amduat-api/notes/pre-image capture workflow.md
2026-01-17 00:19:49 +01:00


Perfect — here's a full sketch of a **pre-image capture workflow** for building your ASL-AUTH-HOST ISO with full provenance from zero. This is conceptual but grounded in your existing scripts and tools.
---
## **1. Directory Layout**
```
/work/
├─ iso_root/              # ISO staging area (debootstrap root)
├─ overlay/               # Overlay for binaries, scripts, configs
├─ asl-preimage-store/    # Temporary ASL store for pre-image artifacts
│  ├─ binaries/
│  ├─ scripts/
│  └─ per/
├─ build_logs/            # Capture logs from each step
└─ asl-workflow.sh        # Orchestration script
```
---
## **2. Pre-image capture steps**
1. **Initialize pre-image ASL store**
```bash
#!/bin/bash
# pre-image store initialization
set -euo pipefail
# Paths shared by the later steps (see the directory layout above)
WORKDIR=/work
ISO_ROOT=$WORKDIR/iso_root
OVERLAY=$WORKDIR/overlay
PRESTORE=$WORKDIR/asl-preimage-store
mkdir -p "$PRESTORE"/{binaries,scripts,per} "$WORKDIR/build_logs"
asl-init-store --store "$PRESTORE"
```
> `asl-init-store` can be a thin wrapper around `libasl-capture` to create a temporary store.
---
2. **Wrap build commands in `asl-capture`**
All commands affecting the ISO will be executed via `asl-capture` to generate artifacts and PERs.
Example:
```bash
# Capture debootstrap ($PRESTORE and $ISO_ROOT are the paths from the layout above).
# --keyring makes the archive signature check explicit: without a verified
# Release file the provenance chain would start from unauthenticated input.
asl-capture --store "$PRESTORE" \
  --cmd "debootstrap --arch=amd64 --keyring=/usr/share/keyrings/debian-archive-keyring.gpg bullseye $ISO_ROOT http://deb.debian.org/debian/" \
  --outdir "$PRESTORE/per/debootstrap"
# Capture package installation. The downloaded .debs land in
# $ISO_ROOT/var/cache/apt/archives; they are the input artifacts of this step.
asl-capture --store "$PRESTORE" \
  --cmd "chroot $ISO_ROOT /bin/bash -c 'apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y ...'" \
  --outdir "$PRESTORE/per/apt_install"
```
Each step generates:
* **Artifact of input** (command, scripts, downloaded packages)
* **Artifact of output** (installed files, overlays, logs)
* **Execution Receipt (PER)** linking inputs → outputs
---
3. **Capture overlay**
```bash
# Capture binaries and scripts from the overlay directory (WORKDIR=/work per the layout)
for f in "$WORKDIR"/overlay/binaries/* "$WORKDIR"/overlay/scripts/*; do
  [ -e "$f" ] || continue   # skip globs that matched nothing
  asl-capture --store "$PRESTORE" --file "$f" --outdir "$PRESTORE/per/overlay"
done
```
This ensures all binaries/scripts are **artifacts** with traceable lineage.
---
4. **Assemble ISO using captured artifacts**
```bash
asl-capture --store "$PRESTORE" --cmd "./build_asl_auth_host_iso.sh" \
  --artifact-inputs "$PRESTORE/binaries" \
  --artifact-inputs "$PRESTORE/scripts" \
  --artifact-inputs "$PRESTORE/per" \
  --outdir "$PRESTORE/per/build_iso"
```
> The ISO itself becomes a **final artifact** with its **own PER**, referencing all previous steps.
---
5. **Seed initial ASL host store in ISO**
Copy pre-image artifacts + PERs into the ISO staging root:
```bash
# The parent directory must exist before cp -a, otherwise cp fails
mkdir -p "$ISO_ROOT/var/lib/asl/personal"
cp -a "$PRESTORE/binaries" "$ISO_ROOT/var/lib/asl/personal/binaries"
cp -a "$PRESTORE/per"      "$ISO_ROOT/var/lib/asl/personal/per"
cp -a "$PRESTORE/scripts"  "$ISO_ROOT/var/lib/asl/personal/scripts"
```
> The offline host boots with an **already captured history** of how it was built.
> Two ordering caveats: this copy has to land in `$ISO_ROOT` before `build_asl_auth_host_iso.sh` packs the image (run it before step 4, or let the build script do it), otherwise the seeded store is not on the medium. And the receipt for the ISO itself (step 4) hashes the finished image, so it cannot live inside that image; ship it alongside the ISO.
---
## **3. Optional: Artifact DAG visualization**
After pre-image capture, you can generate a DAG of artifacts and receipts:
```bash
asl-dag --store $PRESTORE --out $WORKDIR/build_logs/preimage_dag.svg
```
This provides:
* Traceable provenance of **everything in the ISO**
* Easy inspection for audit
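Because `asl-capture` and `asl-dag` are still conceptual, here is an added, self-contained bash model of what steps 1 to 5 and the DAG export actually have to record. It is example code written for this note, not the project's implementation: `capture_cmd` runs a command and writes a receipt holding the command line, the sha256 of every declared input and output, the exit code, the digest of the captured log and the digest of the previous receipt (which is what chains the receipts into a DAG); `verify_receipt` re-hashes the recorded outputs so post-capture drift or tampering is detected; `receipts_to_dot` renders the chain as Graphviz DOT. The store layout (`objects/`, `per/`, `logs/`, `HEAD`), the receipt field names and the demo inputs are all constructed for this example.

```shell
#!/usr/bin/env bash
# Self-contained model of the capture step (example code, not asl-capture).
# Store layout assumed for this example:
#   STORE/objects/<sha256>   content-addressed copies of inputs/outputs/logs
#   STORE/per/<name>.per     one execution receipt per captured step
#   STORE/logs/<name>.log    stdout+stderr of the captured command
#   STORE/HEAD               digest of the most recent receipt (the parent)
set -eu

# sha256 of a file; coreutils sha256sum, falling back to BSD/macOS shasum
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# store_artifact STORE FILE: copy FILE into the store under its digest, print digest
store_artifact() {
  local store=$1 f=$2 d
  d=$(digest "$f")
  mkdir -p "$store/objects"
  [ -e "$store/objects/$d" ] || cp -p "$f" "$store/objects/$d"
  printf '%s\n' "$d"
}

# capture_cmd STORE NAME "IN1 IN2.." "OUT1 OUT2.." CMD ARGS..
# Runs CMD and writes STORE/per/NAME.per recording: parent receipt digest,
# command line, input digests (taken before the run), exit code, output
# digests (taken after the run) and the digest of the captured log.
capture_cmd() {
  local store=$1 name=$2 inputs=$3 outputs=$4 per parent rc=0 f
  shift 4
  mkdir -p "$store/per" "$store/logs"
  per=$store/per/$name.per
  parent=$(cat "$store/HEAD" 2>/dev/null || echo none)
  {
    printf 'name: %s\nparent: %s\ncmd: %s\n' "$name" "$parent" "$*"
    for f in $inputs; do printf 'in: %s %s\n' "$(store_artifact "$store" "$f")" "$f"; done
  } > "$per"
  "$@" > "$store/logs/$name.log" 2>&1 || rc=$?
  {
    printf 'exit: %s\n' "$rc"
    for f in $outputs; do printf 'out: %s %s\n' "$(store_artifact "$store" "$f")" "$f"; done
    printf 'log: %s\n' "$(store_artifact "$store" "$store/logs/$name.log")"
  } >> "$per"
  digest "$per" > "$store/HEAD"   # the next receipt chains to this one
  return "$rc"
}

# verify_receipt STORE NAME: re-hash every recorded output; fail on any drift
verify_receipt() {
  local store=$1 per status=0 key d path
  per=$store/per/$2.per
  while read -r key d path; do
    if [ "$key" = out: ] && [ "$(digest "$path")" != "$d" ]; then
      echo "MISMATCH: $path no longer matches receipt $per" >&2
      status=1
    fi
  done < "$per"
  return "$status"
}

# receipts_to_dot STORE: Graphviz DOT of the receipt chain (parent -> child)
receipts_to_dot() {
  local store=$1 per p name parent
  echo 'digraph asl {'
  for per in "$store"/per/*.per; do
    name=$(sed -n 's/^name: //p' "$per")
    parent=$(sed -n 's/^parent: //p' "$per")
    for p in "$store"/per/*.per; do
      if [ "$(digest "$p")" = "$parent" ]; then
        printf '  "%s" -> "%s";\n' "$(sed -n 's/^name: //p' "$p")" "$name"
      fi
    done
  done
  echo '}'
}

# Demo with constructed inputs standing in for the overlay and assembly steps
demo() {
  local work store
  work=$(mktemp -d)
  store=$work/asl-preimage-store
  printf 'echo hello-from-overlay\n' > "$work/tool.sh"
  capture_cmd "$store" overlay_tool "$work/tool.sh" "$work/out1.txt" \
    sh -c "sh '$work/tool.sh' > '$work/out1.txt'"
  capture_cmd "$store" assemble "$work/out1.txt" "$work/out2.txt" \
    sh -c "tr a-z A-Z < '$work/out1.txt' > '$work/out2.txt'"
  verify_receipt "$store" assemble && echo "receipts verified in $store"
  receipts_to_dot "$store"
}
demo
```

Pipe the DOT output into `dot -Tsvg` to get the same kind of picture `asl-dag` is meant to produce. The one design point worth carrying over to the real tool: input digests are taken before the command runs and output digests after, and the parent digest is the digest of the previous receipt file itself, so any edit to an earlier receipt breaks every later link in the chain.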
---
## **4. Workflow Summary**
```
Initialize pre-image store --> Capture debootstrap --> Capture apt install --> Capture overlay
                                       |                      |                      |
                                       +----------------------+----------------------+
                                                              |
                                                     PERs + artifacts
                                                              |
                                             Build ISO using captured inputs
                                                              |
                                              Seed ISO with captured store
                                                              |
                                 Offline host boots with full pre-image provenance
```
---
### **Key Notes**
* `asl-capture` wraps **any shell command** or file copy, producing both **artifact** and **PER**.
* Pre-image store is **temporary** during build, but all artifacts go into ISO for the offline host.
* This method ensures **full traceability** of the build even before the host exists. Determinism and reproducibility are not free: `debootstrap` and `apt-get` pull from a live mirror, so a rebuild only reproduces the same artifacts if the inputs are pinned (a dated snapshot mirror, fixed package versions, `SOURCE_DATE_EPOCH` for the image). The receipts make any such drift visible; they do not prevent it.
---
I can also draft a **concrete bash orchestration script (`asl-workflow.sh`)** that wires all of this together, including:
* Pre-image store initialization
* Step-by-step captured commands
* ISO assembly
* Seeding the offline host store
Do you want me to do that next?