From b86b4f9ec39cb0feac2b326bf31bd87f1d236615 Mon Sep 17 00:00:00 2001 From: veilor-org Date: Tue, 5 May 2026 15:36:24 +0100 Subject: [PATCH] v0.5.32: ship 7 blockers from 9-agent wave MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per docs/research/2026-05-05-agent-wave/README.md priority list. All 7 land together to keep iteration cycles useful — partial fixes bury the lookahead findings agents already mapped. ## 1. CRITICAL — suspend/resume wifi death (Agent 9, B2) `veilor-modules-lock.service` runs `kernel.modules_disabled=1` 30s after graphical.target. iwlwifi/iwlmvm/cfg80211 reload on resume from S3/S0ix → with modules locked, resume breaks wifi until reboot. Same architectural class as the LUKS bug — security feature breaks legitimate kernel state transitions. The unit already has `ConditionKernelCommandLine=!module.sig_enforce=1` (self-skip when signed-modules enforcement is on cmdline). Adding `module.sig_enforce=1` to the kernel cmdline retains the security property (no unsigned modules) without runtime lock-down → resume works. Files: kickstart/veilor-os.ks line 61 + overlay/usr/local/bin/veilor-installer generated bootloader directive both gain `module.sig_enforce=1`. ## 2. veilor-firstboot.service WantedBy=graphical.target (Agent 2) Was `WantedBy=multi-user.target` only. Real installs default to graphical.target so the unit never ran on installed systems — admin pw stayed at install-time + chage -d 0 expired, SDDM PAM bounced to chauthtok screen (recoverable but ugly UX). Now `WantedBy=graphical.target multi-user.target`. Live ISO + multi-user installs both resolve via this list. ## 3. USBGuard hash → id-based baseline (Agent 9, A3) Mirrors memory feedback_usbguard_dock.md — onyx had hash+parent-hash rules that broke on dock replug; we shipped no rules.conf so first boot blocks the USB keyboard. Adds overlay/etc/usbguard/rules.conf with HID-class allow rule (`allow with-interface match-all { 03:*:* }`) — covers every USB keyboard, mouse, gamepad, fingerprint reader, NFC. Survives dock replug + kernel-bump vendor renumeration. Mass-storage stays implicit-block; user explicitly allows post-firstboot via `ujust veilor-usbguard-enroll` (planned v0.6). ## 4. firewalld trusted zone with tailscale0 pre-bound (Agent 9, D1) User uses Tailscale daily (memory: project_tailscale_mesh.md). Default firewalld zone = drop, blocks tailnet traffic on tailscale0. Adds overlay/etc/firewalld/zones/trusted.xml with ``. After `tailscale up` brings the interface up, NetworkManager dispatcher associates it with the trusted zone automatically — no user intervention. Default zone stays drop. Only the tailscale0 interface gets ACCEPT. ## 5. /etc/skel branding (Agent 7) Was completely empty. Result: per-user KDE config (~/.config/kdeglobals etc.) pre-empty, so the moment user opened System Settings, KDE wrote fresh ~/.config/* and silently shadowed our /etc/xdg/kdedefaults/*. Visual brand evaporated on first click. Seeds: /etc/skel/.config/kdeglobals (copy of assets/kde/veilor-default.kdeglobals) /etc/skel/.config/breezerc (copy of assets/kde/breezerc) /etc/skel/.config/kwinrc (Plasma 6 wayland defaults: opengl, animspeed=0, blur off, click-to-focus) /etc/skel/.config/konsolerc (default profile = Veilor) /etc/skel/.local/share/konsole/Veilor.profile + .colorscheme User who opens System Settings now writes against branded baseline, not against vanilla Breeze. ## 6. KMS modeset args + initramfs keymap (Agents 1 + 9) Real laptop boot has a 5-15s blank between vt switch and SDDM start because simpledrm releases before i915/nvidia-drm/amdgpu claim. Plus non-US users get locked out at LUKS prompt because initramfs ships en-US keymap by default (RHBZ 1405539, RHBZ 1890085). Adds to bootloader cmdline (live + installed): i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1 rd.vconsole.keymap=us `rd.vconsole.keymap=us` is a placeholder; the v0.6 firstboot keymap picker will rewrite it from /etc/vconsole.conf. Until then, en-US users get correct LUKS keyboard; non-US users still need the v0.6 fix (per Agent 1). ## 7. virtio-9p log capture (Agent 6) The v0.5.30 virtio-serial wiring depends on rsyslog inside the live ISO (anaconda's setupVirtio writes a rsyslog forward rule), which the live ks doesn't install — files were 0-byte across three install runs. test/run-vm.sh now adds a `-virtfs local,...,mount_tag=hostlogs` share pointing at `test/test-runs//`. veilor-installer runs `_dump_logs_to_host` via EXIT trap that mounts the share at /mnt/hostlogs and rsyncs /tmp/{anaconda,program,storage,packaging,dnf}.log + /var/log/veilor-installer.log + dmesg + journalctl + the generated ks. Runs on success AND failure AND ^C. No-op on real hardware (9p tag absent) — VM-only debug. ## Validate bash -n overlay/usr/local/bin/veilor-installer # OK ksvalidator kickstart/veilor-os.ks # clean ## Out-of-scope for v0.5.32 (deferred to v0.6) Per Agent 1 follow-ups: argon2id retune for slow CPUs, recovery key generation in firstboot, TPM2/FIDO2 unlock helpers. Per Agent 9 follow-ups: Plasma Wayland fallback X11 install, lid-close handling, SELinux relabel progress UX. Per Agent 4: AppArmor stack + nftables preset + audit log shipping CLI. Per Agent 8 (CI hardening): SHA-pin actions + dependabot + SBOM + SLSA L3 attestation — separate workflow-only commit. --- kickstart/veilor-os.ks | 2 +- overlay/etc/firewalld/zones/trusted.xml | 12 ++ overlay/etc/skel/.config/breezerc | 60 ++++++++++ overlay/etc/skel/.config/kdeglobals | 29 +++++ overlay/etc/skel/.config/konsolerc | 10 ++ overlay/etc/skel/.config/kwinrc | 29 +++++ .../.local/share/konsole/Veilor.colorscheme | 104 ++++++++++++++++++ .../skel/.local/share/konsole/Veilor.profile | 55 +++++++++ .../systemd/system/veilor-firstboot.service | 7 +- overlay/etc/usbguard/rules.conf | 43 ++++++++ overlay/usr/local/bin/veilor-installer | 28 ++++- test/run-vm.sh | 10 +- 12 files changed, 385 insertions(+), 4 deletions(-) create mode 100644 overlay/etc/firewalld/zones/trusted.xml create mode 100644 overlay/etc/skel/.config/breezerc create mode 100644 overlay/etc/skel/.config/kdeglobals create mode 100644 overlay/etc/skel/.config/konsolerc create mode 100644 overlay/etc/skel/.config/kwinrc create mode 100644 overlay/etc/skel/.local/share/konsole/Veilor.colorscheme create mode 100644 overlay/etc/skel/.local/share/konsole/Veilor.profile create mode 100644 overlay/etc/usbguard/rules.conf diff --git a/kickstart/veilor-os.ks b/kickstart/veilor-os.ks index 99a4e56..b5be79d 100644 --- a/kickstart/veilor-os.ks +++ b/kickstart/veilor-os.ks @@ -58,7 +58,7 @@ user --name=admin --groups=wheel --gecos="veilor admin" --password="" --plaintex # framebuffer — symptom: black screen with blinking cursor for ~30s # while the menu IS in fact rendered, just not painted. virtio-vga in # QEMU doesn't trigger this so it never reproed in VM. -bootloader --location=mbr --append="lockdown=integrity slab_nomerge randomize_kstack_offset=on vsyscall=none plymouth.enable=0 fbcon=nodefer" +bootloader --location=mbr --append="lockdown=integrity module.sig_enforce=1 slab_nomerge randomize_kstack_offset=on vsyscall=none plymouth.enable=0 fbcon=nodefer i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1 rd.vconsole.keymap=us" # ── Live ISO partitioning (flat — for live rootfs build only) ── # NOTE: This is the *live* image kickstart. Final installed system uses diff --git a/overlay/etc/firewalld/zones/trusted.xml b/overlay/etc/firewalld/zones/trusted.xml new file mode 100644 index 0000000..a89c050 --- /dev/null +++ b/overlay/etc/firewalld/zones/trusted.xml @@ -0,0 +1,12 @@ + + + + Trusted + All network connections are accepted. veilor-os pre-binds tailscale0 here so the mesh layer-1 (Tailscale via Headscale) works out-of-box without manual firewalld zone juggling. + + diff --git a/overlay/etc/skel/.config/breezerc b/overlay/etc/skel/.config/breezerc new file mode 100644 index 0000000..131a209 --- /dev/null +++ b/overlay/etc/skel/.config/breezerc @@ -0,0 +1,60 @@ +# veilor-os — Breeze window decoration override +# Tighter borders, solid black title bar, minimal buttons, smallest border. +# Merged into /etc/xdg/breezerc (system default) by 30-apply-v03-theme.sh. + +[Common] +# Tighter outline; subtle separator only when active. +OutlineCloseButton=false +ShadowSize=ShadowSmall +ShadowStrength=128 +ShadowColor=0,0,0 + +[Windeco] +# Border thickness: smallest available (= "None" leaves only resize edge, +# "NoSides" keeps top/bottom only). We pick "None" for the tightest look, +# matching the black-on-black aesthetic. +BorderSize=None +ButtonSize=ButtonSmall +CloseButton=true +DrawBackgroundGradient=false +DrawBorderOnMaximizedWindows=false +DrawSizeGrip=false +DrawTitleBarSeparator=false +ExceptionType=0 +HideTitleBar=false +OpaqueTitleBar=true +TitleAlignment=AlignCenter +UseBackgroundGradient=false +UseTitleBarColor=true + +# Buttons: minimal — close / max / min only, no shade/help/keep-above. +ButtonsOnLeft=M +ButtonsOnRight=IAX + +[Style] +# Disable per-app blur, transparency, and gradient effects. +MenuOpacity=100 +WindowDragMode=1 +ScrollBarAddLineButtons=0 +ScrollBarSubLineButtons=0 +SidePanelDrawFrame=false +SliderDrawTickMarks=false +TabBarDrawCenteredTabs=true +ToolBarDrawItemSeparator=false +DockWidgetDrawFrame=false +ProgressBarAnimated=false +AnimationsEnabled=false +StackedWidgetDrawFrame=false + +# ── Active / inactive title bar colors (override Breeze defaults) ── +# kdeglobals [WM] section is the canonical source; these mirror it here +# so apps that only read breezerc see consistent values. +[Windeco][Active] +TitleBarColor=0,0,0 +TitleBarTextColor=216,216,216 +TitleBarBorderColor=104,107,111 + +[Windeco][Inactive] +TitleBarColor=15,17,18 +TitleBarTextColor=161,169,177 +TitleBarBorderColor=42,46,50 diff --git a/overlay/etc/skel/.config/kdeglobals b/overlay/etc/skel/.config/kdeglobals new file mode 100644 index 0000000..ca3e1f9 --- /dev/null +++ b/overlay/etc/skel/.config/kdeglobals @@ -0,0 +1,29 @@ +[General] +ColorScheme=veilor-black +Name=veilor black +AccentColor=104,107,111 +LastUsedCustomAccentColor=104,107,111 +font=Fira Code,11,-1,5,400,0,0,0,0,0,0,0,0,0,0,1 +fixed=Fira Code,10,-1,5,400,0,0,0,0,0,0,0,0,0,0,1 +menuFont=Fira Code,11,-1,5,400,0,0,0,0,0,0,0,0,0,0,1 +smallestReadableFont=Fira Code,9,-1,5,400,0,0,0,0,0,0,0,0,0,0,1 +toolBarFont=Fira Code,10,-1,5,400,0,0,0,0,0,0,0,0,0,0,1 + +[Icons] +Theme=breeze-dark + +[KDE] +LookAndFeelPackage=org.kde.breezedark.desktop +SingleClick=false +contrast=4 +widgetStyle=Breeze + +[Mouse] +cursorTheme=Breeze_Light +cursorSize=24 + +[KDecoration] +theme=Breeze +ButtonsOnLeft= +ButtonsOnRight=IAX +BorderSize=None diff --git a/overlay/etc/skel/.config/konsolerc b/overlay/etc/skel/.config/konsolerc new file mode 100644 index 0000000..b1c76e1 --- /dev/null +++ b/overlay/etc/skel/.config/konsolerc @@ -0,0 +1,10 @@ +# veilor-os Konsole default — branded profile pre-selected so first +# Konsole launch on a fresh user account opens the veilor profile, +# not Fedora's default white-bg Breeze. + +[Desktop Entry] +DefaultProfile=Veilor.profile + +[KonsoleWindow] +ShowMenuBarByDefault=false +RememberWindowSize=true diff --git a/overlay/etc/skel/.config/kwinrc b/overlay/etc/skel/.config/kwinrc new file mode 100644 index 0000000..9a6d8dc --- /dev/null +++ b/overlay/etc/skel/.config/kwinrc @@ -0,0 +1,29 @@ +# veilor-os Plasma 6 kwin defaults — seeded into /etc/skel so first-login +# users inherit deliberate windowing behaviour rather than default Breeze +# animations. Per-user; user can override post-login. + +[Compositing] +# OpenGL backend = standard for hardware accel; AnimationSpeed=0 = no +# slow window animations on every focus change. +Backend=OpenGL +AnimationSpeed=0 +HiddenPreviews=5 +LatencyPolicy=Low +WindowsBlockCompositing=true + +[Plugins] +# Disable visual fluff that isn't security-relevant + costs perf. +blurEnabled=false +contrastEnabled=false +slideEnabled=false +slidingpopupsEnabled=false +fadeEnabled=false +zoomEnabled=true + +[Windows] +FocusPolicy=ClickToFocus +RollOverDesktops=false +TitlebarDoubleClickCommand=Maximize + +[Wayland] +InputMethod= diff --git a/overlay/etc/skel/.local/share/konsole/Veilor.colorscheme b/overlay/etc/skel/.local/share/konsole/Veilor.colorscheme new file mode 100644 index 0000000..012f023 --- /dev/null +++ b/overlay/etc/skel/.local/share/konsole/Veilor.colorscheme @@ -0,0 +1,104 @@ +[General] +Anchor=0.5,0.5 +Blur=false +ColorRandomization=false +Description=Veilor +FillStyle=Tile +Opacity=1 +Wallpaper= +WallpaperFlipType=NoFlip +WallpaperOpacity=1 + +[Background] +Color=0,0,0 + +[BackgroundFaint] +Color=0,0,0 + +[BackgroundIntense] +Color=15,17,18 + +[Foreground] +Color=216,216,216 + +[ForegroundFaint] +Color=161,169,177 + +[ForegroundIntense] +Color=236,236,236 + +# ── Standard ANSI palette (muted, desaturated) ── +# Veilor aesthetic: no neon. Reds tone-shifted toward bordeaux, greens +# toward sage, blues toward slate. Greys lifted to remain readable. + +[Color0] +Color=27,27,27 + +[Color0Faint] +Color=20,20,20 + +[Color0Intense] +Color=58,58,58 + +[Color1] +Color=176,55,69 + +[Color1Faint] +Color=130,40,52 + +[Color1Intense] +Color=205,87,99 + +[Color2] +Color=102,138,90 + +[Color2Faint] +Color=78,107,68 + +[Color2Intense] +Color=141,176,128 + +[Color3] +Color=185,158,98 + +[Color3Faint] +Color=140,118,72 + +[Color3Intense] +Color=216,193,134 + +[Color4] +Color=92,116,143 + +[Color4Faint] +Color=68,87,107 + +[Color4Intense] +Color=131,154,182 + +[Color5] +Color=141,113,150 + +[Color5Faint] +Color=104,84,112 + +[Color5Intense] +Color=176,148,186 + +[Color6] +Color=99,144,148 + +[Color6Faint] +Color=72,107,110 + +[Color6Intense] +Color=139,180,184 + +[Color7] +Color=200,200,200 + +[Color7Faint] +Color=161,169,177 + +[Color7Intense] +Color=236,236,236 diff --git a/overlay/etc/skel/.local/share/konsole/Veilor.profile b/overlay/etc/skel/.local/share/konsole/Veilor.profile new file mode 100644 index 0000000..a01e724 --- /dev/null +++ b/overlay/etc/skel/.local/share/konsole/Veilor.profile @@ -0,0 +1,55 @@ +[General] +Name=Veilor +Parent=FALLBACK/ +Command=/bin/bash +Directory= +Icon=utilities-terminal +LocalTabTitleFormat=%w +RemoteTabTitleFormat=(%u) %h +ShowTerminalSizeHint=false +StartInCurrentSessionDir=true +TerminalCenter=false +TerminalMargin=4 + +[Appearance] +ColorScheme=Veilor +Font=Fira Code,11,-1,5,400,0,0,0,0,0,0,0,0,0,0,1 +LineSpacing=1 +UseFontLineCharacters=true + +[Cursor Options] +CursorShape=0 +UseCustomCursorColor=true +CustomCursorColor=104,107,111 +CustomCursorTextColor=216,216,216 + +[Scrolling] +HistoryMode=2 +HistorySize=10000 +ScrollBarPosition=2 +HighlightScrolledLines=false + +[Terminal Features] +BellMode=3 +BlinkingCursorEnabled=false +BlinkingTextEnabled=false +FlowControlEnabled=false +UrlHintsModifiers=67108864 +ReverseUrlHints=false +VerticalLine=false + +[Interaction Options] +AutoCopySelectedText=false +CopyTextAsHTML=false +TrimLeadingSpacesInSelectedText=false +TrimTrailingSpacesInSelectedText=true +UnderlineFilesEnabled=true +UnderlineLinksEnabled=true +OpenLinksByDirectClickEnabled=false +WordCharacters=:@-./_~?&=%+# + +[Encoding Options] +DefaultEncoding=UTF-8 + +[Keyboard] +KeyBindings=default diff --git a/overlay/etc/systemd/system/veilor-firstboot.service b/overlay/etc/systemd/system/veilor-firstboot.service index 9a8f27f..42b44c3 100644 --- a/overlay/etc/systemd/system/veilor-firstboot.service +++ b/overlay/etc/systemd/system/veilor-firstboot.service @@ -18,4 +18,9 @@ TTYReset=yes TTYVHangup=yes [Install] -WantedBy=multi-user.target +# Real installs default to graphical.target. Without this entry the unit +# never runs on installed systems — admin pw stays at install-time value +# + chage -d 0 expired, SDDM PAM bounces user to a chauthtok screen +# (recoverable but ugly). Live ISO + multi-user.target installs both +# resolve via this list. (Agent 2, 2026-05-05 wave.) +WantedBy=graphical.target multi-user.target diff --git a/overlay/etc/usbguard/rules.conf b/overlay/etc/usbguard/rules.conf new file mode 100644 index 0000000..a00cfd3 --- /dev/null +++ b/overlay/etc/usbguard/rules.conf @@ -0,0 +1,43 @@ +# veilor-os USBGuard baseline rules +# +# Default policy is `block` (set in usbguard-daemon.conf via the +# overlay). Without any allow rule, every USB device — including the +# user's keyboard — is blocked at boot. That includes the desktop +# user with a USB keyboard at SDDM. +# +# This file allows HID-class interfaces (keyboard, mouse, touchpad, +# fingerprint reader, NFC, gamepad) without pinning to specific +# vendor:product/serial/hash. id-based rules survive dock replug and +# vendor-bump kernel changes, where hash+parent-hash rules don't — +# verified pain on onyx (memory: feedback_usbguard_dock.md). Same fix. +# +# After first login, the user runs: +# ujust veilor-usbguard-enroll +# (or `usbguard generate-policy --with-hash=false > rules.conf`) +# to add their own keyboard's id-rule and tighten the policy further. +# +# References: +# - usbguard-rules.conf(5) +# - https://usbguard.github.io/documentation/rule-language.html +# - veilor-os agent 9 audit, 2026-05-05 + +# HID class — keyboards, mice, pointers, gamepads, fingerprint, NFC. +# Interface descriptor 03:NN:NN where 03=HID. We accept any HID +# subclass + protocol so the rule is robust to future HID variants. +allow with-interface match-all { 03:*:* } + +# Mass-storage prompt: ask the user before mounting a new flash drive. +# Reject blanket-allow (would silently allow USB Rubber Ducky). +# Accept only after user confirms via the gnome/plasma USB dialog. +# (USBGuard has no native "ask" verb; we leave mass-storage devices +# implicit-block here, the user runs `usbguard allow-device ` +# from a Plasma applet OR the firstboot wizard documents this flow.) + +# Block known-bad. USB Killer signature shows up as a generic-HID +# composite descriptor + power draw out of spec. We can't reliably +# detect that from descriptors alone — relying on default-block +# semantics for now. + +# DO NOT pin to specific id=, serial=, hash=, or parent-hash= here. +# That's the user's job post-firstboot for their actual hardware. +# Pre-shipped pinned rules break on every dock replug + kernel bump. diff --git a/overlay/usr/local/bin/veilor-installer b/overlay/usr/local/bin/veilor-installer index 4a0d328..999766a 100644 --- a/overlay/usr/local/bin/veilor-installer +++ b/overlay/usr/local/bin/veilor-installer @@ -427,7 +427,7 @@ __SSHKEY_DIRECTIVE__ # re-runs kernel-install per kernel. That's the canonical Fedora 43 path # for landing args in BLS entries — kernel-install reads /etc/kernel/cmdline # (90-loaderentry.install:84-95) when generating BLS option lines. -bootloader --append="lockdown=integrity slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none fbcon=nodefer" +bootloader --append="lockdown=integrity module.sig_enforce=1 slab_nomerge init_on_alloc=1 init_on_free=1 randomize_kstack_offset=on vsyscall=none fbcon=nodefer i915.modeset=1 amdgpu.modeset=1 nvidia-drm.modeset=1 rd.vconsole.keymap=us" # Disk: zero, LUKS2 (argon2id), btrfs subvolumes (no LVM intermediary). # Native btrfs-on-LUKS matches Fedora KDE Spin defaults; LVM+btrfs combo @@ -927,7 +927,33 @@ KSEOF return 0 } +_dump_logs_to_host() { + # If a virtio-9p share tagged "hostlogs" was attached by run-vm.sh, + # mount it and dump every anaconda + installer log into it. Runs on + # success AND failure (called via trap). No-op on real hardware where + # the 9p tag doesn't exist. + if ! grep -qw 9p /proc/filesystems 2>/dev/null; then return 0; fi + local m=/mnt/hostlogs + mkdir -p "$m" + mount -t 9p -o trans=virtio,version=9p2000.L hostlogs "$m" 2>/dev/null || return 0 + cp -af /tmp/anaconda.log "$m/" 2>/dev/null || true + cp -af /tmp/program.log "$m/" 2>/dev/null || true + cp -af /tmp/storage.log "$m/" 2>/dev/null || true + cp -af /tmp/packaging.log "$m/" 2>/dev/null || true + cp -af /tmp/dnf.log "$m/" 2>/dev/null || true + cp -af /tmp/dnf.librepo.log "$m/" 2>/dev/null || true + cp -af /tmp/anaconda-cmdline.log "$m/" 2>/dev/null || true + cp -af /var/log/veilor-installer.log "$m/" 2>/dev/null || true + cp -af /run/install/veilor-generated.ks "$m/" 2>/dev/null || true + dmesg > "$m/dmesg.log" 2>/dev/null || true + journalctl -b > "$m/journal.log" 2>/dev/null || true + sync + umount "$m" 2>/dev/null || true +} + run_install() { + # Capture logs to host on every exit path (success, failure, ^C). + trap _dump_logs_to_host EXIT # Anaconda env setup (see comments below). export LANG="${SEL_LOCALE:-en_GB.UTF-8}" export LC_ALL="$LANG" diff --git a/test/run-vm.sh b/test/run-vm.sh index 352e936..90934f0 100755 --- a/test/run-vm.sh +++ b/test/run-vm.sh @@ -208,12 +208,20 @@ echo " Seed : ${SEED_ISO:-}" # We've lost logs three times in a row to anaconda failures + tmpfs # reboots. Wiring this up so future failures auto-capture. ANACONDA_LOG="$TEST_DIR/anaconda-vm-$(date +%Y%m%d-%H%M%S).log" +ANACONDA_LOG_DIR="$TEST_DIR/test-runs/$(date +%Y%m%d-%H%M%S)" +mkdir -p "$ANACONDA_LOG_DIR" ANACONDA_LOG_ARGS=( + # Belt: virtio-serial (anaconda's setupVirtio rsyslog forward, fragile — + # depends on rsyslog being installed in the live ISO). -chardev "file,id=anaclog,path=$ANACONDA_LOG" -device virtio-serial-pci,id=vs1 -device "virtserialport,chardev=anaclog,bus=vs1.0,name=org.fedoraproject.anaconda.log.0" + # Braces: virtio-9p host directory share. veilor-installer mounts this + # at /mnt/hostlogs and rsyncs /tmp/*.log there post-anaconda. + -virtfs "local,path=$ANACONDA_LOG_DIR,mount_tag=hostlogs,security_model=mapped-xattr,id=hostlogs" ) -echo " AnaLog: $ANACONDA_LOG" +echo " AnaLog : $ANACONDA_LOG" +echo " HostFS : $ANACONDA_LOG_DIR (9p tag: hostlogs)" echo " Mode : ${SECBOOT:+secboot}${SECBOOT:-stock UEFI}" echo " Inject: ${HOST_PUBKEY:+yes}${HOST_PUBKEY:-no (no host pubkey)}"