Drop legacy non-container builders

2026-03-16 00:23:55 +03:00
parent 78c6dfc0ef
commit d18cde19c1
6 changed files with 19 additions and 97 deletions
--- a/PLAN.md
+++ b/PLAN.md
@@ -272,13 +272,10 @@ ISO image bootable via BMC virtual media or USB. Runs boot services automaticall
 ### 2.1 — Builder environment
-`iso/builder/setup-builder.sh` prepares a Debian 12 host/VM with:
+`iso/builder/build-in-container.sh` is the only supported builder entrypoint.
- `live-build`, `debootstrap`, bootloader tooling, kernel headers
+It builds a Debian 12 builder image with `live-build`, toolchains, and pinned kernel headers,
- Go toolchain
+then runs the ISO assembly in a privileged container because `live-build` needs
- everything needed to compile the `bee` binary and NVIDIA modules
+mount/chroot/loop capabilities.
 `iso/builder/build-in-container.sh` offers the same builder stack in a Debian 12 container image.
 The container run is privileged because `live-build` needs mount/chroot/loop capabilities.
 `iso/builder/build.sh` orchestrates the full ISO build:
 1. compile the Go `bee` binary
@@ -392,7 +389,7 @@ No "works on my Mac" drift.
 --- BUILDER + BEE ISO (unblock real-hardware testing) ---
-2.1  builder setup                 → Debian host/VM or privileged container with build deps
+2.1  builder setup                 → privileged container with build deps
 2.2  debug ISO profile             → minimal Debian ISO: `bee` binary + OpenSSH + all packages
 2.3  boot on real server           → SSH in, verify packages present, run audit manually
--- a/bible-local/architecture/runtime-flows.md
+++ b/bible-local/architecture/runtime-flows.md
@@ -57,7 +57,7 @@ Rules:
 ## ISO build sequence
 ```
-build.sh [--authorized-keys /path/to/keys]
+build-in-container.sh [--authorized-keys /path/to/keys]
  1. compile `bee` binary (skip if .go files older than binary)
  2. create a temporary overlay staging dir under `dist/`
  3. inject authorized_keys into staged `root/.ssh/` (or set password fallback marker)
@@ -78,13 +78,12 @@ build.sh [--authorized-keys /path/to/keys]
  11. patch staged `motd` with build metadata
  12. copy `iso/builder/` into a temporary live-build workdir under `dist/`
  13. sync staged overlay into workdir `config/includes.chroot/`
-  14. run `lb config && lb build` inside the temporary workdir
+  14. run `lb config && lb build` inside the privileged builder container
     (either on a Debian host/VM or inside the privileged builder container)
 ```
 **Critical invariants:**
 - `DEBIAN_KERNEL_ABI` in `iso/builder/VERSIONS` pins the exact kernel ABI used in BOTH places:
-  1. `setup-builder.sh` / `build-in-container.sh` / `build-nvidia-module.sh` — Debian kernel headers for module build
+  1. `build-in-container.sh` / `build-nvidia-module.sh` — Debian kernel headers for module build
  2. `auto/config` — `linux-image-${DEBIAN_KERNEL_ABI}` in the ISO
 - NVIDIA modules go to staged `usr/local/lib/nvidia/` — NOT to `/lib/modules/<kver>/extra/`.
 - The source overlay in `iso/overlay/` is treated as immutable source. Build-time files are injected only into the staged overlay.
--- a/iso/builder/build-in-container.sh
+++ b/iso/builder/build-in-container.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# build-in-container.sh — build the bee ISO inside a Debian container.
+# build-in-container.sh — build the bee ISO inside the Debian builder container.
 set -e
@@ -70,6 +70,7 @@ set -- \
    run --rm --privileged \
    -v "${REPO_ROOT}:/work" \
    -v "${CACHE_DIR}:/cache" \
    -e BEE_CONTAINER_BUILD=1 \
    -e GOCACHE=/cache/go-build \
    -e GOMODCACHE=/cache/go-mod \
    -e TMPDIR=/cache/tmp \
@@ -83,6 +84,7 @@ if [ -n "$AUTH_KEYS" ]; then
        -v "${REPO_ROOT}:/work" \
        -v "${CACHE_DIR}:/cache" \
        -v "${AUTH_KEYS_DIR}:/tmp/bee-authkeys:ro" \
        -e BEE_CONTAINER_BUILD=1 \
        -e GOCACHE=/cache/go-build \
        -e GOMODCACHE=/cache/go-mod \
        -e TMPDIR=/cache/tmp \
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -1,14 +1,13 @@
 #!/bin/sh
-# build.sh — build bee ISO (Debian 12 / live-build)
+# build.sh — internal ISO build entrypoint executed inside the builder container.
 #
 # Single build script. Produces a bootable live ISO with SSH access, TUI, NVIDIA drivers.
 #
 # Run on Debian 12 builder VM as root after setup-builder.sh.
 # Usage:
 #   sh iso/builder/build.sh [--authorized-keys /path/to/authorized_keys]
 set -e
 if [ "${BEE_CONTAINER_BUILD:-0}" != "1" ]; then
    echo "build.sh must run inside iso/builder/build-in-container.sh" >&2
    exit 1
 fi
 REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
 BUILDER_DIR="${REPO_ROOT}/iso/builder"
 OVERLAY_DIR="${REPO_ROOT}/iso/overlay"
--- a/iso/builder/setup-builder.sh
+++ b/iso/builder/setup-builder.sh
@@ -1,75 +0,0 @@
 #!/bin/sh
 # setup-builder.sh — prepare Debian 12 host/VM as bee ISO builder
 #
 # Run once on a fresh Debian 12 (Bookworm) host/VM as root.
 # After this script completes, the machine can build bee ISO images directly.
 # Container alternative: use `iso/builder/build-in-container.sh`.
 #
 # Usage (on Debian VM):
 #   wget -O- https://git.mchus.pro/mchus/bee/raw/branch/main/iso/builder/setup-builder.sh | sh
 #   or: sh setup-builder.sh
 set -e
 . "$(dirname "$0")/VERSIONS" 2>/dev/null || true
 GO_VERSION="${GO_VERSION:-1.24.0}"
 DEBIAN_VERSION="${DEBIAN_VERSION:-12}"
 DEBIAN_KERNEL_ABI="${DEBIAN_KERNEL_ABI:-6.1.0-28}"
 echo "=== bee builder setup ==="
 echo "Debian: $(cat /etc/debian_version)"
 echo "Go target: ${GO_VERSION}"
 echo "Kernel ABI: ${DEBIAN_KERNEL_ABI}"
 echo ""
 # --- system packages ---
 export DEBIAN_FRONTEND=noninteractive
 apt-get update -qq
 apt-get install -y \
    live-build \
    debootstrap \
    squashfs-tools \
    xorriso \
    grub-pc-bin \
    grub-efi-amd64-bin \
    mtools \
    git \
    wget \
    curl \
    tar \
    xz-utils \
    screen \
    rsync \
    build-essential \
    gcc \
    make \
    perl \
    "linux-headers-${DEBIAN_KERNEL_ABI}-amd64"
 echo "linux-headers installed: $(dpkg -l "linux-headers-${DEBIAN_KERNEL_ABI}-amd64" | awk '/^ii/{print $3}')"
 # --- Go toolchain ---
 echo ""
 echo "=== installing Go ${GO_VERSION} ==="
 if [ -d /usr/local/go ] && /usr/local/go/bin/go version 2>/dev/null | grep -q "${GO_VERSION}"; then
    echo "Go ${GO_VERSION} already installed"
 else
    ARCH=$(uname -m)
    case "$ARCH" in
        x86_64) GOARCH=amd64 ;;
        aarch64) GOARCH=arm64 ;;
        *) echo "unsupported arch: $ARCH"; exit 1 ;;
    esac
    wget -O /tmp/go.tar.gz \
        "https://go.dev/dl/go${GO_VERSION}.linux-${GOARCH}.tar.gz"
    rm -rf /usr/local/go
    tar -C /usr/local -xzf /tmp/go.tar.gz
    rm /tmp/go.tar.gz
 fi
 export PATH="$PATH:/usr/local/go/bin"
 echo "Go: $(go version)"
 echo ""
 echo "=== builder setup complete ==="
 echo "Next: sh iso/builder/build.sh"
--- a/scripts/run-builder.sh
+++ b/scripts/run-builder.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# run-builder.sh — trigger ISO build on remote Debian 12 builder VM
+# run-builder.sh — trigger containerized ISO build on a remote builder host
 #
 # Usage:
 #   sh scripts/run-builder.sh
@@ -79,7 +79,7 @@ screen -S bee-build -X quit 2>/dev/null || true
 echo "--- starting build in screen session (survives SSH disconnect) ---"
 echo "--- log: \$LOG ---"
-screen -dmS bee-build sh -c "sudo sh iso/builder/build.sh ${EXTRA_ARGS} > \$LOG 2>&1; echo \$? > /tmp/bee-build-exit"
+screen -dmS bee-build sh -c "sh iso/builder/build-in-container.sh ${EXTRA_ARGS} > \$LOG 2>&1; echo \$? > /tmp/bee-build-exit"
 # Stream log until build finishes
 echo "--- streaming build log (Ctrl+C safe — build continues on VM) ---"