docs(changelog,roadmap): refresh state 2026-05-08

- CHANGELOG [Unreleased]: v0.7 spike progress (~13 CI fixes:
  Forgejo runner v6.4.0 userns-remap, veilor-build:43 image,
  cosign v2.4.1 + keypair signing, GHCR PAT, secureblue base
  ghcr.io/secureblue/kinoite-main-hardened, BlueBuild module
  pivots files->copy + script/systemd->containerfile RUN,
  build timeout 60->360min, runs-on: nullstone, livemedia ->
  bootc-image-builder pivot)
- CHANGELOG: add [0.5.0] entry — final kickstart-path release,
  tagged 2026-05-06; document v0.5.x grind delta from v0.2.5
- CHANGELOG: record 2026-05-08 Headscale 172.20.0.0/24 ACL
  fix + GH-remote removal across worktrees (traceability)
- ROADMAP: status snapshot table at top — v0.5.0 DONE,
  v0.7 IN FLIGHT (blocked on green CI), installer-iso tooling
  DONE, USB install-log TODO, v1.0 ship criteria carried over
- ROADMAP: rename v0.5.32 section -> v0.5.0 final release;
  carry-overs (real-hw test, gum input glitch) move to v0.7
- ROADMAP: v0.7 status block (CI plumbing, first-green
  blocker, base image lock, build host, timeout)
- ROADMAP: USB install-log toggle renamed
  inst.veilor.savelogs=0|1 -> veilor.install_logs=on|off;
  marked TODO (concurrent agent thread)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
s8n-ru 2026-05-08 00:49:36 +01:00
parent fa4db50680
commit 865c9507af
2 changed files with 196 additions and 32 deletions


@ -11,19 +11,75 @@ future maintainers can see why a change exists, not just what it changes.
## [Unreleased] ## [Unreleased]
### v0.7 BlueBuild OCI spike (active) ### v0.7 BlueBuild OCI spike (active`v0.7-bluebuild-spike`)
- Promote `v0.7-bluebuild-spike` to active mainline; v0.6 cancelled. CI plumbing landed (~13 fixes) to unblock the first green BlueBuild
- Port `build-bluebuild.yml` to the Forgejo runner (`runs-on: nullstone`): run on the self-hosted Forgejo runner. **Build still red** as of
install BlueBuild CLI in-job, push to `git.s8n.ru/veilor-org/veilor-os`, 2026-05-08; OCI artifact + installer ISO pending green run.
gate cosign keyless / SBOM / attest steps to GitHub-only.
- Atomic CLI tools: `veilor-update` rewritten on `bootc upgrade`,
new `veilor-postinstall` first-login TUI, `veilor-doctor` learns
`bootc status --json` while keeping the legacy dnf path.
- Docs: `docs/INSTALL-V07.md`, `docs/STRATEGY.md` PIVOT EXECUTION
section, README quick-install rewritten for v0.7.
### Planned #### Forgejo runner + build-image plumbing
- Forgejo runner upgraded to **v6.4.0** with `userns-remap=default`.
Buildah needs `--userns=host` to undo the remap inside the job; added
to every `bluebuild build` invocation.
- Custom build image **`veilor-build:43`** (fedora:43 + nodejs +
buildah deps). Replaces the upstream BlueBuild image, which lacked
Forgejo-runner-friendly tooling.
- Workflow now **`runs-on: nullstone`** (single self-hosted runner,
no nested docker).
- Build timeout bumped **60 min → 360 min** to absorb first-time
secureblue base pulls on a cold runner.
#### Signing + registry auth
- **cosign v2.4.1** installed from upstream binary (no Fedora RPM yet
for v2.4.x).
- **GHCR PAT login** added so the BlueBuild step can pull
`ghcr.io/secureblue/kinoite-main-hardened` (rate-limited anonymous).
- **cosign keypair signing** — keyless OIDC fails on Forgejo (no
Sigstore Fulcio integration), so we ship a static keypair under
the repo and sign with `cosign sign --key`. Public key checked in
for verification.
#### BlueBuild recipe pivots
- Base image switched to **`ghcr.io/secureblue/kinoite-main-hardened`**
(the actual published image). Prior reference to
`securecore-kinoite-hardened-userns` was a planning-phase guess and
did not exist.
- Module type pivots driven by buildah-privileged + bind-mounted helper
scripts hitting chmod-permitted blockers:
- `type: files`**`type: copy`** (files module's chmod step
failed under bind-mount).
- `type: script` + `type: systemd`**`type: containerfile` RUN**
(single layer, no helper-script bind-mount).
#### Installer ISO — pivoted
- **livemedia-creator → bootc-image-builder.** livemedia-creator does
not support the `ostreecontainer` install method (only
`ostreesetup`/`url`/`nfs`), so the v0.7 path required the swap.
Build pending OCI artifact.
#### Docs
- This CHANGELOG entry.
- ROADMAP refresh — v0.5.0 marked done, v0.7 OCI marked in-flight,
installer-iso pivot recorded, USB install-log persistence default-on
promise documented, v1.0 ship criteria carried over.
### Infra (out-of-tree, recorded for traceability)
- **2026-05-08** — Headscale OIDC 403 fixed by adding
`172.20.0.0/24` (docker proxy bridge gateway) to the
`no-guest@file` Traefik middleware allowlist on nullstone.
Unblocks `tag:guest` provisioning for veilor-os clients.
- **All GitHub remotes removed** from veilor-os local clones, six
worktrees, and sibling projects (auth-limbo, minecraft-launcher,
minecraft-server, infra). GH push-mirrors disabled. Forgejo-only
since 2026-05-05.
### Planned (deferred / parking)
- v0.3 polish — Plymouth black theme, SDDM theme, Konsole profile, - v0.3 polish — Plymouth black theme, SDDM theme, Konsole profile,
wallpaper SVG. Re-enable `init_on_alloc=1 init_on_free=1` post-install wallpaper SVG. Re-enable `init_on_alloc=1 init_on_free=1` post-install
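Review bot: the "Signing + registry auth" bullets describe the cosign setup as "a static keypair under the repo" with the public key checked in; that sentence should state outright that only the public key is committed and that the private key and its passphrase reach the job solely as runner secrets, because a private key in the tree would make the checked-in public key meaningless for verification. The same block should also say how consumers verify the OCI image (`cosign verify --key <public key> <image>`) and what the rotation plan is. Separately, the `--userns=host` added to every `bluebuild build` invocation reverts the runner's `userns-remap=default` for that buildah process; the entry should record that this is an accepted trade on a single-tenant runner rather than present it only as a CI fix.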
@ -34,6 +90,65 @@ future maintainers can see why a change exists, not just what it changes.
--- ---
## [0.5.0] — 2026-05-06
**Tag:** `v0.5.0`**final kickstart-path release**.
The hardened-Fedora-43 kickstart line ships. Future work moves to
the v0.7 BlueBuild OCI spike; the kickstart retires at v1.0.
### Added
- First green Forgejo-CI ISO build (~2.7 GB live ISO, EFI + BIOS
bootable). Released as `ci-latest` artifact at
`git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest`.
- **gum TUI installer** wrapping Anaconda — single LUKS prompt,
locale locked to `en_US.UTF-8`, admin-password first-boot flow.
- **LUKS2 argon2id + btrfs subvols** install via Anaconda, written
through `/etc/kernel/cmdline` so BLS entries carry the cmdline
veilor needs.
- **3-mode `veilor-power` CLI** (`save | mid | perf`) with AC/battery
udev auto-switching, lifted into the overlay.
- **KDE black theme** + Fira Code system font, branded
`/etc/os-release`, GRUB rebrand, plymouth detail-text boot.
- Hardening: SELinux enforcing, USBGuard default-block, fail2ban +
auditd, firewalld drop zone, NTS chrony, DNS-over-TLS, locked
root.
- Self-hosted **Forgejo CI** on nullstone replaces the GitHub
Actions build pipeline.
### Fixed (delta from v0.2.5 → v0.5.0 — 35+ failure classes)
The full v0.5.x grind is documented per-release in commit messages
(v0.5.21v0.5.32). Headline fixes:
- **`--location=none` skipped `CollectKernelArgumentsTask`.** Anaconda
shipped BLS entries with empty cmdline. Fix: write
`/etc/kernel/cmdline` directly + `/etc/default/grub` + grubby +
explicit `kernel-install add`. (v0.5.31)
- **`transaction_progress.py` install scroll** masked real failures
when patched too broadly. Narrowed the patch to only suppress
`Configuring xxx.x86_64`. (v0.5.28 → v0.5.29)
- **Locale dialog raced anaconda startup.** Lock to en_US.UTF-8,
defer locale choice to `veilor-postinstall` (v0.7 scope). (v0.5.28)
- **`fbcon=nodefer`** + GRUB rebrand + ASCII gum cursor make the
install flow legible on linux fbcon. (v0.5.27)
- **`rd.luks.uuid`** injected via `grubby --update-kernel=ALL` in
chroot `%post` — earlier releases relied on Anaconda which silently
dropped it. (v0.5.23, v0.5.27)
- **9-agent research wave** identified the v0.5.32 blocker map; 7
blockers shipped in one bundle.
### Notes
- Treat v0.5.0 as the **portfolio anchor** for the kickstart path.
v0.5.32-rc was the last test-run; v0.5.0 was tagged on
2026-05-06 as the freeze point.
- v0.6 was **cancelled** the same day (folded into v0.7). See
`docs/ROADMAP.md` strategy-pivot section.
---
## [0.2.5] — 2026-05-01 ## [0.2.5] — 2026-05-01
**Commit:** `8515bdb` **Commit:** `8515bdb`
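Review bot: the "Added" list under [0.5.0] points the release at the `ci-latest` artifact, but `ci-latest` is a moving tag that the next green Forgejo run will overwrite, so this entry will stop describing the v0.5.0 ISO as soon as v0.7 goes green. Record the commit the tagged ISO was built from and its SHA-256 (or attach it as a dedicated `v0.5.0` release asset) so the "portfolio anchor" in the Notes section remains reproducible and checkable after the fact.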


@ -9,6 +9,22 @@ For the historical record of what landed in each release, see
--- ---
## Status snapshot — 2026-05-08
| Milestone | State | Notes |
|-----------|-------|-------|
| v0.2.x — green ISO + base hardening | DONE | shipped 2026-05-01 (`v0.2.5`) |
| v0.3 — UX polish (Plymouth/SDDM/Konsole) | parked | rolls into v0.7 overlay |
| v0.4 — distribution + signing | not started | cosign keypair already in v0.7 CI |
| v0.5 — hardening tier 2 | DONE (kickstart line) | tagged `v0.5.0` 2026-05-06 — final kickstart-path release |
| v0.6 — ergonomics | CANCELLED 2026-05-06 | folded into v0.7 |
| v0.7 — BlueBuild OCI mainline | IN FLIGHT — blocked on green CI run | ~13 CI plumbing fixes landed; OCI artifact + installer ISO pending first green build |
| v0.7 — installer-ISO tooling pivot | DONE (tooling) | livemedia-creator → bootc-image-builder; build pending OCI |
| v0.7 — USB install-log persistence | TODO | default ON until v1.0; see "Installer logs" item below |
| v1.0 — production | not started | multi-arch, LTS, recovery ISO, TPM2 |
---
## ⚡ STRATEGY PIVOT — 2026-05-06 ## ⚡ STRATEGY PIVOT — 2026-05-06
**Decision: skip v0.6 kickstart polish. Pivot directly to v0.7 **Decision: skip v0.6 kickstart polish. Pivot directly to v0.7
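Review bot: in the status snapshot the v0.4 row ("distribution + signing") is "not started" while the v0.5 row reports the kickstart ISO as shipped and tagged, which together mean the v0.5.0 ISO went out without a signature or published checksum; the v0.5 Notes cell should say so rather than leaving readers to infer it from the v0.4 row. The v0.4 Notes cell also says the cosign keypair is "already in v0.7 CI"; if that is meant to cover v0.4 for the OCI line, the row should list what remains (ISO signing, public-key distribution) instead of "not started".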
@ -27,10 +43,12 @@ Reasons:
`veilor-update`) translate cleanly to v0.7: `bootc upgrade` replaces `veilor-update`) translate cleanly to v0.7: `bootc upgrade` replaces
`dnf upgrade`. Move them into v0.7 scope. `dnf upgrade`. Move them into v0.7 scope.
**v0.5.0 is the final kickstart-path release.** Tag, freeze, ship as **v0.5.0 is the final kickstart-path release.** Tagged on 2026-05-06,
proof-of-work / portfolio anchor. **v0.6 cancelled as a milestone.** shipped as proof-of-work / portfolio anchor. **v0.6 cancelled as a
milestone.**
Active focus: `v0.7-bluebuild-spike` branch. Active focus: `v0.7-bluebuild-spike` branch — first green CI run is
the gating blocker for everything downstream.
--- ---
@ -100,20 +118,31 @@ failures before greening.
(`/etc/kernel/cmdline` + `/etc/default/grub` + grubby) plus explicit (`/etc/kernel/cmdline` + `/etc/default/grub` + grubby) plus explicit
`kernel-install add`. `kernel-install add`.
## v0.5.32 — next ship (active) ## v0.5.0 — final kickstart release (DONE 2026-05-06)
Outstanding from the grind, immediate priority for the next tag: Tagged `v0.5.0` on 2026-05-06 as the final kickstart-path release.
The v0.5.27→v0.5.31 install grind closed out via v0.5.32-rc, and the
9-agent verification wave bundle landed before the freeze.
- **End-to-end VM green run** — v0.5.31 lands the kernel-cmdline fix Shipped:
but no full hybrid-VM pass has signed it off. Run the procedure in - ~2.7 GB live ISO via Forgejo CI on nullstone (EFI + BIOS bootable)
`test/TESTING.md` to install + reboot + login, file the report in - `ci-latest` artifact at
`test/test-runs/`, then tag. `git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest`
- **Real-hardware run on the spare laptop** — VM is necessary not - gum TUI installer wrapping Anaconda; LUKS2 argon2id + btrfs
sufficient. Friend's laptop is mate's-test, spare is ours. KMS, - Full hardening overlay: SELinux enforcing, USBGuard default-block,
fbcon, USB controller, real-firmware Secure Boot only show up here. fail2ban + auditd, firewalld drop, NTS chrony, DoT
- 3-mode `veilor-power`, KDE black theme, Fira Code, branded
os-release / GRUB / plymouth
Carry-overs into v0.7 (NOT shipped in v0.5.0):
- **Real-hardware run on the spare laptop** — VM-only signoff. KMS,
fbcon, USB controller, real-firmware Secure Boot still need
validation on the spare or the friend's laptop.
- **gum input render glitch** — duplicate "Install", stray T in - **gum input render glitch** — duplicate "Install", stray T in
password fields on linux fbcon. Replace `gum input --password` with password fields on linux fbcon. Replace `gum input --password` with
bash `read -srp`; cosmetic only but visible on every install. bash `read -srp`; cosmetic only but visible on every install.
Carries to v0.7 installer ISO, which inherits the gum TUI.
--- ---
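Review bot: the rewritten v0.5.0 section drops the old "End-to-end VM green run" item (run `test/TESTING.md` to install, reboot and log in, file the report in `test/test-runs/`, then tag) and replaces it with "VM-only signoff" under the carry-overs, but never states whether that full pass was actually run and recorded before the 2026-05-06 tag. Add the test-run path, or say plainly that the tag was cut without it, so "DONE" is backed by evidence rather than by the freeze date.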
@ -244,12 +273,32 @@ distro from a kickstart.
--- ---
## v0.7 — BlueBuild OCI mainline (ACTIVE — primary focus 2026-05-06+) ## v0.7 — BlueBuild OCI mainline (IN FLIGHT — blocked on green CI run, 2026-05-08)
This was originally planned as "public flex + bootc spike". Post-pivot, This was originally planned as "public flex + bootc spike". Post-pivot,
v0.7 is now the **primary active milestone** — it absorbs all v0.6 v0.7 is now the **primary active milestone** — it absorbs all v0.6
ergonomic work and becomes the next ship target. ergonomic work and becomes the next ship target.
### Status as of 2026-05-08
- **CI plumbing:** ~13 fixes landed on `v0.7-bluebuild-spike` to make
the BlueBuild build run on the self-hosted Forgejo runner. See
`CHANGELOG.md` `[Unreleased]` for the full breakdown.
- **First green build:** **NOT YET.** Blocking everything downstream
(OCI artifact publish, installer ISO build, real-hardware install
test, public flex items).
- **Installer ISO tooling pivot:** **DONE** — livemedia-creator does
not support `ostreecontainer`; switched to `bootc-image-builder`.
Build itself is pending the first green OCI artifact.
- **Build host:** workflow runs on `nullstone` (single self-hosted
Forgejo runner v6.4.0, `userns-remap=default`, buildah needs
`--userns=host`).
- **Base image:** `ghcr.io/secureblue/kinoite-main-hardened` (locked
2026-05-08; corrected from earlier draft naming).
- **Signing:** cosign keypair (keyless OIDC fails on Forgejo — no
Sigstore Fulcio).
- **Build timeout:** 60 min → 360 min (cold-runner first pulls).
Scope: Scope:
- BlueBuild recipe (`bluebuild/recipe.yml`) layering on - BlueBuild recipe (`bluebuild/recipe.yml`) layering on
`ghcr.io/secureblue/kinoite-main-hardened` `ghcr.io/secureblue/kinoite-main-hardened`
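Review bot: the "Base image" line in the status block says `ghcr.io/secureblue/kinoite-main-hardened` is "locked 2026-05-08", but the lock is by name only; the tag is mutable and the build pulls it over an authenticated GHCR session, so a pinned digest (`image@sha256:...`) in `bluebuild/recipe.yml`, bumped deliberately, is what makes the v0.7 OCI artifact reproducible and auditable. The block should also state whether the secureblue base image's own signature is verified before layering on it, since the "Signing" line covers only the output image.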
@ -264,14 +313,14 @@ Scope:
- `veilor-update` rewritten on `bootc upgrade` (was `dnf upgrade`) - `veilor-update` rewritten on `bootc upgrade` (was `dnf upgrade`)
- Forgejo registry as primary OCI publish target; GHCR mirror optional - Forgejo registry as primary OCI publish target; GHCR mirror optional
- cosign key-pair signing of OCI image (replaces broken keyless flow) - cosign key-pair signing of OCI image (replaces broken keyless flow)
- **Installer logs persisted to USB stick by default** (debug mode): - **Installer logs persisted to USB stick by default** (debug mode
the bootstrap ISO writes `/var/log/anaconda/*` + the resolved TODO, in-flight in a separate agent thread): the bootstrap ISO
kickstart + ostreecontainer pull log + dmesg back onto the USB writes `/var/log/anaconda/*` + the resolved kickstart +
install medium (mounted rw at `/run/install/repo` during install) ostreecontainer pull log + dmesg back onto the USB install medium
into a `veilor-install-logs/<timestamp>/` folder. Toggleable via (mounted rw at `/run/install/repo` during install) into a
kernel cmdline `inst.veilor.savelogs=0` for opt-out, or `veilor-install-logs/<timestamp>/` folder. Toggleable via kernel
`inst.veilor.savelogs=1` (default). Stays **ON by default through cmdline `veilor.install_logs=on|off`; **default ON through v0.7,
v0.7+v0.8+v0.9; flips OFF for v1.0 final release**. Why: any failed v0.8, v0.9; flips OFF for v1.0 final release**. Why: any failed
install, the operator boots back to a working OS, plugs the USB, install, the operator boots back to a working OS, plugs the USB,
reads the logs offline — no need to take screenshots of dracut on a reads the logs offline — no need to take screenshots of dracut on a
bricked machine. Implementation: `%post --nochroot` block in bricked machine. Implementation: `%post --nochroot` block in
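Review bot: the installer-logs item writes `/var/log/anaconda/*` and "the resolved kickstart" to the unencrypted USB medium by default through v0.9, yet the v0.5.0 installer collects a LUKS passphrase and an admin password; if the resolved kickstart or Anaconda's logs carry those values (a `--passphrase` or `rootpw` line, or an echoed prompt), a failed install leaves them on the stick in plain text. The item should say that secrets are redacted before the copy, or that the kickstart is written without them, and the `veilor.install_logs=off` opt-out should be called out in the install docs, since default ON is a deliberate exposure choice that the operator needs to know about.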