veilor-os/docs/research/2026-05-05-agent-wave/02-sddm-firstboot-ux.md
veilor-org 4e9782a18a docs: 9-agent research wave findings — v0.5.32 blocker map
Logs the full output of the 9-agent deep-dive run on 2026-05-05 to
docs/research/2026-05-05-agent-wave/. Pulls every actionable finding
into one indexed location so v0.5.32 planning has a paper trail.

Files:
  docs/research/2026-05-05-agent-wave/README.md             — index
  docs/research/2026-05-05-agent-wave/01-...real-hardware.md — Plymouth + LUKS edge cases
  docs/research/2026-05-05-agent-wave/02-...firstboot-ux.md  — SDDM + first-boot UX
  docs/research/2026-05-05-agent-wave/03-...spike-plan.md    — bootc-image-builder 1-week spike
  docs/research/2026-05-05-agent-wave/04-...tier-2.md         — AppArmor + nftables + audit + homed
  docs/research/2026-05-05-agent-wave/05-...launch.md         — threat model + v0.7 launch checklist
  docs/research/2026-05-05-agent-wave/06-...log-capture.md    — virtio-9p host-share for anaconda logs
  docs/research/2026-05-05-agent-wave/07-...skel-branding.md  — /etc/skel gap audit
  docs/research/2026-05-05-agent-wave/08-...ci-hardening.md   — SHA-pin actions + SBOM + SLSA L3
  docs/research/2026-05-05-agent-wave/09-...failure-modes.md  — real-hardware pessimistic audit

Plus the prior linter-applied:
  docs/ROADMAP.md      — Lessons learned section, v0.5.32 active block,
                          v0.6 promotion of veilor-postinstall + veilor-doctor,
                          v0.7 bootc spike scheduled
  docs/THREAT-MODEL.md  — drafted by Agent 5; in/out scope, comparison
                          matrix, v0.7 launch checklist

Top blockers identified for v0.5.32 (cross-cited in README):
  1. Suspend/resume wifi death (kernel.modules_disabled=1)
  2. veilor-firstboot.service WantedBy=graphical.target
  3. kernel-upgrade grub drift
  4. USBGuard hash-rules problem (already learned on onyx)
  5. firewalld blocks tailscale0
  6. /etc/skel/ empty
  7. virtio-9p log capture replaces broken virtio-serial path

Wave + verifier pattern (per ROADMAP lessons learned #4) validated:
9 parallel agents on distinct topics produced converging blocker
list. The same pattern landed v0.5.31 four-bug fix from the prior
4-agent verification wave on v0.5.30 outcome.
2026-05-05 14:52:53 +01:00


SDDM + first-boot UX failure modes

Agent 2 of 9-agent wave, 2026-05-05.

Findings

1. SDDM has no username prefilled — BLOCKS LOGIN (perceived)

  • User sees blank greeter; no signal that the only user is admin.
  • Fix: in /etc/sddm.conf.d/veilor.conf add [Users] RememberLastUser=true, and seed /var/lib/sddm/state.conf with [Last] User=admin Session=plasma.

2. chage -d 0 + SDDM autologin race

  • With Relogin=false (current), single-shot is safe.
  • Fix: Document Relogin=false. Don't combine Autologin=true with chage -d 0.

3. PAM expired-pw change inline in SDDM

  • Plasma 6 SDDM 0.21+ renders the chain. But if the new password fails pwquality (cracklib min=14 + complexity from 10-harden-base.sh), the error text is shown briefly and then the form resets, so the user sees no clear reason for the rejection.
  • Fix: /etc/security/pwquality.conf.d/10-veilor.conf with documented rules + Plasma startup notification showing them.

4. Wayland session start failure on virtio-vga — BLOCKS LOGIN

  • KWin tries the wlroots/DRM path and fails to acquire /dev/dri/card0 if the virtio_gpu kernel module is not loaded.
  • Fix: add plasma-workspace-x11 to %packages. SDDM session menu shows Plasma (X11) fallback.

5. Plasma 6 first-run wizards on /etc/skel-empty

  • KWin compositor backend pick + Plasma welcome center + accent colour wizard — modal stealing focus on first session.
  • Fix: seed /etc/skel/.config/:
    • kwinrc: [Compositing] Backend=OpenGL
    • kdeglobals: [General] AccentColor=...
    • plasma-welcomerc: [General] LastSeenVersion=99 (suppresses the welcome center)

6. SELinux relabel after first boot — looks like hang

  • touch /.autorelabel triggers a full restorecon of the rootfs: ~90 s on a 4 GB live install, 3-5 min on a real disk. The user hard-resets thinking it crashed → corrupted relabel state.
  • Fix: replace with veilor-relabel.service that prints [veilor] relabeling SELinux file contexts (1/N): %s to TTY1 with progress, plus one-time post-relabel KDialog notification.

7. USBGuard blocks input at SDDM — BLOCKS LOGIN on desktops

  • If /etc/usbguard/rules.conf is empty or missing, USBGuard's default ImplicitPolicyTarget=block blocks every USB device. SDDM is running, but the USB keyboard is dead.
  • Fix: ship a baseline rules.conf: allow with-interface equals { 03:00:* 03:01:* } (HID class) so any keyboard/mouse works pre-policy.
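
  To see what the proposed baseline actually admits, here is an added example (not part of these notes or of USBGuard) that models 'with-interface' set-operator matching over constructed device interface lists. The operator semantics are modelled from the documented meanings (equals = same interface count and every device interface covered by a pattern; one-of = at least one covered); confirm against usbguard list-devices on real hardware before shipping the rule.

```python
# Added example, not from the veilor-os notes or the USBGuard project: a small
# model of USBGuard 'with-interface' rule evaluation, used to check what the
# proposed HID baseline admits. Set operators are modelled from their documented
# meaning (assumption); verify on real hardware with `usbguard list-devices`.
import re
from fnmatch import fnmatchcase

RULE_RE = re.compile(r"^(allow|block|reject)\s+with-interface\s+(\S+)\s*\{([^}]*)\}$")

def parse_rules(text):
    """Parse 'target with-interface OP { cc:ss:pp ... }' lines; '#' comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        target, op, pats = m.groups()
        rules.append((target, op, pats.split()))
    return rules

def rule_applies(op, patterns, ifaces):
    # Interface types are cc:ss:pp; '*' wildcards a component (03:01:* = HID keyboard).
    covered = [i for i in ifaces if any(fnmatchcase(i, p) for p in patterns)]
    used = [p for p in patterns if any(fnmatchcase(i, p) for i in ifaces)]
    if op == "any":
        return True
    if op == "one-of":
        return bool(covered)
    if op == "none-of":
        return not covered
    if op == "all-of":
        return len(used) == len(patterns)
    if op == "equals":  # strict: same count and no device interface left uncovered
        return len(ifaces) == len(patterns) and len(covered) == len(ifaces)
    raise ValueError(f"unknown set operator {op!r}")

def decide(rules_text, ifaces, implicit="block"):
    """First matching rule wins; no match falls back to ImplicitPolicyTarget."""
    for target, op, pats in parse_rules(rules_text):
        if rule_applies(op, pats, ifaces):
            return target
    return implicit

# Constructed sample devices, as interface lists like `usbguard list-devices` reports.
BASELINE = "allow with-interface equals { 03:00:* 03:01:* }  # rules.conf from finding 7"
KEYBOARD_2IF = ["03:01:01", "03:00:00"]   # boot keyboard + consumer-control HID
KEYBOARD_1IF = ["03:01:01"]               # plain boot keyboard, single interface
COMPOSITE = ["03:01:01", "08:06:50"]      # "keyboard" that also exposes mass storage
```

  Under the strict equals model the two-interface keyboard is allowed and the keyboard-plus-storage composite stays blocked, which is the point of preferring equals over one-of; the single-interface keyboard also falls to the implicit block, so check that the keyboards you ship against actually match before relying on this baseline.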

8. NetworkManager DHCP — LOW severity

  • Wired auto-connects fine. Wi-Fi: silent failure unless SSID preconfigured. Acceptable; Plasma 6 ships plasma-nm widget.
  • Polish: /etc/xdg/autostart/veilor-firstboot-net-check.desktop → KDialog "Connect to network?" if nmcli general reports disconnected.

9. veilor-firstboot.service ordering — BLOCKS LOGIN on real installs

  • Current: WantedBy=multi-user.target only.
  • Real installs: default to graphical.target, so unit never runs.
  • Admin pw stays veilor + chage-expired. SDDM PAM bounces to chauthtok screen — recoverable but ugly.
  • Fix: WantedBy=graphical.target multi-user.target. Add Before=graphical.target. Verify systemctl enable veilor-firstboot.service (in installer line 884) resolves both. Add DefaultDependencies=no + Wants=systemd-vconsole-setup.service.

Endeavour OS welcome app — design notes for veilor-postinstall

EOS welcome (endeavouros-team/welcome on GitHub) is bash + yad, ~3000 LOC. Patterns to lift for veilor:

  • Yad GTK dialog as runtime (single binary dep). veilor (KDE) uses kdialog + qmlscene instead — native Plasma look.
  • Tabbed layout: Welcome | Set up apps | Security | System info | Shortcuts.
  • Self-disabling autostart: ~/.config/autostart/veilor-welcome.desktop removed after user clicks "Don't show again".
  • External script dispatch: /usr/share/veilor-os/postinstall/<step>.sh per step. Decouples UI from actions.
  • Update channel awareness: pull from the github.com/veilor-org/veilor-os releases Atom feed; show CVE advisories from the security.atom feed we publish.

Recommended stack:

  • /usr/bin/veilor-welcome (bash entrypoint, ≤300 LOC)
  • /usr/share/veilor-os/postinstall/welcome.qml (QtQuick/Kirigami UI)
  • /usr/share/veilor-os/postinstall/steps/{01-account,02-network,03-usbguard-policy,04-update,05-tour}.sh
  • /etc/xdg/autostart/veilor-welcome.desktop
  • Replace current scripts/firstboot.sh placeholder with step 03-usbguard-policy (auto-generate-policy is the unfinished core item).

Top three to ship next (highest UX impact, lowest risk)

  1. WantedBy=graphical.target multi-user.target in veilor-firstboot.service — fixes silent SDDM-PAM-chauthtok bounce on real installs.
  2. Username prefill in sddm.conf.d/veilor.conf: add [Users] RememberLastUser=true + /var/lib/sddm/state.conf [Last] User=admin Session=plasma.
  3. USBGuard HID baseline rules.conf — un-bricks any desktop with USB keyboard.