Support Bundle Generation

Audience: operators triaging incidents or escalating to the AutonomyOps support team.

What is a support bundle?

A support bundle is a tar.gz archive containing sanitized diagnostic information collected from the local node. It includes system information, build metadata, a redacted configuration snapshot, HA status, recent audit events, and log extracts.

Secret redaction is automatic and mandatory:

  • fleet_salt values are replaced with <REDACTED>.

  • PostgreSQL URLs have their passwords replaced with REDACTED in a URL-safe manner.

  • No YAML parsing is required — redaction is applied via line scan with an explicit allow-list, so unrecognized secret patterns are not silently included.

Partial failure is tolerated: if one collector fails (e.g. HA status is unreachable), the bundle continues and records the error in manifest.json.

1. Generate a support bundle

Minimal (local node info only)

autonomy support-bundle generate \
  --output /tmp/support-bundles/autonomy-bundle-$(date -u +%Y%m%d-%H%M%S).tar.gz

Full bundle (with HA status and audit events)

autonomy support-bundle generate \
  --output /tmp/support-bundles/autonomy-bundle-$(date -u +%Y%m%d-%H%M%S).tar.gz \
  --config-file /etc/autonomy/config.yaml \
  --orchestrator-url "$AUTONOMY_ORCHESTRATOR_URL" \
  --audit-dir "$AUTONOMY_AUDIT_DIR" \
  --log-file /var/log/autonomy/edged.log

Expected output:

generating support bundle: /tmp/support-bundles/autonomy-bundle-20260318-103000.tar.gz
  collecting system_info...
  collecting build_info...
  collecting config...
  collecting ha_status...
  collecting audit_recent...
  collecting logs...
bundle written: /tmp/support-bundles/autonomy-bundle-20260318-103000.tar.gz

Example with a collector failure (HA unreachable):

generating support bundle: /tmp/support-bundles/autonomy-bundle-20260318-103000.tar.gz
  collecting system_info...
  collecting build_info...
  collecting config...
  collecting ha_status...
  warning: ha_status failed: GET http://localhost:8888/v1/ha/status: request failed: ...
  collecting audit_recent...
  collecting logs...
bundle written: /tmp/support-bundles/autonomy-bundle-20260318-103000.tar.gz

The collector warning does not abort the bundle. The error is recorded in the archive’s top-level manifest.json.

2. Bundle contents

The generated tar.gz contains:

File

Collector

Contents

<bundle-dir>/manifest.json

Bundle metadata, collector results, errors

<bundle-dir>/system_info.json

system_info

OS, hostname, architecture, Go version

<bundle-dir>/build_info.json

build_info

ADK version and Go build metadata

<bundle-dir>/config_redacted.yaml

config

Config with secrets replaced by <REDACTED> / REDACTED

<bundle-dir>/ha_status.json

ha_status

Output of /v1/ha/status

<bundle-dir>/audit_recent.json

audit_recent

Last 50 audit events from the audit store

<bundle-dir>/logs/autonomy.log

logs

Last 500 lines of the specified log file by default

3. Verify bundle contents (before sharing)

# List archive contents
tar -tzf /tmp/support-bundles/autonomy-bundle-*.tar.gz

# Inspect the manifest
tar -tzf /tmp/support-bundles/autonomy-bundle-*.tar.gz | head -n 1
# Suppose the top-level directory is autonomy-bundle-20260318-103000/
tar -xOzf /tmp/support-bundles/autonomy-bundle-*.tar.gz \
  autonomy-bundle-20260318-103000/manifest.json | jq .

# Verify config redaction
tar -xOzf /tmp/support-bundles/autonomy-bundle-*.tar.gz \
  autonomy-bundle-20260318-103000/config_redacted.yaml \
  | grep -E "fleet_salt|password|secret"
# Expect: no unredacted values; should show <REDACTED> or REDACTED

4. Common failure scenarios

HA status collector fails

If --orchestrator-url is unreachable:

[error] ha_status: connection refused

This is non-fatal. The bundle is still useful for system_info, build_info, and logs. Verify the control-plane URL:

curl -sf "${AUTONOMY_ORCHESTRATOR_URL}/v1/health/read-ready" | jq .

Config collector skipped

If --config-file is not provided, the config_redacted collector is skipped and the file does not appear in the bundle. Always provide --config-file for a full bundle.

Audit collector produces empty results

If --audit-dir does not exist or contains no events:

The bundle still records audit_recent as ok, but the exported JSON array may be empty.

Verify the audit directory:

ls -la "$AUTONOMY_AUDIT_DIR"

Log file too large

The logs collector captures only the last 500 lines by default. For long-running nodes with large log files, include a separate compressed log extract:

tail -5000 /var/log/autonomy/edged.log | gzip > /tmp/edged-log-extract.gz

5. Sharing bundles

Before sharing a bundle with external parties:

  1. Review config_redacted.yaml for any organization-specific values that should not be shared (domain names, IP addresses, peer IDs).

  2. Verify manifest.json does not contain sensitive path names.

  3. Confirm audit_recent.json does not include operator names or resource IDs that are confidential.

The bundle is designed for safe sharing, but final review before transmission is the operator’s responsibility.

Known gaps

  • No automatic bundle rotation: Bundles accumulate wherever --output points. Implement a retention policy (e.g. keep last 5 bundles) manually or via cron.

  • No relay deadletter snapshot: The bundle does not include edgectl relay deadletter list output. Add this manually when diagnosing relay issues:

    edgectl relay deadletter list --socket /run/edged/rpc.sock \
  >> /tmp/deadletter-snapshot.txt

  • No replication status: The bundle does not include ha replication or PostgreSQL pg_stat_replication output. Collect manually when diagnosing HA issues.

  • Audit collector reads from file store only: If the audit store is a future database-backed emitter, the file-based collector will need to be updated to query the database.