The windows launcher is going to be retired.
We need to move those functionalities to rootfs build side: (LP: #2080223)
- enable systemd by default
- ship up to 3 rootfs tarballs, differentiating by the upgrade policy
patch create_manifest to produce an sbom when called by an ubuntu-cpc
project. Patch all the ubuntu-cpc hooks and series files to include the
newly generated manifests, filelists, and sboms. Generates a number of
new artifacts in the builds. the snap utilized, cpc-sbom, is an open
source repo and a provided via a hidden snap. there is no intention of
publisizing the snap or how we generate sboms, however partners require
the ability to audit if required.
defensively checks if the snap is already installed, in the case of
multiple hooks being called in a single build (thus sharing a build
host), and only if called in an ubuntu-cpc project.
(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
ssh-import-id is part of the server-minimal task, which means it and
openssh-server are always installed by Subiquity regardless of user
choice. Since we can't update the Task headers post release,
ensure that openssh-server, openssh-sftp-server, and ssh-import-id
are not included in the minimal and full layers by purging them
in a dedicated hook.
Failing CPC tests show that the preseeded apparmor features don't
include policy:unconfined_restrictions for the 6.5 kernel. This change
adds the feature preseed.
Fixes LP: #2062929
Altering a file maintained by a package can lead to unexpected behaviou expecially in
this case where packages are being removed and added.
Instead use `dpkg-divert` to allow us to mock `lxd` to `true` to allow `unminimize` to work
without error and to avoid installing of the `lxd` snap.
`--force` implies that we wish not to fail `rm` even if the file is not present.
This was not our intention and as such can be removed.
Also use short option `-v` for verbose output as per the test of the code base.
The unminimize script will try to install the lxd snap using the shim script
`/usr/sbin/lxd` from the lxd-installer package.
Previously `unminimize` was using `snap`
to install `lxd` directly which was being diverted by diverting the `snap` command.
This is no longer the case so we can remove `/usr/sbin/lxd` from the lxd-installer package
if it exists and then redirect any calls to `/usr/sbin/lxd` to `/bin/true`.
Commit 3b2eeb0171 wrongly backported a change to not modify
/etc/ssh/sshd_config . The correct fix from ubuntu/master is
3b2eeb0171 where the file is named 60-cloudimg-settings.conf
instead of 10-cloudimg-settings.conf.
This fixes problems with cloud-init which does write
50-cloud-init.conf which should have higher priority than the provided
file from the image.
By invoking LXD, lxd-installer will install LXD from the right
place, thereby make it simpler for us to not hardcode the
channel and manually snap install it.
(cherry picked from commit 795927c48c)
ppc64el still uses /boot/vmlinux so we need to determine the boot file name as non ppc64el use /boot/vmlinuz. This
is then used to determine the kernel major minor version installed so that the correct apparmor features can be used
during snap preseeding. This preseeding was failing for ppc64el for the mantic 6.5 kernel as the /boot/vmlinuz
being checked did not exist.
(cherry picked from commit 089646a32f927f32e9e8961e231391f0bcb6f66b)
# Conflicts:
# debian/changelog
# live-build/functions
lp: #2037567. starting in kernel 6.5.0.1006, there's been an update to
apparmor features. Creates the 6.5 kernel directory, fully populates
with feats checked from a machine running 6.5.0.1006 installed from
proposed (as of 20230927).
(cherry picked from commit 5427e5ad6c)
In the past, we'd directly snap install lxd which defaults to
the latest/stable channel. However, whilst working on enhancing
unminimize, it was observed that we install this snap from
the stable/ubuntu-<version> channel instead.
This was also noted as a failure when running the CTF tests:
`lxd installed from latest/stable, not stable/ubuntu-23.10`
(cherry picked from commit 12a2109c22)
Prior to dpkg/1.21.0, there was a bug where dpkg -V/--verify
couldn't list all the correct packages correctly but with
that being fix and in archive since Jammy, this works perfectly
but the syntax to report the missing files have changed. It
just prints 'missing' now. With that new format, we can now
fix the regex to simply list the packages.
With this patch, the unminimize script works flawlessly
on a minimized image.
(cherry picked from commit 78a98c6835)
Modifying directly /etc/ssh/sshd_config creates "problems" when
upgrading eg. from Focal to Jammy because the upgrade will ask the
user what to do with the modified config. To avoid that, put the
custom configuration into /etc/ssh/sshd_config.d/ so the upgrade of
openssh-server can just replace /etc/ssh/sshd_config without asking
the user.
(cherry picked from commit b54d24ff33)
LP: #2034253 Grub is found to use lsb_release or default to Debian.
buildd does not have lsb_release, so Debian was the GRUB_DISTRIBUTION.
that ends up with issues with the EFI path
LP: 2031943
Same issue as affected 5.19. 6.2 apparmor featureset differs from 5.15.
Identified the same feature as 5.19, so copied over.
populated 6.2 with all of generic directory as well. Compatibility mode for
possible future change
During Realtime kernel image build, there was an error during
validating snap seed which derivative images copied 5.19
apparmor feature and can't validate when Realtime kernel (5.15)
installed [0].
To prevent this, bind correct apparmor feature with kernel
version.
[0] https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2024639
This now matches the cloud images (7c760864fd)
fixing bootloader updates in the buildd images, but also fixing
compatibility with using devtmpfs for losetup.
live-build/auto/config:
- for Ubuntu Server live images and the arm64+tegra full arch, build a
tegra variant with linux-nvidia-tegra as the flavor and
linux-nvidia-tegra as the kernel meta-package
- default to nvidia-$SUBARCH as the kernel flavor and enable all
components for all images using arm64+tegra as full arch
hooks/03-kernel-metapkg.chroot_early:
- use linux-nvidia-tegra as kernel meta-package for the nvidia-tegra
flavor
the 5.19 kernel added ipc posix_mqueue apparmor features. the generic
set of apparmor features for the 5.15 LTS jammy kernel does not have
this feature. Along with the commit "support kernel with different
apparmor feats", this ensures that the HWE kernel for 5.19 has a
matching set.
note that on the next HWE roll, another directory will need to be added.
For each new HWE kernel roll, checking capabilities, creating the
directory, and adding the correct features will be required.
Jammy HWE is rolling to 5.19. the 5.19 kernel introduced more apparmor
features, specifically ipc. due to the roll, we now must support builds
with 2 different feature sets.
This specifically affects snap-preseeding, where if a snap_preseed is
run with a mismatched apparmor feature set, snap will require a restart
to match the running kernel's feature set. in the clouds, this can add
somehwere between 5-10s (as of checks on 20230404). This is a large boot
time performance hit.
Implementation is done at the `snap_validate_seed` function level. This
function is called in snap scenarios. It checks for an installed kernel
in the chroot, gets the major.min version, and checks for
apparmor/$KERN. If found, it will do a copy of the directory, providing
a naive override mechanism.
For CPC builds, we are adding a call to `snap_validate_seed` at the end
of affected hooks as well. This is a safe procedure to call, as it
reruns the snap_preseed for all snaps. By running at the end of build
processes, it ensures that any kernel changes done during the build are
taken into account.
Loïc Minier
Cody Shepherd
Jess Jang
Michael Hudson-Doyle
Didier Roche
Łukasz 'sil2100' Zemczak
John Chittum
Utkarsh Gupta
Chris Peterson
Ankush Pathak
Simon Poirier
Philip Roche
Thomas Bechtold
Steve Langasek
Brian Murray
Utkarsh Gupta