Automate PXE setup: release bundle + pxe-setup.sh + startup validation
CI / Lint + build + test (push) Has been cancelled
Collapses the LXC side of PXE enablement from a six-step manual dance (build, fetch iPXE, scp, bridge, hand-edit yaml) into:

    make release                         # dev box (Linux/WSL)
    scp bundle.tar.gz lxc:/tmp/
    sudo ./install.sh                    # base install, unchanged
    sudo ./pxe-setup.sh --interface ... --dhcp-range ... --orchestrator-url ...

pxe-setup.sh fetches iPXE from boot.ipxe.org, verifies against pinned SHA256s in deploy/ipxe-shas.txt (fail-closed), places vmlinuz/initrd.img from the bundle, and rewrites only the pxe: block of vetting.yaml. Idempotent; --force gates overwriting a hand-edited block.

Adds Supervisor.Validate() — called before dnsmasq spawn — so typo'd configs fail at orchestrator startup with clear errors naming the missing file or yaml key, instead of silently serving broken TFTP until a real host tries to PXE-boot. Nine tests cover missing files, bogus interface, malformed dhcp_range, bad orchestrator_url, and aggregate reporting.

Hypervisor bridge creation stays documented (LXC can't do it) but everything downstream of the bridge is now scripted.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
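The fail-closed pin check and idempotent placement that the commit message attributes to pxe-setup.sh, as an added shell example that is not the project's own script. It assumes a sha256sum-style pin file (`<sha256>  <filename>` per line) and uses constructed stand-in data in place of real iPXE downloads.

```sh
#!/bin/sh
# Added example, not the project's pxe-setup.sh: fail-closed SHA256 pin check
# for fetched iPXE binaries plus idempotent placement into the TFTP root.
# Assumed pin-file format (constructed): one "<sha256>  <filename>" per line.
set -eu

# verify_pin PIN_FILE FILE: succeeds only when FILE's SHA256 equals the pin
# recorded for its basename. Missing file, missing pin or mismatch all fail.
verify_pin() {
    pin_file=$1; path=$2; name=$(basename "$path")
    [ -f "$path" ] || { echo "missing $path" >&2; return 1; }
    want=$(awk -v n="$name" '$2 == n { print tolower($1) }' "$pin_file")
    [ -n "$want" ] || { echo "no pin for $name in $pin_file" >&2; return 1; }
    have=$(sha256sum "$path" | awk '{ print tolower($1) }')
    [ "$have" = "$want" ] || { echo "SHA256 mismatch for $name" >&2; return 1; }
}

# place_verified PIN_FILE SRC DEST_DIR
# Copies SRC into DEST_DIR only after it verifies. A byte-identical copy
# already present is left alone, so re-running the setup is a no-op.
place_verified() {
    pin_file=$1; src=$2; dest=$3/$(basename "$src")
    verify_pin "$pin_file" "$src" || return 1
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo "unchanged: $dest"; return 0
    fi
    install -m 0644 "$src" "$dest"
    echo "installed: $dest"
}

# demo: constructed stand-in data exercising install, re-run and tamper paths.
# Returns 0 only if the good file is placed, the re-run is a no-op, and the
# tampered file is refused without touching the copy in the TFTP root.
demo() {
    d=$(mktemp -d); mkdir -p "$d/tftp"
    printf 'constructed iPXE stand-in\n' > "$d/ipxe.efi"
    printf '%s  ipxe.efi\n' "$(sha256sum "$d/ipxe.efi" | cut -d' ' -f1)" \
        > "$d/ipxe-shas.txt"
    place_verified "$d/ipxe-shas.txt" "$d/ipxe.efi" "$d/tftp" || return 1
    place_verified "$d/ipxe-shas.txt" "$d/ipxe.efi" "$d/tftp" || return 1
    printf 'tampered\n' >> "$d/ipxe.efi"          # simulate a swapped download
    if place_verified "$d/ipxe-shas.txt" "$d/ipxe.efi" "$d/tftp" 2>/dev/null; then
        return 1                                  # must have been refused
    fi
    cmp -s "$d/ipxe.efi" "$d/tftp/ipxe.efi" && return 1   # root keeps verified copy
    rm -rf "$d"
}

demo && echo "pin check ok: verified binary placed, tampered binary refused"
```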
+15
-8
@@ -4,9 +4,16 @@ Debian-based Linux live image that PXE-booted hosts drop into. Runs the
`vetting-agent` binary under systemd and reaches back to the orchestrator
over HTTP+SSE.

## Building
## Preferred build path: `make release`

Must be built on Linux (or WSL). On Windows:
Run `make release` from the repo root (Linux/WSL) — it builds the live
image *and* bundles it with the orchestrator binary, install scripts,
and pinned iPXE SHAs into a single `vetting-bundle-<sha>.tar.gz`. See
[../docs/operations.md](../docs/operations.md) for the install flow.

## Manual build (dev loop)

On Windows:

```sh
wsl make -C live-image all
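Review bot: the new "Preferred build path" text says the bundle carries the "pinned iPXE SHAs", so the pins travel inside the same `vetting-bundle-<sha>.tar.gz` that is copied to the host, and the bundle's own integrity is what the later iPXE check rests on; the README should say how an operator checks the bundle before running `install.sh` (for example by publishing its checksum out of band) and what `<sha>` denotes (the git commit hash or a digest of the archive), since the commit message's example uses the generic name `bundle.tar.gz` and the two should agree. A smaller point: the top-level `## Building` heading was removed, so `## Preferred build path` and `## Manual build (dev loop)` now sit at the same level as `## iPXE binaries`; either keep `## Building` as the parent or demote the two new headings to `###`.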
@@ -19,15 +26,15 @@ make -C live-image all
```

This produces `live-image/build/vmlinuz` and `live-image/build/initrd.img`.
Copy (or symlink) them into the directory configured as `pxe.live_dir` in
`deploy/vetting.yaml`; the orchestrator serves them at `/live/*`.
`deploy/pxe-setup.sh` picks them up automatically when run from the repo
tree — no manual copy needed.

## iPXE binaries

The dnsmasq supervisor expects `ipxe.efi` and `undionly.kpxe` to live in
`pxe.tftp_root`. Fetch the latest release binaries from
https://boot.ipxe.org and drop them in that directory. The Makefile does
not download them automatically so their SHA256 can be operator-verified.
The dnsmasq supervisor expects `ipxe.efi` and `undionly.kpxe` in
`pxe.tftp_root`. `deploy/pxe-setup.sh` fetches them from boot.ipxe.org
and verifies against pinned SHA256s in `deploy/ipxe-shas.txt`. Bumping
the pins requires a deliberate repo commit.

## WSL prerequisites (Windows dev)

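Review bot: the rewritten "iPXE binaries" paragraph says `pxe-setup.sh` verifies the downloads against `deploy/ipxe-shas.txt` but not what happens on a mismatch; the commit message calls the check fail-closed, so state it here (on mismatch the script aborts and nothing is written to `pxe.tftp_root`), because that is the property an operator relies on. The removed text linked `https://boot.ipxe.org` while the new text drops the scheme and just says boot.ipxe.org; keep the full URL so it is clear the fetch is over TLS, even though the pin is the real control. "Bumping the pins requires a deliberate repo commit" should also say how a bump is vetted (download, verify the new SHA256 independently of the script, then commit), otherwise a pin bump is just a second unverified download.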