345a93512a
Replace the entire live CD build pipeline: - Alpine SDK + mkimage + genapkovl → Debian live-build (lb config/build) - OpenRC init scripts → systemd service units - dropbear → openssh-server (native to Debian live) - udhcpc → dhclient for DHCP - apk → apt-get in setup-builder.sh and build-nvidia-module.sh - Add auto/config (lb config options) and auto/build wrapper - Add config/package-lists/bee.list.chroot replacing Alpine apks - Add config/hooks/normal/9000-bee-setup.hook.chroot to enable services - Add bee-nvidia-load and bee-sshsetup helper scripts - Keep NVIDIA pre-compile pipeline (Option B): compile on builder VM against pinned Debian kernel headers (DEBIAN_KERNEL_ABI), inject .ko into includes.chroot - Fixes: native glibc (no gcompat shims), proper udev, writable /lib/modules, no Alpine modloop read-only constraint, no stale apk cache issues Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
190 lines
6.3 KiB
Bash
Executable File
190 lines
6.3 KiB
Bash
Executable File
#!/bin/sh
|
|
# build.sh — build bee ISO (Debian 12 / live-build)
|
|
#
|
|
# Single build script. Produces a bootable live ISO with SSH access, TUI, NVIDIA drivers.
|
|
#
|
|
# Run on Debian 12 builder VM as root after setup-builder.sh.
|
|
# Usage:
|
|
# sh iso/builder/build.sh [--authorized-keys /path/to/authorized_keys]
|
|
|
|
set -e
|
|
|
|
REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
|
|
BUILDER_DIR="${REPO_ROOT}/iso/builder"
|
|
OVERLAY_DIR="${REPO_ROOT}/iso/overlay"
|
|
DIST_DIR="${REPO_ROOT}/dist"
|
|
VENDOR_DIR="${REPO_ROOT}/iso/vendor"
|
|
AUTH_KEYS=""
|
|
|
|
# parse args
|
|
while [ $# -gt 0 ]; do
|
|
case "$1" in
|
|
--authorized-keys) AUTH_KEYS="$2"; shift 2 ;;
|
|
*) echo "unknown arg: $1"; exit 1 ;;
|
|
esac
|
|
done
|
|
|
|
. "${BUILDER_DIR}/VERSIONS"
|
|
export PATH="$PATH:/usr/local/go/bin"
|
|
|
|
echo "=== bee ISO build ==="
|
|
echo "Debian: ${DEBIAN_VERSION}, Kernel ABI: ${DEBIAN_KERNEL_ABI}, Go: ${GO_VERSION}"
|
|
echo ""
|
|
|
|
# --- compile audit binary (static, Linux amd64) ---
|
|
AUDIT_BIN="${DIST_DIR}/bee-audit-linux-amd64"
|
|
NEED_BUILD=1
|
|
if [ -f "$AUDIT_BIN" ]; then
|
|
NEWEST_SRC=$(find "${REPO_ROOT}/audit" -name '*.go' -newer "$AUDIT_BIN" | head -1)
|
|
[ -z "$NEWEST_SRC" ] && NEED_BUILD=0
|
|
fi
|
|
|
|
if [ "$NEED_BUILD" = "1" ]; then
|
|
echo "=== building audit binary ==="
|
|
cd "${REPO_ROOT}/audit"
|
|
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
|
|
go build \
|
|
-ldflags "-s -w -X main.Version=${AUDIT_VERSION:-$(date +%Y%m%d)}" \
|
|
-o "$AUDIT_BIN" \
|
|
./cmd/audit
|
|
echo "binary: $AUDIT_BIN"
|
|
echo "size: $(du -sh "$AUDIT_BIN" | cut -f1)"
|
|
else
|
|
echo "=== audit binary up to date, skipping build ==="
|
|
fi
|
|
|
|
# --- inject authorized_keys for SSH access ---
|
|
AUTHORIZED_KEYS_FILE="${OVERLAY_DIR}/root/.ssh/authorized_keys"
|
|
mkdir -p "${OVERLAY_DIR}/root/.ssh"
|
|
|
|
if [ -n "$AUTH_KEYS" ]; then
|
|
cp "$AUTH_KEYS" "$AUTHORIZED_KEYS_FILE"
|
|
chmod 600 "$AUTHORIZED_KEYS_FILE"
|
|
echo "SSH authorized_keys: installed from $AUTH_KEYS"
|
|
else
|
|
> "$AUTHORIZED_KEYS_FILE"
|
|
FOUND=0
|
|
for ssh_pub in "$HOME"/.keys/*.key.pub; do
|
|
[ -f "$ssh_pub" ] || continue
|
|
cat "$ssh_pub" >> "$AUTHORIZED_KEYS_FILE"
|
|
echo "SSH: added $(basename "$ssh_pub" .key.pub)"
|
|
FOUND=$((FOUND + 1))
|
|
done
|
|
if [ "$FOUND" -gt 0 ]; then
|
|
chmod 600 "$AUTHORIZED_KEYS_FILE"
|
|
echo "SSH authorized_keys: $FOUND key(s) from ~/.keys/*.key.pub"
|
|
else
|
|
echo "WARNING: no SSH public keys found — falling back to password auth"
|
|
echo " SSH login: bee / eeb"
|
|
USE_PASSWORD_FALLBACK=1
|
|
fi
|
|
fi
|
|
|
|
if [ "${USE_PASSWORD_FALLBACK:-0}" = "1" ]; then
|
|
touch "${OVERLAY_DIR}/etc/bee-ssh-password-fallback"
|
|
else
|
|
rm -f "${OVERLAY_DIR}/etc/bee-ssh-password-fallback"
|
|
fi
|
|
|
|
# --- copy audit binary into overlay ---
|
|
mkdir -p "${OVERLAY_DIR}/usr/local/bin"
|
|
cp "${DIST_DIR}/bee-audit-linux-amd64" "${OVERLAY_DIR}/usr/local/bin/audit"
|
|
chmod +x "${OVERLAY_DIR}/usr/local/bin/audit"
|
|
|
|
# --- inject smoketest into overlay so it runs directly on the live CD ---
|
|
cp "${BUILDER_DIR}/smoketest.sh" "${OVERLAY_DIR}/usr/local/bin/bee-smoketest"
|
|
chmod +x "${OVERLAY_DIR}/usr/local/bin/bee-smoketest"
|
|
|
|
# --- vendor utilities (optional pre-fetched binaries) ---
|
|
for tool in storcli64 sas2ircu sas3ircu mstflint; do
|
|
if [ -f "${VENDOR_DIR}/${tool}" ]; then
|
|
cp "${VENDOR_DIR}/${tool}" "${OVERLAY_DIR}/usr/local/bin/${tool}"
|
|
chmod +x "${OVERLAY_DIR}/usr/local/bin/${tool}" || true
|
|
echo "vendor tool: ${tool} (included)"
|
|
else
|
|
echo "vendor tool: ${tool} (not found, skipped)"
|
|
fi
|
|
done
|
|
|
|
# --- build NVIDIA kernel modules ---
|
|
echo ""
|
|
echo "=== building NVIDIA ${NVIDIA_DRIVER_VERSION} modules ==="
|
|
sh "${BUILDER_DIR}/build-nvidia-module.sh" "${NVIDIA_DRIVER_VERSION}" "${DIST_DIR}" "${DEBIAN_KERNEL_ABI}"
|
|
|
|
KVER="${DEBIAN_KERNEL_ABI}-amd64"
|
|
NVIDIA_CACHE="${DIST_DIR}/nvidia-${NVIDIA_DRIVER_VERSION}-${KVER}"
|
|
|
|
# Inject .ko files into overlay at /usr/local/lib/nvidia/
|
|
OVERLAY_KMOD_DIR="${OVERLAY_DIR}/usr/local/lib/nvidia"
|
|
mkdir -p "${OVERLAY_KMOD_DIR}"
|
|
cp "${NVIDIA_CACHE}/modules/"*.ko "${OVERLAY_KMOD_DIR}/"
|
|
|
|
# Inject nvidia-smi and libnvidia-ml
|
|
mkdir -p "${OVERLAY_DIR}/usr/local/bin" "${OVERLAY_DIR}/usr/lib"
|
|
cp "${NVIDIA_CACHE}/bin/nvidia-smi" "${OVERLAY_DIR}/usr/local/bin/"
|
|
chmod +x "${OVERLAY_DIR}/usr/local/bin/nvidia-smi"
|
|
cp "${NVIDIA_CACHE}/bin/nvidia-bug-report.sh" "${OVERLAY_DIR}/usr/local/bin/" 2>/dev/null || true
|
|
chmod +x "${OVERLAY_DIR}/usr/local/bin/nvidia-bug-report.sh" 2>/dev/null || true
|
|
cp "${NVIDIA_CACHE}/lib/"* "${OVERLAY_DIR}/usr/lib/" 2>/dev/null || true
|
|
|
|
# --- embed build metadata ---
|
|
mkdir -p "${OVERLAY_DIR}/etc"
|
|
BUILD_DATE="$(date +%Y-%m-%d)"
|
|
GIT_COMMIT="$(git -C "${REPO_ROOT}" rev-parse --short HEAD 2>/dev/null || echo unknown)"
|
|
cat > "${OVERLAY_DIR}/etc/bee-release" <<EOF
|
|
BEE_ISO_VERSION=${AUDIT_VERSION}
|
|
BEE_AUDIT_VERSION=${AUDIT_VERSION}
|
|
BUILD_DATE=${BUILD_DATE}
|
|
GIT_COMMIT=${GIT_COMMIT}
|
|
DEBIAN_VERSION=${DEBIAN_VERSION}
|
|
DEBIAN_KERNEL_ABI=${DEBIAN_KERNEL_ABI}
|
|
NVIDIA_DRIVER_VERSION=${NVIDIA_DRIVER_VERSION}
|
|
EOF
|
|
|
|
# Patch motd with build info
|
|
BEE_BUILD_INFO="${BUILD_DATE} git:${GIT_COMMIT} debian:${DEBIAN_VERSION} nvidia:${NVIDIA_DRIVER_VERSION}"
|
|
if [ -f "${OVERLAY_DIR}/etc/motd" ]; then
|
|
sed "s/%%BUILD_INFO%%/${BEE_BUILD_INFO}/" "${OVERLAY_DIR}/etc/motd" \
|
|
> "${OVERLAY_DIR}/etc/motd.patched"
|
|
mv "${OVERLAY_DIR}/etc/motd.patched" "${OVERLAY_DIR}/etc/motd"
|
|
fi
|
|
|
|
# --- sync overlay into live-build includes.chroot ---
|
|
LB_DIR="${BUILDER_DIR}"
|
|
LB_INCLUDES="${LB_DIR}/config/includes.chroot"
|
|
mkdir -p "${LB_INCLUDES}"
|
|
rsync -a "${OVERLAY_DIR}/" "${LB_INCLUDES}/"
|
|
|
|
# Ensure SSH authorized_keys perms are correct (rsync may alter)
|
|
if [ -f "${LB_INCLUDES}/root/.ssh/authorized_keys" ]; then
|
|
chmod 700 "${LB_INCLUDES}/root/.ssh"
|
|
chmod 600 "${LB_INCLUDES}/root/.ssh/authorized_keys"
|
|
fi
|
|
|
|
# --- build ISO using live-build ---
|
|
mkdir -p "${DIST_DIR}"
|
|
echo ""
|
|
echo "=== building ISO (live-build) ==="
|
|
|
|
cd "${LB_DIR}"
|
|
lb clean 2>&1 | tail -3
|
|
lb config 2>&1 | tail -5
|
|
lb build 2>&1
|
|
|
|
# live-build outputs live-image-amd64.hybrid.iso in LB_DIR
|
|
ISO_RAW="${LB_DIR}/live-image-amd64.hybrid.iso"
|
|
ISO_OUT="${DIST_DIR}/bee-debian${DEBIAN_VERSION}-v${AUDIT_VERSION}-amd64.iso"
|
|
if [ -f "$ISO_RAW" ]; then
|
|
cp "$ISO_RAW" "$ISO_OUT"
|
|
echo ""
|
|
echo "=== done ==="
|
|
echo "ISO: $ISO_OUT"
|
|
echo "Size: $(du -sh "$ISO_OUT" | cut -f1)"
|
|
else
|
|
echo "ERROR: ISO not found at $ISO_RAW"
|
|
exit 1
|
|
fi
|
|
|
|
echo ""
|
|
echo "Boot via BMC virtual media and SSH to the server IP on port 22 as root."
|