
[User Story] Create aembit-sysext-build repository #166

@noahwhite

Description

Story Summary

As a platform engineer, I want the Aembit agent packaged as a systemd-sysext image, so that I can deploy it on Flatcar Container Linux instances.

Phase: Infrastructure Prerequisite (enables Phase 2)

✅ Acceptance Criteria

  • New repository noahwhite/aembit-sysext-build created (public)
  • Dockerfile downloads Aembit agent binary from official releases
  • Build script creates valid sysext image structure:
    • /usr/local/bin/aembit-agent
    • /usr/local/lib/systemd/system/aembit-proxy.service
    • /usr/local/lib/extension-release.d/extension-release.aembit
  • GitHub Actions workflow:
    • Triggered on release or workflow_dispatch
    • Builds sysext image
    • Signs with GPG (same key as Alloy)
    • Generates SHA256SUMS manifest
    • Uploads to R2 bucket
    • Creates PR in ghost-stack to add sysext
  • README documents build process and usage

📝 Additional Context

Repository Structure

aembit-sysext-build/
├── .github/
│   └── workflows/
│       └── build-and-publish.yml
├── Dockerfile
├── build-aembit-sysext.sh
├── scripts/
│   └── fetch-secrets.sh
├── CLAUDE.md
└── README.md

Sysext Image Contents

aembit-<version>.raw
└── usr/
    └── local/
        ├── bin/
        │   └── aembit-agent
        └── lib/
            ├── systemd/
            │   └── system/
            │       └── aembit-proxy.service
            └── extension-release.d/
                └── extension-release.aembit

Service Unit Template

[Unit]
Description=Aembit Proxy Agent
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/aembit-agent proxy \
  --enrollment-token-file /etc/aembit/enrollment-token
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
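
The acceptance criteria, the image layout and the unit template above together describe one build step. Here is an added example of what a minimal `build-aembit-sysext.sh` could look like; it is not the repository's own script and was not taken from the Aembit or Flatcar projects. Assumptions not stated in the story: the agent binary is handed in as a local file (the Dockerfile's download step is out of scope here), the extension-release file uses `ID=_any` so systemd-sysext does not compare it against the host's `/etc/os-release`, `mksquashfs` is used when present with a tar fallback otherwise, and GPG signing only runs when `GPG_KEY_ID` is exported.

```shell
#!/usr/bin/env bash
# Added example of build-aembit-sysext.sh (not the repository's own script).
# Assumptions: agent binary supplied as a local file, ID=_any in the
# extension-release, mksquashfs optional, GPG signing only when GPG_KEY_ID is set.
set -eu

# Lay out the sysext file tree under STAGE. Usage: build_sysext_tree STAGE AGENT_BINARY
build_sysext_tree() {
  stage="$1"; binary="$2"
  install -D -m 0755 "$binary" "$stage/usr/local/bin/aembit-agent"
  install -d -m 0755 "$stage/usr/local/lib/systemd/system" \
                     "$stage/usr/local/lib/extension-release.d"
  cat > "$stage/usr/local/lib/systemd/system/aembit-proxy.service" <<'EOF'
[Unit]
Description=Aembit Proxy Agent
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/aembit-agent proxy \
  --enrollment-token-file /etc/aembit/enrollment-token
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
  # systemd-sysext refuses to merge an image without this file. ID=_any skips the
  # os-release ID check (assumption for this example); ARCHITECTURE is only
  # compared when present, so a wrong-arch image is rejected rather than merged.
  cat > "$stage/usr/local/lib/extension-release.d/extension-release.aembit" <<'EOF'
ID=_any
ARCHITECTURE=x86-64
EOF
}

# Check that every path the acceptance criteria require exists and the agent is
# executable. Returns 0 when complete, 1 (listing what is missing) otherwise.
check_sysext_tree() {
  stage="$1"; missing=0
  for f in usr/local/bin/aembit-agent \
           usr/local/lib/systemd/system/aembit-proxy.service \
           usr/local/lib/extension-release.d/extension-release.aembit; do
    if [ ! -f "$stage/$f" ]; then echo "missing: $f" >&2; missing=1; fi
  done
  if [ -e "$stage/usr/local/bin/aembit-agent" ] && [ ! -x "$stage/usr/local/bin/aembit-agent" ]; then
    echo "agent binary is not executable" >&2; missing=1
  fi
  return "$missing"
}

# Pack STAGE into aembit-<version>.raw, write SHA256SUMS, optionally detach-sign it.
# Prints the image path. Usage: pack_sysext STAGE VERSION OUTDIR
pack_sysext() {
  stage="$1"; version="$2"; outdir="$3"
  image="aembit-${version}.raw"
  mkdir -p "$outdir"
  if command -v mksquashfs >/dev/null 2>&1; then
    # Read-only squashfs owned by root, as systemd-sysext expects.
    mksquashfs "$stage" "$outdir/$image" -all-root -noappend -quiet
  else
    # Fallback so the manifest step can be exercised on a box without squashfs-tools;
    # a tar archive is NOT a loadable sysext image.
    tar -C "$stage" -cf "$outdir/$image" usr
  fi
  ( cd "$outdir" && sha256sum "$image" > SHA256SUMS )
  if [ -n "${GPG_KEY_ID:-}" ]; then
    gpg --batch --yes --local-user "$GPG_KEY_ID" --armor --detach-sign "$outdir/SHA256SUMS"
  fi
  echo "$outdir/$image"
}

# What a consumer (e.g. the ghost-stack PR check) runs before installing the image.
verify_manifest() { ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null ); }

# CLI entry point: ./build-aembit-sysext.sh <version> <outdir> with AEMBIT_BINARY set.
if [ -n "${1:-}" ]; then
  stage_dir=$(mktemp -d)
  build_sysext_tree "$stage_dir" "${AEMBIT_BINARY:?set AEMBIT_BINARY to the agent binary}"
  check_sysext_tree "$stage_dir"
  pack_sysext "$stage_dir" "$1" "${2:-./out}"
fi
```

Two points worth keeping in mind when the real script is written. First, systemd-sysext compares the suffix of `extension-release.aembit` with the image file name, so a versioned file such as `aembit-1.2.3.raw` should be exposed on the host through a link named `aembit.raw` under `/etc/extensions/` (the usual Flatcar pattern) rather than copied under its versioned name. Second, the detached signature covers `SHA256SUMS`, not each `.raw` file, so the consumer must verify the signature before trusting the sums, then run `sha256sum -c`; the manifest alone proves nothing about origin.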

Parallelization

This story can be worked on in parallel with Phase 1 (GHO-65/GHO-66):

  • Sysext packages the agent binary (no Aembit account needed)
  • OIDC/enrollment token work is separate infrastructure
  • Both must complete before Phase 2 (GHO-68)

📦 Definition of Ready

  • Acceptance criteria defined
  • No unresolved external dependencies (can run in parallel with GHO-65)
  • Story is estimated
  • Team has necessary skills and access
  • Priority is clear
  • Business value understood

✅ Definition of Done

  • All acceptance criteria met
  • Repository created with CI/CD workflow
  • Initial build triggered and successful
  • Sysext image uploaded to R2
  • SHA256SUMS committed to repository
  • PR created in ghost-stack
