feat(release): version live-image, skip rebuild+redownload when unchanged
CI / Lint + build + test (push) Successful in 1m41s
Release / detect (push) Successful in 7s
Release / build-live-image (push) Failing after 3m58s
Release / bundle (push) Has been skipped

Splits the release workflow into three jobs (detect, build-live-image,
bundle) so the ~9 min mkosi build only runs when live-image/VERSION
bumps. The slim bundle (~30 MB: orchestrator + agent + deploy scripts
+ a live-image/VERSION pointer) rebuilds every push; the ~300 MB
vmlinuz+initrd.img are published separately under the immutable
live-image/<version>/ path. install.sh compares the pointer to
/var/lib/vetting/live/VERSION and fetches the files only on mismatch,
cutting repeat-install wall-clock from ~30 s + 300 MB to ~10 s + 0 MB
on the common no-live-image-change release.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 21:04:14 -04:00
parent 4c153bb115
commit 211abdf08f
7 changed files with 309 additions and 108 deletions
+35 -22
@@ -13,11 +13,17 @@ repaired nodes so DHCP and WoL work.
### One-liner install (recommended)
Every push to `main` kicks off a Gitea Actions run that builds a full
release bundle (orchestrator + agent + live image + install scripts +
pinned iPXE SHAs) and publishes it to the Gitea package registry. The
LXC installer fetches the prebuilt tarball — no source clone, no Go
toolchain, no `make`, no WSL.
Every push to `main` kicks off a Gitea Actions run that rebuilds the
slim release bundle (orchestrator + agent + install scripts + a
pointer file for the live image's version) and publishes it to the
Gitea package registry. The ~300 MB live image (`vmlinuz` + `initrd.img`)
is published separately under `live-image/<version>/` and only
rebuilds when [`live-image/VERSION`](../live-image/VERSION) changes.
The LXC installer fetches the slim bundle on every run (~30 MB,
fast), then fetches the live image files only when the bundle's
pointer differs from what's on disk — no Go toolchain, no `make`,
no WSL, and no 300 MB transfer on ordinary releases.
On the LXC:
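Review bot: the new bundle contents list drops the `pinned iPXE SHAs` that the old sentence listed alongside orchestrator, agent and install scripts; if the pinned SHAs still ship in the slim bundle, keep them in the list, and if they moved (for instance next to the live image under `live-image/<version>/`), say where, since that list is what a reader uses to know what a release bundle actually contains. The sentence "fetches the live image files only when the bundle's pointer differs from what's on disk" should also spell out the first-install case: with no `/var/lib/vetting/live/VERSION` present yet, the mismatch rule has to fall through to a fetch, and saying so avoids the reader wondering whether a fresh LXC ends up without a live image.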
@@ -26,16 +32,21 @@ curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy
| sudo bash
```
To pin a specific build instead of the rolling `latest`:
Force-refresh the on-disk live image even when versions match
(useful if the staged files got corrupted):
```
VETTING_VERSION=sha-abc1234 curl -fsSL .../proxmox-install.sh | sudo bash
curl -fsSL .../proxmox-install.sh | sudo bash -s -- --force-live-image
```
`proxmox-install.sh` curls the bundle from
`${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/${VETTING_VERSION}/vetting-bundle.tar.gz`,
`${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/latest/vetting-bundle.tar.gz`,
extracts it, and hands off to the bundled `install.sh` for the base
install (user, binaries, config, systemd unit).
install (user, binaries, config, systemd unit). `install.sh` then
compares `live-image/VERSION` inside the bundle against
`/var/lib/vetting/live/VERSION` and fetches
`live-image/<version>/{vmlinuz,initrd.img}` from the registry when
they differ.
If you don't need PXE (e.g. host-mode reporter only, no automated
live-boots), you can stop here — edit `/etc/vetting/vetting.yaml` to
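Review bot: the fetch decision described at the end of the hunk compares only the version string in the bundle's `live-image/VERSION` with `/var/lib/vetting/live/VERSION`, so a truncated or corrupted `vmlinuz`/`initrd.img` sitting beside a matching VERSION is never re-fetched unless an operator notices and passes `--force-live-image`, which the new text itself presents as the remedy for corrupted staged files. Document whether `install.sh` verifies a checksum for the two fetched files (they are what every PXE client boots), and if it does not, consider publishing a sums file next to `live-image/<version>/{vmlinuz,initrd.img}` and writing the on-disk VERSION only after both files have been fetched and verified, so an interrupted fetch cannot leave a current-looking VERSION next to partial files.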
@@ -44,17 +55,21 @@ tune `server.bind` / `public_url`, then
### Offline / air-gapped install
If the LXC can't reach the registry, build the tarball locally and
`scp` it across:
If the LXC can't reach the registry, build the slim bundle locally
and `scp` it across. The live image files must also be copied in
separately (either into the bundle's `live-image/` dir before running
install.sh, or into `/var/lib/vetting/live/` directly):
```
make release # on a Linux/WSL workstation
scp bin/vetting-bundle-<sha>.tar.gz lxc:/tmp/
ssh lxc 'cd /tmp && tar xzf vetting-bundle-*.tar.gz \
&& cd vetting-bundle-* && sudo ./install.sh'
make release # on any host with Go + templ
scp bin/vetting-bundle.tar.gz lxc:/tmp/
ssh lxc 'cd /tmp && tar xzf vetting-bundle.tar.gz \
&& cp /path/to/vmlinuz /path/to/initrd.img vetting-bundle/live-image/ \
&& cd vetting-bundle && sudo ./install.sh'
```
Same bundle layout either way.
`install.sh` recognizes local `vmlinuz`/`initrd.img` under
`live-image/` and stages them without a registry fetch.
### PXE enablement
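Review bot: the air-gapped steps say the live image files "must also be copied in separately" but not where an operator obtains a `vmlinuz`/`initrd.img` pair that matches the bundle's `live-image/VERSION`, nor what happens if the pair copied into `vetting-bundle/live-image/` is from a different version; add one sentence naming the source (the same `live-image/<version>/` registry path downloaded on a connected host, or a local build of the live image) and state whether `install.sh` writes `/var/lib/vetting/live/VERSION` when it stages local files, since otherwise the next online run will either re-fetch immediately or treat a stale local image as current. The `make release` comment changed from "on a Linux/WSL workstation" to "on any host with Go + templ"; if the live image itself still needs a Linux host (the mkosi build mentioned in the commit message), say so here so readers do not expect `make release` to produce it.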
@@ -232,10 +247,8 @@ curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy
That's it — `install.sh` auto-restarts `vetting.service` when it's
already enabled, and re-stages `vmlinuz`/`initrd.img` into
`/var/lib/vetting/live/` so PXE-enabled LXCs come back up with the
fresh live image. Watch the logs with `journalctl -fu vetting`.
`/var/lib/vetting/live/` only when the bundle points at a new
`live-image/VERSION`. Watch the logs with `journalctl -fu vetting`.
Pin to a specific build with `VETTING_VERSION=sha-abc1234` if you
need to roll back or test a commit. The DB migration runs at startup
and is append-only — no manual schema work unless a release's notes
call it out.
The DB migration runs at startup and is append-only — no manual
schema work unless a release's notes call it out.
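Review bot: the paragraph telling operators to pin with `VETTING_VERSION=sha-abc1234` when they "need to roll back or test a commit" is removed without a replacement, and the one-liner earlier in the page now hard-codes `latest` in the bundle URL, so the upgrade section no longer documents any way back to a known-good build after a bad release; either keep the sentence if the variable still selects a build, or name the replacement mechanism. With re-staging now skipped whenever `live-image/VERSION` is unchanged, this section would also benefit from one line pointing at `--force-live-image` for the case where the on-disk image is suspect, since that flag is documented only in the install section.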