update-initramfs produces a boot stub (~50 MB) that expects to mount a separate rootfs over squashfs/disk/NFS. Our PXE channel only ships vmlinuz+initrd.img, so the stub had nothing to pivot to — kernel finished hand-off and the system wedged with firmware, modules, and userspace stranded in the 545 MB rootfs dir we never delivered. Replace with an everything-in-initramfs build: cpio.zst the full rootfs (minus /boot) as the initrd, add /init -> sbin/init for the kernel's runtime entrypoint, materialize the kernel symlink into a real file. Bump check-initrd floor to 200 MB and switch the firmware grep from unmkinitramfs (boot-stub-specific) to zstd | cpio -t. Also add cpio to the CI apt deps.
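The post-build checks the commit describes (the 200 MB check-initrd floor, and listing the image with `zstd -dc | cpio -t` instead of unmkinitramfs to confirm firmware and /init landed), reproduced as an added Python example that is not the project's own script. It leaves out the zstd layer and runs the checks directly on the decompressed newc cpio stream, which is what `cpio -t` lists; the sample archive, the firmware file name and the `check_initrd` helper are constructed for illustration.

```python
import stat

MAGIC = b"070701"                 # newc ("-H newc") cpio magic
FLOOR = 200 * 1024 * 1024         # check-initrd floor from the commit, in bytes

def _pad4(b):
    return b + b"\0" * (-len(b) % 4)

def cpio_entry(name, mode, data=b"", ino=1):
    """One newc record: 110-byte ASCII-hex header, NUL-terminated name, data; each padded to 4."""
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
    hdr = MAGIC + b"".join(b"%08X" % f for f in fields)
    return _pad4(hdr + name.encode() + b"\0") + _pad4(data)

def build_initramfs(entries):
    """entries: [(name, mode, data)]; for a symlink, data is the link target."""
    body = b"".join(cpio_entry(n, m, d, i + 1) for i, (n, m, d) in enumerate(entries))
    return body + cpio_entry("TRAILER!!!", 0)

def iter_cpio(blob):
    """Walk a newc stream, yielding (name, mode, data): the listing `cpio -t` prints."""
    off = 0
    while off + 110 <= len(blob):
        if blob[off:off + 6] != MAGIC:
            raise ValueError("not a newc cpio stream at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        data_off = off + ((110 + namesize + 3) & ~3)
        if name == "TRAILER!!!":
            return
        yield name, mode, blob[data_off:data_off + size]
        off = data_off + ((size + 3) & ~3)

def check_initrd(blob, floor=FLOOR):
    """Sanity checks on the everything-in-initramfs image (hypothetical helper, added here)."""
    entries = {n: (m, d) for n, m, d in iter_cpio(blob)}
    problems = []
    if len(blob) < floor:
        problems.append("initrd is %d bytes, below the %d-byte floor" % (len(blob), floor))
    init = entries.get("init")
    if init is None or not stat.S_ISLNK(init[0]) or init[1] != b"sbin/init":
        problems.append("/init is not a symlink to sbin/init")
    if not any(n.startswith("lib/firmware/") for n in entries):
        problems.append("no lib/firmware/ entries shipped")
    return problems

SAMPLE = build_initramfs([  # constructed sample, not a real rootfs; enough to exercise the checks
    ("init", stat.S_IFLNK | 0o777, b"sbin/init"),
    ("sbin/init", stat.S_IFREG | 0o755, b"#!/bin/sh\nexec /lib/systemd/systemd\n"),
    ("lib/firmware/example.bin", stat.S_IFREG | 0o644, b"\0" * 16),
])
```

On a real image, feed `zstd -dc build/initrd.img` into `iter_cpio` and the listing is the same one `cpio -t` prints; the tiny sample only passes once the floor is lowered, which is exactly what the floor is there to catch.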
Vetting live image
Debian-based Linux live image that PXE-booted hosts drop into. Runs the
vetting-agent binary under systemd and reaches back to the orchestrator
over HTTP+SSE.
Preferred build path: make release
Run make release from the repo root (Linux/WSL) — it builds the live
image and bundles it with the orchestrator binary, install scripts,
and pinned iPXE SHAs into a single vetting-bundle-<sha>.tar.gz. See
../docs/operations.md for the install flow.
Manual build (dev loop)
On Windows:
wsl make -C live-image all
On Linux:
make -C live-image all
This produces live-image/build/vmlinuz and live-image/build/initrd.img.
deploy/pxe-setup.sh picks them up automatically when run from the repo
tree — no manual copy needed.
iPXE binaries
The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in
pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org
and verifies against pinned SHA256s in deploy/ipxe-shas.txt. Bumping
the pins requires a deliberate repo commit.
WSL prerequisites (Windows dev)
sudo apt install mkosi debootstrap squashfs-tools dosfstools