# Vetting live image

Debian-based Linux live image that PXE-booted hosts drop into. Runs the
`vetting-agent` binary under systemd and reaches back to the orchestrator
over HTTP+SSE.

## Versioning

The live image has its own version marker at
[VERSION](VERSION). Bump it (`v<major>.<minor>.<patch>`) whenever
any mkosi input changes; CI only rebuilds and republishes
`live-image/<VERSION>/{vmlinuz,initrd.img}` on the push that touches
that file. The slim release bundle carries only a pointer to this
version, and `install.sh` fetches the actual files from the registry
when the target's on-disk copy is stale. See
[../docs/operations.md](../docs/operations.md) for the install flow.

## Release bundling

`make release` from the repo root produces `vetting-bundle.tar.gz` —
orchestrator + agent + install scripts + a `live-image/VERSION`
pointer. It does **not** embed `vmlinuz`/`initrd.img`; those come
from the registry at install time.

## Manual build (dev loop)

On Windows:

```sh
wsl make -C live-image all
```

On Linux:

```sh
make -C live-image all
```

This produces `live-image/build/vmlinuz` and `live-image/build/initrd.img`.
`deploy/pxe-setup.sh` picks them up automatically when run from the repo
tree — no manual copy needed.

## iPXE binaries

The dnsmasq supervisor expects `ipxe.efi` and `undionly.kpxe` in
`pxe.tftp_root`. `deploy/pxe-setup.sh` fetches them from boot.ipxe.org
and verifies against pinned SHA256s in `deploy/ipxe-shas.txt`. Bumping
the pins requires a deliberate repo commit.

## WSL prerequisites (Windows dev)

```sh
sudo apt install mkosi debootstrap squashfs-tools dosfstools
```