mirror of
https://github.com/BetterCorp/BetterFrame.git
synced 2026-05-26 17:56:34 +00:00
feat(os-ota): install RAUC + system.conf + boot backend in pi-gen image
Phase 2b. Bake the runtime side of RAUC into the curated image so a
freshly-flashed kiosk can accept .raucb bundles immediately:
- Add `rauc` + `dosfstools` to the apt package list.
- Drop deploy/rauc/system.conf to /etc/rauc/system.conf (already declares
the A/B slot layout that repartition-image.sh produces).
- Drop deploy/rauc/betterframe-rauc-boot.sh to
/usr/local/sbin/betterframe-rauc-boot.sh — the custom bootloader
backend that flips the BF_BOOTSEL autoboot.txt to point at the
freshly-installed slot via Pi 5 tryboot.
- Drop deploy/rauc/ca-cert.pem (operator-supplied, committed) to
/etc/rauc/keyring.pem so rauc can verify CMS signatures. If the cert
isn't committed yet, image build emits a workflow warning and the
kiosk image installs but refuses every bundle — image still flashes,
just no OS OTA until the cert is committed.
- Enable BF_ENABLE_OS_OTA=1 in /etc/default/betterframe-kiosk so the
kiosk Rust consumer actually polls for bundles. Set to 0 to pin OS
version for a specific kiosk.
mark-good was already wired (deploy/systemd/betterframe-rauc-mark-good.{service,sh}).
The kiosk's heartbeat loop also calls `rauc status mark-good` as a
belt+suspenders backup; both are idempotent.
This commit is contained in:
Mitchell R
parent
3575f1169b
commit
0fa797adfa
3 changed files with 36 additions and 0 deletions
15
.github/workflows/build.yml
vendored
15
.github/workflows/build.yml
vendored
|
|
@ -192,6 +192,21 @@ jobs:
|
||||||
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
|
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
|
||||||
cp deploy/plymouth/betterframe/betterframe.script \
|
cp deploy/plymouth/betterframe/betterframe.script \
|
||||||
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
|
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
|
||||||
|
# RAUC config + custom bootloader backend
|
||||||
|
cp deploy/rauc/system.conf \
|
||||||
|
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/rauc-system.conf
|
||||||
|
cp deploy/rauc/betterframe-rauc-boot.sh \
|
||||||
|
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/
|
||||||
|
# CA cert is operator-supplied — generated locally via
|
||||||
|
# scripts/gen-rauc-signing-keys.sh and committed at
|
||||||
|
# deploy/rauc/ca-cert.pem. Without it the image installs but
|
||||||
|
# rauc refuses every bundle (verify-only mode).
|
||||||
|
if [ -f deploy/rauc/ca-cert.pem ]; then
|
||||||
|
cp deploy/rauc/ca-cert.pem \
|
||||||
|
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/files/rauc-keyring.pem
|
||||||
|
else
|
||||||
|
echo "::warning::deploy/rauc/ca-cert.pem missing — OS OTA disabled in this image"
|
||||||
|
fi
|
||||||
chmod +x deploy/pi-gen/stage-betterframe-client/01-install-kiosk/00-run.sh \
|
chmod +x deploy/pi-gen/stage-betterframe-client/01-install-kiosk/00-run.sh \
|
||||||
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh \
|
deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh \
|
||||||
deploy/pi-gen/stage-betterframe-client/prerun.sh
|
deploy/pi-gen/stage-betterframe-client/prerun.sh
|
||||||
|
|
|
||||||
|
|
@ -15,3 +15,5 @@ gstreamer1.0-gtk4
|
||||||
v4l-utils
|
v4l-utils
|
||||||
wlr-randr
|
wlr-randr
|
||||||
ca-certificates
|
ca-certificates
|
||||||
|
rauc
|
||||||
|
dosfstools
|
||||||
|
|
|
||||||
|
|
@ -31,6 +31,20 @@ install -m 644 /tmp/bf-files/betterframe-kiosk.conf /etc/tmpfiles.d/betterframe-
|
||||||
install -d -m 755 /etc/udev/rules.d
|
install -d -m 755 /etc/udev/rules.d
|
||||||
install -m 644 /tmp/bf-files/90-betterframe-no-hid.rules /etc/udev/rules.d/90-betterframe-no-hid.rules
|
install -m 644 /tmp/bf-files/90-betterframe-no-hid.rules /etc/udev/rules.d/90-betterframe-no-hid.rules
|
||||||
|
|
||||||
|
# --- RAUC OS-OTA config ---
|
||||||
|
# system.conf names the A/B slots + the custom bootloader backend.
|
||||||
|
# keyring.pem is the operator's CA cert (generated by
|
||||||
|
# scripts/gen-rauc-signing-keys.sh, committed at deploy/rauc/ca-cert.pem).
|
||||||
|
# Without keyring.pem, RAUC refuses every bundle.
|
||||||
|
install -d -m 755 /etc/rauc
|
||||||
|
install -m 644 /tmp/bf-files/rauc-system.conf /etc/rauc/system.conf
|
||||||
|
if [ -f /tmp/bf-files/rauc-keyring.pem ]; then
|
||||||
|
install -m 644 /tmp/bf-files/rauc-keyring.pem /etc/rauc/keyring.pem
|
||||||
|
else
|
||||||
|
echo "WARNING: no rauc-keyring.pem staged — OS OTA will refuse all bundles" >&2
|
||||||
|
fi
|
||||||
|
install -m 755 /tmp/bf-files/betterframe-rauc-boot.sh /usr/local/sbin/betterframe-rauc-boot.sh
|
||||||
|
|
||||||
# Default env file — operator may edit on first boot to point at their server.
|
# Default env file — operator may edit on first boot to point at their server.
|
||||||
cat > /etc/default/betterframe-kiosk <<'EOF'
|
cat > /etc/default/betterframe-kiosk <<'EOF'
|
||||||
# Runtime env for betterframe-kiosk. Edit and `systemctl restart betterframe-kiosk`.
|
# Runtime env for betterframe-kiosk. Edit and `systemctl restart betterframe-kiosk`.
|
||||||
|
|
@ -42,6 +56,11 @@ cat > /etc/default/betterframe-kiosk <<'EOF'
|
||||||
# builds auto-deploy once they land in the BF server (via the build workflow's
|
# builds auto-deploy once they land in the BF server (via the build workflow's
|
||||||
# auto-import step). Set to 0 to pin a kiosk to its current binary.
|
# auto-import step). Set to 0 to pin a kiosk to its current binary.
|
||||||
BF_ENABLE_APP_OTA=1
|
BF_ENABLE_APP_OTA=1
|
||||||
|
|
||||||
|
# Enable full-OS RAUC OTA. The image ships with A/B partitions + rauc
|
||||||
|
# preinstalled. Set to 0 to pin OS version manually (kiosk-app updates
|
||||||
|
# still flow via BF_ENABLE_APP_OTA).
|
||||||
|
BF_ENABLE_OS_OTA=1
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Plymouth boot splash
|
# Plymouth boot splash
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue