josh
d48cf146f4
Belt-and-braces for the kernel-cmdline systemd.firstboot=off fix. mkosi ships /etc/machine-id empty, which triggers firstboot's interactive locale/timezone/root-password prompt on every PXE boot; with the agent running unattended there's nobody to answer and sysinit.target blocks indefinitely. Mask via a /dev/null symlink in /etc/systemd/system so the service is unstartable regardless of cmdline — rules out the failure mode where an older orchestrator binary serves an iPXE script without the off-switch arg.
Vetting live image
Debian-based Linux live image that PXE-booted hosts drop into. Runs the
vetting-agent binary under systemd and reaches back to the orchestrator
over HTTP+SSE.
Preferred build path: make release
Run make release from the repo root (Linux/WSL) — it builds the live
image and bundles it with the orchestrator binary, install scripts,
and pinned iPXE SHAs into a single vetting-bundle-<sha>.tar.gz. See
../docs/operations.md for the install flow.
Manual build (dev loop)
On Windows:
wsl make -C live-image all
On Linux:
make -C live-image all
This produces live-image/build/vmlinuz and live-image/build/initrd.img.
deploy/pxe-setup.sh picks them up automatically when run from the repo
tree — no manual copy needed.
iPXE binaries
The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in
pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org
and verifies against pinned SHA256s in deploy/ipxe-shas.txt. Bumping
the pins requires a deliberate repo commit.
WSL prerequisites (Windows dev)
sudo apt install mkosi debootstrap squashfs-tools dosfstools