docs(changelog,roadmap): refresh state 2026-05-08

- CHANGELOG [Unreleased]: v0.7 spike progress (~13 CI fixes: Forgejo runner v6.4.0 userns-remap, veilor-build:43 image, cosign v2.4.1 + keypair signing, GHCR PAT, secureblue base ghcr.io/secureblue/kinoite-main-hardened, BlueBuild module pivots files->copy + script/systemd->containerfile RUN, build timeout 60->360min, runs-on: nullstone, livemedia -> bootc-image-builder pivot)
- CHANGELOG: add [0.5.0] entry — final kickstart-path release, tagged 2026-05-06; document v0.5.x grind delta from v0.2.5
- CHANGELOG: record 2026-05-08 Headscale 172.20.0.0/24 ACL fix + GH-remote removal across worktrees (traceability)
- ROADMAP: status snapshot table at top — v0.5.0 DONE, v0.7 IN FLIGHT (blocked on green CI), installer-iso tooling DONE, USB install-log TODO, v1.0 ship criteria carried over
- ROADMAP: rename v0.5.32 section -> v0.5.0 final release; carry-overs (real-hw test, gum input glitch) move to v0.7
- ROADMAP: v0.7 status block (CI plumbing, first-green blocker, base image lock, build host, timeout)
- ROADMAP: USB install-log toggle renamed inst.veilor.savelogs=0|1 -> veilor.install_logs=on|off; marked TODO (concurrent agent thread)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent fa4db50680, commit 865c9507af
2 changed files with 196 additions and 32 deletions
137 CHANGELOG.md
@ -11,19 +11,75 @@ future maintainers can see why a change exists, not just what it changes.
## [Unreleased]

### v0.7 BlueBuild OCI spike (active)
### v0.7 BlueBuild OCI spike (active — `v0.7-bluebuild-spike`)

- Promote `v0.7-bluebuild-spike` to active mainline; v0.6 cancelled.
- Port `build-bluebuild.yml` to the Forgejo runner (`runs-on: nullstone`):
install BlueBuild CLI in-job, push to `git.s8n.ru/veilor-org/veilor-os`,
gate cosign keyless / SBOM / attest steps to GitHub-only.
- Atomic CLI tools: `veilor-update` rewritten on `bootc upgrade`,
new `veilor-postinstall` first-login TUI, `veilor-doctor` learns
`bootc status --json` while keeping the legacy dnf path.
- Docs: `docs/INSTALL-V07.md`, `docs/STRATEGY.md` PIVOT EXECUTION
section, README quick-install rewritten for v0.7.
CI plumbing landed (~13 fixes) to unblock the first green BlueBuild
run on the self-hosted Forgejo runner. **Build still red** as of
2026-05-08; OCI artifact + installer ISO pending green run.

### Planned
#### Forgejo runner + build-image plumbing

- Forgejo runner upgraded to **v6.4.0** with `userns-remap=default`.
Buildah needs `--userns=host` to undo the remap inside the job; added
to every `bluebuild build` invocation.
- Custom build image **`veilor-build:43`** (fedora:43 + nodejs +
buildah deps). Replaces the upstream BlueBuild image, which lacked
Forgejo-runner-friendly tooling.
- Workflow now **`runs-on: nullstone`** (single self-hosted runner,
no nested docker).
- Build timeout bumped **60 min → 360 min** to absorb first-time
secureblue base pulls on a cold runner.

#### Signing + registry auth

- **cosign v2.4.1** installed from upstream binary (no Fedora RPM yet
for v2.4.x).
- **GHCR PAT login** added so the BlueBuild step can pull
`ghcr.io/secureblue/kinoite-main-hardened` (rate-limited anonymous).
- **cosign keypair signing** — keyless OIDC fails on Forgejo (no
Sigstore Fulcio integration), so we ship a static keypair under
the repo and sign with `cosign sign --key`. Public key checked in
for verification.

#### BlueBuild recipe pivots

- Base image switched to **`ghcr.io/secureblue/kinoite-main-hardened`**
(the actual published image). Prior reference to
`securecore-kinoite-hardened-userns` was a planning-phase guess and
did not exist.
- Module type pivots driven by buildah-privileged + bind-mounted helper
scripts hitting chmod-permitted blockers:
- `type: files` → **`type: copy`** (files module's chmod step
failed under bind-mount).
- `type: script` + `type: systemd` → **`type: containerfile` RUN**
(single layer, no helper-script bind-mount).

#### Installer ISO — pivoted

- **livemedia-creator → bootc-image-builder.** livemedia-creator does
not support the `ostreecontainer` install method (only
`ostreesetup`/`url`/`nfs`), so the v0.7 path required the swap.
Build pending OCI artifact.

#### Docs

- This CHANGELOG entry.
- ROADMAP refresh — v0.5.0 marked done, v0.7 OCI marked in-flight,
installer-iso pivot recorded, USB install-log persistence default-on
promise documented, v1.0 ship criteria carried over.

### Infra (out-of-tree, recorded for traceability)

- **2026-05-08** — Headscale OIDC 403 fixed by adding
`172.20.0.0/24` (docker proxy bridge gateway) to the
`no-guest@file` Traefik middleware allowlist on nullstone.
Unblocks `tag:guest` provisioning for veilor-os clients.
- **All GitHub remotes removed** from veilor-os local clones, six
worktrees, and sibling projects (auth-limbo, minecraft-launcher,
minecraft-server, infra). GH push-mirrors disabled. Forgejo-only
since 2026-05-05.

### Planned (deferred / parking)

- v0.3 polish — Plymouth black theme, SDDM theme, Konsole profile,
wallpaper SVG. Re-enable `init_on_alloc=1 init_on_free=1` post-install
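Review bot: the cosign keypair bullet ("we ship a static keypair under the repo and sign with `cosign sign --key`. Public key checked in for verification.") needs to say where the private half lives; as written it can be read as both halves being committed, which would make the signature worthless to anyone verifying. Suggest "private key held as a CI secret on the runner; only the public key is committed", and name the command consumers run against the published image (`cosign verify --key <public key>`). Second, the `--userns=host` bullet records the workaround but not its cost: it opts the buildah step out of the user-namespace isolation that `userns-remap=default` was enabled for, so on the single shared runner (`runs-on: nullstone`) the build effectively runs with host uids again. One caveat sentence here stops a future maintainer from counting userns-remap as an active mitigation for CI jobs.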
@ -34,6 +90,65 @@ future maintainers can see why a change exists, not just what it changes.
---

## [0.5.0] — 2026-05-06

**Tag:** `v0.5.0` — **final kickstart-path release**.

The hardened-Fedora-43 kickstart line ships. Future work moves to
the v0.7 BlueBuild OCI spike; the kickstart retires at v1.0.

### Added

- First green Forgejo-CI ISO build (~2.7 GB live ISO, EFI + BIOS
bootable). Released as `ci-latest` artifact at
`git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest`.
- **gum TUI installer** wrapping Anaconda — single LUKS prompt,
locale locked to `en_US.UTF-8`, admin-password first-boot flow.
- **LUKS2 argon2id + btrfs subvols** install via Anaconda, written
through `/etc/kernel/cmdline` so BLS entries carry the cmdline
veilor needs.
- **3-mode `veilor-power` CLI** (`save | mid | perf`) with AC/battery
udev auto-switching, lifted into the overlay.
- **KDE black theme** + Fira Code system font, branded
`/etc/os-release`, GRUB rebrand, plymouth detail-text boot.
- Hardening: SELinux enforcing, USBGuard default-block, fail2ban +
auditd, firewalld drop zone, NTS chrony, DNS-over-TLS, locked
root.
- Self-hosted **Forgejo CI** on nullstone replaces the GitHub
Actions build pipeline.

### Fixed (delta from v0.2.5 → v0.5.0 — 35+ failure classes)

The full v0.5.x grind is documented per-release in commit messages
(v0.5.21–v0.5.32). Headline fixes:

- **`--location=none` skipped `CollectKernelArgumentsTask`.** Anaconda
shipped BLS entries with empty cmdline. Fix: write
`/etc/kernel/cmdline` directly + `/etc/default/grub` + grubby +
explicit `kernel-install add`. (v0.5.31)
- **`transaction_progress.py` install scroll** masked real failures
when patched too broadly. Narrowed the patch to only suppress
`Configuring xxx.x86_64`. (v0.5.28 → v0.5.29)
- **Locale dialog raced anaconda startup.** Lock to en_US.UTF-8,
defer locale choice to `veilor-postinstall` (v0.7 scope). (v0.5.28)
- **`fbcon=nodefer`** + GRUB rebrand + ASCII gum cursor make the
install flow legible on linux fbcon. (v0.5.27)
- **`rd.luks.uuid`** injected via `grubby --update-kernel=ALL` in
chroot `%post` — earlier releases relied on Anaconda which silently
dropped it. (v0.5.23, v0.5.27)
- **9-agent research wave** identified the v0.5.32 blocker map; 7
blockers shipped in one bundle.

### Notes

- Treat v0.5.0 as the **portfolio anchor** for the kickstart path.
v0.5.32-rc was the last test-run; v0.5.0 was tagged on
2026-05-06 as the freeze point.
- v0.6 was **cancelled** the same day (folded into v0.7). See
`docs/ROADMAP.md` strategy-pivot section.

---

## [0.2.5] — 2026-05-01

**Commit:** `8515bdb`
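Review bot: the `[0.5.0]` entry ties a frozen release to a moving artifact. `ci-latest` is overwritten by every green CI build, so the link under "First green Forgejo-CI ISO build" will stop pointing at the v0.5.0 ISO the moment the next build lands; record an immutable reference instead (a `v0.5.0` release page, or the ISO's checksum next to the tag) so the "portfolio anchor" in the Notes is actually reproducible. Relatedly, the numbering reads backwards to anyone outside the thread: `v0.5.21–v0.5.32` and `v0.5.32-rc` precede `v0.5.0` in time, so one sentence stating that the 0.5.x pre-release numbers were collapsed into the `v0.5.0` tag would save readers from assuming a typo.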
@ -9,6 +9,22 @@ For the historical record of what landed in each release, see
---

## Status snapshot — 2026-05-08

| Milestone | State | Notes |
|-----------|-------|-------|
| v0.2.x — green ISO + base hardening | DONE | shipped 2026-05-01 (`v0.2.5`) |
| v0.3 — UX polish (Plymouth/SDDM/Konsole) | parked | rolls into v0.7 overlay |
| v0.4 — distribution + signing | not started | cosign keypair already in v0.7 CI |
| v0.5 — hardening tier 2 | DONE (kickstart line) | tagged `v0.5.0` 2026-05-06 — final kickstart-path release |
| v0.6 — ergonomics | CANCELLED 2026-05-06 | folded into v0.7 |
| v0.7 — BlueBuild OCI mainline | IN FLIGHT — blocked on green CI run | ~13 CI plumbing fixes landed; OCI artifact + installer ISO pending first green build |
| v0.7 — installer-ISO tooling pivot | DONE (tooling) | livemedia-creator → bootc-image-builder; build pending OCI |
| v0.7 — USB install-log persistence | TODO | default ON until v1.0; see "Installer logs" item below |
| v1.0 — production | not started | multi-arch, LTS, recovery ISO, TPM2 |

---

## ⚡ STRATEGY PIVOT — 2026-05-06

**Decision: skip v0.6 kickstart polish. Pivot directly to v0.7
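Review bot: the State column mixes status words with qualifiers (`DONE`, `DONE (kickstart line)`, `DONE (tooling)`, `IN FLIGHT — blocked on green CI run`), which makes the table hard to scan or grep; keep State to a fixed vocabulary (DONE / IN FLIGHT / TODO / parked / CANCELLED / not started) and move the qualifiers into Notes. The v0.4 row also says "not started" while its Notes say "cosign keypair already in v0.7 CI"; signing is half of "distribution + signing", so mark the row partially absorbed by v0.7, the same way the v0.3 and v0.6 rows record their fold-in.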
@ -27,10 +43,12 @@ Reasons:
`veilor-update`) translate cleanly to v0.7: `bootc upgrade` replaces
`dnf upgrade`. Move them into v0.7 scope.

**v0.5.0 is the final kickstart-path release.** Tag, freeze, ship as
proof-of-work / portfolio anchor. **v0.6 cancelled as a milestone.**
**v0.5.0 is the final kickstart-path release.** Tagged on 2026-05-06,
shipped as proof-of-work / portfolio anchor. **v0.6 cancelled as a
milestone.**

Active focus: `v0.7-bluebuild-spike` branch.
Active focus: `v0.7-bluebuild-spike` branch — first green CI run is
the gating blocker for everything downstream.

---
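Review bot: "first green CI run is the gating blocker" does not say which run counts as green. The CHANGELOG hunk in this same commit names the workflow (`build-bluebuild.yml` on `runs-on: nullstone`); name it here too so a reader of ROADMAP alone knows what to watch, and what "green" must include (the OCI push, or the cosign signing step as well).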
@ -100,20 +118,31 @@ failures before greening.
(`/etc/kernel/cmdline` + `/etc/default/grub` + grubby) plus explicit
`kernel-install add`.

## v0.5.32 — next ship (active)
## v0.5.0 — final kickstart release (DONE 2026-05-06)

Outstanding from the grind, immediate priority for the next tag:
Tagged `v0.5.0` on 2026-05-06 as the final kickstart-path release.
The v0.5.27→v0.5.31 install grind closed out via v0.5.32-rc, and the
9-agent verification wave bundle landed before the freeze.

- **End-to-end VM green run** — v0.5.31 lands the kernel-cmdline fix
but no full hybrid-VM pass has signed it off. Run the procedure in
`test/TESTING.md` to install + reboot + login, file the report in
`test/test-runs/`, then tag.
- **Real-hardware run on the spare laptop** — VM is necessary not
sufficient. Friend's laptop is mate's-test, spare is ours. KMS,
fbcon, USB controller, real-firmware Secure Boot only show up here.
Shipped:
- ~2.7 GB live ISO via Forgejo CI on nullstone (EFI + BIOS bootable)
- `ci-latest` artifact at
`git.s8n.ru/veilor-org/veilor-os/releases/tag/ci-latest`
- gum TUI installer wrapping Anaconda; LUKS2 argon2id + btrfs
- Full hardening overlay: SELinux enforcing, USBGuard default-block,
fail2ban + auditd, firewalld drop, NTS chrony, DoT
- 3-mode `veilor-power`, KDE black theme, Fira Code, branded
os-release / GRUB / plymouth

Carry-overs into v0.7 (NOT shipped in v0.5.0):

- **Real-hardware run on the spare laptop** — VM-only signoff. KMS,
fbcon, USB controller, real-firmware Secure Boot still need
validation on the spare or the friend's laptop.
- **gum input render glitch** — duplicate "Install", stray T in
password fields on linux fbcon. Replace `gum input --password` with
bash `read -srp`; cosmetic only but visible on every install.
Carries to v0.7 installer ISO, which inherits the gum TUI.

---
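Review bot: the removed "End-to-end VM green run" bullet required a hybrid-VM pass filed under `test/test-runs/` before tagging; the replacement text says only "VM-only signoff" and points at no report. Add the path (or run identifier) of the VM run that signed off `v0.5.0`, otherwise the carry-over list asserts a signoff the section cannot evidence, and a reader cannot tell whether the `test/TESTING.md` procedure was actually executed or the requirement was simply dropped at the freeze.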
@ -244,12 +273,32 @@ distro from a kickstart.
---

## v0.7 — BlueBuild OCI mainline (ACTIVE — primary focus 2026-05-06+)
## v0.7 — BlueBuild OCI mainline (IN FLIGHT — blocked on green CI run, 2026-05-08)

This was originally planned as "public flex + bootc spike". Post-pivot,
v0.7 is now the **primary active milestone** — it absorbs all v0.6
ergonomic work and becomes the next ship target.

### Status as of 2026-05-08

- **CI plumbing:** ~13 fixes landed on `v0.7-bluebuild-spike` to make
the BlueBuild build run on the self-hosted Forgejo runner. See
`CHANGELOG.md` `[Unreleased]` for the full breakdown.
- **First green build:** **NOT YET.** Blocking everything downstream
(OCI artifact publish, installer ISO build, real-hardware install
test, public flex items).
- **Installer ISO tooling pivot:** **DONE** — livemedia-creator does
not support `ostreecontainer`; switched to `bootc-image-builder`.
Build itself is pending the first green OCI artifact.
- **Build host:** workflow runs on `nullstone` (single self-hosted
Forgejo runner v6.4.0, `userns-remap=default`, buildah needs
`--userns=host`).
- **Base image:** `ghcr.io/secureblue/kinoite-main-hardened` (locked
2026-05-08; corrected from earlier draft naming).
- **Signing:** cosign keypair (keyless OIDC fails on Forgejo — no
Sigstore Fulcio).
- **Build timeout:** 60 min → 360 min (cold-runner first pulls).

Scope:
- BlueBuild recipe (`bluebuild/recipe.yml`) layering on
`ghcr.io/secureblue/kinoite-main-hardened`
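Review bot: the Base image bullet says the image is "locked 2026-05-08", but what is recorded is only the name `ghcr.io/secureblue/kinoite-main-hardened`. A name-plus-tag reference is mutable, so the same `bluebuild/recipe.yml` can build from a different upstream tomorrow and the cosign signature on the output will faithfully attest to whatever happened to be pulled that day. Record the digest (`@sha256:…`) the lock refers to, both in the recipe and in this bullet, and say how it gets bumped. The Signing bullet should also state what a consumer does with the keypair: where the public key is published and which `cosign verify` invocation checks the image, since "cosign keypair" alone gives a reader nothing to act on.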
@ -264,14 +313,14 @@ Scope:
- `veilor-update` rewritten on `bootc upgrade` (was `dnf upgrade`)
- Forgejo registry as primary OCI publish target; GHCR mirror optional
- cosign key-pair signing of OCI image (replaces broken keyless flow)
- **Installer logs persisted to USB stick by default** (debug mode):
the bootstrap ISO writes `/var/log/anaconda/*` + the resolved
kickstart + ostreecontainer pull log + dmesg back onto the USB
install medium (mounted rw at `/run/install/repo` during install)
into a `veilor-install-logs/<timestamp>/` folder. Toggleable via
kernel cmdline `inst.veilor.savelogs=0` for opt-out, or
`inst.veilor.savelogs=1` (default). Stays **ON by default through
v0.7+v0.8+v0.9; flips OFF for v1.0 final release**. Why: any failed
- **Installer logs persisted to USB stick by default** (debug mode —
TODO, in-flight in a separate agent thread): the bootstrap ISO
writes `/var/log/anaconda/*` + the resolved kickstart +
ostreecontainer pull log + dmesg back onto the USB install medium
(mounted rw at `/run/install/repo` during install) into a
`veilor-install-logs/<timestamp>/` folder. Toggleable via kernel
cmdline `veilor.install_logs=on|off`; **default ON through v0.7,
v0.8, v0.9; flips OFF for v1.0 final release**. Why: any failed
install, the operator boots back to a working OS, plugs the USB,
reads the logs offline — no need to take screenshots of dracut on a
bricked machine. Implementation: `%post --nochroot` block in
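Review bot: the install-log bullet lists "the resolved kickstart" among what is written back to the USB medium. If the kickstart carries credentials at that point (a `rootpw`/`user --password` hash, a scripted LUKS passphrase, a registry token for the `ostreecontainer` pull), then default-on log persistence through v0.9 is also default-on secret persistence onto a stick anyone can pick up and read. Either state here that secrets are redacted before the copy, or drop the kickstart from the list and keep only the Anaconda logs, pull log and dmesg. On the toggle rename: dropping the `inst.` prefix (`inst.veilor.savelogs=0|1` → `veilor.install_logs=on|off`) is right, since `inst.*` is Anaconda's own option namespace, but the `%post --nochroot` code that reads the option from the kernel cmdline must change in the same commit, and the default-on promise should be recorded alongside a note of the off-switch in the install docs so operators know the stick gets written to.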