diff --git a/PLAN.md b/PLAN.md
index 2cf359e..9354326 100644
--- a/PLAN.md
+++ b/PLAN.md
@@ -272,13 +272,10 @@ ISO image bootable via BMC virtual media or USB. Runs boot services automaticall
 ### 2.1 — Builder environment
-`iso/builder/setup-builder.sh` prepares a Debian 12 host/VM with:
-- `live-build`, `debootstrap`, bootloader tooling, kernel headers
-- Go toolchain
-- everything needed to compile the `bee` binary and NVIDIA modules
-
-`iso/builder/build-in-container.sh` offers the same builder stack in a Debian 12 container image.
-The container run is privileged because `live-build` needs mount/chroot/loop capabilities.
+`iso/builder/build-in-container.sh` is the only supported builder entrypoint.
+It builds a Debian 12 builder image with `live-build`, toolchains, and pinned kernel headers,
+then runs the ISO assembly in a privileged container because `live-build` needs
+mount/chroot/loop capabilities.
 `iso/builder/build.sh` orchestrates the full ISO build:
 1. compile the Go `bee` binary
@@ -392,7 +389,7 @@ No "works on my Mac" drift.
 --- BUILDER + BEE ISO (unblock real-hardware testing) ---
-2.1 builder setup → Debian host/VM or privileged container with build deps
+2.1 builder setup → privileged container with build deps
 2.2 debug ISO profile → minimal Debian ISO: `bee` binary + OpenSSH + all packages
 2.3 boot on real server → SSH in, verify packages present, run audit manually
diff --git a/bible-local/architecture/runtime-flows.md b/bible-local/architecture/runtime-flows.md
index c7a693f..af74f24 100644
--- a/bible-local/architecture/runtime-flows.md
+++ b/bible-local/architecture/runtime-flows.md
@@ -57,7 +57,7 @@ Rules:
 ## ISO build sequence
 ```
-build.sh [--authorized-keys /path/to/keys]
+build-in-container.sh [--authorized-keys /path/to/keys]
 1. compile `bee` binary (skip if .go files older than binary)
 2. create a temporary overlay staging dir under `dist/`
 3. inject authorized_keys into staged `root/.ssh/` (or set password fallback marker)
@@ -78,13 +78,12 @@ build.sh [--authorized-keys /path/to/keys]
 11. patch staged `motd` with build metadata
 12. copy `iso/builder/` into a temporary live-build workdir under `dist/`
 13. sync staged overlay into workdir `config/includes.chroot/`
- 14. run `lb config && lb build` inside the temporary workdir
- (either on a Debian host/VM or inside the privileged builder container)
+ 14. run `lb config && lb build` inside the privileged builder container
 ```
 **Critical invariants:**
 - `DEBIAN_KERNEL_ABI` in `iso/builder/VERSIONS` pins the exact kernel ABI used in BOTH places:
- 1. `setup-builder.sh` / `build-in-container.sh` / `build-nvidia-module.sh` — Debian kernel headers for module build
+ 1. `build-in-container.sh` / `build-nvidia-module.sh` — Debian kernel headers for module build
 2. `auto/config` — `linux-image-${DEBIAN_KERNEL_ABI}` in the ISO
 - NVIDIA modules go to staged `usr/local/lib/nvidia/` — NOT to `/lib/modules//extra/`.
 - The source overlay in `iso/overlay/` is treated as immutable source. Build-time files are injected only into the staged overlay.
diff --git a/iso/builder/build-in-container.sh b/iso/builder/build-in-container.sh
index 4e89536..4e0769d 100755
--- a/iso/builder/build-in-container.sh
+++ b/iso/builder/build-in-container.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# build-in-container.sh — build the bee ISO inside a Debian container.
+# build-in-container.sh — build the bee ISO inside the Debian builder container.
 set -e
@@ -70,6 +70,7 @@ set -- \
 run --rm --privileged \
 -v "${REPO_ROOT}:/work" \
 -v "${CACHE_DIR}:/cache" \
+ -e BEE_CONTAINER_BUILD=1 \
 -e GOCACHE=/cache/go-build \
 -e GOMODCACHE=/cache/go-mod \
 -e TMPDIR=/cache/tmp \
@@ -83,6 +84,7 @@ if [ -n "$AUTH_KEYS" ]; then
 -v "${REPO_ROOT}:/work" \
 -v "${CACHE_DIR}:/cache" \
 -v "${AUTH_KEYS_DIR}:/tmp/bee-authkeys:ro" \
+ -e BEE_CONTAINER_BUILD=1 \
 -e GOCACHE=/cache/go-build \
 -e GOMODCACHE=/cache/go-mod \
 -e TMPDIR=/cache/tmp \
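Review bot: The new `-e BEE_CONTAINER_BUILD=1` flag is inserted into two separate `set --` argument lists (this hunk at -70,6 and the one at -83,6 +84,7), so the plain and `--authorized-keys` invocations must now be kept in sync by hand, and this commit already shows the cost by having to add the same line twice. Because the script is POSIX sh with no arrays, the cleanest fix is to build the shared part of the `run` command once and let the `if [ -n "$AUTH_KEYS" ]` branch add only the extra `-v "${AUTH_KEYS_DIR}:/tmp/bee-authkeys:ro"` mount; failing that, a comment on the first list, `# keep env flags in sync with the --authorized-keys variant below`, would at least make the coupling visible. Both `set --` statements begin before their hunks, and the `if [ -n "$AUTH_KEYS" ]` block enclosing the second one closes outside it.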
diff --git a/iso/builder/build.sh b/iso/builder/build.sh
index b878fbb..380738c 100755
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -1,14 +1,13 @@
 #!/bin/sh
-# build.sh — build bee ISO (Debian 12 / live-build)
-#
-# Single build script. Produces a bootable live ISO with SSH access, TUI, NVIDIA drivers.
-#
-# Run on Debian 12 builder VM as root after setup-builder.sh.
-# Usage:
-# sh iso/builder/build.sh [--authorized-keys /path/to/authorized_keys]
+# build.sh — internal ISO build entrypoint executed inside the builder container.
 set -e
+if [ "${BEE_CONTAINER_BUILD:-0}" != "1" ]; then
+ echo "build.sh must run inside iso/builder/build-in-container.sh" >&2
+ exit 1
+fi
+
 REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
 BUILDER_DIR="${REPO_ROOT}/iso/builder"
 OVERLAY_DIR="${REPO_ROOT}/iso/overlay"
diff --git a/iso/builder/setup-builder.sh b/iso/builder/setup-builder.sh
deleted file mode 100644
index 9938273..0000000
--- a/iso/builder/setup-builder.sh
+++ /dev/null
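Review bot: The new guard only tests an environment variable, so it stops accidental host execution and nothing more — setting `BEE_CONTAINER_BUILD=1` by hand before `sh iso/builder/build.sh` skips it, and the rest of the script (outside this hunk) then runs on the host exactly as before. That is acceptable for an intent marker, but the header should say so, especially since the removed header carried the explicit "run as root on the builder VM" warning and a reader could mistake the check for an isolation boundary: `# Guard against accidental host execution: build-in-container.sh sets BEE_CONTAINER_BUILD=1. This is a convenience check, not a security control.`. The deleted usage line was also the only in-file mention of `--authorized-keys`; if build.sh still parses that option (its argument handling is past this hunk), keep a one-line `# Args: [--authorized-keys /path/to/authorized_keys]` note. The script body continues beyond the hunk.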
@@ -1,75 +0,0 @@
-#!/bin/sh
-# setup-builder.sh — prepare Debian 12 host/VM as bee ISO builder
-#
-# Run once on a fresh Debian 12 (Bookworm) host/VM as root.
-# After this script completes, the machine can build bee ISO images directly.
-# Container alternative: use `iso/builder/build-in-container.sh`.
-#
-# Usage (on Debian VM):
-# wget -O- https://git.mchus.pro/mchus/bee/raw/branch/main/iso/builder/setup-builder.sh | sh
-# or: sh setup-builder.sh
-
-set -e
-
-. "$(dirname "$0")/VERSIONS" 2>/dev/null || true
-GO_VERSION="${GO_VERSION:-1.24.0}"
-DEBIAN_VERSION="${DEBIAN_VERSION:-12}"
-DEBIAN_KERNEL_ABI="${DEBIAN_KERNEL_ABI:-6.1.0-28}"
-
-echo "=== bee builder setup ==="
-echo "Debian: $(cat /etc/debian_version)"
-echo "Go target: ${GO_VERSION}"
-echo "Kernel ABI: ${DEBIAN_KERNEL_ABI}"
-echo ""
-
-# --- system packages ---
-export DEBIAN_FRONTEND=noninteractive
-apt-get update -qq
-
-apt-get install -y \
- live-build \
- debootstrap \
- squashfs-tools \
- xorriso \
- grub-pc-bin \
- grub-efi-amd64-bin \
- mtools \
- git \
- wget \
- curl \
- tar \
- xz-utils \
- screen \
- rsync \
- build-essential \
- gcc \
- make \
- perl \
- "linux-headers-${DEBIAN_KERNEL_ABI}-amd64"
-
-echo "linux-headers installed: $(dpkg -l "linux-headers-${DEBIAN_KERNEL_ABI}-amd64" | awk '/^ii/{print $3}')"
-
-# --- Go toolchain ---
-echo ""
-echo "=== installing Go ${GO_VERSION} ==="
-if [ -d /usr/local/go ] && /usr/local/go/bin/go version 2>/dev/null | grep -q "${GO_VERSION}"; then
- echo "Go ${GO_VERSION} already installed"
-else
- ARCH=$(uname -m)
- case "$ARCH" in
- x86_64) GOARCH=amd64 ;;
- aarch64) GOARCH=arm64 ;;
- *) echo "unsupported arch: $ARCH"; exit 1 ;;
- esac
- wget -O /tmp/go.tar.gz \
- "https://go.dev/dl/go${GO_VERSION}.linux-${GOARCH}.tar.gz"
- rm -rf /usr/local/go
- tar -C /usr/local -xzf /tmp/go.tar.gz
- rm /tmp/go.tar.gz
-fi
-export PATH="$PATH:/usr/local/go/bin"
-echo "Go: $(go version)"
-
-echo ""
-echo "=== builder setup complete ==="
-echo "Next: sh 
iso/builder/build.sh"
diff --git a/scripts/run-builder.sh b/scripts/run-builder.sh
index f285bfe..2d56f31 100755
--- a/scripts/run-builder.sh
+++ b/scripts/run-builder.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# run-builder.sh — trigger ISO build on remote Debian 12 builder VM
+# run-builder.sh — trigger containerized ISO build on a remote builder host
 #
 # Usage:
 # sh scripts/run-builder.sh
@@ -79,7 +79,7 @@ screen -S bee-build -X quit 2>/dev/null || true
 echo "--- starting build in screen session (survives SSH disconnect) ---"
 echo "--- log: \$LOG ---"
-screen -dmS bee-build sh -c "sudo sh iso/builder/build.sh ${EXTRA_ARGS} > \$LOG 2>&1; echo \$? > /tmp/bee-build-exit"
+screen -dmS bee-build sh -c "sh iso/builder/build-in-container.sh ${EXTRA_ARGS} > \$LOG 2>&1; echo \$? > /tmp/bee-build-exit"
 # Stream log until build finishes
 echo "--- streaming build log (Ctrl+C safe — build continues on VM) ---"
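Review bot: The rewritten `screen` line drops `sudo`, so the remote user must now reach the container runtime unprivileged (docker group membership or rootless podman, depending on what `build-in-container.sh` invokes, which is not visible here); if it cannot, the build fails at once and the only trace is a non-zero value in `/tmp/bee-build-exit`, since the exit file is written regardless. Either record that requirement in the header, `# Remote user must be able to run the container runtime without sudo (build-in-container.sh starts a --privileged container)`, or keep `sudo` in front of `sh iso/builder/build-in-container.sh`. The new line also still splices `${EXTRA_ARGS}` unquoted into the `sh -c` string, so an `--authorized-keys` path containing whitespace or shell metacharacters is re-parsed by the remote shell; `EXTRA_ARGS` is assembled outside this hunk, so I cannot tell whether it is pre-quoted, but if it is not, the path should be rejected or escaped before interpolation.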