josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8367ec2a9f14732b04196c7b56e5724599e0aa46
Vetting/live-image/README.md
T
josh 211abdf08f
CI / Lint + build + test (push) Successful in 1m41s
Details
Release / detect (push) Successful in 7s
Details
Release / build-live-image (push) Failing after 3m58s
Details
Release / bundle (push) Has been skipped
Details
feat(release): version live-image, skip rebuild+redownload when unchanged 
Splits the release workflow into three jobs (detect, build-live-image,
bundle) so the ~9 min mkosi build only runs when live-image/VERSION
bumps. The slim bundle (~30 MB: orchestrator + agent + deploy scripts
+ a live-image/VERSION pointer) rebuilds every push; the ~300 MB
vmlinuz+initrd.img are published separately under the immutable
live-image/<version>/ path. install.sh compares the pointer to
/var/lib/vetting/live/VERSION and fetches the files only on mismatch,
cutting repeat-install wall-clock from ~30 s + 300 MB to ~10 s + 0 MB
on the common no-live-image-change release.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 21:04:14 -04:00

55 lines
1.6 KiB
Markdown
Raw Blame History

# Vetting live image
Debian-based Linux live image that PXE-booted hosts drop into. Runs the
`vetting-agent` binary under systemd and reaches back to the orchestrator
over HTTP+SSE.
## Versioning
The live image has its own version marker at
[VERSION](VERSION). Bump it (`v<major>.<minor>.<patch>`) whenever
any mkosi input changes; CI only rebuilds and republishes
`live-image/<VERSION>/{vmlinuz,initrd.img}` on the push that touches
that file. The slim release bundle carries only a pointer to this
version, and `install.sh` fetches the actual files from the registry
when the target's on-disk copy is stale. See
[../docs/operations.md](../docs/operations.md) for the install flow.
## Release bundling
`make release` from the repo root produces `vetting-bundle.tar.gz`
orchestrator + agent + install scripts + a `live-image/VERSION`
pointer. It does **not** embed `vmlinuz`/`initrd.img`; those come
from the registry at install time.
## Manual build (dev loop)
On Windows:
```sh
wsl make -C live-image all
```
On Linux:
```sh
make -C live-image all
```
This produces `live-image/build/vmlinuz` and `live-image/build/initrd.img`.
`deploy/pxe-setup.sh` picks them up automatically when run from the repo
tree — no manual copy needed.
## iPXE binaries
The dnsmasq supervisor expects `ipxe.efi` and `undionly.kpxe` in
`pxe.tftp_root`. `deploy/pxe-setup.sh` fetches them from boot.ipxe.org
and verifies against pinned SHA256s in `deploy/ipxe-shas.txt`. Bumping
the pins requires a deliberate repo commit.
## WSL prerequisites (Windows dev)
```sh
sudo apt install mkosi debootstrap squashfs-tools dosfstools
```
Reference in New Issue View Git Blame Copy Permalink