Split live rootfs into smaller squashfs layers

Restore post-build GRUB and isolinux sync
Drop post-build EFI bootloader patching
2026-05-03 23:15:22 +03:00 · 2026-05-03 21:49:54 +03:00 · 2026-05-03 21:22:53 +03:00 · 2026-05-03 21:18:37 +03:00 · 2026-05-03 21:16:36 +03:00 · 2026-05-03 21:14:45 +03:00
23 changed files with 482 additions and 143 deletions
--- a/audit/internal/app/support_bundle.go
+++ b/audit/internal/app/support_bundle.go
@@ -24,6 +24,8 @@ var supportBundleServices = []string{
 	"bee-selfheal.service",
 	"bee-selfheal.timer",
 	"bee-sshsetup.service",
+	"display-manager.service",
+	"lightdm.service",
 	"nvidia-dcgm.service",
 	"nvidia-fabricmanager.service",
 }
@@ -44,12 +46,128 @@ var supportBundleCommands = []struct {
 	{name: "system/mount.txt", cmd: []string{"mount"}},
 	{name: "system/df-h.txt", cmd: []string{"df", "-h"}},
 	{name: "system/dmesg.txt", cmd: []string{"dmesg"}},
+	{name: "system/dmesg-gui-video-input.txt", cmd: []string{"sh", "-c", `
+if command -v dmesg >/dev/null 2>&1; then
+  dmesg | grep -iE 'nvidia|drm|fb|framebuffer|vesa|efi|lightdm|Xorg|input|hid|usb|keyboard|mouse|virtual keyboard|virtual mouse|ami|aspeed|ast' || echo "no GUI/video/input kernel messages found"
+else
+  echo "dmesg not found"
+fi
+`}},
 	{name: "system/kernel-aer-nvidia.txt", cmd: []string{"sh", "-c", `
 if command -v dmesg >/dev/null 2>&1; then
  dmesg | grep -iE 'AER|NVRM|Xid|pcieport|nvidia' || echo "no AER/NVRM/Xid kernel messages found"
 else
  echo "dmesg not found"
 fi
+`}},
+	{name: "system/loginctl-sessions.txt", cmd: []string{"sh", "-c", `
+if command -v loginctl >/dev/null 2>&1; then
+  loginctl list-sessions 2>&1 || true
+else
+  echo "loginctl not found"
+fi
+`}},
+	{name: "system/loginctl-seats.txt", cmd: []string{"sh", "-c", `
+if command -v loginctl >/dev/null 2>&1; then
+  loginctl list-seats 2>&1 || true
+  echo
+  for seat in $(loginctl list-seats --no-legend 2>/dev/null | awk '{print $1}'); do
+    echo "=== $seat ==="
+    loginctl seat-status "$seat" 2>&1 || true
+    echo
+  done
+else
+  echo "loginctl not found"
+fi
+`}},
+	{name: "system/ps-gui.txt", cmd: []string{"sh", "-c", `
+ps -ef | grep -iE 'lightdm|Xorg|X$|openbox|chromium|chrome|xinit|xsession' | grep -v grep || echo "no GUI processes found"
+`}},
+	{name: "system/lspci-video-vv.txt", cmd: []string{"sh", "-c", `
+if ! command -v lspci >/dev/null 2>&1; then
+  echo "lspci not found"
+  exit 0
+fi
+found=0
+for dev in $(lspci -Dn | awk '$2 ~ /^03(00|02):$/ {print $1}'); do
+  found=1
+  echo "=== $dev ==="
+  lspci -s "$dev" -vv 2>&1 || true
+  echo
+done
+if [ "$found" -eq 0 ]; then
+  echo "no display-class PCI devices found"
+fi
+`}},
+	{name: "system/proc-fb.txt", cmd: []string{"cat", "/proc/fb"}},
+	{name: "system/drm-cards.txt", cmd: []string{"sh", "-c", `
+if [ -d /sys/class/drm ]; then
+  for path in /sys/class/drm/card*; do
+    [ -e "$path" ] || continue
+    card=$(basename "$path")
+    echo "=== $card ==="
+    for f in status enabled dpms modes; do
+      [ -r "$path/$f" ] && printf "  %-8s %s\n" "$f" "$(cat "$path/$f" 2>/dev/null)"
+    done
+    device=$(readlink -f "$path/device" 2>/dev/null || true)
+    [ -n "$device" ] && echo "  device   ${device##*/}"
+    echo
+  done
+else
+  echo "/sys/class/drm not present"
+fi
+`}},
+	{name: "system/input-devices.txt", cmd: []string{"sh", "-c", `
+if [ -r /proc/bus/input/devices ]; then
+  cat /proc/bus/input/devices
+else
+  echo "/proc/bus/input/devices not readable"
+fi
+`}},
+	{name: "system/udevadm-input.txt", cmd: []string{"sh", "-c", `
+if ! command -v udevadm >/dev/null 2>&1; then
+  echo "udevadm not found"
+  exit 0
+fi
+found=0
+for dev in /dev/input/event*; do
+  [ -e "$dev" ] || continue
+  found=1
+  echo "=== $dev ==="
+  udevadm info --query=all --name="$dev" 2>&1 || true
+  echo
+done
+if [ "$found" -eq 0 ]; then
+  echo "no /dev/input/event* devices found"
+fi
+`}},
+	{name: "system/xinput-list.txt", cmd: []string{"sh", "-c", `
+if command -v xinput >/dev/null 2>&1; then
+  DISPLAY=:0 xinput --list 2>&1 || true
+else
+  echo "xinput not found"
+fi
+`}},
+	{name: "system/libinput-list-devices.txt", cmd: []string{"sh", "-c", `
+if command -v libinput >/dev/null 2>&1; then
+  libinput list-devices 2>&1 || true
+else
+  echo "libinput not found"
+fi
+`}},
+	{name: "system/systemctl-gui-units.txt", cmd: []string{"sh", "-c", `
+if ! command -v systemctl >/dev/null 2>&1; then
+  echo "systemctl not found"
+  exit 0
+fi
+echo "=== unit files ==="
+systemctl list-unit-files --no-pager --all 'lightdm*' 'display-manager*' 2>&1 || true
+echo
+echo "=== active units ==="
+systemctl list-units --no-pager --all 'lightdm*' 'display-manager*' 2>&1 || true
+echo
+echo "=== failed units ==="
+systemctl --failed --no-pager 2>&1 | grep -iE 'lightdm|display-manager|Xorg' || echo "no failed GUI units"
 `}},
 	{name: "system/nvidia-smi-q.txt", cmd: []string{"nvidia-smi", "-q"}},
 	{name: "system/nvidia-smi-topo.txt", cmd: []string{"sh", "-c", `
@@ -236,6 +354,13 @@ var supportBundleOptionalFiles = []struct {
 }{
 	{name: "system/kern.log", src: "/var/log/kern.log"},
 	{name: "system/syslog.txt", src: "/var/log/syslog"},
+	{name: "system/Xorg.0.log", src: "/var/log/Xorg.0.log"},
+	{name: "system/Xorg.0.log.old", src: "/var/log/Xorg.0.log.old"},
+	{name: "system/lightdm/lightdm.log", src: "/var/log/lightdm/lightdm.log"},
+	{name: "system/lightdm/x-0.log", src: "/var/log/lightdm/x-0.log"},
+	{name: "system/lightdm/x-0-greeter.log", src: "/var/log/lightdm/x-0-greeter.log"},
+	{name: "system/home-bee-xsession-errors.log", src: "/home/bee/.xsession-errors"},
+	{name: "system/home-bee-chromium-debug.log", src: "/tmp/bee-chrome/chrome_debug.log"},
 	{name: "system/fabricmanager.log", src: "/var/log/fabricmanager.log"},
 	{name: "system/nvlsm.log", src: "/var/log/nvlsm.log"},
 	{name: "system/fabricmanager/fabricmanager.log", src: "/var/log/fabricmanager/fabricmanager.log"},
--- a/audit/internal/platform/install.go
+++ b/audit/internal/platform/install.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strconv"
 	"strings"
 )
@@ -18,7 +19,7 @@ type InstallDisk struct {
 	MountedParts []string // partition mount points currently active
 }

-const squashfsPath = "/run/live/medium/live/filesystem.squashfs"
+const squashfsGlob = "/run/live/medium/live/*.squashfs"

 // ListInstallDisks returns block devices suitable for installation.
 // Excludes the current live boot medium but includes USB drives.
@@ -176,11 +177,22 @@ func inferLiveBootKind(fsType, source, deviceType, transport string) string {
 // squashfs size × 1.5 to allow for extracted filesystem and bootloader.
 // Returns 0 if the squashfs is not available (non-live environment).
 func MinInstallBytes() int64 {
-	fi, err := os.Stat(squashfsPath)
-	if err != nil {
+	files, err := filepath.Glob(squashfsGlob)
+	if err != nil || len(files) == 0 {
 		return 0
 	}
-	return fi.Size() * 3 / 2
+	var total int64
+	for _, path := range files {
+		fi, statErr := os.Stat(path)
+		if statErr != nil {
+			continue
+		}
+		total += fi.Size()
+	}
+	if total == 0 {
+		return 0
+	}
+	return total * 3 / 2
 }

 // toramActive returns true when the live system was booted with toram.
@@ -222,12 +234,10 @@ func DiskWarnings(d InstallDisk) []string {
 			humanBytes(min), humanBytes(d.SizeBytes)))
 	}
 	if toramActive() {
-		sqFi, err := os.Stat(squashfsPath)
-		if err == nil {
-			free := freeMemBytes()
-			if free > 0 && free < sqFi.Size()*2 {
-				w = append(w, "toram mode — low RAM, extraction may be slow or fail")
-			}
+		free := freeMemBytes()
+		min := MinInstallBytes()
+		if free > 0 && min > 0 && free < (min*4/3) {
+			w = append(w, "toram mode — low RAM, extraction may be slow or fail")
 		}
 	}
 	return w
--- a/audit/internal/webui/server.go
+++ b/audit/internal/webui/server.go
@@ -1294,8 +1294,8 @@ const loadingPageHTML = `<!DOCTYPE html>
 *{margin:0;padding:0;box-sizing:border-box}
 html,body{height:100%;background:#0f1117;display:flex;align-items:center;justify-content:center;font-family:'Courier New',monospace;color:#e2e8f0}
 .wrap{text-align:center;width:420px}
-.logo{font-size:11px;line-height:1.4;color:#f6c90e;margin-bottom:6px;white-space:pre;text-align:left}
-.subtitle{font-size:12px;color:#a0aec0;text-align:left;margin-bottom:24px;padding-left:2px}
+.brand{font-size:22px;letter-spacing:.18em;color:#f6c90e;margin-bottom:6px;text-align:left}
+.subtitle{font-size:12px;color:#a0aec0;text-align:left;margin-bottom:24px}
 .spinner{width:36px;height:36px;border:3px solid #2d3748;border-top-color:#f6c90e;border-radius:50%;animation:spin .8s linear infinite;margin:0 auto 14px}
 .spinner.hidden{display:none}
@keyframes spin{to{transform:rotate(360deg)}}
@@ -1313,12 +1313,7 @@ td:first-child{color:#718096;width:55%}
 </head>
 <body>
 <div class="wrap">
-  <div class="logo">  ███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗
-  ██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝
-  █████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗
-  ██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝
-  ███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗
-  ╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝</div>
+  <div class="brand">EASY BEE</div>
  <div class="subtitle">Hardware Audit LiveCD</div>
  <div class="spinner" id="spin"></div>
  <div class="status" id="st">Connecting to bee-web...</div>
@@ -1328,8 +1323,20 @@ td:first-child{color:#718096;width:55%}
 <script>
 (function(){
 var gone = false;
+var pollStarted = false;
+var fallbackOpenTimer = null;
+var AUTO_OPEN_DELAY_MS = 15000;
 function go(){ if(!gone){gone=true;window.location.replace('/');} }

+function scheduleFallbackOpen(){
+  if(fallbackOpenTimer!==null) return;
+  fallbackOpenTimer=setTimeout(function(){
+    document.getElementById('spin').className='spinner hidden';
+    document.getElementById('st').textContent='Startup checks are taking too long — opening app...';
+    go();
+  },AUTO_OPEN_DELAY_MS);
+}
+
 function icon(s){
  if(s==='active')   return '<span class="ok">&#9679; active</span>';
  if(s==='failed')   return '<span class="fail">&#10005; failed</span>';
@@ -1361,6 +1368,7 @@ function pollServices(){
      tbl.innerHTML=html;
      if(allSettled(svcs)){
        clearInterval(pollTimer);
+        if(fallbackOpenTimer!==null) clearTimeout(fallbackOpenTimer);
        document.getElementById('spin').className='spinner hidden';
        document.getElementById('st').textContent='Ready \u2014 opening...';
        setTimeout(go,800);
@@ -1375,8 +1383,12 @@ function probe(){
      if(r.ok){
        document.getElementById('st').textContent='bee-web running \u2014 checking services...';
        document.getElementById('btn').style.display='';
-        pollServices();
-        pollTimer=setInterval(pollServices,1500);
+        scheduleFallbackOpen();
+        if(!pollStarted){
+          pollStarted=true;
+          pollServices();
+          pollTimer=setInterval(pollServices,1500);
+        }
      } else {
        document.getElementById('st').textContent='bee-web starting (status '+r.status+')...';
        setTimeout(probe,500);
--- a/audit/internal/webui/server_test.go
+++ b/audit/internal/webui/server_test.go
@@ -604,6 +604,25 @@ func TestReadyIsOKWhenAuditPathIsUnset(t *testing.T) {
 	}
 }

+func TestLoadingPageHasFallbackAutoOpen(t *testing.T) {
+	handler := NewHandler(HandlerOptions{})
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/loading", nil))
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status=%d body=%s", rec.Code, rec.Body.String())
+	}
+	body := rec.Body.String()
+	for _, needle := range []string{
+		`var AUTO_OPEN_DELAY_MS = 15000;`,
+		`function scheduleFallbackOpen(){`,
+		`Startup checks are taking too long — opening app...`,
+	} {
+		if !strings.Contains(body, needle) {
+			t.Fatalf("loading page missing %q: %s", needle, body)
+		}
+	}
+}
+
 func TestAuditPageRendersViewerFrameAndActions(t *testing.T) {
 	dir := t.TempDir()
 	path := filepath.Join(dir, "audit.json")
--- a/iso/builder/auto/config
+++ b/iso/builder/auto/config
@@ -16,6 +16,12 @@ else
    LB_LINUX_PACKAGES="linux-image"
 fi

+if [ -n "${BEE_ISO_VOLUME:-}" ]; then
+    LB_ISO_VOLUME="${BEE_ISO_VOLUME}"
+else
+    LB_ISO_VOLUME="EASY_BEE_${BEE_GPU_VENDOR_UPPER:-NVIDIA}"
+fi
+
 lb config noauto \
    --distribution bookworm \
    --architectures amd64 \
@@ -30,9 +36,9 @@ lb config noauto \
    --linux-flavours "amd64" \
    --linux-packages "${LB_LINUX_PACKAGES}" \
    --memtest memtest86+ \
-    --iso-volume "EASY_BEE_${BEE_GPU_VENDOR_UPPER:-NVIDIA}" \
+    --iso-volume "${LB_ISO_VOLUME}" \
    --iso-application "EASY-BEE-${BEE_GPU_VENDOR_UPPER:-NVIDIA}" \
-    --bootappend-live "boot=live components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
+    --bootappend-live "boot=live live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
    --debootstrap-options "--include=ca-certificates" \
    --apt-recommends false \
    --chroot-squashfs-compression-type zstd \
--- a/iso/builder/build.sh
+++ b/iso/builder/build.sh
@@ -516,12 +516,12 @@ validate_iso_live_boot_entries() {
        exit 1
    fi

-    grep -q 'menuentry "EASY-BEE"' "$grub_cfg" || {
+    grep -q 'menuentry "EASY-BEE v' "$grub_cfg" || {
        echo "ERROR: GRUB default EASY-BEE entry is missing" >&2
        rm -f "$grub_cfg" "$isolinux_cfg"
        exit 1
    }
-    grep -q 'menuentry "EASY-BEE -- load to RAM (toram)"' "$grub_cfg" || {
+    grep -q 'menuentry "EASY-BEE v.* -- load to RAM (toram)"' "$grub_cfg" || {
        echo "ERROR: GRUB toram entry is missing" >&2
        rm -f "$grub_cfg" "$isolinux_cfg"
        exit 1
@@ -536,6 +536,11 @@ validate_iso_live_boot_entries() {
        rm -f "$grub_cfg" "$isolinux_cfg"
        exit 1
    }
+    grep -q 'linux .*live-media-label=EASY_BEE_' "$grub_cfg" || {
+        echo "ERROR: GRUB live entry is missing live-media-label pinning" >&2
+        rm -f "$grub_cfg" "$isolinux_cfg"
+        exit 1
+    }

    grep -q 'append .*boot=live ' "$isolinux_cfg" || {
        echo "ERROR: isolinux live entry is missing boot=live" >&2
@@ -547,45 +552,48 @@ validate_iso_live_boot_entries() {
        rm -f "$grub_cfg" "$isolinux_cfg"
        exit 1
    }
+    grep -q 'append .*live-media-label=EASY_BEE_' "$isolinux_cfg" || {
+        echo "ERROR: isolinux live entry is missing live-media-label pinning" >&2
+        rm -f "$grub_cfg" "$isolinux_cfg"
+        exit 1
+    }

    rm -f "$grub_cfg" "$isolinux_cfg"
    echo "=== live boot validation OK ==="
 }

-validate_iso_grub_theme_assets() {
+validate_iso_grub_assets() {
    iso_path="$1"
-    echo "=== validating GRUB theme assets in ISO ==="
+    echo "=== validating GRUB assets in ISO ==="

    [ -f "$iso_path" ] || {
-        echo "ERROR: ISO not found for GRUB theme validation: $iso_path" >&2
+        echo "ERROR: ISO not found for GRUB asset validation: $iso_path" >&2
        exit 1
    }
    require_iso_reader "$iso_path" >/dev/null 2>&1 || {
-        echo "ERROR: ISO reader unavailable for GRUB theme validation" >&2
+        echo "ERROR: ISO reader unavailable for GRUB asset validation" >&2
        exit 1
    }

    iso_files="$(mktemp)"
-    list_iso_files "$iso_path" > "$iso_files" || {
-        echo "ERROR: failed to list ISO files for GRUB theme validation" >&2
+    iso_list_files "$iso_path" > "$iso_files" || {
+        echo "ERROR: failed to list ISO files for GRUB asset validation" >&2
        rm -f "$iso_files"
        exit 1
    }

    for required in \
        boot/grub/config.cfg \
-        boot/grub/theme.cfg \
-        boot/grub/live-theme/theme.txt \
-        boot/grub/live-theme/bee-logo.tga; do
+        boot/grub/grub.cfg; do
        grep -q "^${required}$" "$iso_files" || {
-            echo "ERROR: missing GRUB theme asset in ISO: ${required}" >&2
+            echo "ERROR: missing GRUB asset in ISO: ${required}" >&2
            rm -f "$iso_files"
            exit 1
        }
    done

    rm -f "$iso_files"
-    echo "=== GRUB theme validation OK ==="
+    echo "=== GRUB asset validation OK ==="
 }

 validate_iso_nvidia_runtime() {
@@ -600,29 +608,37 @@ validate_iso_nvidia_runtime() {

    squashfs_tmp="$(mktemp)"
    squashfs_list="$(mktemp)"
-    iso_read_member "$iso_path" live/filesystem.squashfs "$squashfs_tmp" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
-        nvidia_runtime_fail "failed to extract live/filesystem.squashfs from ISO"
-    }
-    unsquashfs -ll "$squashfs_tmp" > "$squashfs_list" 2>/dev/null || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
-        nvidia_runtime_fail "failed to inspect filesystem.squashfs from ISO"
+    iso_files="$(mktemp)"
+    iso_list_files "$iso_path" > "$iso_files" || {
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
+        nvidia_runtime_fail "failed to list ISO files for NVIDIA runtime validation"
    }
+    grep '^live/.*\.squashfs$' "$iso_files" | while IFS= read -r squashfs_member; do
+        iso_read_member "$iso_path" "$squashfs_member" "$squashfs_tmp" || {
+            rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
+            nvidia_runtime_fail "failed to extract $squashfs_member from ISO"
+        }
+        unsquashfs -ll "$squashfs_tmp" >> "$squashfs_list" 2>/dev/null || {
+            rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
+            nvidia_runtime_fail "failed to inspect $squashfs_member from ISO"
+        }
+        : > "$squashfs_tmp"
+    done

    grep -Eq 'usr/bin/dcgmi$' "$squashfs_list" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
        nvidia_runtime_fail "dcgmi missing from final NVIDIA ISO"
    }
    grep -Eq 'usr/bin/nv-hostengine$' "$squashfs_list" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
        nvidia_runtime_fail "nv-hostengine missing from final NVIDIA ISO"
    }
    grep -Eq 'usr/bin/dcgmproftester([0-9]+)?$' "$squashfs_list" || {
-        rm -f "$squashfs_tmp" "$squashfs_list"
+        rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
        nvidia_runtime_fail "dcgmproftester missing from final NVIDIA ISO"
    }

-    rm -f "$squashfs_tmp" "$squashfs_list"
+    rm -f "$squashfs_tmp" "$squashfs_list" "$iso_files"
    echo "=== NVIDIA runtime validation OK ==="
 }

@@ -716,20 +732,25 @@ write_canonical_grub_cfg() {
    kernel="$2"
    append_live="$3"
    initrd="$4"
+    version_label="${PROJECT_VERSION_EFFECTIVE}"

    cat > "$cfg" <<EOF
 source /boot/grub/config.cfg

-menuentry "EASY-BEE" {
-    linux   ${kernel} ${append_live} bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+menuentry "EASY-BEE v${version_label}" {
+    linux   ${kernel} ${append_live} nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
    initrd  ${initrd}
 }

-menuentry "EASY-BEE -- load to RAM (toram)" {
-    linux   ${kernel} ${append_live} toram bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+menuentry "EASY-BEE v${version_label} -- load to RAM (toram)" {
+    linux   ${kernel} ${append_live} toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
    initrd  ${initrd}
 }

+menuentry "EASY-BEE v${version_label} -- no GUI / no X11" {
+    linux   ${kernel} ${append_live} nomodeset bee.gui=off bee.nvidia.mode=gsp-off pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    initrd  ${initrd}
+}

 if [ "\${grub_platform}" = "efi" ]; then
    menuentry "Memory Test (memtest86+)" {
@@ -754,21 +775,28 @@ write_canonical_isolinux_cfg() {
    kernel="$2"
    initrd="$3"
    append_live="$4"
+    version_label="${PROJECT_VERSION_EFFECTIVE}"

    cat > "$cfg" <<EOF
 label live-@FLAVOUR@-normal
-    menu label ^EASY-BEE
+    menu label ^EASY-BEE v${version_label}
    linux ${kernel}
    initrd ${initrd}
    append ${append_live} nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup

 label live-@FLAVOUR@-toram
-    menu label EASY-BEE (^load to RAM)
+    menu label EASY-BEE v${version_label} (^load to RAM)
    menu default
    linux ${kernel}
    initrd ${initrd}
    append ${append_live} toram nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup

+label live-@FLAVOUR@-console
+    menu label EASY-BEE v${version_label} (^no GUI / no X11)
+    linux ${kernel}
+    initrd ${initrd}
+    append ${append_live} nomodeset bee.gui=off bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
 label live-@FLAVOUR@-gsp-off
    menu label EASY-BEE (^NVIDIA GSP=off)
    linux ${kernel}
@@ -812,10 +840,7 @@ enforce_live_build_bootloader_assets() {

    if [ -f "$grub_cfg" ]; then
        if extract_live_grub_entry "$grub_cfg"; then
-            mkdir -p "$grub_dir/live-theme"
            cp "${BUILDER_DIR}/config/bootloaders/grub-efi/config.cfg" "$grub_dir/config.cfg"
-            cp "${BUILDER_DIR}/config/bootloaders/grub-efi/theme.cfg" "$grub_dir/theme.cfg"
-            cp -R "${BUILDER_DIR}/config/bootloaders/grub-efi/live-theme/." "$grub_dir/live-theme/"
            write_canonical_grub_cfg "$grub_cfg" "$grub_kernel" "${live_build_append:-$grub_append}" "$grub_initrd"
            echo "bootloader sync: rewrote binary/boot/grub/grub.cfg with canonical EASY-BEE menu"
        else
@@ -871,6 +896,11 @@ needs_full_build() {
    [ -f "${FULL_BUILD_MARKER}" ]                                        || return 0
    [ -f "${BUILD_WORK_DIR}/binary/live/filesystem.squashfs" ]           || return 0
    [ -f "${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso" ]               || return 0
+    _extra_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 -type f -name '*.squashfs' ! -name 'filesystem.squashfs' 2>/dev/null | head -1)
+    if [ -n "$_extra_sq" ]; then
+        echo "=== full build required: multi-squashfs live image present ==="
+        return 0
+    fi

    _heavy=$(find \
        "${BUILDER_DIR}/VERSIONS" \
@@ -927,6 +957,65 @@ fast_path_rebuild_iso() {
    echo "=== fast-path: ISO rebuilt ==="
 }

+dir_has_entries() {
+    _dir="$1"
+    [ -d "$_dir" ] || return 1
+    find "$_dir" -mindepth 1 -print -quit 2>/dev/null | grep -q .
+}
+
+move_tree_to_layer() {
+    _src_root="$1"
+    _rel="$2"
+    _dst_root="$3"
+    [ -e "${_src_root}/${_rel}" ] || return 0
+    mkdir -p "${_dst_root}/$(dirname "$_rel")"
+    mv "${_src_root}/${_rel}" "${_dst_root}/${_rel}"
+}
+
+split_live_squashfs_layers() {
+    lb_dir="$1"
+    live_dir="${lb_dir}/binary/live"
+    base_sq="${live_dir}/filesystem.squashfs"
+    usr_sq="${live_dir}/10-usr.squashfs"
+    fw_sq="${live_dir}/20-firmware.squashfs"
+
+    [ -f "$base_sq" ] || return 0
+    command -v unsquashfs >/dev/null 2>&1 || return 0
+    command -v mksquashfs >/dev/null 2>&1 || return 0
+
+    tmp_root="$(mktemp -d)"
+    tmp_usr="$(mktemp -d)"
+    tmp_fw="$(mktemp -d)"
+    trap 'rm -rf "$tmp_root" "$tmp_usr" "$tmp_fw"' RETURN
+
+    echo "=== splitting live squashfs into smaller layers ==="
+    unsquashfs -d "$tmp_root/root" "$base_sq" >/dev/null
+    mkdir -p "$tmp_usr/root" "$tmp_fw/root"
+
+    move_tree_to_layer "$tmp_root/root" "usr" "$tmp_usr/root"
+    move_tree_to_layer "$tmp_root/root" "lib/firmware" "$tmp_fw/root"
+    move_tree_to_layer "$tmp_root/root" "usr/lib/firmware" "$tmp_fw/root"
+    move_tree_to_layer "$tmp_root/root" "boot/firmware" "$tmp_fw/root"
+
+    rm -f "$usr_sq" "$fw_sq"
+    mksquashfs "$tmp_root/root" "${base_sq}.new" -comp zstd -b 1048576 -noappend -no-progress >/dev/null
+    mv "${base_sq}.new" "$base_sq"
+
+    if dir_has_entries "$tmp_usr/root"; then
+        mksquashfs "$tmp_usr/root" "${usr_sq}.new" -comp zstd -b 1048576 -noappend -no-progress >/dev/null
+        mv "${usr_sq}.new" "$usr_sq"
+    fi
+    if dir_has_entries "$tmp_fw/root"; then
+        mksquashfs "$tmp_fw/root" "${fw_sq}.new" -comp zstd -b 1048576 -noappend -no-progress >/dev/null
+        mv "${fw_sq}.new" "$fw_sq"
+    fi
+
+    echo "=== live squashfs layers ==="
+    find "$live_dir" -maxdepth 1 -type f -name '*.squashfs' -exec du -sh {} \; | sort
+    rm -rf "$tmp_root" "$tmp_usr" "$tmp_fw"
+    trap - RETURN
+}
+
 recover_iso_memtest() {
    lb_dir="$1"
    iso_path="$2"
@@ -1008,6 +1097,7 @@ PROJECT_VERSION_EFFECTIVE="$(resolve_project_version)"
 ISO_BASENAME="easy-bee-${BUILD_VARIANT}-v${PROJECT_VERSION_EFFECTIVE}-amd64"
 # Versioned output directory: dist/easy-bee-v4.1/ — all final artefacts live here.
 OUT_DIR="${DIST_DIR}/easy-bee-v${PROJECT_VERSION_EFFECTIVE}"
+ISO_VERSION_LABEL_TOKEN="$(printf '%s' "${PROJECT_VERSION_EFFECTIVE}" | tr '[:lower:].-' '[:upper:]__')"
 mkdir -p "${OUT_DIR}"
 LOG_DIR="${OUT_DIR}/${ISO_BASENAME}.logs"
 LOG_ARCHIVE="${OUT_DIR}/${ISO_BASENAME}.logs.tar.gz"
@@ -1574,7 +1664,7 @@ if ! needs_full_build; then
    fast_path_rebuild_iso
    ISO_RAW="${LB_DIR}/live-image-amd64.hybrid.iso"
    validate_iso_live_boot_entries "$ISO_RAW"
-    validate_iso_grub_theme_assets "$ISO_RAW"
+    validate_iso_grub_assets "$ISO_RAW"
    validate_iso_nvidia_runtime "$ISO_RAW"
    cp "$ISO_RAW" "$ISO_OUT"
    echo ""
@@ -1589,13 +1679,15 @@ echo "=== building ISO (variant: ${BUILD_VARIANT}) ==="

 # Export for auto/config
 BEE_GPU_VENDOR_UPPER="$(echo "${BUILD_VARIANT}" | tr 'a-z-' 'A-Z_')"
-export BEE_GPU_VENDOR_UPPER
+BEE_ISO_VOLUME="EASY_BEE_${BEE_GPU_VENDOR_UPPER}_V${ISO_VERSION_LABEL_TOKEN}"
+export BEE_GPU_VENDOR_UPPER BEE_ISO_VOLUME

 cd "${LB_DIR}"
 run_step_sh "live-build clean" "80-lb-clean" "lb clean --all 2>&1 | tail -3"
 run_step_sh "live-build config" "81-lb-config" "lb config 2>&1 | tail -5"
 dump_memtest_debug "pre-build" "${LB_DIR}"
 run_step_sh "live-build build" "90-lb-build" "lb build 2>&1"
+split_live_squashfs_layers "${LB_DIR}"
 echo "=== enforcing canonical bootloader assets ==="
 enforce_live_build_bootloader_assets "${LB_DIR}"
 reset_live_build_stage "${LB_DIR}" "binary_checksums"
@@ -1629,7 +1721,7 @@ if [ -f "$ISO_RAW" ]; then
    fi
    validate_iso_memtest "$ISO_RAW"
    validate_iso_live_boot_entries "$ISO_RAW"
-    validate_iso_grub_theme_assets "$ISO_RAW"
+    validate_iso_grub_assets "$ISO_RAW"
    validate_iso_nvidia_runtime "$ISO_RAW"
    cp "$ISO_RAW" "$ISO_OUT"
    touch "${FULL_BUILD_MARKER}"
--- a/iso/builder/config/bootloaders/grub-efi/config.cfg
+++ b/iso/builder/config/bootloaders/grub-efi/config.cfg
@@ -1,5 +1,7 @@
 set default=1
 set timeout=10
+set color_normal=yellow/black
+set color_highlight=white/brown

 if [ x$feature_default_font_path = xy ] ; then
    font=unicode
@@ -8,7 +10,7 @@ else
 fi

 if loadfont $font ; then
-    set gfxmode=1920x1080,1280x1024,auto
+    set gfxmode=1280x1024,auto
    set gfxpayload=keep
    insmod efi_gop
    insmod efi_uga
@@ -26,6 +28,3 @@ insmod gfxterm

 terminal_input console serial
 terminal_output gfxterm serial
-
-insmod tga
-source /boot/grub/theme.cfg
--- a/iso/builder/config/bootloaders/grub-efi/grub.cfg
+++ b/iso/builder/config/bootloaders/grub-efi/grub.cfg
@@ -1,12 +1,17 @@
 source /boot/grub/config.cfg

-menuentry "EASY-BEE" {
-    linux   @KERNEL_LIVE@ @APPEND_LIVE@ bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+menuentry "EASY-BEE v@VERSION@" {
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
    initrd  @INITRD_LIVE@
 }

-menuentry "EASY-BEE -- load to RAM (toram)" {
-    linux   @KERNEL_LIVE@ @APPEND_LIVE@ toram bee.display=kms bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+menuentry "EASY-BEE v@VERSION@ -- load to RAM (toram)" {
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ toram nomodeset bee.nvidia.mode=normal pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+    initrd  @INITRD_LIVE@
+}
+
+menuentry "EASY-BEE v@VERSION@ -- no GUI / no X11" {
+    linux   @KERNEL_LIVE@ @APPEND_LIVE@ nomodeset bee.gui=off bee.nvidia.mode=gsp-off pci=realloc net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
    initrd  @INITRD_LIVE@
 }

--- a/iso/builder/config/bootloaders/grub-efi/live-theme/theme.txt
+++ b/iso/builder/config/bootloaders/grub-efi/live-theme/theme.txt
@@ -5,13 +5,6 @@ title-text: ""
 message-font: "Unifont Regular 16"
 terminal-font: "Unifont Regular 16"

-#bee logo - centered, upper third of screen
-+ image {
-        top = 4%
-        left = 50%-200
-        file = "bee-logo.tga"
-}
-
 #help bar at the bottom
 + label {
        top = 100%-50
--- a/iso/builder/config/bootloaders/isolinux/live.cfg.in
+++ b/iso/builder/config/bootloaders/isolinux/live.cfg.in
@@ -1,16 +1,22 @@
 label live-@FLAVOUR@-normal
-    menu label ^EASY-BEE
+    menu label ^EASY-BEE v@VERSION@
    linux @LINUX@
    initrd @INITRD@
    append @APPEND_LIVE@ nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup

 label live-@FLAVOUR@-toram
-    menu label EASY-BEE (^load to RAM)
+    menu label EASY-BEE v@VERSION@ (^load to RAM)
    menu default
    linux @LINUX@
    initrd @INITRD@
    append @APPEND_LIVE@ toram nomodeset bee.nvidia.mode=normal net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup

+label live-@FLAVOUR@-console
+    menu label EASY-BEE v@VERSION@ (^no GUI / no X11)
+    linux @LINUX@
+    initrd @INITRD@
+    append @APPEND_LIVE@ nomodeset bee.gui=off bee.nvidia.mode=gsp-off net.ifnames=0 biosdevname=0 mitigations=off transparent_hugepage=always numa_balancing=disable pcie_aspm=off intel_idle.max_cstate=1 processor.max_cstate=1 nowatchdog nosoftlockup
+
 label live-@FLAVOUR@-gsp-off
    menu label EASY-BEE (^NVIDIA GSP=off)
    linux @LINUX@
--- a/iso/builder/config/hooks/normal/9000-bee-setup.hook.chroot
+++ b/iso/builder/config/hooks/normal/9000-bee-setup.hook.chroot
@@ -67,6 +67,7 @@ chmod +x /usr/local/bin/bee-log-run    2>/dev/null || true
 chmod +x /usr/local/bin/bee-selfheal        2>/dev/null || true
 chmod +x /usr/local/bin/bee-boot-status    2>/dev/null || true
 chmod +x /usr/local/bin/bee-install        2>/dev/null || true
+chmod +x /usr/local/bin/bee-gui-gate       2>/dev/null || true
 chmod +x /usr/local/bin/bee-remount-medium 2>/dev/null || true
 if [ "$GPU_VENDOR" = "nvidia" ]; then
    chmod +x /usr/local/bin/bee-nvidia-load 2>/dev/null || true
--- a/iso/overlay/etc/motd
+++ b/iso/overlay/etc/motd
@@ -1,11 +1,4 @@
-
-  ███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗
-  ██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝
-  █████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗
-  ██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝
-  ███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗
-  ╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝
-
+  EASY BEE
  Hardware Audit LiveCD
  Build: %%BUILD_INFO%%

--- a/iso/overlay/etc/systemd/system/bee-audit.service
+++ b/iso/overlay/etc/systemd/system/bee-audit.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Bee: hardware audit
-After=bee-preflight.service bee-network.service bee-nvidia.service bee-blackbox.service
+After=bee-preflight.service bee-nvidia.service bee-blackbox.service

 [Service]
 Type=oneshot
--- a/iso/overlay/etc/systemd/system/bee-network.service
+++ b/iso/overlay/etc/systemd/system/bee-network.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=Bee: bring up network interfaces via DHCP
-After=local-fs.target bee-blackbox.service
-Before=network-online.target bee-audit.service
+After=bee-web.service bee-audit.service

 [Service]
 Type=oneshot
--- a/iso/overlay/etc/systemd/system/bee-preflight.service
+++ b/iso/overlay/etc/systemd/system/bee-preflight.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Bee: runtime preflight self-check
-After=bee-network.service bee-nvidia.service bee-blackbox.service
+After=bee-nvidia.service bee-blackbox.service
 Before=bee-audit.service

 [Service]
--- a/iso/overlay/etc/systemd/system/bee-selfheal.timer
+++ b/iso/overlay/etc/systemd/system/bee-selfheal.timer
@@ -3,7 +3,7 @@ Description=Bee: run self-heal checks periodically

 [Timer]
 OnBootSec=45sec
-OnUnitActiveSec=60sec
+OnUnitActiveSec=3min
 AccuracySec=15sec
 Unit=bee-selfheal.service

--- a/iso/overlay/etc/systemd/system/lightdm.service.d/bee-gui-gate.conf
+++ b/iso/overlay/etc/systemd/system/lightdm.service.d/bee-gui-gate.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecCondition=/usr/local/bin/bee-gui-gate
--- a/iso/overlay/usr/local/bin/bee-boot-status
+++ b/iso/overlay/usr/local/bin/bee-boot-status
@@ -51,12 +51,7 @@ while true; do
    printf '\033[H\033[2J'

    printf '\n'
-    printf '  \033[33m███████╗ █████╗ ███████╗██╗   ██╗      ██████╗ ███████╗███████╗\033[0m\n'
-    printf '  \033[33m██╔════╝██╔══██╗██╔════╝╚██╗ ██╔╝      ██╔══██╗██╔════╝██╔════╝\033[0m\n'
-    printf '  \033[33m█████╗  ███████║███████╗ ╚████╔╝ █████╗██████╔╝█████╗  █████╗\033[0m\n'
-    printf '  \033[33m██╔══╝  ██╔══██║╚════██║  ╚██╔╝  ╚════╝██╔══██╗██╔══╝  ██╔══╝\033[0m\n'
-    printf '  \033[33m███████╗██║  ██║███████║   ██║         ██████╔╝███████╗███████╗\033[0m\n'
-    printf '  \033[33m╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝         ╚═════╝ ╚══════╝╚══════╝\033[0m\n'
+    printf '  \033[33mEASY BEE\033[0m\n'
    printf '  Hardware Audit LiveCD\n'
    printf '\n'

--- a/iso/overlay/usr/local/bin/bee-gui-gate
+++ b/iso/overlay/usr/local/bin/bee-gui-gate
@@ -0,0 +1,27 @@
+#!/bin/sh
+# bee-gui-gate — skip starting the local GUI when bee.gui=off is set.
+
+set -eu
+
+cmdline_param() {
+    key="$1"
+    for token in $(cat /proc/cmdline 2>/dev/null); do
+        case "$token" in
+            "$key"=*)
+                echo "${token#*=}"
+                return 0
+                ;;
+        esac
+    done
+    return 1
+}
+
+mode="$(cmdline_param bee.gui || true)"
+case "${mode}" in
+    off|false|0|tty|console|text|nogui)
+        echo "bee-gui-gate: bee.gui=${mode}; skipping lightdm"
+        exit 1
+        ;;
+esac
+
+exit 0
--- a/iso/overlay/usr/local/bin/bee-install
+++ b/iso/overlay/usr/local/bin/bee-install
@@ -8,7 +8,7 @@
 # Layout (UEFI):  GPT, /dev/sdX1=EFI 512MB vfat, /dev/sdX2=root ext4
 # Layout (BIOS):  MBR, /dev/sdX1=root ext4
 #
-# Squashfs source: /run/live/medium/live/filesystem.squashfs
+# Squashfs sources: /run/live/medium/live/*.squashfs

 set -euo pipefail

@@ -62,9 +62,9 @@ for tool in parted mkfs.vfat mkfs.ext4 unsquashfs grub-install update-grub; do
    fi
 done

-SQUASHFS="/run/live/medium/live/filesystem.squashfs"
-if [ ! -f "$SQUASHFS" ]; then
-    echo "ERROR: squashfs not found at $SQUASHFS" >&2
+mapfile -t SQUASHFS_FILES < <(find /run/live/medium/live -maxdepth 1 -type f -name '*.squashfs' | sort)
+if [ "${#SQUASHFS_FILES[@]}" -eq 0 ]; then
+    echo "ERROR: no squashfs files found under /run/live/medium/live" >&2
    echo "  The live medium may have been disconnected." >&2
    echo "  Reconnect the disc and run:  bee-remount-medium --wait" >&2
    echo "  Then re-run bee-install." >&2
@@ -106,7 +106,10 @@ log "=== BEE DISK INSTALLER ==="
 log "Target device : $DEVICE"
 log "Root partition: $PART_ROOT"
 [ "$UEFI" = "1" ] && log "EFI partition : $PART_EFI"
-log "Squashfs      : $SQUASHFS ($(du -sh "$SQUASHFS" | cut -f1))"
+log "Squashfs      : ${#SQUASHFS_FILES[@]} layer(s)"
+for sf in "${SQUASHFS_FILES[@]}"; do
+    log "  - $sf ($(du -sh "$sf" | cut -f1))"
+done
 log "Log           : $LOGFILE"
 log ""

@@ -163,7 +166,9 @@ log "  Mounted."

 # ------------------------------------------------------------------
 log "--- Step 5/7: Unpacking filesystem (this takes 10-20 minutes) ---"
-log "  Source: $SQUASHFS"
+for sf in "${SQUASHFS_FILES[@]}"; do
+    log "  Source: $sf"
+done
 log "  Target: $MOUNT_ROOT"

 # unsquashfs does not support resume, so retry the entire unpack step if the
@@ -177,9 +182,9 @@ while true; do
    fi
    [ "$UNPACK_ATTEMPTS" -gt 1 ] && log "  Retry attempt $UNPACK_ATTEMPTS / $UNPACK_MAX ..."

-    # Re-check squashfs is reachable before each attempt
-    if [ ! -f "$SQUASHFS" ]; then
-        log "  SOURCE LOST: $SQUASHFS not found."
+    mapfile -t SQUASHFS_FILES < <(find /run/live/medium/live -maxdepth 1 -type f -name '*.squashfs' | sort)
+    if [ "${#SQUASHFS_FILES[@]}" -eq 0 ]; then
+        log "  SOURCE LOST: no squashfs files found under /run/live/medium/live."
        log "  Reconnect the disc and run 'bee-remount-medium --wait' in another terminal,"
        log "  then press Enter here to retry."
        read -r _
@@ -194,12 +199,17 @@ while true; do
    fi

    UNPACK_OK=0
-    unsquashfs -f -d "$MOUNT_ROOT" "$SQUASHFS" 2>&1 | \
-        grep -E '^\[|^inod|^created|^extract|^ERROR|failed' | \
-        while IFS= read -r line; do log "  $line"; done || UNPACK_OK=$?
+    for sf in "${SQUASHFS_FILES[@]}"; do
+        log "  Unpacking $(basename "$sf") ..."
+        unsquashfs -f -d "$MOUNT_ROOT" "$sf" 2>&1 | \
+            grep -E '^\[|^inod|^created|^extract|^ERROR|failed' | \
+            while IFS= read -r line; do log "  $line"; done || UNPACK_OK=$?
+        [ "$UNPACK_OK" -eq 0 ] || break
+    done

    # Check squashfs is still reachable (gone = disc pulled during copy)
-    if [ ! -f "$SQUASHFS" ]; then
+    mapfile -t SQUASHFS_FILES < <(find /run/live/medium/live -maxdepth 1 -type f -name '*.squashfs' | sort)
+    if [ "${#SQUASHFS_FILES[@]}" -eq 0 ]; then
        log "  WARNING: source medium lost during unpack — will retry after remount."
        log "  Run 'bee-remount-medium --wait' in another terminal, then press Enter."
        read -r _
--- a/iso/overlay/usr/local/bin/bee-network.sh
+++ b/iso/overlay/usr/local/bin/bee-network.sh
@@ -1,8 +1,9 @@
 #!/bin/sh
 # bee-network.sh — bring up all physical network interfaces via DHCP
-# Unattended: runs silently, logs results, never blocks.
+# Unattended: starts later in boot, runs quietly, and gives up after a bounded timeout.

 LOG_PREFIX="bee-network"
+DHCP_TIMEOUT_SECS=300

 log() { echo "[$LOG_PREFIX] $*"; }

@@ -19,9 +20,50 @@ if command -v udevadm >/dev/null 2>&1; then
    udevadm settle --timeout=5 >/dev/null 2>&1 || log "WARN: udevadm settle timed out"
 fi

+start_dhcp() {
+    iface="$1"
+    if ! ip link set "$iface" up; then
+        log "WARN: could not bring up $iface"
+        return 1
+    fi
+
+    carrier=$(cat "/sys/class/net/$iface/carrier" 2>/dev/null || true)
+    if [ "$carrier" = "1" ]; then
+        log "carrier detected on $iface"
+    else
+        log "carrier not detected on $iface"
+    fi
+
+    dhclient -r "$iface" >/dev/null 2>&1 || true
+
+    if timeout "${DHCP_TIMEOUT_SECS}" dhclient -4 -q -1 "$iface" >/dev/null 2>&1; then
+        addr="$(ip -4 -o addr show dev "$iface" scope global 2>/dev/null | awk '{print $4}' | head -1)"
+        if [ -n "$addr" ]; then
+            log "DHCP lease acquired on $iface ($addr)"
+        else
+            log "DHCP lease acquired on $iface"
+        fi
+        return 0
+    fi
+
+    rc=$?
+    case "$rc" in
+        124)
+            log "DHCP timed out on $iface after ${DHCP_TIMEOUT_SECS}s"
+            ;;
+        *)
+            log "DHCP failed on $iface (exit $rc)"
+            ;;
+    esac
+    dhclient -r "$iface" >/dev/null 2>&1 || true
+    return 1
+}
+
 started_ifaces=""
 started_count=0
 scan_pass=1
+pids=""
+pid_ifaces=""

 # Some server NICs appear a bit later after module/firmware init. Do a small
 # bounded rescan window without turning network bring-up into a boot blocker.
@@ -34,22 +76,11 @@ while [ "$scan_pass" -le 3 ]; do
                *" $iface "*) continue ;;
            esac

-            log "bringing up $iface"
-            if ! ip link set "$iface" up; then
-                log "WARN: could not bring up $iface"
-                continue
-            fi
-
-            carrier=$(cat "/sys/class/net/$iface/carrier" 2>/dev/null || true)
-            if [ "$carrier" = "1" ]; then
-                log "carrier detected on $iface"
-            else
-                log "carrier not detected yet on $iface"
-            fi
-
-            # DHCP in background — non-blocking, keep dhclient verbose output in the service log.
-            dhclient -4 -v -nw "$iface" &
-            log "DHCP started for $iface (pid $!)"
+            log "starting DHCP on $iface (timeout ${DHCP_TIMEOUT_SECS}s)"
+            start_dhcp "$iface" &
+            pid="$!"
+            pids="$pids $pid"
+            pid_ifaces="$pid_ifaces $pid:$iface"

            started_ifaces="$started_ifaces $iface"
            started_count=$((started_count + 1))
@@ -68,4 +99,15 @@ if [ "$started_count" -eq 0 ]; then
    exit 0
 fi

-log "done (interfaces started: $started_count)"
+success_count=0
+for pid_iface in $pid_ifaces; do
+    pid="${pid_iface%%:*}"
+    iface="${pid_iface#*:}"
+    if wait "$pid"; then
+        success_count=$((success_count + 1))
+    else
+        log "DHCP did not complete successfully on $iface"
+    fi
+done
+
+log "done (interfaces scanned: $started_count, leases acquired: $success_count)"
--- a/iso/overlay/usr/local/bin/bee-remount-medium
+++ b/iso/overlay/usr/local/bin/bee-remount-medium
@@ -2,7 +2,7 @@
 # bee-remount-medium — find and remount the live ISO medium to /run/live/medium
 #
 # Run this after reconnecting the ISO source disc (USB/CD) if the live medium
-# was lost and /run/live/medium/live/filesystem.squashfs is missing.
+# was lost and /run/live/medium/live/*.squashfs are missing.
 #
 # Usage: bee-remount-medium [--wait]
 #   --wait  keep retrying every 5 seconds until the medium is found (useful
@@ -11,7 +11,7 @@
 set -euo pipefail

 MEDIUM_DIR="/run/live/medium"
-SQUASHFS_REL="live/filesystem.squashfs"
+SQUASHFS_GLOB="live/*.squashfs"
 WAIT_MODE=0

 for arg in "$@"; do
@@ -56,7 +56,7 @@ try_mount() {
    local tmpdir
    tmpdir=$(mktemp -d /tmp/bee-probe-XXXXXX)
    if mount -o ro "$dev" "$tmpdir" 2>/dev/null; then
-        if [ -f "${tmpdir}/${SQUASHFS_REL}" ]; then
+        if find "${tmpdir}/live" -maxdepth 1 -type f -name '*.squashfs' 2>/dev/null | grep -q .; then
            # Unmount probe mount and mount properly onto live path
            umount "$tmpdir" 2>/dev/null || true
            rmdir "$tmpdir"  2>/dev/null || true
@@ -82,8 +82,9 @@ attempt() {
    for dev in $(find_candidates); do
        log "  Trying $dev ..."
        if try_mount "$dev"; then
-            local sq="${MEDIUM_DIR}/${SQUASHFS_REL}"
-            log "SUCCESS: squashfs available at $sq ($(du -sh "$sq" | cut -f1))"
+            local count
+            count=$(find "${MEDIUM_DIR}/live" -maxdepth 1 -type f -name '*.squashfs' 2>/dev/null | wc -l | tr -d ' ')
+            log "SUCCESS: ${count} squashfs layer(s) available under ${MEDIUM_DIR}/live"
            return 0
        fi
    done
@@ -100,5 +101,5 @@ if [ "$WAIT_MODE" = "1" ]; then
        sleep 5
    done
 else
-    attempt || die "No ISO medium with ${SQUASHFS_REL} found. Reconnect the disc and re-run, or use --wait."
+    attempt || die "No ISO medium with ${SQUASHFS_GLOB} found. Reconnect the disc and re-run, or use --wait."
 fi
--- a/iso/overlay/usr/local/bin/bee-selfheal
+++ b/iso/overlay/usr/local/bin/bee-selfheal
@@ -8,11 +8,17 @@ EXPORT_DIR="/appdata/bee/export"
 AUDIT_JSON="${EXPORT_DIR}/bee-audit.json"
 RUNTIME_JSON="${EXPORT_DIR}/runtime-health.json"
 LOCK_DIR="/run/bee-selfheal.lock"
+EVENTS=0

 log() {
    echo "[${LOG_PREFIX}] $*"
 }

+log_event() {
+    EVENTS=$((EVENTS + 1))
+    log "$*"
+}
+
 have_nvidia_gpu() {
    lspci -Dn 2>/dev/null | awk '$2 ~ /^03(00|02):$/ && $3 ~ /^10de:/ { found=1; exit } END { exit(found ? 0 : 1) }'
 }
@@ -56,24 +62,22 @@ web_healthy() {
 mkdir -p "${EXPORT_DIR}" /run

 if ! mkdir "${LOCK_DIR}" 2>/dev/null; then
-    log "another self-heal run is already active"
+    log_event "another self-heal run is already active"
    exit 0
 fi
 trap 'rmdir "${LOCK_DIR}" >/dev/null 2>&1 || true' EXIT

-log "start"
-
 if have_nvidia_gpu && [ ! -e /dev/nvidia0 ]; then
-    log "NVIDIA GPU detected but /dev/nvidia0 is missing"
+    log_event "NVIDIA GPU detected but /dev/nvidia0 is missing"
    restart_service bee-nvidia.service || true
 fi

 runtime_state="$(artifact_state "${RUNTIME_JSON}")"
 if [ "${runtime_state}" != "ready" ]; then
    if [ "${runtime_state}" = "interrupted" ]; then
-        log "runtime-health.json.tmp exists — interrupted runtime-health write detected"
+        log_event "runtime-health.json.tmp exists — interrupted runtime-health write detected"
    else
-        log "runtime-health.json missing or empty"
+        log_event "runtime-health.json missing or empty"
    fi
    restart_service bee-preflight.service || true
 fi
@@ -81,19 +85,17 @@ fi
 audit_state="$(artifact_state "${AUDIT_JSON}")"
 if [ "${audit_state}" != "ready" ]; then
    if [ "${audit_state}" = "interrupted" ]; then
-        log "bee-audit.json.tmp exists — interrupted audit write detected"
+        log_event "bee-audit.json.tmp exists — interrupted audit write detected"
    else
-        log "bee-audit.json missing or empty"
+        log_event "bee-audit.json missing or empty"
    fi
    restart_service bee-audit.service || true
 fi

 if ! service_active bee-web.service; then
-    log "bee-web.service is not active"
+    log_event "bee-web.service is not active"
    restart_service bee-web.service || true
 elif ! web_healthy; then
-    log "bee-web health check failed"
+    log_event "bee-web health check failed"
    restart_service bee-web.service || true
 fi
-
-log "done"
Author	SHA1	Message	Date
Michael Chus	7b4bcc745a	Split live rootfs into smaller squashfs layers	2026-05-03 23:15:22 +03:00
Michael Chus	42774d44a6	Restore post-build GRUB and isolinux sync	2026-05-03 21:49:54 +03:00
Michael Chus	5dc022ddf8	Drop post-build EFI bootloader patching	2026-05-03 21:22:53 +03:00
Michael Chus	6623e159f5	Grow EFI image before syncing GRUB theme assets	2026-05-03 21:18:37 +03:00
Michael Chus	bbd6d009f8	Avoid EFI image overflow when syncing GRUB theme	2026-05-03 21:16:36 +03:00
Michael Chus	6c2b188ec9	Add no-GUI boot mode and quieter boot diagnostics	2026-05-03 21:14:45 +03:00
Michael Chus	14505ef24a	Remove easy bee ASCII logo banners	2026-05-03 21:07:13 +03:00
Michael Chus	4f20c9246d	Make UEFI boot safe and remove GRUB logo	2026-05-03 20:11:42 +03:00
Michael Chus	eed157c2db	Pin live boot medium to versioned ISO label	2026-05-03 15:52:07 +03:00
Michael Chus	a2c8aea0df	Fix GRUB theme ISO validation helper name	2026-05-03 14:45:16 +03:00
Michael Chus	b21f03cd26	Reduce bee-selfheal log noise and slow timer	2026-05-03 14:38:12 +03:00