overlay: add upstream system files and mios knowledge artifacts #1

Merged
mios-dev merged 1 commit into main from master
May 1, 2026
Conversation

@mios-dev mios-dev commented May 1, 2026

Stage dracut binaries/scripts/modules/configs, NetworkManager conf.d profiles (wifi-mac, nvme-nbft) and dispatcher.d scripts (chrony, nvme-nbft-connect), firewalld nm-shared zone, systemd-logind grub2 drop-in, and usr/share/mios/knowledge (knowledge-graph, script-inventory, upstream-gaps).

Stage dracut binaries/scripts/modules/configs, NetworkManager conf.d
profiles (wifi-mac, nvme-nbft) and dispatcher.d scripts (chrony,
nvme-nbft-connect), firewalld nm-shared zone, systemd-logind grub2
drop-in, and usr/share/mios/knowledge (knowledge-graph, script-inventory,
upstream-gaps).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mios-dev mios-dev merged commit 43216a8 into main May 1, 2026
3 checks passed
mios-dev pushed a commit that referenced this pull request May 3, 2026
…tats)

#1 Orphaned 37-ollama-prep.sh -- replaced with first-boot service
   Build-time embedding never worked: the OCI build's final /var
   cleanup wipes /var/lib/ollama before commit, so models pulled
   in 37-ollama-prep.sh got deleted before they could ship. Drop
   the script to a no-op stub, document the migration, and wire
   the work to a runtime service that runs once per deploy:
     usr/lib/systemd/system/mios-ollama-firstboot.service
     usr/libexec/mios/ollama-firstboot.sh
   The service waits for the mios-ollama Quadlet, then runs
   'podman exec mios-ollama ollama pull' for qwen2.5-coder:7b and
   nomic-embed-text. Sentinel /var/lib/mios/.ollama-firstboot-done
   guards re-runs. Enabled via 90-mios.preset.

#2 ceph-bootstrap.sh path mismatch -- create script + fix paths
   Both ceph-bootstrap.service and mios-ceph-bootstrap.service
   ExecStart'd /usr/local/bin/ceph-bootstrap.sh, but no such file
   existed in the repo and 13-ceph-k3s.sh only chmod'd a phantom
   path. /usr/local resolves to /var/usrlocal on bootc/FCOS and
   gets wiped by /var cleanup anyway. Create the script at
   /usr/libexec/mios/ceph-bootstrap.sh (immutable image surface)
   with a real cephadm bootstrap implementation
   (--single-host-defaults --skip-monitoring-stack), and update
   both unit files + 13-ceph-k3s.sh to point at the new path.

#3 /var build-time write removed (Architectural Law 2)
   automation/31-user.sh:50 used to 'cp -a /etc/skel/. "$home/"'
   into /var/home at build time. The Containerfile's final /var
   cleanup wiped that work, then the deployed image had no skel-
   seeded home. Drop the build-time copy; rely on the existing
   first-boot paths (wsl-firstboot for WSL2, role-apply for bootc)
   which run after /var is mounted persistent.

#4a python3-requests added to PACKAGES.md
   /usr/bin/mios (Python CLI) imports requests; without the rpm
   the import failed at runtime and pip can't recover on the
   read-only /usr composefs surface.

#4b userenv.sh deployed to /usr/lib/mios/userenv.sh
   /usr/bin/mios-env (Architectural Law 5 resolver) sources
   /usr/lib/mios/userenv.sh, but the file lived only at
   tools/lib/userenv.sh in the build context with no install
   step. mios-env therefore fell back to env-defaults-only and
   ignored the three-layer mios.toml overlay. 36-tools.sh now
   stages the file with 'install -D -m 0644'.

#5 SELinux container_use_devices already addressed
   Earlier commit 7b56947 wrote
   /usr/share/selinux/packages/mios/booleans.conf at build time
   in 37-selinux.sh, and selinux-init.service applies it on
   first boot via 'setsebool -P'. Verified the runtime path is
   wired -- no further change needed.

#6 log-to-bootstrap.sh stats now computed dynamically
   Previously hard-coded 928 MB / 153 markdown / 116 shell
   scripts in both manifest.json and the README. Replace with
   du -sb on the working tree (excluding .git), 'find ... -name
   *.md / *.sh | wc -l', and a bc-driven compression ratio. The
   'compressed_context_size' picks the newest *.tar.gz under
   artifacts/ai-rag rather than naming a specific bundle.
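Item #1 above moves the ollama model pull from build time (where the /var cleanup discards it) to a first-boot service guarded by a sentinel file. The helper below is an added example, not the project's ollama-firstboot.sh: it shows the sentinel pattern with the two details a practitioner wants right, namely that the sentinel is written only after the guarded command succeeds (so an interrupted pull is retried on the next boot rather than marked done) and that it is keyed to a deploy id so the work re-runs once per deploy. The function names, the deploy-id keying and the `fake_pull` stand-in are assumptions; nothing here touches podman.

```shell
# Added example (not the project's ollama-firstboot.sh): a sentinel-guarded
# "run once per deploy" helper. Names and the deploy-id keying are hypothetical.

# run_once SENTINEL DEPLOY_ID CMD [ARGS...]
# Runs CMD unless SENTINEL already records DEPLOY_ID. The sentinel is
# written only after CMD succeeds and is replaced atomically, so an
# interrupted or failed run is retried on the next boot instead of being
# marked done. Prints ran | skipped | failed.
run_once() {
    _sentinel=$1; _deploy=$2; shift 2
    if [ -f "$_sentinel" ] && [ "$(cat "$_sentinel")" = "$_deploy" ]; then
        echo skipped; return 0
    fi
    if "$@"; then
        mkdir -p "$(dirname "$_sentinel")"
        printf '%s\n' "$_deploy" > "$_sentinel.tmp" && mv -f "$_sentinel.tmp" "$_sentinel"
        echo ran
    else
        echo failed; return 1
    fi
}

# Constructed stand-in for 'podman exec mios-ollama ollama pull <model>':
# appends the model name to a log instead of touching a container.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
fake_pull() { printf '%s\n' "$1" >> "$WORK/pulled.log"; }

# Walk-through: first boot pulls, a reboot on the same deploy skips,
# a new deploy id pulls again.
run_once "$WORK/state/.firstboot-done" deploy-A fake_pull qwen2.5-coder:7b
run_once "$WORK/state/.firstboot-done" deploy-A fake_pull qwen2.5-coder:7b
run_once "$WORK/state/.firstboot-done" deploy-B fake_pull qwen2.5-coder:7b
```

In a real unit the sentinel would live under a persistent /var path such as the one the commit names, and the deploy id would come from whatever identifies the booted image on the host; the point of the pattern is that the sentinel only ever records a run that completed.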
mios-dev pushed a commit that referenced this pull request May 6, 2026
Sealed-image opt-in (gap #1 from the bootc-comparison audit). The
existing 40-composefs-verity.sh wrote /usr/lib/ostree/prepare-root.conf
unconditionally with composefs in fs-verity mode. fs-verity requires
ext4 or btrfs -- on XFS roots (some cloud images, some podman-machine
disks) this bricks the deploy. There was no operator-facing escape
hatch.

Adds [security] table to mios.toml SSOT:

  composefs_mode = "verity" | "yes" | "off"
  mask_systemd_remount_fs = true | false

  - "verity"  current behavior (tamper-evident, ext4/btrfs only). Default.
  - "yes"     composefs read-only /usr without verity (works on XFS too;
              upstream FCOS/bootc default).
  - "off"     skip prepare-root.conf rewrite entirely; honor base image.

automation/40-composefs-verity.sh now:
  - Sources lib/packages.sh for the canonical _resolve_mios_toml chain
    (so /etc/mios/ + ~/.config/ overrides land here too).
  - Inlines a minimal _read_mios_scalar awk helper (the same shape as
    get_packages_from_toml -- top-level scalars, strips quotes + inline
    comments).
  - Branches on composefs_mode and renders the matching prepare-root.conf
    body. The "yes" body keeps the [root] / [etc] transient=false stanzas
    so the immutable-/usr posture stays intact even without verity.
  - Only masks systemd-remount-fs.service when verity is selected AND
    mask_systemd_remount_fs is truthy. The "yes" path uses the upstream
    mount sequence and doesn't need the mask.
  - Logs the resolved mode + whether it backed up an existing config.

No behavior change for existing deployments: default is "verity", which
matches the pre-commit unconditional path. Operators on XFS/cloud
substrates can drop a single override into /etc/mios/mios.toml:

  [security]
  composefs_mode = "yes"

and the next bootc switch flips to the non-verity path without code
changes.

Verified: bash -n on the rewritten script; tomllib + the awk resolver
both round-trip the new [security] table; the resolver also continues
to read [hwcaps] cleanly (no regression to the existing toml consumers).
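The commit above describes how the rewritten script resolves `composefs_mode` from the `[security]` table, keeps "verity" as the default, and masks systemd-remount-fs.service only for verity with a truthy `mask_systemd_remount_fs`. The script below is an added example, not the project's 40-composefs-verity.sh or its `_read_mios_scalar` helper: it reads those two scalars from a constructed mios.toml with a small awk reader, refuses any value outside the documented set (so a typo cannot silently land on a weaker path), and prints the resulting plan. Function names, the sample files, the `[hwcaps]` contents and the assumed default of `true` for `mask_systemd_remount_fs` are all assumptions; it deliberately does not render prepare-root.conf, whose stanzas belong to the project's script.

```shell
# Added example (not the project's 40-composefs-verity.sh): resolve the
# [security] table of a mios.toml file and decide what a deploy script
# should do. Helper names are hypothetical.

# read_toml_scalar FILE TABLE KEY
# Prints KEY's value from the [TABLE] section with surrounding quotes and an
# inline "# ..." comment stripped; prints nothing when absent. Minimal awk
# reader for flat key = value lines only (no arrays, no dotted keys).
read_toml_scalar() {
    awk -v table="$2" -v key="$3" '
        /^[ \t]*\[/ { in_table = ($0 ~ ("^[ \t]*\\[" table "\\][ \t]*$")); next }
        in_table && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")   # drop "key ="
            sub(/[ \t]*#.*$/, "")      # drop trailing comment
            gsub(/^"|"$/, "")          # strip surrounding quotes
            print; exit
        }' "$1"
}

# resolve_composefs_mode FILE
# Absent key -> "verity" (the tamper-evident default the commit keeps).
# Any value outside verity|yes|off is rejected so a typo such as "verify"
# cannot silently select a different path.
resolve_composefs_mode() {
    _mode=$(read_toml_scalar "$1" security composefs_mode)
    [ -n "$_mode" ] || _mode=verity
    case "$_mode" in
        verity|yes|off) printf '%s\n' "$_mode" ;;
        *) printf 'mios.toml: unsupported composefs_mode "%s"\n' "$_mode" >&2; return 1 ;;
    esac
}

# plan_deploy FILE
# Prints: mode=<m> rewrite_prepare_root=<yes|no> mask_remount_fs=<yes|no>
#  - "off" leaves the base image's prepare-root.conf untouched
#  - the remount-fs mask applies only for verity AND a truthy
#    mask_systemd_remount_fs (assumed default when absent: true)
plan_deploy() {
    _m=$(resolve_composefs_mode "$1") || return 1
    _flag=$(read_toml_scalar "$1" security mask_systemd_remount_fs)
    case "$_m" in off) _rewrite=no ;; *) _rewrite=yes ;; esac
    _mask=no
    if [ "$_m" = verity ] && [ "${_flag:-true}" = true ]; then _mask=yes; fi
    printf 'mode=%s rewrite_prepare_root=%s mask_remount_fs=%s\n' "$_m" "$_rewrite" "$_mask"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Constructed operator override for an XFS root (not a real deployment file).
cat > "$SAMPLE_DIR/xfs.toml" <<'EOF'
[hwcaps]
gpu = "none"

[security]
composefs_mode = "yes"   # XFS root: composefs read-only /usr, no fs-verity
mask_systemd_remount_fs = true
EOF
# Constructed config with no [security] table: must keep the verity default.
cat > "$SAMPLE_DIR/default.toml" <<'EOF'
[hwcaps]
gpu = "none"
EOF
# Constructed typo: must be rejected rather than treated as "verity" or "yes".
cat > "$SAMPLE_DIR/typo.toml" <<'EOF'
[security]
composefs_mode = "verify"
EOF

for f in xfs default; do
    printf '%s: ' "$f"; plan_deploy "$SAMPLE_DIR/$f.toml"
done
```

The reader is intentionally as narrow as the commit's own description (top-level scalars, quotes and inline comments stripped); the check worth keeping is the `case` in `resolve_composefs_mode`, which makes an unrecognised value a hard failure instead of a fallthrough.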