From 865c9507af98e415853c49bb983ab9589ada184e Mon Sep 17 00:00:00 2001 From: s8n-ru <279801990+s8n-ru@users.noreply.github.com> Date: Fri, 8 May 2026 00:49:36 +0100 Subject: [PATCH] docs(changelog,roadmap): refresh state 2026-05-08 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - CHANGELOG [Unreleased]: v0.7 spike progress (~13 CI fixes: Forgejo runner v6.4.0 userns-remap, veilor-build:43 image, cosign v2.4.1 + keypair signing, GHCR PAT, secureblue base ghcr.io/secureblue/kinoite-main-hardened, BlueBuild module pivots files->copy + script/systemd->containerfile RUN, build timeout 60->360min, runs-on: nullstone, livemedia -> bootc-image-builder pivot) - CHANGELOG: add [0.5.0] entry — final kickstart-path release, tagged 2026-05-06; document v0.5.x grind delta from v0.2.5 - CHANGELOG: record 2026-05-08 Headscale 172.20.0.0/24 ACL fix + GH-remote removal across worktrees (traceability) - ROADMAP: status snapshot table at top — v0.5.0 DONE, v0.7 IN FLIGHT (blocked on green CI), installer-iso tooling DONE, USB install-log TODO, v1.0 ship criteria carried over - ROADMAP: rename v0.5.32 section -> v0.5.0 final release; carry-overs (real-hw test, gum input glitch) move to v0.7 - ROADMAP: v0.7 status block (CI plumbing, first-green blocker, base image lock, build host, timeout) - ROADMAP: USB install-log toggle renamed inst.veilor.savelogs=0|1 -> veilor.install_logs=on|off; marked TODO (concurrent agent thread) Co-Authored-By: Claude Opus 4.7 --- CHANGELOG.md | 137 ++++++++++++++++++++++++++++++++++++++++++++---- docs/ROADMAP.md | 91 ++++++++++++++++++++++++-------- 2 files changed, 196 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebfade6..f610f05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,19 +11,75 @@ future maintainers can see why a change exists, not just what it changes. ## [Unreleased] -### v0.7 BlueBuild OCI spike (active) +### v0.7 BlueBuild OCI spike (active — `v0.7-bluebuild-spike`) -- Promote `v0.7-bluebuild-spike` to active mainline; v0.6 cancelled. -- Port `build-bluebuild.yml` to the Forgejo runner (`runs-on: nullstone`): - install BlueBuild CLI in-job, push to `git.s8n.ru/veilor-org/veilor-os`, - gate cosign keyless / SBOM / attest steps to GitHub-only. -- Atomic CLI tools: `veilor-update` rewritten on `bootc upgrade`, - new `veilor-postinstall` first-login TUI, `veilor-doctor` learns - `bootc status --json` while keeping the legacy dnf path. -- Docs: `docs/INSTALL-V07.md`, `docs/STRATEGY.md` PIVOT EXECUTION - section, README quick-install rewritten for v0.7. +CI plumbing landed (~13 fixes) to unblock the first green BlueBuild +run on the self-hosted Forgejo runner. **Build still red** as of +2026-05-08; OCI artifact + installer ISO pending green run. -### Planned +#### Forgejo runner + build-image plumbing + +- Forgejo runner upgraded to **v6.4.0** with `userns-remap=default`. + Buildah needs `--userns=host` to undo the remap inside the job; added + to every `bluebuild build` invocation. +- Custom build image **`veilor-build:43`** (fedora:43 + nodejs + + buildah deps). Replaces the upstream BlueBuild image, which lacked + Forgejo-runner-friendly tooling. +- Workflow now **`runs-on: nullstone`** (single self-hosted runner, + no nested docker). +- Build timeout bumped **60 min → 360 min** to absorb first-time + secureblue base pulls on a cold runner. + +#### Signing + registry auth + +- **cosign v2.4.1** installed from upstream binary (no Fedora RPM yet + for v2.4.x). +- **GHCR PAT login** added so the BlueBuild step can pull + `ghcr.io/secureblue/kinoite-main-hardened` (rate-limited anonymous). 
+- **cosign keypair signing** — keyless OIDC fails on Forgejo (no + Sigstore Fulcio integration), so we ship a static keypair under + the repo and sign with `cosign sign --key`. Public key checked in + for verification. + +#### BlueBuild recipe pivots + +- Base image switched to **`ghcr.io/secureblue/kinoite-main-hardened`** + (the actual published image). Prior reference to + `securecore-kinoite-hardened-userns` was a planning-phase guess and + did not exist. +- Module type pivots driven by buildah-privileged + bind-mounted helper + scripts hitting chmod-permitted blockers: + - `type: files` → **`type: copy`** (files module's chmod step + failed under bind-mount). + - `type: script` + `type: systemd` → **`type: containerfile` RUN** + (single layer, no helper-script bind-mount). + +#### Installer ISO — pivoted + +- **livemedia-creator → bootc-image-builder.** livemedia-creator does + not support the `ostreecontainer` install method (only + `ostreesetup`/`url`/`nfs`), so the v0.7 path required the swap. + Build pending OCI artifact. + +#### Docs + +- This CHANGELOG entry. +- ROADMAP refresh — v0.5.0 marked done, v0.7 OCI marked in-flight, + installer-iso pivot recorded, USB install-log persistence default-on + promise documented, v1.0 ship criteria carried over. + +### Infra (out-of-tree, recorded for traceability) + +- **2026-05-08** — Headscale OIDC 403 fixed by adding + `172.20.0.0/24` (docker proxy bridge gateway) to the + `no-guest@file` Traefik middleware allowlist on nullstone. + Unblocks `tag:guest` provisioning for veilor-os clients. +- **All GitHub remotes removed** from veilor-os local clones, six + worktrees, and sibling projects (auth-limbo, minecraft-launcher, + minecraft-server, infra). GH push-mirrors disabled. Forgejo-only + since 2026-05-05. + +### Planned (deferred / parking) - v0.3 polish — Plymouth black theme, SDDM theme, Konsole profile, wallpaper SVG. Re-enable `init_on_alloc=1 init_on_free=1` post-install 
@@ -34,6 +90,65 @@ future maintainers can see why a change exists, not just what it changes. --- +## [0.5.0] — 2026-05-06 + +**Tag:** `v0.5.0` — **final kickstart-path release**. + +The hardened-Fedora-43 kickstart line ships. Future work moves to +the v0.7 BlueBuild OCI spike; the kickstart retires at v1.0. + +### Added + +- First green Forgejo-CI ISO build (~2.7 GB live ISO, EFI + BIOS + bootable). Released as `ci-latest` artifact at + `git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest`. +- **gum TUI installer** wrapping Anaconda — single LUKS prompt, + locale locked to `en_US.UTF-8`, admin-password first-boot flow. +- **LUKS2 argon2id + btrfs subvols** install via Anaconda, written + through `/etc/kernel/cmdline` so BLS entries carry the cmdline + veilor needs. +- **3-mode `veilor-power` CLI** (`save | mid | perf`) with AC/battery + udev auto-switching, lifted into the overlay. +- **KDE black theme** + Fira Code system font, branded + `/etc/os-release`, GRUB rebrand, plymouth detail-text boot. +- Hardening: SELinux enforcing, USBGuard default-block, fail2ban + + auditd, firewalld drop zone, NTS chrony, DNS-over-TLS, locked + root. +- Self-hosted **Forgejo CI** on nullstone replaces the GitHub + Actions build pipeline. + +### Fixed (delta from v0.2.5 → v0.5.0 — 35+ failure classes) + +The full v0.5.x grind is documented per-release in commit messages +(v0.5.21–v0.5.32). Headline fixes: + +- **`--location=none` skipped `CollectKernelArgumentsTask`.** Anaconda + shipped BLS entries with empty cmdline. Fix: write + `/etc/kernel/cmdline` directly + `/etc/default/grub` + grubby + + explicit `kernel-install add`. (v0.5.31) +- **`transaction_progress.py` install scroll** masked real failures + when patched too broadly. Narrowed the patch to only suppress + `Configuring xxx.x86_64`. (v0.5.28 → v0.5.29) +- **Locale dialog raced anaconda startup.** Lock to en_US.UTF-8, + defer locale choice to `veilor-postinstall` (v0.7 scope). 
(v0.5.28) +- **`fbcon=nodefer`** + GRUB rebrand + ASCII gum cursor make the + install flow legible on linux fbcon. (v0.5.27) +- **`rd.luks.uuid`** injected via `grubby --update-kernel=ALL` in + chroot `%post` — earlier releases relied on Anaconda which silently + dropped it. (v0.5.23, v0.5.27) +- **9-agent research wave** identified the v0.5.32 blocker map; 7 + blockers shipped in one bundle. + +### Notes + +- Treat v0.5.0 as the **portfolio anchor** for the kickstart path. + v0.5.32-rc was the last test-run; v0.5.0 was tagged on + 2026-05-06 as the freeze point. +- v0.6 was **cancelled** the same day (folded into v0.7). See + `docs/ROADMAP.md` strategy-pivot section. + +--- + ## [0.2.5] — 2026-05-01 **Commit:** `8515bdb` diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md index d781d5a..80e8a84 100644 --- a/docs/ROADMAP.md +++ b/docs/ROADMAP.md 
@@ -9,6 +9,22 @@ For the historical record of what landed in each release, see --- +## Status snapshot — 2026-05-08 + +| Milestone | State | Notes | +|-----------|-------|-------| +| v0.2.x — green ISO + base hardening | DONE | shipped 2026-05-01 (`v0.2.5`) | +| v0.3 — UX polish (Plymouth/SDDM/Konsole) | parked | rolls into v0.7 overlay | +| v0.4 — distribution + signing | not started | cosign keypair already in v0.7 CI | +| v0.5 — hardening tier 2 | DONE (kickstart line) | tagged `v0.5.0` 2026-05-06 — final kickstart-path release | +| v0.6 — ergonomics | CANCELLED 2026-05-06 | folded into v0.7 | +| v0.7 — BlueBuild OCI mainline | IN FLIGHT — blocked on green CI run | ~13 CI plumbing fixes landed; OCI artifact + installer ISO pending first green build | +| v0.7 — installer-ISO tooling pivot | DONE (tooling) | livemedia-creator → bootc-image-builder; build pending OCI | +| v0.7 — USB install-log persistence | TODO | default ON until v1.0; see "Installer logs" item below | +| v1.0 — production | not started | multi-arch, LTS, recovery ISO, TPM2 | + +--- + ## ⚡ STRATEGY PIVOT — 2026-05-06 **Decision: skip v0.6 kickstart polish. Pivot directly to v0.7 @@ -27,10 +43,12 @@ Reasons: `veilor-update`) translate cleanly to v0.7: `bootc upgrade` replaces `dnf upgrade`. Move them into v0.7 scope. -**v0.5.0 is the final kickstart-path release.** Tag, freeze, ship as -proof-of-work / portfolio anchor. **v0.6 cancelled as a milestone.** +**v0.5.0 is the final kickstart-path release.** Tagged on 2026-05-06, +shipped as proof-of-work / portfolio anchor. **v0.6 cancelled as a +milestone.** -Active focus: `v0.7-bluebuild-spike` branch. +Active focus: `v0.7-bluebuild-spike` branch — first green CI run is +the gating blocker for everything downstream. --- 
@@ -100,20 +118,31 @@ failures before greening. (`/etc/kernel/cmdline` + `/etc/default/grub` + grubby) plus explicit `kernel-install add`. -## v0.5.32 — next ship (active) +## v0.5.0 — final kickstart release (DONE 2026-05-06) -Outstanding from the grind, immediate priority for the next tag: +Tagged `v0.5.0` on 2026-05-06 as the final kickstart-path release. +The v0.5.27→v0.5.31 install grind closed out via v0.5.32-rc, and the +9-agent verification wave bundle landed before the freeze. -- **End-to-end VM green run** — v0.5.31 lands the kernel-cmdline fix - but no full hybrid-VM pass has signed it off. Run the procedure in - `test/TESTING.md` to install + reboot + login, file the report in - `test/test-runs/`, then tag. -- **Real-hardware run on the spare laptop** — VM is necessary not - sufficient. Friend's laptop is mate's-test, spare is ours. KMS, - fbcon, USB controller, real-firmware Secure Boot only show up here. +Shipped: +- ~2.7 GB live ISO via Forgejo CI on nullstone (EFI + BIOS bootable) +- `ci-latest` artifact at + `git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest` +- gum TUI installer wrapping Anaconda; LUKS2 argon2id + btrfs +- Full hardening overlay: SELinux enforcing, USBGuard default-block, + fail2ban + auditd, firewalld drop, NTS chrony, DoT +- 3-mode `veilor-power`, KDE black theme, Fira Code, branded + os-release / GRUB / plymouth + +Carry-overs into v0.7 (NOT shipped in v0.5.0): + +- **Real-hardware run on the spare laptop** — VM-only signoff. KMS, + fbcon, USB controller, real-firmware Secure Boot still need + validation on the spare or the friend's laptop. - **gum input render glitch** — duplicate "Install", stray T in password fields on linux fbcon. Replace `gum input --password` with bash `read -srp`; cosmetic only but visible on every install. + Carries to v0.7 installer ISO, which inherits the gum TUI. --- 
@@ -244,12 +273,32 @@ distro from a kickstart. --- -## v0.7 — BlueBuild OCI mainline (ACTIVE — primary focus 2026-05-06+) +## v0.7 — BlueBuild OCI mainline (IN FLIGHT — blocked on green CI run, 2026-05-08) This was originally planned as "public flex + bootc spike". Post-pivot, v0.7 is now the **primary active milestone** — it absorbs all v0.6 ergonomic work and becomes the next ship target. +### Status as of 2026-05-08 + +- **CI plumbing:** ~13 fixes landed on `v0.7-bluebuild-spike` to make + the BlueBuild build run on the self-hosted Forgejo runner. See + `CHANGELOG.md` `[Unreleased]` for the full breakdown. +- **First green build:** **NOT YET.** Blocking everything downstream + (OCI artifact publish, installer ISO build, real-hardware install + test, public flex items). +- **Installer ISO tooling pivot:** **DONE** — livemedia-creator does + not support `ostreecontainer`; switched to `bootc-image-builder`. + Build itself is pending the first green OCI artifact. +- **Build host:** workflow runs on `nullstone` (single self-hosted + Forgejo runner v6.4.0, `userns-remap=default`, buildah needs + `--userns=host`). +- **Base image:** `ghcr.io/secureblue/kinoite-main-hardened` (locked + 2026-05-08; corrected from earlier draft naming). +- **Signing:** cosign keypair (keyless OIDC fails on Forgejo — no + Sigstore Fulcio). +- **Build timeout:** 60 min → 360 min (cold-runner first pulls). + Scope: - BlueBuild recipe (`bluebuild/recipe.yml`) layering on `ghcr.io/secureblue/kinoite-main-hardened` 
@@ -264,14 +313,14 @@ Scope: - `veilor-update` rewritten on `bootc upgrade` (was `dnf upgrade`) - Forgejo registry as primary OCI publish target; GHCR mirror optional - cosign key-pair signing of OCI image (replaces broken keyless flow) -- **Installer logs persisted to USB stick by default** (debug mode): - the bootstrap ISO writes `/var/log/anaconda/*` + the resolved - kickstart + ostreecontainer pull log + dmesg back onto the USB - install medium (mounted rw at `/run/install/repo` during install) - into a `veilor-install-logs//` folder. Toggleable via - kernel cmdline `inst.veilor.savelogs=0` for opt-out, or - `inst.veilor.savelogs=1` (default). Stays **ON by default through - v0.7+v0.8+v0.9; flips OFF for v1.0 final release**. Why: any failed +- **Installer logs persisted to USB stick by default** (debug mode — + TODO, in-flight in a separate agent thread): the bootstrap ISO + writes `/var/log/anaconda/*` + the resolved kickstart + + ostreecontainer pull log + dmesg back onto the USB install medium + (mounted rw at `/run/install/repo` during install) into a + `veilor-install-logs//` folder. Toggleable via kernel + cmdline `veilor.install_logs=on|off`; **default ON through v0.7, + v0.8, v0.9; flips OFF for v1.0 final release**. Why: any failed install, the operator boots back to a working OS, plugs the USB, reads the logs offline — no need to take screenshots of dracut on a bricked machine. Implementation: `%post --nochroot` block in
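Review bot: in the `@@ -11,19 +11,75 @@` hunk of CHANGELOG.md, the "cosign keypair signing" bullet ("so we ship a static keypair under the repo and sign with `cosign sign --key`. Public key checked in for verification.") reads as if the private half of the keypair is committed next to the public key; the entry should state explicitly that only the public key is checked in and that the private key and its password are held as Forgejo CI secrets, because a private key in the tree lets anyone with repo write access re-sign arbitrary images. The same bullet should name the command consumers are expected to run (`cosign verify --key <public-key> <image>`) and note that a public key fetched from the repo it is meant to verify is only a trust anchor if it is also published out-of-band or pinned by fingerprint, since a compromised repo can swap key and signature together. Two smaller points in the same hunk: the "GHCR PAT login" bullet should record the token's scope (pulling `ghcr.io/secureblue/kinoite-main-hardened` needs only `read:packages`) so the next maintainer does not mint a broader one, and the Infra bullet about adding `172.20.0.0/24` to the `no-guest@file` Traefik allowlist describes the thing being allowed as "docker proxy bridge gateway", i.e. a single address, yet allowlists the whole bridge subnet; either narrow it to the gateway's /32 or state why every container on that bridge should bypass the middleware. Finally, if `--userns=host` is passed on every `bluebuild build` invocation, the entry should say what the `userns-remap=default` runner setting still protects, otherwise the remap reads as configured and then immediately undone.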
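Review bot: in the `@@ -34,6 +90,65 @@` hunk of CHANGELOG.md, the `[0.5.0]` entry tags a release named `v0.5.0` after a series that ran up to `v0.5.32-rc` ("v0.5.32-rc was the last test-run; v0.5.0 was tagged on 2026-05-06 as the freeze point"), which any semver-aware tooling will sort as older than the rc tags it supersedes; the Notes should say so in one sentence so a reader comparing tags does not conclude `v0.5.0` predates the grind. The entry also lists "EFI + BIOS bootable", "LUKS2 argon2id", "SELinux enforcing" and "locked root" under "Added" without any statement of what was validated, while the ROADMAP hunk in this same patch carries real-hardware, Secure Boot and gum-input issues over to v0.7; a short "Known issues / not validated" block under `[0.5.0]` mirroring those carry-overs would keep the release entry honest on its own, without the reader having to cross-reference `docs/ROADMAP.md`.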
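Review bot: in the `@@ -9,6 +9,22 @@` hunk of docs/ROADMAP.md, the status table's `v0.4 — distribution + signing` row is marked `not started` while its Notes column says "cosign keypair already in v0.7 CI"; those two cells contradict each other, so either mark the row as partially absorbed into v0.7 (signing done, distribution open) or move the signing remark to the v0.7 row, matching the way the v0.6 row already records "folded into v0.7".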
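Review bot: in the `@@ -100,20 +118,31 @@` hunk of docs/ROADMAP.md, the deleted bullet ("End-to-end VM green run — v0.5.31 lands the kernel-cmdline fix but no full hybrid-VM pass has signed it off. Run the procedure in `test/TESTING.md` ..., file the report in `test/test-runs/`, then tag.") was the item requiring a filed test report before tagging, and the replacement text only says "VM-only signoff" without pointing at the report that satisfied it; add the `test/test-runs/` reference (or state that the tag went out without one) so the signoff is traceable. In the same hunk, "~2.7 GB live ISO ... (EFI + BIOS bootable)" sits a few lines above "real-firmware Secure Boot still need validation"; qualify the shipped line as EFI-bootable under VM firmware without Secure Boot enforcement, since as written it implies firmware coverage the carry-over says does not exist.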
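Review bot: in the `@@ -244,12 +273,32 @@` hunk of docs/ROADMAP.md, the status line "Base image: `ghcr.io/secureblue/kinoite-main-hardened` (locked 2026-05-08; corrected from earlier draft naming)" uses "locked" for what is, as written, a mutable tag; record the `@sha256:` digest that was actually built on 2026-05-08 in both the recipe and this block, otherwise the cosign signature the "Signing" line describes attests whatever the upstream tag happened to point at on build day and the lock cannot be reproduced. The "Signing: cosign keypair" line should also say where the private key lives (CI secret, not the tree), and it is worth stating in the "Build host" line that undoing the runner's `userns-remap` with `--userns=host` is acceptable only because nullstone is a single-tenant runner, so the trade-off is recorded where the next person changing the runner will see it.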
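Review bot: in the `@@ -264,14 +313,14 @@` hunk of docs/ROADMAP.md, the installer-log item writes "`/var/log/anaconda/*` + the resolved kickstart + ostreecontainer pull log + dmesg" onto an unencrypted USB stick by default, and says nothing about scrubbing; the resolved kickstart and Anaconda's logs can carry the LUKS passphrase and admin-password material the gum installer collects, so the spec should require that passphrases and password hashes are redacted (or that only Anaconda's own scrubbed copy of the kickstart is saved) before anything hits removable plaintext media, and should say so next to the "default ON through v0.7, v0.8, v0.9" promise, which is the window in which sticks get handed around. The target directory is given as `veilor-install-logs//` with an empty path component in both the old and new text; the template's variable (whatever distinguishes one install's folder from the next) needs to be named. Lastly, the rename to `veilor.install_logs=on|off` should state how an absent or unrecognised value is treated; given the data involved, anything other than an explicit `on` should be read as off.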