build/initramfs/rfs: stabilize paths, tests; add branding guard; ntp robustness

• rfs_flists: normalize CWD to PROJECT_ROOT; invoke packers via absolute paths (fix relative lookup under kernel/current)

• initramfs_create_cpio: redirect to absolute output path; add explicit customization verification logs

• initramfs_test: default INITRAMFS_ARCHIVE to absolute dist/initramfs.cpio.xz when stage is invoked directly

• branding: guard motd/issue/password edits behind ZEROOS_BRANDING (or ZEROOS_REBRANDING) with default disabled; do not touch files unless enabled

• ntp: write /etc/ntp.conf only if absent; symlink ntpd.conf; runtime ntpd.sh parses kernel ntp= and falls back to Google NTP

• docs/config: add commented ZEROOS_BRANDING/REBRANDING examples to config/build.conf

config/build.conf

@@ -43,6 +43,12 @@ KERNEL_SOURCE_URL="https://cdn.kernel.org/pub/linux/kernel"
 # FIRMWARE_TAG="v1"
 #FIRMWARE_TAG="latest"
 
+# Branding and customization guard (default off)
+# Set to "true" to enable Zero-OS branding and passwordless root in initramfs.
+# Both variables are accepted; ZEROOS_BRANDING takes precedence if both set.
+ZEROOS_BRANDING="true"
+ZEROOS_REBRANDING="true"
+
 # Feature flags
 ENABLE_STRIP="true"
 ENABLE_UPX="true"

initramfs/etc/resolv.conf

@@ -1,2 +1 @@
-nameserver 169.254.1.1
 nameserver 192.168.64.254

scripts/build.sh

@@ -297,16 +297,22 @@ function main_build_process() {
             export FULL_KERNEL_VERSION
             log_info "Resolved FULL_KERNEL_VERSION: ${FULL_KERNEL_VERSION}"
         fi
-        echo =============  $(pwd)
+
+        # Normalize working directory to the project root to avoid relative path issues
+        local _oldpwd
+        _oldpwd="$(pwd)"
+        safe_execute cd "${PROJECT_ROOT}"
+        log_debug "stage_rfs_flists CWD (normalized): $(pwd)"
+
         # Ensure rfs scripts are executable when present (be robust if directory is missing)
-        if [[ -d "./scripts/rfs" ]]; then
+        if [[ -d "${PROJECT_ROOT}/scripts/rfs" ]]; then
-            safe_execute find ./scripts/rfs -type f -name "*.sh" -exec chmod +x {} \;
+            safe_execute find "${PROJECT_ROOT}/scripts/rfs" -type f -name "*.sh" -exec chmod +x {} \;
         else
-            log_warn "scripts/rfs directory not found; will invoke packers via bash to avoid +x requirement"
+            log_warn "scripts/rfs directory not found under PROJECT_ROOT=${PROJECT_ROOT}; invoking packers via bash with absolute paths"
         fi
 
         # Build modules flist (writes to dist/flists/modules-${FULL_KERNEL_VERSION}.fl)
-        safe_execute bash ./scripts/rfs/pack-modules.sh
+        safe_execute bash "${PROJECT_ROOT}/scripts/rfs/pack-modules.sh"
 
         # Build firmware flist with a reproducible tag:
         # Priority: env FIRMWARE_TAG > config/build.conf: FIRMWARE_TAG > "latest"
@@ -321,13 +327,13 @@ function main_build_process() {
             fw_tag="${FIRMWARE_TAG:-latest}"
         fi
         log_info "Using firmware tag: ${fw_tag}"
-        safe_execute env FIRMWARE_TAG="${fw_tag}" bash ./scripts/rfs/pack-firmware.sh
+        safe_execute env FIRMWARE_TAG="${fw_tag}" bash "${PROJECT_ROOT}/scripts/rfs/pack-firmware.sh"
 
         # Embed flists inside initramfs at /etc/rfs for zinit init scripts
         local etc_rfs_dir="${INSTALL_DIR}/etc/rfs"
         safe_mkdir "${etc_rfs_dir}"
 
-        local modules_fl="dist/flists/modules-${FULL_KERNEL_VERSION}.fl"
+        local modules_fl="${PROJECT_ROOT}/dist/flists/modules-${FULL_KERNEL_VERSION}.fl"
         if [[ -f "${modules_fl}" ]]; then
             safe_execute cp "${modules_fl}" "${etc_rfs_dir}/"
             log_info "Embedded modules flist: ${modules_fl} -> ${etc_rfs_dir}/"
@@ -335,7 +341,7 @@ function main_build_process() {
             log_warn "Modules flist not found: ${modules_fl}"
         fi
 
-        local firmware_fl="dist/flists/firmware-${fw_tag}.fl"
+        local firmware_fl="${PROJECT_ROOT}/dist/flists/firmware-${fw_tag}.fl"
         if [[ -f "${firmware_fl}" ]]; then
             # Provide canonical name firmware-latest.fl expected by firmware.sh
             safe_execute cp "${firmware_fl}" "${etc_rfs_dir}/firmware-latest.fl"
@@ -345,6 +351,8 @@ function main_build_process() {
         fi
 
         log_info "RFS flists embedded into initramfs"
+        # Restore previous working directory
+        safe_execute cd "${_oldpwd}"
     }
 
     function stage_cleanup() {
@@ -357,11 +365,25 @@ function main_build_process() {
     
     function stage_initramfs_create() {
         local initramfs_archive="${DIST_DIR}/initramfs.cpio.xz"
+        # Normalize to absolute path to avoid CWD-related issues in later stages
+        if [[ "${initramfs_archive}" != /* ]]; then
+            initramfs_archive="${PROJECT_ROOT}/${initramfs_archive#./}"
+        fi
         initramfs_create_cpio "$INSTALL_DIR" "$initramfs_archive"
         export INITRAMFS_ARCHIVE="$initramfs_archive"
+        log_debug "stage_initramfs_create: INITRAMFS_ARCHIVE=${INITRAMFS_ARCHIVE}"
     }
     
     function stage_initramfs_test() {
+        # Ensure INITRAMFS_ARCHIVE is set when skipping directly to this stage
+        if [[ -z "${INITRAMFS_ARCHIVE:-}" ]]; then
+            local archive_path="${DIST_DIR}/initramfs.cpio.xz"
+            if [[ "${archive_path}" != /* ]]; then
+                archive_path="${PROJECT_ROOT}/${archive_path#./}"
+            fi
+            export INITRAMFS_ARCHIVE="${archive_path}"
+            log_debug "stage_initramfs_test: defaulting INITRAMFS_ARCHIVE=${INITRAMFS_ARCHIVE}"
+        fi
         initramfs_test_archive "$INITRAMFS_ARCHIVE"
     }
     

scripts/lib/initramfs.sh

@@ -572,18 +572,22 @@ function initramfs_finalize_customization() {
     
     section_header "Final Zero-OS Customization"
     
-    # Remove root password for passwordless login
+    # Branding guard (default disabled). Enable by setting ZEROOS_BRANDING=true (or ZEROOS_REBRANDING=true)
-    log_info "Removing root password for passwordless login"
+    local _branding="${ZEROOS_BRANDING:-${ZEROOS_REBRANDING:-false}}"
-    if [[ -f "${initramfs_dir}/etc/passwd" ]]; then
-        safe_execute sed -i 's/^root:[^:]*:/root::/' "${initramfs_dir}/etc/passwd"
-        log_info "✓ Root password removed"
-    else
-        log_warn "/etc/passwd not found, skipping password removal"
-    fi
     
-    # Update /etc/motd to Zero-OS
+    if [[ "${_branding}" == "true" ]]; then
-    log_info "Updating /etc/motd to Zero-OS branding"
+        # Remove root password for passwordless login
-    cat > "${initramfs_dir}/etc/motd" << 'EOF'
+        log_info "Branding enabled: removing root password for passwordless login"
+        if [[ -f "${initramfs_dir}/etc/passwd" ]]; then
+            safe_execute sed -i 's/^root:[^:]*:/root::/' "${initramfs_dir}/etc/passwd"
+            log_info "✓ Root password removed"
+        else
+            log_warn "/etc/passwd not found, skipping password removal"
+        fi
+
+        # Update /etc/motd to Zero-OS
+        log_info "Branding enabled: updating /etc/motd to Zero-OS branding"
+        cat > "${initramfs_dir}/etc/motd" << 'EOF'
 
 Welcome to Zero-OS!
 
@@ -593,18 +597,22 @@ Built on Alpine Linux with ThreeFold components.
 For more information: https://github.com/threefoldtech/zos
 
 EOF
-    
+
-    # Update /etc/issue to Zero-OS
+        # Update /etc/issue to Zero-OS
-    log_info "Updating /etc/issue to Zero-OS branding"
+        log_info "Branding enabled: updating /etc/issue to Zero-OS branding"
-    cat > "${initramfs_dir}/etc/issue" << 'EOF'
+        cat > "${initramfs_dir}/etc/issue" << 'EOF'
 Zero-OS \r \m
 Built on \l
 
 EOF
+    else
+        log_info "Branding disabled: leaving /etc/motd, /etc/issue and root password unchanged"
+    fi
     
-    # Create ntp.conf pointing to Google NTP servers (canonical name for hooks)
+    # Ensure ntp.conf exists for hooks. Create only if absent, do not overwrite.
-    log_info "Creating ntp.conf with Google NTP servers"
+    if [[ ! -f "${initramfs_dir}/etc/ntp.conf" ]]; then
-    cat > "${initramfs_dir}/etc/ntp.conf" << 'EOF'
+        log_info "Creating ntp.conf with Google NTP servers (absent)"
+        cat > "${initramfs_dir}/etc/ntp.conf" << 'EOF'
 # Zero-OS NTP Configuration
 # Using Google public NTP servers for reliable time sync
 
@@ -626,16 +634,19 @@ restrict -6 ::1
 # Drift file for time stability
 driftfile /var/lib/ntp/ntp.drift
 EOF
+    else
+        log_info "Keeping existing /etc/ntp.conf (no overwrite)"
+    fi
 
     # Provide BusyBox ntpd compatibility symlink if needed
     if [[ ! -e "${initramfs_dir}/etc/ntpd.conf" ]]; then
         (cd "${initramfs_dir}/etc" && ln -sf ntp.conf ntpd.conf)
     fi
     
-    # Set proper permissions
+    # Set proper permissions (only if files exist)
-    safe_execute chmod 644 "${initramfs_dir}/etc/motd"
+    [[ -f "${initramfs_dir}/etc/motd" ]] && safe_execute chmod 644 "${initramfs_dir}/etc/motd"
-    safe_execute chmod 644 "${initramfs_dir}/etc/issue"
+    [[ -f "${initramfs_dir}/etc/issue" ]] && safe_execute chmod 644 "${initramfs_dir}/etc/issue"
-    safe_execute chmod 644 "${initramfs_dir}/etc/ntp.conf"
+    [[ -f "${initramfs_dir}/etc/ntp.conf" ]] && safe_execute chmod 644 "${initramfs_dir}/etc/ntp.conf"
     
     # Create ntp drift directory
     safe_mkdir "${initramfs_dir}/var/lib/ntp"