josh
6c6d20710f
Previous run actually built the 518 MB rootfs with firmware-misc-nonfree et al. installed — the real payload is working. Two follow-ups: - check-initrd was reading stat on a symlink path and getting 30 bytes (the symlink's own size), not the 6.1.0-44-amd64 kernel initrd it points to. Switched to wc -c, which follows symlinks, and to du -hL for the OK message. - Add zstd to Packages= so COMPRESS=zstd in initramfs.conf can be honored; without it update-initramfs falls back to gzip with a "No zstd in PATH" warning. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Vetting live image
Debian-based Linux live image that PXE-booted hosts drop into. Runs the
vetting-agent binary under systemd and reaches back to the orchestrator
over HTTP+SSE.
Preferred build path: make release
Run make release from the repo root (Linux/WSL) — it builds the live
image and bundles it with the orchestrator binary, install scripts,
and pinned iPXE SHAs into a single vetting-bundle-<sha>.tar.gz. See
../docs/operations.md for the install flow.
Manual build (dev loop)
On Windows:
wsl make -C live-image all
On Linux:
make -C live-image all
This produces live-image/build/vmlinuz and live-image/build/initrd.img.
deploy/pxe-setup.sh picks them up automatically when run from the repo
tree — no manual copy needed.
iPXE binaries
The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in
pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org
and verifies against pinned SHA256s in deploy/ipxe-shas.txt. Bumping
the pins requires a deliberate repo commit.
WSL prerequisites (Windows dev)
sudo apt install mkosi debootstrap squashfs-tools dosfstools