Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
Scratchpad — Ubuntu Server Interactive Install Safety
Context / Discoveries
- Current appliance ISO flow is built under `ee/appliance/ubuntu-iso/`.
- The build script stages `host-service`, `operator`, `scripts`, `manifests`, `flux`, `releases`, and `status-ui` into the ISO overlay.
- Current `user-data` is autoinstall-based and already uses `late-commands` to copy bundled appliance files into the target system.
- UTM smoke testing exposed a loop where the VM can reboot back into the installer if the ISO cannot be detached cleanly.
- UTM docs state that CD/DVD images are meant to be removable media, but the runtime can still get stuck in a state where eject is not available.
- GitHub discussion `utmapp/UTM#6130` reports a similar Apple Silicon / UTM version issue where ISO eject appears unavailable or the VM window closes without fully stopping the VM.
Decisions
- Keep the Ubuntu Server installer as the install surface; do not switch to Ubuntu Desktop.
- Prioritize a user-facing disk confirmation before destructive storage actions.
- Keep the appliance bundle on the ISO so installation works offline.
- Use a branded boot / ISO label: AlgaPSA Install.
- Add a disk-first boot guard so a completed install does not re-enter the installer loop if the ISO remains attached.
Key Files
- `ee/appliance/ubuntu-iso/config/nocloud/user-data`
- `ee/appliance/ubuntu-iso/scripts/build-ubuntu-appliance-iso.sh`
- `ee/appliance/ubuntu-iso/tests/t001-build-smoke.test.mjs`
- `ee/appliance/ubuntu-iso/overlay/etc/systemd/system/alga-appliance.service`
- `ee/appliance/ubuntu-iso/overlay/etc/systemd/system/alga-appliance-console.service`
- `ee/appliance/ubuntu-iso/overlay/opt/alga-appliance/`
Validation Notes
- Existing VM bundles and ISO artifacts were moved to `/Volumes/Extreme SSD/alga-appliance-smoke/` to avoid exhausting the internal disk.
- The current smoke build path already supports configurable work/output dirs via `ALGA_APPLIANCE_ISO_WORK_DIR` and `ALGA_APPLIANCE_ISO_OUTPUT_DIR`.
- Boot branding should stay simple; user accepted only boot/ISO labeling, not a custom installer theme.
- Implemented Subiquity storage confirmation through `autoinstall.interactive-sections: [storage]`; the existing direct storage layout remains the preselected install target but destructive disk actions require user confirmation.
- The ISO remaster now writes `.disk/info` as `AlgaPSA Install`, uses ISO volume label `ALGAPSA_INSTALL`, and prepends a guarded GRUB `AlgaPSA Install` entry.
- The disk-first guard uses `/etc/alga-appliance/booted-from-disk`, created by `late-commands` in the installed target. If the ISO remains attached, GRUB searches for the marker and chains to the installed disk's `/boot/grub/grub.cfg`.
- `node --test ee/appliance/ubuntu-iso/tests/t001-build-smoke.test.mjs` passes and covers T001-T004 with a fake `xorriso` remaster: branding, ISO label, offline overlay, storage interactivity, payload copy, service enablement, and disk marker behavior.
- `node --test ee/appliance/host-service/tests/*.test.mjs ee/appliance/ubuntu-iso/tests/*.test.mjs` passes except for `t003-first-boot-smoke` under sandboxed localhost networking (`connect EPERM 127.0.0.1:18081`). The targeted first-boot smoke passes when rerun with localhost socket permissions: `node --test ee/appliance/host-service/tests/t003-first-boot-smoke.test.mjs`.
- `ee/appliance/host-service/tests/t003-first-boot-smoke.test.mjs` now covers the first-boot console banner, `/healthz`, static setup/status UI serving from `ALGA_APPLIANCE_STATUS_UI_DIR`, unauthorized setup protection, setup config JSON, and setup submission persistence. The test uses `ALGA_APPLIANCE_DISABLE_SETUP_QUEUE=1` so it verifies web setup behavior without starting the real bootstrap workflow.
- Real remaster build succeeded with the Ubuntu 24.04.4 base ISO: `ALGA_APPLIANCE_ISO_WORK_DIR="/Volumes/Extreme SSD/alga-appliance-smoke/work" ALGA_APPLIANCE_ISO_OUTPUT_DIR="/Volumes/Extreme SSD/alga-appliance-smoke/iso-output" bash ee/appliance/ubuntu-iso/scripts/build-ubuntu-appliance-iso.sh --base-iso "/Volumes/Extreme SSD/alga-appliance-smoke/ubuntu-24.04.4-live-server-amd64.iso" --release-version smoke-20260503-round8`.
- Real artifact: `/Volumes/Extreme SSD/alga-appliance-smoke/iso-output/alga-appliance-ubuntu-smoke-20260503-round8.iso`; `xorriso -pvd_info` reports volume id `ALGAPSA_INSTALL`, and the staged ISO root has `.disk/info=AlgaPSA Install`.
- The real round8 GRUB configs contain the `AlgaPSA Install` entry, the `/etc/alga-appliance/booted-from-disk` search guard, and `autoinstall ds=nocloud;s=/cdrom/nocloud/`.
- UTM CLI check found `Ubuntu-Appliance-Persistence-Smoke-Round7` running with UUID `5E97B267-A8D8-4671-A152-FD588A207F53`; its config has only the qcow2 disk attached and no CD/DVD drive, which supports that it is not currently booting the installer ISO. Host service ports `8080` and `3000` were not reachable at `192.168.64.17`, so the full T005 readiness smoke remains unverified.
- T005 live VM evidence was completed on `Ubuntu-Appliance-Interactive-Smoke-Round10` (UUID `8AAE785E-F1C1-408A-9141-5CEA3DB48AAC`) after manual completion of the Subiquity install flow. Earlier screenshot evidence showed the interactive guided storage confirmation screen with the 80G QEMU disk selected and a user-facing `[ Done ]` action before destructive installation.
- Round10 config path: `/Volumes/Extreme SSD/alga-appliance-smoke/vms/Ubuntu-Appliance-Interactive-Smoke-Round10.utm/config.plist`. `plutil -p` shows only `Drive.0` as `ImageType = Disk` with qcow2 `450a1794-6063-448e-8b38-94c1ab4bdb65.qcow2`; no CD/DVD drive remains attached.
- `ps -ax -o pid,command` confirms the running Round10 QEMU process uses only `-device ide-hd`/`media=disk` for the qcow2 at `/Volumes/Extreme SSD/alga-appliance-smoke/vms/Ubuntu-Appliance-Interactive-Smoke-Round10.utm/Data/450a1794-6063-448e-8b38-94c1ab4bdb65.qcow2`, with no ISO/CD-ROM drive argument.
- ARP maps Round10 MAC `62:B8:F6:E9:2E:FF` to `192.168.64.20`; `nc -vz -w 3 192.168.64.20 22` and `nc -vz -w 3 192.168.64.20 8080` both succeed.
- Round10 console banner reports `Alga Appliance setup is ready`, node IP `192.168.64.20`, setup URL on port `8080`, local admin user `alga-admin`, and the temporary password/change-required flow.
- `curl -i http://192.168.64.20:8080/` returns HTTP 200 and the `Alga Appliance Setup` page.
- `curl http://192.168.64.20:8080/api/status?token=<current-console-token>` returns status JSON whose diagnostics show `alga-appliance.service` loaded/enabled/active running, `alga-appliance-console.service` loaded/enabled/active exited successfully, and the host service listening on `:8080`. The API reports setup phase because web setup/bootstrap has not been run yet; this still satisfies the install PRD acceptance criterion that the appliance services start normally after installation.
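
Added example (not the project's build script): one way the disk-first guard noted above could be prepended to the installer `grub.cfg` and checked at build time. The marker path, entry title and kernel arguments come from these notes; the function names, the `alga_disk` variable, the `/casper` paths and the sample `grub.cfg` are assumptions.

```bash
#!/bin/sh
# Added example, not the project's build script. MARKER, the entry title and
# the kernel arguments come from the notes; function names, alga_disk and the
# /casper paths (stock Ubuntu live-server layout) are assumptions. The nocloud
# argument is quoted because ';' would otherwise end the GRUB command.
set -eu
MARKER=/etc/alga-appliance/booted-from-disk

# GRUB fragment: if any readable partition holds MARKER, chain to that disk's
# grub.cfg; only when no marker exists does the installer entry get shown.
emit_guard() {
  cat <<EOF
# BEGIN alga disk-first guard
if search --no-floppy --file --set=alga_disk ${MARKER}; then
  set root=\${alga_disk}
  configfile /boot/grub/grub.cfg
fi
menuentry "AlgaPSA Install" {
  linux /casper/vmlinuz autoinstall "ds=nocloud;s=/cdrom/nocloud/" ---
  initrd /casper/initrd
}
# END alga disk-first guard
EOF
}

# Prepend the fragment once, so repeated remaster runs stay idempotent.
prepend_guard() {
  cfg=$1
  if grep -q '^# BEGIN alga disk-first guard$' "$cfg"; then return 0; fi
  tmp=$(mktemp)
  { emit_guard; cat "$cfg"; } >"$tmp"
  cat "$tmp" >"$cfg"; rm -f "$tmp"   # rewrite in place, keep file mode
}

# Build-time check: the marker search must come before the first menuentry,
# otherwise an ISO left attached can still land in the installer.
guard_precedes_installer() {
  guard=$(grep -n -F -e "--file --set=alga_disk ${MARKER}" "$1" | head -n1 | cut -d: -f1)
  first=$(grep -n '^menuentry ' "$1" | head -n1 | cut -d: -f1)
  [ -n "$guard" ] && [ -n "$first" ] && [ "$guard" -lt "$first" ]
}

# Demo on a constructed stock installer grub.cfg (not the real ISO's file).
demo_cfg=$(mktemp)
printf '%s\n' 'set timeout=30' 'menuentry "Try or Install Ubuntu Server" {' \
  '  linux /casper/vmlinuz ---' '  initrd /casper/initrd' '}' >"$demo_cfg"
prepend_guard "$demo_cfg"; prepend_guard "$demo_cfg"   # second call is a no-op
guard_precedes_installer "$demo_cfg" && echo "guard precedes installer entries"
rm -f "$demo_cfg"
```

The guard depends on GRUB being able to read the filesystem that holds the marker, so it fits the direct storage layout kept as the preselected target; an encrypted root would hide the marker from the ISO's GRUB.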
Open Questions
- None for this install-safety PRD. Post-install web setup/bootstrap readiness is a separate flow from the ISO install safety acceptance criteria.
2026-05-03 Implementation Notes
- Added packaged React/Next setup route under `ee/appliance/status-ui/app/setup/page.tsx`.
- Reworked status UI styling to use Alga-like cards, badges, branded hero, and skeleton loading states.
- Added host-service JSON setup endpoints:
  - `GET /api/setup/config?token=...`
  - `POST /api/setup?token=...`
- Host-service now serves the built status UI from `/opt/alga-appliance/status-ui/dist` when available and falls back to legacy HTML otherwise.
- ISO staging now builds and copies the status UI bundle; it fails fast if dependencies or `dist` are missing unless explicitly skipped.
- Ubuntu autoinstall interactive sections now include both `network` and `storage`.
- Validation included host-service/API static smoke, Next build, and appliance test subset.
2026-05-03 Round9 Storage RBAC Finding
- Round9 local-path-provisioner failed with: `configmaps "local-path-config" is forbidden: User "system:serviceaccount:local-path-storage:local-path-provisioner-service-account" cannot get resource "configmaps"`.
- Root cause is likely RBAC collision/insufficient namespaced RBAC around k3s' built-in local-path objects using generic `local-path-provisioner-*` names.
- Updated `ee/appliance/manifests/local-path-storage.yaml` to use Alga-specific Role/ClusterRole/Binding names and added explicit namespaced configmap read access.
- Added test coverage to ensure the manifest avoids the generic ClusterRoleBinding name and grants configmap get/list/watch.