kubesolo-os

adelorenzo/kubesolo-os

Fork 0

Commit Graph

Author	SHA1	Message	Date
Adolfo Delorenzo	6c15ba7776	fix: kernel AppArmor 2-pass olddefconfig and QEMU test direct kernel boot Some checks failed CI / Go Tests (push) Has been cancelled Details CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Has been cancelled Details CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Has been cancelled Details CI / Shellcheck (push) Has been cancelled Details The stock TinyCore kernel config has "# CONFIG_SECURITY is not set" which caused make olddefconfig to silently revert all security configs in a single pass. Fix by applying security configs (AppArmor, Audit, LSM) after the first olddefconfig resolves base dependencies, then running a second pass. Added mandatory verification that exits on missing critical configs. All QEMU test scripts converted from broken -cdrom + -append pattern to direct kernel boot (-kernel + -initrd) via shared test/lib/qemu-helpers.sh helper library. The -append flag only works with -kernel, not -cdrom. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 14:11:38 -06:00
Adolfo Delorenzo	49a37e30e8	feat: add production hardening — Ed25519 signing, Portainer Edge, SSH extension (Phase 4) Image signing: - Ed25519 sign/verify package (pure Go stdlib, zero deps) - genkey and sign CLI subcommands for build system - Optional --pubkey flag for verifying updates on apply - Signature URLs in update metadata (latest.json) Portainer Edge Agent: - cloud-init portainer.go module writes K8s manifest - Auto-deploys Edge Agent when portainer.edge-agent.enabled - Full RBAC (ServiceAccount, ClusterRoleBinding, Deployment) - 5 Portainer tests in portainer_test.go Production tooling: - SSH debug extension builder (hack/build-ssh-extension.sh) - Boot performance benchmark (test/benchmark/bench-boot.sh) - Resource usage benchmark (test/benchmark/bench-resources.sh) - Deployment guide (docs/deployment-guide.md) Test results: 50 update agent tests + 22 cloud-init tests passing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-11 11:26:23 -06:00

Author

SHA1

Message

Date

Adolfo Delorenzo

6c15ba7776

fix: kernel AppArmor 2-pass olddefconfig and QEMU test direct kernel boot

CI / Go Tests (push) Has been cancelled

Details

CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Has been cancelled

Details

CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Has been cancelled

Details

CI / Shellcheck (push) Has been cancelled

Details

The stock TinyCore kernel config has "# CONFIG_SECURITY is not set" which
caused make olddefconfig to silently revert all security configs in a single
pass. Fix by applying security configs (AppArmor, Audit, LSM) after the
first olddefconfig resolves base dependencies, then running a second pass.
Added mandatory verification that exits on missing critical configs.

All QEMU test scripts converted from broken -cdrom + -append pattern to
direct kernel boot (-kernel + -initrd) via shared test/lib/qemu-helpers.sh
helper library. The -append flag only works with -kernel, not -cdrom.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-12 14:11:38 -06:00

Adolfo Delorenzo

49a37e30e8

feat: add production hardening — Ed25519 signing, Portainer Edge, SSH extension (Phase 4)

Image signing:
- Ed25519 sign/verify package (pure Go stdlib, zero deps)
- genkey and sign CLI subcommands for build system
- Optional --pubkey flag for verifying updates on apply
- Signature URLs in update metadata (latest.json)

Portainer Edge Agent:
- cloud-init portainer.go module writes K8s manifest
- Auto-deploys Edge Agent when portainer.edge-agent.enabled
- Full RBAC (ServiceAccount, ClusterRoleBinding, Deployment)
- 5 Portainer tests in portainer_test.go

Production tooling:
- SSH debug extension builder (hack/build-ssh-extension.sh)
- Boot performance benchmark (test/benchmark/bench-boot.sh)
- Resource usage benchmark (test/benchmark/bench-resources.sh)
- Deployment guide (docs/deployment-guide.md)

Test results: 50 update agent tests + 22 cloud-init tests passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-11 11:26:23 -06:00

2 Commits