Automated (unattended) installation from a YAML answer file

[ggiesen]

Addresses #145.

We can add automation support in live-installer, but so far we haven't. The mint developers, myself included, are not experienced with PXE, automation and large scale deployments... If you had an ini file with all the automations you wanted to see happen, what would it look like?

That question has been open since 2022. Rather than answer it on paper, I built a working version and tested it end to end, so there is something concrete to react to.

This is an MVP for unattended installation: mergeable as is, and built to be extended. I am putting it up so you can review it and decide on the direction. It works end to end today (see below), and everything here is open to change.

I want to be clear about one thing up front. The goal is for this to work on Mint, but Mint does not ship live-installer yet (it arrives with Mint 23), so I have only been able to test on LMDE. I cannot test the Mint side until the Mint 23 beta is available. The code has a Mint vs LMDE branch, and I have pinned that branch with unit tests so it will not silently break, but the Mint path has not run end to end. There is more on this further down.

What works today, as automated installs in a VM driven only by an answer file, all on LMDE:

• BIOS and UEFI, on the simple, lvm, and lvm-on-luks layouts
• fully custom partition layouts: explicit partitions, custom LVM (VGs/LVs), btrfs subvolumes (@/@home), and software RAID (md, levels 0/1/5/10, including LVM-on-RAID and a RAID /boot, with GRUB installed to every member disk), validated and verified on the booted system
• static networking: static IPv4/IPv6 addresses, gateways, DNS, routes, 802.1Q VLANs, wifi (WPA-PSK / open), and 802.1X/EAP (wired and WPA-Enterprise; PEAP/TTLS/TLS, certs by reference), expressed in netplan's v2 schema and rendered to NetworkManager keyfiles directly (no netplan binary dependency)
• target disk selection by stable attribute (by-id, by-path, model, size-min, first-non-removable), including picking the right disk out of several, and multi-disk selection for RAID
• a LUKS-encrypted machine that prompts for its passphrase on the serial console at boot and unlocks unattended — by keyfile, or with no passphrase in the answer file at all (prompt-on-first-boot: the installer formats with a random throwaway key embedded in the initramfs so the first boot is unattended, then a one-shot service prompts on the console/serial for the real passphrase, rekeys, and reboots)
• users with SSH keys, packages, package removal, third-party apt repositories (cloud-init's apt: shape), an http(s) proxy, a custom CA trust store (ca_certs:), proprietary/DKMS drivers (drivers:), flatpak remotes and apps, Timeshift snapshots on btrfs, multi-layout keyboards + supplementary locales, pre-install early_commands (%pre-style), post-install commands, kernel command line, serial console
• a full PXE / iPXE netboot install on BIOS and UEFI: the same unattended install with no media at all, network-delivered end to end, verified over SSH on the installed system; plus an IPv6 data-path install (rootfs and answer file fetched over IPv6)
• answer-file delivery over local file, http(s), NFS (v3/v4.2, IPv4/IPv6/hostname), or TFTP (RFC 2347 blksize negotiation with RFC 1350 fallback), plus auto: identity-based discovery so one boot entry serves a whole fleet (it finds its own file by MAC / SMBIOS serial / UUID)
• the GUI installer behaves exactly as today when no answer file is present

It is covered by 356 unit tests and an integration suite that performs real installs in QEMU/KVM (including custom LVM/btrfs layouts, software RAID 1 and RAID 5 + LVM, a first-boot LUKS passphrase prompt over serial, flatpak app installs, static dual-stack IP + VLAN networking, and a no-media PXE netboot install), plus a real-NFS suite that fetches an answer file from a live NFS server over NFSv3 and NFSv4.2 across IPv4, IPv6, and a hostname. All run green in GitHub Actions on standard hosted runners, with no special hardware.

Bugs this turned up

Building and testing this found three pre-existing issues in the installer that affect more than automated installs. I am offering these as fixes regardless of what happens with the feature.

1. A udev race in full_disk_format() (partitioning.py). Each parted call triggers a partition-table rescan, during which udev briefly removes and recreates the partition device nodes. On a multi-partition EFI install, mkfs can race a node that has not reappeared yet. Because the failure was tolerated, the file copy then landed in tmpfs until it filled. This is the sort of sporadic "install failed" or "won't boot" that is very hard to diagnose from a user bug report. The fix is udevadm settle before the node check, and treating a failed mkfs as fatal. The integration harness reproduces it reliably.

2. The LUKS passphrase was logged in cleartext. The engine pipes it with echo <pass> | cryptsetup, which puts it in the process table (ps) and, once commands are logged, on the serial console and in the journal. Serial output is routinely captured off real hardware over BMC and serial-over-LAN. The fix is to feed it to cryptsetup on stdin (--key-file -), and to redact secrets from logs as a backstop.

3. Encrypted installs do not boot in the live environment without help. The engine runs update-initramfs, but in the live session that is a live-tools-diverted no-op, so the crypttab never reaches the initramfs and the encrypted root cannot be unlocked. It drops to a rescue shell. Plain and LVM installs are not affected because they boot from the stock initramfs, which is why this stayed hidden. The fix is in the automated path for now, and I am happy to discuss whether the engine should handle it for the GUI as well.

I am not certain that (2) and (3) reproduce on a normally booted GUI install the same way they do in my harness. They may be partly artifacts of how the test boots. (1) is firmware level and looks real on hardware. The reproductions are in the test suite.

What the answer file looks like

I went with YAML rather than ini. It expresses the lists this needs (users, packages, commands) without ad-hoc conventions. Where it genuinely overlaps with cloud-init, identity, users, packages, apt repositories, CA certs, proxy, and network config, it reuses cloud-init's own key names and structure, so anyone who has used cloud-init or Ubuntu autoinstall should find it familiar. Where the semantics differ I use the name that matches the behaviour rather than overloading a cloud-init key: post-install commands run in the target at install time, so they are late_commands (Ubuntu autoinstall's term, and kickstart's %post), not cloud-init's first-boot runcmd. It is not a drop-in for either format, but the shared parts are deliberately the same shape. PyYAML is already in the live ISO dependency chain.

version: 1

locale: en_US.UTF-8            # cloud-init style, top level
timezone: America/Toronto
hostname: mint-ws-01

keyboard:
  model: pc105
  layout: us
  additional_layouts: [{layout: ca, variant: fr}]   # multi-layout
  toggle: grp:alt_shift_toggle

additional_locales: [fr_CA.UTF-8]                    # generated alongside `locale`

users:
  - name: admin
    gecos: Workstation Admin
    passwd: "$6$rounds=..."    # sha512crypt; plaintext is rejected
    groups: [sudo]             # cloud-init idiom: 'sudo' in groups grants admin
    ssh_authorized_keys:
      - "ssh-ed25519 AAAA... admin@laptop"

storage:
  target:
    match:                       # selected by stable attribute, never /dev/sdX
      by-id: "nvme-Samsung_SSD_980_PRO_*"
      # alternatives: by-path, model, size-min, first-non-removable
    on_no_match: abort
  layout: lvm-on-luks            # presets: simple | lvm | lvm-on-luks (or custom)
  luks:
    passphrase_source: prompt-on-first-boot   # default: nothing secret in the file
    # or: passphrase_source: keyfile + keyfile: "https://cfg.example.com/keys/ws-01.key"

network:                         # netplan v2 subset -> NetworkManager keyfiles
  version: 2
  ethernets:
    lan0:
      match: {macaddress: "52:54:00:aa:bb:01"}
      addresses: [192.168.50.10/24, 2001:db8:50::10/64]   # dual-stack
      routes: [{to: default, via: 192.168.50.1}]
      nameservers: {addresses: [192.168.50.53], search: [lab.example]}
      # auth: {method: peap, identity: ..., ca-certificate: /etc/ssl/certs/corp.pem, ...}  # 802.1X
  vlans:
    vlan50: {id: 50, link: lan0, addresses: [10.50.0.5/24]}
  # wifis: { wlan0: { access-points: { "SSID": { password: "..." } } } }

packages: [openssh-server]
package_remove: [thunderbird]    # declarative removal (extension; cloud-init has none)
proxy: http://proxy.corp.example:3128

apt:                             # cloud-init's apt: shape
  sources:
    vendor:
      source: "deb https://example.com/repo trixie main"
      key_url: https://example.com/repo.gpg   # or cloud-init's key / keyid

flatpak:
  remotes: [{name: flathub, url: "https://flathub.org/repo/flathub.flatpakrepo"}]
  install: [org.gnome.Calculator]

drivers: {install: true}         # recommended proprietary/DKMS drivers (Mint)

kernel:
  serial_console: "ttyS0,115200" # headless: console and LUKS prompt on serial

early_commands:                  # %pre-style, in the live env before partitioning
  - mdadm --stop --scan
late_commands:                   # autoinstall-style; runs in the target at install time
  - /cdrom/scripts/site-setup.sh

on_failure:
  early_command_failure: abort
  partition_mismatch: abort
  network_unavailable: continue
  package_install_failure: abort

logging:
  destination: /var/log/live-installer-auto.log
  also_serial: ttyS0

The storage, users, locale, and keyboard sections map almost one to one onto the existing Setup class in installer.py, which is what makes this tractable.

Four safety rules

These come from a decade of preseed and kickstart pain.

1. No raw /dev/sdX. Disk targeting only via stable match expressions. Enumeration order is not stable across NVMe, SATA, and USB, and "wiped the wrong disk" is the bug class that kills trust. No match, or more than one match, aborts with the list of disks. It never guesses.
2. Crypted password hashes only. Plaintext is rejected outright, with no override.
3. Explicit failure behaviour. Every failure mode has a declared abort or continue policy, and the defaults fail closed (abort). An aborted install leaves the machine unbooted, never half installed.
4. Config is data, not a program. No conditionals, loops, or templating. Generate the YAML beforehand if you need that. (early_commands run shell, but cannot rewrite the partition layout — that stays declarative.)

The whole file is validated strictly. Unknown keys, wrong types, and malformed YAML are hard errors before any disk is touched. A --check mode validates an answer file without touching disks, so it can run in CI, and --list-disks prints a machine's stable disk attributes so an operator can build a match expression.

How it is invoked

• A file at a known path on the install media, for example /cdrom/auto-install.yaml. No infrastructure, covers USB and remastered ISO.
• A kernel argument live-installer.auto=<source>, where source is a path, an http(s)://, nfs://, or tftp:// URL, or auto:<base-url> for fleet-wide identity-based discovery (it finds its own file by MAC / SMBIOS serial / UUID). Cleartext transports that carry secrets are refused unless live-installer.auto-insecure is also passed.
• The same argument is how a full PXE / iPXE netboot triggers the install. Netboot has a few non-obvious image requirements (a single combined squashfs, the kernel/initrd/manifests carried in the rootfs, a NetworkManager-based live system); these are written up in docs/pxe-netboot.md.

With no answer file, the GUI runs exactly as today.

How it fits the existing code

This is what made me think it was worth doing. The engine is already shaped for it.

InstallerEngine has no GTK imports and talks to the UI through two callbacks, set_progress_hook and set_error_hook. The headless driver, auto_installer.py, is a sibling of InstallerWindow that registers console and log implementations of those same hooks. It does not change the engine's control flow. The automated partition path (setup.automated = True) already runs from flat Setup fields and never touches the GTK partition widgets.

The new modules are self-contained: auto_installer.py (driver), schema.py (validation), diskmatch.py (disk selection), discovery.py (answer-file discovery), netconfig.py (renders the network: section to NetworkManager keyfiles), pkgbackend.py (a swappable package backend so the repo/install step is not apt-hardcoded), catrust.py (renders ca_certs: into the system trust store), snapshotbackend.py (renders snapshots: to Timeshift), and commandrunner.py (one place that all shell-outs go through, for logging and secret handling). The swappable backends (package, CA trust, snapshot) all sit behind the commandrunner chroot boundary, so adding dnf/zypper, or a Snapper/rsync snapshot backend, is a drop-in rather than a rewrite. The changes to shared engine code are small and additive, and the CD/GUI path is unaffected: routing the engine's shell-outs through commandrunner (behaviour-preserving); one optional before_unmount_hook parameter on finish_installation() so the driver can do post-install work while the chroot is still mounted; and, for netboot, reading the kernel/initrd/package manifests from the rootfs when they are absent from the medium (a no-op on CD/USB, where they sit next to the squashfs).

Tests and CI

There is no CI in the repo today. This ships with three GitHub Actions workflows you can adopt incrementally.

Unit tests run pytest on Python 3.11 to 3.13, on every push and PR. They need no special hardware, since GTK and parted are stubbed. There are 356 of them.

Integration tests perform real installs in QEMU/KVM, nightly and on demand. The whole matrix (BIOS and UEFI across simple, LVM, and LUKS; multi-disk by-id; custom layouts with LVM and with btrfs subvolumes; software RAID 1 and RAID 5 + LVM-on-RAID; a prompt-on-first-boot LUKS passphrase typed over the serial console; flatpak remote + app installs; Timeshift-on-btrfs; static dual-stack IP + 802.1Q VLAN networking; no-media PXE/iPXE netboot installs on both BIOS and UEFI plus an IPv6 data-path install; and the malformed-input, no-disk-match, bios_grub-on-UEFI, and snapshots-on-ext4 failure cases) runs green on standard GitHub hosted runners. They have KVM, so no self-hosted lab is needed; the PXE scenarios use QEMU's built-in TFTP and iPXE, so they need no real DHCP/TFTP infrastructure. Serial logs are uploaded as artifacts so a failed run is debuggable without reproducing it locally.

A third workflow stands up a real NFS server on the runner (GitHub runners have passwordless sudo and a kernel nfsd) and fetches an answer file through the installer's actual nfs:// transport over the full matrix of protocol version (v3, v4.2) × address form (IPv4, IPv6, hostname), so NFS delivery is exercised end to end rather than mocked.

What it does not do yet

This is a base for the common desktop and workstation case, not a kickstart-class enterprise provisioner. Not implemented:

• Bonding and bridging. Not modelled yet (the rest of the netplan v2 model — static IPv4/IPv6, DNS, routes, VLANs, wifi, and 802.1X/EAP — is covered under "what works today"); wifi and EAP are unit-tested only, since QEMU does not emulate 802.11 and there is no RADIUS server in CI.
• Services enable/disable, firewall, and package groups / metapackages.
• TPM2 or network-bound (Clevis and Tang) LUKS unlock. The schema reserves tpm2, but the driver does keyfile and prompt-on-first-boot.
• IPv6 PXE firmware boot. The IPv6 data path is covered (a CI scenario installs with the rootfs and the answer file both fetched over IPv6), but booting the firmware over IPv6 (DHCPv6 + UEFI HTTP boot) cannot be emulated in QEMU's user-mode network, so that part is verified by reasoning, not by CI.

The biggest caveat is Mint itself, so to repeat it plainly: everything above has been tested on LMDE only. Mint does not ship live-installer until Mint 23, so I cannot run the Mint path end to end until the Mint 23 beta. The integration harness also assumes a Debian-live boot environment, and Mint uses casper, so the harness itself will need a Mint variant before it can cover Mint. The Mint vs LMDE code branch is pinned by unit tests so it will not silently regress, but please treat Mint support as designed-for and not yet verified.

Questions

1. Is YAML acceptable? If you would strongly prefer ini or something else, better to know now.
2. Strict validation currently uses python3-pydantic, which is packaged in Debian and Ubuntu. I can fall back to hand-rolled validation over PyYAML with no new dependencies if you would rather not add one to the live ISO. What is your policy on new dependencies for the ISO?
3. Is live-installer.auto= an acceptable kernel argument, and /cdrom/auto-install.yaml a reasonable well-known path? I handle both /cdrom and LMDE's /run/live/medium.
4. Should the engine own any of the bug fixes above, the udev race especially, or would you rather they stay in the automated path?
5. With Mint 23 unifying on live-installer, would you prefer this lands after 23.0 settles, or earlier?