josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Automate PXE setup: release bundle + pxe-setup.sh + startup validation
CI / Lint + build + test (push) Has been cancelled
Details

Browse Source 
Collapses the LXC side of PXE enablement from a six-step manual dance
(build, fetch iPXE, scp, bridge, hand-edit yaml) into:

  make release                   # dev box (Linux/WSL)
  scp bundle.tar.gz lxc:/tmp/
  sudo ./install.sh              # base install, unchanged
  sudo ./pxe-setup.sh --interface ... --dhcp-range ... --orchestrator-url ...

pxe-setup.sh fetches iPXE from boot.ipxe.org, verifies against pinned
SHA256s in deploy/ipxe-shas.txt (fail-closed), places vmlinuz/initrd.img
from the bundle, and rewrites only the pxe: block of vetting.yaml.
Idempotent; --force gates overwriting a hand-edited block.

Adds Supervisor.Validate() — called before dnsmasq spawn — so typo'd
configs fail at orchestrator startup with clear errors naming the
missing file or yaml key, instead of silently serving broken TFTP
until a real host tries to PXE-boot. Nine tests cover missing files,
bogus interface, malformed dhcp_range, bad orchestrator_url, and
aggregate reporting.

Hypervisor bridge creation stays documented (LXC can't do it) but
everything downstream of the bridge is now scripted.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Josh Wright
2026-04-18 01:38:43 -04:00
parent d245fa6235
commit a5055b3c7a
8 changed files with 660 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/ipxe-shas.txt
+18
View File
@@ -0,0 +1,18 @@
# Pinned iPXE binary checksums. pxe-setup.sh fetches ipxe.efi +
# undionly.kpxe from https://boot.ipxe.org and verifies the SHA256
# against these pins. Mismatch = hard fail; the script will not place
# mismatched binaries into tftp_root.
#
# Sources (both from the iPXE project's latest-build tree):
# ipxe.efi → https://boot.ipxe.org/x86_64-efi/ipxe.efi
# undionly.kpxe → https://boot.ipxe.org/undionly.kpxe
#
# To bump: fetch fresh binaries, verify via a second trusted source
# (e.g. a checksum published by a distro package, or a second mirror),
# regenerate with `sha256sum ipxe.efi undionly.kpxe > ipxe-shas.txt`,
# and commit. Treat this as a security-sensitive change.
#
# Format: compatible with `sha256sum -c ipxe-shas.txt` when run from
# the directory containing both files.
270afb529c4a8c1a89e2b852eca150789d948edaca9ca7099a12f170cc9c82e5 ipxe.efi
a84c7945d5ac941b8284a279bb2c93062bc19370681c9cf9a28b52daa1782a95 undionly.kpxe