In the ubuntu-cpc disk-image binary we need to avail of the ever increasing size
of packages. 2.2GB is now just a bit too small leading to `No space
left on device` errors when the binary hits `grub-install`. This commit
increases $imagesize to 2.5GB (in the binary as an override initially
implemented in ecaaf0484).
This commit also runs `df` just after the grub-pc && grub2-common
installs to make for easier debugging in the future.
Refs: LP: #2115811
netplan apply warns about any /etc/netplan/*.yaml file permissions which
are globally readable. Set permissions 600 for
/etc/netplan/01-network-manager.yaml in target chroot.
LP: #2119020
* Fix daily-dangerous builds:
- Copy hooks.
- Mangle the channel of seeded snaps to use the edge risk of whichever
track they are taken from.
- Update the dangerous model to reference tracks that actually exist.
- Include providers of content plugs when seeding snaps and creating
TPMFDE system.
- Do not attempt to build an UEFI boot image or hyperv desktop image for
this project/subproject combination.
We need edge on the live session too so that subiquity knows about
latest and greatest on TPM FDE support. We will revert that once snapd
is released to the stable channel.
patch create_manifest to produce an sbom when called by an ubuntu-cpc
project. Patch all the ubuntu-cpc hooks and series files to include the
newly generated manifests, filelists, and sboms. Generates a number of
new artifacts in the builds. the snap utilized, cpc-sbom, is an open
source repo and a provided via a hidden snap. there is no intention of
publisizing the snap or how we generate sboms, however partners require
the ability to audit if required.
defensively checks if the snap is already installed, in the case of
multiple hooks being called in a single build (thus sharing a build
host), and only if called in an ubuntu-cpc project.
(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
In cloud-init version 24.3, single process mode where a shared python
systemd service cloud-init-main. In that release, cloud-init.service was
renamed cloud-init-network.service to better clarify cloud-init's
systemd unit names relative to the cloud-init boot stages.
This rename only applies to Oracular and newer releases.
See: https://discourse.ubuntu.com/t/announcement-cloud-init-perfomance-optimization-single-process/47505
functions drops in a complete override for cloud-init.service. That
override in /etc/systemd/system needs to be renamed and refreshed to
latest single process configuration.
LP: #2081325
Support some systems which don't handle partition numbers
higher than 15. (LP: #2072929)
Partition 16 was added for /boot to enable cloud FDE (commit a8b2a9b01)
System override drop-ins cannot redact dependencies (Before or After) and
thus require a full unit override. Avoid writing the unit file delivered
by cloud-init deb package in /lib/systemd/system/cloud-init.service because
it will generate warnings fron debsums -c about modified files.
The correct place to provide a full unit override is in
/etc/systemd/system/cloud-init.service in order to drop
Before=sysinit.target from the packaged cloud-init.service file.
Note vigilance will be needed across cloud-init SRU boundaries to ensure
we sync any cloud-init.service unit changes that are introduced to
stable releases because livecd-rootfs is overriding the whole file.
LP: #2069391
This has become moot now that the code block has been
moved out from live-build/functions to live-build/auto/build
so passing the argument is not needed anymore.
Presence of this field helps in determining if the image is an
unminimized image, which then can be leveraged in the unminimize
script to easily determine the image type.
Template is based on the specification with some rewording for
Ubuntu Pro as agreed.
v2:
- Enabled backports by default (I did not see that!)
- Enabled restricted, multiverse security updates
- Replaced tweaked with adjusted
v3:
- Insert an explanatory sources.list
LP: #2048129
mount_disk_image function expects root partition to be at number 1. But
some images require the root partition to be at other some other number.
For example, EKS Anywhere images for bare metal are used with Tinkerbell
deployment with a default configuration that expects the root device to
be found at /dev/sda2. The knowledge of the root device path is needed
to modify certain files in the root filesystem (e.g. cloud-init configs)
for the machine to join Kubernetes cluster control plane.
The partition number can be changed in the hook by "sgidsk --transpose".
Allow the hook to use mount_disk_image with custom root partition number
by making it an optional third parameter that defaults to 1.
ppc64el still uses /boot/vmlinux so we need to determine the boot file name as non ppc64el use /boot/vmlinuz. This
is then used to determine the kernel major minor version installed so that the correct apparmor features can be used
during snap preseeding. This preseeding was failing for ppc64el for the mantic 6.5 kernel as the /boot/vmlinuz
being checked did not exist.
Fix use of variable declared in conditional branch and used in parent
scope in snap_validate_seed. This would affect binary for images without
kernel and using "set -u". (LP: #2037338)
The image filelists created during ubuntu-cpc project image builds were not sorted.
Soring the filelists makes it easier to compare the filelists without needing to sort first.
fuse3 was previously installed through recommends but with minimized images we no longer install recommends packages.
It is only required when preseeding snaps so does not need to be present in all minimized images so does not
need to be in the cloud-minimal seed.
During Realtime kernel image build, there was an error during
validating snap seed which derivative images copied 5.19
apparmor feature and can't validate when Realtime kernel (5.15)
installed [0].
To prevent this, bind correct apparmor feature with kernel
version.
[0] https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2024639
(cherry picked from commit 6b54faa6be6286017eb2dc701534cf780ae462ce)
Revert this change for now as /boot then becomes a FAT partition which
breaks DPKG requirements[1]. This change is going to be re-evaluated and
maybe introduced in a different way.
This is not a clean revert because of 3282efb ("ubuntu-cpc: cleanup
disk-images-uefi.binary") which we want to keep.
[1] https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_What_are_the_filesystem_requirements_by_dpkg.3F
This reverts commit 6a66666e0a5ab1ad96cb0e388f278aafbd012ffe.
Canonical Public Cloud's project seems a bad place to build images for
hardware devices however this is how things were done a we now need to
maintain this.
The recent change to mount the ESP on /boot breaks those images, instead
of adding more hacky things in the hook, create a dedicated target for
those images and use a different hook to build UEFI images.
This is driven by online encryption scenarios. In order to efficiently
encrypt the root filesystem without modifying the partition layout, the
kernel should sit in an un-encrypted /boot partition. Instead of
creating a new partition that would change the default partition layout,
we mount the ESP on /boot. We also need to then bind mount /boot on
/boot/efi because that's where Grub expects the ESP to be located.
