releasing package livecd-rootfs version 25.10.14

This reverts commit 1c631c99dc2a8fd5759e9c8f872610b1f2238ddf.

We're unfortunately not ready for the standard model yet.

debian/changelog

@@ -1,3 +1,168 @@
+livecd-rootfs (25.10.14) questing; urgency=medium
+
+  [ Didier Roche-Tolomelli ]
+  [ Tim Andersson ]
+  [ Daniel Bungert ]
+  * desktop TPMFDE: move snaps back to stable channels
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 07 Aug 2025 16:21:32 -0600
+
+livecd-rootfs (25.10.13) questing; urgency=medium
+
+  [ Olivier Gayot ]
+  * Build ubuntu-server with multipath-tools-boot installed, so that the
+    multipath stack ends up present in the initramfs.
+    The LVM stack is already present in the initramfs of the installer. And
+    since kinetic, the /dev/mapper entries for LVM devices are created during
+    the initramfs phase. This is a problem when we have LVM on top of a
+    multipath disk because LVM ends up creating /dev/mapper entries out of
+    /dev/sdX (or /dev/sdXpY) devices, not out of /dev/mapper/mpatha as it
+    should. Adding the multipath stack in the initramfs gives multipath a
+    chance to take ownership of /dev/sdX (or /dev/sdXpY) devices before LVM
+    does (LP: #2080474).
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 24 Jul 2025 17:37:33 -0600
+
+livecd-rootfs (25.10.12) questing; urgency=medium
+
+  [ Zygmunt Krynicki ]
+  * Use snap wait system seed.loaded to wait for snapd (LP: #2114923)
+
+  [ Dennis Loose ]
+  [ Didier Roche-Tolomelli ]
+  * Allow the ubuntu-desktop-installer to request snap seeding state
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Tue, 15 Jul 2025 16:30:41 +0200
+
+livecd-rootfs (25.10.11) questing; urgency=medium
+
+  * Fix installer startup to wait for snapd to be preseeded first
+    (LP: #2114923)
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 11 Jul 2025 14:57:56 +0200
+
+livecd-rootfs (25.10.10) questing; urgency=medium
+
+  * risc-v cloud images: enable cpc fixes for riscv64
+
+ -- Adriano Cordova <adriano.cordova@canonical.com>  Tue, 01 Jul 2025 09:11:16 -0400
+
+livecd-rootfs (25.10.9) questing; urgency=medium
+
+  * desktop and server: read $SUBARCH to allow the use of nvidia's kernel
+    instead of generic (LP: #2109822)
+
+ -- Antoine Lassagne <antoine.lassagne@canonical.com>  Tue, 17 Jun 2025 22:23:11 +1200
+
+livecd-rootfs (25.10.8) questing; urgency=medium
+
+  [ Didier Roche-Tolomelli ]
+  * desktop: use snapd from edge
+  * desktop: tpmfde image use desktop-security-center and firmware-updater
+    from edge
+
+  [ Dan Bungert ]
+  * lb_binary_layered: try #2 to fix mtimes in layered squashfses. (LP2107332)
+    Constrain mtime sync to the current upperdir so that files in lower layers
+    are not redundantly included.
+  * server: fix failure to process the hwe kernel layer due to multiple
+    kernels being present (LP: #2112501)
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 13 Jun 2025 12:00:20 -0600
+
+livecd-rootfs (25.10.7) questing; urgency=medium
+
+  * revert 25.10.6 due to duplicated snaps
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Tue, 10 Jun 2025 07:55:40 -0600
+
+livecd-rootfs (25.10.6) questing; urgency=medium
+
+  * lb_binary_layered: fix mtimes in layered squashfses. (LP: #2107332)
+    Failing to preserve mtime causes unnecessary python pyc rebuilds due to
+    mtime mismatch, and it's generally strange that reinstalling a package
+    that is already installed changes the files on the system (minus
+    intentional differences such as what's going on in the minimized install
+    source).
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 30 May 2025 17:05:15 -0600
+
+livecd-rootfs (25.10.5) questing; urgency=medium
+
+  * desktop: TPMFDE snapd from latest/edge
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Wed, 28 May 2025 10:27:47 -0600
+
+livecd-rootfs (25.10.4) questing; urgency=medium
+
+  * desktop: TPMFDE kernel from 25.10/candidate
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Sun, 25 May 2025 23:18:59 -0600
+
+livecd-rootfs (25.10.3) questing; urgency=medium
+
+  * desktop: update TPMFDE model and don't skip 020-ubuntu-enhanced-sb.binary.
+    (LP: #2110195)  Temporarily use the model that allows overriding snap
+    channels so we can get matching snaps.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Fri, 23 May 2025 12:59:40 -0600
+
+livecd-rootfs (25.10.2) questing; urgency=medium
+
+  * desktop: skip 020-ubuntu-enhanced-sb.binary until a matching kernel is
+    ready for snapd 2.68.x
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Tue, 06 May 2025 08:24:10 +0200
+
+livecd-rootfs (25.10.1) questing; urgency=medium
+
+  * desktop: no longer involve cloud-init in early networking (LP: #2107225)
+  * server: provide network config direct to netplan
+  * server: update default netplan config for IPv6 autoconfiguration &
+    connectivity
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Mon, 28 Apr 2025 09:53:34 -0600
+
+livecd-rootfs (25.04.26) plucky; urgency=medium
+
+  * cpc: Restore UseDomains=true in cloud images (LP: #2106729)
+
+ -- Tomáš Virtus <tomas.virtus@canonical.com>  Thu, 10 Apr 2025 13:07:25 +0000
+
+livecd-rootfs (25.04.25) plucky; urgency=medium
+
+  * live-build/auto/build: Use --workdir in ubuntu-image to avoid filling
+    tmpfs-based /tmp (LP: #2103735)
+
+ -- Dave Jones <dave.jones@canonical.com>  Thu, 20 Mar 2025 17:22:47 +0000
+
+livecd-rootfs (25.04.24) plucky; urgency=medium
+
+  * desktop: update TPMFDE model to move pc-kernel to channel 25.04/stable.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 13 Mar 2025 17:17:30 -0600
+
+livecd-rootfs (25.04.23) plucky; urgency=medium
+
+  * Add 6.14 kernel apparmor features' preseeds. (LP: #2102120)
+
+ -- Jess Jang <jess.jang@canonical.com>  Wed, 12 Mar 2025 21:08:31 -0500
+
+livecd-rootfs (25.04.22) plucky; urgency=medium
+
+  * server: leave the initrd.img symlink, we want that later for probably
+    several reasons but at least for LP: #2101831
+  * desktop: update TPMFDE model for 25.04.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Tue, 11 Mar 2025 09:16:03 -0600
+
+livecd-rootfs (25.04.21) plucky; urgency=medium
+
+  * With subiquity builds, setup install-sources to offer bridge kernel.
+  * Add USE_BRIDGE_KERNEL to make it easier to control in the future.
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Wed, 05 Mar 2025 08:18:54 -0700
+
 livecd-rootfs (25.04.20) plucky; urgency=medium
 
   [ Adriano Cordova ]

debian/install

@@ -4,3 +4,4 @@ get-ppa-fingerprint usr/share/livecd-rootfs
 minimize-manual usr/share/livecd-rootfs
 checkout-translations-branch usr/share/livecd-rootfs
 update-source-catalog usr/share/livecd-rootfs
+sync-mtime usr/share/livecd-rootfs

live-build/apparmor/6.14/capability

@@ -0,0 +1 @@
+0xffffff

live-build/apparmor/6.14/caps/extended

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/caps/mask

@@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore

live-build/apparmor/6.14/dbus/mask

@@ -0,0 +1 @@
+acquire send receive

live-build/apparmor/6.14/domain/attach_conditions/xattr

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/change_hat

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/change_hatv

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/change_onexec

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/computed_longest_left

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/disconnected.path

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/fix_binfmt_elf_mmap

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/interruptible

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/kill.signal

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/post_nnp_subset

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/stack

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/unconfined_allowed_children

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/domain/version

@@ -0,0 +1 @@
+1.2

live-build/apparmor/6.14/file/mask

@@ -0,0 +1 @@
+create read write exec append mmap_exec link lock

live-build/apparmor/6.14/io_uring/mask

@@ -0,0 +1 @@
+sqpoll override_creds

live-build/apparmor/6.14/ipc/posix_mqueue

@@ -0,0 +1 @@
+create read write open delete setattr getattr

live-build/apparmor/6.14/mount/mask

@@ -0,0 +1 @@
+mount umount pivot_root

live-build/apparmor/6.14/mount/move_mount

@@ -0,0 +1 @@
+detached

live-build/apparmor/6.14/namespaces/mask

@@ -0,0 +1 @@
+userns_create

live-build/apparmor/6.14/namespaces/pivot_root

@@ -0,0 +1 @@
+no

live-build/apparmor/6.14/namespaces/profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/namespaces/userns_create

@@ -0,0 +1 @@
+pciu&

live-build/apparmor/6.14/network/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp

live-build/apparmor/6.14/network/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/network_v8/af_inet

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/network_v8/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp

live-build/apparmor/6.14/network_v9/af_mask

@@ -0,0 +1,2 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
+

live-build/apparmor/6.14/network_v9/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/notify/user

@@ -0,0 +1 @@
+file

live-build/apparmor/6.14/policy/outofband

@@ -0,0 +1 @@
+0x000001

live-build/apparmor/6.14/policy/permstable32

@@ -0,0 +1 @@
+allow deny subtree cond kill complain prompt audit quiet hide xindex tag label

live-build/apparmor/6.14/policy/permstable32_version

@@ -0,0 +1 @@
+0x000003

live-build/apparmor/6.14/policy/set_load

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/state32

@@ -0,0 +1 @@
+0x000001

live-build/apparmor/6.14/policy/unconfined_restrictions/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring

@@ -0,0 +1 @@
+0

live-build/apparmor/6.14/policy/unconfined_restrictions/userns

@@ -0,0 +1 @@
+1

live-build/apparmor/6.14/policy/versions/v5

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/versions/v6

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/versions/v7

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/versions/v8

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/versions/v9

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/ptrace/mask

@@ -0,0 +1 @@
+read trace

live-build/apparmor/6.14/query/label/data

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/query/label/multi_transaction

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/query/label/perms

@@ -0,0 +1 @@
+allow deny audit quiet

live-build/apparmor/6.14/rlimit/mask

@@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

live-build/apparmor/6.14/signal/mask

@@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost

live-build/auto/build

@@ -48,8 +48,9 @@ if [ "${IMAGEFORMAT:-}" = "ubuntu-image" ]; then
 		exit 0
 	else
 		# Ubuntu classic preinstalled images
+		# --workdir is specified to avoid filling /tmp which is now a tmpfs
 		/snap/bin/ubuntu-image classic --verbose $UBUNTU_IMAGE_ARGS \
-			-O output "$IMAGE_DEFINITION"
+			--workdir work -O output "$IMAGE_DEFINITION"
 		# Since the output of the ubuntu-image call can vary based on what
 		# kind of an image we build, the safest bet is to 'export' all the
 		# artifacts from the output directory. The image definition file
@@ -483,6 +484,9 @@ for FLAVOUR in $LB_LINUX_FLAVOURS; do
 		lowlatency-hwe-*)
 			FLAVOUR="lowlatency"
 			;;
+		nvidia-hwe-*)
+			FLAVOUR="nvidia"
+			;;
 	esac
 	KVERS="$( (cd "binary/$INITFS"; ls vmlinu?-* 2>/dev/null || true) | (fgrep -v .efi || true) | sed -n "s/^vmlinu.-\\([^-]*-[^-]*-$FLAVOUR\\)$/\\1/p" )"
 	if [ -z "$KVERS" ]; then

live-build/auto/config

@@ -3,7 +3,7 @@ set -e
 
 case $ARCH:$SUBARCH in
 	amd64:|amd64:generic|amd64:intel-iot|\
-	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|\
+	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|arm64:nvidia|\
 	arm64:tegra|arm64:tegra-igx|arm64:tegra-jetson|arm64:x13s|\
 	arm64:largemem|\
 	armhf:|\
@@ -78,6 +78,14 @@ BINARY_HOOKS=
 
 APT_OPTIONS=" --yes -oDebug::pkgDepCache::AutoInstall=yes "
 
+# Should we attempt to offer both the bridge and default kernel?
+USE_BRIDGE_KERNEL=false
+# Why are we using bridge kernel?  Value is ignored for USE_BRIDGE_KERNEL=false.
+# Possible reasons are zfs, drivers.
+BRIDGE_KERNEL_REASONS="zfs,drivers"
+# When building install-sources, what kernel is the default?
+DEFAULT_KERNEL=
+
 PASSES_TO_LAYERS=false
 _PASSES_TO_LAYERS=		# Stores the initial value of PASSES_TO_LAYERS
 PASSES=
@@ -240,28 +248,6 @@ add_snap ()
 	done
 }
 
-write_kernel_yaml () {
-	# Generate the kernel.yaml fragment used as input for
-	# update-source-catalog.  Handles default kernel specification.
-	# $1 kernel metapackage name
-	local metapkg="$1"
-	cat <<-EOF > config/kernel.yaml
-		kernel:
-		  default: "$metapkg"
-	EOF
-
-	# To specify fallback to a bridge kernel, construct a kernel.yaml
-	# with the following:
-	#
-	# kernel:
-	#   default: foo
-	#   bridge: bar
-	#   bridge_reasons: [zfs, drivers]
-	#
-	# If an install is using zfs or "drivers", use the bridge kernel, else
-	# use the default kernel.
-}
-
 get_seeded_languages () {
 	# We assume any seed name of the form ${no_lang_seed}-${foo} where
 	# ${foo} is only two or three characters long is a default language
@@ -812,7 +798,7 @@ do_layered_desktop_image() {
 		EOF
 	fi
 
-	write_kernel_yaml "linux-$KERNEL_FLAVOURS"
+	DEFAULT_KERNEL="linux-$KERNEL_FLAVOURS"
 
 	if [ "$LOCALE_SUPPORT" != none ]; then
 		/usr/share/livecd-rootfs/checkout-translations-branch \
@@ -858,6 +844,16 @@ case $PROJECT in
 				HAS_DEFAULT_LANGUAGES=yes
 				LANGUAGE_BASE=desktop
 				KERNEL_FLAVOURS='generic-hwe-24.04'
+
+				case $SUBARCH in
+					nvidia)
+						KERNEL_FLAVOURS="nvidia-hwe-24.04"
+						;;
+					*)
+						# nothing to do here.
+						;;
+				esac
+				
 				do_layered_desktop_image
 
 				# Enchanced secureboot stuff
@@ -1013,6 +1009,14 @@ case $PROJECT in
 				add_package ubuntu-server-minimal lxd-installer
 				add_task ubuntu-server-minimal.ubuntu-server minimal standard server
 				add_package ubuntu-server-minimal.ubuntu-server cloud-init
+				# If we have a multipath disk with LVM on top, we want to give
+				# multipath a chance to create the /dev/mapper/mpatha entry
+				# during the initramfs phase. Otherwise LVM will "steal" the
+				# device (e.g., /dev/sda2) and prevent multipath from using it
+				# after pivoting to the root filesystem of the live
+				# environment.
+				# See LP: #2080474 and LP: #1480399.
+				add_package ubuntu-server-minimal.ubuntu-server.installer multipath-tools-boot
 
 				add_task ubuntu-server-minimal.ubuntu-server.installer server-live
 
@@ -1037,6 +1041,9 @@ case $PROJECT in
 						# variants='ga-64k hwe-64k'
 						variants='ga-64k'
 						;;
+					nvidia)
+						variants='nvidia'
+						;;
 					*)
 						# variants='ga hwe'
 						variants='ga'
@@ -1074,21 +1081,20 @@ case $PROJECT in
 					elif [ "$variant" = "tegra-jetson" ]; then
 						kernel_metapkg=linux-nvidia-tegra-jetson
 						flavor=nvidia-tegra-jetson
+					elif [ "$variant" = "nvidia" ]; then
+						kernel_metapkg=linux-nvidia-hwe-$(lsb_release -sr)
+						flavor=nvidia
 					else
 						echo "bogus variant: $variant"
 						exit 1
 					fi
 
-					add_pass ubuntu-server-minimal.ubuntu-server.installer.$flavor
 					if [ "$first_kernel" = "y" ]; then
 						# Put the first kernel offered into the base layer
-						kernel_layer=ubuntu-server-minimal
 						first_kernel=n
-					else
-						# and subsequent ones into their own layer
-						kernel_layer=ubuntu-server-minimal.ubuntu-server.installer.$flavor
+						add_package ubuntu-server-minimal $kernel_metapkg
 					fi
-					add_package $kernel_layer $kernel_metapkg
+					add_package ubuntu-server-minimal.ubuntu-server.installer.$flavor $kernel_metapkg
 
 					LIVE_PASSES="${LIVE_PASSES:+$LIVE_PASSES }ubuntu-server-minimal.ubuntu-server.installer.$flavor"
 				done
@@ -1105,7 +1111,7 @@ case $PROJECT in
 				esac
 				NO_SQUASHFS_PASSES=ubuntu-server-minimal.ubuntu-server.installer.$flavor.netboot
 
-				write_kernel_yaml $kernel_metapkg
+				DEFAULT_KERNEL="$kernel_metapkg"
 				/usr/share/livecd-rootfs/checkout-translations-branch \
 					https://git.launchpad.net/subiquity po config/catalog-translations
 				;;
@@ -1133,7 +1139,8 @@ case $PROJECT in
 	    add_package base.live linux-image-generic
 
 	    # Core installer images use the pc-kernel snap for its kernel
-	    write_kernel_yaml "snap:pc-kernel"
+	    USE_BRIDGE_KERNEL=false
+	    DEFAULT_KERNEL="snap:pc-kernel"
 
 	    /usr/share/livecd-rootfs/checkout-translations-branch \
 		https://git.launchpad.net/subiquity po config/catalog-translations
@@ -1399,6 +1406,9 @@ echo "BUILDSTAMP=\"$NOW\"" >> config/binary
 echo "SUBPROJECT=\"${SUBPROJECT:-}\"" >> config/binary
 echo "LB_DISTRIBUTION=\"$SUITE\"" >> config/binary
 echo "CHANNEL=\"${CHANNEL:-}\"" >> config/binary
+echo "USE_BRIDGE_KERNEL=\"${USE_BRIDGE_KERNEL:-}\"" >> config/binary
+echo "BRIDGE_KERNEL_REASONS=\"${BRIDGE_KERNEL_REASONS:-}\"" >> config/binary
+echo "DEFAULT_KERNEL=\"${DEFAULT_KERNEL:-}\"" >> config/binary
 
 if [ "${IMAGE_HAS_HARDCODED_PASSWORD:-}" = "1" ]; then
 	echo IMAGE_HAS_HARDCODED_PASSWORD=1 >> config/binary

live-build/functions

@@ -565,8 +565,14 @@ _snap_post_process() {
         core[0-9]*)
             # If the 'core' snap is not present, assume we are coreXX-only and
             # install the snapd snap.
+            channel=stable
+            # FIXME: This can be commented and uncommented to enable snaps from
+            # edge for development spikes.
+            # if [ $PROJECT = "ubuntu" ]; then
+            #     channel=edge
+            # fi
             if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
-                _snap_preseed $CHROOT_ROOT snapd stable
+                _snap_preseed $CHROOT_ROOT snapd "$channel"
             fi
             ;;
         core)
@@ -1337,3 +1343,39 @@ reset_snapd_state() {
     chroot "$rootdir" apt-get install --reinstall -y snapd
     teardown_mountpoint "$rootdir"
 }
+
+write_kernel_yaml() {
+    # Generate the kernel.yaml fragment used as input for
+    # update-source-catalog.
+    #
+    # the newer kernel is the default kernel!
+    # bridge is the older, fallback kernel.
+    # $1 string, default kernel, such as "linux-generic"
+    # $2 string with comma seperated list of bridge reasons,
+    #    usually "zfs,drivers"
+    local default="$1"
+    local reasons="$2"
+
+    cat <<EOF > config/kernel.yaml
+kernel:
+  default: "$default"
+EOF
+
+    # To specify fallback to a bridge kernel, construct a kernel.yaml
+    # with the following:
+    #
+    # kernel:
+    #   default: linux-foo
+    #   bridge: linux-foo-brg-YY.MM
+    #   bridge_reasons: [zfs, drivers]
+    #
+    # If an install is using zfs or "drivers", use the bridge kernel, else
+    # use the default kernel.
+
+    if $USE_BRIDGE_KERNEL ; then
+        cat <<EOF >> config/kernel.yaml
+  bridge: "${default}-brg-$(release_ver)"
+  bridge_reasons: [$reasons]
+EOF
+    fi
+}

live-build/lb_binary_layered

@@ -163,15 +163,24 @@ build_layered_squashfs () {
 			#    (rather than the default which is to skip copies based
 			#    on size + mtime)
 			#  --no-times to not copy mtimes from source to dest (we
-			#    don't care about mtime in the image and want to
+			#    do care about mtime in the image but want to
 			#    deduplicate files that have indentical contents but
-			#    different mtimes)
+			#    different mtimes, and mtime will be fixed below)
 			#  --del because we want to remove files that have been
 			#    deleted in this layer.
 			rsync -aXHAS --checksum --no-times --del chroot/ chroot-2/
 			umount chroot-2
 			rmdir chroot-2
 			overlay_dir="$overlay_dir-2"
+			# We use rsync with --no-times rsync (see above)
+			# for the absolute best size reduction.  But there are
+			# cases where we want mtime preservation to match what
+			# was found in the original archive packages, such as
+			# keeping .py mtime in sync with the matching .pyc.
+			# Operate on the upperdir directly, so that we are only
+			# modifying mtime on files that are actually changed in
+			# this layer. LP: #2107332
+			/usr/share/livecd-rootfs/sync-mtime chroot "$overlay_dir"
 		fi
 
 		create_squashfs "${overlay_dir}" ${squashfs_f}
@@ -204,7 +213,8 @@ do
 	build_layered_squashfs "${_PASS}" ${*}
 done
 
-if [ -f config/kernel.yaml ]; then
+if [ -n "$DEFAULT_KERNEL" -a -f livecd.${PROJECT_FULL}.install-sources.yaml ]; then
+	write_kernel_yaml "$DEFAULT_KERNEL" "$BRIDGE_KERNEL_REASONS"
 	/usr/share/livecd-rootfs/update-source-catalog merge \
 		--output livecd.${PROJECT_FULL}.install-sources.yaml \
 		--template config/kernel.yaml

live-build/ubuntu-core-installer/includes.chroot.base.live/etc/cloud/cloud.cfg

@@ -18,20 +18,6 @@ ssh_pwauth: yes
 chpasswd:
     expire: false
 
-# This is the initial network config.
-# It can be overwritten by cloud-init or subiquity.
-network:
-    version: 2
-    ethernets:
-        zz-all-en:
-            match:
-                name: "en*"
-            dhcp4: true
-        zz-all-eth:
-            match:
-                name: "eth*"
-            dhcp4: true
-
 # We used to have a custom final_message here.  Just use the default instead.
 
 # Example datasource config

live-build/ubuntu-cpc/hooks.d/chroot/060-use-domains.chroot

@@ -0,0 +1,9 @@
+#!/bin/bash
+ 
+# See https://bugs.launchpad.net/cloud-images/+bug/2106729
+
+mkdir -p /etc/systemd/networkd.conf.d/
+cat >/etc/systemd/networkd.conf.d/50-cloudimg-settings.conf <<EOF
+[Network]
+UseDomains=true
+EOF

live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot

@@ -100,7 +100,7 @@ fi
 
 case $arch in
 	# ppc, riscv64 and s390x images are special
-	powerpc|ppc64el|s390x|riscv64)
+	powerpc|ppc64el|s390x)
 		exit 0
 		;;
 esac

live-build/ubuntu-server/hooks/02-hwe-kernel.chroot_early

@@ -0,0 +1,18 @@
+#!/bin/bash -eux
+# vi: ts=4 noexpandtab
+
+case $PASS in
+    ubuntu-server-minimal.ubuntu-server.installer.*.*)
+        exit 0
+        ;;
+    ubuntu-server-minimal.ubuntu-server.installer.*)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+# remove excess kernels.  auto/config arranges for the correct one to be
+# installed.
+
+apt-get --yes remove --purge 'linux-image*'

live-build/ubuntu-server/hooks/03-initramfs-enforcement.chroot

@@ -20,7 +20,7 @@ case $PASS in
     ubuntu-server-minimal.ubuntu-server.installer.*)
         ;;
     *)
-        rm -f /boot/initrd.img*
+        rm -f /boot/initrd.img-*
         exit 0
         ;;
 esac

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/cloud/cloud.cfg

@@ -18,20 +18,6 @@ ssh_pwauth: yes
 chpasswd:
     expire: false
 
-# This is the initial network config.
-# It can be overwritten by cloud-init or subiquity.
-network:
-    version: 2
-    ethernets:
-        zz-all-en:
-            match:
-                name: "en*"
-            dhcp4: true
-        zz-all-eth:
-            match:
-                name: "eth*"
-            dhcp4: true
-
 # We used to have a custom final_message here.  Just use the default instead.
 
 # Example datasource config

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/netplan/00-installer-config.yaml

@@ -0,0 +1,19 @@
+# This is the initial network config.
+# It can be overwritten by cloud-init or subiquity.
+# For more information, see netplan(5)
+
+network:
+    version: 2
+    ethernets:
+        zz-all-en:
+            match:
+                name: "en*"
+            dhcp4: true
+            dhcp6: true
+            accept-ra: true
+        zz-all-eth:
+            match:
+                name: "eth*"
+            dhcp4: true
+            dhcp6: true
+            accept-ra: true

live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary

@@ -20,98 +20,26 @@ fi
 . config/binary
 . config/functions
 
-# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
-cat <<EOF > config/classic-model.model
-type: model
-authority-id: canonical
-series: 16
-brand-id: canonical
-model: ubuntu-classic-2410-amd64
-architecture: amd64
-base: core22
-classic: true
-distribution: ubuntu
-grade: signed
-snaps:
-  -
-    default-channel: classic-24.10/stable
-    id: UqFziVZDHLSyO3TqSWgNBoAdHbLI4dAH
-    name: pc
-    type: gadget
-  -
-    default-channel: 24.10/stable
-    id: pYVQrBcKmBa0mZ4CCN7ExT6jH8rY1hza
-    name: pc-kernel
-    type: kernel
-  -
-    default-channel: latest/stable
-    id: amcUKQILKXHHTlmSa7NMdnXSx02dNeeT
-    name: core22
-    type: base
-  -
-    default-channel: latest/stable
-    id: PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4
-    name: snapd
-    type: snapd
-  -
-    default-channel: latest/stable
-    id: EISPgh06mRh1vordZY9OZ34QHdd7OrdR
-    name: bare
-    type: base
-  -
-    default-channel: latest/stable/ubuntu-24.10
-    id: 3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
-    name: firefox
-    type: app
-  -
-    default-channel: latest/stable/ubuntu-24.10
-    id: lATO8HzwVvrAPrlZRAWpfyrJKlAJrZS3
-    name: gnome-42-2204
-    type: app
-  -
-    default-channel: latest/stable/ubuntu-24.10
-    id: jZLfBRzf1cYlYysIjD2bwSzNtngY0qit
-    name: gtk-common-themes
-    type: app
-  -
-    default-channel: latest/stable/ubuntu-24.10
-    id: IrwRHakqtzhFRHJOOPxKVPU0Kk7Erhcu
-    name: snapd-desktop-integration
-    type: app
-  -
-    default-channel: 1/stable/ubuntu-24.10
-    id: EI0D1KHjP8XiwMZKqSjuh6W8zvcowUVP
-    name: firmware-updater
-    type: app
-  -
-    default-channel: 1/stable/ubuntu-24.10
-    id: FppXWunWzuRT2NUT9CwoBPNJNZBYOCk0
-    name: desktop-security-center
-    type: app
-  -
-    default-channel: 1/stable/ubuntu-24.10
-    id: aoc5lfC8aUd2VL8VpvynUJJhGXp5K6Dj
-    name: prompting-client
-    type: app
-  -
-    default-channel: 2/stable/ubuntu-24.10
-    id: gjf3IPXoRiipCu9K0kVu52f0H56fIksg
-    name: snap-store
-    type: app
-timestamp: 2024-06-18T12:00:00.0Z
-sign-key-sha3-384: 9tydnLa6MTJ-jaQTFUXEwHl1yRx7ZS4K5cyFDhYDcPzhS7uyEkDxdUjg9g08BtNn
+# Generation of the model:
+# * At https://github.com/canonical/models one can find a repo of raw,
+#   unsigned, input .json files, and their signed .model equivalents.
+# * At least once per cycle, update the json for the new Ubuntu version.
+#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
+#   rename for the new version, and do any necessary updates including fixing
+#   the versions of tracks.
+# * When this is done, the json needs to be signed.  This needs to be done by
+#   a Canonical employee - try asking someone who has recently opened PRs on
+#   https://github.com/canonical/models with the signed models.
+# * Ensure the signed and unsigned version of the models are updated in the
+#   models repo.
+# * The signed model can then be placed here in livecd-rootfs at
+#   live-build/${PROJECT}/ubuntu-classic-amd64.model
 
-AcLBXAQAAQoABgUCZv8eAQAKCRDgT5vottzAEu4rD/9UbdQMAYBD9kJnKZpgDQLK6WCV4DU4vBF0
-exKeVREhjGlcGNTKZDBTu/thVu9xCbGdKFxucoBr3y5kGmRkFaHXqzCGUcGOIRnGqlLHAwskcsHY
-LJYvPcUl6+UJhLHEN+kz50iPuEOe2qdmwAYyOTpkhWatFI8gjOyUN79aiMIPvbuKxmz6reozxi92
-bPhr0emR20Moc23x8ANNc04FY062eJI1gXBWfakk8whQvUk+++sJZDUXcd6yfR7HtIhZaBlgLSOG
-wIO74vlTaGNqbnOik2LhI/75Rpmelb3H2qukcBl6x847Pt588hERQHvy7LwrLTiqDFoWC2QaRa5U
-VCoV0QOjmoPbc3SESLyQbjbC01I1rYgPnsVOZ6jiI8lx6ODH5But3ziA4Z2ikosQoc4EwpkJa/yk
-1ca6/MgHxSD4A4TDn031zs4hPQxF33xPB3/4AJHmNwae+9yeoLF9Fen/NaE6GsNA9JsXvTt4qplu
-U6oiKIBuRj6MyyIf1RALSF1jZUQblif5exbkp+q0mdbaTvLCOEBuVzildhtpmS3ZbNYgwp7VPSjM
-KNwBBQiu4Ewdlhn0801ruI+eGwR5KVhIrSFdcjsU39jLG7SkWM5NO74t1x75gvUXsmti3WswbIPO
-JlxI5Z1CQv+Uqbg5qZkt/v4EuptvA1CzEcoBzTa05w==
-EOF
+# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
+model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# see below note about "dangerous" model
+CHANNEL=${CHANNEL:-stable}
 
 channel=""
 if [ -n "${CHANNEL:-}" ]; then
@@ -122,8 +50,27 @@ reset_snapd_state chroot
 
 # Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
 # snap versions regardless of phasing status
+
+# this is the normal prepare-image invocation.  This is not used right now as
+# the model in question is the "dangerous" model so that we can override the
+# channel of pc-kernel and others to get a matching set of snaps.
+#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+#       --classic $model $channel chroot
+# FIXME - go back to the stable model and remove all the `--snap` overrides
 env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-    --classic config/classic-model.model $channel chroot
+    --classic $model $channel \
+    --snap=pc=classic-25.10/stable \
+    --snap=pc-kernel=25.10/candidate \
+    --snap=firmware-updater=1/stable/ubuntu-25.10 \
+    --snap=desktop-security-center=1/stable/ubuntu-25.10 \
+    --snap=prompting-client=1/stable/ubuntu-25.10 \
+    --snap=snap-store=2/stable/ubuntu-25.10 \
+    --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
+    --snap=firefox=latest/stable/ubuntu-25.10 \
+    --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
+    --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
+    chroot
+
 mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
 rm -rf chroot/var/lib/snapd/seed
 mv chroot/system-seed chroot/var/lib/snapd/seed

live-build/ubuntu/includes.chroot.minimal.standard.live/etc/cloud/cloud.cfg

@@ -18,20 +18,6 @@ ssh_pwauth: yes
 chpasswd:
     expire: false
 
-# This is the initial network config.
-# It can be overwritten by cloud-init or subiquity.
-network:
-    version: 2
-    ethernets:
-        zz-all-en:
-            match:
-                name: "en*"
-            dhcp4: true
-        zz-all-eth:
-            match:
-                name: "eth*"
-            dhcp4: true
-
 # We used to have a custom final_message here.  Just use the default instead.
 
 # Example datasource config

live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules

@@ -0,0 +1,13 @@
+// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
+//
+// THIS FILE IS ONLY AVAILABLE ON THE LIVE SYSTEM
+//
+// Allow the ubuntu-desktop-installer to request snap seeding state
+// used before starting.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "io.snapcraft.snapd.manage-configuration") {
+            return polkit.Result.YES;
+    }
+});
+

live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service

@@ -10,6 +10,8 @@ Conflicts=gnome-session@gnome-login.target
 
 [Service]
 Type=oneshot
+# Make sure that the system was seeded to access the snap
+ExecStartPre=/usr/bin/snap wait system seed.loaded
 ExecStart=/snap/bin/ubuntu-desktop-bootstrap --try-or-install
 ExecStopPost=sh -c "gsettings set org.gnome.shell.extensions.dash-to-dock dock-fixed true; gsettings set org.gnome.shell.extensions.dash-to-dock intellihide true; gnome-extensions enable ding@rastersoft.com"
 Restart=no

live-build/ubuntu/ubuntu-classic-amd64.model

@@ -0,0 +1,89 @@
+type: model
+authority-id: canonical
+series: 16
+brand-id: canonical
+model: ubuntu-classic-2510-amd64-dangerous
+architecture: amd64
+base: core24
+classic: true
+distribution: ubuntu
+grade: dangerous
+snaps:
+  -
+    default-channel: classic-25.10/edge
+    id: UqFziVZDHLSyO3TqSWgNBoAdHbLI4dAH
+    name: pc
+    type: gadget
+  -
+    default-channel: 25.10/edge
+    id: pYVQrBcKmBa0mZ4CCN7ExT6jH8rY1hza
+    name: pc-kernel
+    type: kernel
+  -
+    default-channel: latest/edge
+    id: amcUKQILKXHHTlmSa7NMdnXSx02dNeeT
+    name: core22
+    type: base
+  -
+    default-channel: latest/edge
+    id: PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4
+    name: snapd
+    type: snapd
+  -
+    default-channel: latest/edge
+    id: EISPgh06mRh1vordZY9OZ34QHdd7OrdR
+    name: bare
+    type: base
+  -
+    default-channel: latest/edge
+    id: EI0D1KHjP8XiwMZKqSjuh6W8zvcowUVP
+    name: firmware-updater
+    type: app
+  -
+    default-channel: latest/edge
+    id: FppXWunWzuRT2NUT9CwoBPNJNZBYOCk0
+    name: desktop-security-center
+    type: app
+  -
+    default-channel: latest/edge
+    id: aoc5lfC8aUd2VL8VpvynUJJhGXp5K6Dj
+    name: prompting-client
+    type: app
+  -
+    default-channel: latest/edge
+    id: gjf3IPXoRiipCu9K0kVu52f0H56fIksg
+    name: snap-store
+    type: app
+  -
+    default-channel: latest/edge
+    id: jZLfBRzf1cYlYysIjD2bwSzNtngY0qit
+    name: gtk-common-themes
+    type: app
+  -
+    default-channel: latest/edge
+    id: 3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
+    name: firefox
+    type: app
+  -
+    default-channel: latest/edge
+    id: lATO8HzwVvrAPrlZRAWpfyrJKlAJrZS3
+    name: gnome-42-2204
+    type: app
+  -
+    default-channel: latest/edge
+    id: IrwRHakqtzhFRHJOOPxKVPU0Kk7Erhcu
+    name: snapd-desktop-integration
+    type: app
+timestamp: 2025-05-01T12:00:00.0Z
+sign-key-sha3-384: 9tydnLa6MTJ-jaQTFUXEwHl1yRx7ZS4K5cyFDhYDcPzhS7uyEkDxdUjg9g08BtNn
+
+AcLBXAQAAQoABgUCaBpC0wAKCRDgT5vottzAEmTaD/4+m7UJU64O0/Nu5OimYd5aSYoi1PSH5nq6
+HK9F3vJnL0xpJRtnNgmUi1STghVa8ej2TOMvcTmgNcB+XG7xTadUEJIOu+GP7Q1WChnDQJjEFf0v
+9rL9/KI80ij00BHupRq3NZrru24TP72Rccd1I9Y1g0v6Y7eZODj6DLrIId9iIoYUqy3/jLAjoNq/
+Njm2+tlfC219gkyHQxYDtXRg5gPLpw58y9TkcaPj90WZAL1S3u/O6WvC3TSm8x1ESCx0HEfuHke8
+KcccjoTGshHKUsNHrdAs09SmJRS5m+JtgmO3yA1Fi/DiHHf6MAqxfTxao9vcu1yZlH/x710shOYS
+ySDMLllIKpU0p69Oo23uRgl/4fmuxiK/tGEYusMPTGmcy7jmnfRha6iYt4Dj3fWbZn88kkcwzheb
+RAzDItXBX/xcyqnBYt9821hDrGAgtpgNPWXx0l944VcYBoSEMx3LS+XITdiPwg08A9UZIgYBbc6z
+Pc02I4+7ObGmyxBpfFSNUxApkhph9fq97OfVe6LSnXR2p8m8EQ7tFBlIO+Wco9AeTxf6aS+vRjgd
+nhxfIfE7qlhzFEFV6BOQMPtR0zovramo3QYfig57erCLzt6YQvs/bUmdlIB5M7W6cdwC9X+jqV/f
+LHe4yOQIv4zZzcTxZeSVrlkIo2FcqpD6ishUecThqw==

sync-mtime

@@ -0,0 +1,38 @@
+#!/usr/bin/python3
+
+# usage: sync-mtime src dst
+#
+# synchronize atime/mtime on files between src and dst.
+#
+# src and dst are directories, where dst is expected to contain a subset of the
+# files found in src. for each file present in dst or a subdirectory thereof,
+# if atime/mtime differ between the same file in src and that file in dst,
+# update atime/mtime on the file in dst.
+
+import os
+import sys
+from pathlib import Path
+
+
+def time_eq(a: os.stat_result, b: os.stat_result) -> bool:
+    return (
+        (a.st_mtime_ns == b.st_mtime_ns) and
+        (a.st_atime_ns == b.st_atime_ns)
+    )
+
+
+src, dst = sys.argv[1:]
+for dirpath, dirnames, filenames in Path(dst).walk():
+    for filename in filenames:
+        dst_file = dirpath / filename
+        if not dst_file.is_file():
+            continue
+        src_file = src / dst_file.relative_to(dst)
+
+        src_stat = src_file.stat(follow_symlinks=False)
+        dst_stat = dst_file.stat(follow_symlinks=False)
+        if time_eq(src_stat, dst_stat):
+            continue
+
+        ns = (src_stat.st_atime_ns, src_stat.st_mtime_ns)
+        os.utime(dst_file, ns=ns, follow_symlinks=False)