fix: audit pipeline correctness after full review

- bee-audit init.d: use --output file: so "audit output written" is logged (stdout mode silently redirects, never emits the slog confirmation) - build-nvidia-module.sh: use $KERNEL_SRC in find for .ko collection (was hardcoded $EXTRACT_DIR/kernel, silent failure if path differs) - smoketest: add bee-audit to required services (was never checked) - smoketest: remove legacy bee-audit-debug from service list - smoketest: internet ping → warn (live CD runs in isolated network, no internet) - build.sh: auto-copy smoketest.sh → overlay/usr/local/bin/bee-smoketest (removes manual sync hazard; smoketest.sh is now single source of truth) - remove static overlay/usr/local/bin/bee-smoketest (generated by build.sh now) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 12:06:25 +03:00
parent 0e0760bba9
commit 18f377987f
5 changed files with 9 additions and 189 deletions
--- a/iso/builder/build-nvidia-module.sh
+++ b/iso/builder/build-nvidia-module.sh
@@ -105,7 +105,7 @@ make -j$(nproc) KERNEL_UNAME="$KVER" SYSSRC="$KDIR" modules 2>&1 | tail -5
 # Collect outputs
 mkdir -p "$CACHE_DIR/modules" "$CACHE_DIR/bin" "$CACHE_DIR/lib"

-find "$EXTRACT_DIR/kernel" -name '*.ko' -exec cp {} "$CACHE_DIR/modules/" \;
+find "$KERNEL_SRC" -name '*.ko' -exec cp {} "$CACHE_DIR/modules/" \;
 for ko in "$CACHE_DIR/modules/"*.ko; do
    strip --strip-debug "$ko" 2>/dev/null || true
 done
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -99,6 +99,10 @@ mkdir -p "${OVERLAY_DIR}/usr/local/bin"
 cp "${DIST_DIR}/bee-audit-linux-amd64" "${OVERLAY_DIR}/usr/local/bin/audit"
 chmod +x "${OVERLAY_DIR}/usr/local/bin/audit"

+# --- inject smoketest into overlay so it runs directly on the live CD ---
+cp "${BUILDER_DIR}/smoketest.sh" "${OVERLAY_DIR}/usr/local/bin/bee-smoketest"
+chmod +x "${OVERLAY_DIR}/usr/local/bin/bee-smoketest"
+
 # --- vendor utilities (optional pre-fetched binaries) ---
 for tool in storcli64 sas2ircu sas3ircu mstflint; do
    if [ -f "${VENDOR_DIR}/${tool}" ]; then
--- a/iso/builder/smoketest.sh
+++ b/iso/builder/smoketest.sh
@@ -95,7 +95,7 @@ fi

 echo ""
 echo "-- openrc services --"
-for svc in bee-nvidia bee-network; do
+for svc in bee-nvidia bee-network bee-audit; do
    if rc-service "$svc" status >/dev/null 2>&1; then
        ok "service running: $svc"
    else
@@ -103,7 +103,7 @@ for svc in bee-nvidia bee-network; do
    fi
 done

-for svc in bee-audit-debug dropbear bee-sshsetup; do
+for svc in dropbear bee-sshsetup; do
    if [ -f "/etc/init.d/$svc" ]; then
        if rc-service "$svc" status >/dev/null 2>&1; then
            ok "service running: $svc"
@@ -166,7 +166,7 @@ fi
 if ping -c1 -W3 1.1.1.1 >/dev/null 2>&1; then
    ok "internet: reachable (1.1.1.1)"
 else
-    fail "internet: unreachable"
+    warn "internet: unreachable (expected — live CD runs in isolated network segment)"
 fi

 echo ""