releasing package livecd-rootfs version 25.10.16

* bryalex/bryalex/6.14-master:
  Add debian/changelog entry (LP: #2116199)
  feat(apparmor): Add missing components to 6.14 kernel apparmor features' preseeds

debian/changelog

@@ -1,3 +1,52 @@
+livecd-rootfs (25.10.16) questing; urgency=medium
+
+  * Put the uc20-style system seed for TPM backed FDE in the live layer.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Wed, 13 Aug 2025 10:34:39 +1200
+
+livecd-rootfs (25.10.15) questing; urgency=medium
+
+  * Add missing components to 6.14 kernel apparmor features' preseeds.
+    (LP: #2116199)
+
+ -- Bryan Alexander <bryan.alexander@canonical.com>  Thu, 17 Jul 2025 13:27:17 -0700
+
+livecd-rootfs (25.10.14) questing; urgency=medium
+
+  [ Didier Roche-Tolomelli ]
+  [ Tim Andersson ]
+  [ Daniel Bungert ]
+  * desktop TPMFDE: move snaps back to stable channels
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 07 Aug 2025 16:21:32 -0600
+
+livecd-rootfs (25.10.13) questing; urgency=medium
+
+  [ Olivier Gayot ]
+  * Build ubuntu-server with multipath-tools-boot installed, so that the
+    multipath stack ends up present in the initramfs.
+    The LVM stack is already present in the initramfs of the installer. And
+    since kinetic, the /dev/mapper entries for LVM devices are created during
+    the initramfs phase. This is a problem when we have LVM on top of a
+    multipath disk because LVM ends up creating /dev/mapper entries out of
+    /dev/sdX (or /dev/sdXpY) devices, not out of /dev/mapper/mpatha as it
+    should. Adding the multipath stack in the initramfs gives multipath a
+    chance to take ownership of /dev/sdX (or /dev/sdXpY) devices before LVM
+    does (LP: #2080474).
+
+ -- Dan Bungert <daniel.bungert@canonical.com>  Thu, 24 Jul 2025 17:37:33 -0600
+
+livecd-rootfs (25.10.12) questing; urgency=medium
+
+  [ Zygmunt Krynicki ]
+  * Use snap wait system seed.loaded to wait for snapd (LP: #2114923)
+
+  [ Dennis Loose ]
+  [ Didier Roche-Tolomelli ]
+  * Allow the ubuntu-desktop-installer to request snap seeding state
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Tue, 15 Jul 2025 16:30:41 +0200
+
 livecd-rootfs (25.10.11) questing; urgency=medium
 
   * Fix installer startup to wait for snapd to be preseeded first

live-build/apparmor/6.14/domain/disconnected.ipc

@@ -0,0 +1 @@
+yes

live-build/apparmor/6.14/policy/unconfined_restrictions/io_uring

@@ -1 +1 @@
-0
+1

live-build/auto/config

@@ -1009,6 +1009,14 @@ case $PROJECT in
 				add_package ubuntu-server-minimal lxd-installer
 				add_task ubuntu-server-minimal.ubuntu-server minimal standard server
 				add_package ubuntu-server-minimal.ubuntu-server cloud-init
+				# If we have a multipath disk with LVM on top, we want to give
+				# multipath a chance to create the /dev/mapper/mpatha entry
+				# during the initramfs phase. Otherwise LVM will "steal" the
+				# device (e.g., /dev/sda2) and prevent multipath from using it
+				# after pivoting to the root filesystem of the live
+				# environment.
+				# See LP: #2080474 and LP: #1480399.
+				add_package ubuntu-server-minimal.ubuntu-server.installer multipath-tools-boot
 
 				add_task ubuntu-server-minimal.ubuntu-server.installer server-live
 

live-build/functions

@@ -566,10 +566,11 @@ _snap_post_process() {
             # If the 'core' snap is not present, assume we are coreXX-only and
             # install the snapd snap.
             channel=stable
-            # FIXME: TPM-FDE spike, to be removed after the spike is over.
+            # FIXME: This can be commented and uncommented to enable snaps from
-            if [ $PROJECT = "ubuntu" ]; then
+            # edge for development spikes.
-                channel=edge
+            # if [ $PROJECT = "ubuntu" ]; then
-            fi
+            #     channel=edge
+            # fi
             if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
                 _snap_preseed $CHROOT_ROOT snapd "$channel"
             fi

live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary

@@ -1,71 +1,24 @@
 #! /bin/sh
 
+# We need to remove the snapd seed configuration for the layers that
+# will be the installation source for a TPM-backed FDE install or
+# snapd gets very confused on the boot of the target system.
+
 set -eux
 
 case ${PASS:-} in
-    minimal.standard.enhanced-secureboot)
+    *.enhanced-secureboot)
-        ;;
-    minimal.enhanced-secureboot)
         ;;
     *)
         exit 0
         ;;
 esac
 
+. config/functions
+
 if [ -n "${SUBPROJECT:-}" ]; then
     echo "We don't run Ubuntu Desktop hooks for this project."
     exit 0
 fi
 
-. config/binary
-. config/functions
-
-# Generation of the model:
-# * At https://github.com/canonical/models one can find a repo of raw,
-#   unsigned, input .json files, and their signed .model equivalents.
-# * At least once per cycle, update the json for the new Ubuntu version.
-#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
-#   rename for the new version, and do any necessary updates including fixing
-#   the versions of tracks.
-# * When this is done, the json needs to be signed.  This needs to be done by
-#   a Canonical employee - try asking someone who has recently opened PRs on
-#   https://github.com/canonical/models with the signed models.
-# * Ensure the signed and unsigned version of the models are updated in the
-#   models repo.
-# * The signed model can then be placed here in livecd-rootfs at
-#   live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
-model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# see below note about "dangerous" model
-CHANNEL=${CHANNEL:-stable}
-
-channel=""
-if [ -n "${CHANNEL:-}" ]; then
-    channel="--channel $CHANNEL"
-fi
-
 reset_snapd_state chroot
-
-# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
-# snap versions regardless of phasing status
-
-# this is the normal prepare-image invocation.  This is not used right now as
-# the model in question is the "dangerous" model so that we can override the
-# channel of pc-kernel to get a matching set of snaps.
-#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-#       --classic $model $channel chroot
-# so instead we're doing this, including forcing channel to stable for
-# everything but pc-kernel.
-env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-    --classic $model $channel \
-    --snap=pc-kernel=25.10/candidate \
-    --snap=snapd=latest/edge \
-    --snap=desktop-security-center=1/edge \
-    --snap=firmware-updater=1/edge \
-    chroot
-
-mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
-rm -rf chroot/var/lib/snapd/seed
-mv chroot/system-seed chroot/var/lib/snapd/seed

live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# create the system seed for TPM-backed FDE in the live layer of the installer.
+
+set -eux
+
+case ${PASS:-} in
+    *.live)
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+
+if [ -n "${SUBPROJECT:-}" ]; then
+    echo "We don't run Ubuntu Desktop hooks for this project."
+    exit 0
+fi
+
+. config/binary
+. config/functions
+
+# Generation of the model:
+# * At https://github.com/canonical/models one can find a repo of raw,
+#   unsigned, input .json files, and their signed .model equivalents.
+# * At least once per cycle, update the json for the new Ubuntu version.
+#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
+#   rename for the new version, and do any necessary updates including fixing
+#   the versions of tracks.
+# * When this is done, the json needs to be signed.  This needs to be done by
+#   a Canonical employee - try asking someone who has recently opened PRs on
+#   https://github.com/canonical/models with the signed models.
+# * Ensure the signed and unsigned version of the models are updated in the
+#   models repo.
+# * The signed model can then be placed here in livecd-rootfs at
+#   live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
+model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# see below note about "dangerous" model
+CHANNEL=${CHANNEL:-stable}
+
+channel=""
+if [ -n "${CHANNEL:-}" ]; then
+    channel="--channel $CHANNEL"
+fi
+
+# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
+# snap versions regardless of phasing status
+
+# this is the normal prepare-image invocation.  This is not used right now as
+# the model in question is the "dangerous" model so that we can override the
+# channel of pc-kernel and others to get a matching set of snaps.
+#   env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+#       --classic $model $channel chroot
+# FIXME - go back to the stable model and remove all the `--snap` overrides
+env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+    --classic $model $channel \
+    --snap=pc=classic-25.10/stable \
+    --snap=pc-kernel=25.10/candidate \
+    --snap=firmware-updater=1/stable/ubuntu-25.10 \
+    --snap=desktop-security-center=1/stable/ubuntu-25.10 \
+    --snap=prompting-client=1/stable/ubuntu-25.10 \
+    --snap=snap-store=2/stable/ubuntu-25.10 \
+    --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
+    --snap=firefox=latest/stable/ubuntu-25.10 \
+    --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
+    --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
+    chroot
+
+mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
+rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
+rm -rf chroot/system-seed/

live-build/ubuntu/includes.chroot.minimal.standard.live/etc/polkit-1/rules.d/10-allow-installer-wait-on-snap.rules

@@ -0,0 +1,13 @@
+// -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*-
+//
+// THIS FILE IS ONLY AVAILABLE ON THE LIVE SYSTEM
+//
+// Allow the ubuntu-desktop-installer to request snap seeding state
+// used before starting.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "io.snapcraft.snapd.manage-configuration") {
+            return polkit.Result.YES;
+    }
+});
+

live-build/ubuntu/includes.chroot.minimal.standard.live/usr/lib/systemd/user/ubuntu-desktop-installer.service

@@ -4,14 +4,14 @@
 Description=Ubuntu Desktop Installer
 PartOf=graphical-session.target
 After=graphical-session.target
-# Make sure that the system was seeded to access the snap
-After=snapd.seeded.service
 
 # Never run in GDM
 Conflicts=gnome-session@gnome-login.target
 
 [Service]
 Type=oneshot
+# Make sure that the system was seeded to access the snap
+ExecStartPre=/usr/bin/snap wait system seed.loaded
 ExecStart=/snap/bin/ubuntu-desktop-bootstrap --try-or-install
 ExecStopPost=sh -c "gsettings set org.gnome.shell.extensions.dash-to-dock dock-fixed true; gsettings set org.gnome.shell.extensions.dash-to-dock intellihide true; gnome-extensions enable ding@rastersoft.com"
 Restart=no