From 41a273b47f5703b87c21fa0adb7dca739f511f07 Mon Sep 17 00:00:00 2001
From: josh
Date: Sat, 18 Apr 2026 10:47:26 -0400
Subject: [PATCH] live-image: generate initrd explicitly; fail release on missing files
Two bugs chained together to ship a broken bundle:
1. With Bootable=no, mkosi skips update-initramfs, so no /boot/initrd.img- ever gets generated inside the rootfs. The postinst now runs update-initramfs via chroot to produce it.
2. The `make release` recipe chained its `cp` calls with `;`, so a missing live-image/build/initrd.img silently failed and the bundle still got tarred + uploaded. Adding `set -e` at the top of the recipe makes any missing component fail the build loudly instead of shipping a half-bundle.
Co-Authored-By: Claude Opus 4.7
---
 Makefile | 3 ++-
 live-image/mkosi.postinst | 15 +++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index a84ff53..e3332c0 100644
--- a/Makefile
+++ b/Makefile
@@ -75,7 +75,8 @@ release: orchestrator-linux agent-linux live-image ## Build the scp-and-go relea
 ifneq ($(findstring Windows,$(UNAME_S))$(findstring MINGW,$(UNAME_S))$(findstring MSYS,$(UNAME_S)),)
 @echo "ERROR: make release must be run from Linux/WSL (live-image dep needs mkosi)." && exit 1
 endif
- @stamp=vetting-bundle-$(GIT_SHA); \
+ @set -e; \
+ stamp=vetting-bundle-$(GIT_SHA); \
 rm -rf build/$$stamp bin/$$stamp.tar.gz; \
 mkdir -p build/$$stamp/bin build/$$stamp/live-image; \
 cp bin/vetting-linux-amd64 bin/vetting-agent.linux-amd64 build/$$stamp/bin/; \
diff --git a/live-image/mkosi.postinst b/live-image/mkosi.postinst
index aea9cfd..46a991c 100755
--- a/live-image/mkosi.postinst
+++ b/live-image/mkosi.postinst
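Review bot: In the Makefile's `release` recipe, `set -e` turns a missing `cp` source into a build failure, but a zero-length `initrd.img` would still be copied into the bundle. An explicit guard ahead of the copies, such as `test -s live-image/build/initrd.img; \`, would close that gap. The recipe runs on past the last line of this hunk, so the tar and upload steps mentioned in the commit message are not visible; `set -e` does not stop on a failure in the left side of a pipeline or inside an `&&`/`||` list, so those steps should be checked for either form.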
@@ -1,10 +1,17 @@
 #!/bin/sh
-# mkosi postinst: enable the vetting-agent service. The binary lands in
-# the image via mkosi.extra/ (staged by the live-image Makefile from
-# ../bin/vetting-agent.linux-amd64); the service unit lands via
-# mkosi.skeleton/. All we need here is the multi-user.target symlink.
+# mkosi postinst: enable the vetting-agent service and generate the
+# initrd. The binary lands in the image via mkosi.extra/ (staged by the
+# live-image Makefile from ../bin/vetting-agent.linux-amd64); the
+# service unit lands via mkosi.skeleton/.
 set -eu
 mkdir -p "$BUILDROOT/etc/systemd/system/multi-user.target.wants"
 ln -sf /etc/systemd/system/vetting-agent.service \
 "$BUILDROOT/etc/systemd/system/multi-user.target.wants/vetting-agent.service"
+
+# Bootable=no means mkosi won't run update-initramfs for us, and the
+# deferred initramfs-tools trigger inside the chroot doesn't actually
+# generate /boot/initrd.img-. Do it explicitly so the top-level
+# Makefile's cp of live-image/build/initrd.img has something to copy.
+kver=$(ls "$BUILDROOT/lib/modules/" | head -n1)
+chroot "$BUILDROOT" update-initramfs -c -k "$kver"
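Review bot: `kver` can end up empty or name the wrong kernel without the script noticing: under `set -eu` the pipeline's status is that of `head`, so a missing or empty `$BUILDROOT/lib/modules/` still reaches `update-initramfs -c -k ""`. A guard right after the assignment, `[ -n "$kver" ] || { echo "no kernel under $BUILDROOT/lib/modules" >&2; exit 1; }`, makes that case fail with a clear message. If the image could ever carry more than one kernel, `head -n1` takes the lexically first directory, which is not necessarily the one the bundle is meant to boot. Adding `test -s "$BUILDROOT/boot/initrd.img-$kver"` after the `chroot` call would confirm the initrd was actually written before the build moves on.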