reanimator/bee
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
ffc7e5c71a8385f7d9819b430ac742184227edfb
bee/bible-local/architecture/system-overview.md
Mikhail Chusavitin ffc7e5c71a Fix critical ISO build bugs: kernel pinning, service registration, PATH, audit checks 
- Pin linux-lts to exact KERNEL_PKG_VERSION=6.12.76-r0 in build and ISO package list
- Add build-time verification that compiled kernel version matches pin (fails loudly)
- Fix bee-audit-debug → bee-audit in genapkovl OpenRC registration (service was never starting)
- Add AUDIT_VERSION=0.1.0 to VERSIONS (was undefined, bee-release had empty fields)
- Pin linux-lts-dev version in second apk add in build-nvidia-module.sh
- Add /root/.profile to overlay so /usr/local/bin is in PATH for SSH sessions
- Remove "DEBUG MODE" from motd
- Fix smoketest: grep for slog "audit output written" instead of non-existent "audit completed"
- Document no-internet constraint in system-overview and runtime-flows
- Remove redundant genapkovl copy to /var/tmp (now found via ~/.mkimage/)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 10:52:54 +03:00

2.9 KiB
Raw Blame History

System Overview — bee

What it does

Hardware audit LiveCD. Boots on a server via BMC virtual media or USB. Collects hardware inventory at OS level (not through BMC/Redfish). Produces HardwareIngestRequest JSON compatible with core/reanimator.

Why it exists

Fills gaps where Redfish/logpile is blind:

  • NVMe serials and SMART data
  • DIMM serials and slot layout
  • GPU serials and VBIOS versions
  • Physical disks behind RAID controllers
  • Full SMART wear telemetry
  • NIC firmware versions

In scope

  • Read-only hardware inventory: board, CPU, memory, storage, PCIe, PSU, GPU, NIC, RAID
  • Unattended operation — no user interaction required
  • NVIDIA proprietary driver loaded at boot for GPU enrichment via nvidia-smi
  • SSH access (dropbear) always available for inspection and debugging
  • Interactive TUI (bee-tui) for network setup, service management, GPU tests
  • GPU stress testing via gpu_burn (vendor binary, optional)

Network isolation — CRITICAL

The live CD runs in an isolated network segment with no internet access.

  • All tools, drivers, and binaries MUST be pre-baked into the ISO at build time
  • No apk add at boot — packages are installed during ISO creation, not at runtime
  • No downloads at boot — NVIDIA modules, vendor tools, and all binaries come from the ISO overlay
  • DHCP is used only for LAN access (SSH from operator laptop); internet is NOT assumed
  • Any feature requiring network downloads cannot be added to the live CD

Out of scope

  • Any writes to the server being audited
  • Network configuration changes (persistent)
  • BMC/IPMI configuration
  • Anything requiring persistent storage on the audited machine
  • Windows support
  • Any functionality requiring internet access at boot

Tech stack

Component Technology
Audit binary Go, static, CGO_ENABLED=0
LiveCD Alpine Linux 3.21, linux-lts 6.12.x
ISO build Alpine mkimage + apkovl overlay (iso/overlay/)
Init system OpenRC
SSH Dropbear (always included)
NVIDIA driver Proprietary .run installer, built against linux-lts headers
NVIDIA modules Loaded via insmod from /usr/local/lib/nvidia/ (not modloop path)
glibc compat gcompat — required for nvidia-smi (glibc binary on musl Alpine)
Builder VM Alpine 3.21

Key paths

Path Purpose
audit/cmd/audit/ CLI entry point
audit/internal/collector/ Per-subsystem collectors
audit/internal/schema/ HardwareIngestRequest types
iso/builder/ ISO build scripts and mkimage profile
iso/overlay/ Single overlay: files injected into ISO via apkovl
iso/vendor/ Optional pre-built vendor binaries (storcli64, gpu_burn, …)
iso/builder/VERSIONS Pinned versions: Alpine, Go, NVIDIA driver, kernel
iso/builder/smoketest.sh Post-boot smoke test — run via SSH to verify live ISO
dist/ Build outputs (gitignored)
iso/out/ Downloaded ISO files (gitignored)
Reference in New Issue View Git Blame Copy Permalink