bastion/Dockerfile.bastion

# Dockerfile.bastion -- PXE boot server (dnsmasq DHCP/TFTP + HTTP)
# Requires host networking and NET_ADMIN/NET_RAW capabilities.

# ── Stage 1: Build ───────────────────────────────────────────────
FROM node:22-alpine AS builder

RUN corepack enable && corepack prepare pnpm@9.15.0 --activate

WORKDIR /app

# Copy workspace config and package manifests first (layer cache)
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json tsconfig.json ./
COPY src/shared/package.json   src/shared/tsconfig.json   src/shared/
COPY src/bastion/package.json  src/bastion/tsconfig.json  src/bastion/
COPY src/cli/package.json      src/cli/tsconfig.json      src/cli/
COPY src/modules/package.json  src/modules/tsconfig.json  src/modules/

# Install all dependencies (dev included -- needed for build)
RUN pnpm install --frozen-lockfile

# Copy source code
COPY src/shared/src/  src/shared/src/
COPY src/bastion/src/ src/bastion/src/
COPY src/cli/src/     src/cli/src/
COPY src/modules/src/ src/modules/src/
COPY src/modules/modules/ src/modules/modules/

# Build TypeScript
RUN pnpm build

# ── Stage 1b: Build iPXE snp.efi (uses UEFI SNP protocol for ISO boot) ──
FROM fedora:43 AS ipxe-builder

RUN dnf install -y git gcc make perl-interpreter xz-devel gcc-aarch64-linux-gnu && dnf clean all
RUN git clone --depth=1 https://github.com/ipxe/ipxe.git /tmp/ipxe
RUN cd /tmp/ipxe/src && make bin-x86_64-efi/snp.efi && \
    make CROSS_COMPILE=aarch64-linux-gnu- bin-arm64-efi/snp.efi

# ── Stage 2: Production runtime (Fedora -- needs dnsmasq) ───────
FROM fedora:43

RUN dnf install -y \
    dnsmasq \
    ipxe-bootimgs-x86 \
    ipxe-bootimgs-aarch64 \
    iproute \
    curl \
    openssh-clients \
    nodejs \
    npm \
    xorriso \
    mtools \
    && dnf clean all

# iPXE snp.efi built from source (Fedora only ships snponly, which can't
# boot from CD-ROM/USB -- it requires PXE chainloading)
COPY --from=ipxe-builder /tmp/ipxe/src/bin-x86_64-efi/snp.efi /usr/share/ipxe/ipxe-snp-x86_64.efi
COPY --from=ipxe-builder /tmp/ipxe/src/bin-arm64-efi/snp.efi /usr/share/ipxe/arm64-efi/ipxe-snp.efi

# Install pnpm
RUN npm install -g pnpm@9

WORKDIR /app

# Copy workspace config and package manifests
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
COPY src/shared/package.json  src/shared/
COPY src/bastion/package.json src/bastion/
COPY src/cli/package.json     src/cli/
COPY src/modules/package.json src/modules/

# Install production dependencies
RUN pnpm install --frozen-lockfile --prod 2>/dev/null || pnpm install --prod

# Copy built output from builder
COPY --from=builder /app/src/shared/dist/  src/shared/dist/
COPY --from=builder /app/src/bastion/dist/ src/bastion/dist/
COPY --from=builder /app/src/cli/dist/     src/cli/dist/
COPY --from=builder /app/src/modules/dist/ src/modules/dist/

# Create data directories
RUN mkdir -p /data/state /data/tftp /data/http

ENV NODE_ENV=production
ENV BASTION_DIR=/data
ENV HTTP_PORT=8080

EXPOSE 8080/tcp
EXPOSE 67/udp
EXPOSE 69/udp
EXPOSE 4011/udp

ENTRYPOINT ["node", "src/cli/dist/index.js", "init", "bastion", "standalone", "start", "--foreground"]
feat: install logging, error trapping, PXE/ISO integration tests Kickstart installs on real hardware failed silently — no error reporting, only 3 progress callbacks, zero log streaming. This overhaul makes every install fully observable. Kickstart improvements: - Error trapping in %pre and %post (trap ERR sends failure details to bastion) - 12+ granular progress stages (was 3): SSH, hostname, k3s prep, EFI boot, metadata - Background log streamer: tails %post output and batch-sends to /api/log - bastion_log() function for explicit log lines from kickstart scripts Bastion API: - POST /api/log — receives raw log lines from kickstart (single or batch) - InstallLogBuffer — per-MAC ring buffer (2000 lines) + file persistence - GET /api/logs/:mac — now returns log_lines + log_total alongside stages - SSE /api/logs/:mac/follow — uses named events (event: stage vs event: log) - Progress events forwarded to labd via bastion-progress WebSocket message - Post-provision k3s logs routed through progressBus (was console-only) dnsmasq fixes found during VM testing: - HTTP Boot filename: ipxe-real.efi → ipxe.efi (leftover from old 2-stage approach) - pxe-service directives: only in proxy mode (breaks OVMF PXE in full mode) - PXEClient vendor class echo for UEFI firmware compatibility Integration tests: - PXE boot test: blank UEFI VM → dnsmasq → HTTP Boot → iPXE → bastion → install - ISO boot test: blank VM boots from bastion-generated ISO → same flow - Shared helpers: pxe-network (no DHCP, nftables fix), pxe-vm (UEFI + ISO boot) - test-provision.sh: runs both PXE + ISO tests with prerequisite checks - 250GB sparse QCOW2 disk (LVM layout needs ~204GB) 201 unit tests passing (11 new). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 22:26:33 +00:00			`# Dockerfile.bastion -- PXE boot server (dnsmasq DHCP/TFTP + HTTP)`
			`# Requires host networking and NET_ADMIN/NET_RAW capabilities.`

			`# ── Stage 1: Build ───────────────────────────────────────────────`
			`FROM node:22-alpine AS builder`

			`RUN corepack enable && corepack prepare pnpm@9.15.0 --activate`

			`WORKDIR /app`

			`# Copy workspace config and package manifests first (layer cache)`
			`COPY pnpm-workspace.yaml pnpm-lock.yaml package.json tsconfig.base.json tsconfig.json ./`
			`COPY src/shared/package.json src/shared/tsconfig.json src/shared/`
			`COPY src/bastion/package.json src/bastion/tsconfig.json src/bastion/`
			`COPY src/cli/package.json src/cli/tsconfig.json src/cli/`
			`COPY src/modules/package.json src/modules/tsconfig.json src/modules/`

			`# Install all dependencies (dev included -- needed for build)`
			`RUN pnpm install --frozen-lockfile`

			`# Copy source code`
			`COPY src/shared/src/ src/shared/src/`
			`COPY src/bastion/src/ src/bastion/src/`
			`COPY src/cli/src/ src/cli/src/`
			`COPY src/modules/src/ src/modules/src/`
			`COPY src/modules/modules/ src/modules/modules/`

			`# Build TypeScript`
			`RUN pnpm build`

			`# ── Stage 1b: Build iPXE snp.efi (uses UEFI SNP protocol for ISO boot) ──`
			`FROM fedora:43 AS ipxe-builder`

			`RUN dnf install -y git gcc make perl-interpreter xz-devel gcc-aarch64-linux-gnu && dnf clean all`
			`RUN git clone --depth=1 https://github.com/ipxe/ipxe.git /tmp/ipxe`
			`RUN cd /tmp/ipxe/src && make bin-x86_64-efi/snp.efi && \`
			`make CROSS_COMPILE=aarch64-linux-gnu- bin-arm64-efi/snp.efi`

			`# ── Stage 2: Production runtime (Fedora -- needs dnsmasq) ───────`
			`FROM fedora:43`

			`RUN dnf install -y \`
			`dnsmasq \`
			`ipxe-bootimgs-x86 \`
			`ipxe-bootimgs-aarch64 \`
			`iproute \`
			`curl \`
			`openssh-clients \`
			`nodejs \`
			`npm \`
			`xorriso \`
			`mtools \`
			`&& dnf clean all`

			`# iPXE snp.efi built from source (Fedora only ships snponly, which can't`
			`# boot from CD-ROM/USB -- it requires PXE chainloading)`
			`COPY --from=ipxe-builder /tmp/ipxe/src/bin-x86_64-efi/snp.efi /usr/share/ipxe/ipxe-snp-x86_64.efi`
			`COPY --from=ipxe-builder /tmp/ipxe/src/bin-arm64-efi/snp.efi /usr/share/ipxe/arm64-efi/ipxe-snp.efi`

			`# Install pnpm`
			`RUN npm install -g pnpm@9`

			`WORKDIR /app`

			`# Copy workspace config and package manifests`
			`COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./`
			`COPY src/shared/package.json src/shared/`
			`COPY src/bastion/package.json src/bastion/`
			`COPY src/cli/package.json src/cli/`
			`COPY src/modules/package.json src/modules/`

			`# Install production dependencies`
			`RUN pnpm install --frozen-lockfile --prod 2>/dev/null \|\| pnpm install --prod`

			`# Copy built output from builder`
			`COPY --from=builder /app/src/shared/dist/ src/shared/dist/`
			`COPY --from=builder /app/src/bastion/dist/ src/bastion/dist/`
			`COPY --from=builder /app/src/cli/dist/ src/cli/dist/`
			`COPY --from=builder /app/src/modules/dist/ src/modules/dist/`

			`# Create data directories`
			`RUN mkdir -p /data/state /data/tftp /data/http`

			`ENV NODE_ENV=production`
			`ENV BASTION_DIR=/data`
			`ENV HTTP_PORT=8080`

			`EXPOSE 8080/tcp`
			`EXPOSE 67/udp`
			`EXPOSE 69/udp`
			`EXPOSE 4011/udp`

			`ENTRYPOINT ["node", "src/cli/dist/index.js", "init", "bastion", "standalone", "start", "--foreground"]`