From b94a944e80d5b1fd3eb43dab133fd5f8fec89960 Mon Sep 17 00:00:00 2001 From: Chris Peterson Date: Tue, 30 Jul 2024 09:20:53 -0700 Subject: [PATCH] ubuntu-server: remove openssh-server (LP: #1974483) ssh-import-id is part of the server-minimal task, which means it and openssh-server are always installed by Subiquity regardless of user choice. Since we can't update the Task headers post release, ensure that openssh-server, openssh-sftp-server, and ssh-import-id are not included in the minimal and full layers by purging them in a dedicated hook. --- .../hooks/05-remove-openssh-server.chroot | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100755 live-build/ubuntu-server/hooks/05-remove-openssh-server.chroot diff --git a/live-build/ubuntu-server/hooks/05-remove-openssh-server.chroot b/live-build/ubuntu-server/hooks/05-remove-openssh-server.chroot new file mode 100755 index 00000000..b66432b6 --- /dev/null +++ b/live-build/ubuntu-server/hooks/05-remove-openssh-server.chroot @@ -0,0 +1,30 @@ +#!/bin/bash -ex + +# LP: #1974483 +# We want to make sure that openssh-server is not installed by default. +# Due to ssh-import-id being part of the server-minimal task, and the fact +# task headers can't be updated post-release, we need to do clean-up +# of the layers to ensure openssh-server is not part of a layer that curtin +# will copy to the target. +# +# In practice this means ubuntu-server-minimal (minimal) and +# ubuntu-server-minimal.ubuntu-server (full) need to be cleaned up. +# ubuntu-server-minimal.ubuntu-server.installer (live) _needs_ these +# packages so Subiquity can utilize them, so don't modify that layer. + +case ${PASS} in + ubuntu-server-minimal) + ;; + ubuntu-server-minimal.ubuntu-server) + ;; + *) + exit 0 + ;; +esac + + +# Remove openssh-server packages and ssh-import-id +apt-get remove --purge --yes openssh-server openssh-sftp-server ssh-import-id +# Chroot hooks are run after autoremove step, re-run autoremove to get rid +# of openssh-server dependencies +apt-get autoremove --purge --yes