niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/ops/ASL SystemRescue Overlay – Intake Schema.md
Carl Niklas Rydberg 4cba1f45eb Move host/rescue docs to ops tier
2026-01-17 09:04:19 +01:00

292 lines
5.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Perfect — then lets be very concrete and **treat the overlay itself as a specification**, not just “put binaries somewhere”.
Below is a **clean, minimal, opinionated overlay schema** for an **ASL intake / rescue environment**, aligned with everything youve defined (ASL, STORE-INDEX, federation, ZFS optional).
No diagrams, no fluff.
---
# ASL SystemRescue Overlay Intake Schema
This overlay defines **what exists at boot**, **where state lives**, and **what is immutable vs runtime**.
---
## 1. High-level intent
The overlay must:
* Make ASL tools **always available**
* Be **stateless by default**
* Support **local ZFS intake OR remote ASL intake**
* Keep **semantic state out of the rescue image**
* Be safe on crashed systems
So the overlay provides:
* **executables**
* **configuration defaults**
* **service wiring**
* **well-known mount points**
Nothing else.
---
## 2. Canonical overlay layout
```
overlay/
├── usr/
│ └── local/
│ ├── bin/
│ │ ├── asl-intake
│ │ ├── asl-admin
│ │ └── asl-debug
│ └── lib/
│ └── libasl.so
├── etc/
│ └── asl/
│ ├── asl.conf # mode selection, endpoints
│ ├── federation.conf # domain + peer config
│ └── logging.conf
├── etc/systemd/system/
│ ├── asl-intake.service
│ └── asl-preflight.service
├── var/
│ └── lib/
│ └── asl/
│ ├── runtime/ # ephemeral runtime state
│ ├── cache/ # optional CAS cache
│ └── locks/
├── run/
│ └── asl/
│ └── sockets/ # if used (optional)
└── mnt/
└── asl/
├── local/ # local ZFS mount target
└── remote/ # optional remote FS
```
This is the **entire contract** between SystemRescue and ASL.
---
## 3. What each directory *means* (important)
### `/usr/local/bin`
**Immutable tools**
* `asl-intake`
Primary recovery/intake executable
* `asl-admin`
Inspection, snapshot listing, GC checks
* `asl-debug`
Low-level validation, block/segment inspection
> These must never write here.
---
### `/etc/asl`
**Declarative configuration only**
Example `asl.conf`:
```
mode = auto # auto | local | remote
local.mount = /mnt/asl/local
remote.endpoint = https://asl-backend
domain.id = rescue-domain
```
Rules:
* No secrets unless unavoidable
* No mutable state
* Safe to ship in ISO
---
### `/var/lib/asl`
**All mutable local state**
This is the *only* place your tools write to by default.
```
/var/lib/asl/runtime # PID files, temp metadata
/var/lib/asl/cache # optional local CAS cache
/var/lib/asl/locks # advisory locks
```
This may live:
* in RAM (default)
* on USB persistence
* never on the broken system disk
---
### `/mnt/asl/local`
**Local ASL backend mount (ZFS)**
If local intake is possible:
```
zpool import rescuepool
zfs mount rescuepool/asl → /mnt/asl/local
```
Your tool treats this as:
```
/mnt/asl/local/
├── blocks/
├── segments/
├── snapshots/
└── logs/
```
(Exact internal layout is backend-defined, not overlay-defined.)
---
### `/mnt/asl/remote`
Optional:
* NFS
* SSHFS
* Debug mounts
Not required for normal operation.
---
## 4. systemd services (minimal and safe)
### `asl-preflight.service`
Runs once at boot.
Responsibilities:
* Detect network
* Detect ZFS availability
* Detect importable pools
* Write decision to `/run/asl/mode`
No mutations.
---
### `asl-intake.service`
Starts the tool.
Example behavior:
* Reads `/run/asl/mode`
* Chooses:
* local ZFS backend
* or remote ASL endpoint
* Starts intake loop or waits for operator
This keeps **policy out of the binary**.
---
## 5. Local vs remote handling (explicit contract)
### Local ZFS mode
The overlay guarantees:
```
/mnt/asl/local exists
/var/lib/asl writable
/usr/local/bin contains tools
```
Your tool guarantees:
* Never mutate unsealed data
* Never auto-import pools without operator or config approval
---
### Remote ASL mode
The overlay guarantees:
* Network tools available
* TLS roots present
* Configurable endpoint
Your tool guarantees:
* Snapshot-bounded reads
* Deterministic uploads
* Idempotent retries
---
## 6. What is *explicitly forbidden* in the overlay
These rules prevent disasters:
❌ Writing to `/usr`, `/bin`, `/lib`
❌ Storing state in `/etc`
❌ Auto-mounting the crashed system root
❌ Assuming ZFS exists
❌ Assuming network exists
All assumptions must be **detected, not presumed**.
---
## 7. Why this schema works with your ASL design
This layout aligns perfectly with your specs because:
* **ASL-STORE-INDEX**
→ persistence lives outside the overlay
* **Federation**
→ domain identity is config, not state
* **PEL / TGK**
→ execution artifacts are handled like any other artifact
* **Determinism**
→ overlay never contains semantic state
The overlay is **pure capability**, not data.
---
## 8. Summary (the one-paragraph version)
> The SystemRescue overlay should contain **only tools, config, and wiring**.
> All mutable ASL state lives either in `/var/lib/asl` (ephemeral) or in a mounted backend (`/mnt/asl/local` or remote).
> The overlay never encodes semantic state, snapshots, or artifacts — only the ability to access and produce them.
If you want, next we can:
* Turn this into a **formal overlay contract doc**
* Define a **preflight decision table**
* Or map this schema directly onto your ASL backend spec
But this layout is already “correct by construction.”
Reference in a new issue View git blame Copy permalink