veilor-os/build/build-iso.sh

#!/usr/bin/env bash
# veilor-os — ISO builder
# Wraps livemedia-creator inside a podman container for reproducibility.
# Run from repo root.

set -euo pipefail

REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
OUT_DIR="$REPO_ROOT/build/out"
KS="$REPO_ROOT/kickstart/veilor-os.ks"
RELEASEVER="${RELEASEVER:-43}"
DATE="$(date +%Y%m%d)"
ISO_NAME="veilor-os-${RELEASEVER}-${DATE}.iso"

mkdir -p "$OUT_DIR"

# ── Validate kickstart ──
if command -v ksvalidator &>/dev/null; then
    ksvalidator "$KS"
fi

# ── Build container (rootless OK) ──
podman build -t veilor-build:latest "$REPO_ROOT/build"

# ── Build ISO (rootful — losetup + mount need real CAP_SYS_ADMIN) ──
# rootless podman can't create loop devices even with --privileged because the
# host kernel rejects CAP_SYS_ADMIN from a user namespace.
SUDO=""
if [[ $EUID -ne 0 ]]; then
    SUDO="sudo"
    echo "[INFO] Running ISO build under sudo (loop devices require root)"
fi

# Make rootful podman see the rootless-built image
$SUDO podman load -i <(podman save veilor-build:latest) 2>/dev/null || \
    $SUDO podman build -t veilor-build:latest "$REPO_ROOT/build"

$SUDO podman run --rm --privileged \
    --security-opt label=disable \
    -v /dev:/dev \
    -v "$REPO_ROOT:/work" \
    -v "$OUT_DIR:/out" \
    veilor-build:latest -c "
        set -e
        rm -rf /out/build-${DATE} /tmp/lmc
        livemedia-creator \
            --make-iso \
            --no-virt \
            --ks /work/kickstart/veilor-os.ks \
            --resultdir /out/build-${DATE} \
            --project veilor-os \
            --releasever ${RELEASEVER} \
            --volid VEILOR_OS \
            --tmp /tmp/lmc \
            --logfile /out/build-${DATE}.log
        cp /out/build-${DATE}/*.iso /out/${ISO_NAME}
        sha256sum /out/${ISO_NAME} > /out/${ISO_NAME}.sha256
    "

echo
echo "════════════════════════════════════════════════════════"
echo " ISO ready:    $OUT_DIR/$ISO_NAME"
echo " Checksum:     $OUT_DIR/$ISO_NAME.sha256"
echo " Build log:    $OUT_DIR/build-${DATE}.log"
echo "════════════════════════════════════════════════════════"
echo
echo " Write to USB: sudo dd if=$OUT_DIR/$ISO_NAME of=/dev/sdX bs=4M status=progress conv=fsync"
echo "  (replace /dev/sdX with your USB device — use lsblk to identify)"
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`#!/usr/bin/env bash`
			`# veilor-os — ISO builder`
			`# Wraps livemedia-creator inside a podman container for reproducibility.`
			`# Run from repo root.`

			`set -euo pipefail`

			`REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"`
			`OUT_DIR="$REPO_ROOT/build/out"`
			`KS="$REPO_ROOT/kickstart/veilor-os.ks"`
			`RELEASEVER="${RELEASEVER:-43}"`
			`DATE="$(date +%Y%m%d)"`
			`ISO_NAME="veilor-os-${RELEASEVER}-${DATE}.iso"`

			`mkdir -p "$OUT_DIR"`

			`# ── Validate kickstart ──`
			`if command -v ksvalidator &>/dev/null; then`
			`ksvalidator "$KS"`
			`fi`

build: switch ISO run to rootful podman — rootless can't losetup (host CAP_SYS_ADMIN rejection) 2026-04-30 04:16:07 +01:00			`# ── Build container (rootless OK) ──`
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`podman build -t veilor-build:latest "$REPO_ROOT/build"`

build: switch ISO run to rootful podman — rootless can't losetup (host CAP_SYS_ADMIN rejection) 2026-04-30 04:16:07 +01:00			`# ── Build ISO (rootful — losetup + mount need real CAP_SYS_ADMIN) ──`
			`# rootless podman can't create loop devices even with --privileged because the`
			`# host kernel rejects CAP_SYS_ADMIN from a user namespace.`
			`SUDO=""`
			`if [[ $EUID -ne 0 ]]; then`
			`SUDO="sudo"`
			`echo "[INFO] Running ISO build under sudo (loop devices require root)"`
			`fi`

			`# Make rootful podman see the rootless-built image`
			`$SUDO podman load -i <(podman save veilor-build:latest) 2>/dev/null \|\| \`
			`$SUDO podman build -t veilor-build:latest "$REPO_ROOT/build"`

			`$SUDO podman run --rm --privileged \`
build: bind /dev + disable selinux relabel — losetup needs host loop devices 2026-04-30 04:14:28 +01:00			`--security-opt label=disable \`
			`-v /dev:/dev \`
			`-v "$REPO_ROOT:/work" \`
			`-v "$OUT_DIR:/out" \`
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`veilor-build:latest -c "`
			`set -e`
build: rm stale resultdir + tmp before each run (livemedia-creator refuses dirty dest) 2026-04-30 04:08:49 +01:00			`rm -rf /out/build-${DATE} /tmp/lmc`
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`livemedia-creator \`
			`--make-iso \`
			`--no-virt \`
			`--ks /work/kickstart/veilor-os.ks \`
			`--resultdir /out/build-${DATE} \`
			`--project veilor-os \`
			`--releasever ${RELEASEVER} \`
build: replace invalid --title flag with --volid VEILOR_OS 2026-04-30 04:07:18 +01:00			`--volid VEILOR_OS \`
veilor-os v0.1 scaffold — kickstart + hardening + 3-mode power + DuckSans-ready KDE black theme 2026-04-30 03:43:33 +01:00			`--tmp /tmp/lmc \`
			`--logfile /out/build-${DATE}.log`
			`cp /out/build-${DATE}/*.iso /out/${ISO_NAME}`
			`sha256sum /out/${ISO_NAME} > /out/${ISO_NAME}.sha256`
			`"`

			`echo`
			`echo "════════════════════════════════════════════════════════"`
			`echo " ISO ready: $OUT_DIR/$ISO_NAME"`
			`echo " Checksum: $OUT_DIR/$ISO_NAME.sha256"`
			`echo " Build log: $OUT_DIR/build-${DATE}.log"`
			`echo "════════════════════════════════════════════════════════"`
			`echo`
			`echo " Write to USB: sudo dd if=$OUT_DIR/$ISO_NAME of=/dev/sdX bs=4M status=progress conv=fsync"`
			`echo " (replace /dev/sdX with your USB device — use lsblk to identify)"`