releasing package livecd-rootfs version 25.10.16

do not completely delete the seed from the live layer
Put the uc20-style system seed for TPM backed FDE in the live layer.
2025-08-14 18:24:15 +00:00 · 2025-08-13 10:34:53 +12:00 · 2025-08-13 10:32:03 +12:00 · 2025-08-13 10:32:03 +12:00 · 2025-08-12 19:37:11 +05:30 · 2025-08-12 19:36:17 +05:30
9 changed files with 167 additions and 59 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,59 @@
+livecd-rootfs (25.10.16) questing; urgency=medium
+
+  * Put the uc20-style system seed for TPM backed FDE in the live layer.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Wed, 13 Aug 2025 10:34:39 +1200
+
+livecd-rootfs (25.10.15) questing; urgency=medium
+
+  * Add missing components to 6.14 kernel apparmor features' preseeds.
+    (LP: #2116199)
+
+ -- Bryan Alexander <bryan.alexander@canonical.com>  Thu, 17 Jul 2025 13:27:17 -0700
+
+livecd-rootfs (25.10.14) questing; urgency=medium
+
+  [ Didier Roche-Tolomelli ]
+  [ Tim Andersson ]
+  [ Daniel Bungert ]
+  * desktop TPMFDE: move snaps back to stable channels
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 07 Aug 2025 16:21:32 -0600
+
+livecd-rootfs (25.10.13) questing; urgency=medium
+
+  [ Olivier Gayot ]
+  * Build ubuntu-server with multipath-tools-boot installed, so that the
+    multipath stack ends up present in the initramfs.
+    The LVM stack is already present in the initramfs of the installer. And
+    since kinetic, the /dev/mapper entries for LVM devices are created during
+    the initramfs phase. This is a problem when we have LVM on top of a
+    multipath disk because LVM ends up creating /dev/mapper entries out of
+    /dev/sdX (or /dev/sdXpY) devices, not out of /dev/mapper/mpatha as it
+    should. Adding the multipath stack in the initramfs gives multipath a
+    chance to take ownership of /dev/sdX (or /dev/sdXpY) devices before LVM
+    does (LP: #2080474).
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 24 Jul 2025 17:37:33 -0600
+
+livecd-rootfs (25.10.12) questing; urgency=medium
+
+  [ Zygmunt Krynicki ]
+  * Use snap wait system seed.loaded to wait for snapd (LP: #2114923)
+
+  [ Dennis Loose ]
+  [ Didier Roche-Tolomelli ]
+  * Allow the ubuntu-desktop-installer to request snap seeding state
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Tue, 15 Jul 2025 16:30:41 +0200
+
+livecd-rootfs (25.10.11) questing; urgency=medium
+
+  * Fix installer startup to wait for snapd to be preseeded first
+    (LP: #2114923)
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 11 Jul 2025 14:57:56 +0200
+
 livecd-rootfs (25.10.10) questing; urgency=medium

  * risc-v cloud images: enable cpc fixes for riscv64
--- a/live-build/apparmor/6.14/domain/disconnected.ipc
+++ b/live-build/apparmor/6.14/domain/disconnected.ipc
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring
+++ b/live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring
@ -1 +1 @@
-0
+1
--- a/live-build/auto/config
+++ b/live-build/auto/config
@ -1009,6 +1009,14 @@ case $PROJECT in
 				add_package ubuntu-server-minimal lxd-installer
 				add_task ubuntu-server-minimal.ubuntu-server minimal standard server
 				add_package ubuntu-server-minimal.ubuntu-server cloud-init
+				# If we have a multipath disk with LVM on top, we want to give
+				# multipath a chance to create the /dev/mapper/mpatha entry
+				# during the initramfs phase. Otherwise LVM will "steal" the
+				# device (e.g., /dev/sda2) and prevent multipath from using it
+				# after pivoting to the root filesystem of the live
+				# environment.
+				# See LP: #2080474 and LP: #1480399.
+				add_package ubuntu-server-minimal.ubuntu-server.installer multipath-tools-boot

 				add_task ubuntu-server-minimal.ubuntu-server.installer server-live

--- a/live-build/functions
+++ b/live-build/functions
@ -566,10 +566,11 @@ _snap_post_process() {
            # If the 'core' snap is not present, assume we are coreXX-only and
            # install the snapd snap.
            channel=stable
-            # FIXME: TPM-FDE spike, to be removed after the spike is over.
-            if [ $PROJECT = "ubuntu" ]; then
-                channel=edge
-            fi
+            # FIXME: This can be commented and uncommented to enable snaps from
+            # edge for development spikes.
+            # if [ $PROJECT = "ubuntu" ]; then
+            #     channel=edge
+            # fi
            if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
                _snap_preseed $CHROOT_ROOT snapd "$channel"
            fi
--- a/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary
+++ b/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary
@ -1,71 +1,24 @@
 #! /bin/sh

+# We need to remove the snapd seed configuration for the layers that
+# will be the installation source for a TPM-backed FDE install or
+# snapd gets very confused on the boot of the target system.
+
 set -eux

 case ${PASS:-} in
-    minimal.standard.enhanced-secureboot)
-        ;;
-    minimal.enhanced-secureboot)
+    *.enhanced-secureboot)
        ;;
    *)
        exit 0
        ;;
 esac

+. config/functions
+
 if [ -n "${SUBPROJECT:-}" ]; then
    echo "We don't run Ubuntu Desktop hooks for this project."
    exit 0
 fi

-. config/binary
-. config/functions
-
-# Generation of the model:
-# * At https://github.com/canonical/models one can find a repo of raw,
-#   unsigned, input .json files, and their signed .model equivalents.
-# * At least once per cycle, update the json for the new Ubuntu version.
-#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
-#   rename for the new version, and do any necessary updates including fixing
-#   the versions of tracks.
-# * When this is done, the json needs to be signed.  This needs to be done by
-#   a Canonical employee - try asking someone who has recently opened PRs on
-#   https://github.com/canonical/models with the signed models.
-# * Ensure the signed and unsigned version of the models are updated in the
-#   models repo.
-# * The signed model can then be placed here in livecd-rootfs at
-#   live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
-model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# see below note about "dangerous" model
-CHANNEL=${CHANNEL:-stable}
-
-channel=""
-if [ -n "${CHANNEL:-}" ]; then
-    channel="--channel $CHANNEL"
-fi
-
 reset_snapd_state chroot
-
-# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
-# snap versions regardless of phasing status
-
-# this is the normal prepare-image invocation.  This is not used right now as
-# the model in question is the "dangerous" model so that we can override the
-# channel of pc-kernel to get a matching set of snaps.
-#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-#       --classic $model $channel chroot
-# so instead we're doing this, including forcing channel to stable for
-# everything but pc-kernel.
-env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-    --classic $model $channel \
-    --snap=pc-kernel=25.10/candidate \
-    --snap=snapd=latest/edge \
-    --snap=desktop-security-center=1/edge \
-    --snap=firmware-updater=1/edge \
-    chroot
-
-mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
-rm -rf chroot/var/lib/snapd/seed
-mv chroot/system-seed chroot/var/lib/snapd/seed
--- a/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary
+++ b/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary
@ -0,0 +1,74 @@
+#!/bin/bash
+
+# create the system seed for TPM-backed FDE in the live layer of the installer.
+
+set -eux
+
+case ${PASS:-} in
+    *.live)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+if [ -n "${SUBPROJECT:-}" ]; then
+    echo "We don't run Ubuntu Desktop hooks for this project."
+    exit 0
+fi
+
+. config/binary
+. config/functions
+
+# Generation of the model:
+# * At https://github.com/canonical/models one can find a repo of raw,
+#   unsigned, input .json files, and their signed .model equivalents.
+# * At least once per cycle, update the json for the new Ubuntu version.
+#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
+#   rename for the new version, and do any necessary updates including fixing
+#   the versions of tracks.
+# * When this is done, the json needs to be signed.  This needs to be done by
+#   a Canonical employee - try asking someone who has recently opened PRs on
+#   https://github.com/canonical/models with the signed models.
+# * Ensure the signed and unsigned version of the models are updated in the
+#   models repo.
+# * The signed model can then be placed here in livecd-rootfs at
+#   live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
+model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# see below note about "dangerous" model
+CHANNEL=${CHANNEL:-stable}
+
+channel=""
+if [ -n "${CHANNEL:-}" ]; then
+    channel="--channel $CHANNEL"
+fi
+
+# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
+# snap versions regardless of phasing status
+
+# this is the normal prepare-image invocation.  This is not used right now as
+# the model in question is the "dangerous" model so that we can override the
+# channel of pc-kernel and others to get a matching set of snaps.
+#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+#       --classic $model $channel chroot
+# FIXME - go back to the stable model and remove all the `--snap` overrides
+env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+    --classic $model $channel \
+    --snap=pc=classic-25.10/stable \
+    --snap=pc-kernel=25.10/candidate \
+    --snap=firmware-updater=1/stable/ubuntu-25.10 \
+    --snap=desktop-security-center=1/stable/ubuntu-25.10 \
+    --snap=prompting-client=1/stable/ubuntu-25.10 \
+    --snap=snap-store=2/stable/ubuntu-25.10 \
+    --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
+    --snap=firefox=latest/stable/ubuntu-25.10 \
+    --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
+    --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
+    chroot
+
+mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
+rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
+rm -rf chroot/system-seed/
--- a/live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules
+++ b/live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules
@ -0,0 +1,13 @@
+// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
+//
+// THIS FILE IS ONLY AVAILABLE ON THE LIVE SYSTEM
+//
+// Allow the ubuntu-desktop-installer to request snap seeding state
+// used before starting.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "io.snapcraft.snapd.manage-configuration") {
+            return polkit.Result.YES;
+    }
+});
+
--- a/live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service
+++ b/live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service
@ -10,6 +10,8 @@ Conflicts=gnome-session@gnome-login.target

 [Service]
 Type=oneshot
+# Make sure that the system was seeded to access the snap
+ExecStartPre=/usr/bin/snap wait system seed.loaded
 ExecStart=/snap/bin/ubuntu-desktop-bootstrap --try-or-install
 ExecStopPost=sh -c "gsettings set org.gnome.shell.extensions.dash-to-dock dock-fixed true; gsettings set org.gnome.shell.extensions.dash-to-dock intellihide true; gnome-extensions enable ding@rastersoft.com"
 Restart=no
Author	SHA1	Message	Date
Michael Hudson-Doyle	b1604eadc4	releasing package livecd-rootfs version 25.10.16	2025-08-13 10:34:53 +12:00
Michael Hudson-Doyle	af76e8089d	do not completely delete the seed from the live layer	2025-08-13 10:32:03 +12:00
Michael Hudson-Doyle	5494522a14	Put the uc20-style system seed for TPM backed FDE in the live layer.	2025-08-13 10:32:03 +12:00
Utkarsh Gupta	e733e7b129	Update d/ch for 25.10.15 release	2025-08-12 19:37:11 +05:30
Utkarsh Gupta	793965ba6c	Merge remote-tracking branch 'bryalex/bryalex/6.14-master' into ubuntu/master * bryalex/bryalex/6.14-master: Add debian/changelog entry (LP: #2116199) feat(apparmor): Add missing components to 6.14 kernel apparmor features' preseeds	2025-08-12 19:36:17 +05:30
Dan Bungert	bcf7ded68e	releasing package livecd-rootfs version 25.10.14	2025-08-07 16:21:33 -06:00
Dan Bungert	6c2b20e070	desktop TPMFDE: move most snaps to stable channels	2025-08-07 16:18:04 -06:00
Dan Bungert	e46416e873	Revert "Move back ubuntu classic to a standard model" This reverts commit 1c631c99dc2a8fd5759e9c8f872610b1f2238ddf. We're unfortunately not ready for the standard model yet.	2025-08-07 16:17:20 -06:00
Didier Roche	1c631c99dc	Move back ubuntu classic to a standard model We don’t use edge anymore. The model still needs to be signed though.	2025-08-06 07:36:59 +02:00
Tim Andersson	3dd6f72a21	switch snaps back to stable now that the TPM FDE spike is over. This was enabled for more rapid development on the snaps that go into the live desktop image. Revert now that the spike is over.	2025-07-30 16:49:10 +01:00
Olivier Gayot	b706c97ac2	releasing package livecd-rootfs version 25.10.13	2025-07-24 17:37:44 -06:00
Olivier Gayot	a54084218f	Build with multipath-tools-boot Signed-off-by: Olivier Gayot <olivier.gayot@canonical.com>	2025-07-24 00:34:44 +02:00
Bryan Alexander	88cd42efd1	Add debian/changelog entry (LP: #2116199 )	2025-07-17 13:27:40 -07:00
Bryan Alexander	727e75341a	feat(apparmor): Add missing components to 6.14 kernel apparmor features' preseeds - Add the domain/disconnected.ipc component - Modified the policy/unconfined_restrictions/io_uring component (LP: #2116199)	2025-07-17 13:25:12 -07:00
Didier Roche	30107ce354	releasing package livecd-rootfs version 25.10.12	2025-07-15 16:52:14 +02:00
Didier Roche	59e55cb364	Merge branch 'polkit-allow-snap-seeding' into ubuntu/master	2025-07-15 16:30:33 +02:00
Didier Roche	69f6b3795b	Allow the ubuntu-desktop-installer to request snap seeding state This is used to only start the installer after all snaps have been seeded. Co-Authored-By: Dennis Loose <dennis.loose@canonical.com>	2025-07-15 16:24:10 +02:00
Zygmunt Krynicki	c4fbaf5d3b	Use snap wait system seed.loaded to wait for snapd We cannot use After=snapd.service as user services cannot synchronize with system services. Using `snap system wait seed.loaded` should work, except for the fact that it requires polkit authentication to perform this operation. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>	2025-07-14 11:15:50 +02:00
Didier Roche	9fbd9ba71e	releasing package livecd-rootfs version 25.10.11	2025-07-11 14:59:06 +02:00
Didier Roche	e672f5ca4c	Update debian/changelog	2025-07-11 14:58:47 +02:00
Didier Roche	8a70acb1ec	Make sure the system was seeded before starting the installer The installer is a snap, and as such, the system needs to be seeded first to avoid a race during live boot. Fixes https://bugs.launchpad.net/ubuntu-desktop-provision/+bug/2114923	2025-07-11 13:05:08 +02:00