Linux on Yarang's Tech Lairhttps://blog.fcoinfup.com/tags/linux/Recent content in Linux on Yarang's Tech LairHugo -- gohugo.ioenMon, 04 May 2026 20:49:16 +0900Beyond Hardware Limits: Unraveling Disk Physical Structure with Microbenchmarkinghttps://blog.fcoinfup.com/post/beyond-hardware-limits-unraveling-disk-physical-structure-with-microbenchmarking/Mon, 04 May 2026 20:49:16 +0900https://blog.fcoinfup.com/post/beyond-hardware-limits-unraveling-disk-physical-structure-with-microbenchmarking/<h1 id="beyond-hardware-limits-unraveling-disk-physical-structure-with-microbenchmarking">Beyond Hardware Limits: Unraveling Disk Physical Structure with Microbenchmarking </h1><p>Recently, an interesting 2019 article was brought back into the spotlight via Hacker News: &ldquo;Discovering hard disk physical geometry through microbenchmarking.&rdquo; In an era where high-performance SSDs are commonplace, why is it important to understand the physical structure of rotational media (HDDs)?</p> <p>In fact, the core of this article goes beyond the simple structure of a hard disk, focusing on <strong>&ldquo;a methodology for inferring hardware&rsquo;s internal operations through Observable Performance.&rdquo;</strong> This principle is applicable not only to analyzing the performance characteristics of modern NVMe SSDs with ZNS (Zoned Namespace) storage but also to low-power network devices like the recently discussed BYOMesh based on LoRa.</p> <p>In this post, we will practice the microbenchmarking technique of uncovering the hardware&rsquo;s &ldquo;Physical Geometry&rdquo; by writing a simple code ourselves.</p> <h2 id="why-microbenchmarking">Why Microbenchmarking? </h2><p>Software developers can work without knowing complex hardware details thanks to the abstraction layers between the OS and hardware. However, this changes when developing systems that require high performance, such as e-commerce platforms handling high transaction volumes or analytical systems processing large amounts of data.</p> <p>It is difficult to accurately know the actual sector layout, cache memory size, or rotational latency using only OS commands like <code>fstat</code> or <code>lsblk</code>. At this point, <strong>microbenchmarking, which involves performing read/write operations and measuring the time taken, becomes the most powerful tool.</strong></p> <h2 id="fundamental-principles-of-benchmarking">Fundamental Principles of Benchmarking </h2><p>The data access speed of a hard disk drive (HDD) is determined by the following three factors:</p> <ol> <li><strong>Seek Time:</strong> The time it takes for the head to move to the relevant track (physical movement).</li> <li><strong>Rotational Latency:</strong> The time until the sector containing the data rotates under the head.</li> <li><strong>Transfer Time:</strong> The time to actually read the data.</li> </ol> <p>We will focus on <strong>&lsquo;Seek Time&rsquo;</strong>. The further the head has to move, the longer it takes. By measuring the time difference between reading adjacent sectors and sectors far apart, we can infer the disk&rsquo;s physical layout (track and cylinder structure).</p> <h2 id="hands-on-exploring-disk-structure-with-python">Hands-on: Exploring Disk Structure with Python </h2><p>Now, let&rsquo;s use Python to measure the performance difference between random and sequential access. This code is a simple example to measure the cost of moving between the &lsquo;Outer Zone&rsquo; and &lsquo;Inner Zone&rsquo; of a disk.</p> <blockquote> <p><strong>Caution:</strong> This script accesses actual disk devices (e.g., <code>/dev/sdX</code>). <strong>Be sure to use a test disk with no data on it</strong> or run it in a <strong>VM environment.</strong> Accessing the wrong device can lead to data corruption.</p> </blockquote> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">import</span> os </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> time </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> sys </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Disk path to test (needs to be changed to a VM or separate test disk)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Example: &#39;/dev/sdb&#39; for Linux, &#39;/dev/rdisk2&#39; for macOS</span> </span></span><span style="display:flex;"><span>DISK_PATH <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;/dev/sdb&#39;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Read block size (4KB)</span> </span></span><span style="display:flex;"><span>BLOCK_SIZE <span style="color:#f92672">=</span> <span style="color:#ae81ff">4096</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Number of measurements</span> </span></span><span style="display:flex;"><span>ITERATIONS <span style="color:#f92672">=</span> <span style="color:#ae81ff">1000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">benchmark_random_access</span>(fd, size): </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Measures performance when accessing random locations&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> total_bytes <span style="color:#f92672">=</span> os<span style="color:#f92672">.</span>path<span style="color:#f92672">.</span>getsize(DISK_PATH) <span style="color:#66d9ef">if</span> os<span style="color:#f92672">.</span>path<span style="color:#f92672">.</span>exists(DISK_PATH) <span style="color:#66d9ef">else</span> size </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> start_time <span style="color:#f92672">=</span> time<span style="color:#f92672">.</span>time() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> _ <span style="color:#f92672">in</span> range(ITERATIONS): </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Calculate random offset (maintain block alignment)</span> </span></span><span style="display:flex;"><span> offset <span style="color:#f92672">=</span> os<span style="color:#f92672">.</span>urandom(<span style="color:#ae81ff">8</span>) </span></span><span style="display:flex;"><span> offset_int <span style="color:#f92672">=</span> int<span style="color:#f92672">.</span>from_bytes(offset, <span style="color:#e6db74">&#39;big&#39;</span>) <span style="color:#f92672">%</span> (total_bytes <span style="color:#f92672">-</span> BLOCK_SIZE) </span></span><span style="display:flex;"><span> aligned_offset <span style="color:#f92672">=</span> (offset_int <span style="color:#f92672">//</span> BLOCK_SIZE) <span style="color:#f92672">*</span> BLOCK_SIZE </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> os<span style="color:#f92672">.</span>lseek(fd, aligned_offset, os<span style="color:#f92672">.</span>SEEK_SET) </span></span><span style="display:flex;"><span> os<span style="color:#f92672">.</span>read(fd, BLOCK_SIZE) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> end_time <span style="color:#f92672">=</span> time<span style="color:#f92672">.</span>time() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (end_time <span style="color:#f92672">-</span> start_time) <span style="color:#f92672">*</span> <span style="color:#ae81ff">1000</span> <span style="color:#75715e"># Convert to ms</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">benchmark_sequential_access</span>(fd): </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Measures performance when accessing sequential locations&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> start_time <span style="color:#f92672">=</span> time<span style="color:#f92672">.</span>time() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> _ <span style="color:#f92672">in</span> range(ITERATIONS): </span></span><span style="display:flex;"><span> os<span style="color:#f92672">.</span>read(fd, BLOCK_SIZE) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> end_time <span style="color:#f92672">=</span> time<span style="color:#f92672">.</span>time() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (end_time <span style="color:#f92672">-</span> start_time) <span style="color:#f92672">*</span> <span style="color:#ae81ff">1000</span> <span style="color:#75715e"># Convert to ms</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#34;__main__&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> os<span style="color:#f92672">.</span>path<span style="color:#f92672">.</span>exists(DISK_PATH): </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Error: </span><span style="color:#e6db74">{</span>DISK_PATH<span style="color:#e6db74">}</span><span style="color:#e6db74"> not found. Please update DISK_PATH.&#34;</span>) </span></span><span style="display:flex;"><span> sys<span style="color:#f92672">.</span>exit(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Benchmarking </span><span style="color:#e6db74">{</span>DISK_PATH<span style="color:#e6db74">}</span><span style="color:#e6db74">...&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span>: </span></span><span style="display:flex;"><span> <span style="color:#75715e"># It is recommended to use the O_DIRECT flag to minimize buffering when opening the file (Linux).</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Here, we proceed with the default mode for compatibility, but O_DIRECT is necessary for actual hardware access.</span> </span></span><span style="display:flex;"><span> fd <span style="color:#f92672">=</span> os<span style="color:#f92672">.</span>open(DISK_PATH, os<span style="color:#f92672">.</span>O_RDONLY <span style="color:#f92672">|</span> os<span style="color:#f92672">.</span>O_SYNC) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;1. Measuring Random Access (Simulating Head Seek)...&#34;</span> ) </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Random access is slow due to continuous head movement</span> </span></span><span style="display:flex;"><span> random_time <span style="color:#f92672">=</span> benchmark_random_access(fd, <span style="color:#ae81ff">1024</span><span style="color:#f92672">*</span><span style="color:#ae81ff">1024</span><span style="color:#f92672">*</span><span style="color:#ae81ff">1024</span>) <span style="color:#75715e"># Assume 1GB</span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; Random Access Time: </span><span style="color:#e6db74">{</span>random_time<span style="color:#e6db74">:</span><span style="color:#e6db74">.2f</span><span style="color:#e6db74">}</span><span style="color:#e6db74"> ms&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;2. Measuring Sequential Access (Minimal Head Movement)...&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Reset file pointer to the beginning</span> </span></span><span style="display:flex;"><span> os<span style="color:#f92672">.</span>lseek(fd, <span style="color:#ae81ff">0</span>, os<span style="color:#f92672">.</span>SEEK_SET) </span></span><span style="display:flex;"><span> sequential_time <span style="color:#f92672">=</span> benchmark_sequential_access(fd) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34; Sequential Access Time: </span><span style="color:#e6db74">{</span>sequential_time<span style="color:#e6db74">:</span><span style="color:#e6db74">.2f</span><span style="color:#e6db74">}</span><span style="color:#e6db74"> ms&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">--- Analysis ---&#34;</span>) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Performance Gap (Seek Cost): </span><span style="color:#e6db74">{</span>random_time <span style="color:#f92672">-</span> sequential_time<span style="color:#e6db74">:</span><span style="color:#e6db74">.2f</span><span style="color:#e6db74">}</span><span style="color:#e6db74"> ms&#34;</span>) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;The gap represents the time spent moving the disk head physically.&#34;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> os<span style="color:#f92672">.</span>close(fd) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">except</span> <span style="color:#a6e22e">PermissionError</span>: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#34;Error: Permission denied. Try running with &#39;sudo&#39;.&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">except</span> <span style="color:#a6e22e">Exception</span> <span style="color:#66d9ef">as</span> e: </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Error: </span><span style="color:#e6db74">{</span>e<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><h2 id="interpreting-and-utilizing-results">Interpreting and Utilizing Results </h2><p>Running the code above, you will observe that random access is significantly slower than sequential access. This &lsquo;Gap&rsquo; is precisely the time spent on physical seeking and rotation.</p> <p>If you were to perform this measurement separately at the beginning of the disk (outer tracks) and at the end (inner tracks), you might discover that the outer tracks have a faster transfer rate than the inner tracks due to the disk&rsquo;s <strong>Zone Bit Recording (ZBR)</strong> structure. In the past, this was utilized to tune data placement to the front of the disk.</p> <h2 id="modern-relevance-lessons-from-the-ssd-and-cloud-era">Modern Relevance: Lessons from the SSD and Cloud Era </h2><p>Although spinning disk technology is becoming a thing of the past, the principle of <strong>&ldquo;understanding a system&rsquo;s internals through performance measurement&rdquo;</strong> remains unchanged.</p> <ol> <li><strong>SSD Internal Parallelism:</strong> SSDs internally operate multiple channels and planes in parallel. If performance dramatically increases when we induce sequential reads using multithreading, this can be a signal to infer the internal controller&rsquo;s parallel processing capabilities.</li> <li><strong>Cloud Storage I/O:</strong> By capturing phenomena like the &lsquo;Burst&rsquo; followed by a &lsquo;Baseline&rsquo; drop in disk I/O performance on AWS or Azure through microbenchmarking, you can design cost-effective architectures.</li> </ol> <h2 id="conclusion">Conclusion </h2><p>The &lsquo;Discovering hard disk physical geometry&rsquo; article, which regained attention on Hacker News, goes beyond mere curiosity to remind us of <strong>the most fundamental stance in diagnosing system performance bottlenecks.</strong></p> <p>Instead of vaguely concluding &ldquo;the disk is slow,&rdquo; <strong>proving with data &ldquo;where and why it is slow&rdquo;</strong> by running simple scripts yourself. This is the first step towards true performance tuning.</p> <p>We encourage you to run the benchmarking code written in today&rsquo;s post in your development environment. Discovering unexpected hardware characteristics and directly observing their impact on system performance will be a very interesting experience.</p> <h2 id="references">References </h2><ul> <li><a class="link" href="https://www.codesynthesis.com/~boris/blog/2019/04/17/geometry/" target="_blank" rel="noopener" >Discovering hard disk physical geometry through microbenchmarking (2019)</a></li> <li><a class="link" href="https://www.kernel.org/doc/html/latest/block/index.html" target="_blank" rel="noopener" >Linux Block Layer internals</a></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"></code></pre></div>Building a Blog AI Auto-Comment System (3/3): Deployment and Troubleshootinghttps://blog.fcoinfup.com/post/ai-auto-comment-system-part3-deployment/Sun, 03 May 2026 01:20:00 +0900https://blog.fcoinfup.com/post/ai-auto-comment-system-part3-deployment/<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## Overview</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>In [Part <span style="color:#ae81ff">1</span>](<span style="color:#f92672">/</span>ko<span style="color:#f92672">/</span>post<span style="color:#f92672">/</span>ai<span style="color:#f92672">-</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>system<span style="color:#f92672">-</span>part1<span style="color:#f92672">-</span>architecture<span style="color:#f92672">/</span>), we covered the architecture <span style="color:#f92672">and</span> implementation, <span style="color:#f92672">and</span> <span style="color:#f92672">in</span> [Part <span style="color:#ae81ff">2</span>](<span style="color:#f92672">/</span>ko<span style="color:#f92672">/</span>post<span style="color:#f92672">/</span>ai<span style="color:#f92672">-</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>system<span style="color:#f92672">-</span>part2<span style="color:#f92672">-</span>security<span style="color:#f92672">/</span>), we looked at security enhancements<span style="color:#f92672">.</span> In this <span style="color:#ae81ff">3</span>rd part, we record the process of deploying to an actual OCI ARM server <span style="color:#f92672">and</span> the troubleshooting encountered<span style="color:#f92672">.</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>In particular, we share <span style="color:#f92672">in</span> detail the actual debugging process where we tracked <span style="color:#f92672">and</span> resolved the issue of <span style="color:#f92672">**</span>GITHUB_TOKEN <span style="color:#f92672">not</span> loading<span style="color:#f92672">**</span> over <span style="color:#ae81ff">4</span> steps<span style="color:#f92672">.</span> The core of this article is how we narrowed down the cause <span style="color:#f92672">in</span> a situation where <span style="color:#e6db74">&#34;it&#39;s set up, so why isn&#39;t it working?&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">---</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## Infrastructure Configuration</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">### Server Configuration</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|</span> Server <span style="color:#f92672">|</span> Role <span style="color:#f92672">|</span> Specs <span style="color:#f92672">|</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|------|------|------|</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|</span> ec1 (x86) <span style="color:#f92672">|</span> Web Server (nginx, Hugo blog) <span style="color:#f92672">|</span> OCI <span style="color:#f92672">|</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|</span> arm1 (ARM) <span style="color:#f92672">|</span> Worker Server (Flask, Claude Code) <span style="color:#f92672">|</span> OCI ARM <span style="color:#f92672">|</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>The blog is built <span style="color:#f92672">and</span> served with Hugo on ec1, <span style="color:#66d9ef">while</span> the AI comment worker runs on arm1<span style="color:#f92672">.</span> The GitHub Webhook is delivered directly to arm1<span style="color:#f92672">.</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">### Worker Server Directory Structure</span> </span></span></code></pre></div><p>/var/www/auto-comment-worker/ # Application ├── scripts/ │ └── auto-comment-worker.py ├── deploy/ │ └── auto-comment-worker.service ├── venv/ # Python virtual environment └── logs/</p> <p>/etc/auto-comment-worker/ # Credentials ├── github-token # 640, ubuntu:ubuntu └── credentials/ └── webhook-secret # 600, ubuntu:ubuntu</p> <p>/home/ubuntu/.local/bin/claude # Claude Code CLI</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">---</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## systemd Service Configuration</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">### Service File</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">```</span>ini </span></span><span style="display:flex;"><span>[Unit] </span></span><span style="display:flex;"><span>Description<span style="color:#f92672">=</span>Auto Comment Worker <span style="color:#66d9ef">for</span> Blog </span></span><span style="display:flex;"><span>After<span style="color:#f92672">=</span>network<span style="color:#f92672">.</span>target </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[Service] </span></span><span style="display:flex;"><span>Type<span style="color:#f92672">=</span>simple </span></span><span style="display:flex;"><span>User<span style="color:#f92672">=</span>ubuntu </span></span><span style="display:flex;"><span>WorkingDirectory<span style="color:#f92672">=/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>PORT<span style="color:#f92672">=</span><span style="color:#ae81ff">8081</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>CLAUDE_CODE_PATH<span style="color:#f92672">=/</span>home<span style="color:#f92672">/</span>ubuntu<span style="color:#f92672">/.</span>local<span style="color:#f92672">/</span>bin<span style="color:#f92672">/</span>claude </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>BLOG_OWNERS<span style="color:#f92672">=</span>yarang </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>GITHUB_TOKEN_FILE<span style="color:#f92672">=/</span>etc<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>github<span style="color:#f92672">-</span>token </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>GITHUB_WEBHOOK_SECRET_FILE<span style="color:#f92672">=/</span>etc<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>credentials<span style="color:#f92672">/</span>webhook<span style="color:#f92672">-</span>secret </span></span><span style="display:flex;"><span>ExecStart<span style="color:#f92672">=/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>venv<span style="color:#f92672">/</span>bin<span style="color:#f92672">/</span>python <span style="color:#f92672">/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>scripts<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">.</span>py </span></span><span style="display:flex;"><span>Restart<span style="color:#f92672">=</span>always </span></span><span style="display:flex;"><span>RestartSec<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Logging</span> </span></span><span style="display:flex;"><span>StandardOutput<span style="color:#f92672">=</span>journal </span></span><span style="display:flex;"><span>StandardError<span style="color:#f92672">=</span>journal </span></span><span style="display:flex;"><span>SyslogIdentifier<span style="color:#f92672">=</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Security</span> </span></span><span style="display:flex;"><span>NoNewPrivileges<span style="color:#f92672">=</span>true </span></span><span style="display:flex;"><span>PrivateTmp<span style="color:#f92672">=</span>true </span></span><span style="display:flex;"><span>ProtectSystem<span style="color:#f92672">=</span>strict </span></span><span style="display:flex;"><span>ProtectHome<span style="color:#f92672">=</span>false </span></span><span style="display:flex;"><span>ReadWritePaths<span style="color:#f92672">=/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker <span style="color:#f92672">/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>log<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker </span></span><span style="display:flex;"><span>ReadOnlyPaths<span style="color:#f92672">=</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Resource Limits</span> </span></span><span style="display:flex;"><span>MemoryMax<span style="color:#f92672">=</span><span style="color:#ae81ff">512</span>M </span></span><span style="display:flex;"><span>CPUQuota<span style="color:#f92672">=</span><span style="color:#ae81ff">50</span><span style="color:#f92672">%</span> </span></span><span style="display:flex;"><span>TasksMax<span style="color:#f92672">=</span><span style="color:#ae81ff">100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[Install] </span></span><span style="display:flex;"><span>WantedBy<span style="color:#f92672">=</span>multi<span style="color:#f92672">-</span>user<span style="color:#f92672">.</span>target </span></span></code></pre></div><h3 id="key-configuration-explanation">Key Configuration Explanation </h3><p><strong><code>Type=simple</code></strong>: Since the Flask worker runs in the foreground, <code>simple</code> is appropriate. <code>forking</code> is used for processes that daemonize.</p> <p><strong><code>User=ubuntu</code></strong>: Although a dedicated service account could be created, it runs as <code>ubuntu</code> because the Claude Code CLI depends on the <code>ubuntu</code> user&rsquo;s home directory configuration.</p> <p><strong><code>ProtectHome=false</code></strong>: Usually set to <code>true</code>, but allows home directory access because Claude Code requires the <code>~/.agent_forge_for_zai.json</code> configuration file.</p> <p><strong><code>ReadOnlyPaths=</code></strong> (Empty value): Initially specified <code>/etc/auto-comment-worker</code>, but left empty due to conflict with <code>ProtectSystem=strict</code>.</p> <h3 id="service-management-commands">Service Management Commands </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Copy service file</span> </span></span><span style="display:flex;"><span>sudo cp deploy/auto-comment-worker.service /etc/systemd/system/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Register and start service</span> </span></span><span style="display:flex;"><span>sudo systemctl daemon-reload </span></span><span style="display:flex;"><span>sudo systemctl enable auto-comment-worker </span></span><span style="display:flex;"><span>sudo systemctl start auto-comment-worker </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check status</span> </span></span><span style="display:flex;"><span>sudo systemctl status auto-comment-worker </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check logs (real-time)</span> </span></span><span style="display:flex;"><span>sudo journalctl -u auto-comment-worker -f </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check recent logs</span> </span></span><span style="display:flex;"><span>sudo journalctl -u auto-comment-worker --since <span style="color:#e6db74">&#34;10 minutes ago&#34;</span> </span></span></code></pre></div><hr> <h2 id="nginx-reverse-proxy">nginx Reverse Proxy </h2><h3 id="webhook-endpoint-configuration">Webhook Endpoint Configuration </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">your-domain.com</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># SSL Configuration </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate</span> <span style="color:#e6db74">/etc/letsencrypt/live/your-domain.com/fullchain.pem</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> <span style="color:#e6db74">/etc/letsencrypt/live/your-domain.com/privkey.pem</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Webhook Proxy </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/webhook</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">http://localhost:8081</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Host</span> $host; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Real-IP</span> $remote_addr; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Forwarded-For</span> $proxy_add_x_forwarded_for; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Forwarded-Proto</span> $scheme; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># GitHub Webhook signature header forwarding (Required!) </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Hub-Signature-256</span> $http_x_hub_signature_256; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Timeout (Waiting for Claude Code response) </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_read_timeout</span> <span style="color:#e6db74">120s</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_connect_timeout</span> <span style="color:#e6db74">10s</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Health check </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/health</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">http://localhost:8081</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><code>proxy_read_timeout 120s</code> is set generously because the Claude Code CLI can take up to 60 seconds to generate an AI response. Since the default timeout for GitHub Webhooks is 10 seconds, asynchronous processing could be considered in practice.</p> <hr> <h2 id="deployment-process">Deployment Process </h2><h3 id="manual-deployment-after-rsync-failure">Manual Deployment (After rsync Failure) </h3><p>Initially, we attempted deployment with rsync, but it failed because the target directory did not exist on the server:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span>rsync: [Receiver] mkdir <span style="color:#e6db74">&#34;/var/www/auto-comment-worker/scripts&#34;</span> failed: </span></span><span style="display:flex;"><span>No such file <span style="color:#f92672">or</span> directory </span></span></code></pre></div><p>As an alternative, we proceeded with scp-based manual deployment:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 1. Create directory on server</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo mkdir -p /var/www/auto-comment-worker/scripts&#34;</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo chown -R ubuntu:ubuntu /var/www/auto-comment-worker&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. Transfer files</span> </span></span><span style="display:flex;"><span>scp scripts/auto-comment-worker.py ubuntu@arm1:/var/www/auto-comment-worker/scripts/ </span></span><span style="display:flex;"><span>scp deploy/auto-comment-worker.service ubuntu@arm1:/tmp/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. Install service file</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo cp /tmp/auto-comment-worker.service /etc/systemd/system/&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 4. Set up Python virtual environment</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;cd /var/www/auto-comment-worker &amp;&amp; python3 -m venv venv&#34;</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;cd /var/www/auto-comment-worker &amp;&amp; venv/bin/pip install flask flask-limiter marshmallow requests&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 5. Configure authentication files</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo mkdir -p /etc/auto-comment-worker/credentials&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token file is created directly on the server (not transferred via scp)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 6. Start service</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo systemctl daemon-reload &amp;&amp; sudo systemctl enable --now auto-comment-worker&#34;</span> </span></span></code></pre></div><h3 id="heredoc-variable-expansion-pitfall">Heredoc Variable Expansion Pitfall </h3><p>A common mistake when writing installation scripts with heredoc:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Single quotes: Variables are NOT expanded!</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&lt;&lt; &#39;ENDSSH&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">echo $CREDENTIALS_DIR # Prints empty string </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ENDSSH</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># No quotes: Variables are expanded locally</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&lt;&lt; ENDSSH </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">echo $CREDENTIALS_DIR # Expanded to local variable value </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ENDSSH</span> </span></span></code></pre></div><p>To avoid this problem, we switched to executing commands individually instead of using a script.</p> <hr> <h2 id="troubleshooting-github_token-loading-failure">Troubleshooting: GITHUB_TOKEN Loading Failure </h2><p>This was the issue that consumed the most time while deploying this system. When the comment Webhook arrived, the following error repeated:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>INFO:__main__:GITHUB_TOKEN configured: False </span></span><span style="display:flex;"><span>INFO:__main__:GitHub API response status: 401 </span></span><span style="display:flex;"><span>ERROR:__main__:Failed to get Discussion GraphQL ID </span></span></code></pre></div><p>We record the process of tracking down the cause step by step.</p> <h3 id="step-1-loadcredential-path-issue">Step 1: LoadCredential Path Issue </h3><p>Initially, we used the <code>LoadCredential</code> directive in systemd:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">LoadCredential</span><span style="color:#f92672">=</span><span style="color:#e6db74">github-token:/etc/auto-comment-worker/github-token</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span><span style="color:#e6db74">GITHUB_TOKEN_FILE=%d/github-token</span> </span></span></code></pre></div><p><code>%d</code> is a systemd special variable replaced with the credentials directory path. However, this variable was not interpreted as intended, causing the token file path to be set incorrectly.</p> <p><strong>Solution</strong>: Instead of <code>LoadCredential</code>, we specified the absolute path directly.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span><span style="color:#e6db74">GITHUB_TOKEN_FILE=/etc/auto-comment-worker/github-token</span> </span></span></code></pre></div><h3 id="step-2-file-ownership-issue">Step 2: File Ownership Issue </h3><p><code>GITHUB_TOKEN configured: False</code> still appeared. Checking the file revealed:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ ls -la /etc/auto-comment-worker/github-token </span></span><span style="display:flex;"><span>-rw------- <span style="color:#ae81ff">1</span> root root <span style="color:#ae81ff">93</span> May <span style="color:#ae81ff">3</span> 01:10 github-token </span></span></code></pre></div><p>Since the file owner is <code>root</code> and permissions are <code>600</code>, the service running as the <code>ubuntu</code> user cannot read this file.</p> <p><strong>Solution</strong>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo chown ubuntu:ubuntu /etc/auto-comment-worker/github-token </span></span><span style="display:flex;"><span>sudo chmod <span style="color:#ae81ff">640</span> /etc/auto-comment-worker/github-token </span></span></code></pre></div><h3 id="step-3-readonlypaths-conflict">Step 3: ReadOnlyPaths Conflict </h3><p>Even after changing ownership, <code>GITHUB_TOKEN configured: False</code> persisted. The cause was the <code>ReadOnlyPaths</code> setting in the systemd service file:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#75715e"># This setting blocked file reading</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">ReadOnlyPaths</span><span style="color:#f92672">=</span><span style="color:#e6db74">/etc/auto-comment-worker</span> </span></span></code></pre></div><p><code>ProtectSystem=strict</code> already mounts the entire filesystem read-only. Adding <code>ReadOnlyPaths</code> on top of that can cause mount namespace conflicts in some environments.</p> <p><strong>Solution</strong>: Changed <code>ReadOnlyPaths</code> to an empty value.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">ReadOnlyPaths</span><span style="color:#f92672">=</span> </span></span></code></pre></div><h3 id="step-4-python-file-permission-validation-code-root-cause">Step 4: Python File Permission Validation Code (Root Cause) </h3><p>Even after resolving all previous 3 steps, the token still did not load. The final cause was the overly strict file permission validation in the Python code:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># File permission 640 → Group read bit (0o040) is set → Denied!</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> st<span style="color:#f92672">.</span>st_mode <span style="color:#f92672">&amp;</span> (stat<span style="color:#f92672">.</span>S_IRWXO <span style="color:#f92672">|</span> stat<span style="color:#f92672">.</span>S_IRWXG): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">PermissionError</span>(<span style="color:#e6db74">&#34;Token file must be 600 or 400&#34;</span>) </span></span></code></pre></div><p>Because we changed to <code>chmod 640</code> in Step 2, the group read bit was set, triggering this validation. However, the error message did not appear in the logs, delaying discovery — because the <code>PermissionError</code> occurred at the module import time, preventing the service from starting at all.</p> <p><strong>Solution</strong>: As explained in Part 2, we modified it to check only <code>stat.S_IWOTH</code>.</p> <h3 id="importance-of-debugging-logs">Importance of Debugging Logs </h3><p>The debugging logs added to track this issue:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>logger<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;GITHUB_TOKEN configured: </span><span style="color:#e6db74">{</span>bool(GITHUB_TOKEN)<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span>logger<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;GitHub API response status: </span><span style="color:#e6db74">{</span>response<span style="color:#f92672">.</span>status_code<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span>logger<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;GitHub API response body: </span><span style="color:#e6db74">{</span>response<span style="color:#f92672">.</span>text[:<span style="color:#ae81ff">500</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><p>Without these logs, it would have taken much longer to identify the cause. Always log token load success/failure and API response status for authentication-related code.</p> <h3 id="debugging-flow-summary">Debugging Flow Summary </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-zed" data-lang="zed"><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">1</span>] LoadCredential <span style="color:#f92672">%</span>d not interpreted <span style="color:#960050;background-color:#1e0010">→</span> Changed to absolute path </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> (Still failed) </span></span><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">2</span>] File owner root<span style="color:#f92672">:</span>root <span style="color:#960050;background-color:#1e0010">→</span> Changed to ubuntu<span style="color:#f92672">:</span>ubuntu </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> (Still failed) </span></span><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">3</span>] ReadOnlyPaths conflict <span style="color:#960050;background-color:#1e0010">→</span> Removed </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> (Still failed) </span></span><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">4</span>] Python <span style="color:#66d9ef">permission</span> check S_IRWXG <span style="color:#960050;background-color:#1e0010">→</span> Relaxed to S_IWOTH </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> </span></span><span style="display:flex;"><span> [Resolved<span style="color:#f92672">!</span>] </span></span></code></pre></div><p>Lessons learned from this 4-step debugging:</p> <ol> <li><strong>Change one at a time and verify</strong>: If you change multiple settings at once, you won&rsquo;t know which one is the cause.</li> <li><strong>Trust logs, but suspect where there are no logs</strong>: Exceptions at module load time may not appear in standard logs.</li> <li><strong>Security validation code can also be a source of bugs</strong>: When security code blocks normal operation — balancing security and operations.</li> </ol> <hr> <h2 id="health-check">Health Check </h2><p>A health check endpoint to verify the service is running correctly:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#a6e22e">@app.route</span>(<span style="color:#e6db74">&#39;/health&#39;</span>, methods<span style="color:#f92672">=</span>[<span style="color:#e6db74">&#39;GET&#39;</span>]) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">health</span>(): </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Health check&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jsonify({<span style="color:#e6db74">&#39;status&#39;</span>: <span style="color:#e6db74">&#39;healthy&#39;</span>}) </span></span></code></pre></div><p>Monitoring systems periodically call <code>/health</code> to verify the service status:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -s http://localhost:8081/health </span></span><span style="display:flex;"><span><span style="color:#75715e"># {&#34;status&#34;: &#34;healthy&#34;}</span> </span></span></code></pre></div><hr> <h2 id="future-improvements">Future Improvements </h2><ol> <li><strong>Asynchronous Processing</strong>: Asynchronize AI response generation using Celery or Redis Queue to respond within the GitHub Webhook timeout (10 seconds).</li> <li><strong>Retry Logic</strong>: Exponential backoff retry on GitHub API call failures.</li> <li><strong>Monitoring Dashboard</strong>: Monitor response time, success rate, and error rate with Prometheus + Grafana.</li> <li><strong>Automated Deployment</strong>: Build an automated deployment pipeline with GitHub Actions on code changes.</li> <li><strong>Testing</strong>: Write integration tests mocking Webhook payloads.</li> </ol> <hr> <h2 id="conclusion">Conclusion </h2><p>Over three parts, we have recorded the entire build process of the blog AI auto-comment system:</p> <ul> <li><strong>Part 1</strong>: Full architecture of giscus → GitHub Webhook → Flask → Claude Code → GraphQL</li> <li><strong>Part 2</strong>: File-based authentication, HMAC verification, input sanitization, systemd security</li> <li><strong>Part 3</strong>: Actual deployment, nginx proxy, 4-step debugging process</li> </ul> <p>The greatest value of this system is that it <strong>automates communication with blog readers</strong>. While it is difficult for blog operators to respond to every comment immediately, an AI assistant can provide a first response, improving the reader experience.</p> <p>The full code is available at the <a class="link" href="https://github.com/yarang/blogs" target="_blank" rel="noopener" >GitHub repository</a>.</p> <hr> <p><em>This article is Part 3 (the final part) of the AgentForge blog auto-comment system series.</em></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"></code></pre></div>