
.

Services:

systemctl --failed

journalctl -p 3 -xb --no-pager

(use

sudo

if needed).

Check security posture (read-only)

SSH: prefer

sudo sshd -T

(fallback to

sudo cat /etc/ssh/sshd_config

sshd_config.d/

Firewall:

sudo ufw status verbose

(and

sudo ufw status numbered

Fail2ban:
```
sudo fail2ban-client status
```
(+
```
status sshd
```
if present).
Listening ports:
```
ss -tulpn
```
(use
```
sudo
```
if needed).

Check update posture (read-only by default)
- If user allows: run
```
sudo apt update
```
  to ensure accurate results.
- Then collect:
```
apt list --upgradable
```
  ,
```
ubuntu-security-status
```
  (if available), and
```
/var/run/reboot-required
```
  presence.
- Check unattended upgrades:
```
systemctl status unattended-upgrades --no-pager
```
  and
```
/var/log/unattended-upgrades/
```
  .
Check Docker health (read-only)
- Daemon status:
```
systemctl status docker --no-pager
```
  ,
```
docker info
```
  .
- Containers:
```
docker ps
```
  , unhealthy/restarting containers, recent restarts, and
```
docker stats --no-stream
```
  .
- Disk usage:
```
docker system df
```
  and large log growth indicators.
- Compose overview:
```
docker compose ls
```
  (then inspect key projects as needed).
Produce the report + recommendations
- Use
```
references/report-template.md
```
  .
- Use
```
references/ubuntu-docker-checkup-commands.md
```
  for a copy/paste command set.
- Rank findings by severity and explicitly list what requires confirmation (updates, firewall changes, SSH changes, restarts, pruning, reboot).
Apply fixes (ONLY with explicit confirmation)
- Do not run
```
apt upgrade
```
  , change UFW rules, change SSH auth, prune Docker, restart services/containers, or reboot unless the user says to.

安全连接
- 在进行任何SSH/防火墙变更前，保持第二个SSH会话处于开启状态。
- 记录身份/时间/主机信息：执行
```
whoami
```
  、
```
hostname -f
```
  、
```
date -Is
```
  、
```
uptime
```
  命令。
收集只读系统基准信息
- 操作系统/内核：执行
```
lsb_release -a
```
  （或
```
cat /etc/os-release
```
  ）、
```
uname -a
```
  命令。
- CPU/内存/磁盘：获取
```
top
```
  命令快照，执行
```
free -h
```
  、
```
df -hT
```
  、
```
lsblk
```
  命令。
- 服务状态：执行
```
systemctl --failed
```
  、
```
journalctl -p 3 -xb --no-pager
```
  命令（必要时使用
```
sudo
```
  ）。
检查安全状态（只读）
- SSH配置：优先执行
```
sudo sshd -T
```
  命令（备选方案为
```
sudo cat /etc/ssh/sshd_config
```
  +
```
sshd_config.d/
```
  ）。
- 防火墙：执行
```
sudo ufw status verbose
```
  （以及
```
sudo ufw status numbered
```
  ）命令。
- Fail2ban：执行
```
sudo fail2ban-client status
```
  命令（若存在则追加
```
status sshd
```
  ）。
- 监听端口：执行
```
ss -tulpn
```
  命令（必要时使用
```
sudo
```
  ）。
检查更新状态（默认只读）
- 若用户允许：执行
```
sudo apt update
```
  命令以确保结果准确。
- 随后收集信息：执行
```
apt list --upgradable
```
  、
```
ubuntu-security-status
```
  （若可用）命令，以及检查
```
/var/run/reboot-required
```
  文件是否存在。
- 检查无人值守更新：执行
```
systemctl status unattended-upgrades --no-pager
```
  命令并查看
```
/var/log/unattended-upgrades/
```
  目录。
检查Docker健康状态（只读）
- 守护进程状态：执行
```
systemctl status docker --no-pager
```
  、
```
docker info
```
  命令。
- 容器状态：执行
```
docker ps
```
  命令，检查异常/重启中的容器、近期重启记录，以及执行
```
docker stats --no-stream
```
  命令。
- 磁盘使用：执行
```
docker system df
```
  命令并检查日志是否大幅增长。
- Compose概览：执行
```
docker compose ls
```
  命令（必要时检查关键项目详情）。
生成报告与建议
- 使用
```
references/report-template.md
```
  模板。
- 参考
```
references/ubuntu-docker-checkup-commands.md
```
  获取可直接复制粘贴的命令集。
- 按严重程度对检查结果排序，并明确列出哪些操作需要确认（更新、防火墙变更、SSH配置变更、重启、清理、系统重启）。
执行修复（仅在获得明确确认后）
- 除非用户明确要求，否则不得执行
```
apt upgrade
```
  、修改UFW规则、变更SSH认证、清理Docker资源、重启服务/容器或重启系统。

Safety gates (non-negotiable)

安全准则（不可违反）

No restarts (Docker/system services) unless the user explicitly asks for restart.
No SSH/firewall changes unless you have a backup access path (second session open) and the user confirms the plan.
Never paste secrets (tokens, private keys) into chat or logs.

除非用户明确要求重启，否则不得重启任何服务（Docker/系统服务）。
除非有备用访问路径（第二个会话处于开启状态）且用户确认方案，否则不得进行SSH/防火墙变更。
切勿将密钥（令牌、私钥）粘贴到聊天或日志中。

Deliverable

交付成果

Provide:

A read-only report using
```
references/report-template.md
```
.
A prioritized list of recommended fixes and which ones require explicit confirmation.
The exact commands run (or requested if the user ran them manually).

提供：

使用
```
references/report-template.md
```
生成的只读报告。
按优先级排序的推荐修复方案列表，明确标注哪些需要用户的明确确认。
已执行的具体命令（若用户手动执行则为请求的命令）。