Merge debug/prod into single ISO build, fix NVIDIA module loading

## ISO build consolidation - Remove separate debug/prod split: overlay-debug/, build-debug.sh, mkimg.bee_debug.sh, genapkovl-bee_debug.sh all deleted - Single overlay: iso/overlay/ (was overlay-debug content) - Single build script: build.sh (SSH, TUI, NVIDIA, vendor tools, bee-release) - Single mkimage profile: bee (with dropbear, dialog, strace, gcompat, etc.) ## NVIDIA fixes - Modules now stored at /usr/local/lib/nvidia/ instead of /lib/modules/<kver>/extra/nvidia/ — modloop squashfs mounts over that path at boot making overlay content there inaccessible - bee-nvidia init: load via insmod (absolute path), not modprobe - bee-nvidia init: create libnvidia-ml.so.1/libcuda.so.1 symlinks in /usr/lib/ - build-nvidia-module.sh: always install linux-lts-dev (not conditional) — stale 6.6.x headers caused wrong-kernel modules that never loaded at runtime - build-nvidia-module.sh: create soname symlinks in cache - KERNEL_VERSION in VERSIONS updated 6.6 → 6.12 - gcompat added to ISO packages (nvidia-smi is a glibc binary on musl Alpine) ## Service ordering - bee-audit: add `after bee-nvidia` so NVIDIA enrichment always succeeds ## New tooling - iso/builder/smoketest.sh: SSH smoke test for post-boot ISO validation - iso/builder/build-gpu-burn.sh: builds gpu_burn vendor binary (CUDA 12.8+) - vendor/gpu_burn included automatically if placed in iso/vendor/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 20:14:18 +03:00
parent 0907ba07c3
commit 1768bb58dd
24 changed files with 1296 additions and 261 deletions
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -1,5 +1,11 @@
 #!/bin/sh
-# build.sh — production ISO build (unattended mode)
+# build.sh — build bee ISO
+#
+# Single build script. Produces a bootable live ISO with SSH access, TUI, NVIDIA drivers.
+#
+# Run on Alpine builder VM as root after setup-builder.sh.
+# Usage:
+#   sh iso/builder/build.sh [--authorized-keys /path/to/authorized_keys]

 set -e

@@ -8,29 +14,92 @@ BUILDER_DIR="${REPO_ROOT}/iso/builder"
 OVERLAY_DIR="${REPO_ROOT}/iso/overlay"
 DIST_DIR="${REPO_ROOT}/dist"
 VENDOR_DIR="${REPO_ROOT}/iso/vendor"
+AUTH_KEYS=""
+
+# parse args
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --authorized-keys) AUTH_KEYS="$2"; shift 2 ;;
+        *) echo "unknown arg: $1"; exit 1 ;;
+    esac
+done

 . "${BUILDER_DIR}/VERSIONS"
 export PATH="$PATH:/usr/local/go/bin"

-echo "=== bee production ISO build ==="
-echo "Alpine: ${ALPINE_VERSION}, Go: ${GO_VERSION}, NVIDIA: ${NVIDIA_DRIVER_VERSION}"
+# NOTE: lz4 compression for modloop is disabled — Alpine initramfs may not support lz4 squashfs.
+# Default xz compression is used until lz4 support is confirmed.

+echo "=== bee ISO build ==="
+echo "Alpine: ${ALPINE_VERSION}, Go: ${GO_VERSION}"
+echo ""
+
+# --- compile audit binary (static, Linux amd64) ---
+# Skip rebuild if binary is newer than all Go source files.
 AUDIT_BIN="${DIST_DIR}/bee-audit-linux-amd64"
-mkdir -p "$DIST_DIR"
+NEED_BUILD=1
+if [ -f "$AUDIT_BIN" ]; then
+    NEWEST_SRC=$(find "${REPO_ROOT}/audit" -name '*.go' -newer "$AUDIT_BIN" | head -1)
+    [ -z "$NEWEST_SRC" ] && NEED_BUILD=0
+fi

-cd "${REPO_ROOT}/audit"
-GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
-    go build \
-    -ldflags "-s -w -X main.Version=${AUDIT_VERSION}" \
-    -o "$AUDIT_BIN" \
-    ./cmd/audit
+if [ "$NEED_BUILD" = "1" ]; then
+    echo "=== building audit binary ==="
+    cd "${REPO_ROOT}/audit"
+    GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
+        go build \
+        -ldflags "-s -w -X main.Version=${AUDIT_VERSION:-$(date +%Y%m%d)}" \
+        -o "$AUDIT_BIN" \
+        ./cmd/audit
+    echo "binary: $AUDIT_BIN"
+    echo "size:   $(du -sh "$AUDIT_BIN" | cut -f1)"
+else
+    echo "=== audit binary up to date, skipping build ==="
+fi

+# --- inject authorized_keys for SSH access ---
+# Uses the same Ed25519 keys as release signing (from git.mchus.pro/mchus/keys).
+# SSH public keys are stored alongside signing keys as ~/.keys/<name>.key.pub
+AUTHORIZED_KEYS_FILE="${OVERLAY_DIR}/root/.ssh/authorized_keys"
+mkdir -p "${OVERLAY_DIR}/root/.ssh"
+
+if [ -n "$AUTH_KEYS" ]; then
+    cp "$AUTH_KEYS" "$AUTHORIZED_KEYS_FILE"
+    chmod 600 "$AUTHORIZED_KEYS_FILE"
+    echo "SSH authorized_keys: installed from $AUTH_KEYS"
+else
+    # auto-collect all developer SSH public keys from ~/.keys/*.key.pub
+    > "$AUTHORIZED_KEYS_FILE"
+    FOUND=0
+    for ssh_pub in "$HOME"/.keys/*.key.pub; do
+        [ -f "$ssh_pub" ] || continue
+        cat "$ssh_pub" >> "$AUTHORIZED_KEYS_FILE"
+        echo "SSH: added $(basename "$ssh_pub" .key.pub)"
+        FOUND=$((FOUND + 1))
+    done
+    if [ "$FOUND" -gt 0 ]; then
+        chmod 600 "$AUTHORIZED_KEYS_FILE"
+        echo "SSH authorized_keys: $FOUND key(s) from ~/.keys/*.key.pub"
+    else
+        echo "WARNING: no SSH public keys found — falling back to password auth"
+        echo "  root password will be set to: bee / eeb"
+        echo "  (generate a key with: sh keys/scripts/keygen.sh <your-name>)"
+        USE_PASSWORD_FALLBACK=1
+    fi
+fi
+
+# --- password fallback: write marker file read by init script ---
+if [ "${USE_PASSWORD_FALLBACK:-0}" = "1" ]; then
+    touch "${OVERLAY_DIR}/etc/bee-ssh-password-fallback"
+fi
+
+# --- copy audit binary into overlay ---
 mkdir -p "${OVERLAY_DIR}/usr/local/bin"
-cp "$AUDIT_BIN" "${OVERLAY_DIR}/usr/local/bin/audit"
+cp "${DIST_DIR}/bee-audit-linux-amd64" "${OVERLAY_DIR}/usr/local/bin/audit"
 chmod +x "${OVERLAY_DIR}/usr/local/bin/audit"

-# Copy optional vendor utilities if already fetched.
-for tool in storcli64 sas2ircu sas3ircu mstflint; do
+# --- vendor utilities (optional pre-fetched binaries) ---
+for tool in storcli64 sas2ircu sas3ircu mstflint gpu_burn; do
    if [ -f "${VENDOR_DIR}/${tool}" ]; then
        cp "${VENDOR_DIR}/${tool}" "${OVERLAY_DIR}/usr/local/bin/${tool}"
        chmod +x "${OVERLAY_DIR}/usr/local/bin/${tool}" || true
@@ -40,21 +109,29 @@ for tool in storcli64 sas2ircu sas3ircu mstflint; do
    fi
 done

-# Build and inject NVIDIA proprietary modules + userspace tools.
-echo "=== building NVIDIA modules ==="
+# --- build NVIDIA kernel modules and inject into overlay ---
+echo ""
+echo "=== building NVIDIA ${NVIDIA_DRIVER_VERSION} modules ==="
 sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}"
-KVER="$(ls /usr/src/ 2>/dev/null | grep '^linux-headers-' | sed 's/linux-headers-//' | sort -V | tail -1)"
+
+# Determine kernel version (same as what goes into the ISO — both use linux-lts from same Alpine)
+KVER=$(ls /usr/src/ 2>/dev/null | grep '^linux-headers-' | sed 's/linux-headers-//' | sort -V | tail -1)
 NVIDIA_CACHE="${DIST_DIR}/nvidia-${NVIDIA_DRIVER_VERSION}-${KVER}"

-mkdir -p "${OVERLAY_DIR}/lib/modules/${KVER}/extra/nvidia"
-cp "${NVIDIA_CACHE}/modules/"*.ko "${OVERLAY_DIR}/lib/modules/${KVER}/extra/nvidia/"
+# Inject .ko files into overlay at /usr/local/lib/nvidia/ (not /lib/modules/ — modloop squashfs
+# mounts over that path at boot and makes it read-only, so overlay content there is inaccessible)
+OVERLAY_KMOD_DIR="${OVERLAY_DIR}/usr/local/lib/nvidia"
+mkdir -p "${OVERLAY_KMOD_DIR}"
+cp "${NVIDIA_CACHE}/modules/"*.ko "${OVERLAY_KMOD_DIR}/"

+# Inject nvidia-smi and libnvidia-ml
 mkdir -p "${OVERLAY_DIR}/usr/local/bin" "${OVERLAY_DIR}/usr/lib"
 cp "${NVIDIA_CACHE}/bin/nvidia-smi" "${OVERLAY_DIR}/usr/local/bin/"
 chmod +x "${OVERLAY_DIR}/usr/local/bin/nvidia-smi"
 cp "${NVIDIA_CACHE}/lib/"* "${OVERLAY_DIR}/usr/lib/" 2>/dev/null || true

-# Embed build metadata used at runtime.
+
+# --- embed build metadata ---
 mkdir -p "${OVERLAY_DIR}/etc"
 BUILD_DATE="$(date +%Y-%m-%d)"
 GIT_COMMIT="$(git -C "${REPO_ROOT}" rev-parse --short HEAD 2>/dev/null || echo unknown)"
@@ -67,12 +144,27 @@ ALPINE_VERSION=${ALPINE_VERSION}
 NVIDIA_DRIVER_VERSION=${NVIDIA_DRIVER_VERSION}
 EOF

+# --- export build info for genapkovl to inject into motd ---
+BUILD_DATE=$(date +%Y-%m-%d)
+GIT_COMMIT=$(git -C "${REPO_ROOT}" rev-parse --short HEAD 2>/dev/null || echo "unknown")
+export BEE_BUILD_INFO="${BUILD_DATE} git:${GIT_COMMIT} alpine:${ALPINE_VERSION} nvidia:${NVIDIA_DRIVER_VERSION}"
+
+# --- build ISO using mkimage ---
+mkdir -p "${DIST_DIR}"
+echo ""
+echo "=== building ISO ==="
+
+# Install our mkimage profile where mkimage.sh can find it.
+# ~/.mkimage is the user plugin directory loaded by mkimage.sh.
 mkdir -p "${HOME}/.mkimage"
 cp "${BUILDER_DIR}/mkimg.bee.sh" "${HOME}/.mkimage/"
 cp "${BUILDER_DIR}/genapkovl-bee.sh" "${HOME}/.mkimage/"

+# Export overlay dir so the profile script can find it regardless of SRCDIR.
 export BEE_OVERLAY_DIR="${OVERLAY_DIR}"

+# Clean workdir selectively: remove everything except apks cache so packages aren't re-downloaded.
+# mkimage stores each section in a hash-named subdir; apks_* dirs contain downloaded packages.
 if [ -d /var/tmp/bee-iso-work ]; then
    find /var/tmp/bee-iso-work -maxdepth 1 -mindepth 1 \
        -not -name 'apks_*' -not -name 'kernel_*' \
@@ -80,6 +172,9 @@ if [ -d /var/tmp/bee-iso-work ]; then
        -exec rm -rf {} + 2>/dev/null || true
 fi

+# Run from /var/tmp to avoid git repo context conflicts and to ensure enough scratch space.
+# mkinitfs/update-kernel use TMPDIR for initramfs build; tmpfs /tmp is only ~1GB.
+# mkimage.sh sources genapkovl-*.sh from CWD (not from ~/.mkimage), so copy it here too.
 export TMPDIR=/var/tmp
 cp "${BUILDER_DIR}/genapkovl-bee.sh" /var/tmp/
 cd /var/tmp
@@ -93,5 +188,9 @@ sh /usr/share/aports/scripts/mkimage.sh \
    --profile bee

 ISO="${DIST_DIR}/alpine-bee-${ALPINE_VERSION}-x86_64.iso"
+echo ""
 echo "=== done ==="
 echo "ISO: $ISO"
+echo "Size: $(du -sh "$ISO" 2>/dev/null | cut -f1 || echo 'not found')"
+echo ""
+echo "Boot via BMC virtual media and SSH to the server IP on port 22 as root."