josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f188c7add40a1a407c2177d3cdd9b58f2a3ee8dc
Vetting/live-image
T
History
josh a5055b3c7a
CI / Lint + build + test (push) Has been cancelled
Details
Automate PXE setup: release bundle + pxe-setup.sh + startup validation 
Collapses the LXC side of PXE enablement from a six-step manual dance
(build, fetch iPXE, scp, bridge, hand-edit yaml) into:

  make release                   # dev box (Linux/WSL)
  scp bundle.tar.gz lxc:/tmp/
  sudo ./install.sh              # base install, unchanged
  sudo ./pxe-setup.sh --interface ... --dhcp-range ... --orchestrator-url ...

pxe-setup.sh fetches iPXE from boot.ipxe.org, verifies against pinned
SHA256s in deploy/ipxe-shas.txt (fail-closed), places vmlinuz/initrd.img
from the bundle, and rewrites only the pxe: block of vetting.yaml.
Idempotent; --force gates overwriting a hand-edited block.

Adds Supervisor.Validate() — called before dnsmasq spawn — so typo'd
configs fail at orchestrator startup with clear errors naming the
missing file or yaml key, instead of silently serving broken TFTP
until a real host tries to PXE-boot. Nine tests cover missing files,
bogus interface, malformed dhcp_range, bad orchestrator_url, and
aggregate reporting.

Hypervisor bridge creation stays documented (LXC can't do it) but
everything downstream of the bridge is now scripted.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 01:38:43 -04:00
..
mkosi.skeleton/etc/systemd/system
Initial commit: full Phases 1-6 implementation
2026-04-17 21:32:10 -04:00
Makefile
Initial commit: full Phases 1-6 implementation
2026-04-17 21:32:10 -04:00
mkosi.conf
Initial commit: full Phases 1-6 implementation
2026-04-17 21:32:10 -04:00
mkosi.postinst
Initial commit: full Phases 1-6 implementation
2026-04-17 21:32:10 -04:00
README.md
Automate PXE setup: release bundle + pxe-setup.sh + startup validation
2026-04-18 01:38:43 -04:00

README.md

Vetting live image

Debian-based Linux live image that PXE-booted hosts drop into. Runs the vetting-agent binary under systemd and reaches back to the orchestrator over HTTP+SSE.

Preferred build path: make release

Run make release from the repo root (Linux/WSL) — it builds the live image and bundles it with the orchestrator binary, install scripts, and pinned iPXE SHAs into a single vetting-bundle-<sha>.tar.gz. See ../docs/operations.md for the install flow.

Manual build (dev loop)

On Windows:

wsl make -C live-image all

On Linux:

make -C live-image all

This produces live-image/build/vmlinuz and live-image/build/initrd.img. deploy/pxe-setup.sh picks them up automatically when run from the repo tree — no manual copy needed.

iPXE binaries

The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org and verifies against pinned SHA256s in deploy/ipxe-shas.txt. Bumping the pins requires a deliberate repo commit.

WSL prerequisites (Windows dev)

sudo apt install mkosi debootstrap squashfs-tools dosfstools
Reference in New Issue View Git Blame Copy Permalink