Attempt to backport ubuntu-image 3.x livecd-rootfs changes for some intel-iot experiments.

intel-iot-changes
Łukasz 'sil2100' Zemczak 9 months ago
parent c38c425704
commit 1e281fe7db

@ -17,81 +17,23 @@ fi
. config/functions . config/functions
# New nf_tables-based versions of iptables don't work well on old kernels.
# We aren't sure exactly how old is a problem: 4.15 works, but with 4.4 new
# rules are added to all chains in the requested table rather than just one,
# and the new rules seem to have no useful effect. In such cases,
# iptables-legacy works better.
#
# We can simplify this once livecd-rootfs no longer needs to support running
# on Ubuntu 16.04 (that is, once Launchpad's build VMs are upgraded to
# Ubuntu 18.04).
run_iptables () {
local kver kver_major kver_minor
kver="$(uname -r)"
kver="${kver%%-*}"
kver_major="${kver%%.*}"
kver="${kver#*.}"
kver_minor="${kver%%.*}"
# LP: #1917920
# I'm seeing issues after iptables got upgraded from 1.8.5 to
# 1.8.7 Somehow installing our nat rule doesn't get activated, and
# no networking is happening at all.
# But somehow calling both iptables -S makes things start working.
# Maybe no default chains are installed in our network namespace?!
# Or 1.8.7 is somehow broken?
iptables -v -t nat -S
iptables-legacy -v -t nat -S
if [ "$kver_major" -lt 4 ] || \
([ "$kver_major" = 4 ] && [ "$kver_minor" -lt 15 ]); then
iptables-legacy "$@"
else
iptables "$@"
fi
}
if [ -n "$REPO_SNAPSHOT_STAMP" ]; then
if [ "`whoami`" != "root" ]; then
echo "Magic repo snapshots only work when running as root." >&2
exit 1
fi
apt-get -qyy install iptables
# Redirect all outgoing traffic to port 80 to proxy instead.
run_iptables -v -t nat -A OUTPUT -p tcp --dport 80 \
-m owner ! --uid-owner daemon -j REDIRECT --to 8080
# Run proxy as "daemon" to avoid infinite loop.
LB_PARENT_MIRROR_BOOTSTRAP=$LB_PARENT_MIRROR_BOOTSTRAP \
/usr/share/livecd-rootfs/magic-proxy \
--address="127.0.0.1" \
--port=8080 \
--run-as=daemon \
--cutoff-time="$REPO_SNAPSHOT_STAMP" \
--log-file=/build/livecd.magic-proxy.log \
--pid-file=config/magic-proxy.pid \
--background \
--setsid
# Quick check that magic proxy & iptables chains are working
timeout 3m apt-get update
fi
# Link output files somewhere launchpad-buildd will be able to find them. # Link output files somewhere launchpad-buildd will be able to find them.
PREFIX="livecd.$PROJECT${SUBARCH:+-$SUBARCH}" PREFIX="livecd.$PROJECT${SUBARCH:+-$SUBARCH}"
if [ "${IMAGEFORMAT:-}" = "ubuntu-image" ]; then if [ "${IMAGEFORMAT:-}" = "ubuntu-image" ]; then
# Use ubuntu-image instead of live-build # Use ubuntu-image instead of live-build
export SNAPPY_STORE_NO_CDN=1
LB_UBUNTU_IMAGE_CHANNEL="${LB_UBUNTU_IMAGE_CHANNEL:-candidate}"
snap install \
--classic --channel="$LB_UBUNTU_IMAGE_CHANNEL" ubuntu-image
# TODO: eventually, this should be handled by a single ubuntu-image
# call without having to do a conditional on ubuntu-core/classic.
# We could already do that, but then we'd still have to do the
# compressing for the core images.
if [ "$PROJECT" = "ubuntu-core" ]; then if [ "$PROJECT" = "ubuntu-core" ]; then
env SNAPPY_STORE_NO_CDN=1 \ /snap/bin/ubuntu-image snap $UBUNTU_IMAGE_ARGS \
ubuntu-image snap $UBUNTU_IMAGE_ARGS \
-O output "$PREFIX".model-assertion -O output "$PREFIX".model-assertion
# XXX: currently we only have one image generated, but really # XXX: currently we only have one image generated, but really
# we should be supporting more than one for models that # we should be supporting more than one for models that
@ -100,20 +42,23 @@ if [ "${IMAGEFORMAT:-}" = "ubuntu-image" ]; then
xz -0 -T4 "$PREFIX".img xz -0 -T4 "$PREFIX".img
mv output/seed.manifest "$PREFIX".manifest mv output/seed.manifest "$PREFIX".manifest
else else
# First we need to build the gadget tree /snap/bin/ubuntu-image classic --debug $UBUNTU_IMAGE_ARGS \
make -C "config/$PREFIX-gadget" \ -O output "$IMAGE_DEFINITION"
ARCH=$ARCH SERIES=$SUITE $GADGET_TARGET # Since the output of the ubuntu-image call can vary based on what
ubuntu-image classic $UBUNTU_IMAGE_ARGS \ # kind of an image we build, the safest bet is to 'export' all the
-s $SUITE -p $PROJECT -a $ARCH --subarch $SUBARCH \ # artifacts from the output directory. The image definition file
-O output config/$PREFIX-gadget/install # should be what defines what is expected, so that we don't have
# XXX: currently we only have one image generated, but really # to tweak livecd-rootfs everytime a different type of artifact
# we should be supporting more than one for models that # is needed.
# define those. for artifact in output/*; do
mv output/*.img "$PREFIX".img # We want to be dynamic, and want to support even
xz -0 -T4 "$PREFIX".img # two-part extensions.
# Also link the output image to a filename that cdimage expects filename=$(basename $artifact)
ln "$PREFIX".img.xz livecd.ubuntu-cpc.disk1.img.xz noversion=$(echo $filename | sed 's/[0-9][0-9]\.[0-9][0-9]//')
mv output/filesystem.manifest "$PREFIX".manifest extension=${noversion#*.}
mv $artifact "$PREFIX".$extension
done
[ -f $PREFIX.img ] && xz -0 -T4 "$PREFIX".img
fi fi
exit 0 exit 0
@ -154,15 +99,8 @@ Expire-Date: 0
lb bootstrap "$@" lb bootstrap "$@"
case $PROJECT:${SUBPROJECT:-} in # Set locale to C.UTF-8 by default. This may be overridden later.
ubuntu-server:*|ubuntu-cpc:*|ubuntu:desktop-preinstalled|ubuntu-wsl:*)
# Set locale to C.UTF-8 by default. We should
# probably do this for all images early in the
# 18.10 cycle but for now just do it for
# server and cpc products.
echo "LANG=C.UTF-8" > chroot/etc/default/locale echo "LANG=C.UTF-8" > chroot/etc/default/locale
;;
esac
if [ "${SUBPROJECT:-}" = minimized ] \ if [ "${SUBPROJECT:-}" = minimized ] \
&& ! Chroot chroot dpkg -l tzdata 2>&1 |grep -q ^ii; then && ! Chroot chroot dpkg -l tzdata 2>&1 |grep -q ^ii; then
@ -281,6 +219,24 @@ if dpkg-query --show --showformat='${db:Status-Status}\n' ubuntu-server 2> /dev/
DEBIAN_FRONTEND=noninteractive apt-get install -y landscape-common DEBIAN_FRONTEND=noninteractive apt-get install -y landscape-common
fi fi
EOF EOF
fi
if [ "$PROJECT" = "ubuntu-cpc" ]; then
# we'd like to transform a minimized image to a base image
# when unminimize is run.
cat >> chroot/usr/local/sbin/unminimize <<'EOF'
# even if ubuntu-server is installed, we should re-install it with --fix-policy --install-recommends
# to ensure all the Recommends of dependencies of ubuntu-server are installed, which aids in transforming
# this minimized image to an equivalent base image.
DEBIAN_FRONTEND=noninteractive apt-get --reinstall --fix-policy --install-recommends install -y ubuntu-server
if dpkg-query --show --showformat='${db:Status-Status}\n' linux-image-virtual 2> /dev/null | grep -q '^installed$'; then
echo "Installing linux-virtual for installing the headers which were stripped in a minimized image"
DEBIAN_FRONTEND=noninteractive apt-get install -y linux-virtual
fi
EOF
fi fi
if [ "$PROJECT" = "ubuntu-cpc" ] || [ "$PROJECT" = "ubuntu-server" ]; then if [ "$PROJECT" = "ubuntu-cpc" ] || [ "$PROJECT" = "ubuntu-server" ]; then
cat >> chroot/usr/local/sbin/unminimize <<'EOF' cat >> chroot/usr/local/sbin/unminimize <<'EOF'
@ -329,6 +285,16 @@ EOF
chmod +x chroot/usr/bin/man chmod +x chroot/usr/bin/man
fi fi
if [ "${SUBPROJECT:-}" != minimized ] \
&& [ "${PROJECT}" != "ubuntu-server" ]
then
# debootstrap doesn't handle Recommends and fixing this is
# non-trivial, so install missing Recommends here
echo "Installing any missing recommends"
Chroot chroot "env DEBIAN_FRONTEND=noninteractive \
apt-get -y --fix-policy install"
fi
if [ -n "${PASSES}" ]; then if [ -n "${PASSES}" ]; then
PATH="config/:$PATH" lb chroot_layered "$@" PATH="config/:$PATH" lb chroot_layered "$@"
else else
@ -340,7 +306,7 @@ EOF
fi fi
if [ -d chroot/etc/apt/preferences.d.save ]; then if [ -d chroot/etc/apt/preferences.d.save ]; then
# https://twitter.com/infinite_scream # https://mastodon.social/@scream@botsin.space
mv chroot/etc/apt/preferences.d.save/* chroot/etc/apt/preferences.d/ mv chroot/etc/apt/preferences.d.save/* chroot/etc/apt/preferences.d/
rmdir chroot/etc/apt/preferences.d.save rmdir chroot/etc/apt/preferences.d.save
fi fi
@ -350,6 +316,9 @@ EOF
# done in chroot hooks. # done in chroot hooks.
if [ -z "$PASSES" ]; then if [ -z "$PASSES" ]; then
if [ "${SUBPROJECT:-}" = minimized ]; then if [ "${SUBPROJECT:-}" = minimized ]; then
# ubuntu-cpc has moved to using ubuntu-cloud-minimal seed
# for minimized images, so don't need these purges anymore.
if [ "$PROJECT" != ubuntu-cpc ]; then
# force removal of initramfs-tools, which we assert is not # force removal of initramfs-tools, which we assert is not
# required for any minimized images but is still pulled in by # required for any minimized images but is still pulled in by
# default # default
@ -364,7 +333,7 @@ EOF
# an initramfs despite the generic dpkg-divert; so remove it # an initramfs despite the generic dpkg-divert; so remove it
# here. # here.
rm -f chroot/boot/initrd.img-* rm -f chroot/boot/initrd.img-*
fi
# temporary workaround: don't remove linux-base which # temporary workaround: don't remove linux-base which
# may have no other reverse-depends currently # may have no other reverse-depends currently
Chroot chroot "env DEBIAN_FRONTEND=noninteractive \ Chroot chroot "env DEBIAN_FRONTEND=noninteractive \
@ -397,7 +366,7 @@ EOF
mkdir -p chroot/var/lib/preinstalled-pool/dists/$LB_DISTRIBUTION/$component/binary-$LB_ARCHITECTURES mkdir -p chroot/var/lib/preinstalled-pool/dists/$LB_DISTRIBUTION/$component/binary-$LB_ARCHITECTURES
done done
apt-ftparchive generate config/indices/apt.conf apt-ftparchive generate config/indices/apt.conf
cat << @@EOF > chroot/etc/apt/sources.list.preinstall cat << @@EOF > chroot/etc/apt/sources.list.d/preinstalled-pool.sources
# This is a sources.list entry for a small pool of packages # This is a sources.list entry for a small pool of packages
# provided on your preinstalled filesystem for your convenience. # provided on your preinstalled filesystem for your convenience.
# #
@ -405,12 +374,13 @@ EOF
# it references, should you want to save disk space and fetch the # it references, should you want to save disk space and fetch the
# packages remotely instead. # packages remotely instead.
# #
deb file:/var/lib/preinstalled-pool/ $LB_DISTRIBUTION $LB_PARENT_ARCHIVE_AREAS Types: deb
# URIs: file:/var/lib/preinstalled-pool/
Suites: $LB_DISTRIBUTION
Components: $LB_PARENT_ARCHIVE_AREAS
Signed-By: /etc/apt/keyrings/preinstalled-pool.gpg
@@EOF @@EOF
cp chroot/etc/apt/sources.list chroot/etc/apt/sources.list.orig
cp chroot/etc/apt/sources.list.preinstall chroot/etc/apt/sources.list
echo "Waiting on gnupg ("$GPG_PROCESS") to finish generating a key." echo "Waiting on gnupg ("$GPG_PROCESS") to finish generating a key."
wait $GPG_PROCESS wait $GPG_PROCESS
@ -434,13 +404,10 @@ deb file:/var/lib/preinstalled-pool/ $LB_DISTRIBUTION $LB_PARENT_ARCHIVE_AREAS
chroot/var/lib/preinstalled-pool/dists/$R_CODENAME/Release chroot/var/lib/preinstalled-pool/dists/$R_CODENAME/Release
mv config/gnupg/Release.asc \ mv config/gnupg/Release.asc \
chroot/var/lib/preinstalled-pool/dists/$R_CODENAME/Release.gpg chroot/var/lib/preinstalled-pool/dists/$R_CODENAME/Release.gpg
apt-key --keyring chroot/etc/apt/trusted.gpg add config/gnupg/pubring.gpg cp config/gnupg/pubring.gpg chroot/etc/apt/keyrings/preinstalled-pool.gpg
find chroot/var/lib/preinstalled-pool/ -name Packages | xargs rm find chroot/var/lib/preinstalled-pool/ -name Packages | xargs rm
# We only want to have a cache for the pre-installed pool at this point
Chroot chroot "apt-get update" Chroot chroot "apt-get update -o Dir::Etc::SourceParts=/dev/null -oDir::Etc::SourceList=etc/apt/sources.list.d/preinstalled-pool.sources"
cat chroot/etc/apt/sources.list.preinstall chroot/etc/apt/sources.list.orig \
> chroot/etc/apt/sources.list
rm chroot/etc/apt/sources.list.preinstall chroot/etc/apt/sources.list.orig
fi fi
case $PROJECT:$SUBPROJECT in case $PROJECT:$SUBPROJECT in
*) *)
@ -463,9 +430,16 @@ serial: $BUILDSTAMP
EOF EOF
fi fi
if [ "$PROJECT" = "ubuntu-oci" ]; then if [ "${PROJECT}" = ubuntu-base ] || [ "${PROJECT}" = "ubuntu-oci" ]; then
if [ -n "$BUILDSTAMP" ]; then if [ -n "$BUILDSTAMP" ]; then
configure_oci chroot "$BUILDSTAMP" mkdir -p chroot/etc/cloud
cat > chroot/etc/cloud/build.info << EOF
build_name: $PROJECT:${SUBPROJECT:-}
serial: $BUILDSTAMP
EOF
if [ "${PROJECT}" = "ubuntu-oci" ]; then
configure_oci chroot
fi
else else
echo "The \$BUILDSTAMP variable is empty" echo "The \$BUILDSTAMP variable is empty"
exit 1 exit 1
@ -491,7 +465,7 @@ EOF
# affected by this, we manually clear out the archive-related Packages # affected by this, we manually clear out the archive-related Packages
# files in the cache. # files in the cache.
case $PROJECT in case $PROJECT in
ubuntu|xubuntu|kubuntu|ubuntu-budgie|ubuntukylin|ubuntu-mate) ubuntu|xubuntu|kubuntu|ubuntu-budgie|ubuntukylin|ubuntu-mate|ubuntucinnamon|ubuntu-unity|edubuntu)
rm -f chroot/var/lib/apt/lists/*ubuntu.com*_Packages rm -f chroot/var/lib/apt/lists/*ubuntu.com*_Packages
;; ;;
esac esac
@ -511,12 +485,6 @@ EOF
if [ -e binary.success ]; then if [ -e binary.success ]; then
rm -f binary.success rm -f binary.success
else else
# Dump the magic-proxy log to stdout on failure to aid debugging
if [ -f /build/livecd.magic-proxy.log ] ; then
echo "================= Magic proxy log (start) ================="
cat /build/livecd.magic-proxy.log
echo "================== Magic proxy log (end) =================="
fi
exit 1 exit 1
fi fi
@ -541,10 +509,13 @@ for OUTPUT in ext2 ext3 ext4 manifest manifest-remove size squashfs; do
done done
# we don't need a manifest-remove for a layered-aware installer # we don't need a manifest-remove for a layered-aware installer
if [ "$PROJECT" = "ubuntu" ] && [ "$SUBPROJECT" = "canary" ]; then # here we have a list of all new-installer flavors
case $PROJECT in
ubuntu|ubuntu-budgie)
rm -f livecd.${PROJECT}-manifest-remove rm -f livecd.${PROJECT}-manifest-remove
rm -f config/manifest-minimal-remove rm -f config/manifest-minimal-remove
fi ;;
esac
if [ -e config/manifest-minimal-remove ]; then if [ -e config/manifest-minimal-remove ]; then
cp config/manifest-minimal-remove "$PREFIX.manifest-minimal-remove" cp config/manifest-minimal-remove "$PREFIX.manifest-minimal-remove"
@ -570,6 +541,14 @@ if [ -e "binary/$INITFS/filesystem.packages" ]; then
ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest" ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
chmod 644 "$PREFIX.manifest" chmod 644 "$PREFIX.manifest"
fi fi
# If a .filelist is present, use it as the filelist for the image by
# symlinking with expected name and updating permissions
if [ -e "binary/$INITFS/filesystem.filelist" ]; then
ln "binary/$INITFS/filesystem.filelist" "$PREFIX.filelist"
chmod 644 "$PREFIX.filelist"
fi
if [ -e "binary/$INITFS/filesystem.packages-remove" ]; then if [ -e "binary/$INITFS/filesystem.packages-remove" ]; then
# Not a typo, empty manifest-remove has a single LF in it. :/ # Not a typo, empty manifest-remove has a single LF in it. :/
if [ $(cat binary/$INITFS/filesystem.packages-remove | wc -c) -gt 1 ]; then if [ $(cat binary/$INITFS/filesystem.packages-remove | wc -c) -gt 1 ]; then
@ -593,12 +572,12 @@ for FLAVOUR in $LB_LINUX_FLAVOURS; do
allwinner|virtual|generic-hwe-*) allwinner|virtual|generic-hwe-*)
FLAVOUR="generic" FLAVOUR="generic"
;; ;;
lowlatency-hwe-*)
FLAVOUR="lowlatency"
;;
oem-*) oem-*)
FLAVOUR="oem" FLAVOUR="oem"
;; ;;
laptop-*)
FLAVOUR="laptop"
;;
image-intel) image-intel)
FLAVOUR="intel" FLAVOUR="intel"
;; ;;
@ -650,7 +629,7 @@ if [ "$NUMFLAVOURS" = 1 ] && [ "$LB_LINUX_FLAVOURS" != "none" ]; then
fi fi
case $SUBARCH in case $SUBARCH in
raspi|raspi2) raspi)
# copy the kernel and initrd to a predictable directory for # copy the kernel and initrd to a predictable directory for
# ubuntu-image consumption. In some cases, like in pi2/3 # ubuntu-image consumption. In some cases, like in pi2/3
# u-boot, the bootloader needs to contain the kernel and initrd, # u-boot, the bootloader needs to contain the kernel and initrd,
@ -666,35 +645,6 @@ case $SUBARCH in
;; ;;
esac esac
# LTSP chroot building (only in 32bit and for Edubuntu (DVD))
case $PROJECT in
edubuntu-dvd)
if [ "$ARCH" = i386 ]; then
echo "Building LTSP chroot"
ltsp-build-client --base $(pwd) --mirror $LB_PARENT_MIRROR_BOOTSTRAP --arch $ARCH --dist $LB_PARENT_DISTRIBUTION --chroot ltsp-live --late-packages ldm-edubuntu-theme,plymouth-theme-edubuntu --purge-chroot --skipimage
mkdir -p images
mksquashfs ltsp-live images/ltsp-live.img -e cdrom
rm -Rf ltsp-live
if [ -f images/ltsp-live.img ]; then
mv images/ltsp-live.img livecd.$PROJECT-ltsp.squashfs
chmod 0644 livecd.$PROJECT-ltsp.squashfs
rmdir --ignore-fail-on-non-empty images
else
echo "LTSP: Unable to build the chroot, see above for details."
fi
fi
;;
esac
if [ -f "config/magic-proxy.pid" ]; then
kill -TERM $(cat config/magic-proxy.pid)
rm -f config/magic-proxy.pid
# Remove previously-inserted iptables rule.
run_iptables -t nat -D OUTPUT -p tcp --dport 80 \
-m owner ! --uid-owner daemon -j REDIRECT --to 8080
fi
case $PROJECT in case $PROJECT in
ubuntu-cpc) ubuntu-cpc)
config/hooks.d/remove-implicit-artifacts config/hooks.d/remove-implicit-artifacts
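Review bot: The keyring install for the preinstalled pool, `cp config/gnupg/pubring.gpg chroot/etc/apt/keyrings/preinstalled-pool.gpg` in the `@ -434,13 +404,10 @@` hunk, assumes `chroot/etc/apt/keyrings` already exists and carries over whatever mode gpg gave `pubring.gpg` in its homedir; those files are commonly 0600, and apt warns and ignores a `Signed-By:` keyring that its unprivileged `_apt` user cannot read, so the pool's `Release.gpg` would then fail to verify both in the build-time `apt-get update` on the next line and on the installed system. Replacing the cp with `install -D -m 0644 config/gnupg/pubring.gpg chroot/etc/apt/keyrings/preinstalled-pool.gpg` creates the directory and pins a world-readable mode in one step, which is appropriate since the file holds only the public half of the signing key. Moving from `apt-key add` into the global `trusted.gpg` to a per-source `Signed-By:` is the right direction, as the throwaway build key now vouches only for the local pool rather than every configured archive, and that rationale is worth a one-line comment above the `cp`/`install` line. The surrounding `if` block this hunk belongs to opens before the hunk.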


@ -4,6 +4,8 @@
imagesize=${IMAGE_SIZE:-2361393152} imagesize=${IMAGE_SIZE:-2361393152}
fs_label="${FS_LABEL:-rootfs}" fs_label="${FS_LABEL:-rootfs}"
AUTOMATION_HEADER="# Automatically generated by installer build process"
rootfs_dev_mapper= rootfs_dev_mapper=
loop_device= loop_device=
loop_raw= loop_raw=
@ -45,7 +47,7 @@ create_manifest() {
if [ "$PROJECT" = ubuntu-cpc ]; then if [ "$PROJECT" = ubuntu-cpc ]; then
echo "create_manifest creating file listing." echo "create_manifest creating file listing."
local target_filelist=${2%.manifest}.filelist local target_filelist=${2%.manifest}.filelist
(cd "${chroot_root}" && find -xdev) > "${target_filelist}" (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
fi fi
echo "create_manifest finished" echo "create_manifest finished"
} }
@ -60,6 +62,7 @@ mount_image() {
trap clean_loops EXIT trap clean_loops EXIT
backing_img="$1" backing_img="$1"
local rootpart="$2" local rootpart="$2"
loop_device=$(losetup --show -f -P -v ${backing_img}) loop_device=$(losetup --show -f -P -v ${backing_img})
if [ ! -b ${loop_device} ]; then if [ ! -b ${loop_device} ]; then
@ -98,8 +101,19 @@ use_lp_archives_in_sourceslist(){
# recover_sourceslist # recover_sourceslist
mountpoint="${1}" mountpoint="${1}"
MOUNTPOINT_BACKUP_SOURCES_LIST="sources.list.tmp"
. config/bootstrap # For the LB_MIRROR_* variables . config/bootstrap # For the LB_MIRROR_* variables
if [ -e "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" ]; then
MOUNTPOINT_BACKUP_UBUNTU_SOURCES="ubuntu.sources.tmp"
cp -a "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES}"
sed -i "s#http://archive.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
"${mountpoint}/etc/apt/sources.list.d/ubuntu.sources"
sed -i "s#http://security.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
"${mountpoint}/etc/apt/sources.list.d/ubuntu.sources"
sha256sum "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources" > ubuntu.sources.sha
fi
if [ -e "${mountpoint}/etc/apt/sources.list" ]; then
MOUNTPOINT_BACKUP_SOURCES_LIST="sources.list.tmp"
cp -a "${mountpoint}/etc/apt/sources.list" "${MOUNTPOINT_BACKUP_SOURCES_LIST}" cp -a "${mountpoint}/etc/apt/sources.list" "${MOUNTPOINT_BACKUP_SOURCES_LIST}"
sed -i "s#http://archive.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \ sed -i "s#http://archive.ubuntu.com/ubuntu#${LB_PARENT_MIRROR_CHROOT}#g" \
"${mountpoint}/etc/apt/sources.list" "${mountpoint}/etc/apt/sources.list"
@ -107,6 +121,7 @@ use_lp_archives_in_sourceslist(){
"${mountpoint}/etc/apt/sources.list" "${mountpoint}/etc/apt/sources.list"
sha256sum "${mountpoint}/etc/apt/sources.list" > sources.list.sha sha256sum "${mountpoint}/etc/apt/sources.list" > sources.list.sha
fi
} }
recover_sourceslist(){ recover_sourceslist(){
@ -118,10 +133,18 @@ recover_sourceslist(){
# sources.list.sha # sources.list.sha
mountpoint="${1}" mountpoint="${1}"
if [ -e "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES:-/doesnotexist}" ]; then
sha256sum --check ubuntu.sources.sha
mv "${MOUNTPOINT_BACKUP_UBUNTU_SOURCES}" "${mountpoint}/etc/apt/sources.list.d/ubuntu.sources"
unset MOUNTPOINT_BACKUP_UBUNTU_SOURCES
fi
if [ -e "${MOUNTPOINT_BACKUP_SOURCES_LIST:-/doesnotexist}" ]; then
sha256sum --check sources.list.sha sha256sum --check sources.list.sha
mv "${MOUNTPOINT_BACKUP_SOURCES_LIST}" "${mountpoint}/etc/apt/sources.list" mv "${MOUNTPOINT_BACKUP_SOURCES_LIST}" "${mountpoint}/etc/apt/sources.list"
unset MOUNTPOINT_BACKUP_SOURCES_LIST unset MOUNTPOINT_BACKUP_SOURCES_LIST
fi
} }
setup_mountpoint() { setup_mountpoint() {
@ -132,7 +155,8 @@ setup_mountpoint() {
chown root:kmem /dev/mem chown root:kmem /dev/mem
fi fi
mount --rbind /dev "$mountpoint/dev" mount dev-live -t devtmpfs "$mountpoint/dev"
mount devpts-live -t devpts -o nodev,nosuid "$mountpoint/dev/pts"
mount proc-live -t proc "$mountpoint/proc" mount proc-live -t proc "$mountpoint/proc"
mount sysfs-live -t sysfs "$mountpoint/sys" mount sysfs-live -t sysfs "$mountpoint/sys"
mount securityfs -t securityfs "$mountpoint/sys/kernel/security" mount securityfs -t securityfs "$mountpoint/sys/kernel/security"
@ -209,18 +233,24 @@ get_lowerdirs_for_pass () {
mount_disk_image() { mount_disk_image() {
local disk_image=${1} local disk_image=${1}
local mountpoint=${2} local mountpoint=${2}
mount_image ${disk_image} 1 local rootpart=${3:-1}
mount_image ${disk_image} "${rootpart}"
mount_partition "${rootfs_dev_mapper}" $mountpoint mount_partition "${rootfs_dev_mapper}" $mountpoint
local uefi_dev="${loop_device}p15" local boot_dev="${loop_device}p16"
if flock -x ${loop_device} \ if flock -x ${loop_device} \
[ -b ${uefi_dev} -a -e $mountpoint/boot/efi ]; then [ -b ${boot_dev} -a -e $mountpoint/boot ]; then
flock -x ${loop_device} mount "${uefi_dev}" $mountpoint/boot/efi flock -x ${loop_device} mount "${boot_dev}" $mountpoint/boot
fi fi
# Having one partition mounted should avoid udev-triggered partition # Having one partition mounted should avoid udev-triggered partition
# rescans on that device, so we no longer need to flock. # rescans on that device, so we no longer need to flock.
local uefi_dev="${loop_device}p15"
if [ -b ${uefi_dev} -a -e $mountpoint/boot/efi ]; then
mount "${uefi_dev}" $mountpoint/boot/efi
fi
# This is needed to allow for certain operations # This is needed to allow for certain operations
# such as updating grub and installing software # such as updating grub and installing software
cat > $mountpoint/usr/sbin/policy-rc.d << EOF cat > $mountpoint/usr/sbin/policy-rc.d << EOF
@ -375,7 +405,7 @@ create_derivative() {
convert_to_qcow2() { convert_to_qcow2() {
src="$1" src="$1"
destination="$2" destination="$2"
qemu-img convert -c -O qcow2 -o compat=0.10 "$src" "$destination" qemu-img convert -c -O qcow2 "$src" "$destination"
qemu-img info "$destination" qemu-img info "$destination"
} }
@ -717,6 +747,12 @@ snap_preseed() {
SNAP=${SNAP%=*} SNAP=${SNAP%=*}
# strip /classic confinement # strip /classic confinement
local SNAP_NAME=${SNAP%/*} local SNAP_NAME=${SNAP%/*}
# For snap preseed to work, we need to ensure that fuse3 is installed in the chroot.
# fuse3 is a recommends of snapd but if this is a minimized image then recommends are not installed
# and preseeding will fail.
chroot "${CHROOT_ROOT}" apt-get install --assume-yes --no-install-recommends fuse3
# Seed from the specified channel (e.g. core18 latest/stable) # Seed from the specified channel (e.g. core18 latest/stable)
# Or Channel endcoded in the snap name (e.g. lxd=4.0/stable/ubuntu-20.04) # Or Channel endcoded in the snap name (e.g. lxd=4.0/stable/ubuntu-20.04)
# Or Ubuntu policy default channel latest/stable/ubuntu-$(release_ver) # Or Ubuntu policy default channel latest/stable/ubuntu-$(release_ver)
@ -805,56 +841,6 @@ snap_validate_seed() {
} }
snap_from_seed() {
local base_seed=$1
local out=$2
local all_snaps
local seeds_expanded
seeds_expanded=$(inheritance ${base_seed})
for seed in ${seeds_expanded}; do
echo "snap: considering ${seed}"
file=config/germinate-output/${seed}.snaps
[ -e "${file}" ] || continue
# extract the first column (snap package name) from germinate's output
# translate the human-readable "foo (classic)" into a
# more machine readable "foo/classic"
seed_snaps=$(sed -rn '1,/-----/d;/-----/,$d; s/(.*) \|.*/\1/; s, \(classic\),/classic,; p' "${file}")
for snap in ${seed_snaps}; do
echo "snap: found ${snap}"
all_snaps="${all_snaps:+${all_snaps} }${snap}"
done
done
if [ -n "${all_snaps}" ]; then
echo "${all_snaps}" > $out
fi
}
seed_from_task ()
{
# Retrieve the name of the seed from a task name
local task=$1
local seed
local seedfile
local seedfiles
seedfile="$(grep -lE "^Task-Key: +${task}\$" config/germinate-output/*seedtext|head -1)"
if [ -n "$seedfile" ]; then
basename $seedfile .seedtext
return
fi
seedfiles="$(grep -lE "^Task-Per-Derivative: *1\$" config/germinate-output/*seedtext)"
if [ -n "$seedfiles" ]; then
for seed in $(echo $seedfiles | xargs basename -s .seedtext); do
if [ ${PROJECT}-${seed} = $task ]; then
echo ${seed}
return
fi
done
fi
}
list_packages_from_seed () { list_packages_from_seed () {
# Store all packages for a given seed, including its seed dependency # Store all packages for a given seed, including its seed dependency
# $1: Name of the seed to expand to a package list # $1: Name of the seed to expand to a package list
@ -906,48 +892,58 @@ configure_universe() {
# debian-installer's apt-setup: # debian-installer's apt-setup:
cat > chroot/etc/apt/sources.list << EOF cat > chroot/etc/apt/sources.list << EOF
# Ubuntu sources have moved to the /etc/apt/sources.list.d/ubuntu.sources
# file, which uses the deb822 format. Use deb822-formatted .sources files
# to manage package sources in the /etc/apt/sources.list.d/ directory.
# See the sources.list(5) manual page for details.
EOF
cat > chroot/etc/apt/sources.list.d/ubuntu.sources << EOF
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution. # newer versions of the distribution.
deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION main restricted
# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION main restricted
## Major bug fix updates produced after the final release of the ## Ubuntu distribution repository
##
## The following settings can be adjusted to configure which packages to use from Ubuntu.
## Mirror your choices (except for URIs and Suites) in the security section below to
## ensure timely security updates.
##
## Types: Append deb-src to enable the fetching of source package.
## URIs: A URL to the repository (you may add multiple URLs)
## Suites: The following additional suites can be configured
## <name>-updates - Major bug fix updates produced after the final release of the
## distribution. ## distribution.
deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates main restricted ## <name>-backports - software from this repository may not have been tested as
# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION universe
# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION universe
deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates universe
# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION multiverse
# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION multiverse
deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates multiverse
# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes ## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features. ## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review ## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team. ## or updates from the Ubuntu security team.
deb $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-backports main restricted universe multiverse ## Components: Aside from main, the following components can be added to the list
# deb-src $LB_PARENT_MIRROR_BINARY $LB_DISTRIBUTION-backports main restricted universe multiverse ## restricted - Software that may not be under a free license, or protected by patents.
## universe - Community maintained packages.
deb $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security main restricted ## Software from this repository is only maintained and supported by Canonical
# deb-src $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security main restricted ## for machines with Ubuntu Pro subscriptions. Without Ubuntu Pro, the Ubuntu
deb $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security universe ## community provides best-effort security maintenance.
# deb-src $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security universe ## multiverse - Community maintained of restricted. Software from this repository is
deb $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security multiverse ## ENTIRELY UNSUPPORTED by the Ubuntu team, and may not be under a free
# deb-src $LB_PARENT_MIRROR_BINARY_SECURITY $LB_DISTRIBUTION-security multiverse ## licence. Please satisfy yourself as to your rights to use the software.
## Also, please note that software in multiverse WILL NOT receive any
## review or updates from the Ubuntu security team.
##
## See the sources.list(5) manual page for further settings.
Types: deb
URIs: $LB_PARENT_MIRROR_BINARY
Suites: $LB_DISTRIBUTION $LB_DISTRIBUTION-updates $LB_DISTRIBUTION-backports
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
## Ubuntu security updates. Aside from URIs and Suites,
## this should mirror your choices in the previous section.
Types: deb
URIs: $LB_PARENT_MIRROR_BINARY_SECURITY
Suites: $LB_DISTRIBUTION-security
Components: main universe restricted multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF EOF
fi fi
@ -959,7 +955,6 @@ configure_oci() {
# at https://github.com/tianon/docker-brew-ubuntu-core/blob/master/update.sh # at https://github.com/tianon/docker-brew-ubuntu-core/blob/master/update.sh
local chroot=$1 local chroot=$1
local serial=$2
if [ ! -d "${chroot}" ]; then if [ ! -d "${chroot}" ]; then
echo "The chroot does not exist" echo "The chroot does not exist"
@ -974,13 +969,6 @@ configure_oci() {
Chroot ${chroot} "chmod +x /usr/sbin/policy-rc.d" Chroot ${chroot} "chmod +x /usr/sbin/policy-rc.d"
# Inject a build stamp into the image
mkdir -p ${chroot}/etc/cloud
cat > ${chroot}/etc/cloud/build.info << EOF
serial: $serial
EOF
# https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L54-L56 # https://github.com/docker/docker/blob/9a9fc01af8fb5d98b8eec0740716226fadb3735c/contrib/mkimage/debootstrap#L54-L56
Chroot ${chroot} "dpkg-divert --local --rename --add /sbin/initctl" Chroot ${chroot} "dpkg-divert --local --rename --add /sbin/initctl"
cp -a ${chroot}/usr/sbin/policy-rc.d ${chroot}/sbin/initctl cp -a ${chroot}/usr/sbin/policy-rc.d ${chroot}/sbin/initctl
@ -1022,7 +1010,10 @@ EOF
mkdir -p ${chroot}/run/systemd mkdir -p ${chroot}/run/systemd
echo 'docker' > ${chroot}/run/systemd/container echo 'docker' > ${chroot}/run/systemd/container
# Create Ubuntu user
Chroot ${chroot} useradd ubuntu -U -u 1000 --comment Ubuntu --groups adm,audio,cdrom,dialout,dip,floppy,plugdev,sudo,video --shell /bin/bash -m
rm -rf ${chroot}/var/cache/apt/*.bin rm -rf ${chroot}/var/cache/apt/*.bin
echo "==== Configuring OCI done ====" echo "==== Configuring OCI done ===="
} }
@ -1031,7 +1022,7 @@ configure_network_manager() {
# default. Installing NM on an existing system only manages wifi and wwan via # default. Installing NM on an existing system only manages wifi and wwan via
# /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf. When setting # /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf. When setting
# the global backend to NM, netplan overrides that file. # the global backend to NM, netplan overrides that file.
if [ -e chroot/usr/sbin/NetworkManager -a ! -f chroot/etc/netplan/01-network-manager-all.yaml ]; then if [ -e chroot/usr/sbin/NetworkManager -a ! -f chroot/etc/netplan/01-network-manager-all.yaml -a "$SUBPROJECT" != "desktop-preinstalled" ]; then
echo "===== Enabling all devices in NetworkManager ====" echo "===== Enabling all devices in NetworkManager ===="
mkdir -p chroot/etc/netplan mkdir -p chroot/etc/netplan
cat <<EOF > chroot/etc/netplan/01-network-manager-all.yaml cat <<EOF > chroot/etc/netplan/01-network-manager-all.yaml
@ -1040,6 +1031,74 @@ network:
version: 2 version: 2
renderer: NetworkManager renderer: NetworkManager
EOF EOF
# Do not limit cloud-init renderers to network-manager as suggested
# in LP: #1982855 because subiquity needs to render full networking
# in ephemeral boot time when autoinstall.network is provided.
# Neither subiquity nor netplan is aware of /etc/NetworkManager config
# artifacts emmitted by cloud-init. It's best if cloud-init reports
# network config directly to /etc/netplan with the configured netplan
# backend: NetworkManager per 01-network-manager-all.yaml above.
# cloud-init's default renderer discovery will prefer netplan.
# Any time subiquity needs to write and apply network config
# it disables all previous network config in /etc/netplan so
# any previous 50-cloud-init.yaml will be rendered inert.
# Position cloud-init.service After=NetworkManager.service.
# (LP: #2008952).
# We override the entire cloud-init.service definition because
# systemd drop-in files only allow adding Before/After constraints
# yet we are dropping the Before=sysinit.target from the upstream
# cloud-init.service.
# This override can be dropped when NetworkManager.service can run
# Before=sysinit.target when it drops strict dbus.service dependency.
cat <<EOF > chroot/lib/systemd/system/cloud-init.service
${AUTOMATION_HEADER}
# Based on cloud-init 23.1 for Desktop LiveCD
[Unit]
Description=Initial cloud-init job (metadata service crawler)
DefaultDependencies=no
Wants=cloud-init-local.service
Wants=sshd-keygen.service
Wants=sshd.service
After=cloud-init-local.service
After=systemd-networkd-wait-online.service
# Installer Added After=NetworkManager* ordering
After=NetworkManager.service
After=NetworkManager-wait-online.service
After=networking.service
Before=network-online.target
Before=sshd-keygen.service
Before=sshd.service
# Before=sysinit.target Installer removed to allow for NM dependency
Before=shutdown.target
Conflicts=shutdown.target
Before=systemd-user-sessions.service
[Service]
Type=oneshot
ExecStart=/usr/bin/cloud-init init
RemainAfterExit=yes
TimeoutSec=0
# Output needs to appear in instance console output
StandardOutput=journal+console
[Install]
WantedBy=cloud-init.target
EOF
# Allow cloud-init clean to inform of strict network-manager config
mkdir -p chroot/etc/cloud/clean.d
cat <<EOF > chroot/etc/cloud/clean.d/99-installer-use-networkmanager
#!/bin/sh
# Inform clone image creators about strict network-manager cfg for cloud-init
if [ -f /etc/cloud/cloud.cfg.d/99-installer-use-networkmanager.cfg ]; then
echo "WARNING: cloud-init network config is limited to using network-manager."
echo "If this is undesirable: rm /etc/cloud/cloud.cfg.d/99-installer-use-networkmanager.cfg"
fi
EOF
chmod +x chroot/etc/cloud/clean.d/99-installer-use-networkmanager
else else
echo "==== NetworkManager not installed ====" echo "==== NetworkManager not installed ===="
fi fi
@ -1125,7 +1184,7 @@ END
} }
setup_cinocloud() { setup_cinocloud() {
if [ "${IMAGE_HAS_HARDCODED_PASSWORD:-}" != "1" ] || [ "${IMAGE_TARGETS:-}" != "disk1-img-xz" ]; then if [ "${IMAGE_HAS_HARDCODED_PASSWORD:-}" != "1" ] || ( [ "${IMAGE_TARGETS:-}" != "disk1-img-xz" ] && [ "${IMAGE_TARGETS:-}" != "disk-image-non-cloud" ] ); then
echo "unexpected attempt to add a hardcoded password to an image" echo "unexpected attempt to add a hardcoded password to an image"
exit 1 exit 1
fi fi
@ -1223,3 +1282,15 @@ EOF
undivert_grub "${mountpoint}" undivert_grub "${mountpoint}"
fi fi
} }
# find all files under /var/lib/snapd in the target directory that aren't
# shipped by the snapd package itself, and remove them
reset_snapd_state() {
rootdir="$1"
/usr/lib/snapd/snap-preseed --reset $(realpath "$rootdir") || true
rm -rf "$rootdir/var/lib/snapd"
setup_mountpoint "$rootdir"
chroot "$rootdir" apt-get install --reinstall -y snapd
teardown_mountpoint "$rootdir"
}
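Review bot: The `rm -rf "$rootdir/var/lib/snapd"` in the new reset_snapd_state() has no guard against an empty or unset `$1`, so a caller that passes nothing would delete the build host's own /var/lib/snapd rather than the target's; `rootdir` is also not declared `local`, so it clobbers any same-named variable in the sourcing script. Assign it as `local rootdir="${1:?reset_snapd_state: rootdir required}"` and make the destructive step `rm -rf -- "${rootdir:?}/var/lib/snapd"` so both the function entry and the rm itself abort on an empty path. The `$(realpath "$rootdir")` passed to snap-preseed is unquoted and will word-split on a path containing whitespace; write it as `"$(realpath "$rootdir")"`. The `|| true` on `snap-preseed --reset` makes that step best-effort, which is presumably intended for targets without preseeded snaps, but a one-line comment saying so would keep the next reader from treating it as an accidental error swallow.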
