josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
488a0d10529ca4cb529ffc04170025b1f2ff48a3
Vetting/live-image/mkosi.conf
T
josh 28918bad15
CI / Lint + build + test (push) Successful in 1m35s
Details
Release / release (push) Failing after 22s
Details
live-image: fix firmware so i915 actually loads at boot 
Previous attempt (c962d6d) added firmware-linux-nonfree to mkosi.conf,
but the CI bundle was still 63 MB and Tiger Lake wedged on tgl_guc.
Two reasons: (1) firmware-linux-nonfree on bookworm is a thin
metapackage that doesn't include firmware-misc-nonfree, which is where
i915 GuC/HuC blobs actually live; (2) Ubuntu's apt-packaged mkosi is
old enough that Repositories=non-free-firmware shorthand likely isn't
wired through to the debootstrap invocation, so firmware packages
silently miss the bootstrap step entirely.

Changes:
- Enumerate firmware packages explicitly in mkosi.conf (firmware-
  misc-nonfree, firmware-iwlwifi, firmware-realtek, firmware-amd-
  graphics, firmware-intel-sound, intel/amd64-microcode).
- Ship mkosi.sources.d/debian.sources with explicit deb822 so the
  non-free-firmware component is unambiguously available.
- Install mkosi 24.3 via pip in CI instead of apt's older build.
- Pin MODULES=most and COMPRESS=zstd via a tracked initramfs-tools
  config under mkosi.extra/.
- Narrow .gitignore so only the generated agent binary is ignored,
  not the whole mkosi.extra/ tree.
- New check-initrd Makefile target asserts both size (>=150 MB) and
  actual presence of i915/tgl_guc_*.bin inside the built initrd, so
  a silent firmware-drop regression fails the build loudly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 13:38:40 -04:00

65 lines
2.0 KiB
Plaintext
Raw Blame History

# Vetting live image (Phase 2 skeleton).
#
# Produces a Debian-based rootfs packaged as squashfs plus a kernel
# image, ready to be served over HTTP to iPXE. The image is deliberately
# small: only what the agent needs to run Phase 2 (the Hello / Claim /
# Heartbeat loop). Phase 4+ adds smartctl, stress-ng, fio, iperf3, etc.
[Distribution]
Distribution=debian
Release=bookworm
# non-free-firmware is where bookworm landed i915 GuC/HuC, iwlwifi,
# amdgpu, nvidia-*, realtek NIC firmware, etc. — anything we'd want
# when PXE-booting a random repaired host. Without it i915 wedges
# on Tiger Lake+ and drags the serial console with it.
#
# Belt-and-suspenders: mkosi.sources.d/debian.sources ships an
# explicit deb822 sources drop-in so the bootstrap step sees the
# component regardless of how this shorthand is interpreted by the
# mkosi version doing the build.
Repositories=main non-free-firmware
[Output]
Format=directory
Output=build
[Content]
# PXE live image — iPXE loads vmlinuz+initrd from TFTP, so the rootfs
# itself doesn't need an EFI bootloader. Bootable=no skips mkosi's
# systemd-boot/bootctl dance; we still get /vmlinuz + /initrd.img
# symlinks courtesy of the linux-image-amd64 postinst.
Bootable=no
BuildPackages=
Packages=
systemd
systemd-sysv
udev
linux-image-amd64
live-boot
iproute2
iputils-ping
openssh-server
ca-certificates
curl
dmidecode
pciutils
usbutils
initramfs-tools
# Firmware. firmware-linux-nonfree on bookworm is a thin metapackage
# that does NOT pull i915 GuC/HuC — those live in firmware-misc-nonfree.
# Enumerate explicitly so the blob for whatever hardware we boot on
# actually lands in /lib/firmware and then in the initrd.
firmware-misc-nonfree
firmware-iwlwifi
firmware-realtek
firmware-amd-graphics
firmware-intel-sound
intel-microcode
amd64-microcode
firmware-linux-nonfree
# Phase 4 will add: smartmontools stress-ng fio iperf3 lshw lm-sensors
[Host]
# Copy the prebuilt Go agent in from the repo root via postinst.
Reference in New Issue View Git Blame Copy Permalink