fix: shorten non-FIPS NIC names on fresh bare-metal installs

Earthfile

@@ -286,6 +286,7 @@ build-uki-iso:
     ENV ISO_NAME=${ISO_NAME}
     COPY overlay/files-iso/ /overlay/
     COPY --if-exists +validate-user-data/user-data /overlay/config.yaml
+
     COPY --platform=linux/${ARCH} +stylus-image-pack/stylus-image.tar /overlay/stylus-image.tar
     COPY --platform=linux/${ARCH} (+third-party/luet --binary=luet)  /overlay/luet
     COPY --if-exists "$EDGE_CUSTOM_CONFIG" /overlay/.edge_custom_config.yaml
@@ -772,12 +773,7 @@ base-image:
                 rm -rf /var/lib/apt/lists/*
             RUN kernel=$(ls /boot/vmlinuz-* | tail -n1) && \
            	ln -sf "${kernel#/boot/}" /boot/vmlinuz
-            # Skip dracut when FIPS is enabled - the Dockerfile will include custom dracut modules.fips
-            IF [ "$FIPS_ENABLED" = "false" ]
-                RUN kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1) && \
-                   dracut -f "/boot/initrd-${kernel}" "${kernel}" && \
-                   ln -sf "initrd-${kernel}" /boot/initrd
-            END
+
             RUN kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1) && \
            	depmod -a "${kernel}"
 
@@ -806,7 +802,6 @@ base-image:
 
         IF [ -e "/usr/bin/dracut" ]
             RUN --no-cache kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1) && depmod -a "${kernel}"
-            RUN --no-cache kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1) && dracut -f "/boot/initrd-${kernel}" "${kernel}" && ln -sf "initrd-${kernel}" /boot/initrd
         END
 
         RUN zypper install -y zstd vim iputils bridge-utils curl ethtool tcpdump && \
@@ -825,6 +820,22 @@ base-image:
         RUN yum install -y openssl rsyslog logrotate
     END
 
+    # Non-FIPS: strip np* phys-port suffixes from predictable NIC names (bare metal).
+    # Install-only via /oem marker (see cloudconfigs/80_canvos_net_naming.yaml).
+    # Installed for all OS/arch (ubuntu, opensuse-leap, sles, rhel) and image types
+    # (ISO, UKI, cloud/agent-mode AWS, MAAS). Legacy day-2 upgrades keep long names.
+    IF [ "$FIPS_ENABLED" = "false" ]
+        COPY overlay/files/usr/lib/canvos/canvos-strip-np-suffix /usr/lib/canvos/canvos-strip-np-suffix
+        RUN chmod 755 /usr/lib/canvos/canvos-strip-np-suffix
+        COPY overlay/files/etc/udev/rules.d/99-canvos-net-naming.rules /etc/udev/rules.d/99-canvos-net-naming.rules
+        COPY cloudconfigs/80_canvos_net_naming.yaml /etc/kairos/80_canvos_net_naming.yaml
+        IF [ "$IS_UKI" = "false" ] && [ -e "/usr/bin/dracut" ]
+            RUN --no-cache kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1) && \
+                dracut -f "/boot/initrd-${kernel}" "${kernel}" && \
+                ln -sf "initrd-${kernel}" /boot/initrd
+        END
+    END
+
     DO +OS_RELEASE --OS_VERSION=$KAIROS_VERSION
 
     DO +KAIROS_RELEASE --OS_VERSION=$OS_VERSION --OS_DISTRIBUTION=$OS_DISTRIBUTION --ARCH=$ARCH --IS_MAAS=$IS_MAAS
@@ -848,6 +859,7 @@ base-image:
         RUN if ! grep -Fq "systemd.unified_cgroup_hierarchy=1" /etc/cos/bootargs.cfg; then \
                 sed -i 's|\(set baseCmd="[^"]*\)"|\1 systemd.unified_cgroup_hierarchy=1"|' /etc/cos/bootargs.cfg; \
             fi
+
     END
 
 KAIROS_RELEASE:

cloudconfigs/80_canvos_net_naming.yaml

@@ -0,0 +1,25 @@
+#cloud-config
+stages:
+  after-install:
+    - name: "Enable CanvOS np suffix stripping on fresh install"
+      if: '[ ! -f $STYLUS_ROOT/opt/spectrocloud/state/agent-mode ]'
+      commands:
+        - mkdir -p /etc/canvos
+        - touch /etc/canvos/strip-np-enabled
+    - if: '[ ! -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/uki_install_mode" ] && [ ! -f $STYLUS_ROOT/opt/spectrocloud/state/agent-mode ]'
+      name: "Persist CanvOS np suffix stripping marker on oem"
+      commands:
+        - if mount | grep /oem >/dev/null; then umount /oem || /bin/true; fi
+        - mount $(findfs PARTLABEL=oem) /oem
+        - touch /oem/.canvos-strip-np-enabled
+        - umount /oem || /bin/true
+    - if: '[ -e "/run/cos/uki_install_mode" ] && [ ! -f $STYLUS_ROOT/opt/spectrocloud/state/agent-mode ]'
+      name: "Persist CanvOS np suffix stripping marker on oem (UKI)"
+      commands:
+        - if mount | grep /oem >/dev/null; then umount /oem || /bin/true; fi
+        - for d in /dev/mapper/*; do if [ ! "$d" = "/dev/mapper/control" ]; then cryptsetup close $d; fi; done
+        - /usr/lib/systemd/systemd-cryptsetup attach oem $(findfs PARTLABEL=oem) - tpm2-device=auto
+        - mount /dev/mapper/oem /oem
+        - touch /oem/.canvos-strip-np-enabled
+        - if mount | grep /oem >/dev/null; then umount /oem || /bin/true; fi
+        - if [ -e /dev/mapper/oem ]; then cryptsetup close /dev/mapper/oem; fi

overlay/files/etc/udev/rules.d/99-canvos-net-naming.rules

@@ -0,0 +1,6 @@
+# Shorten bare-metal NIC names like eno12399np0 -> eno12399 after 80-net-setup-link.
+# Install-only: enabled when /oem/.canvos-strip-np-enabled exists (fresh install).
+# Safe no-op for legacy nodes, VMware/AWS ens*, and agent-mode cloud VMs.
+SUBSYSTEM=="net", ACTION=="add", ENV{ID_NET_NAME}=="?*", \
+  PROGRAM="/usr/lib/canvos/canvos-strip-np-suffix %E{ID_NET_NAME}", \
+  NAME="%c"

overlay/files/usr/lib/canvos/canvos-strip-np-suffix

@@ -0,0 +1,25 @@
+#!/bin/sh
+# Strip trailing np<N> suffix from predictable interface names assigned by udev.
+# Enabled only on fresh installs (marker on /oem or /etc). Legacy nodes pass through.
+# Names without np* (VMware ens*, AWS ens*, etc.) are unchanged either way.
+set -eu
+
+name=${1:-}
+if [ -z "$name" ]; then
+	exit 1
+fi
+
+for marker in \
+	/oem/.canvos-strip-np-enabled \
+	/etc/canvos/strip-np-enabled \
+	/sysroot/oem/.canvos-strip-np-enabled \
+	/sysroot/etc/canvos/strip-np-enabled
+do
+	if [ -f "$marker" ]; then
+		short=$(printf '%s' "$name" | sed -E 's/np[0-9]+$//')
+		printf '%s\n' "$short" | cut -c1-15
+		exit 0
+	fi
+done
+
+printf '%s\n' "$name" | cut -c1-15