ci: bump version to 1.12.1

* fix(upgrade): split olares version update and upgrade of settings chart

* feat: upgrade l4-proxy image to v0.3.2

* fix: update appservice tag

---------

Co-authored-by: hys <hysyeah@gmail.com>

.github/workflows/check.yaml

@@ -59,7 +59,7 @@ jobs:
     steps:
       - id: generate
         run: |
-          v=1.12.0-$(echo $RANDOM$RANDOM)
+          v=1.12.1-$(echo $RANDOM$RANDOM)
           echo "version=$v" >> "$GITHUB_OUTPUT"
 
   upload-cli:

.github/workflows/release-daily.yaml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - id: generate
         run: |
-          v=1.12.0-$(date +"%Y%m%d")
+          v=1.12.1-$(date +"%Y%m%d")
           echo "version=$v" >> "$GITHUB_OUTPUT"
 
   release-cli:
@@ -129,7 +129,7 @@ jobs:
 
 
   release:
-    needs: [daily-version, upload-package]
+    needs: [daily-version, upload-package, release-cli]
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/release.yaml

@@ -59,8 +59,46 @@ jobs:
           export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
           bash build/image-manifest.sh && bash build/upload-images.sh .manifest/images.mf linux/arm64
 
+  push-deps:
+    needs: [release-daemon]
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+          VERSION: ${{ github.event.inputs.tags }}
+          REPO_PATH: '${{ secrets.REPO_PATH }}'
+        run: |
+          bash build/deps-manifest.sh && bash build/upload-deps.sh
+
+  push-deps-arm64:
+    needs: [release-daemon]
+    runs-on: [self-hosted, linux, ARM64]
+
+    steps:
+      - name: "Checkout source code"
+        uses: actions/checkout@v3
+
+      # test
+      - env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "us-east-1"
+          VERSION: ${{ github.event.inputs.tags }}
+          REPO_PATH: '${{ secrets.REPO_PATH }}'
+        run: |
+          export PATH=$PATH:/usr/local/bin:/home/ubuntu/.local/bin
+          bash build/deps-manifest.sh linux/arm64 && bash build/upload-deps.sh linux/arm64
+
+
   upload-package:
-    needs: [push, push-arm64, release-daemon]
+    needs: [push, push-arm64, push-deps, push-deps-arm64, release-daemon]
     runs-on: ubuntu-latest
 
     steps:
@@ -85,7 +123,7 @@ jobs:
 
   release:
     runs-on: ubuntu-latest
-    needs: [upload-package]
+    needs: [upload-package, release-cli]
 
     steps:
       - name: 'Checkout source code'

README_JP.md

@@ -108,8 +108,7 @@ Olaresは以下のLinuxプラットフォームで動作検証を完了してい
 自分のデバイスでOlaresを始めるには、[はじめにガイド](https://docs.olares.com/manual/get-started/)に従ってステップバイステップの手順を確認してください。
 
 
-## プロジェクトナビゲーション
-
+## プロジェクトナビゲーションx
 このセクションでは、Olares リポジトリ内の主要なディレクトリをリストアップしています：
 
 * **[`apps`](./apps)**: システムアプリケーションのコードが含まれており、主に `larepass` 用です。

apps/.olares/config/user/helm-charts/studio/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

apps/.olares/config/user/helm-charts/studio/Chart.yaml

@@ -1,26 +0,0 @@
-apiVersion: v2
-name: studio
-description: A Terminus app development tool
-maintainers:
-- name: bytetrade
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "4.9.1"

apps/.olares/config/user/helm-charts/studio/templates/deployment.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: studio-server
-  namespace: user-space-{{ .Values.bfl.username }}
-spec:
-  type: ExternalName
-  externalName: studio-server.os-framework.svc.cluster.local
-  ports:
-    - protocol: TCP
-      name: studio-server
-      port: 8080
-      targetPort: 8080

apps/.olares/config/user/helm-charts/studio/values.yaml

@@ -1,42 +0,0 @@
-bfl:
-  nodeport: 30883
-  nodeport_ingress_http: 30083
-  nodeport_ingress_https: 30082
-  username: 'test'
-  url: 'test'
-  nodeName: test
-pvc:
-  userspace: test
-userspace:
-  userData: test/Home
-  appData: test/Data
-  appCache: test
-  dbdata: test
-docs:
-  nodeport: 30881
-desktop:
-  nodeport: 30180
-os:
-  portfolio:
-    appKey: '${ks[0]}'
-    appSecret: test
-  vault:
-    appKey: '${ks[0]}'
-    appSecret: test
-  desktop:
-    appKey: '${ks[0]}'
-    appSecret: test
-  message:
-    appKey: '${ks[0]}'
-    appSecret: test
-  rss:
-    appKey: '${ks[0]}'
-    appSecret: test
-  search:
-    appKey: '${ks[0]}'
-    appSecret: test
-  studio:
-    appKey: '${ks[0]}'
-    appSecret: test
-kubesphere:
-  redis_password: ""

apps/.olares/config/user/helm-charts/system-apps/templates/system-frontend.yaml

@@ -1,4 +1,5 @@
 {{- $namespace := printf "%s%s" "user-system-" .Values.bfl.username -}}
+{{- $userspacenamespace := printf "%s%s" "user-space-" .Values.bfl.username -}}
 {{- $zinc_files_secret := (lookup "v1" "Secret" $namespace "zinc-files-secrets") -}}
 {{- $user_service_secret := (lookup "v1" "Secret" $namespace "user-service-secrets") -}}
 
@@ -50,7 +51,7 @@
 {{ $user_service_redis_password = randAlphaNum 16 | b64enc }}
 {{- end -}}
 
-{{- $user_service_nats_secret := (lookup "v1" "Secret" $namespace "user-service-nats-secret") -}}
+{{- $user_service_nats_secret := (lookup "v1" "Secret" $userspacenamespace "user-service-nats-secret") -}}
 {{- $nats_password := "" -}}
 {{ if $user_service_nats_secret -}}
 {{ $nats_password = (index $user_service_nats_secret "data" "nats_password") }}
@@ -165,19 +166,6 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata:
-  name: studio-svc
-  namespace: {{ .Release.Namespace }}
-spec:
-  selector:
-    app: system-frontend
-  ports:
-    - protocol: TCP
-      port: 8080
-      targetPort: 87
----
-apiVersion: v1
-kind: Service
 metadata:
   name: files-fe-service
   namespace: user-space-{{ .Values.bfl.username }}
@@ -246,11 +234,11 @@ metadata:
     applications.app.bytetrade.io/group: 'true'
     applications.app.bytetrade.io/author: bytetrade.io
   annotations:
-    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png","studio":"https://file.bttcdn.com/appstore/devbox/icon.png","files":"https://file.bttcdn.com/appstore/files/icon.png","vault":"https://file.bttcdn.com/appstore/vault/icon.png","market":"https://file.bttcdn.com/appstore/appstore/icon.png"}'
-    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","headscale":"Headscale","settings":"Settings","studio":"Studio","files":"Files","vault":"Vault","market":"Market"}'
-    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","headscale":"0.0.1","settings":"0.0.1","studio":"0.0.1","files":"0.0.1","vault":"0.0.1","market":"0.0.1"}'
+    applications.app.bytetrade.io/icon: '{"dashboard":"https://file.bttcdn.com/appstore/dashboard/icon.png","control-hub":"https://file.bttcdn.com/appstore/control-hub/icon.png","profile":"https://file.bttcdn.com/appstore/profile/icon.png","headscale": "https://file.bttcdn.com/appstore/headscale/icon.png","settings": "https://file.bttcdn.com/appstore/settings/icon.png","files":"https://file.bttcdn.com/appstore/files/icon.png","vault":"https://file.bttcdn.com/appstore/vault/icon.png","market":"https://file.bttcdn.com/appstore/appstore/icon.png"}'
+    applications.app.bytetrade.io/title: '{"dashboard": "Dashboard","control-hub":"Control Hub","profile":"Profile","headscale":"Headscale","settings":"Settings","files":"Files","vault":"Vault","market":"Market"}'
+    applications.app.bytetrade.io/version: '{"dashboard": "0.0.1","control-hub":"0.0.1","profile":"0.0.1","headscale":"0.0.1","settings":"0.0.1","files":"0.0.1","vault":"0.0.1","market":"0.0.1"}'
     applications.app.bytetrade.io/policies: '{"dashboard":{"policies":[{"entranceName":"dashboard","uriRegex":"/js/script.js", "level":"public"},{"entranceName":"dashboard","uriRegex":"/js/api/send", "level":"public"}]}}'
-    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}],"studio":[{"name":"studio","host":"studio-svc","port":8080,"title":"Studio","openMethod":"window"}],"files":[{"name":"files", "host":"files-fe-service", "port":80,"title":"Files","windowPushState":true}],"vault":[{"name":"vault", "host":"vault-service", "port":80,"title":"Vault","windowPushState":true}],"market":[{"name":"appstore", "host":"appstore-fe-service", "port":80,"title":"Market","windowPushState":true}]}'
+    applications.app.bytetrade.io/entrances: '{"dashboard":[{"name":"dashboard","host":"dashboard-service","port":80,"title":"Dashboard","windowPushState":true}],"control-hub":[{"name":"control-hub","host":"control-hub-service","port":80,"title":"Control Hub","windowPushState":true}],"profile":[{"name":"profile", "host":"profile-service", "port":80,"title":"Profile","windowPushState":true}],"headscale":[{"name":"headscale", "host":"headscale-svc", "port":80,"title":"Headscale","invisible": true}],"settings":[{"name":"settings", "host":"settings-service", "port":80,"title":"Settings"}],"files":[{"name":"files", "host":"files-fe-service", "port":80,"title":"Files","windowPushState":true}],"vault":[{"name":"vault", "host":"vault-service", "port":80,"title":"Vault","windowPushState":true}],"market":[{"name":"appstore", "host":"appstore-fe-service", "port":80,"title":"Market","windowPushState":true}]}'
 spec:
   replicas: 1
   selector:
@@ -345,7 +333,7 @@ spec:
             - name: PGDB
               value: user_space_{{ .Values.bfl.username }}_cloud_drive_integration
         - name: system-frontend-init
-          image: beclab/system-frontend:v1.3.109
+          image: beclab/system-frontend:v1.3.116
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
@@ -467,7 +455,7 @@ spec:
             - name: NATS_SUBJECT_VAULT
               value: os.vault.{{ .Values.bfl.username}}
         - name: user-service
-          image: beclab/user-service:v0.0.35
+          image: beclab/user-service:v0.0.41
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 3000
@@ -1030,31 +1018,6 @@ status:
 ---
 apiVersion: sys.bytetrade.io/v1alpha1
 kind: ApplicationPermission
-metadata:
-  name: studio
-  namespace: user-system-{{ .Values.bfl.username }}
-spec:
-  app: studio
-  appid: studio
-  key: {{ .Values.os.studio.appKey }}
-  secret: {{ .Values.os.studio.appSecret }}
-  permissions:
-    - dataType: app
-      group: service.appstore
-      ops:
-        - InstallDevApp
-        - UninstallDevApp
-      version: v1
-    - dataType: legacy_api
-      group: api.intent
-      ops:
-        - POST
-      version: v2
-status:
-  state: active
----
-apiVersion: sys.bytetrade.io/v1alpha1
-kind: ApplicationPermission
 metadata:
   name: settings
   namespace: user-system-{{ .Values.bfl.username }}

apps/.olares/config/user/helm-charts/wizard/templates/wizard_deploy.yaml

@@ -29,7 +29,7 @@ spec:
 
       containers:
       - name: wizard
-        image: beclab/wizard:v1.3.103
+        image: beclab/wizard:v1.3.111
         imagePullPolicy: IfNotPresent
         ports:
         - containerPort: 80

build/base-package/install.sh

@@ -10,7 +10,7 @@ function command_exists() {
 if [[ x"$VERSION" == x"" ]]; then
     if [[ "$LOCAL_RELEASE" == "1" ]]; then
         ts=$(date +%Y%m%d%H%M%S)
-        export VERSION="1.12.0-$ts"
+        export VERSION="1.12.1-$ts"
         echo "will build and use a local release of Olares with version: $VERSION"
         echo ""
     else
@@ -20,7 +20,7 @@ fi
 
 if [[ "x${VERSION}" == "x" || "x${VERSION:3}" == "xVERSION__" ]]; then
     echo "error: Olares version is unspecified, please set the VERSION env var and rerun this script."
-    echo "for example: VERSION=1.12.0-20241124 bash $0"
+    echo "for example: VERSION=1.12.1-20241124 bash $0"
     exit 1
 fi
 

build/base-package/joincluster.sh

@@ -149,7 +149,7 @@ export VERSION="#__VERSION__"
 
 if [[ "x${VERSION}" == "x" || "x${VERSION:3}" == "xVERSION__" ]]; then
     echo "error: Olares version is unspecified, please set the VERSION env var and rerun this script."
-    echo "for example: VERSION=1.12.0-20241124 bash $0"
+    echo "for example: VERSION=1.12.1-20241124 bash $0"
     exit 1
 fi
 

build/base-package/version.hint

@@ -1,2 +1,2 @@
 upgrade:
-  minVersion: 1.12.0-1
+  minVersion: 1.12.1-0

build/base-package/wizard/config/os-chart-template/templates/_helpers.tpl

@@ -76,7 +76,7 @@ Create the name of the service account to use
 {{- $caCertEnc = index $prevSecret "data" "ca.crt" }}
 {{- else }}
 {{- $altNames := list ( printf "%s-webhook.%s" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) ( printf "%s-webhook.%s.svc" (include "opentelemetry-operator.fullname" .) .Release.Namespace ) -}}
-{{- $tmpperioddays := 3650 }}
+{{- $tmpperioddays := 36500 }}
 {{- $ca := genCA "opentelemetry-operator-operator-ca" $tmpperioddays }}
 {{- $cert := genSignedCert (include "opentelemetry-operator.fullname" .) nil $altNames $tmpperioddays $ca }}
 {{- $certCrtEnc = b64enc $cert.Cert }}

build/base-package/wizard/config/settings/templates/terminus_cr.yaml

@@ -1,12 +1,14 @@
 # chart-testing: ignore-file
 
 {{ $cluster_id := randAlphaNum 16 }}
+{{ $version := "#__VERSION__" }}
 {{ if .Values.cluster_id }}
 {{ $cluster_id = .Values.cluster_id }}
 {{ end }}
-{{ $cr := (lookup "sys.bytetrade.io/v1alpha1" "terminus.sys.bytetrade.io" "" "terminus") }}
+{{ $cr := (lookup "sys.bytetrade.io/v1alpha1" "Terminus" "" "terminus") }}
 {{ if $cr }}
 {{ $cluster_id = (index $cr "metadata" "labels" "bytetrade.io/cluster-id") }}
+{{ $version = (index $cr "spec" "version") }}
 {{ end }}
 
 ---
@@ -22,7 +24,7 @@ metadata:
     bytetrade.io/s3-sk: '{{ .Values.s3_sk }}'
 spec:
   name: terminus-1
-  version: #__VERSION__
+  version: {{ .Values.version | default $version }}
   display: Terminus One
   releaseServer:
     serverType: github

build/build.sh

@@ -5,6 +5,22 @@ rm -rf ${BASE_DIR}/../.dist
 DIST_PATH="${BASE_DIR}/../.dist/install-wizard" 
 export VERSION=$1
 
+
+# vendor replace
+if [[ "${REPO_PATH}" != "" && "$REPO_PATH" != "/" ]]; then
+    path="vendor${REPO_PATH}"
+    echo "replace vendor path: ${path}"
+    find ${BASE_DIR}/../$path -type f | while read l; 
+    do 
+        file=$(awk -F "$path" '{print $1$2}' <<< "$l")  
+        if [[ "$file" != ".gitkeep" ]]; then
+            echo "replace [$file] with [$l]"
+            cp -f "$l" "$file"
+        fi
+    done
+fi
+
+
 DIST_PATH=${DIST_PATH} bash ${BASE_DIR}/package.sh
 
 bash ${BASE_DIR}/image-manifest.sh
@@ -43,7 +59,6 @@ else
     VERSION="debug"
 fi
 
-
 $TAR --exclude=wizard/tools --exclude=.git -zcvf ${BASE_DIR}/../install-wizard-${VERSION}.tar.gz .
 
 popd

build/deps-manifest.sh

@@ -20,6 +20,21 @@ function get_key(){
     fi
 }
 
+# vendor replace
+if [[ "${REPO_PATH}" != "" && "$REPO_PATH" != "/" ]]; then
+    path="vendor${REPO_PATH}"
+    echo "replace vendor path: ${path}"
+    find ${BASE_DIR}/../$path -type f | while read l; 
+    do 
+        file=$(awk -F "$path" '{print $1$2}' <<< "$l")  
+        if [[ "$file" != ".gitkeep" ]]; then
+            echo "replace [$file] with [$l]"
+            cp -f "$l" "$file"
+        fi
+    done
+fi
+
+
 find $BASE_DIR/../ -type f -name Olares.yaml | while read f; do
   echo "Processing $f"
   declare -a bins

cli/.goreleaser.yaml

@@ -27,6 +27,14 @@ builds:
       - -s
       - -w
       - -X github.com/beclab/Olares/cli/version.VERSION={{ .Version }}
+      - >-
+        {{- if index .Env "OLARES_VENDOR_TYPE" }}
+        -X github.com/beclab/Olares/cli/version.VENDOR={{ .Env.OLARES_VENDOR_TYPE }}
+        {{- end }}
+      - >-
+        {{- if index .Env "OLARES_VENDOR_REPO_PATH" }}
+        -X github.com/beclab/Olares/cli/version.VENDOR_REPO_PATH={{ .Env.OLARES_VENDOR_REPO_PATH }}
+        {{- end }}
 dist: ./output
 archives:
   - id: olares-cli

cli/cmd/ctl/os/release.go

@@ -49,7 +49,7 @@ func NewCmdRelease() *cobra.Command {
 			}
 
 			if version == "" {
-				version = fmt.Sprintf("1.12.0-%s", time.Now().Format("20060102150405"))
+				version = fmt.Sprintf("1.12.1-%s", time.Now().Format("20060102150405"))
 				fmt.Printf("--version unspecified, using: %s\n", version)
 				time.Sleep(1 * time.Second)
 			}

cli/cmd/ctl/root.go

@@ -10,12 +10,22 @@ import (
 )
 
 func NewDefaultCommand() *cobra.Command {
+	var showVendor bool
 	cmds := &cobra.Command{
 		Use:               "olares-cli",
 		Short:             "Olares Installer",
 		CompletionOptions: cobra.CompletionOptions{DisableDefaultCmd: true},
 		Version:           version.VERSION,
+		Run: func(cmd *cobra.Command, args []string) {
+			if showVendor {
+				println(version.VENDOR)
+			} else {
+				cmd.Usage()
+			}
+			return
+		},
 	}
+	cmds.Flags().BoolVar(&showVendor, "vendor", false, "show the vendor type of olares-cli")
 
 	cmds.AddCommand(osinfo.NewCmdInfo())
 	cmds.AddCommand(os.NewOSCommands()...)

cli/go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/containerd/containerd v1.7.27
 	github.com/decentralized-identity/web5-go v0.25.0
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0
+	github.com/distribution/reference v0.6.0
 	github.com/dominodatalab/os-release v0.0.0-20190522011736-bcdb4a3e3c2f
 	github.com/go-playground/validator/v10 v10.22.0
 	github.com/google/uuid v1.6.0
@@ -93,7 +94,6 @@ require (
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect

cli/pkg/certs/templates/certs_renew_service.go

@@ -40,6 +40,7 @@ Description=Timer to renew K8S control plane certificates
 [Timer]
 OnCalendar=Mon *-*-* 03:00:00
 Unit=k8s-certs-renew.service
+Persistent=true
 [Install]
 WantedBy=multi-user.target
     `)))

cli/pkg/common/common.go

@@ -23,8 +23,8 @@ import (
 )
 
 const (
-	DefaultK8sVersion          = "v1.32.2"
-	DefaultK3sVersion          = "v1.32.2-k3s"
+	DefaultK8sVersion          = "v1.33.3"
+	DefaultK3sVersion          = "v1.33.3-k3s"
 	DefaultKubernetesVersion   = ""
 	DefaultKubeSphereVersion   = "v3.3.0"
 	DefaultTokenMaxAge         = 31536000

cli/pkg/common/kube_runtime.go

@@ -256,13 +256,14 @@ type Frp struct {
 }
 
 func NewArgument() *Argument {
+	si := connector.GetSystemInfo()
 	arg := &Argument{
 		KsEnable:         true,
 		KsVersion:        DefaultKubeSphereVersion,
 		InstallPackages:  false,
 		SKipPushImages:   false,
 		ContainerManager: Containerd,
-		SystemInfo:       connector.GetSystemInfo(),
+		SystemInfo:       si,
 		Storage: &Storage{
 			StorageType: ManagedMinIO,
 		},
@@ -286,6 +287,7 @@ func NewArgument() *Argument {
 	arg.IsCloudInstance, _ = strconv.ParseBool(os.Getenv(ENV_TERMINUS_IS_CLOUD_VERSION))
 	arg.PublicNetworkInfo.PubliclyAccessible, _ = strconv.ParseBool(os.Getenv(ENV_PUBLICLY_ACCESSIBLE))
 	arg.IsOlaresInContainer = os.Getenv("CONTAINER_MODE") == "oic"
+	si.IsOIC = arg.IsOlaresInContainer
 
 	if err := arg.LoadReleaseInfo(); err != nil {
 		fmt.Printf("error loading release info: %v", err)

cli/pkg/container/containerd.go

@@ -404,3 +404,14 @@ func (t *KillContainerdProcess) Execute(runtime connector.Runtime) error {
 
 	return nil
 }
+
+type RestartContainerd struct {
+	common.KubeAction
+}
+
+func (t *RestartContainerd) Execute(runtime connector.Runtime) error {
+	if _, err := runtime.GetRunner().SudoCmd("systemctl restart containerd", false, true); err != nil {
+		return errors.Wrap(errors.WithStack(err), "Failed to restart containerd")
+	}
+	return nil
+}

cli/pkg/container/templates/containerd_config.go

@@ -29,151 +29,27 @@ root = {{ .DataRoot }}
 {{ else }}
 root = "/var/lib/containerd"
 {{- end }}
-state = "/run/containerd"
-
-[cgroup]
-  path = ""
-
-[debug]
-  address = ""
-  format = ""
-  gid = 0
-  level = ""
-  uid = 0
-
-[grpc]
-  address = "/run/containerd/containerd.sock"
-  gid = 0
-  max_recv_message_size = 16777216
-  max_send_message_size = 16777216
-	tcp_address = ""
-  tcp_tls_ca = ""
-  tcp_tls_cert = ""
-  tcp_tls_key = ""
-  uid = 0
-
-[metrics]
-  address = ""
-  grpc_histogram = false
-
-[ttrpc]
-  address = ""
-  uid = 0
-  gid = 0
-
-[timeouts]
-  "io.containerd.timeout.shim.cleanup" = "5s"
-  "io.containerd.timeout.shim.load" = "5s"
-  "io.containerd.timeout.shim.shutdown" = "3s"
-  "io.containerd.timeout.task.state" = "2s"
 
 [plugins]
-	[plugins."io.containerd.gc.v1.scheduler"]
-    deletion_threshold = 0
-    mutation_threshold = 100
-    pause_threshold = 0.02
-    schedule_delay = "0s"
-    startup_delay = "100ms"
 
   [plugins."io.containerd.grpc.v1.cri"]
-		device_ownership_from_security_context = false
-    disable_apparmor = false
-    disable_cgroup = false
-    disable_hugetlb_controller = true
-    disable_proc_mount = false
-    disable_tcp_service = true
-    enable_selinux = false
-    enable_tls_streaming = false
-    enable_unprivileged_icmp = false
-    enable_unprivileged_ports = false
-    ignore_image_defined_volumes = false
-    max_concurrent_downloads = 3
-    max_container_log_line_size = 16384
-    netns_mounts_under_state_dir = false
-    restrict_oom_score_adj = false
-    selinux_category_range = 1024
-    stats_collect_period = 10
-    stream_idle_timeout = "4h0m0s"
-    stream_server_address = "127.0.0.1"
-    stream_server_port = "10010"
-    systemd_cgroup = false
-    tolerate_missing_hugetlb_controller = true
-    unset_seccomp_profile = ""
     sandbox_image = "{{ .SandBoxImage }}"
 
-    [plugins."io.containerd.grpc.v1.cri".cni]
-      bin_dir = "/opt/cni/bin"
-      conf_dir = "/etc/cni/net.d"
-      max_conf_num = 1
-      conf_template = ""
-
-		[plugins."io.containerd.grpc.v1.cri".containerd]
+    [plugins."io.containerd.grpc.v1.cri".containerd]
       default_runtime_name = "runc"
-      disable_snapshot_annotations = true
-      discard_unpacked_layers = false
-      ignore_rdt_not_enabled_errors = false
-      no_pivot = false
-      snapshotter = "{{ .FsType }}"
-
-      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
-        base_runtime_spec = ""
-        cni_conf_dir = ""
-        cni_max_conf_num = 0
-        container_annotations = []
-        pod_annotations = []
-        privileged_without_host_devices = false
-        runtime_engine = ""
-        runtime_path = ""
-        runtime_root = ""
-        runtime_type = ""
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
 
       [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
 
         [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-          base_runtime_spec = ""
-          cni_conf_dir = ""
-          cni_max_conf_num = 0
-          container_annotations = []
-          pod_annotations = []
-          privileged_without_host_devices = false
-          runtime_engine = ""
-          runtime_path = ""
-          runtime_root = ""
-          runtime_type = "io.containerd.runc.v2"
+          runtime_type = 'io.containerd.runc.v2'
+          sandboxer = 'podsandbox'
+          snapshotter = "{{ .FsType }}"
 
           [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
-            BinaryName = ""
-            CriuImagePath = ""
-            CriuPath = ""
-            CriuWorkPath = ""
-            IoGid = 0
-            IoUid = 0
-            NoNewKeyring = false
-            NoPivotRoot = false
-            Root = ""
-            ShimCgroup = ""
             SystemdCgroup = true
 
-      [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
-        base_runtime_spec = ""
-        cni_conf_dir = ""
-        cni_max_conf_num = 0
-        container_annotations = []
-        pod_annotations = []
-        privileged_without_host_devices = false
-        runtime_engine = ""
-        runtime_path = ""
-        runtime_root = ""
-        runtime_type = ""
-
-        [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
-
-    [plugins."io.containerd.grpc.v1.cri".image_decryption]
-      key_model = "node"
-
     [plugins."io.containerd.grpc.v1.cri".registry]
+
       [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
         {{- if .Mirrors }}
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
@@ -201,84 +77,6 @@ state = "/run/containerd"
           {{- end}}
         {{- end}}
 
-	[plugins."io.containerd.internal.v1.opt"]
-    path = "/opt/containerd"
-
-  [plugins."io.containerd.internal.v1.restart"]
-    interval = "10s"
-
-  [plugins."io.containerd.internal.v1.tracing"]
-    sampling_ratio = 1.0
-    service_name = "containerd"
-
-  [plugins."io.containerd.metadata.v1.bolt"]
-    content_sharing_policy = "shared"
-
-  [plugins."io.containerd.monitor.v1.cgroups"]
-    no_prometheus = false
-
-  [plugins."io.containerd.runtime.v1.linux"]
-    no_shim = false
-    runtime = "runc"
-    runtime_root = ""
-    shim = "containerd-shim"
-    shim_debug = false
-
-  [plugins."io.containerd.runtime.v2.task"]
-    platforms = ["linux/amd64"]
-    sched_core = false
-
-  [plugins."io.containerd.service.v1.diff-service"]
-    default = ["walking"]
-
-  [plugins."io.containerd.service.v1.tasks-service"]
-    rdt_config_file = ""
-
-  [plugins."io.containerd.snapshotter.v1.aufs"]
-    root_path = ""
-
-  [plugins."io.containerd.snapshotter.v1.btrfs"]
-    root_path = ""
-
-  [plugins."io.containerd.snapshotter.v1.devmapper"]
-    async_remove = false
-    base_image_size = ""
-    discard_blocks = false
-    fs_options = ""
-    fs_type = ""
-    pool_name = ""
-    root_path = ""
-
-  [plugins."io.containerd.snapshotter.v1.native"]
-    root_path = ""
-
-  [plugins."io.containerd.snapshotter.v1.overlayfs"]
-    root_path = ""
-    upperdir_label = false
-
   [plugins."io.containerd.snapshotter.v1.zfs"]
     root_path = "{{ .ZfsRootPath }}"
-
-  [plugins."io.containerd.tracing.processor.v1.otlp"]
-    endpoint = ""
-    insecure = false
-    protocol = ""
-
-[proxy_plugins]
-
-[stream_processors]
-
-  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
-    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
-    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
-    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
-    path = "ctd-decoder"
-    returns = "application/vnd.oci.image.layer.v1.tar"
-
-  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
-    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
-    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
-    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
-    path = "ctd-decoder"
-    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
 `)))

cli/pkg/core/connector/system.go

@@ -114,6 +114,7 @@ type SystemInfo struct {
 	LocalIp    string          `json:"local_ip"`
 	NatGateway string          `json:"nat_gateway"`
 	PkgManager string          `json:"pkg_manager"`
+	IsOIC      bool            `json:"is_oic,omitempty"`
 }
 
 func (s *SystemInfo) IsSupport() error {
@@ -217,7 +218,7 @@ func (s *SystemInfo) IsPveOrPveLxc() bool {
 }
 
 func (s *SystemInfo) IsWsl() bool {
-	return s.HostInfo.OsPlatform == common.WSL
+	return s.HostInfo.OsPlatform == common.WSL && !s.IsOIC
 }
 
 func (s *SystemInfo) IsRaspbian() bool {

cli/pkg/core/util/file.go

@@ -344,7 +344,7 @@ func Untar(src, dst string) error {
 				}
 			}
 
-			file, err := os.OpenFile(dstPath, os.O_CREATE|os.O_RDWR, os.FileMode(hdr.Mode))
+			file, err := os.OpenFile(dstPath, os.O_CREATE|os.O_RDWR|os.O_TRUNC, os.FileMode(hdr.Mode))
 			if err != nil {
 				return err
 			}

cli/pkg/files/file.go

@@ -21,9 +21,11 @@ import (
 	_ "compress/bzip2"
 	"context"
 	"fmt"
+	cliversion "github.com/beclab/Olares/cli/version"
 	"io"
 	"math"
 	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path"
@@ -330,7 +332,7 @@ func NewKubeBinary(name, arch, osType, osVersion, osPlatformFamily, version, pre
 	case installwizard:
 		component.Type = WIZARD
 		component.FileName = fmt.Sprintf("install-wizard-v%s.tar.gz", version)
-		component.Url = fmt.Sprintf("%s/install-wizard-v%s.tar.gz", component.getDownloadMirrors(downloadMirrors), version)
+		component.Url, _ = url.JoinPath(component.getDownloadMirrors(downloadMirrors), cliversion.VENDOR_REPO_PATH, fmt.Sprintf("install-wizard-v%s.tar.gz", version))
 		component.CheckSum = false
 		component.BaseDir = filepath.Join(prePath, fmt.Sprintf("v%s", version))
 	case cudakeyring: // + gpu

cli/pkg/gpu/module.go

@@ -1,6 +1,7 @@
 package gpu
 
 import (
+	"github.com/beclab/Olares/cli/pkg/container"
 	"time"
 
 	"github.com/beclab/Olares/cli/pkg/common"
@@ -174,7 +175,7 @@ func (m *RestartContainerdModule) Init() {
 		Prepare: &prepare.PrepareCollection{
 			new(ContainerdInstalled),
 		},
-		Action:   new(RestartContainerd),
+		Action:   new(container.RestartContainerd),
 		Parallel: false,
 		Retry:    1,
 	}

cli/pkg/gpu/tasks.go

@@ -290,24 +290,13 @@ type ConfigureContainerdRuntime struct {
 }
 
 func (t *ConfigureContainerdRuntime) Execute(runtime connector.Runtime) error {
-	if _, err := runtime.GetRunner().SudoCmd("nvidia-ctk runtime configure --runtime=containerd --set-as-default --config-source=command", false, true); err != nil {
+	if _, err := runtime.GetRunner().SudoCmd("nvidia-ctk runtime configure --runtime=containerd --set-as-default --config-source=file", false, true); err != nil {
 		return errors.Wrap(errors.WithStack(err), "Failed to nvidia-ctk runtime configure")
 	}
 
 	return nil
 }
 
-type RestartContainerd struct {
-	common.KubeAction
-}
-
-func (t *RestartContainerd) Execute(runtime connector.Runtime) error {
-	if _, err := runtime.GetRunner().SudoCmd("systemctl restart containerd", false, true); err != nil {
-		return errors.Wrap(errors.WithStack(err), "Failed to restart containerd")
-	}
-	return nil
-}
-
 type InstallPlugin struct {
 	common.KubeAction
 }

cli/pkg/images/load.go

@@ -2,20 +2,19 @@ package images
 
 import (
 	"fmt"
+	"github.com/distribution/reference"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 
-	"github.com/containerd/containerd/pkg/cri/labels"
-	"github.com/containerd/containerd/reference/docker"
-
 	"github.com/beclab/Olares/cli/pkg/common"
 	"github.com/beclab/Olares/cli/pkg/core/cache"
 	"github.com/beclab/Olares/cli/pkg/core/connector"
 	"github.com/beclab/Olares/cli/pkg/core/logger"
 	"github.com/beclab/Olares/cli/pkg/manifest"
 	"github.com/beclab/Olares/cli/pkg/utils"
+	"github.com/containerd/containerd/pkg/cri/labels"
 )
 
 const MAX_IMPORT_RETRY int = 5
@@ -120,8 +119,13 @@ func (t *LoadImages) Execute(runtime connector.Runtime) (reserr error) {
 			case "crio":
 				loadCmd = "ctr" // not implement
 			case "containerd":
+				parsedRef, err := reference.ParseNormalizedNamed(imageRepoTag)
+				if err != nil {
+					logger.Warnf("parse image name %s error: %v, skip importing", imageRepoTag, err)
+					continue
+				}
 				if HasSuffixI(imgFileName, ".tar.gz", ".tgz") {
-					loadCmd = fmt.Sprintf("gunzip -c %s | ctr -n k8s.io images import %s -", imageFileName, loadParm)
+					loadCmd = fmt.Sprintf("gunzip -c %s | ctr -n k8s.io images import --index-name %s %s -", imageFileName, parsedRef, loadParm)
 				} else {
 					loadCmd = fmt.Sprintf("ctr -n k8s.io images import %s %s", imageFileName, loadParm)
 				}
@@ -157,12 +161,15 @@ func (a *PinImages) Execute(runtime connector.Runtime) error {
 		return nil
 	}
 	for _, ref := range manifests {
-		parsedRef, err := docker.ParseNormalizedNamed(ref)
+		parsedRef, err := reference.ParseNormalizedNamed(ref)
 		if err != nil {
 			logger.Warnf("parse image name %s error: %v, skip pinning", ref, err)
 			continue
 		}
 		if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("ctr -n k8s.io i label %s %s=%s", parsedRef.String(), labels.PinnedImageLabelKey, labels.PinnedImageLabelValue), false, false); err != nil {
+			if strings.Contains(err.Error(), "DEPRECATION") {
+				continue
+			}
 			// tolerate cases where some images are not found
 			// e.g., like in the cloud environment and some images are not in the ami
 			logger.Warnf("pin image %s error: %v", parsedRef.String(), err)

cli/pkg/k3s/templates/k3sServiceEnv.go

@@ -42,5 +42,6 @@ K3S_KUBECONFIG_MODE=644
 K3S_TOKEN={{ .Token }}
 {{ end }}
 GODEBUG=netdns=go
+CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=36500
 
     `)))

cli/pkg/kubesphere/plugins/files/build/prometheus/node-exporter/node-exporter-daemonset.yaml

@@ -42,7 +42,7 @@ spec:
         - --collector.netdev.address-info
         - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+)($|/)
         - --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$
-        image: beclab/node-exporter:0.0.3
+        image: beclab/node-exporter:0.0.4
         name: node-exporter
         securityContext:
           privileged: true

cli/pkg/storage/juicefs.go

@@ -269,3 +269,14 @@ func getManagedMinIOAccessFlags(localIp string) (string, error) {
 	return fmt.Sprintf(" --storage minio --bucket http://%s:9000/%s --access-key %s --secret-key %s",
 		localIp, cc.OlaresDir, MinioRootUser, minioPassword), nil
 }
+
+func GetRootFSType() string {
+	if util.IsExist(JuiceFsServiceFile) {
+		return "jfs"
+	}
+	return "fs"
+}
+
+func init() {
+	common.TerminusGlobalEnvs["OLARES_FS_TYPE"] = GetRootFSType()
+}

cli/pkg/terminus/apps.go

@@ -96,7 +96,7 @@ func (u *PrepareAppValues) Execute(runtime connector.Runtime) error {
 	if err != nil {
 		return err
 	}
-	fsType := getRootFSType()
+	fsType := storage.GetRootFSType()
 	gpuType := getGpuType(u.KubeConf.Arg.GPU.Enable)
 	appValues := getAppSecrets(getAppPatches())
 

cli/pkg/terminus/ossystem.go

@@ -70,7 +70,7 @@ func (t *InstallOsSystem) Execute(runtime connector.Runtime) error {
 		},
 		"gpu":                                  getGpuType(t.KubeConf.Arg.GPU.Enable),
 		"s3_bucket":                            t.KubeConf.Arg.Storage.StorageBucket,
-		"fs_type":                              getRootFSType(),
+		"fs_type":                              storage.GetRootFSType(),
 		common.HelmValuesKeyTerminusGlobalEnvs: common.TerminusGlobalEnvs,
 		common.HelmValuesKeyOlaresRootFSPath:   storage.OlaresRootDir,
 	}
@@ -296,13 +296,6 @@ func cloudValue(cloudInstance bool) string {
 	return ""
 }
 
-func getRootFSType() string {
-	if util.IsExist(storage.JuiceFsServiceFile) {
-		return "jfs"
-	}
-	return "fs"
-}
-
 func getRedisPassword(client clientset.Client, runtime connector.Runtime) (string, error) {
 	secret, err := client.Kubernetes().CoreV1().Secrets(common.NamespaceKubesphereSystem).Get(context.Background(), "redis-secret", metav1.GetOptions{})
 	if err != nil {

cli/pkg/terminus/tasks.go

@@ -5,10 +5,12 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"github.com/beclab/Olares/cli/version"
 	"io/fs"
 	"io/ioutil"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"os/exec"
 	"path"
@@ -91,7 +93,8 @@ func (t *CheckKeyPodsRunning) Execute(runtime connector.Runtime) error {
 			logger.Debugf("skipping pod %s that's not on node %s", pod.Name, t.Node)
 			continue
 		}
-		if strings.HasPrefix(pod.Namespace, "user-") || strings.HasPrefix(pod.Namespace, "os-") {
+		if !strings.HasPrefix(pod.Namespace, "user-") && !strings.HasPrefix(pod.Namespace, "os-") {
+			continue
 		}
 		if pod.Status.Phase != corev1.PodRunning {
 			return fmt.Errorf("pod %s/%s is not running", pod.Namespace, pod.Name)
@@ -171,7 +174,8 @@ func (t *Download) Execute(runtime connector.Runtime) error {
 	var wizard = files.NewKubeBinary("install-wizard", osArch, osType, osVersion, osPlatformFamily, t.Version, prePath, t.DownloadCdnUrl)
 
 	if t.UrlOverride == "" {
-		var fetchMd5 = fmt.Sprintf("curl -sSfL %s/install-wizard-v%s.md5sum.txt |awk '{print $1}'", t.DownloadCdnUrl, t.Version)
+		md5URL, _ := url.JoinPath(t.DownloadCdnUrl, version.VENDOR_REPO_PATH, fmt.Sprintf("install-wizard-v%s.md5sum.txt", t.Version))
+		var fetchMd5 = fmt.Sprintf("curl -sSfL %s |awk '{print $1}'", md5URL)
 		md5sum, err := runtime.GetRunner().Cmd(fetchMd5, false, false)
 		if err != nil {
 			return errors.New("get md5sum failed")

cli/pkg/upgrade/1_12_0_20250723.go

@@ -0,0 +1,50 @@
+package upgrade
+
+import (
+	"github.com/Masterminds/semver/v3"
+	"github.com/beclab/Olares/cli/pkg/common"
+	"github.com/beclab/Olares/cli/pkg/container"
+	"github.com/beclab/Olares/cli/pkg/core/connector"
+	"github.com/beclab/Olares/cli/pkg/core/task"
+	"github.com/beclab/Olares/cli/pkg/manifest"
+)
+
+type upgrader_1_12_0_20250723 struct {
+	upgraderBase
+}
+
+func (u upgrader_1_12_0_20250723) Version() *semver.Version {
+	return semver.MustParse("1.12.0-20250723")
+}
+
+func (u upgrader_1_12_0_20250723) PrepareForUpgrade() []task.Interface {
+	preTasks := []task.Interface{
+		&task.LocalTask{
+			Name:   "UpgradeContainerd",
+			Action: new(upgradeContainerd),
+		},
+		&task.LocalTask{
+			Name:   "RestartContainerd",
+			Action: new(container.RestartContainerd),
+		},
+	}
+	return append(preTasks, u.upgraderBase.PrepareForUpgrade()...)
+}
+
+type upgradeContainerd struct {
+	common.KubeAction
+}
+
+func (u *upgradeContainerd) Execute(runtime connector.Runtime) error {
+	m, err := manifest.ReadAll(u.KubeConf.Arg.Manifest)
+	if err != nil {
+		return err
+	}
+	action := &container.SyncContainerd{
+		ManifestAction: manifest.ManifestAction{
+			Manifest: m,
+			BaseDir:  runtime.GetBaseDir(),
+		},
+	}
+	return action.Execute(runtime)
+}

cli/pkg/upgrade/1_12_0_20250730.go

@@ -0,0 +1,112 @@
+package upgrade
+
+import (
+	"fmt"
+	"github.com/Masterminds/semver/v3"
+	"github.com/beclab/Olares/cli/pkg/bootstrap/precheck"
+	"github.com/beclab/Olares/cli/pkg/common"
+	"github.com/beclab/Olares/cli/pkg/core/connector"
+	"github.com/beclab/Olares/cli/pkg/core/task"
+	"github.com/beclab/Olares/cli/pkg/core/util"
+	"github.com/beclab/Olares/cli/pkg/gpu"
+	k3stemplates "github.com/beclab/Olares/cli/pkg/k3s/templates"
+	"github.com/beclab/Olares/cli/pkg/manifest"
+	"github.com/beclab/Olares/cli/pkg/terminus"
+	"github.com/pkg/errors"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+type upgrader_1_12_0_20250730 struct {
+	upgraderBase
+}
+
+func (u upgrader_1_12_0_20250730) Version() *semver.Version {
+	return semver.MustParse("1.12.0-20250730")
+}
+
+func (u upgrader_1_12_0_20250730) PrepareForUpgrade() []task.Interface {
+	var preTasks []task.Interface
+	if util.IsExist(filepath.Join("/etc/systemd/system/", k3stemplates.K3sService.Name())) {
+		preTasks = append(preTasks,
+			&task.LocalTask{
+				Name:   "UpgradeK3sBinary",
+				Action: new(upgradeK3sBinary),
+			},
+			&task.LocalTask{
+				Name:   "UpdateK3sServiceEnv",
+				Action: new(injectK3sCertExpireTime),
+			},
+			&task.LocalTask{
+				Name: "RestartK3sService",
+				Action: &terminus.SystemctlCommand{
+					UnitNames:           []string{common.K3s},
+					Command:             "restart",
+					DaemonReloadPreExec: true,
+				},
+			},
+			&task.LocalTask{
+				Name:   "WaitForKubeAPIServerUp",
+				Action: new(precheck.GetKubernetesNodesStatus),
+				Retry:  10,
+				Delay:  10,
+			})
+	}
+	return append(preTasks, u.upgraderBase.PrepareForUpgrade()...)
+}
+
+func (u upgrader_1_12_0_20250730) UpgradeSystemComponents() []task.Interface {
+	preTasks := []task.Interface{
+		&task.LocalTask{
+			Name:   "UpgradeGPUPlugin",
+			Action: new(gpu.InstallPlugin),
+		},
+	}
+	return append(preTasks, u.upgraderBase.UpgradeSystemComponents()...)
+}
+
+type upgradeK3sBinary struct {
+	common.KubeAction
+}
+
+func (u *upgradeK3sBinary) Execute(runtime connector.Runtime) error {
+	m, err := manifest.ReadAll(u.KubeConf.Arg.Manifest)
+	if err != nil {
+		return err
+	}
+	binary, err := m.Get(common.K3s)
+	if err != nil {
+		return fmt.Errorf("get k3s binary info failed: %v", err)
+	}
+
+	path := binary.FilePath(runtime.GetBaseDir())
+	dst := filepath.Join(common.BinDir, common.K3s)
+	// replacing the binary does not interrupt the running k3s server
+	if err := runtime.GetRunner().SudoScp(path, dst); err != nil {
+		return errors.Wrap(errors.WithStack(err), fmt.Sprintf("upgrade k3s binary failed"))
+	}
+	if _, err := runtime.GetRunner().SudoCmd(fmt.Sprintf("chmod +x %s", dst), false, false); err != nil {
+		return err
+	}
+	return nil
+}
+
+type injectK3sCertExpireTime struct {
+	common.KubeAction
+}
+
+func (u *injectK3sCertExpireTime) Execute(runtime connector.Runtime) error {
+	expireTimeEnv := "CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS"
+	envFile := filepath.Join("/etc/systemd/system/", k3stemplates.K3sServiceEnv.Name())
+	content, err := os.ReadFile(envFile)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to read k3s service env file: %v", err)
+	}
+	if strings.Contains(string(content), expireTimeEnv) {
+		return nil
+	}
+	newContent := string(content) + fmt.Sprintf("\n%s=36500\n", expireTimeEnv)
+	err = os.WriteFile(envFile, []byte(newContent), 0644)
+	return err
+}

cli/pkg/upgrade/base.go

@@ -31,7 +31,7 @@ type upgraderBase struct{}
 func (u upgraderBase) PrepareForUpgrade() []task.Interface {
 	return []task.Interface{
 		&task.LocalTask{
-			Name:   "prepareUserInfoForUpgrade",
+			Name:   "PrepareUserInfoForUpgrade",
 			Action: new(prepareUserInfoForUpgrade),
 			Retry:  5,
 		},
@@ -69,7 +69,7 @@ func (u upgraderBase) UpdateChartsInAppService() []task.Interface {
 func (u upgraderBase) UpgradeUserComponents() []task.Interface {
 	return []task.Interface{
 		&task.LocalTask{
-			Name:   "upgradeUserComponents",
+			Name:   "UpgradeUserComponents",
 			Action: new(upgradeUserComponents),
 			Retry:  5,
 			Delay:  15 * time.Second,
@@ -92,7 +92,7 @@ func (u upgraderBase) UpgradeSystemComponents() []task.Interface {
 	// reentrant
 	return []task.Interface{
 		&task.LocalTask{
-			Name:   "upgradeSystemComponents",
+			Name:   "UpgradeSystemComponents",
 			Action: new(upgradeSystemComponents),
 			Retry:  10,
 			Delay:  15 * time.Second,
@@ -100,6 +100,15 @@ func (u upgraderBase) UpgradeSystemComponents() []task.Interface {
 	}
 }
 
+func (u upgraderBase) UpdateOlaresVersion() []task.Interface {
+	return []task.Interface{
+		&task.LocalTask{
+			Name:   "UpdateOlaresVersion",
+			Action: new(updateOlaresVersion),
+		},
+	}
+}
+
 func (u upgraderBase) PostUpgrade() []task.Interface {
 	return []task.Interface{
 		&task.LocalTask{
@@ -245,7 +254,7 @@ func (u *upgradeUserComponents) Execute(runtime connector.Runtime) error {
 		}
 
 		var wizardNeedUpgrade bool
-		if wizardStatus, ok := user.Annotations["bytetrade.io/wizard-status"]; ok && wizardStatus == "completed" {
+		if wizardStatus, ok := user.Annotations["bytetrade.io/wizard-status"]; !ok || wizardStatus != "completed" {
 			wizardNeedUpgrade = true
 		}
 
@@ -313,3 +322,27 @@ func (u *upgradeSystemComponents) Execute(runtime connector.Runtime) error {
 	}
 	return nil
 }
+
+type updateOlaresVersion struct {
+	common.KubeAction
+}
+
+func (u *updateOlaresVersion) Execute(runtime connector.Runtime) error {
+	config, err := ctrl.GetConfig()
+	if err != nil {
+		return fmt.Errorf("failed to get rest config: %s", err)
+	}
+	actionConfig, settings, err := utils.InitConfig(config, common.NamespaceDefault)
+	if err != nil {
+		return err
+	}
+	ctx, cancelSettings := context.WithTimeout(context.Background(), 3*time.Minute)
+	defer cancelSettings()
+	settingsChartPath := path.Join(runtime.GetInstallerDir(), "wizard", "config", "settings")
+
+	vals := map[string]interface{}{"version": u.KubeConf.Arg.OlaresVersion}
+	if err := utils.UpgradeCharts(ctx, actionConfig, settings, common.ChartNameSettings, settingsChartPath, "", common.NamespaceDefault, vals, true); err != nil {
+		return err
+	}
+	return nil
+}

cli/pkg/upgrade/interfaces.go

@@ -13,6 +13,7 @@ type upgrader interface {
 	UpgradeUserComponents() []task.Interface
 	UpdateReleaseFile() []task.Interface
 	UpgradeSystemComponents() []task.Interface
+	UpdateOlaresVersion() []task.Interface
 	PostUpgrade() []task.Interface
 }
 

cli/pkg/upgrade/modules.go

@@ -2,6 +2,7 @@ package upgrade
 
 import (
 	"github.com/beclab/Olares/cli/pkg/bootstrap/precheck"
+	"github.com/beclab/Olares/cli/pkg/manifest"
 
 	"github.com/Masterminds/semver/v3"
 	"github.com/beclab/Olares/cli/pkg/common"
@@ -10,6 +11,7 @@ import (
 
 type Module struct {
 	common.KubeModule
+	manifest.ManifestModule
 	TargetVersion *semver.Version
 }
 
@@ -21,9 +23,10 @@ func (m *Module) Init() {
 	m.Tasks = append(m.Tasks, u.ClearAppChartValues()...)
 	m.Tasks = append(m.Tasks, u.ClearBFLChartValues()...)
 	m.Tasks = append(m.Tasks, u.UpdateChartsInAppService()...)
+	m.Tasks = append(m.Tasks, u.UpgradeSystemComponents()...)
 	m.Tasks = append(m.Tasks, u.UpgradeUserComponents()...)
 	m.Tasks = append(m.Tasks, u.UpdateReleaseFile()...)
-	m.Tasks = append(m.Tasks, u.UpgradeSystemComponents()...)
+	m.Tasks = append(m.Tasks, u.UpdateOlaresVersion()...)
 	m.Tasks = append(m.Tasks, u.PostUpgrade()...)
 }
 

cli/pkg/upgrade/version.go

@@ -16,6 +16,8 @@ var (
 
 	dailyUpgraders = []breakingUpgrader{
 		upgrader_1_12_0_20250702{},
+		upgrader_1_12_0_20250723{},
+		upgrader_1_12_0_20250730{},
 	}
 	mainUpgraders = []breakingUpgrader{}
 )

cli/pkg/utils/certs/certs.go

@@ -34,7 +34,7 @@ import (
 
 const (
 	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
-	CertificateValidity = time.Hour * 24 * 365 * 10
+	CertificateValidity = time.Hour * 24 * 365 * 100
 	// CertificateBlockType is a possible value for pem.Block.Type.
 	CertificateBlockType = "CERTIFICATE"
 	rsaKeySize           = 2048

cli/version/vendor.go

@@ -0,0 +1,4 @@
+package version
+
+var VENDOR = "main"
+var VENDOR_REPO_PATH = ""

daemon/.goreleaser.yml

@@ -1,44 +1,35 @@
 project_name: olaresd
 builds:
-- id: linux_amd64 
-  env:
-  - CGO_ENABLED=1
-  main: ./cmd/terminusd/main.go
-  binary: olaresd
-  goarch:
-    - amd64
-  goos:
-    - linux
-  tags:
-    containers_image_openpgp
-  ldflags:
-    - -w
-    - -s
-    - -X 'github.com/beclab/Olares/daemon/cmd/terminusd/version.version=v{{ .Version }}'
-- id: linux_arm64 
-  env:
+- env:
   - CGO_ENABLED=0
   # - CC=aarch64-linux-gnu-gcc
   # - CXX=aarch64-linux-gnu-g++
   main: ./cmd/terminusd/main.go
   binary: olaresd
   goarch:
+    - amd64
     - arm64
   goos:
     - linux
+  overrides:
+    - goarch: amd64
+      goos: linux
+      goamd64: v1
+      env:
+        - CGO_ENABLED=1
   tags:
     containers_image_openpgp
   ldflags:
     - -w
     - -s
     - -X 'github.com/beclab/Olares/daemon/cmd/terminusd/version.version=v{{ .Version }}'
+    - >-
+      {{- if index .Env "OLARES_VENDOR_TYPE" }}
+      -X github.com/beclab/Olares/daemon/cmd/terminusd/version.VENDOR={{ .Env.OLARES_VENDOR_TYPE }}
+      {{- end }}
 dist: output
 archives:
 - name_template: "olaresd-v{{ .Version }}-{{ .Os }}-{{ .Arch }}"
-  replacements:
-    linux: linux
-    amd64: amd64
-    arm64: arm64
   files:
     - none*
 checksum:

daemon/cmd/terminusd/main.go

@@ -33,10 +33,12 @@ func main() {
 
 	port := 18088
 	var showVersion bool
+	var showVendor bool
 
 	klog.InitFlags(nil)
 	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
 	pflag.CommandLine.BoolVar(&showVersion, "version", false, "show olaresd version")
+	pflag.CommandLine.BoolVar(&showVendor, "vendor", false, "show the vendor type of olaresd")
 
 	pflag.Parse()
 
@@ -45,6 +47,11 @@ func main() {
 		return
 	}
 
+	if showVendor {
+		fmt.Println(version.VENDOR)
+		return
+	}
+
 	commands.Init()
 
 	mainCtx, cancel := context.WithCancel(context.Background())

daemon/cmd/terminusd/version/vendor.go

@@ -0,0 +1,3 @@
+package version
+
+var VENDOR = "main"

daemon/internel/apiserver/handlers/command_group.go

@@ -37,6 +37,9 @@ func init() {
 		handlers.RequireOwner(
 			handlers.RunCommand(handlers.CancelOlaresUpgrade, upgrade.NewRemoveUpgradeTarget))))
 
+	cmd.Post("/upgrade/confirm", handlers.RequireSignature(
+		handlers.RequireOwner(handlers.ConfirmOlaresUpgrade)))
+
 	cmd.Post("/reboot", handlers.RequireSignature(
 		handlers.RequireOwner(
 			handlers.WaitServerRunning(

daemon/internel/apiserver/handlers/handler_olares_upgrade.go

@@ -33,3 +33,28 @@ func (h *Handlers) CancelOlaresUpgrade(ctx *fiber.Ctx, cmd commands.Interface) e
 
 	return h.OkJSON(ctx, "successfully cancelled upgrade/download")
 }
+
+func (h *Handlers) ConfirmOlaresUpgrade(ctx *fiber.Ctx) error {
+	target, err := state.GetOlaresUpgradeTarget()
+	if err != nil {
+		return h.ErrJSON(ctx, http.StatusInternalServerError, err.Error())
+	}
+	if target == nil {
+		return h.ErrJSON(ctx, http.StatusNotFound, "upgrade target not found")
+	}
+	if target.DownloadOnly {
+		target.DownloadOnly = false
+		err = target.Save()
+		if err != nil {
+			return h.ErrJSON(ctx, http.StatusInternalServerError, err.Error())
+		}
+		if target.Downloaded {
+			err = state.CheckCurrentStatus(ctx.Context())
+			if err != nil {
+				klog.Warning("failed to refresh current status immediately after confirmation, ", err)
+			}
+		}
+	}
+
+	return h.OkJSON(ctx, "successfully confirmed upgrade")
+}

daemon/internel/watcher/upgrade/upgrade_watcher.go

@@ -200,10 +200,10 @@ var downloadPhases = []upgradePhase{
 
 var upgradePhases = []upgradePhase{
 	{upgrade.NewVersionCompatibilityCheck, 0, 5},
-	{upgrade.NewHealthCheck, 5, 5},
+	{upgrade.NewPreCheck, 5, 5},
 	{upgrade.NewInstallCLI, 10, 10},
-	{upgrade.NewImportImages, 20, 30},
-	{upgrade.NewInstallOlaresd, 50, 10},
+	{upgrade.NewInstallOlaresd, 20, 10},
+	{upgrade.NewImportImages, 30, 30},
 	{upgrade.NewUpgrade, 60, 35},
 	{upgrade.NewRemoveTarget, 95, 5},
 }

daemon/pkg/commands/operations.go

@@ -22,7 +22,7 @@ const (
 	DownloadCLI               Operations = "downloadCLI"
 	DownloadWizard            Operations = "downloadWizard"
 	VersionCompatibilityCheck Operations = "versionCompatibilityCheck"
-	UpgradeHealthCheck        Operations = "upgradeHealthCheck"
+	UpgradePreCheck           Operations = "PreCheck"
 	DownloadSpaceCheck        Operations = "downloadSpaceCheck"
 	DownloadComponent         Operations = "downloadComponent"
 	ImportImages              Operations = "importImages"

daemon/pkg/commands/upgrade/check.go

@@ -8,6 +8,7 @@ import (
 	"github.com/beclab/Olares/daemon/pkg/containerd"
 	"github.com/dustin/go-humanize"
 	v1 "k8s.io/cri-api/pkg/apis/runtime/v1"
+	"k8s.io/utils/strings/slices"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -81,22 +82,22 @@ func (i *versionCompatibilityCheck) Execute(ctx context.Context, p any) (res any
 	return newExecutionRes(true, nil), nil
 }
 
-type healthCheck struct {
+type preCheck struct {
 	commands.Operation
 }
 
-var _ commands.Interface = &healthCheck{}
+var _ commands.Interface = &preCheck{}
 
-func NewHealthCheck() commands.Interface {
-	return &healthCheck{
+func NewPreCheck() commands.Interface {
+	return &preCheck{
 		Operation: commands.Operation{
-			Name: commands.UpgradeHealthCheck,
+			Name: commands.UpgradePreCheck,
 		},
 	}
 }
 
-func (i *healthCheck) Execute(ctx context.Context, p any) (res any, err error) {
-	klog.Info("Starting upgrade health check")
+func (i *preCheck) Execute(ctx context.Context, p any) (res any, err error) {
+	klog.Info("Starting upgrade pre check")
 
 	target, ok := p.(state.UpgradeTarget)
 	if !ok {
@@ -146,14 +147,8 @@ func (i *healthCheck) Execute(ctx context.Context, p any) (res any, err error) {
 		}
 	}
 	klog.Infof("Required space for image import: %s", humanize.Bytes(requiredSpace))
-	availableSpace, err := utils.GetDiskAvailableSpace(containerd.DefaultContainerdRootPath)
-	if err != nil {
-		return nil, fmt.Errorf("error checking disk space: %s", err)
-	}
-	klog.Infof("Available space of %s: %s", containerd.DefaultContainerdRootPath, humanize.Bytes(availableSpace))
-	if availableSpace < requiredSpace {
-		return nil, fmt.Errorf("insufficient disk space in: %s, required: %s, available: %s",
-			commands.TERMINUS_BASE_DIR, humanize.Bytes(requiredSpace), humanize.Bytes(availableSpace))
+	if err := tryToUseDiskSpace(containerd.DefaultContainerdRootPath, requiredSpace); err != nil {
+		return nil, err
 	}
 
 	client, err := utils.GetKubeClient()
@@ -181,19 +176,25 @@ func (i *healthCheck) Execute(ctx context.Context, p any) (res any, err error) {
 		//	continue
 		//}
 		if node.Spec.Unschedulable {
-			return nil, fmt.Errorf("node %s is unschedulable", node.Name)
+			return nil, fmt.Errorf("node %s: unschedulable", node.Name)
 		}
 		var readyConditionExists bool
 		for _, condition := range node.Status.Conditions {
-			if condition.Type == corev1.NodeReady {
+			switch condition.Type {
+			case corev1.NodeReady:
 				readyConditionExists = true
 				if condition.Status != corev1.ConditionTrue {
-					return nil, fmt.Errorf("node %s is not ready", node.Name)
+					return nil, fmt.Errorf("node %s: not ready", node.Name)
+				}
+			case corev1.NodeMemoryPressure, corev1.NodeDiskPressure,
+				corev1.NodePIDPressure, corev1.NodeNetworkUnavailable:
+				if condition.Status == corev1.ConditionTrue {
+					return nil, fmt.Errorf("node %s: %s", node.Name, condition.Type)
 				}
 			}
 		}
 		if !readyConditionExists {
-			return nil, fmt.Errorf("node %s's condition is unknown", node.Name)
+			return nil, fmt.Errorf("node %s: condition unknown", node.Name)
 		}
 	}
 
@@ -223,7 +224,35 @@ func (i *healthCheck) Execute(ctx context.Context, p any) (res any, err error) {
 		}
 	}
 
-	klog.Info("health checks passed for upgrade")
+	// if any user is in the progress of activation
+	// upgrade cannot start
+	dynamicClient, err := utils.GetDynamicClient()
+	if err != nil {
+		err = fmt.Errorf("failed to get dynamic client: %v", err)
+		klog.Error(err.Error())
+		return nil, err
+	}
+
+	users, err := utils.ListUsers(ctx, dynamicClient)
+	if err != nil {
+		err = fmt.Errorf("failed to list users: %v", err)
+		klog.Error(err.Error())
+		return nil, err
+	}
+
+	var activatingUsers []string
+	for _, user := range users {
+		status, ok := user.GetAnnotations()["bytetrade.io/wizard-status"]
+		if !ok || slices.Contains([]string{"", "wait_activate_vault", "completed"}, status) {
+			continue
+		}
+		activatingUsers = append(activatingUsers, user.GetName())
+	}
+	if len(activatingUsers) > 0 {
+		return nil, fmt.Errorf("waiting for user to finish activation: %s", strings.Join(activatingUsers, ", "))
+	}
+
+	klog.Info("pre checks passed for upgrade")
 
 	return newExecutionRes(true, nil), nil
 }
@@ -271,14 +300,9 @@ func (i *downloadSpaceCheck) Execute(ctx context.Context, p any) (res any, err e
 		return nil, fmt.Errorf("failed to check existence of file %s: %v", path, err)
 	}
 	klog.Infof("Required space for download: %s", humanize.Bytes(requiredSpace))
-	availableSpace, err := utils.GetDiskAvailableSpace(commands.TERMINUS_BASE_DIR)
-	if err != nil {
-		return nil, fmt.Errorf("error checking disk space: %s", err)
-	}
-	klog.Infof("Available space of %s: %s", commands.TERMINUS_BASE_DIR, humanize.Bytes(availableSpace))
-	if availableSpace < requiredSpace {
-		return nil, fmt.Errorf("insufficient disk space in: %s, required: %s, available: %s",
-			commands.TERMINUS_BASE_DIR, humanize.Bytes(requiredSpace), humanize.Bytes(availableSpace))
+
+	if err := tryToUseDiskSpace(commands.TERMINUS_BASE_DIR, requiredSpace); err != nil {
+		return nil, err
 	}
 
 	klog.Info("Space check passed for download")

daemon/pkg/commands/upgrade/download_component.go

@@ -76,7 +76,7 @@ func (i *downloadComponent) Execute(ctx context.Context, p any) (res any, err er
 func (i *downloadComponent) watch(ctx context.Context) {
 	go func() {
 		defer close(i.progressChan)
-		ticker := time.NewTicker(2 * time.Second)
+		ticker := time.NewTicker(10 * time.Second)
 		defer ticker.Stop()
 		for {
 			select {
@@ -119,15 +119,18 @@ func (i *downloadComponent) refreshProgress() error {
 	updated := false
 	for line := range t.Lines {
 		for _, p := range i.progressKeywords {
-			var lineProgress int
+			var lineProgress, nextProgress int
 			if strings.Contains(line.Text, p.KeyWord) {
 				lineProgress = p.ProgressNum
 			} else {
-				lineProgress = parseComponentDownloadProgressByItemProgress(line.Text)
+				lineProgress, nextProgress = parseComponentDownloadProgressByItemProgress(line.Text)
 			}
 			if i.progress < lineProgress {
 				i.progress = lineProgress
 				updated = true
+			} else if i.progress+1 < nextProgress {
+				i.progress += 1
+				updated = true
 			}
 		}
 	}
@@ -139,10 +142,10 @@ func (i *downloadComponent) refreshProgress() error {
 	return nil
 }
 
-func parseComponentDownloadProgressByItemProgress(line string) int {
+func parseComponentDownloadProgressByItemProgress(line string) (int, int) {
 	// filter out other item progress lines to avoid confusion
 	if !strings.Contains(line, "file") || !strings.Contains(line, "downloading") {
-		return 0
+		return 0, 0
 	}
 	return parseProgressFromItemProgress(line)
 }

daemon/pkg/commands/upgrade/import_images.go

@@ -116,15 +116,18 @@ func (i *prepareImages) refreshProgress() error {
 	updated := false
 	for line := range t.Lines {
 		for _, p := range i.progressKeywords {
-			var lineProgress int
+			var lineProgress, nextProgress int
 			if strings.Contains(line.Text, p.KeyWord) {
 				lineProgress = p.ProgressNum
 			} else {
-				lineProgress = parseImagePrepareProgressByItemProgress(line.Text)
+				lineProgress, nextProgress = parseImagePrepareProgressByItemProgress(line.Text)
 			}
 			if i.progress < lineProgress {
 				i.progress = lineProgress
 				updated = true
+			} else if i.progress+1 < nextProgress {
+				i.progress += 1
+				updated = true
 			}
 		}
 	}
@@ -136,10 +139,10 @@ func (i *prepareImages) refreshProgress() error {
 	return nil
 }
 
-func parseImagePrepareProgressByItemProgress(line string) int {
+func parseImagePrepareProgressByItemProgress(line string) (int, int) {
 	// filter out other item progress lines to avoid confusion
 	if !strings.Contains(line, "imported image") {
-		return 0
+		return 0, 0
 	}
 	return parseProgressFromItemProgress(line)
 }

daemon/pkg/commands/upgrade/types.go

@@ -44,21 +44,28 @@ type progressKeyword struct {
 // matches against "(x/y)"
 var itemProcessProgressRE = regexp.MustCompile(`\((\d+)/(\d+)\)`)
 
-func parseProgressFromItemProgress(line string) int {
+func parseProgressFromItemProgress(line string) (int, int) {
 	matches := itemProcessProgressRE.FindAllStringSubmatch(line, 2)
 	if len(matches) != 1 || len(matches[0]) != 3 {
-		return 0
+		return 0, 0
 	}
 	indexStr, totalStr := matches[0][1], matches[0][2]
 	index, err := strconv.ParseFloat(indexStr, 64)
 	if index == 0 || err != nil {
-		return 0
+		return 0, 0
 	}
 	total, err := strconv.ParseFloat(totalStr, 64)
 	if total == 0 || err != nil {
-		return 0
+		return 0, 0
 	}
-	return int(math.Round((index / total) * 90.0))
+	cur := int(math.Round(index / total * 90))
+	var next int
+	if index < total {
+		next = int(math.Round((index + 1) / total * 90))
+	} else {
+		next = 99
+	}
+	return cur, next
 }
 
 type manifestComponent struct {

daemon/pkg/commands/upgrade/upgrade.go

@@ -37,9 +37,11 @@ func NewUpgrade() commands.Interface {
 			{"ClearAppChartValues success", 10},
 			{"ClearBFLChartValues success", 15},
 			{"UpdateChartsInAppService success", 20},
-			{"UpgradeUserComponents success", 25},
-			{"UpdateReleaseFile success", 30},
-			{"UpgradeSystemComponents success", 35},
+			{"UpgradeSystemComponents success", 40},
+			{"UpgradeUserComponents success", 50},
+			{"UpdateReleaseFile success", 55},
+			{"UpdateOlaresVersion success", 60},
+			{"EnsurePodsUpAndRunningAgain", 70},
 			{"[Job] UpgradeOlares execute successfully", commands.ProgressNumFinished},
 		},
 	}
@@ -111,7 +113,7 @@ func (i *upgrade) refreshProgress() error {
 	}
 
 	filesize := info.Size()
-	tailsize := min(filesize, 4096)
+	tailsize := min(filesize, 8192)
 
 	t, err := tail.TailFile(i.logFile,
 		tail.Config{Follow: false, Location: &tail.SeekInfo{Offset: -tailsize, Whence: io.SeekEnd}})

daemon/pkg/commands/upgrade/utils.go

@@ -2,13 +2,16 @@ package upgrade
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"github.com/beclab/Olares/daemon/cmd/terminusd/version"
+	"github.com/dustin/go-humanize"
 	"io"
 	"net/http"
 	"os"
 	"os/exec"
 	"strings"
+	"syscall"
 
 	"github.com/Masterminds/semver/v3"
 )
@@ -99,3 +102,40 @@ func unmarshalComponentManifestFile(path string) (map[string]manifestComponent,
 	}
 	return ret, nil
 }
+
+// checks:
+// 1. whether available space is enough
+// 2. if the path is at the same partition with K8s root, whether disk space remains more than 10% after use
+func tryToUseDiskSpace(path string, size uint64) error {
+	fs := syscall.Statfs_t{}
+	err := syscall.Statfs(path, &fs)
+	if err != nil {
+		return fmt.Errorf("failed to statfs path %s: %v", path, err)
+	}
+
+	kfs := syscall.Statfs_t{}
+	err = syscall.Statfs("/var/lib", &fs)
+	if err != nil {
+		return fmt.Errorf("failed to statfs K8s root path %s: %v", path, err)
+	}
+
+	total := fs.Blocks * uint64(fs.Bsize)
+	available := fs.Bavail * uint64(fs.Bsize)
+
+	var ksize uint64
+	if fs.Fsid == kfs.Fsid {
+		ksize = uint64(float64(total) * 0.11)
+	}
+
+	if available > size+ksize {
+		return nil
+	}
+
+	errStr := fmt.Sprintf("insufficient disk space, available: %s, required: %s", humanize.Bytes(available), humanize.Bytes(size))
+	if ksize > 0 {
+		errStr += fmt.Sprintf(", reserved for K8s: %s", humanize.Bytes(ksize))
+	}
+
+	return errors.New(errStr)
+
+}

docs/.vitepress/en.ts

@@ -4,27 +4,21 @@ const side = {
   "/manual/": [
     {
       text: "What is Olares",
-      link: "/manual/docs-home",
+      link: "/manual/overview",
       items: [
-       // A{ text: "Why Olares", link: "/manual/why-olares" },
-        //{ text: "Feature comparison", link: "/manual/feature-overview" },
-        { text: "Olares architecture", link: "/manual/system-architecture" },
         { text: "Compare Olares and NAS", link: "/manual/olares-vs-nas" },
-        {
-          text: "Help and support",
-          collapsed: true,
-          items: [
-            { text: "FAQs", link: "/manual/help/faqs" },
-            {
-              text: "Request support",
-              link: "/manual/help/request-technical-support",
-            },
+        { text: "Help and support", link: "/manual/help/request-technical-support"}
+          //  collapsed: true,
+          //   items: [
+            // { text: "FAQs", link: "/manual/help/faqs" },
+            //    {
+            //     text: "Request support",
+          //     link: "/manual/help/request-technical-support",
+          //  },
             //{
             //  text: "Troubleshooting Guide",
             //  link: "/manual/help/troubleshooting-guide",
             // },
-          ],
-        },
       ],
     },
     {
@@ -197,14 +191,10 @@ const side = {
           items: [
             {
               text: "My Olares",
-              collapsed: true,
-              items: [
-                {text: "Account and device", link: "/manual/olares/settings/my-olares"},
-                {text: "Update system", link: "/manual/olares/settings/update"},
-              ],
+              link: "/manual/olares/settings/my-olares"
             },
             {
-              text: "Manage accounts",
+              text: "Manage users",
               collapsed: true,
               items: [
                 {
@@ -212,7 +202,7 @@ const side = {
                   link: "/manual/olares/settings/roles-permissions",
                 },
                 {
-                  text: "Create member accounts",
+                  text: "Create and manage users",
                   link: "/manual/olares/settings/manage-team",
                 }
               ],
@@ -232,16 +222,16 @@ const side = {
               ],
               },
             {
-              text: "Manage integrations", 
+              text: "Manage integrations",
               link:"/manual/olares/settings/integrations",
              },
              {
-              text: "Customize appearance", 
+              text: "Customize appearance",
               link:"/manual/olares/settings/language-appearance",
              },
             {text: "Manage VPN", link: "/manual/olares/settings/remote-access",},
             {
-              text: "Configure network", 
+              text: "Configure network",
               collapsed: true,
               items: [
                 {
@@ -249,7 +239,7 @@ const side = {
                   link: "/manual/olares/settings/change-frp",
                 },
                 {
-                  text: "Set up hosts file", 
+                  text: "Set up hosts file",
                   link:"/manual/olares/settings/set-up-hosts",
                 },
               ],
@@ -294,9 +284,8 @@ const side = {
       collapsed: true,
       link: "/manual/concepts/",
       items: [
-        { text: "Architecture", link: "/manual/concepts/architecture" },
-        { text: 
-          "Olares ID", 
+        { text: "Olares architecture", link: "/manual/concepts/system-architecture" },
+        { text: "Olares ID",
           link: "/manual/concepts/olares-id",
           collapsed: true,
           items: [
@@ -620,51 +609,50 @@ const side = {
             },
           ],
         },
-        {
-          text: "Advanced",
-          collapsed: true,
-          items: [
-            {
-              text: "terminus-info",
-              link: "/developer/develop/advanced/terminus-info",
-            },
-            {
-              text: "Service provider",
-              link: "/developer/develop/advanced/provider",
-            },
-            {
-              text: "AI",
-              link: "/developer/develop/advanced/ai",
-            },
-            { text: "Cookie", link: "/developer/develop/advanced/cookie" },
-            { text: "Database", link: "/developer/develop/advanced/database" },
-            {
-              text: "Account",
-              link: "/developer/develop/advanced/account",
-            },
-            {
-              text: "Market",
-              link: "/developer/develop/advanced/market",
-            },
-            {
-              text: "Websocket",
-              link: "/developer/develop/advanced/websocket",
-            },
-            {
-              text: "File upload",
-              link: "/developer/develop/advanced/file-upload",
-            },
-            {
-              text: "Secret",
-              link: "/developer/develop/advanced/secret",
-            },
-            {
-              text: "Kubesphere",
-              link: "/developer/develop/advanced/kubesphere",
-            },
-          ],
-        },
-
+        //  {
+        //   text: "Advanced",
+        //   collapsed: true,
+        //  items: [
+        //    {
+        //       text: "terminus-info",
+      //      link: "/developer/develop/advanced/terminus-info",
+        //     },
+        //     {
+        //       text: "Service provider",
+      //      link: "/developer/develop/advanced/provider",
+        //      },
+        //     {
+        //        text: "AI",
+      //        link: "/developer/develop/advanced/ai",
+        //       },
+        //      { text: "Cookie", link: "/developer/develop/advanced/cookie" },
+        //     { text: "Database", link: "/developer/develop/advanced/database" },
+        //     {
+        //       text: "Account",
+      //       link: "/developer/develop/advanced/account",
+        //      },
+        //     {
+        //       text: "Market",
+      //       link: "/developer/develop/advanced/market",
+        //      },
+        //       {
+        //       text: "Websocket",
+      //       link: "/developer/develop/advanced/websocket",
+        //     },
+        //      {
+        //       text: "File upload",
+      //       link: "/developer/develop/advanced/file-upload",
+        //      },
+        //     {
+        //       text: "Secret",
+      //       link: "/developer/develop/advanced/secret",
+        //      },
+        //      {
+        //        text: "Kubesphere",
+      //      link: "/developer/develop/advanced/kubesphere",
+        //      },
+      //   ],
+        //   },
         {
           text: "Submit application",
           collapsed: true,
@@ -793,7 +781,7 @@ export const en = defineConfig({
     socialLinks: [{ icon: "github", link: "https://github.com/beclab/olares" }],
 
     nav: [
-      { text: "Olares", link: "/manual/docs-home" },
+      { text: "Olares", link: "/manual/overview" },
       { text: "Olares Space", link: "/space/" },
       { text: "Use Cases", link: "/use-cases/" },
       { text: "Developer Guide", link: "/developer/install/" },

docs/.vitepress/zh.ts

@@ -3,30 +3,26 @@ import { defineConfig, type DefaultTheme } from "vitepress";
 const side = {
   "/zh/manual/": [
     {
-      text: "文档站",
-      link: "/zh/manual/docs-home",
+      text: "Olares 是什么？",
+      link: "/zh/manual/overview",
       items: [
         // { text: "应用场景", link: "/zh/manual/why-olares" },
         //{ text: "功能对比", link: "/zh/manual/feature-overview" },
-        { text: "系统架构", link: "/zh/manual/system-architecture" },
         { text: "比较 Olares 和 NAS", link: "/zh/manual/olares-vs-nas" },
-        {
-          text: "帮助与支持",
-          collapsed: true,
-          items: [
-            { text: "常见问题", link: "/zh/manual/help/faqs" },
-            {
-              text: "技术支持",
-              link: "/zh/manual/help/request-technical-support",
-            },
+        {text: "帮助与支持", link: "/zh/manual/help/request-technical-support",}
+        //      collapsed: true,
+        //      items: [
+        //     { text: "常见问题", link: "/zh/manual/help/faqs" },
+        //     {
+        //       text: "技术支持",
+      //      link: "/zh/manual/help/request-technical-support",
+        //       },
             //     {
             //       text: "Troubleshooting Guide",
             //       link: "/zh/manual/help/troubleshooting-guide",
             //     },
           ],
         },
-      ],
-    },
     {
       text: "快速开始",
       collapsed: false,
@@ -196,16 +192,9 @@ const side = {
           "collapsed": true,
           "link": "/zh/manual/olares/settings/",
           "items": [
+            {"text": "我的 Olares", link: "/zh/manual/olares/settings/my-olares"},
             {
-              "text": "我的 Olares",
-              "collapsed": true,
-              "items": [
-                {text: "账户与设备", link: "/zh/manual/olares/settings/my-olares"},
-                {text: "更新系统", link: "/zh/manual/olares/settings/update"},
-              ],
-            },
-            {
-              "text": "管理账户",
+              "text": "管理用户",
               "collapsed": true,
               "items": [
                 {
@@ -213,7 +202,7 @@ const side = {
                   "link": "/zh/manual/olares/settings/roles-permissions",
                 },
                 {
-                  "text": "创建成员账户",
+                  "text": "创建管理用户",
                   "link": "/zh/manual/olares/settings/manage-team",
                 }
               ],
@@ -233,16 +222,16 @@ const side = {
               ],
               },
             {
-              "text": "管理集成", 
+              "text": "管理集成",
               "link":"/zh/manual/olares/settings/integrations",
              },
              {
-              "text": "自定义外观", 
+              "text": "自定义外观",
               "link":"/zh/manual/olares/settings/language-appearance",
              },
             {text: "管理 VPN", link: "/zh/manual/olares/settings/remote-access",},
             {
-              "text": "配置网络", 
+              "text": "配置网络",
               "collapsed": true,
               "items": [
                 {
@@ -250,7 +239,7 @@ const side = {
                   "link": "/zh/manual/olares/settings/change-frp",
                 },
                 {
-                  "text": "设置 hosts 文件", 
+                  "text": "设置 hosts 文件",
                   "link":"/zh/manual/olares/settings/set-up-hosts",
                 },
               ],
@@ -299,7 +288,7 @@ const side = {
       collapsed: true,
       link: "/zh/manual/concepts/",
       items: [
-        { text: "架构", link: "/zh/manual/concepts/architecture" },
+        { text: "系统架构", link: "/zh/manual/concepts/system-architecture" },
         { text: "Olares ID",
           link: "/zh/manual/concepts/olares-id",
           collapsed: true,
@@ -626,52 +615,52 @@ const side = {
             },
           ],
         },
-        {
-          text: "进阶",
-          collapsed: true,
-          items: [
-            {
-              text: "terminus-info",
-              link: "/zh/developer/develop/advanced/terminus-info",
-            },
-            {
-              text: "Service Provider",
-              link: "/zh/developer/develop/advanced/provider",
-            },
-            {
-              text: "AI",
-              link: "/zh/developer/develop/advanced/ai",
-            },
-            { text: "Cookie", link: "/zh/developer/develop/advanced/cookie" },
-            { text: "数据库", link: "/zh/developer/develop/advanced/database" },
-            {
-              text: "账户",
-              link: "/zh/developer/develop/advanced/account",
-            },
-            {
-              text: "应用市场",
-              link: "/zh/developer/develop/advanced/market",
-            },
+      //  {
+        //      text: "进阶",
+        //     collapsed: true,
+        //    items: [
+        //      {
+        //        text: "terminus-info",
+      //       link: "/zh/developer/develop/advanced/terminus-info",
+        //      },
+        //      {
+        //       text: "Service Provider",
+      //       link: "/zh/developer/develop/advanced/provider",
+        //      },
+        //     {
+        //       text: "AI",
+      //       link: "/zh/developer/develop/advanced/ai",
+        //     },
+        //      { text: "Cookie", link: "/zh/developer/develop/advanced/cookie" },
+        //      { text: "数据库", link: "/zh/developer/develop/advanced/database" },
+        //     {
+        //       text: "账户",
+      //       link: "/zh/developer/develop/advanced/account",
+        //      },
+        //      {
+        //       text: "应用市场",
+      //       link: "/zh/developer/develop/advanced/market",
+        //      },
             // {
             //   text: "Analytic",
             //   link: "/zh/developer/develop/advanced/analytic",
             // },
-            {
-              text: "Websocket",
-              link: "/zh/developer/develop/advanced/websocket",
-            },
-            {
-              text: "文件上传",
-              link: "/zh/developer/develop/advanced/file-upload",
-            },
+        //       {
+        //        text: "Websocket",
+      //        link: "/zh/developer/develop/advanced/websocket",
+        //      },
+        //      {
+        //        text: "文件上传",
+      //       link: "/zh/developer/develop/advanced/file-upload",
+      //      },
             // {
             //   text: "Rss",
             //   link: "/zh/developer/develop/advanced/rss",
             // },
-            {
-              text: "密钥",
-              link: "/zh/developer/develop/advanced/secret",
-            },
+    //      {
+    //         text: "密钥",
+      //         link: "/zh/developer/develop/advanced/secret",
+        //      },
             // {
             //   text: "Notification",
             //   link: "/zh/developer/develop/advanced/notification",
@@ -680,13 +669,12 @@ const side = {
             //   text: "Frontend",
             //   link: "/zh/developer/develop/advanced/frontend",
             // },
-            {
-              text: "Kubesphere",
-              link: "/zh/developer/develop/advanced/kubesphere",
-            },
-          ],
-        },
-
+    //        {
+    //          text: "Kubesphere",
+    //          link: "/zh/developer/develop/advanced/kubesphere",
+    //         },
+    //       ],
+    //      },
         {
           text: "提交应用",
           collapsed: true,
@@ -815,7 +803,7 @@ export const zh = defineConfig({
     socialLinks: [{ icon: "github", link: "https://github.com/beclab/olares" }],
 
     nav: [
-      { text: "Olares", link: "zh/manual/docs-home" },
+      { text: "Olares", link: "zh/manual/overview" },
       { text: "Olares Space", link: "/zh/space/" },
       { text: "应用示例", link: "/zh/use-cases/" },
       { text: "开发者文档", link: "/zh/developer/install/" },

docs/manual/best-practices/install-olares-multi-node.md

@@ -150,7 +150,7 @@ Once your cluster is set up, changes in network configurations can disrupt the m
 
 ## Learn more
 
-- [Olares system architecture](../system-architecture.md#distributed-file-system): Understand the distributed file system that underpins Olares, ensuring scalability, high availability, and seamless data management.
+- [Olares system architecture](../concepts/system-architecture.md#distributed-file-system): Understand the distributed file system that underpins Olares, ensuring scalability, high availability, and seamless data management.
 - [The system daemon: olaresd](../../developer/install/installation-overview.md#system-daemon-olaresd): Learn about the central system process that orchestrates and manages core Olares functions.
 - [Data](../concepts/data.md#juicefs): Dive into how Olares leverages JuiceFS to provide a unified file system for efficient data storage and retrieval.
 - [Olares CLI](../../developer/install/cli/olares-cli.md): Explore the command-line interface for managing Olares installation.

docs/manual/concepts/system-architecture.md

@@ -59,14 +59,14 @@ Currently, Olares GPU support is restricted to deployments with one GPU per node
 Starting with Olares v1.11, [CUDA](https://developer.nvidia.com/cuda-toolkit) (12.4 and above) is supported. Changes in the host environment's CUDA configuration can be synchronized with the Olares cluster using `olares-cli`.
 
 ### Container management
-Olares uses [containerd](../developer/install/installation-overview.md#container-runtime-containerd), a lightweight container runtime, for containerized deployments.
+Olares uses [containerd](../../developer/install/installation-overview.md#container-runtime-containerd), a lightweight container runtime, for containerized deployments.
 
 ### Olares Controller Panel
 
 The management of Olares is implemented through the following:
 
-- [olares-cli](../developer/install/cli/olares-cli.md): A command-line tool for managing Olares clusters, applications, and hardware nodes.
-- [olaresd](../developer/install/installation-overview.md#container-runtime-containerd): A daemon process that monitors hardware and network changes, while also managing cluster upgrades, restarts, and other maintenance operations.
+- [olares-cli](../../developer/install/cli/olares-cli.md): A command-line tool for managing Olares clusters, applications, and hardware nodes.
+- [olaresd](../../developer/install/installation-overview.md#container-runtime-containerd): A daemon process that monitors hardware and network changes, while also managing cluster upgrades, restarts, and other maintenance operations.
 
 These tools streamline installation, maintenance, and scaling for Olares.
 
@@ -215,6 +215,6 @@ The console for Olares, providing precise and autonomous control over the system
 A development tool for building and deploying Olares applications.
 
 ## Learn more
-- To get started with Olares, see the [Getting Started guide](get-started/index.md).
-- To learn more about the internals of Olares, see the topics in [Concept](concepts/index.md).
-- For in-depth details about how each component of Olares is orchestrated, see [Olares installation overview](../developer/install/index.md).
+- To get started with Olares, see the [Getting Started guide](../get-started/index.md).
+- To learn more about the internals of Olares, see the topics in [Concept](index.md).
+- For in-depth details about how each component of Olares is orchestrated, see [Olares installation overview](../../developer/install/index.md).

docs/manual/get-started/install-olares.md

@@ -38,10 +38,10 @@ While these specific versions are confirmed to work, the process may still work
 
 In your terminal, run the following command:
 
-<!--@include: ./reusables.md{4,33}-->
+<!--@include: ./reusables.md{4,36}-->
 
 <!--@include: ./activate-olares.md-->
 
 <!--@include: ./log-in-to-olares.md-->
 
-<!--@include: ./reusables.md{35,39}-->
+<!--@include: ./reusables.md{38,42}-->

docs/manual/get-started/log-in-to-olares.md

@@ -3,7 +3,7 @@ search: false
 ---
 ## Log in to Olares
 
-1. Enter the Olares desktop address in your browser, and press any key to continue.
+1. Enter the Olares desktop address (`https://desktop.{olares-id}.olares.com`) in your browser, and press any key to continue.
 2. On the login page, enter your Olares login password.
 
    ![Log in](/images/manual/get-started/log-in.png#bordered)

docs/manual/larepass/index.md

@@ -1,4 +1,5 @@
 ---
+description: User documentation for LarePass. Learn how to access and manage Olares through the LarePass client, including account management, file synchronization, device management, system upgrade, password management, and content collection.
 outline: [2, 3]
 ---
 
@@ -26,6 +27,7 @@ Access and sync your Olares files across devices.
 ### Device & network management
 Activate and manage Olares devices, and securely connect to Olares via LarePass VPN.
 - [Activate your Olares device](activate-olares.md)
+- [Upgrade Olares](manage-olares.md#upgrade-olares)
 - [Log in to Olares with 2FA](activate-olares.md#two-factor-verification-with-larepass)
 - [Manage Olares](manage-olares.md)
 - [Switch networks](manage-olares.md#switch-from-wired-to-wireless-network)

docs/manual/larepass/manage-olares.md

@@ -1,6 +1,6 @@
 # Manage Olares with LarePass
 
-The LarePass app allows you to easily manage your Olares device. You can monitor system status, manage network connections, perform remote controls, and access key device information from your phone.
+The LarePass app allows you to easily manage your Olares device. You can upgrade Olares，monitor system status, manage network connections, perform remote controls, and access key device information from your phone.
 
 This guide walks you through the core management features available in LarePass.
 
@@ -20,6 +20,24 @@ To access the Olares management page:
 1. Open LarePass app, and go to **Settings**.
 2. Tap your Olares ID to enter the Olares management interface.
 
+## Upgrade Olares
+
+:::warning Olares admin required
+Only Olares admin can perform system updates. Updates will apply to all members within the same Olares cluster.
+:::
+
+When a new version of Olares is available, you’ll see a `Found new version` prompt on the **Olares management** page.
+
+![Upgrade Olares](/images/manual/larepass/olares-upgrade.png#bordered)
+
+1. Tap on the version prompt, for example, `Found new version 1.12.0-20250728`.
+2. Select an upgrade method:
+    - **Download and upgrade**: Olares will download the update package and install it immediately. The system is temporarily unavailable during the upgrade process.
+    - **Download only**: Only downloads the update package. You can trigger the upgrade later when convenient, and Olares remains available during the download.
+
+3. Confirm the option. A progress indicator on LarePass will show the operation status. If you selected **Download only**, you need to tap **Upgrade now** to start upgrade after download completes.
+4. Wait for the upgrade to complete. Olares will resume normal operation when the upgrade finishes. You can verify the update by checking the **System version** shown in the device card at the top of the **Olares management** page.
+
 ## Remote device control
 
 In the upper-right corner of the Olares management page, tap the <i class="material-symbols-outlined">power_settings_new</i> icon to access remote control options:

docs/manual/olares/settings/gpu-resource.md

@@ -19,7 +19,7 @@ Currently, only Nvidia GPU is supported.
 
 Olares supports three GPU allocation modes. Choosing the right mode helps optimize performance based on your needs.
 
-### Time slicing 
+### Time Slicing 
 
 In this mode, the GPU's processing power is shared among multiple applications.  
 
@@ -27,14 +27,14 @@ In this mode, the GPU's processing power is shared among multiple applications.
 
 * Suitable for General-purpose use and running multiple lightweight applications.
 
-### App exclusive
+### App Exclusive
 
 In this mode, the entire GPU processing power and memory is dedicated to a single application. 
 
 * Best for intensive, performance-critical applications like AI-generated imagery or high-performance gaming servers.
 * Large memory demands may limit availability for other tasks.
 
-### Memory slicing
+### Memory Slicing
 In this mode, GPU memory (VRAM) is partitioned into fixed, dedicated amounts for specific applications.
 
 * Ideal for running multiple GPU-intensive applications simultaneously, each with guaranteed VRAM allocation.
@@ -44,41 +44,43 @@ In this mode, GPU memory (VRAM) is partitioned into fixed, dedicated amounts for
 
 To view your GPU status:
 
-1. Navigate to **Settings > GPU**. The GPU list shows each GPU’s model, associated node, total VRAM, and current GPU mode.
+1. Navigate to **Settings** > **GPU**. The GPU list shows each GPU’s model, associated node, total VRAM, and current GPU mode.
 2. Click on a specific GPU to visit its details.
 
 ::: tip Note
-If your Olares only contains one GPU, navigating to the GPU section will take you directly to the GPU details page. If you have multiple GPUs, you will see a list first.
+If your Olares only has one GPU, navigating to the GPU section will take you directly to the GPU details page. If you have multiple GPUs, you will see a list first.
 :::
 
 ## Configure GPU mode
 
 On the **GPU details** page, select your desired mode from the **GPU mode** dropdown. Depending on your selected mode, different follow-up options apply.
 
-* **Time slicing**：   
+* **Time Slicing**：
   1. Select this mode from the GPU mode dropdown.
-  2. In the **Application pinning** section, click **+Add an application** button to manually pin an application to this specific GPU in a multi-GPU setup.
+  2. In the **Pin application** section, click **+Add an application** to manually pin an application to this specific GPU in a multi-GPU setup.
+
+  ![Time slicing](/images/manual/olares/gpu-time-slicing.png#bordered)
 
 :::tip Note
 No manual pinning is required if you only have one GPU in your cluster.
 :::
   
-* **App exclusive**
+* **App Exclusive**
   1. Select this mode from the GPU mode dropdown.
   2. In the **Select exclusive app** dropbox, choose your target application.
   3. Click **Confirm**.
     ![App exclusive](/images/manual/olares/gpu-app-exclusive.png#bordered)
 
-* **Memory slicing**
-    1. Select this mode from the dropdown.
-    2. In the **Allocate VRAM** section, click **Add application**. 
-    3. Select your target application and assign it a specific amount of VRAM (in GB).
-    4. Repeat for other applications and click **Confirm**.
-       ![VRAM slicing](/images/manual/olares/gpu-memory-slicing.png#bordered)
+  * **Memory Slicing**
+      1. Select this mode from the dropdown.
+      2. In the **Allocate VRAM** section, click **Add an application**. 
+      3. Select your target application and assign it a specific amount of VRAM (in GB).
+      4. Repeat for other applications and click **Confirm**.
+         ![VRAM slicing](/images/manual/olares/gpu-memory-slicing.png#bordered)
      
-  ::: tip Note
-  You can't assign a VRAM that's larger than the total VRAM.
-   :::
+    ::: tip Note
+    You can't assign a VRAM that's larger than the total VRAM.
+    :::
 
 ## Learn more
 - [Monitor GPU usage in Olares](../resources-usage.md)

docs/manual/olares/settings/manage-team.md

@@ -2,68 +2,76 @@
 description: Comprehensive guide to managing teams in Olares, including creating accounts, assigning roles, setting permissions, and maintaining efficient team collaboration within your Olares cluster.
 ---
 # Manage your team
-As an administrator, you can create and manage team members while ensuring optimal system performance through efficient resource controls.
+As an administrator, you can create and manage users in your team while ensuring system security and resource efficiency.
+
+:::tip Note on role permissions
+As an administrator, Super Admin and Admin share most system management permissions, but only the **Super Admin** can create or remove Admin accounts. Admins can only create and manage Member accounts. See [Roles and permissions](roles-permissions.md) for more information.
+:::
+
+![Manage users](/images/manual/olares/manage-users.png#bordered)
+
 ## Before you begin
 Ensure that:
 
-* You have Olares admin privileges
+* You have Super Admin or Admin privileges
 * Your system has sufficient available resources
-* Team members have created their Olares IDs
+* The new users have created their Olares IDs
 
-    :::info
-    When creating a new member account in Olares, make sure the domain part of their Olares ID matches yours.
-    :::
-## Create a new member
+:::info
+When creating a new user in Olares, make sure the domain part of their Olares ID matches yours.
+:::
+## Create a new user
 
-1. Navigate to the page **Settings** > **Account**.
+1. Navigate to the page **Settings** > **Users**.
 2. Click **Create account**.
 3. In the dialog, fill in the required fields.
    - **Olares ID**: Enter the local name only.
+   - **Role**: Choose **Member** or **Admin** (only Super Admin can assign this role).
    - **CPU**: Allocate CPU cores (minimum 1 core)
    - **Memory**: Allocate memory (minimum 3GB)
 4. Click **Save**.
    Once created, you will see activation credentials for the specific Olares ID:
    - Activation wizard URL
    - One-time password
-5. Share activation credentials with the new member.
+5. Share activation credentials with the new user.
 
-You can verify whether they have completed the activation in the **Accounts** page.
+You can verify whether they have completed the activation in the **Users** page.
 
 :::tip
-New members can activate their account through the wizard without installing Olares locally.
+New users can activate their account through the wizard without installing Olares locally.
 For detailed instructions, see [Activate Olares](../../get-started/activate-olares).
 :::
 
-## Remove a member
+## Remove a user
 :::warning
 Ensure users backup important data before deletion - some data cannot be recovered.
 :::
 
-1. Navigate to the page **Settings** > **Account**.
-2. Click the member you want to delete to view its account details.
+1. Navigate to the page **Settings** > **Users**.
+2. Click the user you want to delete to view its account details.
 3. Scroll to the bottom, and click **Delete user**.
 4. In the dialog, click **OK** to confirm.
 
 ## Manage resource quotas
-You can adjust the allocated resources for members in your Olares cluster.
+You can adjust the allocated resources for users in your Olares cluster.
 
-1. Navigate to the page **Settings** > **Account**.
-2. Click the member you need to adjust resource quotas.
+1. Navigate to the page **Settings** > **Users**.
+2. Click the user you need to adjust resource quotas.
 3. In the **Account info** page, scroll to the bottom and click **Modify limits**.
 4. In the dialog, adjust CPU and memory quotas.
 5. Click **OK** to apply changes.
 
 ## Reset passwords
-1. Navigate to the page **Settings** > **Account**.
-2. Click the member you need to reset password fo.
+1. Navigate to the page **Settings** > **Users**.
+2. Click the user whose password you need to reset.
 3. In the **Account info** page, scroll down and click **Reset password**. The new password will be generated immediately.
-4. Share the new password with the member.
+4. Share the new password with the user.
 
 ## FAQ
 ### Why can't I create a new user?
-If you're an administrator:
 
-* Ensure the new member has obtained their Olares ID. See [Create an Olares ID](../../get-started/create-olares-id).
+* You must be a Super Admin to create a new Admin. You must be a Super Admin or Admin to create a new Member.
+* Ensure the new user has obtained their Olares ID. See [Create an Olares ID](../../get-started/create-olares-id).
 * The name you entered is correctly spelled.
 * There are sufficient system resources to allocate.
 

docs/manual/olares/settings/my-olares.md

@@ -9,6 +9,8 @@ The **My Olares** page in **Settings** serves as your central hub for managing y
 
 To access My Olares, open **Settings** and click your avatar in the top-left corner.
 
+![My Olares](/images/manual/olares/my-olares.png#bordered)
+
 ## Olares Space
 
 Check your subscribed plan details and usage in Olares Space, including reverse proxy solution, backup storage, and traffic consumption. Log in to Olares Space as prompted to use this feature.
@@ -37,6 +39,11 @@ Define system-level access and authentication policies to control how users conn
 
 Review a detailed record of all login attempts to your Olares account. Each entry displays the **Time**, **Status**, **Source IP Address**, and the **Reason for the attempt**.
 
+## Current Version
+
+Check the current version of your Olares. If a new version is available, go to the **Settings > Olares management** page in the LarePass mobile client to complete the system upgrade.  
+For detailed steps, see [Upgrade Olares](../../larepass/manage-olares.md#upgrade-olares).
+
 ## Device management
 
 The **Devices** section allows you to view and manage all devices authorized to access your Olares. Each entry provides details about the connected device, such as its name, operating system, connection method, device IP address, and last connection time.

docs/manual/olares/settings/roles-permissions.md

@@ -7,40 +7,30 @@ Olares supports multi-user operations, allowing multiple users to access the sys
 
 ## Role types
 Olares has two default user roles:
-- **Admin**: Automatically assigned to the first user who activates and logs into Olares
-- **Member**: Standard user role with limited permissions
 
-<table>
-    <tr>
-        <td><b>Role</b></td>
-        <td><b>Permissions</b></td>
-    </tr>
-    <tr>
-        <td>Member</td>
-        <td>
-            <ul>
-                <li>Use system apps: Files, Vault, Wise, Profile, Dashboard, and Control Hub</li>
-                <li>Enable VPN for private entrances</li>
-                <li>Connect to Olares Space</li>
-                <li>Customize app entrances</li>
-                <li>Install regular apps in Market</li>
-                <li>Access shared vaults with assigned read/write permissions</li>
-                <li>View basic system status in Control Hub</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>Admin</td>
-        <td>
-        All Member permissions, plus:
-            <ul>
-                <li>Create and manage user accounts</li>
-                <li>Manage vault teams, create shared vaults, and assign read/write permissions for shared vaults</li>
-                <li>Install and manage shared applications</li>
-                <li>Monitor and manage system resources</li>
-                <li>Set GPU usage mode</li>
-                <li>Update Olares</li>
-            </ul>
-        </td>
-    </tr>
-</table>
+- **Super Admin**: The first user to activate and log into Olares. Has full, unrestricted control of the system and can create other Admin and Member accounts.
+- **Admin**: Created by the Super Admin. Has nearly the same system management permissions as the Super Admin. **Can only create and manage Members**, not other Admin accounts.
+- **Member**: Standard users created by Super Admin or Admin, with limited system resources and access permissions.
+
+This structure ensures organizations can scale Olares management securely, with multiple Admins sharing responsibility while the Super Admin retains ultimate authority.
+
+## Role permissions
+
+| Permission Area | Member | Admin | Super Admin |
+|-----------------|--------|-------|-------------|
+| Use system apps (Files, Vault, Wise, Profile, Dashboard, Control Hub) | ✅ | ✅ | ✅ |
+| Enable VPN for private entrances | ✅ | ✅ | ✅ |
+| Connect to Olares Space | ✅ | ✅ | ✅ |
+| Customize app entrances | ✅ | ✅ | ✅ |
+| Install regular apps from Market | ✅ | ✅ | ✅ |
+| Access shared vaults with assigned permissions | ✅ | ✅ | ✅ |
+| View basic system status in Control Hub | ✅ | ✅ | ✅ |
+| Manage Vault teams & shared vaults | ❌ | ✅ | ✅ |
+| Install and manage shared apps | ❌ | ✅ | ✅ |
+| Monitor and manage system resources | ❌ | ✅ | ✅ |
+| Set GPU usage modes | ❌ | ✅ | ✅ |
+| Update Olares versions | ❌ | ✅ | ✅ |
+| Create, edit, and delete Members | ❌ | ✅ | ✅ |
+| Create, edit, and delete Admins | ❌ |❌| ✅ |
+
+

docs/manual/overview.md

@@ -10,10 +10,6 @@ This documentation provides a preview of features for an upcoming Olares version
 
 Olares is an open-source personal cloud operating system designed to empower you to own and manage your digital assets locally. Instead of relying on public cloud services, you can deploy powerful open-source alternatives locally on Olares, such as Ollama for hosting LLMs, SD WebUI for image generation, and Mastodon for building censor free social space. Imagine the power of the cloud, but with you in complete command.
 
-With Olares, self-hosting is no longer a daunting task. It simplifies complex processes like network setup, domain management, and service orchestration, enabling both beginners or experienced users to focus on what truly matters.
-
-Privacy and independence are at the core of Olares. It is perfect for individuals or teams who want to avoid relying on centralized platforms. Your data stays on your hardware, and all tasks are processed locally, so your sensitive information never leaves your control. Olares gives you complete ownership of your data and infrastructure without sacrificing performance or simplicity.
-
 <div class="cta">
   <a href="./get-started/">
     <div class="content">
@@ -24,6 +20,16 @@ Privacy and independence are at the core of Olares. It is perfect for individual
   </a>
 </div>
 
+## Core components
+
+Olares comprises the following core components:
+
+- [**Olares ID**](./concepts/olares-id.md): A decentralized identity and credit system that facilitates secure, trustless exchanges of information and value. It serves as your digital identity across the Olares ecosystem.
+
+- [**Olares OS**](https://github.com/beclab/Olares): An open-source, self-hosted operating system that transforms edge devices into robust personal cloud.
+
+- [**LarePass**](./larepass): A secure, cross-platform client that bridges you and your Olares system. It provides seamless access, unified identity management, fast file synchronization, and comprehensive device management across all your devices.
+
 ## Highlighted features
 
 Olares offers a wide array of features designed to enhance security, ease of use, and development flexibility:

docs/zh/manual/best-practices/install-olares-multi-node.md

@@ -150,7 +150,7 @@ olares-cli olares uninstall
 
 ## 了解更多
 
-- [Olares 系统架构](../system-architecture.md#分布式存储)：了解支持 Olares 的分布式文件系统，确保可扩展性、高可用性以及无缝的数据管理。
+- [Olares 系统架构](../concepts/system-architecture.md#分布式存储)：了解支持 Olares 的分布式文件系统，确保可扩展性、高可用性以及无缝的数据管理。
 - [系统守护进程](../../developer/install/installation-overview.md#系统守护进程olaresd)：olaresd：了解 orchestrates 和管理 Olares 核心功能的中央系统进程。
 - [数据](../concepts/data.md#juicefs)：探索 Olares 如何利用 JuiceFS 提供统一文件系统，实现高效的数据存储和检索。
 - [Olares CLI](../../developer/install/cli/olares-cli.md)：深入了解用于管理 Olares 安装的命令行工具。

docs/zh/manual/concepts/system-architecture.md

@@ -59,14 +59,14 @@ Olares 目前的 GPU 管理功能仅支持单节点单 GPU 的部署场景。
 从 Olares v1.11 开始，支持 [CUDA](https://developer.nvidia.com/cuda-toolkit)（12.4 及以上版本）。当宿主机环境的 CUDA 配置变更时，可以通过 `olares-cli` 通知 Olares 集群进行配置。
 
 ### 容器管理
-Olares 使用轻量级容器运行时 [containerd](../developer/install/installation-overview.md#容器运行时containerd) 进行容器化部署。
+Olares 使用轻量级容器运行时 [containerd](../../developer/install/installation-overview.md#容器运行时containerd) 进行容器化部署。
 
 ### Olares Controller Panel
 
 Olares 的集群管理通过以下工具实现：
 
-- [olares-cli](../developer/install/cli/olares-cli.md)：命令行工具，用于管理 Olares 集群、应用和硬件节点等。
-- [olaresd](../developer/install/installation-overview.md#系统守护进程olaresd)：Olares 的守护进程，用于监控硬件和网络变更、处理集群升级和重启等。
+- [olares-cli](../../developer/install/cli/olares-cli.md)：命令行工具，用于管理 Olares 集群、应用和硬件节点等。
+- [olaresd](../../developer/install/installation-overview.md#系统守护进程olaresd)：Olares 的守护进程，用于监控硬件和网络变更、处理集群升级和重启等。
 
 这些工具简化了 Olares 的安装、维护和扩展过程。
 
@@ -215,6 +215,6 @@ Olares 的控制台，提供对系统及其环境的精确和自主控制。
 用于构建和部署 Olares 应用的开发工具。
 
 ## 了解更多
-- 要开始使用 Olares，请参阅[快速开始](get-started/index.md)。
-- 要深入了解 Olares 的内部原理，请参阅[概念](concepts/index.md)中的主题。
-- 要详细了解 Olares 中各组件如何被编排，请参阅 [Olares 安装概述](../developer/install/index.md)。
+- 要开始使用 Olares，请参阅[快速开始](../get-started/index.md)。
+- 要深入了解 Olares 的内部原理，请参阅[概念](index.md)中的主题。
+- 要详细了解 Olares 中各组件如何被编排，请参阅 [Olares 安装概述](../../developer/install/index.md)。

docs/zh/manual/get-started/install-olares.md

@@ -33,10 +33,10 @@ description: 在 Linux 系统上通过一键脚本，快速上手 Olares。
 
 在 Linux 命令行中，执行以下命令：
 
-<!--@include: ./reusables.md{4,28}-->
+<!--@include: ./reusables.md{4,32}-->
 
 <!--@include: ./activate-olares.md-->
 
 <!--@include: ./log-in-to-olares.md-->
 
-<!--@include: ./reusables.md{30,34}-->
+<!--@include: ./reusables.md{34,38}-->

docs/zh/manual/larepass/index.md

@@ -1,6 +1,6 @@
 ---
 outline: [2, 3]
-description: LarePass 用户文档。了解 LarePass 的核心功能与使用方法，包括账户管理、文件同步、设备与网络管理、密码管理，内容收藏等，并提供下载与安装指南。
+description: LarePass 用户文档。了解 LarePass 的核心功能与使用方法，包括账户管理、文件同步、设备与网络管理、系统升级、密码管理，内容收藏等，并提供下载与安装指南。
 ---
 
 # LarePass 使用文档
@@ -26,6 +26,7 @@ description: LarePass 用户文档。了解 LarePass 的核心功能与使用方
 ### 设备管理
 激活并管理 Olares 设备，通过 LarePass VPN 安全连接。
 - [激活 Olares 设备](activate-olares.md)
+- [升级 Olares](manage-olares.md#升级-olares)
 - [双因素登录 Olares](activate-olares.md#使用-larepass-进行双因素验证)
 - [管理 Olares](manage-olares.md)
 - [切换有线/无线网络](manage-olares.md#有线切换至无线)

docs/zh/manual/larepass/manage-olares.md

@@ -4,7 +4,7 @@ description: 使用 LarePass 移动端远程管理 Olares，包括监控状态
 
 # 使用 LarePass 管理 Olares
 
-**LarePass** 应用让你在手机端即可远程管理 Olares 设备：监控系统状态、配置网络、执行远程控制，并查看关键设备信息。
+**LarePass** 应用让你在手机端即可远程管理 Olares 设备：升级 Olares，监控系统状态、配置网络、执行远程控制，并查看关键设备信息。
 
 ## 前提条件
 
@@ -20,11 +20,30 @@ description: 使用 LarePass 移动端远程管理 Olares，包括监控状态
 1. 打开 LarePass，进入**设置**。  
 2. 点击你的 **Olares ID**，进入 Olares 管理页面。  
 
+
+## 升级 Olares
+
+:::warning 仅管理员可以升级
+只有 Olares 管理员可以执行系统更新。更新将应用于同一 Olares 集群内的所有用户。
+:::
+
+当有新的 Olares 版本可用时，你将在 **Olares 管理** 页面看到`发现新版本`提示。
+
+![升级设备](/images/zh/manual/larepass/olares-upgrade.png#bordered))
+
+1. 点击版本提示，例如`发现新版本 1.12.0-20250728`。
+2. 选择升级方式：
+   - **下载并升级**：Olares 将立即下载更新包并安装。在升级过程中系统将暂时不可用。
+   - **仅下载**：只下载更新包，您可以在方便的时候手动触发升级。在下载过程中，Olares 可继续使用。
+3. 确认操作。LarePass 上将显示操作进度指示，Olares 会进入升级页面。  
+   如果选择了**仅下载**，下载完成后你需要点击**立即升级**才会开始安装。
+4. 等待升级完成。升级结束后 Olares 会自动恢复正常运行。你可以在**Olares 管理**页面顶部的设备卡片查看系统版本以确认升级是否成功。
+
 ## 远程设备控制
 
 在 Olares 管理页右上角点击 <i class="material-symbols-outlined">power_settings_new</i>，可执行：
 
- ![控制设备](/images/zh/manual/larepass/device-control.png)
+ ![控制设备](/images/zh/manual/larepass/device-control.png#bordered))
 - **重启 Olares** – 设备将重启，状态显示 `正在重启`，约 5–8 分钟后恢复为 `Olares 运行中`。  
 - **关闭 Olares** – 设备关机，状态显示 `Olares 已关机`，需手动开机。  
 
@@ -36,7 +55,7 @@ description: 使用 LarePass 移动端远程管理 Olares，包括监控状态
 
 若 Olares 通过有线网络激活，可用 LarePass 切换至同一网络的 Wi-Fi：
 
-![Wi-Fi 切换](/images/zh/manual/larepass/switch-wifi.png)
+![Wi-Fi 切换](/images/zh/manual/larepass/switch-wifi.png#bordered))
 
 1. 在 Olares 管理页面，点击**Wi-Fi 配置**选项，进入**选择连接方式**页面。 
 2. 点击列表里的 Wi-Fi 网络以连接。 若 Wi-Fi 有密码，在弹出窗口里输入密码并确认。  
@@ -61,7 +80,7 @@ description: 使用 LarePass 移动端远程管理 Olares，包括监控状态
 
 如果在激活 Olares 时无法连接有线网络，或者 Olares 连接到的有线网络与你的手机网络不同，LarePass 在局域网里无法发现 Olares，你也无法顺利完成激活或设备管理。在这种情况下，可使用蓝牙配网功能将 Olares 连接到你手机的 Wi-Fi 网络。
 
-![蓝牙配网](/images/zh/manual/larepass/bluetooth-network.png)
+![蓝牙配网](/images/zh/manual/larepass/bluetooth-network.png#bordered))
 
 1. 在**未发现 Olares**提示页面底部，点击**蓝牙配网**选项。LarePass 将使用手机蓝牙扫描与当前登录账号匹配的 Olares 设备。
 
@@ -92,7 +111,7 @@ description: 使用 LarePass 移动端远程管理 Olares，包括监控状态
 ## 卸载 Olares
 
 此操作会将设备恢复到待安装状态，届时可在局域网重新扫描、安装并激活 Olares。
-![卸载 Olares](/images/manual/larepass/restore-to-factory.png)
+![卸载 Olares](/images/manual/larepass/restore-to-factory.png#bordered))
 
 ::: warning 谨慎操作
 该操作将永久删除所有账户信息与数据。

docs/zh/manual/olares/settings/gpu-resource.md

@@ -63,13 +63,16 @@ Olares 提供三种分配方式，可按场景灵活选择。
   1. 在 GPU 模式下拉菜单中选择该模式。
   2. 在**选择独占应用**下拉框中选择目标应用。
   3. 点击**确认**。
-         ![独占](/images/zh/manual/olares/gpu-app-exclusive.png#bordered)
-- **显存切片**：
+  ![独占](/images/zh/manual/olares/gpu-app-exclusive.png#bordered)
+- **显存分片**：
     1. 在下拉菜单中选择该模式。
     2. 在**分配显存**窗口，点击 **+ 添加应用**。
     3. 选择目标应用，并指定分配给该应用的显存大小（以 GB 为单位）。
     4. 如需为其他应用分配显存，可重复以上操作，然后点击**确认**。
        ![显存分片](/images/zh/manual/olares/gpu-memory-slicing.png#bordered)
+    ::: tip 注意
+    分配的显存必须小于显卡总显存。
+    :::
 
 ## 了解更多
 - [监控 Olares 中的显卡使用情况](../resources-usage.md)

docs/zh/manual/olares/settings/manage-team.md

@@ -1,9 +1,15 @@
 ---
-description: 在 Olares 中管理团队成员账户。掌握团队成员添加、权限设置和资源分配方法，提升团队运营效率。
+description: 在 Olares 中管理团队成员用户。掌握团队成员添加、权限设置和资源分配方法，提升团队运营效率。
 ---
 # 管理多用户
 
-Olares 支持多用户。作为管理员，你可以创建并管理团队成员，同时通过高效的资源控制确保系统的最佳性能。
+Olares 支持多用户。作为管理员，你可以创建并管理团队成员，同时确保系统安全和资源高效使用。
+
+:::tip 角色权限说明
+作为管理员角色，超级管理员和管理员在大多数系统管理权限上相同，但只有**超级管理员**可以创建或管理管理员用户。管理员只能创建和管理成员用户。详情见[角色与权限](roles-permissions.md)。
+:::
+
+![管理多用户](/images/zh/manual/olares/manage-users.png#bordered)
 
 ## 开始之前
 
@@ -14,40 +20,40 @@ Olares 支持多用户。作为管理员，你可以创建并管理团队成员
 * 团队成员已创建 Olares ID。
 
     :::info
-    在 Olares 中创建新成员账户时，请确保其 Olares ID 的域名部分与你的一致。
+    在 Olares 中创建新用户时，请确保其 Olares ID 的域名部分与你的一致。
     :::
 
-## 创建新成员
+## 创建新用户
 
-1. 进入**设置** > **账户**页面。
+1. 进入**设置** > **用户**页面。
 2. 点击**创建账户**。
 3. 在对话框中填写必填字段：
    - **Olares ID**：仅输入本地名称。
+   - **角色（Role）**：选择**成员**或**管理员**（只有超级管理员可以分配该角色）。
    - **CPU**：分配 CPU 核心（最低 1 核）。
    - **内存**：分配内存（最低 3GB）。
 4. 点击**保存**。
-
    创建完成后，你将看到该 Olares ID 的激活凭据：
    - 激活向导 URL
    - 一次性密码
 
-5. 将激活凭据分享给新成员。
+5. 将激活凭据分享给新用户。
 
-你可以在**账户**页面验证他们是否已完成激活。
+你可以在**用户**页面验证他们是否已完成激活。
 
 :::tip
-新成员无需本地安装 Olares 即可通过激活向导激活账户。
+新用户无需本地安装 Olares 即可通过激活向导激活用户。
 详细说明请参阅[激活 Olares](../../get-started/activate-olares){target="_blank"}。
 :::
 
-## 删除成员
+## 删除用户
 
-:::warning
+:::warning 注意
 确保用户在删除前备份重要数据——部分数据无法恢复。
 :::
 
-1. 进入**设置** > **账户**页面。
-2. 点击要删除的成员以查看其账户详情。
+1. 进入**设置** > **用户**页面。
+2. 点击要删除的用户以查看其用户详情。
 3. 滚动到页面底部，点击**删除用户**。
 4. 在对话框中点击**确定**。
 
@@ -55,25 +61,24 @@ Olares 支持多用户。作为管理员，你可以创建并管理团队成员
 
 你可以调整分配给 Olares 集群成员的资源。
 
-1. 进入**设置** > **账户**页面。
-2. 点击需要调整资源配额的成员。
-3. 在**账户信息**页面，滚动到底部，点击**修改限制**。
+1. 进入**设置** > **用户**页面。
+2. 点击需要调整资源配额的用户。
+3. 在**用户信息**页面，滚动到底部，点击**修改限制**。
 4. 在对话框中调整 CPU 和内存配额。
 5. 点击**确定**应用更改。
 
 ## 重置密码
 
-1. 进入**设置** > **账户**页面。
+1. 进入**设置** > **用户**页面。
 2. 点击需要重置密码的成员。
-3. 在**账户信息**页面，向下滚动，点击**重置密码**。新密码将即刻生成。
-4. 将新密码分享给成员。
+3. 在**用户信息**页面，向下滚动，点击**重置密码**。新密码将即刻生成。
+4. 将新密码分享给用户。
 
 ## 常见问题
 
 ### 为什么我无法创建新用户？
 
-如果你是管理员：
-
+* 你必须是超级管理员才可以创建管理员用户；你必须是超级管理员或管理员才可以创建成员用户。
 * 确保新成员已获取其 Olares ID。请参阅[创建 Olares ID](../../get-started/create-olares-id)。
 * 检查你输入的名称是否正确拼写。
-* 确保有足够的系统资源可供分配。
+* 确保有足够的系统资源可供分配。

docs/zh/manual/olares/settings/my-olares.md

@@ -7,6 +7,8 @@ description: 了解如何利用“我的 Olares”页面管理账户、设备、
 
 你可以通过设置中的**我的 Olares** 功能管理 Olares 账户、连接设备和安全策略。点击**设置**页面左上角的个人头像即可进入**我的 Olares**。
 
+![My Olares](/images/zh/manual/olares/my-olares.png#bordered)
+
 ## Olares Space
 在 Olares Space 中查看你的订阅计划详情和使用情况，包括反向代理方案、
 备份、流量消耗等。首次使用时需按提示登录 Olares Space。
@@ -30,6 +32,10 @@ description: 了解如何利用“我的 Olares”页面管理账户、设备、
   * **双因素**（推荐）：需要你的登录密码和 LarePass 生成的两步验证码，安全性更高。
   * **单因素**：仅需要你的登录密码（安全性较低）。
 
+## 当前版本
+
+查看当前 Olares 系统的版本。如果提示有可用的新版本，请转至 LarePass 手机客户端**设置** > **Olares 管理**页面下完成系统升级。详细步骤请参考[升级 Olares](../../larepass/manage-olares.md#升级-olares)
+
 ## 查看登录历史
 
 查看所有登录 Olares 账户的详细记录。每个登录条目包含登录时间、状态、源 IP 地址和登录原因等信息。

docs/zh/manual/olares/settings/roles-permissions.md

@@ -1,47 +1,37 @@
 ---
 description: Olares 团队中的用户角色和权限体系说明。了解不同角色的权限范围，确保团队成员安全高效协作。
 ---
+
 # 用户角色与权限
 
-Olares 支持多用户操作，允许多个用户同时访问系统。每位用户可以根据分配的角色和权限安全访问资源。
+Olares 支持多用户操作，允许多个用户同时访问和管理系统。 每个用户的能力取决于其分配的**角色**和相应的**权限**，以确保安全有序的访问。
 
 ## 角色类型
 
-Olares 提供两种默认用户角色：
-- **管理员 (Admin)**：首次激活并登录 Olares 的用户为管理员。
-- **成员 (Member)**：标准用户角色，权限受限。
+Olares 包含三种默认角色：
+
+- **超级管理员（Super Admin）** – 首位激活并登录 Olares 的用户。拥有系统的完全控制权，可以**创建、管理和删除**管理员和成员账户账户。
+- **管理员（Admin）** – 由超级管理员创建。拥有与超级管理员几乎相同的系统管理权限，但**只能创建和管理成员**，无法创建、管理或删除其他管理员账户。
+- **成员（Member）** – 标准用户，由管理员角色创建、管理。访问权限和系统资源受限。
+
+这一角色结构确保了组织能够在安全的前提下扩展 Olares 的管理能力，多个管理员可共同分担管理任务，而超级管理员保留最终的控制权。
+
+## 角色权限
+
+| 权限范围 | 成员 | 管理员 | 超级管理员 |
+|-----------------|--------|-------|-------------|
+| 使用系统应用 | ✅ | ✅ | ✅ |
+| 启用 VPN 访问私有入口 | ✅ | ✅ | ✅ |
+| 连接 Olares Space | ✅ | ✅ | ✅ |
+| 自定义应用入口 | ✅ | ✅ | ✅ |
+| 从 Market 安装普通应用 | ✅ | ✅ | ✅ |
+| 访问被分配权限的共享 Vault | ✅ | ✅ | ✅ |
+| 查看 Control Hub 中的基础系统状态 | ✅ | ✅ | ✅ |
+| 管理 Vault 团队和共享 Vault | ❌ | ✅ | ✅ |
+| 安装和管理共享应用 | ❌ | ✅ | ✅ |
+| 监控和管理系统资源 | ❌ | ✅ | ✅ |
+| 设置 GPU 使用模式 | ❌ | ✅ | ✅ |
+| 升级 Olares 系统 | ❌ | ✅ | ✅ |
+| 创建、编辑和删除成员 | ❌ | ✅ | ✅ |
+| 创建、编辑和删除管理员 | ❌ | ❌ | ✅ |
 
-<table>
-    <tr>
-        <td><b>角色</b></td>
-        <td><b>权限</b></td>
-    </tr>
-    <tr>
-        <td>成员</td>
-        <td>
-            <ul>
-                <li>使用系统应用：文件管理器、Vault、Wise、Profile、仪表盘和控制面板</li>
-                <li>启用专用网络访问私有入口</li>
-                <li>连接 Olares Space</li>
-                <li>自定义应用入口</li>
-                <li>在应用市场中安装常规应用</li>
-                <li>访问具有分配读/写权限的共享 Vault</li>
-                <li>在控制面板中查看基本系统状态</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td>管理员</td>
-        <td>
-        成员的所有权限，此外还包括：
-            <ul>
-                <li>创建和管理用户账户</li>
-                <li>管理 Vault 团队，创建共享 Vault，并为共享 Vault 分配读/写权限</li>
-                <li>安装和管理共享应用</li>
-                <li>监控和管理系统资源</li>
-                <li>设置 GPU 使用模式</li>
-                <li>更新 Olares</li>
-            </ul>
-        </td>
-    </tr>
-</table>

docs/zh/manual/olares/settings/update.md

@@ -13,15 +13,6 @@ Olares 定期发布新版本，带来功能改进和用户体验优化。本文
 有关 Olares 的版本控制实践及当前跨次版本升级（比如从 `1.10.5` 升到 `1.11.0`）的限制，请参阅 [Olares 版本说明](../../../developer/install/versioning.md)。
 :::
 
-## 检查并安装更新
-:::tip 提示
-在更新前，请查看发布说明以了解新功能和重要更改。
-:::
-
-1. 打开**设置** > **我的 Olares** > **当前版本**。
-2. 如果有可用的新版本，点击**立即升级**。
-
-更新完成后，系统将显示确认消息。
 
 ## 手动升级 `olaresd`
 

docs/zh/manual/overview.md

@@ -10,10 +10,6 @@ description: Olares 是为本地 AI 打造的开源私有云操作系统，支
 ## Olares 是什么？
 Olares 是一款开源个人云操作系统，旨在让你能够轻松在本地拥有并管理自己的数字资产。你无需再依赖公有云服务，而可以在 Olares 上本地部署强大的开源平替服务或应用，例如可以使用 Ollama 托管大语言模型，使用 SD WebUI 用于图像生成，以及使用 Mastodon 构建不受审查的社交空间。Olares 让你坐拥云计算的强大威力，又能完全将其置于自己掌控之下。
 
-有了 Olares，自托管不再是复杂艰难的任务。它简化了诸如网络设置、域名管理和服务编排等繁琐流程，无论是初学者还是资深用户，都可以专注于真正重要的事情。
-
-隐私和自主性是 Olares 的核心理念。对于希望避免依赖中心化平台的个人或团队来说，Olares 是理想之选。你的数据始终保存在自己的设备上，所有任务均在本地处理，确保应用数据和敏感信息始终掌握在手中。Olares 在保持性能和易用性的同时，赋予你对数据和应用设备完全的掌控权。
-
 <div class="cta">
   <a href="./get-started/">
     <div class="content">
@@ -24,6 +20,16 @@ Olares 是一款开源个人云操作系统，旨在让你能够轻松在本地
   </a>
 </div>
 
+## Olares 组成部分
+
+Olares 由以下核心组件组成：
+
+- [Olares ID](./concepts/olares-id.md)：一种去中心化的身份与信用系统，支持信息和价值的安全、无信任交换。Olares ID 是你在整个 Olares 生态中的数字身份。
+
+- [**Olares OS**](https://github.com/beclab/Olares)：一个开源自主托管操作系统，可将边缘设备转化为强大的个人云。
+
+- [**LarePass**](./larepass)：一款安全的跨平台客户端，连接您与 Olares 系统。它提供无缝访问、统一身份管理、快速文件同步，以及强大的设备管理能力。
+
 ## 功能亮点
 
 Olares 提供了丰富的功能，旨在提升安全性、易用性和开发灵活性：

framework/app-service/.olares/config/cluster/crds/app.bytetrade.io_applicationmanagers.yaml

@@ -65,6 +65,9 @@ spec:
                 type: string
               config:
                 type: string
+              opType:
+                description: OpType represents the type of operation being performed.
+                type: string
               source:
                 type: string
               type:
@@ -72,6 +75,7 @@ spec:
                 type: string
             required:
             - appName
+            - opType
             - source
             - type
             type: object
@@ -144,14 +148,8 @@ spec:
               updateTime:
                 format: date-time
                 type: string
-            required:
-            - opGeneration
-            - opType
-            - statusTime
-            - updateTime
             type: object
         type: object
     served: true
     storage: true
-    subresources:
-      status: {}
+    subresources: {}