Implement audit enrichments, TUI workflows, and production ISO scaffold

2026-03-06 11:56:26 +03:00
parent bdfb6a0a79
commit 18b8c69bc5
32 changed files with 3187 additions and 9 deletions
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -0,0 +1,97 @@
+#!/bin/sh
+# build.sh — production ISO build (unattended mode)
+
+set -e
+
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+BUILDER_DIR="${REPO_ROOT}/iso/builder"
+OVERLAY_DIR="${REPO_ROOT}/iso/overlay"
+DIST_DIR="${REPO_ROOT}/dist"
+VENDOR_DIR="${REPO_ROOT}/iso/vendor"
+
+. "${BUILDER_DIR}/VERSIONS"
+export PATH="$PATH:/usr/local/go/bin"
+
+echo "=== bee production ISO build ==="
+echo "Alpine: ${ALPINE_VERSION}, Go: ${GO_VERSION}, NVIDIA: ${NVIDIA_DRIVER_VERSION}"
+
+AUDIT_BIN="${DIST_DIR}/bee-audit-linux-amd64"
+mkdir -p "$DIST_DIR"
+
+cd "${REPO_ROOT}/audit"
+GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
+    go build \
+    -ldflags "-s -w -X main.Version=${AUDIT_VERSION}" \
+    -o "$AUDIT_BIN" \
+    ./cmd/audit
+
+mkdir -p "${OVERLAY_DIR}/usr/local/bin"
+cp "$AUDIT_BIN" "${OVERLAY_DIR}/usr/local/bin/audit"
+chmod +x "${OVERLAY_DIR}/usr/local/bin/audit"
+
+# Copy optional vendor utilities if already fetched.
+for tool in storcli64 sas2ircu sas3ircu mstflint; do
+    if [ -f "${VENDOR_DIR}/${tool}" ]; then
+        cp "${VENDOR_DIR}/${tool}" "${OVERLAY_DIR}/usr/local/bin/${tool}"
+        chmod +x "${OVERLAY_DIR}/usr/local/bin/${tool}" || true
+        echo "vendor tool: ${tool} (included)"
+    else
+        echo "vendor tool: ${tool} (not found, skipped)"
+    fi
+done
+
+# Build and inject NVIDIA proprietary modules + userspace tools.
+echo "=== building NVIDIA modules ==="
+sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}"
+KVER="$(ls /usr/src/ 2>/dev/null | grep '^linux-headers-' | sed 's/linux-headers-//' | head -1)"
+NVIDIA_CACHE="${DIST_DIR}/nvidia-${NVIDIA_DRIVER_VERSION}-${KVER}"
+
+mkdir -p "${OVERLAY_DIR}/lib/modules/${KVER}/extra/nvidia"
+cp "${NVIDIA_CACHE}/modules/"*.ko "${OVERLAY_DIR}/lib/modules/${KVER}/extra/nvidia/"
+
+mkdir -p "${OVERLAY_DIR}/usr/local/bin" "${OVERLAY_DIR}/usr/lib"
+cp "${NVIDIA_CACHE}/bin/nvidia-smi" "${OVERLAY_DIR}/usr/local/bin/"
+chmod +x "${OVERLAY_DIR}/usr/local/bin/nvidia-smi"
+cp "${NVIDIA_CACHE}/lib/"* "${OVERLAY_DIR}/usr/lib/" 2>/dev/null || true
+
+# Embed build metadata used at runtime.
+mkdir -p "${OVERLAY_DIR}/etc"
+BUILD_DATE="$(date +%Y-%m-%d)"
+GIT_COMMIT="$(git -C "${REPO_ROOT}" rev-parse --short HEAD 2>/dev/null || echo unknown)"
+cat > "${OVERLAY_DIR}/etc/bee-release" <<EOF
+BEE_ISO_VERSION=${AUDIT_VERSION}
+BEE_AUDIT_VERSION=${AUDIT_VERSION}
+BUILD_DATE=${BUILD_DATE}
+GIT_COMMIT=${GIT_COMMIT}
+ALPINE_VERSION=${ALPINE_VERSION}
+NVIDIA_DRIVER_VERSION=${NVIDIA_DRIVER_VERSION}
+EOF
+
+mkdir -p "${HOME}/.mkimage"
+cp "${BUILDER_DIR}/mkimg.bee.sh" "${HOME}/.mkimage/"
+cp "${BUILDER_DIR}/genapkovl-bee.sh" "${HOME}/.mkimage/"
+
+export BEE_OVERLAY_DIR="${OVERLAY_DIR}"
+
+if [ -d /var/tmp/bee-iso-work ]; then
+    find /var/tmp/bee-iso-work -maxdepth 1 -mindepth 1 \
+        -not -name 'apks_*' -not -name 'kernel_*' \
+        -not -name 'syslinux_*' -not -name 'grub_*' \
+        -exec rm -rf {} + 2>/dev/null || true
+fi
+
+export TMPDIR=/var/tmp
+cp "${BUILDER_DIR}/genapkovl-bee.sh" /var/tmp/
+cd /var/tmp
+sh /usr/share/aports/scripts/mkimage.sh \
+    --tag "v${ALPINE_VERSION}" \
+    --outdir "${DIST_DIR}" \
+    --arch x86_64 \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
+    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/community" \
+    --workdir /var/tmp/bee-iso-work \
+    --profile bee
+
+ISO="${DIST_DIR}/alpine-bee-${ALPINE_VERSION}-x86_64.iso"
+echo "=== done ==="
+echo "ISO: $ISO"
--- a/iso/builder/genapkovl-bee.sh
+++ b/iso/builder/genapkovl-bee.sh
@@ -0,0 +1,82 @@
+#!/bin/sh -e
+HOSTNAME="$1"
+[ -n "$HOSTNAME" ] || { echo "usage: $0 hostname"; exit 1; }
+OVERLAY="${BEE_OVERLAY_DIR}"
+[ -n "$OVERLAY" ] || { echo "ERROR: BEE_OVERLAY_DIR not set"; exit 1; }
+
+cleanup() { rm -rf "$tmp"; }
+tmp="$(mktemp -d)"
+trap cleanup EXIT
+
+makefile() { OWNER="$1" PERMS="$2" FILENAME="$3"; cat > "$FILENAME"; chown "$OWNER" "$FILENAME"; chmod "$PERMS" "$FILENAME"; }
+rc_add() { mkdir -p "$tmp/etc/runlevels/$2"; ln -sf /etc/init.d/"$1" "$tmp/etc/runlevels/$2/$1"; }
+
+mkdir -p "$tmp/etc"
+makefile root:root 0644 "$tmp/etc/hostname" <<EOT
+$HOSTNAME
+EOT
+
+mkdir -p "$tmp/etc/network"
+makefile root:root 0644 "$tmp/etc/network/interfaces" <<EOT
+auto lo
+iface lo inet loopback
+EOT
+
+mkdir -p "$tmp/etc/apk"
+makefile root:root 0644 "$tmp/etc/apk/world" <<EOT
+alpine-base
+dmidecode
+smartmontools
+nvme-cli
+pciutils
+ipmitool
+util-linux
+lsblk
+e2fsprogs
+lshw
+openrc
+ca-certificates
+tzdata
+jq
+wget
+EOT
+
+rc_add devfs sysinit
+rc_add dmesg sysinit
+rc_add mdev sysinit
+rc_add hwdrivers sysinit
+rc_add modloop sysinit
+
+rc_add hwclock boot
+rc_add modules boot
+rc_add sysctl boot
+rc_add hostname boot
+rc_add bootmisc boot
+rc_add syslog boot
+
+rc_add mount-ro shutdown
+rc_add killprocs shutdown
+rc_add savecache shutdown
+
+rc_add bee-network default
+rc_add bee-update default
+rc_add bee-nvidia default
+rc_add bee-audit default
+
+if [ -d "$OVERLAY/etc" ]; then
+    cp -r "$OVERLAY/etc/." "$tmp/etc/"
+    chmod +x "$tmp/etc/init.d/"* 2>/dev/null || true
+fi
+
+mkdir -p "$tmp/usr"
+if [ -d "$OVERLAY/usr" ]; then
+    cp -r "$OVERLAY/usr/." "$tmp/usr/"
+    chmod +x "$tmp/usr/local/bin/"* 2>/dev/null || true
+fi
+
+if [ -d "$OVERLAY/lib" ]; then
+    mkdir -p "$tmp/lib"
+    cp -r "$OVERLAY/lib/." "$tmp/lib/"
+fi
+
+tar -c -C "$tmp" etc usr lib 2>/dev/null | gzip -9n > "$HOSTNAME.apkovl.tar.gz"
--- a/iso/builder/genapkovl-bee_debug.sh
+++ b/iso/builder/genapkovl-bee_debug.sh
@@ -89,6 +89,11 @@ if [ -d "$OVERLAY/root" ]; then
    chmod 600 "$tmp/root/.ssh/authorized_keys" 2>/dev/null || true
 fi

+if [ -d "$OVERLAY/lib" ]; then
+    mkdir -p "$tmp/lib"
+    cp -r "$OVERLAY/lib/." "$tmp/lib/"
+fi
+
 mkdir -p "$tmp/etc/dropbear" "$tmp/etc/conf.d"
 # -R: auto-generate host keys if missing
 # no dependency on networking service — bee-network handles DHCP independently
@@ -97,4 +102,4 @@ DROPBEAR_OPTS="-R -B"
 EOF


-tar -c -C "$tmp" etc usr root 2>/dev/null | gzip -9n > "$HOSTNAME.apkovl.tar.gz"
+tar -c -C "$tmp" etc usr root lib 2>/dev/null | gzip -9n > "$HOSTNAME.apkovl.tar.gz"
--- a/iso/builder/mkimg.bee.sh
+++ b/iso/builder/mkimg.bee.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+# Alpine mkimage profile: bee (production)
+
+profile_bee() {
+    title="Bee Hardware Audit"
+    desc="Hardware audit LiveCD (production unattended mode)"
+    arch="x86_64"
+    hostname="alpine-bee"
+    apkovl="genapkovl-bee.sh"
+    image_ext="iso"
+    output_format="iso"
+    kernel_flavors="lts"
+    kernel_addons=""
+    initfs_cmdline="modules=loop,squashfs,sd-mod,usb-storage modloop=/boot/modloop-lts quiet"
+    initfs_features="ata base cdrom ext4 mmc nvme raid scsi squashfs usb virtio nfit"
+
+    apks="
+        alpine-base
+        linux-lts
+        linux-firmware-none
+        linux-firmware-rtl_nic
+        linux-firmware-bnx2
+        linux-firmware-bnx2x
+        linux-firmware-tigon
+        linux-firmware-qlogic
+        linux-firmware-netronome
+        linux-firmware-mellanox
+        linux-firmware-intel
+        linux-firmware-other
+
+        dmidecode
+        smartmontools
+        nvme-cli
+        pciutils
+        ipmitool
+        util-linux
+        lsblk
+        e2fsprogs
+        lshw
+
+        openrc
+        ca-certificates
+        tzdata
+        jq
+        wget
+    "
+}