Vetting/live-image/README.md
josh a5055b3c7a
Automate PXE setup: release bundle + pxe-setup.sh + startup validation
Collapses the LXC side of PXE enablement from a six-step manual dance
(build, fetch iPXE, scp, bridge, hand-edit yaml) into:

  make release                   # dev box (Linux/WSL)
  scp bundle.tar.gz lxc:/tmp/
  sudo ./install.sh              # base install, unchanged
  sudo ./pxe-setup.sh --interface ... --dhcp-range ... --orchestrator-url ...

pxe-setup.sh fetches iPXE from boot.ipxe.org, verifies against pinned
SHA256s in deploy/ipxe-shas.txt (fail-closed), places vmlinuz/initrd.img
from the bundle, and rewrites only the pxe: block of vetting.yaml.
Idempotent; --force gates overwriting a hand-edited block.

Adds Supervisor.Validate() — called before dnsmasq spawn — so typo'd
configs fail at orchestrator startup with clear errors naming the
missing file or yaml key, instead of silently serving broken TFTP
until a real host tries to PXE-boot. Nine tests cover missing files,
bogus interface, malformed dhcp_range, bad orchestrator_url, and
aggregate reporting.

Hypervisor bridge creation stays documented (LXC can't do it) but
everything downstream of the bridge is now scripted.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 01:38:43 -04:00

Vetting live image

Debian-based Linux live image that PXE-booted hosts drop into. Runs the vetting-agent binary under systemd and reaches back to the orchestrator over HTTP+SSE.

Preferred build path: make release

Run make release from the repo root (Linux/WSL) — it builds the live image and bundles it with the orchestrator binary, install scripts, and pinned iPXE SHAs into a single vetting-bundle-<sha>.tar.gz. See ../docs/operations.md for the install flow.

Manual build (dev loop)

On Windows:

wsl make -C live-image all

On Linux:

make -C live-image all

This produces live-image/build/vmlinuz and live-image/build/initrd.img. deploy/pxe-setup.sh picks them up automatically when run from the repo tree — no manual copy needed.

iPXE binaries

The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org and verifies them against the pinned SHA256s in deploy/ipxe-shas.txt. Bumping the pins requires a deliberate repo commit.
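
One way a fail-closed pinned-hash check like the one described above can be structured, as an added example that is not the project's pxe-setup.sh. The pin-file line format, the function names verify_pinned and install_verified, and the staging directory are assumptions; the sample files are constructed stand-ins, not real iPXE binaries.

```sh
#!/bin/sh
# Added example, not the project's pxe-setup.sh. Assumption: the pin file uses
# sha256sum's "<hex>  <name>" line format (the real format is not shown).

# verify_pinned PINFILE DIR NAME...  -> 0 only if every NAME matches its pin.
verify_pinned() {
    pins=$1; dir=$2; shift 2
    [ -r "$pins" ] || { echo "pin file unreadable: $pins" >&2; return 1; }
    for name in "$@"; do
        # Exactly one pin per file: none, duplicates or non-hex are refused.
        want=$(awk -v n="$name" '$2 == n { print $1 }' "$pins")
        case $want in
            ''|*[!0-9a-f]*) echo "no usable pin for $name" >&2; return 1 ;;
        esac
        [ "${#want}" -eq 64 ] || { echo "bad pin length: $name" >&2; return 1; }
        [ -f "$dir/$name" ] || { echo "missing download: $name" >&2; return 1; }
        got=$(sha256sum "$dir/$name" | awk '{ print $1 }')
        [ "$got" = "$want" ] || { echo "SHA256 mismatch: $name" >&2; return 1; }
    done
}

# install_verified PINFILE STAGING TFTP_ROOT NAME...
# Checks every staged file before copying any, so a bad download never
# reaches the directory dnsmasq serves from.
install_verified() {
    pins=$1; staging=$2; root=$3; shift 3
    verify_pinned "$pins" "$staging" "$@" || return 1
    for name in "$@"; do
        cp "$staging/$name" "$root/$name.tmp" || return 1
        mv "$root/$name.tmp" "$root/$name" || return 1
    done
}

# Demo on constructed stand-in files (no network, not real iPXE binaries).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/stage" "$d/tftp"
    printf 'constructed efi\n'  > "$d/stage/ipxe.efi"
    printf 'constructed kpxe\n' > "$d/stage/undionly.kpxe"
    (cd "$d/stage" && sha256sum ipxe.efi undionly.kpxe) > "$d/pins.txt"
    install_verified "$d/pins.txt" "$d/stage" "$d/tftp" ipxe.efi undionly.kpxe \
        && echo "clean download installed"
    printf 'tampered' >> "$d/stage/undionly.kpxe"   # simulate a bad fetch
    install_verified "$d/pins.txt" "$d/stage" "$d/tftp" ipxe.efi undionly.kpxe \
        || echo "tampered download refused"
    rm -rf "$d"
}
demo
```

Verifying the whole set in a staging directory before touching the TFTP root means one bad file blocks the install of all of them, rather than leaving a mixed set being served.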

WSL prerequisites (Windows dev)

sudo apt install mkosi debootstrap squashfs-tools dosfstools