Root cause of linux-lts pin failure: mkimage was using dl-cdn.alpinelinux.org
while the builder uses mirrors.hosterion.ro — different mirrors can have different
package availability at any given moment.
Now mkimage reads repositories directly from /etc/apk/repositories on the builder,
ensuring both module build and ISO package install use the same mirror.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mkimage.sh calls git internally. Running it from inside /root/bee causes
"outside repository" fatal errors. /var/tmp is outside the git repo.
genapkovl is found via ~/.mkimage/ so no copy to /var/tmp needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Pin linux-lts to exact KERNEL_PKG_VERSION=6.12.76-r0 in build and ISO package list
- Add build-time verification that compiled kernel version matches pin (fails loudly)
- Fix bee-audit-debug → bee-audit in genapkovl OpenRC registration (service was never starting)
- Add AUDIT_VERSION=0.1.0 to VERSIONS (was undefined, bee-release had empty fields)
- Pin linux-lts-dev version in second apk add in build-nvidia-module.sh
- Add /root/.profile to overlay so /usr/local/bin is in PATH for SSH sessions
- Remove "DEBUG MODE" from motd
- Fix smoketest: grep for slog "audit output written" instead of non-existent "audit completed"
- Document no-internet constraint in system-overview and runtime-flows
- Remove redundant genapkovl copy to /var/tmp (now found via ~/.mkimage/)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without this, old mkimg.bee_debug.sh left from previous builds
causes mkimage to build both bee and bee_debug profiles.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
gpu_burn requires CUDA toolkit (~4GB) to build and the resulting binary
would significantly inflate the ISO. Removed from vendor tool list and
smoketest. build-gpu-burn.sh dropped as well.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
## ISO build consolidation
- Remove separate debug/prod split: overlay-debug/, build-debug.sh,
mkimg.bee_debug.sh, genapkovl-bee_debug.sh all deleted
- Single overlay: iso/overlay/ (was overlay-debug content)
- Single build script: build.sh (SSH, TUI, NVIDIA, vendor tools, bee-release)
- Single mkimage profile: bee (with dropbear, dialog, strace, gcompat, etc.)
## NVIDIA fixes
- Modules now stored at /usr/local/lib/nvidia/ instead of
/lib/modules/<kver>/extra/nvidia/ — modloop squashfs mounts over that
path at boot making overlay content there inaccessible
- bee-nvidia init: load via insmod (absolute path), not modprobe
- bee-nvidia init: create libnvidia-ml.so.1/libcuda.so.1 symlinks in /usr/lib/
- build-nvidia-module.sh: always install linux-lts-dev (not conditional) —
stale 6.6.x headers caused wrong-kernel modules that never loaded at runtime
- build-nvidia-module.sh: create soname symlinks in cache
- KERNEL_VERSION in VERSIONS updated 6.6 → 6.12
- gcompat added to ISO packages (nvidia-smi is a glibc binary on musl Alpine)
## Service ordering
- bee-audit: add `after bee-nvidia` so NVIDIA enrichment always succeeds
## New tooling
- iso/builder/smoketest.sh: SSH smoke test for post-boot ISO validation
- iso/builder/build-gpu-burn.sh: builds gpu_burn vendor binary (CUDA 12.8+)
- vendor/gpu_burn included automatically if placed in iso/vendor/
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sed -i on overlay/etc/motd caused git pull conflict on next build.
Now BEE_BUILD_INFO is exported and substituted in $tmp copy only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
macOS does not reliably apply git file mode changes on disk.
Run chmod explicitly on the VM where it matters.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- genapkovl now explicitly chmod +x init.d/* and usr/local/bin/* after cp
- add bee-net-restart command (short name, no .sh) and /etc/profile.d/bee.sh for PATH
- udhcpc: add & to ensure non-blocking even when DHCP responds immediately
- motd: short commands without paths
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- bee-* init.d scripts had mode 644 in git — OpenRC silently skipped them,
causing bee-network/bee-nvidia/bee-audit to never start at boot
- bee-network.sh also lacked executable bit
- Remove -q from udhcpc (was quitting after first lease, no renewal)
- Add autologin root on tty1 via /etc/inittab
- Inject build date + git commit + versions into motd at build time
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
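A build-time preflight for the failure described in the commit above, written as an added example and not taken from the project's scripts: it reports any file under the overlay's `etc/init.d` and `usr/local/bin` that lacks the execute bit, so the build can stop before the image is produced. The function names and the idea of running it on the staged overlay copy are assumptions.

```shell
#!/bin/sh
# Added example (not project code): fail the build when overlay scripts that
# must be executable are not. Function names are hypothetical.

# non_exec_files OVERLAY_ROOT
# Prints every regular file under etc/init.d and usr/local/bin that lacks
# the owner execute bit (octal 100).
non_exec_files() {
    root=$1
    for sub in etc/init.d usr/local/bin; do
        [ -d "$root/$sub" ] || continue
        find "$root/$sub" -type f ! -perm -100 -print
    done
}

# check_overlay_modes OVERLAY_ROOT
# Returns 0 when nothing is reported, otherwise lists the files on stderr
# and returns 1 so the caller can abort.
check_overlay_modes() {
    bad=$(non_exec_files "$1")
    [ -z "$bad" ] && return 0
    printf 'overlay files missing the execute bit:\n%s\n' "$bad" >&2
    return 1
}
```

Checking the staged copy on the build VM rather than the working tree matches the later commits on this page that run chmod there because on-disk modes from git were not reliable.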
modloop was not mounting because:
1. modloop=/boot/modloop-lts was missing from kernel cmdline
2. lz4-compressed squashfs may not be supported by Alpine initramfs
Both issues result in /lib/modules not existing and all modprobe failing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- 550.54.15 did not exist on NVIDIA CDN (404)
- updated to 590.48.01 (latest stable, 396MB)
- download sha256sum file first, verify installer before extracting
- re-download if file is missing, empty, or sha256 mismatch
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
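The verify-before-extract flow from the commit above (check the installer against the published sha256sum file, re-download when it is missing, empty or mismatched), as an added example that is not the project's build-nvidia-module.sh. The function names and the fetch hook are hypothetical; the hook stands in for whatever download command the build uses.

```shell
#!/bin/sh
# Added example (not project code): accept a cached installer only if it
# matches the published sha256sum file; otherwise fetch again and re-check.

# expected_sum SUMFILE NAME -> prints the hex digest listed for NAME.
# Handles both "<hex>  name" and binary-mode "<hex> *name" lines.
expected_sum() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1"
}

# installer_ok FILE SUMFILE -> 0 only if FILE exists, is non-empty and its
# digest equals the one listed for its basename. No entry means failure.
installer_ok() {
    file=$1; sums=$2
    [ -s "$file" ] || return 1                     # missing or empty
    want=$(expected_sum "$sums" "$(basename "$file")")
    [ -n "$want" ] || return 1                     # fail closed
    have=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# ensure_installer FILE SUMFILE FETCH
# FETCH is a hypothetical hook invoked as: FETCH FILE
ensure_installer() {
    file=$1; sums=$2; fetch=$3
    installer_ok "$file" "$sums" && return 0       # cached copy verified
    rm -f "$file"                                  # drop the bad copy
    "$fetch" "$file" || return 1
    installer_ok "$file" "$sums" || { rm -f "$file"; return 1; }
}
```

The check only proves the installer matches the checksum file, so the checksum file itself has to come over a channel the build trusts.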
Long builds (NVIDIA driver download+compile) would abort on SSH timeout.
Now build runs in a detached screen session on the VM, run-builder.sh
streams the log and waits for completion safely.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Builds kernel modules from the official NVIDIA installer source tree,
same as a standard NVIDIA driver install. No open-gpu-kernel-modules.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- build-nvidia-module.sh: downloads nvidia open-gpu-kernel-modules source,
builds against linux-lts headers, extracts nvidia-smi from .run installer
- modules cached by driver version + kernel version (rebuild only on update)
- .ko files injected into ISO overlay at /lib/modules/<kver>/extra/nvidia/
- bee-nvidia init script loads nvidia/nvidia-modeset/nvidia-uvm at boot
- NVIDIA_DRIVER_VERSION=550.54.15 (Turing+, H100/A100 supported)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
xz → lz4 for mksquashfs: kernel modloop rebuild is ~10x faster.
Size increase is acceptable since modloop is loaded into RAM.
Applied in both setup-builder.sh and build-debug.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
kernel_* workdir sections were being deleted alongside other non-apks dirs.
Now both apks_* and kernel_* are preserved — kernel modloop squashfs won't
be rebuilt unless the kernel version changes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- audit binary is only rebuilt when .go files are newer than the binary
- rsync replaces scp for ISO download (delta transfer on repeat builds)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Keep apks_* workdir sections so packages aren't re-downloaded on each build.
Only non-apks sections (kernel, apkovl, final image) are cleaned to pick up changes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- add .DS_Store to .gitignore and remove tracked files
- copy genapkovl-bee_debug.sh to /var/tmp before mkimage (was causing "no such file" error)
- switch udhcpc to background mode (-b -t 0) so network comes up when cable connected after boot
- add -B to DROPBEAR_OPTS to allow password fallback (bee/eeb)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>