migrate ISO build from Alpine to Debian 12 (Bookworm)

Replace the entire live CD build pipeline: - Alpine SDK + mkimage + genapkovl → Debian live-build (lb config/build) - OpenRC init scripts → systemd service units - dropbear → openssh-server (native to Debian live) - udhcpc → dhclient for DHCP - apk → apt-get in setup-builder.sh and build-nvidia-module.sh - Add auto/config (lb config options) and auto/build wrapper - Add config/package-lists/bee.list.chroot replacing Alpine apks - Add config/hooks/normal/9000-bee-setup.hook.chroot to enable services - Add bee-nvidia-load and bee-sshsetup helper scripts - Keep NVIDIA pre-compile pipeline (Option B): compile on builder VM against pinned Debian kernel headers (DEBIAN_KERNEL_ABI), inject .ko into includes.chroot - Fixes: native glibc (no gcompat shims), proper udev, writable /lib/modules, no Alpine modloop read-only constraint, no stale apk cache issues Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-08 18:01:38 +03:00
parent d952e10dbb
commit 345a93512a
26 changed files with 362 additions and 582 deletions
--- a/iso/builder/build-nvidia-module.sh
+++ b/iso/builder/build-nvidia-module.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# build-nvidia-module.sh — install NVIDIA proprietary driver into ISO overlay
+# build-nvidia-module.sh — compile NVIDIA proprietary driver modules for Debian 12
 #
 # Downloads the official NVIDIA .run installer, extracts kernel modules and
 # userspace tools (nvidia-smi, libnvidia-ml). Everything is proprietary NVIDIA.
@@ -16,33 +16,25 @@ set -e

 NVIDIA_VERSION="$1"
 DIST_DIR="$2"
-ALPINE_VERSION="$3"
+DEBIAN_KERNEL_ABI="$3"

-[ -n "$NVIDIA_VERSION" ]  || { echo "usage: $0 <nvidia-version> <dist-dir> <alpine-version>"; exit 1; }
-[ -n "$DIST_DIR" ]        || { echo "usage: $0 <nvidia-version> <dist-dir> <alpine-version>"; exit 1; }
-[ -n "$ALPINE_VERSION" ]  || { echo "usage: $0 <nvidia-version> <dist-dir> <alpine-version>"; exit 1; }
+[ -n "$NVIDIA_VERSION" ]    || { echo "usage: $0 <nvidia-version> <dist-dir> <debian-kernel-abi>"; exit 1; }
+[ -n "$DIST_DIR" ]          || { echo "usage: $0 <nvidia-version> <dist-dir> <debian-kernel-abi>"; exit 1; }
+[ -n "$DEBIAN_KERNEL_ABI" ] || { echo "usage: $0 <nvidia-version> <dist-dir> <debian-kernel-abi>"; exit 1; }

-# Install linux-lts-dev (no version pin — always use whatever is current in Alpine 3.21 main).
-# This ensures modules are compiled for the same kernel that mkimage will install in the ISO.
-# Both use dl-cdn.alpinelinux.org, so they see the same package state at build time.
-echo "=== installing linux-lts-dev (latest from dl-cdn) ==="
-apk add --quiet --update \
-    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
-    linux-lts-dev
-
-# Detect kernel version from installed headers (pick highest version if multiple).
-detect_kver() {
-    ls /usr/src/ 2>/dev/null \
-        | grep '^linux-headers-' \
-        | sed 's/linux-headers-//' \
-        | sort -V \
-        | tail -1
-}
-
-KVER="$(detect_kver)"
+KVER="${DEBIAN_KERNEL_ABI}-amd64"
 KDIR="/usr/src/linux-headers-${KVER}"
+
 echo "=== NVIDIA ${NVIDIA_VERSION} (proprietary) for kernel ${KVER} ==="

+if [ ! -d "$KDIR" ]; then
+    echo "=== installing linux-headers-${KVER} ==="
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        "linux-headers-${KVER}" \
+        gcc make perl
+fi
+echo "kernel headers: $KDIR"
+
 CACHE_DIR="${DIST_DIR}/nvidia-${NVIDIA_VERSION}-${KVER}"
 if [ -d "$CACHE_DIR/modules" ] && [ -f "$CACHE_DIR/bin/nvidia-smi" ]; then
    echo "=== NVIDIA cached, skipping build ==="
@@ -51,12 +43,7 @@ if [ -d "$CACHE_DIR/modules" ] && [ -f "$CACHE_DIR/bin/nvidia-smi" ]; then
    exit 0
 fi

-# Install build dependencies (linux-lts-dev already at correct version from above)
-apk add --quiet \
-    --repository "https://dl-cdn.alpinelinux.org/alpine/v${ALPINE_VERSION}/main" \
-    gcc make perl linux-lts-dev wget
-
-# Download official NVIDIA .run installer (proprietary) with sha256 verification
+# Download official NVIDIA .run installer with sha256 verification
 BASE_URL="https://download.nvidia.com/XFree86/Linux-x86_64/${NVIDIA_VERSION}"
 RUN_FILE="/var/tmp/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run"
 SHA_FILE="/var/tmp/NVIDIA-Linux-x86_64-${NVIDIA_VERSION}.run.sha256sum"
@@ -96,7 +83,7 @@ done
 [ -n "$KERNEL_SRC" ] || { echo "ERROR: kernel source dir not found in:"; ls "$EXTRACT_DIR/"; exit 1; }
 echo "kernel source: $KERNEL_SRC"

-# Build kernel modules from extracted source
+# Build kernel modules
 echo "=== building kernel modules ($(nproc) cores) ==="
 cd "$KERNEL_SRC"
 make -j$(nproc) KERNEL_UNAME="$KVER" SYSSRC="$KDIR" modules 2>&1 | tail -5
@@ -112,32 +99,31 @@ done
 cp "$EXTRACT_DIR/nvidia-smi"           "$CACHE_DIR/bin/"
 cp "$EXTRACT_DIR/nvidia-bug-report.sh" "$CACHE_DIR/bin/" 2>/dev/null || true

-# Copy userspace libraries — use find to handle any versioning scheme (libnvidia-ml.so.X.Y.Z or .so.1)
+# Copy ALL userspace library files
 for lib in libnvidia-ml libcuda; do
-    found=$(find "$EXTRACT_DIR" -maxdepth 1 -name "${lib}.so.*" | head -1)
-    if [ -z "$found" ]; then
+    count=0
+    for f in $(find "$EXTRACT_DIR" -maxdepth 1 -name "${lib}.so.*" 2>/dev/null); do
+        cp "$f" "$CACHE_DIR/lib/" && count=$((count+1))
+    done
+    if [ "$count" -eq 0 ]; then
        echo "ERROR: ${lib}.so.* not found in $EXTRACT_DIR"
        ls "$EXTRACT_DIR/"*.so* 2>/dev/null | head -20 || true
        exit 1
    fi
-    cp "$found" "$CACHE_DIR/lib/"
 done

-# Verify .ko files were actually built
+# Verify .ko files were built
 ko_count=$(ls "$CACHE_DIR/modules/"*.ko 2>/dev/null | wc -l)
 [ "$ko_count" -gt 0 ] || { echo "ERROR: no .ko files built in $CACHE_DIR/modules/"; exit 1; }

-# Create soname symlinks required by nvidia-smi on Alpine (musl/glibc via gcompat + libc6-compat)
+# Create soname symlinks: use [0-9][0-9]* to avoid circular symlink (.so.1 has single digit)
 for lib in libnvidia-ml libcuda; do
-    versioned=$(ls "$CACHE_DIR/lib/${lib}.so."* 2>/dev/null | grep -v '\.so\.1$' | head -1)
-    [ -n "$versioned" ] || versioned=$(ls "$CACHE_DIR/lib/${lib}.so."* 2>/dev/null | head -1)
+    versioned=$(ls "$CACHE_DIR/lib/${lib}.so."[0-9][0-9]* 2>/dev/null | head -1)
    [ -n "$versioned" ] || continue
    base=$(basename "$versioned")
-    # Only create .so.1 if versioned file is not already named .so.1
-    if [ "$base" != "${lib}.so.1" ]; then
-        ln -sf "$base" "$CACHE_DIR/lib/${lib}.so.1"
-    fi
+    ln -sf "$base" "$CACHE_DIR/lib/${lib}.so.1"
    ln -sf "${lib}.so.1" "$CACHE_DIR/lib/${lib}.so" 2>/dev/null || true
+    echo "${lib}: .so.1 -> $base"
 done

 echo "=== NVIDIA build complete ==="