fix: 使用 setsid 确保重启命令独立于父进程执行

问题原因：
- cmd.Start() 启动的子进程与父进程在同一会话中
- 当 systemctl restart 发送 SIGTERM 给父进程时
- 子进程可能也会被终止，导致重启命令无法完成

修复内容：
- 使用 setsid 创建新会话，子进程完全独立于父进程
- 分离标准输入/输出/错误流
- 确保即使父进程被 kill，重启命令仍能执行完成

.github/workflows/release.yml

@@ -85,11 +85,25 @@ jobs:
           go-version: '1.24'
           cache-dependency-path: backend/go.sum
 
+      - name: Fetch tags with annotations
+        run: |
+          # 确保获取完整的 annotated tag 信息
+          git fetch --tags --force
+
       - name: Get tag message
         id: tag_message
         run: |
+          TAG_NAME=${GITHUB_REF#refs/tags/}
+          echo "Processing tag: $TAG_NAME"
+
           # 获取完整的 tag message（跳过第一行标题）
-          TAG_MESSAGE=$(git tag -l --format='%(contents:body)' ${GITHUB_REF#refs/tags/})
+          TAG_MESSAGE=$(git tag -l --format='%(contents:body)' "$TAG_NAME")
+
+          # 调试输出
+          echo "Tag message length: ${#TAG_MESSAGE}"
+          echo "Tag message preview:"
+          echo "$TAG_MESSAGE" | head -10
+
           # 使用 EOF 分隔符处理多行内容
           echo "message<<EOF" >> $GITHUB_OUTPUT
           echo "$TAG_MESSAGE" >> $GITHUB_OUTPUT

.gitignore

@@ -91,4 +91,5 @@ backend/data/
 # ===================
 tests
 CLAUDE.md
-.claude
+.claude
+scripts

README.md

@@ -107,7 +107,7 @@ sudo journalctl -u sub2api -f
 sudo systemctl restart sub2api
 
 # Uninstall
-curl -sSL https://raw.githubusercontent.com/Wei-Shaw/sub2api/main/deploy/install.sh | sudo bash -s uninstall
+curl -sSL https://raw.githubusercontent.com/Wei-Shaw/sub2api/main/deploy/install.sh | sudo bash -s -- uninstall -y
 ```
 
 ---

README_CN.md

@@ -107,7 +107,7 @@ sudo journalctl -u sub2api -f
 sudo systemctl restart sub2api
 
 # 卸载
-curl -sSL https://raw.githubusercontent.com/Wei-Shaw/sub2api/main/deploy/install.sh | sudo bash -s uninstall
+curl -sSL https://raw.githubusercontent.com/Wei-Shaw/sub2api/main/deploy/install.sh | sudo bash -s -- uninstall -y
 ```
 
 ---

backend/cmd/server/main.go

@@ -235,6 +235,18 @@ func registerRoutes(r *gin.Engine, h *handler.Handlers, s *service.Services, rep
 		c.JSON(http.StatusOK, gin.H{"status": "ok"})
 	})
 
+	// Setup status endpoint (always returns needs_setup: false in normal mode)
+	// This is used by the frontend to detect when the service has restarted after setup
+	r.GET("/setup/status", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{
+			"code": 0,
+			"data": gin.H{
+				"needs_setup": false,
+				"step":        "completed",
+			},
+		})
+	})
+
 	// API v1
 	v1 := r.Group("/api/v1")
 	{

backend/internal/handler/admin/system_handler.go

@@ -2,8 +2,10 @@ package admin
 
 import (
 	"net/http"
+	"time"
 
 	"sub2api/internal/pkg/response"
+	"sub2api/internal/pkg/sysutil"
 	"sub2api/internal/service"
 
 	"github.com/gin-gonic/gin"
@@ -72,10 +74,14 @@ func (h *SystemHandler) Rollback(c *gin.Context) {
 // RestartService restarts the systemd service
 // POST /api/v1/admin/system/restart
 func (h *SystemHandler) RestartService(c *gin.Context) {
-	if err := h.updateSvc.RestartService(); err != nil {
+	// Schedule service restart in background after sending response
-		response.Error(c, http.StatusInternalServerError, err.Error())
+	// This ensures the client receives the success response before the service restarts
-		return
+	go func() {
-	}
+		// Wait a moment to ensure the response is sent
+		time.Sleep(500 * time.Millisecond)
+		sysutil.RestartServiceAsync()
+	}()
+
 	response.Success(c, gin.H{
 		"message": "Service restart initiated",
 	})

backend/internal/pkg/sysutil/restart.go

@@ -0,0 +1,96 @@
+package sysutil
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"runtime"
+)
+
+const serviceName = "sub2api"
+
+// findExecutable finds the full path of an executable
+// by checking common system paths
+func findExecutable(name string) string {
+	// First try exec.LookPath (uses current PATH)
+	if path, err := exec.LookPath(name); err == nil {
+		return path
+	}
+
+	// Fallback: check common paths
+	commonPaths := []string{
+		"/usr/bin/" + name,
+		"/bin/" + name,
+		"/usr/sbin/" + name,
+		"/sbin/" + name,
+	}
+
+	for _, path := range commonPaths {
+		if _, err := os.Stat(path); err == nil {
+			return path
+		}
+	}
+
+	// Return the name as-is and let exec fail with a clear error
+	return name
+}
+
+// RestartService triggers a service restart via systemd.
+//
+// IMPORTANT: This function initiates the restart and returns immediately.
+// The actual restart happens asynchronously - the current process will be killed
+// by systemd and a new process will be started.
+//
+// We use Start() instead of Run() because:
+//   - systemctl restart will kill the current process first
+//   - Run() waits for completion, but the process dies before completion
+//   - Start() spawns the command independently, allowing systemd to handle the full cycle
+//
+// Prerequisites:
+//   - Linux OS with systemd
+//   - NOPASSWD sudo access configured (install.sh creates /etc/sudoers.d/sub2api)
+func RestartService() error {
+	if runtime.GOOS != "linux" {
+		return fmt.Errorf("systemd restart only available on Linux")
+	}
+
+	log.Println("Initiating service restart...")
+
+	// Find full paths for sudo and systemctl
+	// This ensures the commands work even if PATH is limited in systemd service
+	sudoPath := findExecutable("sudo")
+	systemctlPath := findExecutable("systemctl")
+
+	log.Printf("Using sudo: %s, systemctl: %s", sudoPath, systemctlPath)
+
+	// The sub2api user has NOPASSWD sudo access for systemctl commands
+	// (configured by install.sh in /etc/sudoers.d/sub2api).
+	// Use -n (non-interactive) to prevent sudo from waiting for password input
+	//
+	// Use setsid to create a new session, ensuring the child process
+	// survives even if the parent process is killed by systemctl restart
+	setsidPath := findExecutable("setsid")
+	cmd := exec.Command(setsidPath, sudoPath, "-n", systemctlPath, "restart", serviceName)
+
+	// Detach from parent's stdio to ensure clean separation
+	cmd.Stdin = nil
+	cmd.Stdout = nil
+	cmd.Stderr = nil
+
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("failed to initiate service restart: %w", err)
+	}
+
+	log.Println("Service restart initiated successfully")
+	return nil
+}
+
+// RestartServiceAsync is a fire-and-forget version of RestartService.
+// It logs errors instead of returning them, suitable for goroutine usage.
+func RestartServiceAsync() {
+	if err := RestartService(); err != nil {
+		log.Printf("Service restart failed: %v", err)
+		log.Println("Please restart the service manually: sudo systemctl restart sub2api")
+	}
+}

backend/internal/service/gateway_service.go

@@ -35,25 +35,25 @@ const (
 
 // allowedHeaders 白名单headers（参考CRS项目）
 var allowedHeaders = map[string]bool{
-	"accept":                                  true,
+	"accept":                                    true,
-	"x-stainless-retry-count":                 true,
+	"x-stainless-retry-count":                   true,
-	"x-stainless-timeout":                     true,
+	"x-stainless-timeout":                       true,
-	"x-stainless-lang":                        true,
+	"x-stainless-lang":                          true,
-	"x-stainless-package-version":             true,
+	"x-stainless-package-version":               true,
-	"x-stainless-os":                          true,
+	"x-stainless-os":                            true,
-	"x-stainless-arch":                        true,
+	"x-stainless-arch":                          true,
-	"x-stainless-runtime":                     true,
+	"x-stainless-runtime":                       true,
-	"x-stainless-runtime-version":             true,
+	"x-stainless-runtime-version":               true,
-	"x-stainless-helper-method":               true,
+	"x-stainless-helper-method":                 true,
 	"anthropic-dangerous-direct-browser-access": true,
-	"anthropic-version":                       true,
+	"anthropic-version":                         true,
-	"x-app":                                   true,
+	"x-app":                                     true,
-	"anthropic-beta":                          true,
+	"anthropic-beta":                            true,
-	"accept-language":                         true,
+	"accept-language":                           true,
-	"sec-fetch-mode":                          true,
+	"sec-fetch-mode":                            true,
-	"accept-encoding":                         true,
+	"accept-encoding":                           true,
-	"user-agent":                              true,
+	"user-agent":                                true,
-	"content-type":                            true,
+	"content-type":                              true,
 }
 
 // ClaudeUsage 表示Claude API返回的usage信息
@@ -418,13 +418,19 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
 	}
 
 	// 构建上游请求
-	upstreamReq, err := s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
+	upstreamResult, err := s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
 	if err != nil {
 		return nil, err
 	}
 
+	// 选择使用的client：如果有代理则使用独立的client，否则使用共享的httpClient
+	httpClient := s.httpClient
+	if upstreamResult.Client != nil {
+		httpClient = upstreamResult.Client
+	}
+
 	// 发送请求
-	resp, err := s.httpClient.Do(upstreamReq)
+	resp, err := httpClient.Do(upstreamResult.Request)
 	if err != nil {
 		return nil, fmt.Errorf("upstream request failed: %w", err)
 	}
@@ -437,11 +443,16 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
 		if err != nil {
 			return nil, fmt.Errorf("token refresh failed: %w", err)
 		}
-		upstreamReq, err = s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
+		upstreamResult, err = s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
 		if err != nil {
 			return nil, err
 		}
-		resp, err = s.httpClient.Do(upstreamReq)
+		// 重试时也需要使用正确的client
+		httpClient = s.httpClient
+		if upstreamResult.Client != nil {
+			httpClient = upstreamResult.Client
+		}
+		resp, err = httpClient.Do(upstreamResult.Request)
 		if err != nil {
 			return nil, fmt.Errorf("retry request failed: %w", err)
 		}
@@ -480,7 +491,13 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
 	}, nil
 }
 
-func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Context, account *model.Account, body []byte, token, tokenType string) (*http.Request, error) {
+// buildUpstreamRequestResult contains the request and optional custom client for proxy
+type buildUpstreamRequestResult struct {
+	Request *http.Request
+	Client  *http.Client // nil means use default s.httpClient
+}
+
+func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Context, account *model.Account, body []byte, token, tokenType string) (*buildUpstreamRequestResult, error) {
 	// 确定目标URL
 	targetURL := claudeAPIURL
 	if account.Type == model.AccountTypeApiKey {
@@ -549,7 +566,8 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 		req.Header.Set("anthropic-beta", s.getBetaHeader(body, c.GetHeader("anthropic-beta")))
 	}
 
-	// 配置代理
+	// 配置代理 - 创建独立的client避免并发修改共享httpClient
+	var customClient *http.Client
 	if account.ProxyID != nil && account.Proxy != nil {
 		proxyURL := account.Proxy.URL()
 		if proxyURL != "" {
@@ -566,12 +584,18 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 					IdleConnTimeout:       90 * time.Second,
 					ResponseHeaderTimeout: responseHeaderTimeout,
 				}
-				s.httpClient.Transport = transport
+				// 创建独立的client，避免并发时修改共享的s.httpClient.Transport
+				customClient = &http.Client{
+					Transport: transport,
+				}
 			}
 		}
 	}
 
-	return req, nil
+	return &buildUpstreamRequestResult{
+		Request: req,
+		Client:  customClient,
+	}, nil
 }
 
 // getBetaHeader 处理anthropic-beta header

backend/internal/service/update_service.go

@@ -13,7 +13,6 @@ import (
 	"net/http"
 	"net/url"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -244,23 +243,6 @@ func (s *UpdateService) Rollback() error {
 	return nil
 }
 
-// RestartService triggers a service restart via systemd
-func (s *UpdateService) RestartService() error {
-	if runtime.GOOS != "linux" {
-		return fmt.Errorf("systemd restart only available on Linux")
-	}
-
-	// Try direct systemctl first (works if running as root or with proper permissions)
-	cmd := exec.Command("systemctl", "restart", "sub2api")
-	if err := cmd.Run(); err != nil {
-		// Try with sudo (requires NOPASSWD sudoers entry)
-		sudoCmd := exec.Command("sudo", "systemctl", "restart", "sub2api")
-		if sudoErr := sudoCmd.Run(); sudoErr != nil {
-			return fmt.Errorf("systemctl restart failed: %w (sudo also failed: %v)", err, sudoErr)
-		}
-	}
-	return nil
-}
 
 func (s *UpdateService) fetchLatestRelease(ctx context.Context) (*UpdateInfo, error) {
 	url := fmt.Sprintf("https://api.github.com/repos/%s/releases/latest", githubRepo)

backend/internal/setup/handler.go

@@ -7,8 +7,10 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+	"time"
 
 	"sub2api/internal/pkg/response"
+	"sub2api/internal/pkg/sysutil"
 
 	"github.com/gin-gonic/gin"
 )
@@ -337,8 +339,17 @@ func install(c *gin.Context) {
 		return
 	}
 
+	// Schedule service restart in background after sending response
+	// This ensures the client receives the success response before the service restarts
+	go func() {
+		// Wait a moment to ensure the response is sent
+		time.Sleep(500 * time.Millisecond)
+		sysutil.RestartServiceAsync()
+	}()
+
 	response.Success(c, gin.H{
-		"message": "Installation completed successfully",
+		"message": "Installation completed successfully. Service will restart automatically.",
 		"restart": true,
 	})
 }
+

backend/internal/web/embed.go

@@ -10,7 +10,7 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-//go:embed dist/*
+//go:embed all:dist
 var frontendFS embed.FS
 
 // ServeEmbeddedFrontend returns a Gin handler that serves embedded frontend assets

deploy/install.sh

@@ -483,9 +483,24 @@ download_and_extract() {
 create_user() {
     if id "$SERVICE_USER" &>/dev/null; then
         print_info "$(msg 'user_exists'): $SERVICE_USER"
+        # Fix: Ensure existing user has /bin/sh shell for sudo to work
+        # Previous versions used /bin/false which prevents sudo execution
+        local current_shell
+        current_shell=$(getent passwd "$SERVICE_USER" 2>/dev/null | cut -d: -f7)
+        if [ "$current_shell" = "/bin/false" ] || [ "$current_shell" = "/sbin/nologin" ]; then
+            print_info "Fixing user shell for sudo compatibility..."
+            if usermod -s /bin/sh "$SERVICE_USER" 2>/dev/null; then
+                print_success "User shell updated to /bin/sh"
+            else
+                print_warning "Failed to update user shell. Service restart may not work automatically."
+                print_warning "Manual fix: sudo usermod -s /bin/sh $SERVICE_USER"
+            fi
+        fi
     else
         print_info "$(msg 'creating_user') $SERVICE_USER..."
-        useradd -r -s /bin/false -d "$INSTALL_DIR" "$SERVICE_USER"
+        # Use /bin/sh instead of /bin/false to allow sudo execution
+        # The user still cannot login interactively (no password set)
+        useradd -r -s /bin/sh -d "$INSTALL_DIR" "$SERVICE_USER"
         print_success "$(msg 'user_created')"
     fi
 }
@@ -510,18 +525,18 @@ setup_directories() {
 setup_sudoers() {
     print_info "$(msg 'setting_up_sudoers')"
 
-    # Check if sudoers file exists in install dir
+    # Always generate sudoers file from script (not from tar.gz)
-    if [ -f "$INSTALL_DIR/sub2api-sudoers" ]; then
+    # This ensures the latest configuration is used even with older releases
-        cp "$INSTALL_DIR/sub2api-sudoers" /etc/sudoers.d/sub2api
+    # Support both /bin/systemctl and /usr/bin/systemctl for different distros
-    else
+    cat > /etc/sudoers.d/sub2api << 'EOF'
-        # Create sudoers file
-        cat > /etc/sudoers.d/sub2api << 'EOF'
 # Sudoers configuration for Sub2API
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl restart sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl stop sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl start sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl start sub2api
 EOF
-    fi
 
     # Set correct permissions (required for sudoers files)
     chmod 440 /etc/sudoers.d/sub2api
@@ -683,7 +698,7 @@ uninstall() {
     # If not interactive (piped), require -y flag or skip confirmation
     if ! is_interactive; then
         if [ "${FORCE_YES:-}" != "true" ]; then
-            print_error "Non-interactive mode detected. Use 'bash -s -- uninstall -y' to confirm."
+            print_error "Non-interactive mode detected. Use 'curl ... | bash -s -- uninstall -y' to confirm."
             exit 1
         fi
     else

deploy/sub2api-sudoers

@@ -8,6 +8,10 @@
 # SECURITY NOTE: This grants limited sudo access only for service management
 
 # Allow sub2api user to restart the service without password
+# Support both /bin/systemctl (Debian/Ubuntu) and /usr/bin/systemctl (RHEL/CentOS)
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl restart sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl stop sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl start sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl start sub2api

frontend/src/views/setup/SetupWizardView.vue

@@ -214,12 +214,18 @@
         <!-- Success Message -->
         <div v-if="installSuccess" class="mt-6 p-4 bg-green-50 dark:bg-green-900/20 border border-green-200 dark:border-green-800/50 rounded-xl">
           <div class="flex items-start gap-3">
-            <svg class="w-5 h-5 text-green-500 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1.5">
+            <svg v-if="!serviceReady" class="animate-spin w-5 h-5 text-green-500 flex-shrink-0" fill="none" viewBox="0 0 24 24">
+              <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
+              <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+            </svg>
+            <svg v-else class="w-5 h-5 text-green-500 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1.5">
               <path stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
             </svg>
             <div>
               <p class="text-sm font-medium text-green-700 dark:text-green-400">Installation completed!</p>
-              <p class="text-sm text-green-600 dark:text-green-500 mt-1">Please restart the service to apply changes.</p>
+              <p class="text-sm text-green-600 dark:text-green-500 mt-1">
+                {{ serviceReady ? 'Redirecting to login page...' : 'Service is restarting, please wait...' }}
+              </p>
             </div>
           </div>
         </div>
@@ -290,6 +296,7 @@ const dbConnected = ref(false);
 const redisConnected = ref(false);
 const installing = ref(false);
 const confirmPassword = ref('');
+const serviceReady = ref(false);
 
 // Get current server port from browser location (set by install.sh)
 const getCurrentPort = (): number => {
@@ -390,6 +397,8 @@ async function performInstall() {
   try {
     await install(formData);
     installSuccess.value = true;
+    // Start polling for service restart
+    waitForServiceRestart();
   } catch (error: unknown) {
     const err = error as { response?: { data?: { detail?: string } }; message?: string };
     errorMessage.value = err.response?.data?.detail || err.message || 'Installation failed';
@@ -397,4 +406,52 @@ async function performInstall() {
     installing.value = false;
   }
 }
+
+// Wait for service to restart and become available
+async function waitForServiceRestart() {
+  const maxAttempts = 30; // 30 attempts, ~30 seconds max
+  const interval = 1000; // 1 second between attempts
+
+  // Wait a moment for the service to start restarting
+  await new Promise(resolve => setTimeout(resolve, 2000));
+
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    try {
+      // Try to access the health endpoint
+      const response = await fetch('/health', {
+        method: 'GET',
+        cache: 'no-store'
+      });
+
+      if (response.ok) {
+        // Service is up, check if setup is no longer needed
+        const statusResponse = await fetch('/setup/status', {
+          method: 'GET',
+          cache: 'no-store'
+        });
+
+        if (statusResponse.ok) {
+          const data = await statusResponse.json();
+          // If needs_setup is false, service has restarted in normal mode
+          if (data.data && !data.data.needs_setup) {
+            serviceReady.value = true;
+            // Redirect to login page after a short delay
+            setTimeout(() => {
+              window.location.href = '/login';
+            }, 1500);
+            return;
+          }
+        }
+      }
+    } catch {
+      // Service not ready yet, continue polling
+    }
+
+    await new Promise(resolve => setTimeout(resolve, interval));
+  }
+
+  // If we reach here, service didn't restart in time
+  // Show a message to refresh manually
+  errorMessage.value = 'Service restart is taking longer than expected. Please refresh the page manually.';
+}
 </script>