patch create_manifest to produce an sbom when called by an ubuntu-cpc
project. Patch all the ubuntu-cpc hooks and series files to include the
newly generated manifests, filelists, and sboms. Generates a number of
new artifacts in the builds. the snap utilized, cpc-sbom, is an open
source repo and a provided via a hidden snap. there is no intention of
publisizing the snap or how we generate sboms, however partners require
the ability to audit if required.
defensively checks if the snap is already installed, in the case of
multiple hooks being called in a single build (thus sharing a build
host), and only if called in an ubuntu-cpc project.
(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
ssh-import-id is part of the server-minimal task, which means it and
openssh-server are always installed by Subiquity regardless of user
choice. Since we can't update the Task headers post release,
ensure that openssh-server, openssh-sftp-server, and ssh-import-id
are not included in the minimal and full layers by purging them
in a dedicated hook.
Failing CPC tests show that the preseeded apparmor features don't
include policy:unconfined_restrictions for the 6.5 kernel. This change
adds the feature preseed.
Fixes LP: #2062929
fix: Fix calls to `unminimize` if lxd-installer package not present (LP: #2049723)
The unminimize script will try to install the lxd snap using the shim script
`/usr/sbin/lxd` from the lxd-installer package.
Previously `unminimize` was using `snap`
to install `lxd` directly which was being diverted by diverting the `snap` command.
This is no longer the case so we can remove `/usr/sbin/lxd` from the lxd-installer package
if it exists and then redirect any calls to `/usr/sbin/lxd` to `/bin/true`
MP: https://code.launchpad.net/~philroche/livecd-rootfs/+git/livecd-rootfs/+merge/458910
Altering a file maintained by a package can lead to unexpected behaviou expecially in
this case where packages are being removed and added.
Instead use `dpkg-divert` to allow us to mock `lxd` to `true` to allow `unminimize` to work
without error and to avoid installing of the `lxd` snap.
`--force` implies that we wish not to fail `rm` even if the file is not present.
This was not our intention and as such can be removed.
Also use short option `-v` for verbose output as per the test of the code base.
The unminimize script will try to install the lxd snap using the shim script
`/usr/sbin/lxd` from the lxd-installer package.
Previously `unminimize` was using `snap`
to install `lxd` directly which was being diverted by diverting the `snap` command.
This is no longer the case so we can remove `/usr/sbin/lxd` from the lxd-installer package
if it exists and then redirect any calls to `/usr/sbin/lxd` to `/bin/true`.
Commit 3b2eeb017153cbb wrongly backported a change to not modify
/etc/ssh/sshd_config . The correct fix from ubuntu/master is
3b2eeb017153c where the file is named 60-cloudimg-settings.conf
instead of 10-cloudimg-settings.conf.
This fixes problems with cloud-init which does write
50-cloud-init.conf which should have higher priority than the provided
file from the image.
By invoking LXD, lxd-installer will install LXD from the right
place, thereby make it simpler for us to not hardcode the
channel and manually snap install it.
(cherry picked from commit 795927c48cf2e763e8f222e8c27c63e71d966a5f)
