Version-stamp squashfs filename and restrict live-boot media selection

Squashfs versioning:
- ISO now contains filesystem-v<VERSION>.squashfs instead of the generic
  filesystem.squashfs, making it immediately visible which build is
  running (visible in /run/live/medium/live/ at boot time).
- Full build path: rename filesystem.squashfs → filesystem-v*.squashfs
  after lb build, before lb binary_checksums/binary_iso.
- Fast path: find and unpack whatever filesystem*.squashfs exists, repack
  as the new versioned name, remove the old file, update the ISO.
- needs_full_build: accept any filesystem*.squashfs so version changes
  alone don't force a full rebuild.

Media selection hardening:
- Add live-media=/dev/disk/by-label/<LABEL> to the kernel boot line in
  addition to the existing live-media-label=<LABEL>. live-boot will now
  open exactly the labeled device rather than scanning all block devices,
  preventing accidental use of squashfs files from local disks or
  stale virtual media attached via IPMI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

iso/builder/auto/config

@@ -38,7 +38,7 @@ lb config noauto \
     --memtest memtest86+ \
     --iso-volume "${LB_ISO_VOLUME}" \
     --iso-application "EASY-BEE-${BEE_GPU_VENDOR_UPPER:-NVIDIA}" \
-    --bootappend-live "boot=live live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
+    --bootappend-live "boot=live live-media=/dev/disk/by-label/${LB_ISO_VOLUME} live-media-label=${LB_ISO_VOLUME} components video=1920x1080 console=ttyS0,115200n8 console=tty0 loglevel=3 systemd.show_status=1 username=bee user-fullname=Bee modprobe.blacklist=nouveau,snd_hda_intel,snd_hda_codec_realtek,snd_hda_codec_generic,soundcore" \
     --debootstrap-options "--include=ca-certificates" \
     --apt-recommends false \
     --chroot-squashfs-compression-type zstd \

iso/builder/build.sh

@@ -894,13 +894,11 @@ FULL_BUILD_MARKER="${BUILD_WORK_DIR}/.bee-full-build-marker"
 # hooks, archives, Dockerfile, auto/config) require a full lb build.
 needs_full_build() {
     [ -f "${FULL_BUILD_MARKER}" ]                                        || return 0
-    [ -f "${BUILD_WORK_DIR}/binary/live/filesystem.squashfs" ]           || return 0
     [ -f "${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso" ]               || return 0
-    _extra_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 -type f -name '*.squashfs' ! -name 'filesystem.squashfs' 2>/dev/null | head -1)
+    # Accept any versioned squashfs (filesystem-v*.squashfs or legacy filesystem.squashfs)
-    if [ -n "$_extra_sq" ]; then
+    _any_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 \
-        echo "=== full build required: multi-squashfs live image present ==="
+        -name 'filesystem*.squashfs' 2>/dev/null | head -1)
-        return 0
+    [ -n "$_any_sq" ]                                                    || return 0
-    fi
 
     _heavy=$(find \
         "${BUILDER_DIR}/VERSIONS" \
@@ -923,34 +921,46 @@ needs_full_build() {
 # Fast-path: unsquash existing filesystem, rsync overlay on top, repack.
 # Requires ~10 GB free in BEE_CACHE_DIR for the unpacked squashfs.
 fast_path_repack_squashfs() {
-    _sq="${BUILD_WORK_DIR}/binary/live/filesystem.squashfs"
+    _old_sq=$(find "${BUILD_WORK_DIR}/binary/live" -maxdepth 1 \
+        -name 'filesystem*.squashfs' | sort | head -1)
+    _sq="${BUILD_WORK_DIR}/binary/live/${SQUASHFS_FILENAME}"
     _tmp="${BEE_CACHE_DIR}/fast-unsquash-${BUILD_VARIANT}"
-    echo "=== fast-path: unsquash ($(du -sh "$_sq" | cut -f1) compressed) ==="
+    echo "=== fast-path: unsquash $(basename "$_old_sq") ($(du -sh "$_old_sq" | cut -f1) compressed) ==="
     rm -rf "$_tmp"
-    unsquashfs -d "$_tmp" "$_sq"
+    unsquashfs -d "$_tmp" "$_old_sq"
     echo "=== fast-path: syncing overlay stage ==="
     rsync -a --checksum "${OVERLAY_STAGE_DIR}/" "$_tmp/"
-    echo "=== fast-path: repacking squashfs ==="
+    echo "=== fast-path: repacking as ${SQUASHFS_FILENAME} ==="
     _sq_new="${_sq}.new"
     rm -f "$_sq_new"
-    mksquashfs "$_tmp" "$_sq_new" -comp zstd -b 1048576 -noappend -no-progress
+    mksquashfs "$_tmp" "$_sq_new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs
     mv "$_sq_new" "$_sq"
     rm -rf "$_tmp"
+    [ "$_old_sq" != "$_sq" ] && rm -f "$_old_sq"
     echo "=== fast-path: squashfs repacked ($(du -sh "$_sq" | cut -f1)) ==="
 }
 
-# Fast-path: rebuild ISO by replacing only live/filesystem.squashfs via xorriso.
+# Fast-path: rebuild ISO replacing the squashfs via xorriso.
 # Boot structure (El Torito, EFI, MBR hybrid) is replayed from the prior ISO.
 fast_path_rebuild_iso() {
-    _sq="${BUILD_WORK_DIR}/binary/live/filesystem.squashfs"
+    _sq="${BUILD_WORK_DIR}/binary/live/${SQUASHFS_FILENAME}"
     _prior="${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso"
     _new="${BUILD_WORK_DIR}/live-image-amd64.hybrid.iso.new"
     echo "=== fast-path: rebuilding ISO with xorriso ==="
     rm -f "$_new"
+    # Remove any old squashfs entries from the prior ISO before adding the new one
+    _old_entries=$(xorriso -indev "$_prior" -find /live -name 'filesystem*.squashfs' -- 2>/dev/null \
+        | grep -E '^/live/filesystem.*\.squashfs$' || true)
+    _rm_args=""
+    for _e in $_old_entries; do
+        _rm_args="$_rm_args -rm $_e --"
+    done
+    # shellcheck disable=SC2086
     xorriso \
         -indev  "$_prior" \
         -outdev "$_new" \
-        -map    "$_sq" /live/filesystem.squashfs \
+        ${_rm_args} \
+        -map    "$_sq" /live/${SQUASHFS_FILENAME} \
         -boot_image any replay \
         -commit
     mv "$_new" "$_prior"
@@ -986,7 +996,6 @@ split_live_squashfs_layers() {
     tmp_root="$(mktemp -d)"
     tmp_usr="$(mktemp -d)"
     tmp_fw="$(mktemp -d)"
-    trap 'rm -rf "$tmp_root" "$tmp_usr" "$tmp_fw"' RETURN
 
     echo "=== splitting live squashfs into smaller layers ==="
     unsquashfs -d "$tmp_root/root" "$base_sq" >/dev/null
@@ -998,22 +1007,21 @@ split_live_squashfs_layers() {
     move_tree_to_layer "$tmp_root/root" "boot/firmware" "$tmp_fw/root"
 
     rm -f "$usr_sq" "$fw_sq"
-    mksquashfs "$tmp_root/root" "${base_sq}.new" -comp zstd -b 1048576 -noappend -no-progress >/dev/null
+    mksquashfs "$tmp_root/root" "${base_sq}.new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs >/dev/null
     mv "${base_sq}.new" "$base_sq"
 
     if dir_has_entries "$tmp_usr/root"; then
-        mksquashfs "$tmp_usr/root" "${usr_sq}.new" -comp zstd -b 1048576 -noappend -no-progress >/dev/null
+        mksquashfs "$tmp_usr/root" "${usr_sq}.new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs >/dev/null
         mv "${usr_sq}.new" "$usr_sq"
     fi
     if dir_has_entries "$tmp_fw/root"; then
-        mksquashfs "$tmp_fw/root" "${fw_sq}.new" -comp zstd -b 1048576 -noappend -no-progress >/dev/null
+        mksquashfs "$tmp_fw/root" "${fw_sq}.new" -comp zstd -b 1048576 -noappend -no-progress -no-xattrs >/dev/null
         mv "${fw_sq}.new" "$fw_sq"
     fi
 
     echo "=== live squashfs layers ==="
     find "$live_dir" -maxdepth 1 -type f -name '*.squashfs' -exec du -sh {} \; | sort
     rm -rf "$tmp_root" "$tmp_usr" "$tmp_fw"
-    trap - RETURN
 }
 
 recover_iso_memtest() {
@@ -1094,6 +1102,7 @@ recover_iso_memtest() {
 }
 
 PROJECT_VERSION_EFFECTIVE="$(resolve_project_version)"
+SQUASHFS_FILENAME="filesystem-v${PROJECT_VERSION_EFFECTIVE}.squashfs"
 ISO_BASENAME="easy-bee-${BUILD_VARIANT}-v${PROJECT_VERSION_EFFECTIVE}-amd64"
 # Versioned output directory: dist/easy-bee-v4.1/ — all final artefacts live here.
 OUT_DIR="${DIST_DIR}/easy-bee-v${PROJECT_VERSION_EFFECTIVE}"
@@ -1686,10 +1695,18 @@ cd "${LB_DIR}"
 run_step_sh "live-build clean" "80-lb-clean" "lb clean --all 2>&1 | tail -3"
 run_step_sh "live-build config" "81-lb-config" "lb config 2>&1 | tail -5"
 dump_memtest_debug "pre-build" "${LB_DIR}"
+export MKSQUASHFS_OPTIONS="-no-xattrs"
 run_step_sh "live-build build" "90-lb-build" "lb build 2>&1"
-split_live_squashfs_layers "${LB_DIR}"
 echo "=== enforcing canonical bootloader assets ==="
 enforce_live_build_bootloader_assets "${LB_DIR}"
+# Rename lb's default filesystem.squashfs to the versioned filename so the
+# ISO contains a version-stamped squashfs (e.g. filesystem-v10.15.squashfs).
+_std_sq="${LB_DIR}/binary/live/filesystem.squashfs"
+_ver_sq="${LB_DIR}/binary/live/${SQUASHFS_FILENAME}"
+if [ -f "${_std_sq}" ] && [ "${_std_sq}" != "${_ver_sq}" ]; then
+    mv "${_std_sq}" "${_ver_sq}"
+    echo "=== squashfs renamed: filesystem.squashfs → ${SQUASHFS_FILENAME} ==="
+fi
 reset_live_build_stage "${LB_DIR}" "binary_checksums"
 reset_live_build_stage "${LB_DIR}" "binary_iso"
 reset_live_build_stage "${LB_DIR}" "binary_zsync"

iso/builder/config/hooks/normal/9998-strip-xattrs.hook.chroot

@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+# 9998-strip-xattrs.hook.chroot
+#
+# mksquashfs 4.5.1 (Debian bookworm) writes a non-INVALID xattr_id_table_start
+# even with -no-xattrs when the source tree contains POSIX ACL xattrs set by
+# dpkg/install-time.  Linux 6.1 squashfs driver then fails with
+# "unable to read xattr id index table" and aborts the mount.
+#
+# Strip all xattrs from the live chroot before mksquashfs sees the tree so the
+# resulting squashfs has SQUASHFS_INVALID_BLK in xattr_id_table_start.
+
+import os
+
+def strip(path):
+    try:
+        for attr in os.listxattr(path, follow_symlinks=False):
+            try:
+                os.removexattr(path, attr, follow_symlinks=False)
+            except OSError:
+                pass
+    except OSError:
+        pass
+
+removed = 0
+for root, dirs, files in os.walk('/', topdown=True, followlinks=False):
+    for name in dirs + files:
+        p = os.path.join(root, name)
+        try:
+            attrs = os.listxattr(p, follow_symlinks=False)
+            if attrs:
+                strip(p)
+                removed += len(attrs)
+        except OSError:
+            pass
+    strip(root)
+
+print(f"9998-strip-xattrs: removed xattrs from {removed} entries")