josh 5aa245cd85
live-image: disable mkosi Bootable (PXE doesn't need a bootloader)
mkosi was failing with "systemd-boot was not found at
usr/lib/systemd/boot/efi" because Bootable=yes expects systemd-boot
installed *inside* the image for EFI boot. This image is only ever
PXE-booted — iPXE loads vmlinuz+initrd from TFTP directly, so the
rootfs itself needs no bootloader.

Switching to Bootable=no drops the EFI-image assembly step; the
linux-image-amd64 postinst still creates /vmlinuz and /initrd.img
symlinks that the top-level Makefile copies into the bundle.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 10:18:49 -04:00

Vetting live image

Debian-based Linux live image that PXE-booted hosts drop into. Runs the vetting-agent binary under systemd and reaches back to the orchestrator over HTTP+SSE.

Preferred build path: make release

Run make release from the repo root (Linux/WSL) — it builds the live image and bundles it with the orchestrator binary, install scripts, and pinned iPXE SHAs into a single vetting-bundle-<sha>.tar.gz. See ../docs/operations.md for the install flow.

Manual build (dev loop)

On Windows:

wsl make -C live-image all

On Linux:

make -C live-image all

This produces live-image/build/vmlinuz and live-image/build/initrd.img. deploy/pxe-setup.sh picks them up automatically when run from the repo tree — no manual copy needed.

iPXE binaries

The dnsmasq supervisor expects ipxe.efi and undionly.kpxe in pxe.tftp_root. deploy/pxe-setup.sh fetches them from boot.ipxe.org and verifies against pinned SHA256s in deploy/ipxe-shas.txt. Bumping the pins requires a deliberate repo commit.
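The pinned-hash check described above, sketched as an added example; this is not the project's deploy/pxe-setup.sh. It assumes the pin file uses `sha256sum` output format, and `verify_pinned`, `install_verified` and the staging directory are hypothetical names. Files are published to the TFTP root only after every one matches its pin.

```shell
# Added example, not the project's pxe-setup.sh.
# ASSUMPTION: pins are in sha256sum format, "<64 hex>  <filename>" per line.

# verify_pinned PINS_FILE DIR FILE...
# Returns 0 only if every FILE has exactly one pin and DIR/FILE hashes to it.
verify_pinned() {
    local pins="$1" dir="$2" name want got rc=0
    shift 2
    for name in "$@"; do
        # Exact filename match; emit the hash only when the pin is unique.
        want=$(awk -v n="$name" '$2 == n { c++; h = tolower($1) }
                                 END { if (c == 1) print h }' "$pins")
        if [ -z "$want" ]; then
            echo "FAIL $name: missing or duplicate pin" >&2; rc=1; continue
        fi
        # A missing file yields an empty hash, which never equals the pin.
        got=$(sha256sum "$dir/$name" 2>/dev/null | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "FAIL $name: file missing or sha256 '$got' does not match pin" >&2
            rc=1; continue
        fi
        echo "OK   $name"
    done
    return "$rc"
}

# install_verified PINS_FILE STAGING_DIR TFTP_ROOT FILE...
# Publishes staged files only after all of them verify, so an unverified
# binary is never served to a PXE client.
install_verified() {
    local pins="$1" staging="$2" root="$3" name
    shift 3
    verify_pinned "$pins" "$staging" "$@" || return 1
    for name in "$@"; do
        install -m 0644 "$staging/$name" "$root/$name" || return 1
    done
}

# Constructed demo: two stand-in files are pinned, then one is modified.
demo() {
    local t; t=$(mktemp -d)
    mkdir "$t/staging" "$t/tftp"
    printf 'constructed efi\n'  > "$t/staging/ipxe.efi"
    printf 'constructed kpxe\n' > "$t/staging/undionly.kpxe"
    (cd "$t/staging" && sha256sum ipxe.efi undionly.kpxe) > "$t/pins.txt"
    install_verified "$t/pins.txt" "$t/staging" "$t/tftp" ipxe.efi undionly.kpxe
    printf 'x' >> "$t/staging/undionly.kpxe"   # simulate a changed download
    install_verified "$t/pins.txt" "$t/staging" "$t/tftp" ipxe.efi undionly.kpxe \
        || echo "refused to publish modified file"
    rm -rf "$t"
}
demo
```

Passing the required filenames explicitly is what makes this fail closed: `sha256sum -c` alone checks only the entries listed in the pin file, so a binary whose pin line was dropped would not be checked at all.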

WSL prerequisites (Windows dev)

sudo apt install mkosi debootstrap squashfs-tools dosfstools