reanimator/bee
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Update docs for current LiveCD flow

Browse Source
This commit is contained in:
Mikhail Chusavitin
2026-03-14 16:28:30 +03:00
parent 591164a251
commit 17f0bda45e
3 changed files with 47 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
PLAN.md
View File

@@ -4,13 +4,13 @@ Hardware audit LiveCD for offline server inventory.
Produces `HardwareIngestRequest` JSON compatible with core/reanimator. Produces `HardwareIngestRequest` JSON compatible with core/reanimator.
**Principle:** OS-level collection — reads hardware directly, not through BMC. **Principle:** OS-level collection — reads hardware directly, not through BMC.
Fully unattended — no user interaction required at any stage. Boot → update → audit → output → done. Automatic boot audit plus operator console. Boot runs audit immediately, but local/SSH operators can rerun checks through the TUI and CLI.
All errors are logged, never presented interactively. Every failure path has a silent fallback. Errors are logged and should not block boot on partial collector failures.
Fills the gaps where logpile/Redfish is blind: NVMe, DIMM serials, GPU serials, physical disks behind RAID, full SMART, NIC firmware. Fills the gaps where logpile/Redfish is blind: NVMe, DIMM serials, GPU serials, physical disks behind RAID, full SMART, NIC firmware.
--- ---
## Status snapshot (2026-03-06) ## Status snapshot (2026-03-14)
### Phase 1 — Go Audit Binary ### Phase 1 — Go Audit Binary
@@ -33,9 +33,14 @@ Fills the gaps where logpile/Redfish is blind: NVMe, DIMM serials, GPU serials,
- Current implementation uses Debian 12 `live-build`, `systemd`, and OpenSSH. - Current implementation uses Debian 12 `live-build`, `systemd`, and OpenSSH.
- Network bring-up on boot — **DONE** - Network bring-up on boot — **DONE**
- Boot services (`bee-network`, `bee-nvidia`, `bee-audit`, `bee-sshsetup`) — **DONE** - Boot services (`bee-network`, `bee-nvidia`, `bee-audit`, `bee-sshsetup`) — **DONE**
- Local console UX (`bee` autologin on `tty1`, `menu` auto-start, TUI privilege escalation via `sudo -n`) — **DONE**
- VM/debug support (`qemu-guest-agent`, serial console, virtual GPU initramfs modules) — **DONE**
- Vendor utilities in overlay — **DONE** - Vendor utilities in overlay — **DONE**
- Build metadata + staged overlay injection — **DONE** - Build metadata + staged overlay injection — **DONE**
- Builder container cache persisted outside container writable layer — **DONE**
- ISO volume label `BEE`**DONE**
- Auto-update flow remains deferred; current focus is deterministic offline audit ISO behavior. - Auto-update flow remains deferred; current focus is deterministic offline audit ISO behavior.
- Real-hardware validation remains **PENDING**; current validation is limited to local/libvirt VM boot + service checks.
--- ---
@@ -334,6 +339,8 @@ Planned code shape:
### 2.5 — Operator workflows ### 2.5 — Operator workflows
- Automatic boot audit writes JSON to `/var/log/bee-audit.json` - Automatic boot audit writes JSON to `/var/log/bee-audit.json`
- `tty1` autologins into `bee` and auto-runs `menu`
- `menu` launches the LiveCD wrapper `bee-tui`, which escalates to `root` via `sudo -n`
- `bee tui` can rerun the audit manually - `bee tui` can rerun the audit manually
- `bee tui` can export the latest audit JSON to removable media - `bee tui` can export the latest audit JSON to removable media
- removable export requires explicit target selection, mount, confirmation, copy, and cleanup - removable export requires explicit target selection, mount, confirmation, copy, and cleanup
@@ -358,6 +365,7 @@ Missing optional tools do not fail the build or boot.
Current release model: Current release model:
- shipping a new ISO means a full rebuild - shipping a new ISO means a full rebuild
- build metadata is embedded into `/etc/bee-release` and `motd` - build metadata is embedded into `/etc/bee-release` and `motd`
- current ISO label is `BEE`
- binary self-update remains deferred; no automatic USB/network patching is part of the current runtime - binary self-update remains deferred; no automatic USB/network patching is part of the current runtime
--- ---

24
bible-local/architecture/runtime-flows.md
View File

@@ -30,6 +30,26 @@ local-fs.target
- `bee-audit.service` does not wait for `network-online.target`; audit is local and must run even if DHCP is broken. - `bee-audit.service` does not wait for `network-online.target`; audit is local and must run even if DHCP is broken.
- `bee-audit.service` logs audit failures but does not turn partial collector problems into a boot blocker. - `bee-audit.service` logs audit failures but does not turn partial collector problems into a boot blocker.
## Console and login flow
Local-console behavior:
```text
tty1
└── live-config autologin → bee
└── /home/bee/.profile
└── exec menu
└── /usr/local/bin/bee-tui
└── sudo -n /usr/local/bin/bee tui --runtime livecd
```
Rules:
- local `tty1` lands in user `bee`, not directly in `root`
- `menu` must work without typing `sudo`
- TUI actions still run as `root` via `sudo -n`
- SSH is independent from the tty1 path
- serial console support is enabled for VM boot debugging
## ISO build sequence ## ISO build sequence
``` ```
@@ -80,6 +100,10 @@ Exit code 0 = all required checks pass. All `FAIL` lines must be zero before shi
Key checks: NVIDIA modules loaded, `nvidia-smi` sees all GPUs, lib symlinks present, Key checks: NVIDIA modules loaded, `nvidia-smi` sees all GPUs, lib symlinks present,
systemd services running, audit completed with NVIDIA enrichment, LAN reachability. systemd services running, audit completed with NVIDIA enrichment, LAN reachability.
Current validation state:
- local/libvirt VM boot path is validated for `systemd`, SSH, `bee audit`, `bee-network`, and TUI startup
- real hardware validation is still required before treating the ISO as release-ready
## Overlay mechanism ## Overlay mechanism
`live-build` copies files from `config/includes.chroot/` into the ISO filesystem. `live-build` copies files from `config/includes.chroot/` into the ISO filesystem.

13
bible-local/architecture/system-overview.md
View File

@@ -19,10 +19,11 @@ Fills gaps where Redfish/logpile is blind:
## In scope ## In scope
- Read-only hardware inventory: board, CPU, memory, storage, PCIe, PSU, GPU, NIC, RAID - Read-only hardware inventory: board, CPU, memory, storage, PCIe, PSU, GPU, NIC, RAID
- Unattended operation — no user interaction required - Automatic boot audit with operator-facing local console and SSH access
- NVIDIA proprietary driver loaded at boot for GPU enrichment via `nvidia-smi` - NVIDIA proprietary driver loaded at boot for GPU enrichment via `nvidia-smi`
- SSH access (OpenSSH) always available for inspection and debugging - SSH access (OpenSSH) always available for inspection and debugging
- Interactive Go TUI via `bee tui` for network setup, service management, and acceptance tests - Interactive Go TUI via `bee tui` for network setup, service management, and acceptance tests
- Local `tty1` operator UX: `bee` autologin, `menu` auto-start, privileged actions via `sudo -n`
## Network isolation — CRITICAL ## Network isolation — CRITICAL
@@ -56,6 +57,14 @@ Fills gaps where Redfish/logpile is blind:
| NVIDIA modules | Loaded via `insmod` from `/usr/local/lib/nvidia/` | | NVIDIA modules | Loaded via `insmod` from `/usr/local/lib/nvidia/` |
| Builder | Debian 12 host/VM or Debian 12 container image | | Builder | Debian 12 host/VM or Debian 12 container image |
## Operator UX
- On the live ISO, `tty1` autologins as `bee`
- The login profile auto-runs `menu`, which enters the Go TUI
- The TUI itself executes privileged actions as `root` via `sudo -n`
- SSH remains available independently of the local console path
- VM-oriented builds also include `qemu-guest-agent` and serial console support for debugging
## Runtime split ## Runtime split
- The main Go application must run both on a normal Linux host and inside the live ISO - The main Go application must run both on a normal Linux host and inside the live ISO
@@ -75,5 +84,7 @@ Fills gaps where Redfish/logpile is blind:
| `iso/vendor/` | Optional pre-built vendor binaries (storcli64, sas2ircu, sas3ircu, mstflint, …) | | `iso/vendor/` | Optional pre-built vendor binaries (storcli64, sas2ircu, sas3ircu, mstflint, …) |
| `iso/builder/VERSIONS` | Pinned versions: Debian, Go, NVIDIA driver, kernel ABI | | `iso/builder/VERSIONS` | Pinned versions: Debian, Go, NVIDIA driver, kernel ABI |
| `iso/builder/smoketest.sh` | Post-boot smoke test — run via SSH to verify live ISO | | `iso/builder/smoketest.sh` | Post-boot smoke test — run via SSH to verify live ISO |
| `iso/overlay/etc/profile.d/bee.sh` | `menu` helper + tty1 auto-start policy |
| `iso/overlay/home/bee/.profile` | `bee` shell profile for local console startup |
| `dist/` | Build outputs (gitignored) | | `dist/` | Build outputs (gitignored) |
| `iso/out/` | Downloaded ISO files (gitignored) | | `iso/out/` | Downloaded ISO files (gitignored) |