Vetting live image
Debian-based Linux live image that PXE-booted hosts drop into. Runs the
vetting-agent binary under systemd and reaches back to the orchestrator
over HTTP+SSE.
Versioning
The live image has its own version marker at
VERSION. Bump it (v<major>.<minor>.<patch>) whenever
any mkosi input changes; CI only rebuilds and republishes
live-image/<VERSION>/{vmlinuz,initrd.img} on the push that touches
that file. The slim release bundle carries only a pointer to this
version, and install.sh fetches the actual files from the registry
when the target's on-disk copy is stale. See
../docs/operations.md for the install flow.
Release bundling
make release from the repo root produces vetting-bundle.tar.gz —
orchestrator + agent + install scripts + a live-image/VERSION
pointer. It does not embed vmlinuz/initrd.img; those come
from the registry at install time.
Manual build (dev loop)
On Windows:
    wsl make -C live-image all
On Linux:
    make -C live-image all
This produces live-image/build/vmlinuz and live-image/build/initrd.img.
deploy/pxe-setup.sh picks them up automatically when run from the repo
tree — no manual copy needed.
iPXE binaries
The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in
pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org
and verifies them against the SHA256s pinned in deploy/ipxe-shas.txt.
Bumping the pins requires a deliberate repo commit.
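A fail-closed form of the pin check described above, as an added example that is not the code in deploy/pxe-setup.sh. It assumes the pin file uses sha256sum format ("<hex>  <filename>" per line) and that downloads land in a staging directory first; verify_pinned and install_verified are hypothetical names.

```shell
#!/bin/sh
# Added example: verify downloaded boot files against pinned SHA256s and
# copy them into the TFTP root only if every file matches its pin.
# Assumption: pin file lines look like "<64 hex chars>  <filename>".

# verify_pinned PINS_FILE DIR NAME...
# Returns 0 only if every NAME has exactly one well-formed pin and
# DIR/NAME hashes to it. Any doubt is a failure.
verify_pinned() {
    pins=$1; dir=$2; shift 2
    [ -r "$pins" ] || { echo "pin file unreadable: $pins" >&2; return 1; }
    for name in "$@"; do
        # Exact match on the filename field; skip comment lines.
        # Prints nothing when the name is absent or pinned more than once.
        want=$(awk -v n="$name" \
            '$1 !~ /^#/ && $2 == n { h = tolower($1); c++ }
             END { if (c == 1) print h }' "$pins")
        [ -n "$want" ] || { echo "no unique pin for $name" >&2; return 1; }
        # A truncated or garbled pin must not be accepted.
        printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$' ||
            { echo "malformed pin for $name" >&2; return 1; }
        [ -f "$dir/$name" ] || { echo "missing file: $name" >&2; return 1; }
        got=$(sha256sum "$dir/$name" | awk '{ print $1 }')
        [ "$got" = "$want" ] ||
            { echo "SHA256 mismatch for $name" >&2; return 1; }
    done
    return 0
}

# install_verified PINS_FILE STAGING_DIR DEST_DIR NAME...
# Nothing reaches DEST_DIR unless the whole set verified in staging,
# so a bad download never replaces a good file already being served.
install_verified() {
    pins=$1; stage=$2; dest=$3; shift 3
    verify_pinned "$pins" "$stage" "$@" || return 1
    for name in "$@"; do
        cp "$stage/$name" "$dest/$name" || return 1
    done
}
```

Verifying in staging before the copy keeps a partially fetched or tampered binary out of the directory dnsmasq serves from.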
WSL prerequisites (Windows dev)
    sudo apt install mkosi debootstrap squashfs-tools dosfstools