2238 Commits

Author SHA1 Message Date
Dan Bungert
83022a6ebe desktop: add notes about generation of a signed model 2025-05-22 10:29:05 -06:00
Dan Bungert
237595f90a desktop: no longer skip 020-ubuntu-enhanced-sb.binary 2025-05-14 16:14:28 +02:00
Dan Bungert
f472f1e437 desktop: update TPMFDE model for questing 2025-05-14 16:14:28 +02:00
Dan Bungert
5dc5cd082a desktop: skip 020-ubuntu-enhanced-sb.binary 2025-05-05 15:06:53 +02:00
Dan Bungert
8c4996cce7 server: provide network config direct to netplan 2025-04-28 09:26:35 -06:00
Dan Bungert
5f5a686760 desktop: no longer involve cloud-init in early networking
LP: #2107225
2025-04-23 16:23:19 -06:00
Tomáš Virtus
60641d7411
ubuntu-cpc: Restore UseDomains=true
Also see https://bugs.launchpad.net/cloud-images/+bug/2106729.

Since Oracular[1]:

    Ubuntu’s systemd-networkd no longer sets UseDomains=true for managed
    network interfaces. In effect, this means that search domains
    configured in DHCP leases will not be reflected in /etc/resolv.conf
    by default. This change aligns Ubuntu’s default behavior with that
    of upstream. System administrators may choose to override this
    default on a global, or per-interface basis. See systemd.network 4
    for details.

The default in systemd is UseDomains=false. From systemd.network(5)[2]:

    DHCP=

        Furthermore, note that by default the domain name specified
        through DHCP is not used for name resolution. See option
        UseDomains= below.

    UseDomains=

        It is recommended to enable this option only on trusted
        networks, as setting this affects resolution of all hostnames,
        in particular of single-label names. It is generally safer to
        use the supplied domain only as routing domain, rather than as
        search domain, in order to not have it affect local resolution
        of single-label names.

It has been reported to us by a few clouds that this breaks local name
resolution. For instance, in Google Cloud Compute, users can no longer
reach instances in the same zone[3] nor Google Cloud services[4] by
their names.

Arguably, the security concerns for having this option disabled are not
valid in cloud environments. As one of our partners said:

    IIUC, the motivation to disable UseDomains by default is that a
    laptop might be used on an untrusted network where the domains
    provided by DHCP can be a security issue, directing users to places
    they don't intend.

    But it's not possible for a cloud instance to be connected to an
    untrusted network (barring a breached account).

    The way I'm looking at this is that DHCP option 119 exists for the
    express purpose of allowing a network administrator to configure the
    DNS search path for computers on that network. I understand there's
    a security concern if that network isn't a datacenter. But in the
    cloud there's no concern (in some clouds, it's not even possible for
    DHCP response packets to come from anywhere but the cloud's own
    DHCP).

We should restore this setting in cloud images.

[1] https://discourse.ubuntu.com/t/oracular-oriole-release-notes/44878
[2] https://manpages.ubuntu.com/manpages/plucky/en/man5/systemd.network.5.html
[3] https://cloud.google.com/compute/docs/internal-dns
[4] https://cloud.google.com/compute/docs/metadata/overview
2025-04-10 17:25:16 +02:00
Dave Jones
8add8daa49
ubuntu-image: Avoid filling tmpfs-based /tmp 2025-03-20 17:22:32 +00:00
Dan Bungert
c1d898ed2c desktop: update tpmfde model for pc-kernel channel
* Updated model to move pc-kernel to channel 25.04/stable
* Move model from heredoc to a file
2025-03-13 11:03:10 -06:00
Jess Jang
fa00c36419 feat: Add 6.14 kernel apparmor features' preseeds 2025-03-12 21:05:01 -05:00
Dan Bungert
20590f0dbf ubuntu-desktop: update model for 25.04 and components
This model intentionally uses pc-kernel from a branch, for components
testing purposes.  We'll have to update this again before release when
the desired pc-kernel is on a stable channel.
2025-03-11 09:14:18 -06:00
Dan Bungert
b79160bf08 server: delete the initrd but not initrd.img symlink
The initrd is recreated later.  Leave the symlink.
2025-03-10 16:27:45 -06:00
Dan Bungert
d2050181d4 subiquity: easier bridge kernel setup
For subiquity installs, make it easier to enable bridge kernel, just a
boolean to set true/false.  Don't enable yet though.
2025-03-04 15:50:15 -07:00
Michael Hudson-Doyle
e814e02bf4
* Again in ubuntu-server builds, configure LAYERFS_PATH in the kernel layer
  and ensure the initrd is freshly regenerated in that layer. LAYERFS_PATH
  was being set to the layer below the kernel layer, which meant that the
  live session did not get access to all the modules in the case that the
  kernel had not been installed in the base layer, which in turn means that
  installs fail. (LP: #2100148)
* While we're at it, delete any initrd from any other layer than a kernel
  layer, as they just waste space on the ISO.
2025-02-27 20:32:56 +13:00
Michael Hudson-Doyle
ff331b2d94 In ubuntu-server builds, install the first kernel in the base layer, not the "ga" kernel (which may not be installed at all, as is the case in e.g. the arm64+largemem builds). 2025-02-27 20:31:38 +13:00
Adriano Cordova
949f980646 riscv: add SUBARCH 'jh7110'
Add SUBARCH 'jh7110' for jh7110-based boards.
2025-02-25 15:28:36 -03:00
John Chittum
e85f367421
feat(ubuntu-cpc): sbom generation everywhere
Patch create_manifest to produce an sbom when called by an ubuntu-cpc
project. Patch all the ubuntu-cpc hooks and series files to include the
newly generated manifests, filelists, and sboms. Generates a number of
new artifacts in the builds. The snap utilized, cpc-sbom, is an open
source repo and is provided via a hidden snap. There is no intention of
publicizing the snap or how we generate sboms; however, partners require
the ability to audit if required.

Defensively checks if the snap is already installed, in the case of
multiple hooks being called in a single build (thus sharing a build
host), and only if called in an ubuntu-cpc project.

(cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
2025-02-25 13:18:55 +01:00
Simon Poirier
7f5b9374b2 fix: increase ppc64el disk size to 2.4GiB
ppc64el was and still is a bit low compared to other ubuntu-cpc archs
and started running out of space.
2025-02-19 16:12:28 -05:00
Simon Quigley
00b7f2dc35 Correct back to sh from previous commit for now 2025-02-19 02:18:53 -06:00
Simon Quigley
818af83d4d Add support for multiple pools (/var/lib/{livefs,preinstalled}-pool/). 2025-02-19 02:15:04 -06:00
Simon Quigley
784c7d3060 Make the package completely Lintian-clean except for no-dep5-copyright. 2025-02-18 22:53:52 -06:00
Simon Quigley
29ee4398e8 Move from http://ppa.launchpad.net to https://ppa.launchpadcontent.net when specifying EXTRA_PPAS. 2025-02-18 22:22:10 -06:00
Michael Hudson-Doyle
5fb3d42d36 Pre-emptively include the override to not try to build HWE kernel layer in post .2 server riscv64 ISOs. 2025-02-17 11:17:35 +13:00
Michael Hudson-Doyle
99f61b2ad7 live-build/ubuntu-mini-iso/hooks/01-mini-iso.chroot_early: Fix paths that should have been adjusted when code moved from binary to chroot hook. 2025-02-14 11:02:21 +13:00
Michael Hudson-Doyle
11f1a1dc84 live-build/ubuntu-mini-iso/hooks/01-mini-iso.binary: Drop the assumption that the uncompressed part of the initrd is unpacked to a directory called "main". 2025-02-14 11:01:45 +13:00
Dan Bungert
bf17ce99e1 build: fix FLAVOUR set for lowlatency
similar to: 06fd5dacc34d018142e8fa713b6eba6011ababfc
(cherry picked from commit 2a9992ad7d538567a6449059d998bfc8c6d3103f)
2025-02-13 13:00:16 -07:00
Simon Poirier
1ee581ca0c fix(buildd): add udev to buildd images. (LP: #2092196)
From 24.10 onward, networkd relies on udev for interface setup. This addresses
forever-pending interfaces in networkd on buildd lxd images.
2025-02-13 13:42:50 -05:00
Thomas Bechtold
5c61d04183
Add 6.12 kernel apparmor features preseeds
Plucky is currently on kernel 6.12, so preseeding fails with an apparmor
feature mismatch given that the live-build/apparmor/generic tree is
used. Adding a 6.12 tree (which is identical to the 6.11 tree)
solves this.
2025-02-13 12:12:35 +01:00
Dan Bungert
e3355e29d8 ubuntu-server: default-layer.conf in casper pass
default-layer.conf needs to be done in the casperization pass or we
don't get that file.
2025-02-11 08:30:38 -07:00
Chris Peterson
03f95a7c04 ubuntu-core-installer: update install-sources.yaml with kernel 2025-02-05 13:58:18 -08:00
Chris Peterson
86506c838d write_kernel_yaml: quote the default argument 2025-02-05 13:58:10 -08:00
Michael Hudson-Doyle
e7153d9d3d Similar changes for ubuntu-mini-iso build. 2025-02-05 11:24:25 +13:00
Michael Hudson-Doyle
8d7efb4d15 Move configuration of casper in ubuntu-server:live builds to a "chroot early" hook for the installer layer and remove the now unnecessary update-initramfs from the binary hook that breaks because mkinitramfs now requires that /sys is mounted. (LP: #2097280) 2025-02-05 11:23:58 +13:00
Michael Hudson-Doyle
bdd7d035e2 Stop producing a rootfs tarball for the ubuntu-mini-iso builds. 2025-02-05 11:20:18 +13:00
Michael Hudson-Doyle
c17a99bc1f Allow snapd to re-exec in installer environment (the issues between snapd, overlayfs and apparmor that meant re-execing caused problems were fixed in snapd a long time ago). 2025-01-29 06:39:25 +13:00
Heinrich Schuchardt
0c5b7dfd0c riscv: correct installation path of dtbs
U-Boot with distroboot has:

efi_dtb_prefixes=/ /dtb/ /dtb/current/

So we should install the device-trees into dtb/ and not dtbs/ on the EFI
system partition.

Fixes: 365435ad2dbe ("riscv: copy device trees to the ESP")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2025-01-27 13:49:26 +01:00
Adriano Cordova
365435ad2d riscv: copy device trees to the ESP
Commit f9c5020200ce ("riscv: directly copy device trees to /boot/dtbs")
incorrectly copied device trees into /boot/dtbs/$kvers instead of /boot/efi/dtbs,
inside the ESP and where U-Boot expects them. This commit fixes this path.

Fixes: f9c5020200ce ("riscv: directly copy device trees to /boot/dtbs")
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
2025-01-24 11:16:32 +13:00
Didier Roche
420545f892
Update reference to wsl-setup now in /usr/lib/wsl/
Microsoft expects this binary to be under that path.
2025-01-22 10:22:18 +01:00
Adriano Cordova
f9c5020200 riscv: directly copy device trees to /boot/dtbs
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
2024-12-20 08:55:21 -03:00
Didier Roche
8a0f0357b5
Create wsl-distribution.conf for WSL images
This file is required in the new Microsoft WSL package format.

Co-authored-by: Carlos Nihelton <carlos.santanadeoliveira@canonical.com>
2024-12-09 14:29:28 +01:00
Didier Roche
42f3b442e9
Create livecd-roots tarball as a .wsl extension
Co-authored-by: Carlos Nihelton <carlos.santanadeoliveira@canonical.com>
2024-12-09 14:29:27 +01:00
Didier Roche
b53628564c
Keep a single wsl rootfs upgrade policy
We are removing our different variants of wsl rootfs with the new
Microsoft format. We only keep one following the distribution policy:
- lts to lts
- intermediate release to next one

Co-authored-by: Carlos Nihelton <carlos.santanadeoliveira@canonical.com>
2024-12-09 14:29:22 +01:00
Michael Hudson-Doyle
524c0f5c4e Refer to LB_DISTRIBUTION, not SUITE, in the ubuntu-mini-iso binary hook. 2024-12-06 09:56:55 +13:00
Michael Hudson-Doyle
c59b2165fd fix ubuntu-mini-iso build
Replace reliance on cd-boot-images-amd64 with direct use of debian-cd scripts.
2024-12-04 12:50:25 +13:00
Loïc Minier
9f0bc6a17c Merge remote-tracking branch 'rmartin013/rename-tegra-igx' into ubuntu/master
Fix typo in live-build/auto/config
2024-11-26 13:49:19 +00:00
Simon Quigley
3c39128f16 Add optional Dracut support for installed images, enable it for Lubuntu. 2024-11-23 13:49:04 -06:00
Simon Quigley
c73b51ec43 Switch Lubuntu to stacked squashfses, and split apart the common functionality to avoid Subiquity-specific commands. 2024-11-23 13:48:02 -06:00
Remy MARTIN
a666bf4110
Add tegra-jetson subarch,model,variant
The previous Tegra kernel metapackage implementation (linux-nvidia-tegra-igx)
was initially planned to apply both for Jetson devices and IGX systems. It turned
out recently (LP: #2069179) that we now need to reserve the metapackage name
linux-nvidia-tegra-igx for IGX systems, and use the new linux-nvidia-tegra-jetson
metapackage for Jetson devices. For the sake of clarity, the image name, model,
sub-arch, variant should align with the kernel metapackage name.
2024-11-06 15:47:23 +01:00
John Chittum
e128704c77
fix(buildd): create buildd homedir
LP:2083240

Starting in noble, adduser no longer creates a homedir for system users.
The buildd user then does not have a home directory, causing snaps to be
unable to run, as well as possibly other issues from a missing assumed
homedir. Explicitly create /home/buildd.
2024-11-06 07:17:16 -05:00
Dan Bungert
dbfe42ad25 live-server: omit kernel-meta-package file 2024-10-16 12:40:44 -06:00