Version-stamp squashfs filename and restrict live-boot media selection

Squashfs versioning: - ISO now contains filesystem-v<VERSION>.squashfs instead of the generic filesystem.squashfs, making it immediately visible which build is running (visible in /run/live/medium/live/ at boot time). - Full build path: rename filesystem.squashfs → filesystem-v*.squashfs after lb build, before lb binary_checksums/binary_iso. - Fast path: find and unpack whatever filesystem*.squashfs exists, repack as the new versioned name, remove the old file, update the ISO. - needs_full_build: accept any filesystem*.squashfs so version changes alone don't force a full rebuild. Media selection hardening: - Add live-media=/dev/disk/by-label/<LABEL> to the kernel boot line in addition to the existing live-media-label=<LABEL>. live-boot will now open exactly the labeled device rather than scanning all block devices, preventing accidental use of squashfs files from local disks or stale virtual media attached via IPMI. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-04 18:44:47 +03:00
parent 8d173175eb
commit b75e65bcb1
2 changed files with 33 additions and 9 deletions
--- a/iso/builder/auto/config
+++ b/iso/builder/auto/config
@@ -38,7 +38,7 @@ lb config noauto \
    --memtest memtest86+ \
    --iso-volume "${LB_ISO_VOLUME}" \
    --iso-application "EASY-BEE-${BEE_GPU_VENDOR_UPPER:-NVIDIA}" \
-    --bootappend-live "boot=live live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
+    --bootappend-live "boot=live live-media=/dev/disk/by-label/${LB_ISO_VOLUME} live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
    --debootstrap-options "--include=ca-certificates" \
    --apt-recommends false \
    --chroot-squashfs-compression-type zstd \
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -894,8 +894,11 @@ FULL_BUILD_MARKER="${BUILD_WORK_DIR}/.bee-full-build-marker"
 # hooks, archives, Dockerfile, auto/config) require a full lb build.
 needs_full_build() {
    [ -f "${FULL_BUILD_MARKER}" ]                                        || return 0
-    [ -f "${BUILD_WORK_DIR}/binary/live/filesystem.squashfs" ]           || return 0
    [ -f "${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso" ]               || return 0
+    # Accept any versioned squashfs (filesystem-v*.squashfs or legacy filesystem.squashfs)
+    _any_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 \
+        -name 'filesystem*.squashfs' 2>/dev/null | head -1)
+    [ -n "$_any_sq" ]                                                    || return 0

    _heavy=$(find \
        "${BUILDER_DIR}/VERSIONS" \
@@ -918,34 +921,46 @@ needs_full_build() {
 # Fast-path: unsquash existing filesystem, rsync overlay on top, repack.
 # Requires ~10 GB free in BEE_CACHE_DIR for the unpacked squashfs.
 fast_path_repack_squashfs() {
-    _sq="${BUILD_WORK_DIR}/binary/live/filesystem.squashfs"
+    _old_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 \
+        -name 'filesystem*.squashfs' | sort | head -1)
+    _sq="${BUILD_WORK_DIR}/binary/live/${SQUASHFS_FILENAME}"
    _tmp="${BEE_CACHE_DIR}/fast-unsquash-${BUILD_VARIANT}"
-    echo "=== fast-path: unsquash ($(du -sh "$_sq" | cut -f1) compressed) ==="
+    echo "=== fast-path: unsquash $(basename "$_old_sq") ($(du -sh "$_old_sq" | cut -f1) compressed) ==="
    rm -rf "$_tmp"
-    unsquashfs -d "$_tmp" "$_sq"
+    unsquashfs -d "$_tmp" "$_old_sq"
    echo "=== fast-path: syncing overlay stage ==="
    rsync -a --checksum "${OVERLAY_STAGE_DIR}/" "$_tmp/"
-    echo "=== fast-path: repacking squashfs ==="
+    echo "=== fast-path: repacking as ${SQUASHFS_FILENAME} ==="
    _sq_new="${_sq}.new"
    rm -f "$_sq_new"
    mksquashfs "$_tmp" "$_sq_new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs
    mv "$_sq_new" "$_sq"
    rm -rf "$_tmp"
+    [ "$_old_sq" != "$_sq" ] && rm -f "$_old_sq"
    echo "=== fast-path: squashfs repacked ($(du -sh "$_sq" | cut -f1)) ==="
 }

-# Fast-path: rebuild ISO by replacing only live/filesystem.squashfs via xorriso.
+# Fast-path: rebuild ISO replacing the squashfs via xorriso.
 # Boot structure (El Torito, EFI, MBR hybrid) is replayed from the prior ISO.
 fast_path_rebuild_iso() {
-    _sq="${BUILD_WORK_DIR}/binary/live/filesystem.squashfs"
+    _sq="${BUILD_WORK_DIR}/binary/live/${SQUASHFS_FILENAME}"
    _prior="${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso"
    _new="${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso.new"
    echo "=== fast-path: rebuilding ISO with xorriso ==="
    rm -f "$_new"
+    # Remove any old squashfs entries from the prior ISO before adding the new one
+    _old_entries=$(xorriso -indev "$_prior" -find /live -name 'filesystem*.squashfs' -- 2>/dev/null \
+        | grep -E '^/live/filesystem.*\.squashfs$' || true)
+    _rm_args=""
+    for _e in $_old_entries; do
+        _rm_args="$_rm_args -rm $_e --"
+    done
+    # shellcheck disable=SC2086
    xorriso \
        -indev  "$_prior" \
        -outdev "$_new" \
-        -map    "$_sq" /live/filesystem.squashfs \
+        ${_rm_args} \
+        -map    "$_sq" /live/${SQUASHFS_FILENAME} \
        -boot_image any replay \
        -commit
    mv "$_new" "$_prior"
@@ -1087,6 +1102,7 @@ recover_iso_memtest() {
 }

 PROJECT_VERSION_EFFECTIVE="$(resolve_project_version)"
+SQUASHFS_FILENAME="filesystem-v${PROJECT_VERSION_EFFECTIVE}.squashfs"
 ISO_BASENAME="easy-bee-${BUILD_VARIANT}-v${PROJECT_VERSION_EFFECTIVE}-amd64"
 # Versioned output directory: dist/easy-bee-v4.1/ — all final artefacts live here.
 OUT_DIR="${DIST_DIR}/easy-bee-v${PROJECT_VERSION_EFFECTIVE}"
@@ -1683,6 +1699,14 @@ export MKSQUASHFS_OPTIONS="-no-xattrs"
 run_step_sh "live-build build" "90-lb-build" "lb build 2>&1"
 echo "=== enforcing canonical bootloader assets ==="
 enforce_live_build_bootloader_assets "${LB_DIR}"
+# Rename lb's default filesystem.squashfs to the versioned filename so the
+# ISO contains a version-stamped squashfs (e.g. filesystem-v10.15.squashfs).
+_std_sq="${LB_DIR}/binary/live/filesystem.squashfs"
+_ver_sq="${LB_DIR}/binary/live/${SQUASHFS_FILENAME}"
+if [ -f "${_std_sq}" ] && [ "${_std_sq}" != "${_ver_sq}" ]; then
+    mv "${_std_sq}" "${_ver_sq}"
+    echo "=== squashfs renamed: filesystem.squashfs → ${SQUASHFS_FILENAME} ==="
+fi
 reset_live_build_stage "${LB_DIR}" "binary_checksums"
 reset_live_build_stage "${LB_DIR}" "binary_iso"
 reset_live_build_stage "${LB_DIR}" "binary_zsync"