Vetting/live-image
josh 41a273b47f
CI / Lint + build + test (push) Successful in 1m47s
Release / release (push) Failing after 2m28s
live-image: generate initrd explicitly; fail release on missing files
Two bugs chained together to ship a broken bundle:

1. With Bootable=no, mkosi skips update-initramfs, so no
   /boot/initrd.img-<kver> ever gets generated inside the rootfs.
   The postinst now runs update-initramfs via chroot to produce it.

2. The `make release` recipe chained its `cp` calls with `;`, so
   a missing live-image/build/initrd.img silently failed and the
   bundle still got tarred + uploaded. Adding `set -e` at the top
   of the recipe makes any missing component fail the build loudly
   instead of shipping a half-bundle.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 10:47:26 -04:00

Vetting live image

Debian-based Linux live image that PXE-booted hosts drop into. Runs the vetting-agent binary under systemd and reaches back to the orchestrator over HTTP+SSE.

Preferred build path: make release

Run make release from the repo root (Linux/WSL) — it builds the live image and bundles it with the orchestrator binary, install scripts, and pinned iPXE SHAs into a single vetting-bundle-<sha>.tar.gz. See ../docs/operations.md for the install flow.

Manual build (dev loop)

On Windows:

wsl make -C live-image all

On Linux:

make -C live-image all

This produces live-image/build/vmlinuz and live-image/build/initrd.img. deploy/pxe-setup.sh picks them up automatically when run from the repo tree — no manual copy needed.

iPXE binaries

The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org and verifies them against the SHA256 digests pinned in deploy/ipxe-shas.txt. Bumping the pins requires a deliberate repo commit.
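
As an added example (not the project's deploy/pxe-setup.sh), this is a fail-closed form of the pin check described above: every staged download is verified against the pins file before any of them is copied into the TFTP root. It assumes the pins file uses sha256sum's "<digest>  <filename>" format; the function names and the staging directory are hypothetical.

```sh
#!/bin/sh
# Added example; not the project's deploy/pxe-setup.sh.
# Assumption: the pins file uses sha256sum format, "<64-hex digest>  <filename>".

# verify_pinned PINS_FILE DIR NAME
# Succeeds only if DIR/NAME exists, NAME has exactly one well-formed pin,
# and the file's SHA256 equals that pin.
verify_pinned() {
    pins=$1 dir=$2 name=$3
    [ -f "$pins" ] || { echo "pins file missing: $pins" >&2; return 2; }
    [ -f "$dir/$name" ] || { echo "not downloaded: $name" >&2; return 2; }
    # Exact match on the filename field; two matching lines come back joined
    # by a newline, which the hex check below rejects as a duplicate pin.
    want=$(awk -v n="$name" '$2 == n { print $1 }' "$pins")
    case $want in
        "" | *[!0-9a-f]*) echo "missing, duplicate or malformed pin: $name" >&2; return 3 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "pin is not a SHA256: $name" >&2; return 3; }
    got=$(sha256sum "$dir/$name" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "SHA256 mismatch for $name: got $got, pinned $want" >&2
        return 1
    fi
}

# install_verified PINS_FILE STAGING_DIR TFTP_ROOT NAME...
# Verifies every staged file before copying any of them, so a failed check
# leaves the TFTP root untouched instead of half-populated.
install_verified() {
    pins=$1 staging=$2 root=$3
    shift 3
    for f in "$@"; do
        verify_pinned "$pins" "$staging" "$f" || return 1
    done
    for f in "$@"; do
        cp "$staging/$f" "$root/$f" || return 1
    done
}
```

Source the file and call install_verified with the pins file, the download directory, the TFTP root and the file names; a non-zero return means nothing was installed.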

WSL prerequisites (Windows dev)

sudo apt install mkosi debootstrap squashfs-tools dosfstools