underpost 2.99.4 → 2.99.6

package/src/cli/baremetal.js

@@ -6,15 +6,16 @@
 
 import { fileURLToPath } from 'url';
 import { getNpmRootPath, getUnderpostRootPath } from '../server/conf.js';
-import { openTerminal, pbcopy, shellExec } from '../server/process.js';
+import { pbcopy, shellExec } from '../server/process.js';
 import dotenv from 'dotenv';
-import { loggerFactory } from '../server/logger.js';
+import { loggerFactory, loggerMiddleware } from '../server/logger.js';
 import fs from 'fs-extra';
 import path from 'path';
 import Downloader from '../server/downloader.js';
 import { newInstance, range, s4, timer } from '../client/components/core/CommonJs.js';
 import { spawnSync } from 'child_process';
 import Underpost from '../index.js';
+import express from 'express';
 
 const logger = loggerFactory(import.meta);
 
@@ -27,19 +28,6 @@ const logger = loggerFactory(import.meta);
  */
 class UnderpostBaremetal {
   static API = {
-    /**
-     * @method installPacker
-     * @description Installs Packer CLI.
-     * @memberof UnderpostBaremetal
-     * @returns {Promise<void>}
-     */
-    async installPacker(underpostRoot) {
-      const scriptPath = `${underpostRoot}/scripts/packer-setup.sh`;
-      logger.info(`Installing Packer using script: ${scriptPath}`);
-      shellExec(`sudo chmod +x ${scriptPath}`);
-      shellExec(`sudo ${scriptPath}`);
-    },
-
     /**
      * @method callback
      * @description Initiates a baremetal provisioning workflow based on the provided options.
@@ -64,6 +52,7 @@ class UnderpostBaremetal {
      * @param {string} [options.mac=''] - MAC address of the baremetal machine.
      * @param {boolean} [options.ipxe=false] - Flag to use iPXE for booting.
      * @param {boolean} [options.ipxeRebuild=false] - Flag to rebuild the iPXE binary with embedded script.
+     * @param {string} [options.ipxeBuildIso=''] - Builds a standalone iPXE ISO with embedded script for the specified workflow ID.
      * @param {boolean} [options.installPacker=false] - Flag to install Packer CLI.
      * @param {string} [options.packerMaasImageTemplate] - Template path from canonical/packer-maas to extract (requires workflow-id).
      * @param {string} [options.packerWorkflowId] - Workflow ID for Packer MAAS image operations (used with --packer-maas-image-build or --packer-maas-image-upload).
@@ -76,6 +65,7 @@ class UnderpostBaremetal {
      * @param {boolean} [options.commission=false] - Flag to commission the baremetal machine.
      * @param {number} [options.bootstrapHttpServerPort=8888] - Port for the bootstrap HTTP server.
      * @param {string} [options.bootstrapHttpServerPath='./public/localhost'] - Path for the bootstrap HTTP server files.
+     * @param {boolean} [options.bootstrapHttpServerRun=false] - Flag to start the bootstrap HTTP server.
      * @param {string} [options.isoUrl=''] - Uses a custom ISO URL for baremetal machine commissioning.
      * @param {boolean} [options.ubuntuToolsBuild=false] - Builds ubuntu tools for chroot environment.
      * @param {boolean} [options.ubuntuToolsTest=false] - Tests ubuntu tools in chroot environment.
@@ -86,6 +76,7 @@ class UnderpostBaremetal {
      * @param {boolean} [options.nfsBuild=false] - Flag to build the NFS root filesystem.
      * @param {boolean} [options.nfsBuildServer=false] - Flag to build the NFS server components.
      * @param {boolean} [options.nfsMount=false] - Flag to mount the NFS root filesystem.
+     * @param {boolean} [options.nfsReset=false] - Flag to reset the NFS environment by unmounting and cleaning the host path.
      * @param {boolean} [options.nfsUnmount=false] - Flag to unmount the NFS root filesystem.
      * @param {boolean} [options.nfsSh=false] - Flag to chroot into the NFS environment for shell access.
      * @param {string} [options.logs=''] - Specifies which logs to display ('dhcp', 'cloud', 'machine', 'cloud-config').
@@ -111,6 +102,7 @@ class UnderpostBaremetal {
         mac: '',
         ipxe: false,
         ipxeRebuild: false,
+        ipxeBuildIso: '',
         installPacker: false,
         packerMaasImageTemplate: false,
         packerWorkflowId: '',
@@ -124,6 +116,7 @@ class UnderpostBaremetal {
         commission: false,
         bootstrapHttpServerPort: 8888,
         bootstrapHttpServerPath: './public/localhost',
+        bootstrapHttpServerRun: false,
         isoUrl: '',
         ubuntuToolsBuild: false,
         ubuntuToolsTest: false,
@@ -134,6 +127,7 @@ class UnderpostBaremetal {
         nfsBuild: false,
         nfsBuildServer: false,
         nfsMount: false,
+        nfsReset: false,
         nfsUnmount: false,
         nfsSh: false,
         logs: '',
@@ -218,12 +212,7 @@ class UnderpostBaremetal {
       // Create a new machine in MAAS if the option is set.
       let machine;
       if (options.createMachine === true) {
-        const [searhMachine] = JSON.parse(
-          shellExec(`maas maas machines read hostname=${hostname}`, {
-            stdout: true,
-            silent: true,
-          }),
-        );
+        const [searhMachine] = Underpost.baremetal.maasCliExec(`machines read hostname=${hostname}`);
 
         if (searhMachine) {
           // Check if existing machine's MAC matches the specified MAC
@@ -238,16 +227,14 @@ class UnderpostBaremetal {
             logger.info(`Deleting existing machine ${searhMachine.system_id} to recreate with correct MAC...`);
 
             // Delete the existing machine
-            shellExec(`maas maas machine delete ${searhMachine.system_id}`, {
-              silent: true,
-            });
+            Underpost.baremetal.maasCliExec(`machine delete ${searhMachine.system_id}`);
 
             // Create new machine with correct MAC
             machine = Underpost.baremetal.machineFactory({
               hostname,
               ipAddress,
               macAddress,
-              maas: workflowsConfig[workflowId].maas,
+              architecture: workflowsConfig[workflowId].architecture,
             }).machine;
 
             logger.info(`✓ Machine recreated with MAC ${macAddress}`);
@@ -266,12 +253,33 @@ class UnderpostBaremetal {
               hostname,
               ipAddress,
               macAddress,
-              maas: workflowsConfig[workflowId].maas,
+              architecture: workflowsConfig[workflowId].architecture,
             }).machine;
           }
         }
       }
 
+      if (options.ipxeBuildIso)
+        return await Underpost.baremetal.ipxeBuildIso({
+          workflowId,
+          isoOutputPath: options.ipxeBuildIso,
+          tftpPrefix,
+          ipFileServer,
+          ipAddress,
+          ipConfig,
+          netmask,
+          dnsServer,
+          macAddress,
+          cloudInit: options.cloudInit,
+          dev: options.dev,
+          forceRebuild: options.ipxeRebuild,
+          bootstrapHttpServerPort: Underpost.baremetal.bootstrapHttpServerPortFactory({
+            port: options.bootstrapHttpServerPort,
+            workflowId,
+            workflowsConfig,
+          }),
+        });
+
       if (options.installPacker) {
         await Underpost.baremetal.installPacker(underpostRoot);
         return;
@@ -351,7 +359,7 @@ class UnderpostBaremetal {
 
         // Build phase (skip if upload-only mode)
         if (options.packerMaasImageBuild) {
-          if (shellExec('packer version', { silent: true }).code !== 0) {
+          if (shellExec('packer version').code !== 0) {
             throw new Error('Packer is not installed. Please install Packer to proceed.');
           }
 
@@ -414,29 +422,9 @@ rm -rf ${artifacts.join(' ')}`);
 
         logger.info(`Uploading image to MAAS...`);
 
-        // Detect MAAS profile from 'maas list' output
-        let maasProfile = process.env.MAAS_ADMIN_USERNAME;
-        if (!maasProfile) {
-          const profileList = shellExec('maas list', { silent: true, stdout: true });
-          if (profileList) {
-            const firstLine = profileList.trim().split('\n')[0];
-            const match = firstLine.match(/^(\S+)\s+http/);
-            if (match) {
-              maasProfile = match[1];
-              logger.info(`Detected MAAS profile: ${maasProfile}`);
-            }
-          }
-        }
-
-        if (!maasProfile) {
-          throw new Error(
-            'MAAS profile not found. Please run "maas login" first or set MAAS_ADMIN_USERNAME environment variable.',
-          );
-        }
-
         // Use the upload script to avoid MAAS CLI bugs
         const uploadScript = `${underpostRoot}/scripts/maas-upload-boot-resource.sh`;
-        const uploadCmd = `${uploadScript} ${maasProfile} "${workflow.maas.name}" "${workflow.maas.title}" "${workflow.maas.architecture}" "${workflow.maas.base_image}" "${workflow.maas.filetype}" "${tarballPath}"`;
+        const uploadCmd = `${uploadScript} ${process.env.MAAS_ADMIN_USERNAME} "${workflow.maas.name}" "${workflow.maas.title}" "${workflow.maas.architecture}" "${workflow.maas.base_image}" "${workflow.maas.filetype}" "${tarballPath}"`;
 
         logger.info(`Uploading to MAAS using: ${uploadScript}`);
         const uploadResult = shellExec(uploadCmd);
@@ -679,7 +667,11 @@ rm -rf ${artifacts.join(' ')}`);
             bootstrapArch,
             callbackMetaData,
             steps: [
-              `dnf install -y --allowerasing ${allPackages.join(' ')} 2>/dev/null || yum install -y --allowerasing ${allPackages.join(' ')} 2>/dev/null || echo "Package install completed"`,
+              `dnf install -y --allowerasing ${allPackages.join(
+                ' ',
+              )} 2>/dev/null || yum install -y --allowerasing ${allPackages.join(
+                ' ',
+              )} 2>/dev/null || echo "Package install completed"`,
               `dnf clean all`,
               `echo "=== Installed packages verification ==="`,
               `rpm -qa | grep -E "dracut|kernel|nfs" | sort`,
@@ -735,12 +727,7 @@ rm -rf ${artifacts.join(' ')}`);
 
       // Fetch boot resources and machines if commissioning or listing.
 
-      let resources = JSON.parse(
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-resources read`, {
-          silent: true,
-          stdout: true,
-        }),
-      ).map((o) => ({
+      let resources = Underpost.baremetal.maasCliExec(`boot-resources read`).map((o) => ({
         id: o.id,
         name: o.name,
         architecture: o.architecture,
@@ -748,12 +735,7 @@ rm -rf ${artifacts.join(' ')}`);
       if (options.ls === true) {
         console.table(resources);
       }
-      let machines = JSON.parse(
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machines read`, {
-          stdout: true,
-          silent: true,
-        }),
-      ).map((m) => ({
+      let machines = Underpost.baremetal.maasCliExec(`machines read`).map((m) => ({
         system_id: m.interface_set[0].system_id,
         mac_address: m.interface_set[0].mac_address,
         hostname: m.hostname,
@@ -819,7 +801,6 @@ rm -rf ${artifacts.join(' ')}`);
               `chmod +x /underpost/shutdown.sh`,
               `chmod +x /underpost/device_scan.sh`,
               `chmod +x /underpost/mac.sh`,
-              `chmod +x /underpost/enlistment.sh`,
               `sudo chmod 700 ~/.ssh/`, // Set secure permissions for .ssh directory.
               `sudo chmod 600 ~/.ssh/authorized_keys`, // Set secure permissions for authorized_keys.
               `sudo chmod 644 ~/.ssh/known_hosts`, // Set permissions for known_hosts.
@@ -875,11 +856,31 @@ rm -rf ${artifacts.join(' ')}`);
           });
       }
 
+      // Generate MAAS authentication credentials
+      const authCredentials =
+        options.commission || options.cloudInit || options.cloudInitUpdate
+          ? Underpost.baremetal.maasAuthCredentialsFactory()
+          : { consumer_key: '', consumer_secret: '', token_key: '', token_secret: '' };
+
+      // Generate cloud-init configuration if needed for commissioning or cloud-init update workflows.
+      let cloudConfigSrc = '';
       if (options.cloudInit || options.cloudInitUpdate) {
         const { chronyc, networkInterfaceName } = workflowsConfig[workflowId];
         const { timezone, chronyConfPath } = chronyc;
-        const authCredentials = Underpost.cloudInit.authCredentialsFactory();
-        const { cloudConfigSrc } = Underpost.cloudInit.configFactory(
+
+        let write_files = [];
+        let runcmd = options.runcmd;
+
+        if (machine && options.commission) {
+          write_files = Underpost.baremetal.commissioningWriteFilesFactory({
+            machine,
+            authCredentials,
+            runnerHostIp: callbackMetaData.runnerHost.ip,
+          });
+          runcmd = '/usr/local/bin/underpost-enlist.sh';
+        }
+
+        cloudConfigSrc = Underpost.cloudInit.configFactory(
           {
             controlServerIp: callbackMetaData.runnerHost.ip,
             hostname,
@@ -891,15 +892,48 @@ rm -rf ${artifacts.join(' ')}`);
             networkInterfaceName,
             ubuntuToolsBuild: options.ubuntuToolsBuild,
             bootcmd: options.bootcmd,
-            runcmd: options.runcmd,
+            runcmd,
+            write_files,
           },
           authCredentials,
-        );
+        ).cloudConfigSrc;
+      }
+
+      // Rocky/RHEL Kickstart generation
+      let kickstartSrc = '';
+      if (Underpost.baremetal.getFamilyBaseOs(workflowsConfig[workflowId].osIdLike).isRhelBased) {
+        kickstartSrc = Underpost.kickstart.kickstartFactory({
+          lang: 'en_US.UTF-8',
+          keyboard: workflowsConfig[workflowId].keyboard?.layout,
+          timezone: workflowsConfig[workflowId].chronyc?.timezone,
+          rootPassword: process.env.MAAS_ADMIN_PASS,
+          authorizedKeys: fs.readFileSync('/home/dd/engine/engine-private/deploy/id_rsa.pub', 'utf8').trim(),
+        });
+      }
 
+      // Build and optionally run the HTTP bootstrap server to serve cloud-init, kickstart, and ISO resources for commissioning and provisioning.
+      if (cloudConfigSrc || kickstartSrc || workflowsConfig[workflowId].isoUrl)
         Underpost.baremetal.httpBootstrapServerStaticFactory({
           bootstrapHttpServerPath,
           hostname,
           cloudConfigSrc,
+          kickstartSrc,
+          isoUrl: workflowsConfig[workflowId].isoUrl,
+        });
+
+      // Set up iptables rules for NAT and port forwarding to enable network connectivity for the baremetal machines.
+      shellExec(`${underpostRoot}/scripts/nat-iptables.sh`, { silent: true });
+
+      // Start HTTP bootstrap server if commissioning or if ISO URL is used (for ISO-based workflows).
+      if (options.bootstrapHttpServerRun || options.commission) {
+        Underpost.baremetal.httpBootstrapServerRunnerFactory({
+          hostname,
+          bootstrapHttpServerPath,
+          bootstrapHttpServerPort: Underpost.baremetal.bootstrapHttpServerPortFactory({
+            port: options.bootstrapHttpServerPort,
+            workflowId,
+            workflowsConfig,
+          }),
         });
       }
 
@@ -909,12 +943,12 @@ rm -rf ${artifacts.join(' ')}`);
         (workflowsConfig[workflowId].type === 'iso-nfs' ||
           workflowsConfig[workflowId].type === 'chroot-debootstrap' ||
           workflowsConfig[workflowId].type === 'chroot-container')
-      ) {
-        shellExec(`${underpostRoot}/scripts/nat-iptables.sh`, { silent: true });
+      )
         Underpost.baremetal.rebuildNfsServer({
           nfsHostPath,
+          nfsReset: options.nfsReset,
         });
-      }
+
       // Handle commissioning tasks
       if (options.commission === true) {
         let { firmwares, networkInterfaceName, maas, menuentryStr, type } = workflowsConfig[workflowId];
@@ -929,9 +963,11 @@ rm -rf ${artifacts.join(' ')}`);
         );
         logger.info('Commissioning resource', resource);
 
-        if (type === 'iso-nfs') {
+        if (
+          Underpost.baremetal.getFamilyBaseOs(workflowsConfig[workflowId].osIdLike).isDebianBased &&
+          (type === 'iso-nfs' || type === 'chroot-debootstrap' || type === 'chroot-container')
+        ) {
           // Prepare NFS casper path if using NFS boot.
-          shellExec(`sudo rm -rf ${nfsHostPath}`);
           shellExec(`mkdir -p ${nfsHostPath}/casper`);
         }
 
@@ -1004,15 +1040,26 @@ rm -rf ${artifacts.join(' ')}`);
             hostname,
             dnsServer,
             networkInterfaceName,
-            fileSystemUrl: kernelFilesPaths.isoUrl,
-            bootstrapHttpServerPort:
-              options.bootstrapHttpServerPort || workflowsConfig[workflowId].bootstrapHttpServerPort || 8888,
+            fileSystemUrl:
+              type === 'iso-ram'
+                ? `http://${callbackMetaData.runnerHost.ip}:${Underpost.baremetal.bootstrapHttpServerPortFactory({
+                    port: options.bootstrapHttpServerPort,
+                    workflowId,
+                    workflowsConfig,
+                  })}/${hostname}/${kernelFilesPaths.isoUrl.split('/').pop()}`
+                : kernelFilesPaths.isoUrl,
+            bootstrapHttpServerPort: Underpost.baremetal.bootstrapHttpServerPortFactory({
+              port: options.bootstrapHttpServerPort,
+              workflowId,
+              workflowsConfig,
+            }),
             type,
             macAddress,
             cloudInit: options.cloudInit,
-            machine,
             dev: options.dev,
             osIdLike: workflowsConfig[workflowId].osIdLike || '',
+            authCredentials,
+            architecture: workflowsConfig[workflowId].architecture,
           });
 
           // Check if iPXE mode is enabled AND the iPXE EFI binary exists
@@ -1083,13 +1130,6 @@ rm -rf ${artifacts.join(' ')}`);
         shellExec(`sudo chown -R $(whoami):$(whoami) ${process.env.TFTP_ROOT}`);
         shellExec(`sudo sudo chmod 755 ${process.env.TFTP_ROOT}`);
 
-        Underpost.baremetal.httpBootstrapServerRunnerFactory({
-          hostname,
-          bootstrapHttpServerPath,
-          bootstrapHttpServerPort:
-            options.bootstrapHttpServerPort || workflowsConfig[workflowId].bootstrapHttpServerPort,
-        });
-
         if (type === 'chroot-debootstrap' || type === 'chroot-container')
           await Underpost.baremetal.nfsMountCallback({
             hostname,
@@ -1102,11 +1142,7 @@ rm -rf ${artifacts.join(' ')}`);
           macAddress,
           ipAddress,
           hostname,
-          architecture:
-            workflowsConfig[workflowId].maas?.commissioning?.architecture ||
-            workflowsConfig[workflowId].container?.architecture ||
-            workflowsConfig[workflowId].debootstrap?.image?.architecture ||
-            'arm64/generic',
+          architecture: Underpost.baremetal.fallbackArchitecture(workflowsConfig[workflowId]),
           machine,
         };
         logger.info('Waiting for commissioning...', {
@@ -1114,20 +1150,177 @@ rm -rf ${artifacts.join(' ')}`);
           machine: machine ? machine.system_id : null,
         });
 
-        const { discovery } = await Underpost.baremetal.commissionMonitor(commissionMonitorPayload);
+        const { discovery, machine: discoveredMachine } =
+          await Underpost.baremetal.commissionMonitor(commissionMonitorPayload);
+        if (discoveredMachine) machine = discoveredMachine;
+      }
+    },
 
-        if ((type === 'chroot-debootstrap' || type === 'chroot-container') && options.cloudInit === true) {
-          openTerminal(`node ${underpostRoot}/bin baremetal ${workflowId} ${ipAddress} ${hostname} --logs cloud-init`);
-          openTerminal(
-            `node ${underpostRoot}/bin baremetal ${workflowId} ${ipAddress} ${hostname} --logs cloud-init-machine`,
-          );
-          shellExec(
-            `node ${underpostRoot}/bin baremetal ${workflowId} ${ipAddress} ${hostname} --logs cloud-init-config`,
-          );
+    /**
+     * @method installPacker
+     * @description Installs Packer CLI.
+     * @memberof UnderpostBaremetal
+     * @returns {Promise<void>}
+     */
+    async installPacker(underpostRoot) {
+      const scriptPath = `${underpostRoot}/scripts/packer-setup.sh`;
+      logger.info(`Installing Packer using script: ${scriptPath}`);
+      shellExec(`sudo chmod +x ${scriptPath}`);
+      shellExec(`sudo ${scriptPath}`);
+    },
+
+    /**
+     * @method ipxeBuildIso
+     * @description Builds a UEFI-bootable iPXE ISO with an embedded bridge script.
+     * @param {object} params
+     * @param {string} params.workflowId - The workflow identifier (e.g., 'hp-envy-iso-ram').
+     * @param {string} params.isoOutputPath - Output path for the generated ISO file.
+     * @param {string} params.tftpPrefix - TFTP prefix directory (e.g., 'envy').
+     * @param {string} params.ipFileServer - IP address of the TFTP/file server to chain to.
+     * @param {string} [params.ipAddress='192.168.1.191'] - The IP address of the client machine.
+     * @param {string} [params.ipConfig='none'] - IP configuration method (e.g., 'dhcp', 'none').
+     * @param {string} [params.netmask='255.255.255.0'] - The network mask.
+     * @param {string} [params.dnsServer='8.8.8.8'] - The DNS server address.
+     * @param {string} [params.macAddress=''] - The MAC address of the client machine.
+     * @param {boolean} [params.cloudInit=false] - Flag to enable cloud-init.
+     * @param {boolean} [params.dev=false] - Development mode flag to determine paths.
+     * @param {boolean} [params.forceRebuild=false] - Force a complete iPXE rebuild. Without this, reuses existing ISO.
+     * @param {number} [params.bootstrapHttpServerPort=8888] - Port for the bootstrap HTTP server used in ISO RAM workflows.
+     * @memberof UnderpostBaremetal
+     * @returns {Promise<void>}
+     */
+    async ipxeBuildIso({
+      workflowId,
+      isoOutputPath,
+      tftpPrefix,
+      ipFileServer,
+      ipAddress,
+      ipConfig,
+      netmask,
+      dnsServer,
+      macAddress,
+      cloudInit,
+      dev,
+      forceRebuild = false,
+      bootstrapHttpServerPort,
+    }) {
+      const outputPath = !isoOutputPath || isoOutputPath === '.' ? `./ipxe-${workflowId}.iso` : isoOutputPath;
+      shellExec(`mkdir -p $(dirname ${outputPath})`);
+
+      const workflowsConfig = Underpost.baremetal.loadWorkflowsConfig();
+      if (!workflowsConfig[workflowId]) {
+        throw new Error(`Workflow configuration not found for ID: ${workflowId}`);
+      }
+
+      const authCredentials = cloudInit
+        ? Underpost.baremetal.maasAuthCredentialsFactory()
+        : { consumer_key: '', consumer_secret: '', token_key: '', token_secret: '' };
+
+      const { cmd } = Underpost.baremetal.kernelCmdBootParamsFactory({
+        ipClient: ipAddress,
+        ipDhcpServer: ipFileServer,
+        ipFileServer,
+        ipConfig,
+        netmask,
+        hostname: workflowId,
+        dnsServer,
+        fileSystemUrl:
+          dev && workflowsConfig[workflowId].type === 'iso-ram'
+            ? `http://${ipFileServer}:${Underpost.baremetal.bootstrapHttpServerPortFactory({
+                port: bootstrapHttpServerPort,
+                workflowId,
+                workflowsConfig,
+              })}/${workflowId}/${workflowsConfig[workflowId].isoUrl.split('/').pop()}`
+            : workflowsConfig[workflowId].isoUrl,
+        type: workflowsConfig[workflowId].type,
+        architecture: workflowsConfig[workflowId].architecture,
+        macAddress,
+        cloudInit,
+        osIdLike: workflowsConfig[workflowId].osIdLike,
+        networkInterfaceName: workflowsConfig[workflowId].networkInterfaceName,
+        authCredentials,
+        bootstrapHttpServerPort: Underpost.baremetal.bootstrapHttpServerPortFactory({
+          port: bootstrapHttpServerPort,
+          workflowId,
+          workflowsConfig,
+        }),
+        dev,
+      });
+
+      const ipxeSrcDir = '/home/dd/ipxe/src';
+      const embedScriptName = `embed_${workflowId}.ipxe`;
+      const embedScriptPath = path.join(ipxeSrcDir, embedScriptName);
+
+      const embedScriptContent = Underpost.baremetal.ipxeScriptFactory({
+        maasIp: ipFileServer,
+        tftpPrefix,
+        kernelCmd: cmd,
+        minimal: true,
+      });
+
+      fs.writeFileSync(embedScriptPath, embedScriptContent);
+      logger.info(`Created embedded script at ${embedScriptPath}`);
+
+      // Determine target architecture
+      let targetArch = 'x86_64';
+      if (
+        workflowsConfig[workflowId].architecture === 'arm64' ||
+        workflowsConfig[workflowId].architecture === 'aarch64'
+      ) {
+        targetArch = 'arm64';
+      }
+
+      const platformDir = targetArch === 'arm64' ? 'bin-arm64-efi' : 'bin-x86_64-efi';
+      const makeTarget = `${platformDir}/ipxe.iso`;
+      const builtIsoPath = path.join(ipxeSrcDir, makeTarget);
+
+      if (!forceRebuild && fs.existsSync(builtIsoPath)) {
+        fs.copySync(builtIsoPath, outputPath);
+        logger.info(`Reusing existing iPXE ISO: ${builtIsoPath} -> ${outputPath}`);
+      } else {
+        logger.info(`Rebuild: cleaning iPXE build artifacts...`);
+        shellExec(`cd ${ipxeSrcDir} && make clean`);
+
+        const hostArch = process.arch === 'arm64' ? 'arm64' : 'x86_64';
+        let crossCompile = '';
+        if (hostArch === 'x86_64' && targetArch === 'arm64') {
+          crossCompile = 'CROSS_COMPILE=aarch64-linux-gnu-';
+        } else if (hostArch === 'arm64' && targetArch === 'x86_64') {
+          crossCompile = 'CROSS_COMPILE=x86_64-linux-gnu-';
+        }
+
+        logger.info(
+          `Building iPXE ISO for ${targetArch} on ${hostArch}: make ${makeTarget} ${crossCompile} EMBED=${embedScriptName}`,
+        );
+
+        const buildCmd = `cd ${ipxeSrcDir} && make ${makeTarget} ${crossCompile} EMBED=${embedScriptName}`;
+        shellExec(buildCmd);
+
+        if (fs.existsSync(builtIsoPath)) {
+          fs.copySync(builtIsoPath, outputPath);
+          logger.info(`ISO successfully built and copied to ${outputPath}`);
+        } else {
+          logger.error(`Failed to build ISO at ${builtIsoPath}`);
         }
       }
     },
 
+    /**
+     * @method fallbackArchitecture
+     * @description Determines the architecture to use for boot resources, with a fallback mechanism.
+     * @param {object} workflowsConfig - The configuration object for the current workflow.
+     * @returns {string} The architecture string (e.g., 'arm64', 'amd64') to use for boot resources.
+     * @memberof UnderpostBaremetal
+     */
+    fallbackArchitecture(workflowsConfig) {
+      return (
+        workflowsConfig.architecture ||
+        workflowsConfig.maas?.commissioning?.architecture ||
+        workflowsConfig.container?.architecture ||
+        workflowsConfig.debootstrap?.image?.architecture
+      );
+    },
+
     /**
      * @method macAddressFactory
      * @description Generates or returns a MAC address based on options.
@@ -1179,8 +1372,7 @@ rm -rf ${artifacts.join(' ')}`);
       const isoFilename = isoUrl.split('/').pop();
 
       // Determine OS family from osIdLike
-      const isDebianBased = osIdLike && osIdLike.match(/debian|ubuntu/i);
-      const isRhelBased = osIdLike && osIdLike.match(/rhel|centos|fedora|alma|rocky/i);
+      const { isDebianBased, isRhelBased } = Underpost.baremetal.getFamilyBaseOs(osIdLike);
 
       // Set extraction directory based on OS family
       const extractDirName = isDebianBased ? 'casper' : 'iso-extract';
@@ -1206,16 +1398,16 @@ rm -rf ${artifacts.join(' ')}`);
         logger.info(`Downloaded ISO to ${isoPath} (${(stats.size / 1024 / 1024 / 1024).toFixed(2)} GB)`);
       }
 
-      // Mount ISO and extract boot files
+      // ISO Logic
       const mountPoint = `${nfsHostPath}/mnt-iso-${arch}`;
       shellExec(`mkdir -p ${mountPoint}`);
 
       // Ensure mount point is not already mounted
-      shellExec(`sudo umount ${mountPoint} 2>/dev/null`, { silent: true });
+      shellExec(`sudo umount ${mountPoint} 2>/dev/null`);
 
       try {
         // Mount the ISO
-        shellExec(`sudo mount -o loop,ro ${isoPath} ${mountPoint}`, { silent: false });
+        shellExec(`sudo mount -o loop,ro ${isoPath} ${mountPoint}`);
         logger.info(`Mounted ISO at ${mountPoint}`);
 
         // Distribution-specific extraction logic
@@ -1227,16 +1419,25 @@ rm -rf ${artifacts.join(' ')}`);
           logger.info(`Checking casper directory contents...`);
           shellExec(`ls -la ${mountPoint}/casper/ 2>/dev/null || echo "casper directory not found"`);
           shellExec(`sudo cp -a ${mountPoint}/casper/* ${extractDir}/`);
+        } else if (isRhelBased) {
+          // RHEL/Rocky: Extract from images/pxeboot directory
+          const pxebootDir = `${mountPoint}/images/pxeboot`;
+          if (!fs.existsSync(pxebootDir)) {
+            throw new Error(`Failed to mount ISO or images/pxeboot directory not found: ${isoPath}`);
+          }
+          logger.info(`Extracting kernel and initrd from ${pxebootDir}...`);
+          shellExec(`sudo cp -a ${pxebootDir}/vmlinuz ${extractDir}/vmlinuz`);
+          shellExec(`sudo cp -a ${pxebootDir}/initrd.img ${extractDir}/initrd`);
         }
       } finally {
         shellExec(`ls -la ${mountPoint}/`);
 
         shellExec(`sudo chown -R $(whoami):$(whoami) ${extractDir}`);
         // Unmount ISO
-        shellExec(`sudo umount ${mountPoint}`, { silent: true });
+        shellExec(`sudo umount ${mountPoint}`);
         logger.info(`Unmounted ISO`);
         // Clean up temporary mount point
-        shellExec(`rmdir ${mountPoint}`, { silent: true });
+        shellExec(`rmdir ${mountPoint}`);
       }
 
       return {
@@ -1253,8 +1454,8 @@ rm -rf ${artifacts.join(' ')}`);
      * @param {string} options.macAddress - The MAC address of the machine.
      * @param {string} options.hostname - The hostname for the machine.
      * @param {string} options.ipAddress - The IP address for the machine.
+     * @param {string} options.architecture - The architecture for the machine (default is 'arm64').
      * @param {string} options.powerType - The power type for the machine (default is 'manual').
-     * @param {object} options.maas - Additional MAAS-specific options.
      * @returns {object} An object containing the created machine details.
      * @memberof UnderpostBaremetal
      */
@@ -1263,13 +1464,13 @@ rm -rf ${artifacts.join(' ')}`);
         macAddress: '',
         hostname: '',
         ipAddress: '',
+        architecture: 'arm64',
         powerType: 'manual',
-        architecture: 'arm64/generic',
       },
     ) {
       if (!options.powerType) options.powerType = 'manual';
       const payload = {
-        architecture: (options.architecture || 'arm64/generic').match('arm') ? 'arm64/generic' : 'amd64/generic',
+        architecture: options.architecture.match('arm') ? 'arm64/generic' : 'amd64/generic',
         mac_address: options.macAddress,
         mac_addresses: options.macAddress,
         hostname: options.hostname,
@@ -1277,18 +1478,13 @@ rm -rf ${artifacts.join(' ')}`);
         ip: options.ipAddress,
       };
       logger.info('Creating MAAS machine', payload);
-      const machine = shellExec(
-        `maas ${process.env.MAAS_ADMIN_USERNAME} machines create ${Object.keys(payload)
+      const machine = Underpost.baremetal.maasCliExec(
+        `machines create ${Object.keys(payload)
           .map((k) => `${k}="${payload[k]}"`)
           .join(' ')}`,
-        {
-          silent: true,
-          stdout: true,
-        },
       );
-      // console.log(machine);
       try {
-        return { machine: JSON.parse(machine) };
+        return { machine };
       } catch (error) {
         console.log(error);
         logger.error(error);
@@ -1296,6 +1492,20 @@ rm -rf ${artifacts.join(' ')}`);
       }
     },
 
+    /**
+     * @method getFamilyBaseOs
+     * @description Determines if the OS belongs to Debian-based or RHEL-based family based on osIdLike string.
+     * @param {string} osIdLike - The os_id_like string from MAAS boot resource or workflow configuration.
+     * @returns {object} An object with boolean properties isDebianBased and isRhelBased indicating the OS family.
+     * @memberof UnderpostBaremetal
+     */
+    getFamilyBaseOs(osIdLike = '') {
+      return {
+        isDebianBased: osIdLike.match(/debian|ubuntu/i),
+        isRhelBased: osIdLike.match(/rhel|centos|fedora|alma|rocky/i),
+      };
+    },
+
     /**
      * @method kernelFactory
      * @description Retrieves kernel, initrd, and root filesystem paths from a MAAS boot resource.
@@ -1312,8 +1522,10 @@ rm -rf ${artifacts.join(' ')}`);
       // For disk-based commissioning (casper/iso), use live ISO files
       if (type === 'iso-ram' || type === 'iso-nfs') {
         logger.info('Using live ISO for boot (disk-based commissioning)');
-        const arch = resource.architecture.split('/')[0];
         const workflowsConfig = Underpost.baremetal.loadWorkflowsConfig();
+        const arch = resource?.architecture
+          ? resource.architecture.split('/')[0]
+          : workflowsConfig[workflowId].architecture;
         const kernelFilesPaths = Underpost.baremetal.downloadISO({
           resource,
           architecture: arch,
@@ -1325,13 +1537,7 @@ rm -rf ${artifacts.join(' ')}`);
         return { kernelFilesPaths, resourcesPath };
       }
 
-      const resourceData = JSON.parse(
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} boot-resource read ${resource.id}`, {
-          stdout: true,
-          silent: true,
-          disableLog: true,
-        }),
-      );
+      const resourceData = Underpost.baremetal.maasCliExec(`boot-resource read ${resource.id}`);
       let kernelFilesPaths = {};
       const bootFiles = resourceData.sets[Object.keys(resourceData.sets)[0]].files;
       const arch = resource.architecture.split('/')[0];
@@ -1392,7 +1598,7 @@ rm -rf ${artifacts.join(' ')}`);
           shellExec(`mkdir -p ${tempExtractDir}`);
 
           // List files in archive to find kernel and initrd
-          const tarList = shellExec(`tar -tf ${rootArchivePath}`, { silent: true }).stdout.split('\n');
+          const tarList = shellExec(`tar -tf ${rootArchivePath}`).stdout.split('\n');
 
           // Look for boot/vmlinuz* and boot/initrd* (handling potential leading ./)
           // Skip rescue, kdump, and other special images
@@ -1524,7 +1730,7 @@ rm -rf ${artifacts.join(' ')}`);
      */
     removeDiscoveredMachines() {
       logger.info('Removing all discovered machines from MAAS...');
-      shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} discoveries clear all=true`);
+      Underpost.baremetal.maasCliExec(`discoveries clear all=true`);
     },
 
     /**
@@ -1657,16 +1863,28 @@ shell
      * @method ipxeScriptFactory
      * @description Generates the iPXE script content for stable identity.
      * This iPXE script uses directly boots kernel/initrd via TFTP.
+     * When minimal mode is enabled, generates a simple dhcp+kernel+initrd+boot script.
      * @param {object} params - The parameters for generating the script.
-     * @param {string} params.maasIp - The IP address of the MAAS server.
+     * @param {string} params.maasIp - The IP address of the MAAS/file server.
      * @param {string} [params.macAddress] - The MAC address registered in MAAS (for display only).
-     * @param {string} params.architecture - The architecture (arm64/amd64).
+     * @param {string} [params.architecture] - The architecture (arm64/amd64).
      * @param {string} params.tftpPrefix - The TFTP prefix path (e.g., 'rpi4mb').
      * @param {string} params.kernelCmd - The kernel command line parameters.
+     * @param {boolean} [params.minimal=false] - Generate a minimal embedded script for ISO builds.
      * @returns {string} The iPXE script content.
      * @memberof UnderpostBaremetal
      */
-    ipxeScriptFactory({ maasIp, macAddress, architecture, tftpPrefix, kernelCmd }) {
+    ipxeScriptFactory({ maasIp, macAddress, architecture, tftpPrefix, kernelCmd, minimal = false }) {
+      if (minimal) {
+        return `#!ipxe
+dhcp
+set server_ip ${maasIp}
+set tftp_prefix ${tftpPrefix}
+kernel tftp://\${server_ip}/\${tftp_prefix}/pxe/vmlinuz-efi ${kernelCmd}
+initrd tftp://\${server_ip}/\${tftp_prefix}/pxe/initrd.img
+boot || shell
+`;
+      }
       const macInfo =
         macAddress && macAddress !== '00:00:00:00:00:00'
           ? `echo Registered MAC: ${macAddress}`
@@ -1704,7 +1922,11 @@ echo ========================================
 echo Loading kernel and initrd via TFTP...
 echo Kernel: tftp://${maasIp}/${kernelPath}
 echo Initrd: tftp://${maasIp}/${initrdPath}
-${macAddress && macAddress !== '00:00:00:00:00:00' ? `echo Kernel will use MAC: ${macAddress} (via ifname parameter)` : 'echo Kernel will use hardware MAC'}
+${
+  macAddress && macAddress !== '00:00:00:00:00:00'
+    ? `echo Kernel will use MAC: ${macAddress} (via ifname parameter)`
+    : 'echo Kernel will use hardware MAC'
+}
 echo ========================================
 
 # Load kernel via TFTP
@@ -1735,7 +1957,9 @@ echo ========================================
 # Fallback: Try MAAS HTTP bootloader (may have certificate issues)
 set boot-url http://${maasIp}:5248/images/bootloader
 echo Boot URL: \${boot-url}
-chain \${boot-url}/uefi/${architecture}/${grubBootloader === 'grubaa64.efi' ? 'bootaa64.efi' : 'bootx64.efi'} || goto error
+chain \${boot-url}/uefi/${architecture}/${
+        grubBootloader === 'grubaa64.efi' ? 'bootaa64.efi' : 'bootx64.efi'
+      } || goto error
 
 :error
 echo ========================================
@@ -1771,22 +1995,12 @@ shell
      * @memberof UnderpostBaremetal
      */
     ipxeEfiFactory({ tftpRootPath, ipxeCacheDir, arch, underpostRoot, embeddedScriptPath, forceRebuild = false }) {
-      const shouldRebuild =
-        forceRebuild || (!fs.existsSync(`${tftpRootPath}/ipxe.efi`) && !fs.existsSync(`${ipxeCacheDir}/ipxe.efi`));
+      const embedArg =
+        embeddedScriptPath && fs.existsSync(embeddedScriptPath) ? ` --embed-script ${embeddedScriptPath}` : '';
+      const rebuildArg = forceRebuild ? ' --rebuild' : '';
 
-      if (!shouldRebuild) return;
-
-      if (embeddedScriptPath && fs.existsSync(embeddedScriptPath)) {
-        logger.info('Rebuilding iPXE with embedded boot script...', {
-          embeddedScriptPath,
-          forced: forceRebuild,
-        });
-        shellExec(
-          `${underpostRoot}/scripts/ipxe-setup.sh ${tftpRootPath} --target-arch ${arch} --embed-script ${embeddedScriptPath} --rebuild`,
-        );
-      } else if (shouldRebuild) {
-        shellExec(`${underpostRoot}/scripts/ipxe-setup.sh ${tftpRootPath} --target-arch ${arch}`);
-      }
+      logger.info('Building iPXE EFI binary...', { embeddedScriptPath, forced: forceRebuild });
+      shellExec(`${underpostRoot}/scripts/ipxe-setup.sh ${tftpRootPath} --target-arch ${arch}${embedArg}${rebuildArg}`);
 
       shellExec(`mkdir -p ${ipxeCacheDir}`);
       shellExec(`cp ${tftpRootPath}/ipxe.efi ${ipxeCacheDir}/ipxe.efi`);
@@ -1840,7 +2054,11 @@ shell
       echo "${menuentryStr}"
       echo " ${Underpost.version}"
       echo "Date: ${new Date().toISOString()}"
-      ${cmd.match('/MAAS/metadata/by-id/') ? `echo "System ID: ${cmd.split('/MAAS/metadata/by-id/')[1].split('/')[0]}"` : ''}
+      ${
+        cmd.match('/MAAS/metadata/by-id/')
+          ? `echo "System ID: ${cmd.split('/MAAS/metadata/by-id/')[1].split('/')[0]}"`
+          : ''
+      }
       echo "TFTP server: ${tftpIp}"
       echo "Kernel path: ${kernelPath}"
       echo "Initrd path: ${initrdPath}"
@@ -1856,6 +2074,72 @@ shell
       };
     },
 
+    /**
+     * @method bootstrapHttpServerPortFactory
+     * @description Determines the bootstrap HTTP server port.
+     * @param {object} params - Parameters for determining the port.
+     * @param {number} [params.port] - The port passed via options.
+     * @param {string} params.workflowId - The workflow identifier.
+     * @param {object} params.workflowsConfig - The loaded workflows configuration.
+     * @returns {number} The determined port number.
+     * @memberof UnderpostBaremetal
+     */
+    bootstrapHttpServerPortFactory({ port, workflowId, workflowsConfig }) {
+      return port || workflowsConfig[workflowId]?.bootstrapHttpServerPort || 8888;
+    },
+
+    /**
+     * @method commissioningWriteFilesFactory
+     * @description Generates the write_files configuration for the commissioning script.
+     * @param {object} params
+     * @param {object} params.machine - The machine object.
+     * @param {object} params.authCredentials - MAAS authentication credentials.
+     * @param {string} params.runnerHostIp - The IP address of the runner host.
+     * @memberof UnderpostBaremetal
+     * @returns {Array} The write_files array.
+     */
+    commissioningWriteFilesFactory({ machine, authCredentials, runnerHostIp }) {
+      const { consumer_key, token_key, token_secret } = authCredentials;
+      return [
+        {
+          path: '/usr/local/bin/underpost-enlist.sh',
+          permissions: '0755',
+          owner: 'root:root',
+          content: `#!/bin/bash
+# set -euo pipefail
+CONSUMER_KEY="${consumer_key}"
+TOKEN_KEY="${token_key}"
+TOKEN_SECRET="${token_secret}"
+LOG_FILE="/var/log/underpost-enlistment.log"
+RESPONSE_FILE="/tmp/maas_response.txt"
+STATUS_FILE="/tmp/maas_status.txt"
+
+echo "Starting MAAS Commissioning Request..." | tee -a "$LOG_FILE"
+
+curl -X POST \\
+  --location --verbose \\
+  --header "Authorization: OAuth oauth_version=\\"1.0\\", oauth_signature_method=\\"PLAINTEXT\\", oauth_consumer_key=\\"$CONSUMER_KEY\\", oauth_token=\\"$TOKEN_KEY\\", oauth_signature=\\"&$TOKEN_SECRET\\", oauth_nonce=\\"$(uuidgen)\\", oauth_timestamp=\\"$(date +%s)\\"" \\
+  -F "enable_ssh=1" \\
+  http://${runnerHostIp}:5240/MAAS/api/2.0/machines/${machine.system_id}/op-commission \\
+  --output "$RESPONSE_FILE" --write-out "%{http_code}" > "$STATUS_FILE" 2>> "$LOG_FILE"
+
+HTTP_STATUS=$(cat "$STATUS_FILE")
+
+echo "HTTP Status: $HTTP_STATUS" | tee -a "$LOG_FILE"
+echo "Response Body:" | tee -a "$LOG_FILE"
+cat "$RESPONSE_FILE" | tee -a "$LOG_FILE"
+
+if [ "$HTTP_STATUS" -eq 200 ]; then
+  echo "Commissioning requested successfully." | tee -a "$LOG_FILE"
+else
+  echo "ERROR: MAAS commissioning failed with status $HTTP_STATUS" | tee -a "$LOG_FILE"
+  exit 0
+fi
+`,
+        },
+      ];
+    },
+
     /**
      * @method httpBootstrapServerStaticFactory
      * @description Creates static files for the bootstrap HTTP server including cloud-init configuration.
@@ -1863,36 +2147,40 @@ shell
      * @param {string} params.bootstrapHttpServerPath - The path where static files will be created.
      * @param {string} params.hostname - The hostname of the client machine.
      * @param {string} params.cloudConfigSrc - The cloud-init configuration YAML source.
-     * @param {object} [params.metadata] - Optional metadata to include in meta-data file.
-     * @param {string} [params.vendorData] - Optional vendor-data content (default: empty string).
+     * @param {string} params.kickstartSrc - The kickstart configuration content.
+     * @param {string} params.vendorData - The cloud-init vendor-data content.
+     * @param {string} params.isoUrl - Optional ISO URL to cache and serve.
      * @memberof UnderpostBaremetal
      * @returns {void}
      */
     httpBootstrapServerStaticFactory({
-      bootstrapHttpServerPath,
-      hostname,
-      cloudConfigSrc,
-      metadata = {},
+      bootstrapHttpServerPath = '',
+      hostname = '',
+      cloudConfigSrc = '',
+      kickstartSrc = '',
       vendorData = '',
+      isoUrl = '',
     }) {
-      // Create directory structure
-      shellExec(`mkdir -p ${bootstrapHttpServerPath}/${hostname}/cloud-init`);
+      shellExec(`mkdir -p ${bootstrapHttpServerPath}/${hostname}`);
 
-      // Write user-data file
-      fs.writeFileSync(
-        `${bootstrapHttpServerPath}/${hostname}/cloud-init/user-data`,
-        `#cloud-config\n${cloudConfigSrc}`,
-        'utf8',
-      );
+      Underpost.cloudInit.httpServerStaticFactory({ bootstrapHttpServerPath, hostname, cloudConfigSrc, vendorData });
+      Underpost.kickstart.httpServerStaticFactory({ bootstrapHttpServerPath, hostname, kickstartSrc });
 
-      // Write meta-data file
-      const metaDataContent = `instance-id: ${metadata.instanceId || hostname}\nlocal-hostname: ${metadata.localHostname || hostname}`;
-      fs.writeFileSync(`${bootstrapHttpServerPath}/${hostname}/cloud-init/meta-data`, metaDataContent, 'utf8');
+      if (isoUrl) {
+        const isoFilename = isoUrl.split('/').pop();
+        const isoCacheDir = `/var/tmp/live-iso`;
+        const isoCachePath = `${isoCacheDir}/${isoFilename}`;
+        const isoDestPath = `${bootstrapHttpServerPath}/${hostname}/${isoFilename}`;
 
-      // Write vendor-data file
-      fs.writeFileSync(`${bootstrapHttpServerPath}/${hostname}/cloud-init/vendor-data`, vendorData, 'utf8');
+        if (!fs.existsSync(isoCachePath)) {
+          logger.info(`Downloading ISO to cache: ${isoUrl}`);
+          shellExec(`mkdir -p ${isoCacheDir}`);
+          shellExec(`wget --progress=bar:force -O ${isoCachePath} "${isoUrl}"`);
+        }
 
-      logger.info(`Cloud-init files written to ${bootstrapHttpServerPath}/${hostname}/cloud-init`);
+        logger.info(`Copying ISO to bootstrap server: ${isoDestPath}`);
+        shellExec(`cp ${isoCachePath} ${isoDestPath}`);
+      }
     },
 
     /**
@@ -1912,15 +2200,17 @@ shell
       const bootstrapHttpServerPath = options.bootstrapHttpServerPath || './public/localhost';
       const hostname = options.hostname || 'localhost';
 
-      shellExec(`mkdir -p ${bootstrapHttpServerPath}/${hostname}/cloud-init`);
+      shellExec(`node bin run kill ${port}`, { silent: true });
 
-      // Kill any existing HTTP server
-      shellExec(`sudo pkill -f 'python3 -m http.server ${port}'`, { silent: true });
+      const app = express();
 
-      shellExec(
-        `cd ${bootstrapHttpServerPath} && nohup python3 -m http.server ${port} --bind 0.0.0.0 > /tmp/http-boot-server.log 2>&1 &`,
-        { silent: true, async: true },
-      );
+      app.use(loggerMiddleware(import.meta, 'debug', () => false));
+
+      app.use('/', express.static(bootstrapHttpServerPath));
+
+      app.listen(port, () => {
+        logger.info(`Static file server running on port ${port}`);
+      });
 
       // Configure iptables to allow incoming LAN connections
       shellExec(
@@ -1949,9 +2239,10 @@ shell
      */
     updateKernelFiles({ commissioningImage, resourcesPath, tftpRootPath, kernelFilesPaths }) {
       // Copy EFI bootloaders to TFTP path.
-      const efiFiles = commissioningImage.architecture.match('arm64')
-        ? ['bootaa64.efi', 'grubaa64.efi']
-        : ['bootx64.efi', 'grubx64.efi'];
+      const arch = resourcesPath.split('/').pop();
+      const efiFiles =
+        arch === 'arm64' || arch === 'aarch64' ? ['bootaa64.efi', 'grubaa64.efi'] : ['bootx64.efi', 'grubx64.efi'];
+
       for (const file of efiFiles) {
         shellExec(`sudo cp -a ${resourcesPath}/${file} ${tftpRootPath}/pxe/${file}`);
       }
@@ -1963,7 +2254,7 @@ shell
         // GRUB on ARM64 often crashes with synchronous exception (0x200) if handling large compressed kernels directly.
         if (file === 'vmlinuz-efi') {
           const kernelDest = `${tftpRootPath}/pxe/${file}`;
-          const fileType = shellExec(`file ${kernelDest}`, { silent: true }).stdout;
+          const fileType = shellExec(`file ${kernelDest}`).stdout;
 
           // Handle gzip compressed kernels
           if (fileType.includes('gzip compressed data')) {
@@ -2003,6 +2294,12 @@ shell
      * @param {object} options.machine - The machine object containing system_id.
      * @param {boolean} [options.dev=false] - Whether to enable dev mode with dracut debugging parameters.
      * @param {string} [options.osIdLike=''] - OS family identifier (e.g., 'rhel centos fedora' or 'debian ubuntu').
+     * @param {object} options.authCredentials - Authentication credentials for fetching files (if needed).
+     * @param {string} options.authCredentials.consumer_key - Consumer key for authentication.
+     * @param {string} options.authCredentials.consumer_secret - Consumer secret for authentication.
+     * @param {string} options.authCredentials.token_key - Token key for authentication.
+     * @param {string} options.authCredentials.token_secret - Token secret for authentication.
+     * @param {string} options.architecture - The architecture of the machine (e.g., 'amd64', 'arm64').
      * @returns {object} An object containing the constructed command line string.
      * @memberof UnderpostBaremetal
      */
@@ -2021,9 +2318,10 @@ shell
         type: '',
         macAddress: '',
         cloudInit: false,
-        machine: { system_id: '' },
         dev: false,
         osIdLike: '',
+        authCredentials: { consumer_key: '', consumer_secret: '', token_key: '', token_secret: '' },
+        architecture,
       },
     ) {
       // Construct kernel command line arguments for NFS boot.
@@ -2042,12 +2340,15 @@ shell
         macAddress,
         cloudInit,
         osIdLike,
+        architecture,
       } = options;
 
-      const ipParam = true
-        ? `ip=${ipClient}:${ipFileServer}:${ipDhcpServer}:${netmask}:${hostname}` +
-          `:${networkInterfaceName ? networkInterfaceName : 'eth0'}:${ipConfig}:${dnsServer}`
-        : 'ip=dhcp';
+      // Determine OS family from osIdLike
+      const { isDebianBased, isRhelBased } = Underpost.baremetal.getFamilyBaseOs(options.osIdLike);
+
+      const ipParam =
+        `ip=${ipClient}:${ipFileServer}:${ipDhcpServer}:${netmask}:${hostname}` +
+        `:${networkInterfaceName ? networkInterfaceName : 'eth0'}:${ipConfig}:${dnsServer}`;
 
       const nfsOptions = `${
         type === 'chroot-debootstrap' || type === 'chroot-container'
@@ -2074,7 +2375,9 @@ shell
           : []
       }`;
 
-      const nfsRootParam = `nfsroot=${ipFileServer}:${process.env.NFS_EXPORT_PATH}/${hostname}${nfsOptions ? `,${nfsOptions}` : ''}`;
+      const nfsRootParam = `nfsroot=${ipFileServer}:${process.env.NFS_EXPORT_PATH}/${hostname}${
+        nfsOptions ? `,${nfsOptions}` : ''
+      }`;
 
       const permissionsParams = [
         `rw`,
@@ -2092,9 +2395,9 @@ shell
         // `layerfs-path=filesystem.squashfs`,
         // `root=/dev/ram0`,
         // `toram`,
-        'nomodeset',
-        `editable_rootfs=tmpfs`,
-        `ramdisk_size=3550000`,
+        // 'nomodeset',
+        // `editable_rootfs=tmpfs`, // all writes to rootfs go to RAM, keeping underlying storage pristine
+        // `ramdisk_size=3550000`,
         // `root=/dev/sda1`, // rpi4 usb port unit
         'apparmor=0', // Disable AppArmor security
         ...(networkInterfaceName === 'eth0'
@@ -2136,51 +2439,34 @@ shell
 
       let cmd = [];
       if (type === 'iso-ram') {
-        const netBootParams = [`netboot=url`];
-        if (fileSystemUrl) netBootParams.push(`url=${fileSystemUrl.replace('https', 'http')}`);
-        cmd = [ipParam, `boot=casper`, ...netBootParams, ...kernelParams];
-      } else if (type === 'chroot-debootstrap' || type === 'chroot-container') {
-        let qemuNfsRootParams = [`root=/dev/nfs`, `rootfstype=nfs`];
-
-        // Determine OS family from osIdLike configuration
-        const isRhelBased = osIdLike && osIdLike.match(/rhel|centos|fedora|alma|rocky/i);
-        const isDebianBased = osIdLike && osIdLike.match(/debian|ubuntu/i);
-
-        // Add RHEL/Rocky/Fedora based images specific parameters
         if (isRhelBased) {
-          qemuNfsRootParams = qemuNfsRootParams.concat([`rd.neednet=1`, `rd.timeout=180`, `selinux=0`, `enforcing=0`]);
-        }
-        // Add Debian/Ubuntu based images specific parameters
-        else if (isDebianBased) {
-          qemuNfsRootParams = qemuNfsRootParams.concat([`initrd=initrd.img`, `init=/sbin/init`]);
-        }
-
-        // Add debugging parameters in dev mode for dracut troubleshooting
-        if (options.dev) {
-          // qemuNfsRootParams = qemuNfsRootParams.concat([`rd.shell`, `rd.debug`]);
+          cmd = Underpost.kickstart.kernelParamsFactory(macAddress, [ipParam, ...kernelParams], options);
+        } else {
+          // ISO-RAM (Debian/Ubuntu): full live ISO downloaded into RAM via casper toram.
+          const netBootParams = [`netboot=url`];
+          if (fileSystemUrl) netBootParams.push(`url=${fileSystemUrl.replace('https', 'http')}`);
+          cmd = [ipParam, `boot=casper`, 'toram', ...netBootParams, ...kernelParams, ...performanceParams];
         }
-
+      } else if (type === 'chroot-debootstrap' || type === 'chroot-container') {
+        let qemuNfsRootParams = [`root=/dev/nfs`, `rootfstype=nfs`];
         cmd = [ipParam, ...qemuNfsRootParams, nfsRootParam, ...kernelParams];
       } else {
-        // 'iso-nfs'
+        // 'iso-nfs' — Debian/Ubuntu NFS root boot: kernel/initrd from ISO, root filesystem served via NFS.
         cmd = [ipParam, `netboot=nfs`, nfsRootParam, ...kernelParams, ...performanceParams];
+      }
 
-        cmd.push(`ifname=${networkInterfaceName}:${macAddress}`);
-
-        if (cloudInit) {
-          const cloudInitPreseedUrl = `http://${ipDhcpServer}:5248/MAAS/metadata/by-id/${options.machine?.system_id ? options.machine.system_id : 'system-id'}/?op=get_preseed`;
-          cmd = cmd.concat([
-            `cloud-init=enabled`,
-            'autoinstall',
-            `cloud-config-url=${cloudInitPreseedUrl}`,
-            `ds=nocloud-net;s=${cloudInitPreseedUrl}`,
-            `log_host=${ipDhcpServer}`,
-            `log_port=5247`,
-            // `BOOTIF=${macAddress}`,
-            // `cc:{'datasource_list': ['MAAS']}end_cc`,
-          ]);
-        }
+      // Add RHEL/Rocky/Fedora based images specific parameters
+      if (isRhelBased) {
+        cmd = cmd.concat([`rd.neednet=1`, `rd.timeout=180`, `selinux=0`, `enforcing=0`]);
+        if (options.dev) cmd = cmd.concat([`rd.shell`, `rd.debug`]);
+      }
+      // Add Debian/Ubuntu based images specific parameters
+      else if (isDebianBased) {
+        cmd = cmd.concat([`initrd=initrd.img`, `init=/sbin/init`]);
+        if (options.dev) cmd = cmd.concat([`debug`, `ignore_loglevel`]);
       }
+
+      if (cloudInit) cmd = Underpost.cloudInit.kernelParamsFactory(macAddress, cmd, options);
       // cmd.push('---');
       const cmdStr = cmd.join(' ');
       logger.info('Constructed kernel command line');
@@ -2204,12 +2490,7 @@ shell
     async commissionMonitor({ macAddress, ipAddress, hostname, architecture, machine }) {
       {
         // Query observed discoveries from MAAS.
-        const discoveries = JSON.parse(
-          shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} discoveries read`, {
-            silent: true,
-            stdout: true,
-          }),
-        );
+        const discoveries = Underpost.baremetal.maasCliExec(`discoveries read`);
 
         for (const discovery of discoveries) {
           const discoverHostname = discovery.hostname
@@ -2227,6 +2508,20 @@ shell
           if (discovery.ip === ipAddress) {
             logger.info('Machine discovered!', discovery);
             if (!machine) {
+              // Check if a machine with the discovered MAC already exists to avoid conflicts
+              const [existingMachine] =
+                Underpost.baremetal.maasCliExec(`machines read mac_address=${discovery.mac_address}`) || [];
+
+              if (existingMachine) {
+                logger.warn(
+                  `Machine ${existingMachine.hostname} (${existingMachine.system_id}) already exists with MAC ${discovery.mac_address}`,
+                );
+                logger.info(
+                  `Deleting existing machine ${existingMachine.system_id} to create new machine ${hostname}...`,
+                );
+                Underpost.baremetal.maasCliExec(`machine delete ${existingMachine.system_id}`);
+              }
+
               logger.info('Creating new machine with discovered hardware MAC...', {
                 discoveredMAC: discovery.mac_address,
                 ipAddress,
@@ -2238,12 +2533,18 @@ shell
                 hostname,
                 architecture,
               }).machine;
-              console.log('New machine system id:', machine.system_id.bgYellow.bold.black);
-              Underpost.baremetal.writeGrubConfigToFile({
-                grubCfgSrc: Underpost.baremetal
-                  .getGrubConfigFromFile()
-                  .grubCfgSrc.replaceAll('system-id', machine.system_id),
-              });
+
+              if (machine && machine.system_id) {
+                console.log('New machine system id:', machine.system_id.bgYellow.bold.black);
+                Underpost.baremetal.writeGrubConfigToFile({
+                  grubCfgSrc: Underpost.baremetal
+                    .getGrubConfigFromFile()
+                    .grubCfgSrc.replaceAll('system-id', machine.system_id),
+                });
+              } else {
+                logger.error('Failed to create machine or obtain system_id', machine);
+                throw new Error('Machine creation failed');
+              }
             } else {
               const systemId = machine.system_id;
               console.log('Using pre-registered machine system_id:', systemId.bgYellow.bold.black);
@@ -2256,22 +2557,45 @@ shell
                   discoveredMAC: discovery.mac_address,
                 });
 
-                shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine mark-broken ${systemId}`, {
-                  silent: true,
-                });
+                // Check current machine status before attempting state transitions
+                const currentMachine = Underpost.baremetal.maasCliExec(`machine read ${systemId}`);
+                const currentStatus = currentMachine ? currentMachine.status_name : 'Unknown';
+                logger.info('Current machine status before interface update:', { systemId, status: currentStatus });
+
+                // Only mark-broken if the machine is in a state that supports it (e.g. Ready, New, Allocated)
+                // Machines already in Broken state don't need to be marked broken again
+                if (currentStatus !== 'Broken') {
+                  try {
+                    Underpost.baremetal.maasCliExec(`machine mark-broken ${systemId}`);
+                    logger.info('Machine marked as broken successfully');
+                  } catch (markBrokenError) {
+                    logger.warn('Failed to mark machine as broken, attempting interface update anyway...', {
+                      error: markBrokenError.message,
+                      currentStatus,
+                    });
+                  }
+                } else {
+                  logger.info('Machine is already in Broken state, skipping mark-broken');
+                }
 
-                shellExec(
-                  // name=${networkInterfaceName}
-                  `maas ${process.env.MAAS_ADMIN_USERNAME} interface update ${systemId} ${machine.boot_interface.id}` +
-                    ` mac_address=${discovery.mac_address}`,
-                  {
-                    silent: true,
-                  },
+                Underpost.baremetal.maasCliExec(
+                  `interface update ${systemId} ${machine.boot_interface.id}` + ` mac_address=${discovery.mac_address}`,
                 );
 
-                shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine mark-fixed ${systemId}`, {
-                  silent: true,
-                });
+                // Re-check status before mark-fixed — only attempt if actually Broken
+                const updatedMachine = Underpost.baremetal.maasCliExec(`machine read ${systemId}`);
+                const updatedStatus = updatedMachine ? updatedMachine.status_name : 'Unknown';
+
+                if (updatedStatus === 'Broken') {
+                  try {
+                    Underpost.baremetal.maasCliExec(`machine mark-fixed ${systemId}`);
+                    logger.info('Machine marked as fixed successfully');
+                  } catch (markFixedError) {
+                    logger.warn('Failed to mark machine as fixed:', { error: markFixedError.message });
+                  }
+                } else {
+                  logger.info('Machine is not in Broken state, skipping mark-fixed', { status: updatedStatus });
+                }
 
                 logger.info('✓ Machine interface MAC address updated successfully');
 
@@ -2300,6 +2624,73 @@ shell
       }
     },
 
+    /**
+     * @method maasCliExec
+     * @description Executes a MAAS CLI command and returns the parsed JSON output.
+     * This method abstracts the execution of MAAS CLI commands, ensuring that the output is captured and parsed correctly.
+     * @param {string} cmd - The MAAS CLI command to execute (e.g., 'machines read').
+     * @returns {object|null} The parsed JSON output from the MAAS CLI command, or null if there is no output.
+     * @memberof UnderpostBaremetal
+     */
+    maasCliExec(cmd) {
+      const output = shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} ${cmd}`, {
+        stdout: true,
+        silent: true,
+      }).trim();
+      try {
+        return output ? JSON.parse(output) : null;
+      } catch (error) {
+        console.log('output', output);
+        logger.error(error);
+        throw error;
+      }
+    },
+
+    /**
+     * @method maasAuthCredentialsFactory
+     * @description Retrieves MAAS API key credentials from the MAAS CLI.
+     * This method parses the output of `maas apikey` to extract the consumer key,
+     * consumer secret, token key, and token secret.
+     * @returns {object} An object containing the MAAS authentication credentials.
+     * @memberof UnderpostBaremetal
+     * @throws {Error} If the MAAS API key format is invalid.
+     */
+    maasAuthCredentialsFactory() {
+      // Expected formats:
+      // <consumer_key>:<consumer_token>:<secret> (older format)
+      // <consumer_key>:<consumer_secret>:<token_key>:<token_secret> (newer format)
+      // Commands used to generate API keys:
+      // maas apikey --with-names --username ${process.env.MAAS_ADMIN_USERNAME}
+      // maas ${process.env.MAAS_ADMIN_USERNAME} account create-authorisation-token
+      // maas apikey --generate --username ${process.env.MAAS_ADMIN_USERNAME}
+      // Reference: https://github.com/CanonicalLtd/maas-docs/issues/647
+
+      const parts = shellExec(`maas apikey --with-names --username ${process.env.MAAS_ADMIN_USERNAME}`, {
+        stdout: true,
+      })
+        .trim()
+        .split(`\n`)[0] // Take only the first line of output.
+        .split(':'); // Split by colon to get individual parts.
+
+      let consumer_key, consumer_secret, token_key, token_secret;
+
+      // Determine the format of the API key and assign parts accordingly.
+      if (parts.length === 4) {
+        [consumer_key, consumer_secret, token_key, token_secret] = parts;
+      } else if (parts.length === 3) {
+        // Handle older 3-part format, setting consumer_secret as empty.
+        [consumer_key, token_key, token_secret] = parts;
+        consumer_secret = '';
+        token_secret = token_secret.split(' MAAS consumer')[0].trim(); // Clean up token secret.
+      } else {
+        // Throw an error if the format is not recognized.
+        throw new Error('Invalid token format');
+      }
+
+      logger.info('Maas api token generated', { consumer_key, consumer_secret, token_key, token_secret });
+      return { consumer_key, consumer_secret, token_key, token_secret };
+    },
+
     /**
      * @method mountBinfmtMisc
      * @description Mounts the binfmt_misc filesystem to enable QEMU user-static binfmt support.
@@ -2335,7 +2726,7 @@ shell
         const systemId = typeof machine === 'string' ? machine : machine.system_id;
         if (ignore && ignore.find((mId) => mId === systemId)) continue;
         logger.info(`Removing machine: ${systemId}`);
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} machine delete ${systemId}`);
+        Underpost.baremetal.maasCliExec(`machine delete ${systemId}`);
       }
       return [];
     },
@@ -2349,9 +2740,9 @@ shell
      * @returns {void}
      */
     clearDiscoveries({ force }) {
-      shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} discoveries clear all=true`);
+      Underpost.baremetal.maasCliExec(`discoveries clear all=true`);
       if (force === true) {
-        shellExec(`maas ${process.env.MAAS_ADMIN_USERNAME} discoveries scan force=true`);
+        Underpost.baremetal.maasCliExec(`discoveries scan force=true`);
       }
     },
 
@@ -2892,9 +3283,10 @@ logdir /var/log/chrony
      * @param {string} params.nfsHostPath - The path to the NFS server export.
      * @memberof UnderpostBaremetal
      * @param {string} [params.subnet='192.168.1.0/24'] - The subnet allowed to access the NFS export.
+     * @param {boolean} [params.nfsReset=false] - Flag to completely reset the NFS server (restart service).
      * @returns {void}
      */
-    rebuildNfsServer({ nfsHostPath, subnet }) {
+    rebuildNfsServer({ nfsHostPath, subnet, nfsReset }) {
       if (!subnet) subnet = '192.168.1.0/24'; // Default subnet if not provided.
       // Write the NFS exports configuration to /etc/exports.
       fs.writeFileSync(
@@ -2943,9 +3335,11 @@ udp-port = 32766
 
       // Restart the nfs-server service to apply all configuration changes,
       // including port settings from /etc/nfs.conf and export changes.
-      logger.info('Restarting nfs-server service...');
-      shellExec(`sudo systemctl restart nfs-server`);
-      logger.info('NFS server restarted.');
+      if (nfsReset) {
+        logger.info('Restarting nfs-server service...');
+        shellExec(`sudo systemctl restart nfs-server`);
+        logger.info('NFS server restarted.');
+      }
     },
 
     /**
@@ -2967,10 +3361,10 @@ udp-port = 32766
         // Check both /usr/local/bin (compiled) and system paths
         let qemuAarch64Path = null;
 
-        if (shellExec('test -x /usr/local/bin/qemu-system-aarch64', { silent: true }).code === 0) {
+        if (shellExec('test -x /usr/local/bin/qemu-system-aarch64').code === 0) {
           qemuAarch64Path = '/usr/local/bin/qemu-system-aarch64';
-        } else if (shellExec('which qemu-system-aarch64', { silent: true }).code === 0) {
-          qemuAarch64Path = shellExec('which qemu-system-aarch64', { silent: true }).stdout.trim();
+        } else if (shellExec('which qemu-system-aarch64').code === 0) {
+          qemuAarch64Path = shellExec('which qemu-system-aarch64').stdout.trim();
         }
 
         if (!qemuAarch64Path) {
@@ -2983,7 +3377,7 @@ udp-port = 32766
         logger.info(`Found qemu-system-aarch64 at: ${qemuAarch64Path}`);
 
         // Verify that the installed qemu supports the 'virt' machine type (required for arm64)
-        const machineHelp = shellExec(`${qemuAarch64Path} -machine help`, { silent: true }).stdout;
+        const machineHelp = shellExec(`${qemuAarch64Path} -machine help`).stdout;
         if (!machineHelp.includes('virt')) {
           throw new Error(
             'The installed qemu-system-aarch64 does not support the "virt" machine type.\n' +
@@ -2996,10 +3390,10 @@ udp-port = 32766
         // Check both /usr/local/bin (compiled) and system paths
         let qemuX86Path = null;
 
-        if (shellExec('test -x /usr/local/bin/qemu-system-x86_64', { silent: true }).code === 0) {
+        if (shellExec('test -x /usr/local/bin/qemu-system-x86_64').code === 0) {
           qemuX86Path = '/usr/local/bin/qemu-system-x86_64';
-        } else if (shellExec('which qemu-system-x86_64', { silent: true }).code === 0) {
-          qemuX86Path = shellExec('which qemu-system-x86_64', { silent: true }).stdout.trim();
+        } else if (shellExec('which qemu-system-x86_64').code === 0) {
+          qemuX86Path = shellExec('which qemu-system-x86_64').stdout.trim();
         }
 
         if (!qemuX86Path) {
@@ -3012,7 +3406,7 @@ udp-port = 32766
         logger.info(`Found qemu-system-x86_64 at: ${qemuX86Path}`);
 
         // Verify that the installed qemu supports the 'pc' or 'q35' machine type (required for x86_64)
-        const machineHelp = shellExec(`${qemuX86Path} -machine help`, { silent: true }).stdout;
+        const machineHelp = shellExec(`${qemuX86Path} -machine help`).stdout;
         if (!machineHelp.includes('pc') && !machineHelp.includes('q35')) {
           throw new Error(
             'The installed qemu-system-x86_64 does not support the "pc" or "q35" machine type.\n' +