build/initramfs/rfs: stabilize paths, tests; add branding guard; ntp robustness

• rfs_flists: normalize CWD to PROJECT_ROOT; invoke packers via absolute paths (fix relative lookup under kernel/current)

• initramfs_create_cpio: redirect to absolute output path; add explicit customization verification logs

• initramfs_test: default INITRAMFS_ARCHIVE to absolute dist/initramfs.cpio.xz when stage is invoked directly

• branding: guard motd/issue/password edits behind ZEROOS_BRANDING (or ZEROOS_REBRANDING) with default disabled; do not touch files unless enabled

• ntp: write /etc/ntp.conf only if absent; symlink ntpd.conf; runtime ntpd.sh parses kernel ntp= and falls back to Google NTP

• docs/config: add commented ZEROOS_BRANDING/REBRANDING examples to config/build.conf

config/build.conf

@@ -43,6 +43,12 @@ KERNEL_SOURCE_URL="https://cdn.kernel.org/pub/linux/kernel"
 # FIRMWARE_TAG="v1"
 #FIRMWARE_TAG="latest"
 
+# Branding and customization guard (default off)
+# Set to "true" to enable Zero-OS branding and passwordless root in initramfs.
+# Both variables are accepted; ZEROOS_BRANDING takes precedence if both set.
+ZEROOS_BRANDING="true"
+ZEROOS_REBRANDING="true"
+
 # Feature flags
 ENABLE_STRIP="true"
 ENABLE_UPX="true"

config/zinit/init/ntpd.sh

@@ -1,24 +1,24 @@
 #!/bin/sh
-set -e
+set -eu
 
 # Ensure /etc/ntp.conf exists for tools/hooks expecting it
-if [ -f /etc/ntpd.conf ] && [ ! -e /etc/ntp.conf ]; then
+if [ ! -e /etc/ntp.conf ] && [ -f /etc/ntpd.conf ]; then
   ln -sf /etc/ntpd.conf /etc/ntp.conf
 fi
 # dhcpcd hook may write into /var/lib/ntp
 mkdir -p /var/lib/ntp
 
 # Extract ntp=... from kernel cmdline if present
-ntp_flags=""
+ntp_flags="$(grep -o 'ntp=[^ ]*' /proc/cmdline 2>/dev/null | sed 's/^ntp=//' || true)"
 
 params=""
-if [ -n "" ]; then
+if [ -n "${ntp_flags}" ]; then
   # Convert comma-separated list into multiple -p args
-  params="-p "
+  params="-p $(printf '%s' "${ntp_flags}" | sed 's/,/ -p /g')"
 else
   # Sensible defaults when no ntp= is provided
   params="-p time.google.com -p time1.google.com -p time2.google.com -p time3.google.com"
 fi
 
 # BusyBox ntpd uses -p servers on CLI; /etc/ntp.conf symlink above helps alternative daemons.
-exec ntpd -n 
+exec ntpd -n ${params}

initramfs/etc/apk/world

@@ -23,6 +23,7 @@ linux-firmware-intel
 linux-firmware-qlogic
 linux-firmware-realtek
 musl
+nftables
 openssh-server
 tcpdump
 util-linux

initramfs/etc/resolv.conf

@@ -1,2 +1 @@
-nameserver 169.254.1.1
 nameserver 192.168.64.254

scripts/build.sh

@@ -298,11 +298,21 @@ function main_build_process() {
             log_info "Resolved FULL_KERNEL_VERSION: ${FULL_KERNEL_VERSION}"
         fi
 
-        # Ensure rfs scripts are executable (avoid subshell to preserve quoting)
-        safe_execute chmod +x ./scripts/rfs/*.sh
+        # Normalize working directory to the project root to avoid relative path issues
+        local _oldpwd
+        _oldpwd="$(pwd)"
+        safe_execute cd "${PROJECT_ROOT}"
+        log_debug "stage_rfs_flists CWD (normalized): $(pwd)"
+
+        # Ensure rfs scripts are executable when present (be robust if directory is missing)
+        if [[ -d "${PROJECT_ROOT}/scripts/rfs" ]]; then
+            safe_execute find "${PROJECT_ROOT}/scripts/rfs" -type f -name "*.sh" -exec chmod +x {} \;
+        else
+            log_warn "scripts/rfs directory not found under PROJECT_ROOT=${PROJECT_ROOT}; invoking packers via bash with absolute paths"
+        fi
 
         # Build modules flist (writes to dist/flists/modules-${FULL_KERNEL_VERSION}.fl)
-        safe_execute ./scripts/rfs/pack-modules.sh
+        safe_execute bash "${PROJECT_ROOT}/scripts/rfs/pack-modules.sh"
 
         # Build firmware flist with a reproducible tag:
         # Priority: env FIRMWARE_TAG > config/build.conf: FIRMWARE_TAG > "latest"
@@ -317,13 +327,13 @@ function main_build_process() {
             fw_tag="${FIRMWARE_TAG:-latest}"
         fi
         log_info "Using firmware tag: ${fw_tag}"
-        safe_execute env FIRMWARE_TAG="${fw_tag}" ./scripts/rfs/pack-firmware.sh
+        safe_execute env FIRMWARE_TAG="${fw_tag}" bash "${PROJECT_ROOT}/scripts/rfs/pack-firmware.sh"
 
         # Embed flists inside initramfs at /etc/rfs for zinit init scripts
         local etc_rfs_dir="${INSTALL_DIR}/etc/rfs"
         safe_mkdir "${etc_rfs_dir}"
 
-        local modules_fl="dist/flists/modules-${FULL_KERNEL_VERSION}.fl"
+        local modules_fl="${PROJECT_ROOT}/dist/flists/modules-${FULL_KERNEL_VERSION}.fl"
         if [[ -f "${modules_fl}" ]]; then
             safe_execute cp "${modules_fl}" "${etc_rfs_dir}/"
             log_info "Embedded modules flist: ${modules_fl} -> ${etc_rfs_dir}/"
@@ -331,7 +341,7 @@ function main_build_process() {
             log_warn "Modules flist not found: ${modules_fl}"
         fi
 
-        local firmware_fl="dist/flists/firmware-${fw_tag}.fl"
+        local firmware_fl="${PROJECT_ROOT}/dist/flists/firmware-${fw_tag}.fl"
         if [[ -f "${firmware_fl}" ]]; then
             # Provide canonical name firmware-latest.fl expected by firmware.sh
             safe_execute cp "${firmware_fl}" "${etc_rfs_dir}/firmware-latest.fl"
@@ -341,6 +351,8 @@ function main_build_process() {
         fi
 
         log_info "RFS flists embedded into initramfs"
+        # Restore previous working directory
+        safe_execute cd "${_oldpwd}"
     }
 
     function stage_cleanup() {
@@ -353,11 +365,25 @@ function main_build_process() {
     
     function stage_initramfs_create() {
         local initramfs_archive="${DIST_DIR}/initramfs.cpio.xz"
+        # Normalize to absolute path to avoid CWD-related issues in later stages
+        if [[ "${initramfs_archive}" != /* ]]; then
+            initramfs_archive="${PROJECT_ROOT}/${initramfs_archive#./}"
+        fi
         initramfs_create_cpio "$INSTALL_DIR" "$initramfs_archive"
         export INITRAMFS_ARCHIVE="$initramfs_archive"
+        log_debug "stage_initramfs_create: INITRAMFS_ARCHIVE=${INITRAMFS_ARCHIVE}"
     }
     
     function stage_initramfs_test() {
+        # Ensure INITRAMFS_ARCHIVE is set when skipping directly to this stage
+        if [[ -z "${INITRAMFS_ARCHIVE:-}" ]]; then
+            local archive_path="${DIST_DIR}/initramfs.cpio.xz"
+            if [[ "${archive_path}" != /* ]]; then
+                archive_path="${PROJECT_ROOT}/${archive_path#./}"
+            fi
+            export INITRAMFS_ARCHIVE="${archive_path}"
+            log_debug "stage_initramfs_test: defaulting INITRAMFS_ARCHIVE=${INITRAMFS_ARCHIVE}"
+        fi
         initramfs_test_archive "$INITRAMFS_ARCHIVE"
     }
     

scripts/lib/initramfs.sh

@@ -572,8 +572,12 @@ function initramfs_finalize_customization() {
     
     section_header "Final Zero-OS Customization"
     
+    # Branding guard (default disabled). Enable by setting ZEROOS_BRANDING=true (or ZEROOS_REBRANDING=true)
+    local _branding="${ZEROOS_BRANDING:-${ZEROOS_REBRANDING:-false}}"
+    
+    if [[ "${_branding}" == "true" ]]; then
         # Remove root password for passwordless login
-    log_info "Removing root password for passwordless login"
+        log_info "Branding enabled: removing root password for passwordless login"
         if [[ -f "${initramfs_dir}/etc/passwd" ]]; then
             safe_execute sed -i 's/^root:[^:]*:/root::/' "${initramfs_dir}/etc/passwd"
             log_info "✓ Root password removed"
@@ -582,7 +586,7 @@ function initramfs_finalize_customization() {
         fi
 
         # Update /etc/motd to Zero-OS
-    log_info "Updating /etc/motd to Zero-OS branding"
+        log_info "Branding enabled: updating /etc/motd to Zero-OS branding"
         cat > "${initramfs_dir}/etc/motd" << 'EOF'
 
 Welcome to Zero-OS!
@@ -595,16 +599,20 @@ For more information: https://github.com/threefoldtech/zos
 EOF
 
         # Update /etc/issue to Zero-OS
-    log_info "Updating /etc/issue to Zero-OS branding"
+        log_info "Branding enabled: updating /etc/issue to Zero-OS branding"
         cat > "${initramfs_dir}/etc/issue" << 'EOF'
 Zero-OS \r \m
 Built on \l
 
 EOF
+    else
+        log_info "Branding disabled: leaving /etc/motd, /etc/issue and root password unchanged"
+    fi
     
-    # Create ntpd.conf pointing to Google NTP servers
-    log_info "Creating ntpd.conf with Google NTP servers"
-    cat > "${initramfs_dir}/etc/ntpd.conf" << 'EOF'
+    # Ensure ntp.conf exists for hooks. Create only if absent, do not overwrite.
+    if [[ ! -f "${initramfs_dir}/etc/ntp.conf" ]]; then
+        log_info "Creating ntp.conf with Google NTP servers (absent)"
+        cat > "${initramfs_dir}/etc/ntp.conf" << 'EOF'
 # Zero-OS NTP Configuration
 # Using Google public NTP servers for reliable time sync
 
@@ -626,11 +634,19 @@ restrict -6 ::1
 # Drift file for time stability
 driftfile /var/lib/ntp/ntp.drift
 EOF
+    else
+        log_info "Keeping existing /etc/ntp.conf (no overwrite)"
+    fi
 
-    # Set proper permissions
-    safe_execute chmod 644 "${initramfs_dir}/etc/motd"
-    safe_execute chmod 644 "${initramfs_dir}/etc/issue"
-    safe_execute chmod 644 "${initramfs_dir}/etc/ntpd.conf"
+    # Provide BusyBox ntpd compatibility symlink if needed
+    if [[ ! -e "${initramfs_dir}/etc/ntpd.conf" ]]; then
+        (cd "${initramfs_dir}/etc" && ln -sf ntp.conf ntpd.conf)
+    fi
+    
+    # Set proper permissions (only if files exist)
+    [[ -f "${initramfs_dir}/etc/motd" ]] && safe_execute chmod 644 "${initramfs_dir}/etc/motd"
+    [[ -f "${initramfs_dir}/etc/issue" ]] && safe_execute chmod 644 "${initramfs_dir}/etc/issue"
+    [[ -f "${initramfs_dir}/etc/ntp.conf" ]] && safe_execute chmod 644 "${initramfs_dir}/etc/ntp.conf"
     
     # Create ntp drift directory
     safe_mkdir "${initramfs_dir}/var/lib/ntp"
@@ -652,18 +668,44 @@ function initramfs_create_cpio() {
     fi
     
     # Ensure output directory exists
-    local output_dir=$(dirname "$output_file")
+    local output_dir
+    output_dir=$(dirname "$output_file")
     safe_mkdir "$output_dir"
 
+    # Resolve absolute output path BEFORE cd so redirection doesn't target initramfs/
+    local output_file_abs
+    if [[ "$output_file" == /* ]]; then
+        output_file_abs="$output_file"
+    else
+        # Make absolute based on current working directory and output_dir
+        output_file_abs="$(cd "$output_dir" && pwd)/$(basename "$output_file")"
+    fi
+
     # Remove any existing output file
-    safe_execute rm -f "$output_file"
+    safe_execute rm -f "$output_file_abs"
     
     log_info "Source directory: ${initramfs_dir}"
     log_info "Output file: ${output_file}"
     log_info "Compression: ${compression}"
     
-    # Run final Zero-OS customization before creating CPIO
+    # Run final Zero-OS customization before creating CPIO (with explicit verification logs)
+    log_info "Calling initramfs_finalize_customization on: ${initramfs_dir}"
     initramfs_finalize_customization "$initramfs_dir"
+    if [[ -f "${initramfs_dir}/etc/ntpd.conf" ]]; then
+        log_info "Customization check: /etc/ntpd.conf present"
+    else
+        log_warn "Customization check: /etc/ntpd.conf missing"
+    fi
+    if [[ -f "${initramfs_dir}/etc/motd" ]]; then
+        log_info "Customization check: /etc/motd present"
+    else
+        log_warn "Customization check: /etc/motd missing"
+    fi
+    if [[ -d "${initramfs_dir}/var/lib/ntp" ]]; then
+        log_info "Customization check: /var/lib/ntp present"
+    else
+        log_warn "Customization check: /var/lib/ntp missing"
+    fi
 
     # Change to initramfs directory for relative paths
     safe_execute cd "$initramfs_dir"
@@ -671,19 +713,19 @@ function initramfs_create_cpio() {
     case "$compression" in
         "xz")
             log_info "Creating XZ compressed CPIO archive"
-            safe_execute find . -print0 | cpio -o -H newc -0 | xz -${XZ_COMPRESSION_LEVEL} --check=crc32 > "$output_file"
+            safe_execute find . -print0 | cpio -o -H newc -0 | xz -${XZ_COMPRESSION_LEVEL} --check=crc32 > "$output_file_abs"
             ;;
         "gzip"|"gz")
             log_info "Creating gzip compressed CPIO archive"
-            safe_execute find . -print0 | cpio -o -H newc -0 | gzip -9 > "$output_file"
+            safe_execute find . -print0 | cpio -o -H newc -0 | gzip -9 > "$output_file_abs"
             ;;
         "zstd")
             log_info "Creating zstd compressed CPIO archive"
-            safe_execute find . -print0 | cpio -o -H newc -0 | zstd -19 > "$output_file"
+            safe_execute find . -print0 | cpio -o -H newc -0 | zstd -19 > "$output_file_abs"
             ;;
         "none"|"uncompressed")
             log_info "Creating uncompressed CPIO archive"
-            safe_execute find . -print0 | cpio -o -H newc -0 > "$output_file"
+            safe_execute find . -print0 | cpio -o -H newc -0 > "$output_file_abs"
             ;;
         *)
             log_error "Unsupported compression format: ${compression}"
@@ -692,13 +734,14 @@ function initramfs_create_cpio() {
     esac
     
     # Verify output file was created
-    if [[ ! -f "$output_file" ]]; then
-        log_error "Failed to create initramfs archive: ${output_file}"
+    if [[ ! -f "$output_file_abs" ]]; then
+        log_error "Failed to create initramfs archive: ${output_file_abs}"
         return 1
     fi
     
     # Report final size
-    local final_size=$(get_file_size "$output_file")
+    local final_size
+    final_size=$(get_file_size "$output_file_abs")
     local uncompressed_size=$(du -sh "$initramfs_dir" | cut -f1)
     
     log_info "Initramfs creation complete:"