releasing package livecd-rootfs version 26.04.33

https://code.launchpad.net/~mstepan/livecd-rootfs/+git/livecd-rootfs/+merge/503828

README.local

@@ -0,0 +1,106 @@
+# Running livecd-rootfs builds locally
+
+`livecd-rootfs` is notoriously known to be... difficult?
+One question that often comes back is "how do I run that locally?".
+Brace yourself, here is a short guide to help you through this.
+
+## Where to run?
+
+While you could do that directly on your host machine, likely your development
+laptop, that would mean installing all the needed dependencies, and running
+livecd-rootfs as root (because of some `mount` steps, `chroot`, etc...).
+Not ideal.
+What you more likely want, and is documented here, is to run that in a LXD VM
+instead.
+
+## Prerequisites
+
+You need to have LXD installed and configured: https://canonical.com/lxd/install
+A clone of this repository, that will be used directly in the VM so that
+you can iterate and test changes easily before submitting them:
+```
+git clone https://git.launchpad.net/livecd-rootfs
+```
+
+## Build images
+
+All the magic is done by the `./live-build/build-livefs-lxd` script. It will
+basically perform the following actions for you:
+  * Launch (or re-start) a LXD VM on the `series` you're targetting.
+  * Install in there `livecd-rootfs` from the archive, to make sure all
+    dependencies are here and ready to use.
+  * Mount the `livecd-rootfs` sources in `/srv/livecd-rootfs`.
+  * Run `./live-build/build-livefs` with all the additional arguments you give.
+    That's what will build the ISO for you, take a lot of time, and bring your
+    machine down.
+
+Depending on what you want to work on, the iteration time can be quite long.
+Fortunately `livecd-rootfs` provides many different projects to work with,
+providing various experiences in terms of load, space, bandwidth and running
+time.
+
+Very fast and lightweight "fake" ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-test-iso
+```
+
+Ubuntu Desktop, the main flagship, and probably most complex ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu
+```
+
+Ubuntu Server Live, lighter ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-server --subproject live
+```
+
+Xubuntu Minimal, lighter desktop ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project xubuntu --subproject minimal
+```
+
+## Fetching the image
+
+Obviously, the image has been built inside the LXD VM, so you then need to extract it. Examples:
+```
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-test-iso.iso my_ubuntu-test-iso.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu.iso my_ubuntu.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-server.iso my_ubuntu-server.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.xubuntu.iso my_xubuntu.iso
+```
+
+The fetched ISO should normally boot and work just fine. For example with QEMU:
+```
+❯ kvm -m 3G -smp 2 -cdrom ./my_xubuntu.iso
+```
+
+## Clean up
+
+This will leave you with a running VM eating some precious 8GB from your host.
+You can stop and/or delete that VM with these:
+```
+❯ lxc stop livefs-builder-resolute
+❯ lxc delete livefs-builder-resolute
+```
+
+## Speeding things up with `apt-cacher-ng`
+
+All the previous steps work just fine, but when iterating, it's often very
+useful to cache all the package downloads, which can speed things up a lot,
+particularly if you don't live in one of Canonical's datacenters.
+
+Basically, on your host:
+```
+❯ sudo apt install apt-cacher-ng
+❯ cat ~/.config/livecd-rootfs/build-livefs.conf
+[defaults]
+mirror =  http://192.168.0.42:3142/archive.ubuntu.com/ubuntu
+```
+
+`~/.config/livecd-rootfs/build-livefs.conf` is indeed stored on your host, but
+will be copied automatically at the right place if it exists.
+
+There, `192.168.0.42` is your local network IP, reachable from the LXD VM, on
+which `apt-cacher-ng` is listening.
+Other `apt` caching solutions might be working, but are untested.
+

debian/changelog

@@ -1,3 +1,119 @@
+livecd-rootfs (26.04.33) resolute; urgency=medium
+
+  [ Matthew Stepan ]
+  * Hyper-V: Migrate .pkla files to .rules files following the removal of the
+    polkit-pkla package from the archive.
+  * Hyper-V: Add dracut `hostonly=no` config to fix image boot hanging while 
+    trying to find the rootfs.
+  * Hyper-V: Fix sed to correctly set GDM `InitialSetupEnable=false`.
+
+  [ Michael Hudson-Doyle ]
+  * Do not run 03-initramfs-enforcement.chroot for kubuntu, which is not a
+    layered build.
+
+  [ Denis Lalaj ]
+  * feat(buildd): Set dracut as the default initrd generator
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Fri, 17 Apr 2026 12:22:45 +0200
+
+livecd-rootfs (26.04.32) resolute; urgency=medium
+
+  [ Alfonso Sanchez-Beato ]
+  * Add support for building Ubuntu Core 26 images.
+
+  [ Valentin Haudiquet ]
+  * Make sure kernel is 'vmlinux' on riscv64, and not 'vmlinuz'
+
+  [ Michael Hudson-Doyle & Simon Poirier ]
+  * Add a hook 03-initramfs-enforcement.chroot to many ISO builds to ensure
+    that the live layer gets an initramfs built with casper and
+    initramfs-tools. (LP: #2146567)
+
+  [ Aaron Rainbolt ]
+  * Disable Apparmor restrictions in the live environment for Kubuntu and
+    Ubuntu Unity. (LP: #2146196, #2146369)
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 16 Apr 2026 09:23:08 +1200
+
+livecd-rootfs (26.04.31) resolute; urgency=medium
+
+  [ Ryan Hill ]
+  * Add additional 7.0 kernel apparmor features for
+    successful image preseeding. 
+
+ -- Chloé 'kajiya' Smith <chloe.smith@canonical.com>  Mon, 13 Apr 2026 15:45:19 +0100
+
+livecd-rootfs (26.04.30) resolute; urgency=medium
+
+  [ Florent 'Skia' Jacquet]
+  * Pick a better manifest by using the live pass for layered images (LP: #2147921)
+
+  [ Dan Bungert ]
+  * Exclude boot/grub/i386-pc/eltorito.img from md5sum.txt, as it is expected
+    to change in xorriso output.  (LP: #2147162)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Mon, 13 Apr 2026 15:16:01 +0200
+
+livecd-rootfs (26.04.29) resolute; urgency=medium
+
+  * Make sure to produce a manifest for all images (LP: #2147522)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Wed, 08 Apr 2026 16:12:59 +0200
+
+livecd-rootfs (26.04.28) resolute; urgency=medium
+
+  * Switch arm64 mirror from ports to archive. (LP: #2147101)
+
+ -- Utkarsh Gupta <utkarsh@ubuntu.com>  Thu, 02 Apr 2026 18:34:10 +0530
+
+livecd-rootfs (26.04.27) resolute; urgency=medium
+
+  [ Michael Hudson-Doyle ]
+  * Only publish the ISOs, not the other bits, now that we are publishing the
+    ISOs on cdimage.
+  * Fix mini iso to not contain a pool or squashfs.
+
+  [ Ryan Hill ]
+  * add 7.0 kernel apparmor features preseeds
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 02 Apr 2026 15:59:29 +1300
+
+livecd-rootfs (26.04.26) resolute; urgency=medium
+
+  * Ensure snapd tracks stable and not edge anymore.
+    We did remove it from multiple places, but this one was left and as a
+    consequence, the latest iso was still having snapd edge.
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 27 Mar 2026 15:31:21 +0100
+
+livecd-rootfs (26.04.25) resolute; urgency=medium
+
+  * bake LIVECD_ROOTFS_ROOT into config/functions, fixing some build failures
+    (for at least ubuntu and some ubuntu-cpc configurations).
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Fri, 20 Mar 2026 06:47:44 +1300
+
+livecd-rootfs (26.04.24) resolute; urgency=medium
+
+  [ Allen Abraham ]
+  * Added a hook to produce a working minimal Ubuntu image using imagecraft
+
+  [ Michael Hudson-Doyle ]
+  * Various quality of life improvements for hacking on livecd-rootfs:
+    - Add a "ubuntu-test-iso" project that builds a not very useful ISO in 2-5 minutes.
+    - Add a build-livefs script that takes care of copying the auto scripts and
+      invoking lb clean/config/build with the right environment.
+    - Add a build-livefs-lxd script to run the above script in a lxd vm.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Mon, 16 Mar 2026 11:05:13 +1300
+
+livecd-rootfs (26.04.23) resolute; urgency=medium
+
+  [ Tobias Heider ]
+  * Fix ISO builds when KERNEL_FLAVOUR != generic.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Mon, 02 Mar 2026 10:51:47 +1300
+
 livecd-rootfs (26.04.22) resolute; urgency=medium
 
   [ Oliver Gayot ]

debian/livecd-rootfs.links

@@ -0,0 +1 @@
+usr/share/livecd-rootfs/live-build/build-livefs usr/bin/build-livefs

live-build/apparmor/7.0/capability

@@ -0,0 +1 @@
+0xffffff

live-build/apparmor/7.0/caps/extended

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/caps/mask

@@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore

live-build/apparmor/7.0/dbus/mask

@@ -0,0 +1 @@
+acquire send receive

live-build/apparmor/7.0/domain/attach_conditions/xattr

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/change_hat

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/change_hatv

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/change_onexec

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/computed_longest_left

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/disconnected.ipc

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/disconnected.path

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/fix_binfmt_elf_mmap

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/interruptible

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/kill.signal

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/post_nnp_subset

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/stack

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/unconfined_allowed_children

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/domain/version

@@ -0,0 +1 @@
+1.2

live-build/apparmor/7.0/file/mask

@@ -0,0 +1 @@
+create read write exec append mmap_exec link lock

live-build/apparmor/7.0/io_uring/mask

@@ -0,0 +1 @@
+sqpoll override_creds

live-build/apparmor/7.0/ipc/posix_mqueue

@@ -0,0 +1 @@
+create read write open delete setattr getattr label

live-build/apparmor/7.0/mount/mask

@@ -0,0 +1 @@
+mount umount pivot_root

live-build/apparmor/7.0/mount/move_mount

@@ -0,0 +1 @@
+detached

live-build/apparmor/7.0/namespaces/mask

@@ -0,0 +1 @@
+userns_create

live-build/apparmor/7.0/namespaces/pivot_root

@@ -0,0 +1 @@
+no

live-build/apparmor/7.0/namespaces/profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/namespaces/userns_create

@@ -0,0 +1 @@
+pciu&

live-build/apparmor/7.0/network/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp

live-build/apparmor/7.0/network/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/network_v8/af_inet

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/network_v8/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp

live-build/apparmor/7.0/network_v9/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp

live-build/apparmor/7.0/network_v9/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/network_v9_skb/af_mask

@@ -0,0 +1 @@
+inet inet6

live-build/apparmor/7.0/network_v9_skb/iface

@@ -0,0 +1 @@
+receive connect, secmark_postroute

live-build/apparmor/7.0/network_v9_skb/localout

@@ -0,0 +1 @@
+secmark_set

live-build/apparmor/7.0/network_v9_skb/postroute

@@ -0,0 +1 @@
+secmark_send

live-build/apparmor/7.0/network_v9_skb/rcv_skb

@@ -0,0 +1 @@
+secmark_receive

live-build/apparmor/7.0/network_v9_skb/relabel

@@ -0,0 +1 @@
+setcred

live-build/apparmor/7.0/policy/metadata_tagging_version

@@ -0,0 +1 @@
+0x000001

live-build/apparmor/7.0/policy/notify/user

@@ -0,0 +1 @@
+file tags

live-build/apparmor/7.0/policy/notify_versions/v3

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/notify_versions/v5

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/outofband

@@ -0,0 +1 @@
+0x000001

live-build/apparmor/7.0/policy/permstable32

@@ -0,0 +1 @@
+allow deny subtree cond kill complain prompt audit quiet hide xindex tag label

live-build/apparmor/7.0/policy/permstable32_version

@@ -0,0 +1 @@
+0x000003

live-build/apparmor/7.0/policy/set_load

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/state32

@@ -0,0 +1 @@
+0x000001

live-build/apparmor/7.0/policy/unconfined_restrictions/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/unconfined_restrictions/io_uring

@@ -0,0 +1 @@
+1

live-build/apparmor/7.0/policy/unconfined_restrictions/userns

@@ -0,0 +1 @@
+1

live-build/apparmor/7.0/policy/versions/v5

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/versions/v6

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/versions/v7

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/versions/v8

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/policy/versions/v9

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/ptrace/mask

@@ -0,0 +1 @@
+read trace

live-build/apparmor/7.0/query/label/data

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/query/label/multi_transaction

@@ -0,0 +1 @@
+yes

live-build/apparmor/7.0/query/label/perms

@@ -0,0 +1 @@
+allow deny audit quiet

live-build/apparmor/7.0/rlimit/mask

@@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

live-build/apparmor/7.0/signal/mask

@@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost

live-build/auto/build

@@ -375,7 +375,7 @@ EOF
 		(cd chroot && find usr/share/doc -maxdepth 1 -type d | xargs du -s | sort -nr)
 		echo END docdirs
 
-		/usr/share/livecd-rootfs/minimize-manual chroot
+		${LIVECD_ROOTFS_ROOT}/minimize-manual chroot
 
 		clean_debian_chroot
 	fi
@@ -424,62 +424,54 @@ case $LB_INITRAMFS in
 		;;
 esac
 
-for OUTPUT in ext2 ext3 ext4 manifest manifest-remove size squashfs; do
+# For MAKE_ISO=yes builds, most artifacts (squashfs, kernel, initrd) are
+# placed directly into the ISO tree by lb_binary_layered and binary hooks.
+# Only create livecd.* intermediate artifacts for non-ISO builds; the manifest
+# is created unconditionally below.
+if [ "${MAKE_ISO}" != "yes" ]; then
+	for OUTPUT in ext2 ext3 ext4 manifest-remove size squashfs; do
 		[ -e "binary/$INITFS/filesystem.$OUTPUT" ] || continue
 		ln "binary/$INITFS/filesystem.$OUTPUT" "$PREFIX.$OUTPUT"
 		chmod 644 "$PREFIX.$OUTPUT"
-done
+	done
 
-# we don't need a manifest-remove for a layered-aware installer
-# here we have a list of all new-installer flavors
-case $PROJECT in
+	# we don't need a manifest-remove for a layered-aware installer
+	# here we have a list of all new-installer flavors
+	case $PROJECT in
 		ubuntu|ubuntu-budgie|lubuntu)
 			rm -f livecd.${PROJECT}-manifest-remove
 			rm -f config/manifest-minimal-remove
 			;;
-esac
+	esac
 
-if [ -e config/manifest-minimal-remove ]; then
+	if [ -e config/manifest-minimal-remove ]; then
 		cp config/manifest-minimal-remove  "$PREFIX.manifest-minimal-remove"
-fi
+	fi
 
-if [ -e "binary/$INITFS/filesystem.dir" ]; then
+	if [ -e "binary/$INITFS/filesystem.dir" ]; then
 		(cd "binary/$INITFS/filesystem.dir/" && tar -c --sort=name --xattrs *) | \
 			gzip -9 --rsyncable > "$PREFIX.rootfs.tar.gz"
 		chmod 644 "$PREFIX.rootfs.tar.gz"
-elif [ -e binary-tar.tar.gz ]; then
+	elif [ -e binary-tar.tar.gz ]; then
 		cp -a binary-tar.tar.gz "$PREFIX.rootfs.tar.gz"
-fi
+	fi
 
-# '--initramfs none' produces different manifest names.
-if [ -e "binary/$INITFS/filesystem.packages" ]; then
-	ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
-	chmod 644 "$PREFIX.manifest"
-fi
-
-# If a .filelist is present, use it as the filelist for the image by
-# symlinking with expected name and updating permissions
-if [ -e "binary/$INITFS/filesystem.filelist" ]; then
+	# If a .filelist is present, use it as the filelist for the image by
+	# symlinking with expected name and updating permissions
+	if [ -e "binary/$INITFS/filesystem.filelist" ]; then
 		ln "binary/$INITFS/filesystem.filelist" "$PREFIX.filelist"
 		chmod 644 "$PREFIX.filelist"
-fi
+	fi
 
-if [ -e "binary/$INITFS/filesystem.packages-remove" ]; then
+	if [ -e "binary/$INITFS/filesystem.packages-remove" ]; then
 		# Not a typo, empty manifest-remove has a single LF in it. :/
 		if [ $(cat binary/$INITFS/filesystem.packages-remove | wc -c) -gt 1 ]; then
 			ln "binary/$INITFS/filesystem.packages-remove" "$PREFIX.manifest-remove"
 			chmod 644 "$PREFIX.manifest-remove"
 		fi
-fi
+	fi
 
-# Since snaps are now Ubuntu first-class citizen, so always try fetching the
-# list of seeded snaps into the manifest.  In case of layered images we skip
-# this step, as we assume they're doing it on their own at some earlier stage.
-if [ -z "$PASSES" ] && [ -e "$PREFIX.manifest" ]; then
-	./config/snap-seed-parse "chroot/" "$PREFIX.manifest"
-fi
-
-for FLAVOUR in $LB_LINUX_FLAVOURS; do
+	for FLAVOUR in $LB_LINUX_FLAVOURS; do
 		if [ -z "$LB_LINUX_FLAVOURS" ] || [ "$LB_LINUX_FLAVOURS" = "none" ]; then
 			continue
 		fi
@@ -527,10 +519,10 @@ for FLAVOUR in $LB_LINUX_FLAVOURS; do
 			ln "binary/$INITFS/initrd.img-$KVERS" "$PREFIX.initrd-$FLAVOUR"
 			chmod 644 "$PREFIX.initrd-$FLAVOUR"
 		fi
-done
+	done
 
-NUMFLAVOURS="$(set -- $LB_LINUX_FLAVOURS; echo $#)"
-if [ "$NUMFLAVOURS" = 1 ] && [ "$LB_LINUX_FLAVOURS" != "none" ]; then
+	NUMFLAVOURS="$(set -- $LB_LINUX_FLAVOURS; echo $#)"
+	if [ "$NUMFLAVOURS" = 1 ] && [ "$LB_LINUX_FLAVOURS" != "none" ]; then
 		# only one kernel flavour
 		if [ -f "binary/$INITFS/vmlinuz" ] && ! [ -h "binary/$INITFS/vmlinuz" ]; then
 			ln "binary/$INITFS/vmlinuz" "$PREFIX.kernel"
@@ -544,9 +536,9 @@ if [ "$NUMFLAVOURS" = 1 ] && [ "$LB_LINUX_FLAVOURS" != "none" ]; then
 		else
 			ln -sf "$PREFIX.initrd-$LB_LINUX_FLAVOURS" "$PREFIX.initrd"
 		fi
-fi
+	fi
 
-case $SUBARCH in
+	case $SUBARCH in
 		raspi)
 			# copy the kernel and initrd to a predictable directory for
 			# ubuntu-image consumption.  In some cases, like in pi2/3
@@ -561,7 +553,28 @@ case $SUBARCH in
 			cp $PREFIX.initrd $UBOOT_BOOT/initrd.img || true
 			cp $PREFIX.kernel $UBOOT_BOOT/vmlinuz || true
 			;;
-esac
+	esac
+fi
+
+# Create manifest unconditionally (needed for both ISO and non-ISO builds).
+if [ -e "binary/$INITFS/filesystem.manifest" ]; then
+	ln "binary/$INITFS/filesystem.manifest" "$PREFIX.manifest"
+elif [ -e "binary/$INITFS/filesystem.packages" ]; then
+	# '--initramfs none' produces different manifest names.
+	ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
+elif [ -n "$LIVE_PASSES" ]; then
+	# For layered images, keep the manifest of the last (only?) live pass
+	for _PASS in $LIVE_PASSES; do
+		ln -f "${CASPER_DIR}/$_PASS.manifest.full" "$PREFIX.manifest"
+	done
+fi
+chmod 644 "$PREFIX.manifest"
+# Since snaps are now Ubuntu first-class citizen, so always try fetching the
+# list of seeded snaps into the manifest.  In case of layered images we skip
+# this step, as we assume they're doing it on their own at some earlier stage.
+if [ -z "$PASSES" ] && [ -e "$PREFIX.manifest" ]; then
+	./config/snap-seed-parse "chroot/" "$PREFIX.manifest"
+fi
 
 case $PROJECT in
     ubuntu-cpc)
@@ -569,25 +582,19 @@ case $PROJECT in
 esac
 
 if [ "${MAKE_ISO}" = "yes" ]; then
-	# Link build artifacts with "for-iso." prefix for isobuild to consume.
-	# Layered builds create squashfs via lb_binary_layered (which already
-	# creates for-iso.*.squashfs files). Single-pass builds only have
-	# ${PREFIX}.squashfs, which does not contain cdrom.sources, so we
-	# create a for-iso.filesystem.squashfs that does.
-	if [ -z "$PASSES" ]; then
+	# For non-layered builds, create squashfs with cdrom.sources directly
+	# in casper/. Layered builds already handle this in lb_binary_layered.
+	if [ -z "$PASSES" ] && [ "$PROJECT" != "ubuntu-mini-iso" ]; then
+		if [ -n "${POOL_SEED_NAME}" ]; then
 			isobuild generate-sources --mountpoint=/cdrom > chroot/etc/apt/sources.list.d/cdrom.sources
-		create_squashfs chroot ${PWD}/for-iso.filesystem.squashfs
-	fi
-	# Link kernel and initrd files. The ${thing#${PREFIX}} expansion strips
-	# the PREFIX, so "livecd.ubuntu-server.kernel-generic" becomes
-	# "for-iso.kernel-generic".
-	for thing in ${PREFIX}.kernel-* ${PREFIX}.initrd-*; do
-		for_iso_path=for-iso${thing#${PREFIX}}
-		if [ ! -f $for_iso_path ]; then
-			ln -v $thing $for_iso_path
 		fi
+		create_squashfs chroot ${PWD}/${CASPER_DIR}/filesystem.squashfs
+		rm chroot/etc/apt/sources.list.d/cdrom.sources
+		for flavor in $LB_LINUX_FLAVOURS; do
+			iso_install_kernel "$flavor" binary/${INITFS}/vmlinu?-* binary/${INITFS}/initrd.img-*
 		done
-	isobuild add-live-filesystem --artifact-prefix for-iso.
+	fi
+	isobuild extract-casper-uuids
 	isobuild make-bootable --project "${PROJECT}" --capproject "$(cat config/iso-ids/capproject)" \
 		${SUBARCH:+--subarch "${SUBARCH}"}
 	isobuild make-iso --volid "$(cat config/iso-ids/vol-id)" --dest ${PREFIX}.iso

live-build/auto/config

@@ -1,6 +1,8 @@
 #!/bin/bash
 set -e
 
+LIVECD_ROOTFS_ROOT=${LIVECD_ROOTFS_ROOT:-/usr/share/livecd-rootfs}
+
 case $ARCH:$SUBARCH in
 	amd64:|amd64:generic|amd64:intel-iot|\
 	arm64:|arm64:generic|arm64:raspi|arm64:snapdragon|arm64:nvidia|\
@@ -39,7 +41,7 @@ if [ -z "$MIRROR" ]; then
 			;;
 		*)
 			case $ARCH in
-				i386|amd64)	MIRROR=http://archive.ubuntu.com/ubuntu/ ;;
+				i386|amd64|arm64)	MIRROR=http://archive.ubuntu.com/ubuntu/ ;;
 				*)			MIRROR=http://ports.ubuntu.com/ubuntu-ports/ ;;
 			esac
 			;;
@@ -47,12 +49,14 @@ if [ -z "$MIRROR" ]; then
 fi
 
 mkdir -p config
-cp -af /usr/share/livecd-rootfs/live-build/functions config/functions
-cp -af /usr/share/livecd-rootfs/live-build/lb_*_layered config/
-cp -af /usr/share/livecd-rootfs/live-build/snap-seed-parse.py config/snap-seed-parse
-cp -af /usr/share/livecd-rootfs/live-build/snap-seed-missing-providers.py config/snap-seed-missing-providers
-cp -af /usr/share/livecd-rootfs/live-build/expand-task config/expand-task
-cp -af /usr/share/livecd-rootfs/live-build/squashfs-exclude-files config/
+echo "LIVECD_ROOTFS_ROOT=\"$LIVECD_ROOTFS_ROOT\"" > config/functions
+chmod --reference=${LIVECD_ROOTFS_ROOT}/live-build/functions config/functions
+cat ${LIVECD_ROOTFS_ROOT}/live-build/functions >> config/functions
+cp -af ${LIVECD_ROOTFS_ROOT}/live-build/lb_*_layered config/
+cp -af ${LIVECD_ROOTFS_ROOT}/live-build/snap-seed-parse.py config/snap-seed-parse
+cp -af ${LIVECD_ROOTFS_ROOT}/live-build/snap-seed-missing-providers.py config/snap-seed-missing-providers
+cp -af ${LIVECD_ROOTFS_ROOT}/live-build/expand-task config/expand-task
+cp -af ${LIVECD_ROOTFS_ROOT}/live-build/squashfs-exclude-files config/
 
 mkdir -p config/package-lists
 
@@ -390,7 +394,7 @@ if [ -z "${IMAGEFORMAT:-}" ]; then
 					;;
 			esac
 			;;
-		ubuntu-server:live|ubuntu-mini-iso:|ubuntu-core-installer:*)
+		ubuntu-server:live|ubuntu-mini-iso:|ubuntu-test-iso:|ubuntu-core-installer:*)
 			IMAGEFORMAT=plain
 			;;
 	esac
@@ -426,7 +430,7 @@ case $IMAGEFORMAT in
 			ubuntu-server:live|ubuntu-core-installer:*)
 				touch config/universe-enabled
 				;;
-			ubuntu-mini-iso:)
+			ubuntu-mini-iso:|ubuntu-test-iso:)
 				fs=none
 				;;
 			*)
@@ -487,31 +491,23 @@ case $IMAGEFORMAT in
 				*) ;;
 			esac
 
-			# Ubuntu Core 24
+			# Ubuntu Core 26
 			# For now we stick to updating this by hand, but a more tasteful solution
 			# will follow
-			CORE_MAJOR=24
+			CORE_MAJOR=26
 
-			# Currently uc24 assertions do not support global channel overrides,
-			# instead we have per-channel models
+			# For UC26+ we build only images using stable channels,
+			# for either signed or dangerous grade.
 			case $CHANNEL in
 				stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}"
 					;;
-				candidate|beta|edge|dangerous)
-					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-${CHANNEL}"
-					;;
-				dangerous-*)
-					# That being said, the dangerous grade *does*
-					# support channel overrides, so we can use the
-					# dangerous model assertion and override the channel
-					# freely.
+				dangerous-stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-dangerous"
 					CHANNEL=${CHANNEL#dangerous-}
-					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
+					echo "Unsupported CHANNEL ${CHANNEL} specification for ${SUITE}"
 					exit 1
 					;;
 			esac
@@ -521,7 +517,7 @@ case $IMAGEFORMAT in
 					EXTRA_SNAPS="$EXTRA_SNAPS core bluez alsa-utils"
 					;;
 				*)
-					# For all Ubuntu Core 24 reference images, add console-conf
+					# For all Ubuntu Core reference images, add console-conf
 					EXTRA_SNAPS="$EXTRA_SNAPS console-conf"
 					;;
 			esac
@@ -636,7 +632,7 @@ case $PROJECT in
 esac
 
 case $PROJECT in
-	ubuntu-mini-iso)
+	ubuntu-mini-iso|ubuntu-test-iso)
 		COMPONENTS='main'
 		;;
 	edubuntu|ubuntu-budgie|ubuntucinnamon|ubuntukylin)
@@ -653,7 +649,14 @@ case $SUBPROJECT in
 		;;
 esac
 
-if ! [ -e config/germinate-output/structure ]; then
+case $PROJECT in
+	ubuntu-test-iso)
+		# ubuntu-test-iso uses only add_package (not add_task) and has no
+		# pool, so germinate output is never needed.
+		touch config/germinate-output/structure
+		;;
+	*)
+		if ! [ -e config/germinate-output/structure ]; then
 			echo "Running germinate..."
 			if [ -n "$COMPONENTS" ]; then
 				GERMINATE_ARG="-c $(echo $COMPONENTS | sed -e's/ \+/,/g')"
@@ -661,7 +664,9 @@ if ! [ -e config/germinate-output/structure ]; then
 			(cd config/germinate-output && germinate --no-rdepends --no-installer \
 				-S $SEEDMIRROR -m $MIRROR -d $SUITE,$SUITE-updates \
 				-s $FLAVOUR.$SUITE $GERMINATE_ARG -a ${ARCH_VARIANT:-$ARCH})
-fi
+		fi
+		;;
+esac
 
 # ISO build configuration. These defaults are overridden per-project below.
 #
@@ -674,6 +679,9 @@ MAKE_ISO=no
 # - "server-ship-live" for Ubuntu Server (includes server-specific packages)
 # - "" (empty) for images without a pool, like Ubuntu Core Installer
 POOL_SEED_NAME=ship-live
+# SQUASHFS_COMP: compression algorithm for squashfs images. lz4 is ~10x
+# faster than xz and useful for test builds that don't need small images.
+SQUASHFS_COMP=xz
 
 # Common functionality for layered desktop images
 common_layered_desktop_image() {
@@ -804,7 +812,7 @@ do_layered_desktop_image() {
 	DEFAULT_KERNEL="linux-$KERNEL_FLAVOURS"
 
 	if [ "$LOCALE_SUPPORT" != none ]; then
-		/usr/share/livecd-rootfs/checkout-translations-branch \
+		${LIVECD_ROOTFS_ROOT}/checkout-translations-branch \
 			https://git.launchpad.net/subiquity po \
 			config/catalog-translations
 	fi
@@ -1124,7 +1132,7 @@ case $PROJECT in
 				NO_SQUASHFS_PASSES=ubuntu-server-minimal.ubuntu-server.installer.$flavor.netboot
 
 				DEFAULT_KERNEL="$kernel_metapkg"
-				/usr/share/livecd-rootfs/checkout-translations-branch \
+				${LIVECD_ROOTFS_ROOT}/checkout-translations-branch \
 					https://git.launchpad.net/subiquity po config/catalog-translations
 				;;
 			*)
@@ -1142,7 +1150,7 @@ case $PROJECT in
 	    # created in ubuntu-core-installer/hooks/05-prepare-image.binary, which
 	    # subiquity knows how to install.
 	    if [ ${SUBPROJECT} == "desktop" ]; then
-		cp /usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-core-desktop-24-amd64.model-assertion config/
+		cp ${LIVECD_ROOTFS_ROOT}/live-build/${PROJECT}/ubuntu-core-desktop-24-amd64.model-assertion config/
 	    fi
 	    OPTS="${OPTS:+$OPTS }--bootstrap-flavour=minimal"
 	    PASSES_TO_LAYERS=true
@@ -1156,7 +1164,7 @@ case $PROJECT in
 	    USE_BRIDGE_KERNEL=false
 	    DEFAULT_KERNEL="snap:pc-kernel"
 
-	    /usr/share/livecd-rootfs/checkout-translations-branch \
+	    ${LIVECD_ROOTFS_ROOT}/checkout-translations-branch \
 		https://git.launchpad.net/subiquity po config/catalog-translations
 	    ;;
 
@@ -1167,6 +1175,7 @@ case $PROJECT in
 		KERNEL_FLAVOURS=none
 		BINARY_REMOVE_LINUX=false
 		MAKE_ISO=yes
+		POOL_SEED_NAME=
 
 		add_package install mini-iso-tools linux-generic
 		case $ARCH in
@@ -1179,6 +1188,22 @@ case $PROJECT in
 		esac
 		;;
 
+	ubuntu-test-iso)
+		OPTS="${OPTS:+$OPTS }--bootstrap-flavour=minimal"
+		KERNEL_FLAVOURS=virtual
+		BINARY_REMOVE_LINUX=false
+		MAKE_ISO=yes
+		POOL_SEED_NAME=
+		SQUASHFS_COMP=lz4
+		PASSES_TO_LAYERS=true
+		add_package base linux-$KERNEL_FLAVOURS
+		add_package base.live casper
+		case $ARCH in
+			amd64) ;;
+			*) echo "ubuntu-test-iso only supports amd64"; exit 1 ;;
+		esac
+		;;
+
 	ubuntu-base|ubuntu-oci)
 		OPTS="${OPTS:+$OPTS }--bootstrap-flavour=minimal"
 		;;
@@ -1278,7 +1303,7 @@ case $SUBPROJECT in
 		# and a variety of things fail without it.
 		add_package install tzdata
 
-		cp -af /usr/share/livecd-rootfs/live-build/make-lxd-metadata.py config/make-lxd-metadata
+		cp -af ${LIVECD_ROOTFS_ROOT}/live-build/make-lxd-metadata.py config/make-lxd-metadata
 		;;
 esac
 
@@ -1403,11 +1428,13 @@ echo "LB_CHROOT_HOOKS=\"$CHROOT_HOOKS\"" >> config/chroot
 echo "SUBPROJECT=\"${SUBPROJECT:-}\"" >> config/chroot
 echo "LB_DISTRIBUTION=\"$SUITE\"" >> config/chroot
 echo "IMAGEFORMAT=\"$IMAGEFORMAT\"" >> config/chroot
+echo "LIVECD_ROOTFS_ROOT=\"$LIVECD_ROOTFS_ROOT\"" >> config/common
 if [ -n "$PASSES" ]; then
 	echo "PASSES=\"$PASSES\"" >> config/common
 fi
 echo "MAKE_ISO=\"$MAKE_ISO\"" >> config/common
 echo "POOL_SEED_NAME=\"$POOL_SEED_NAME\"" >> config/common
+echo "SQUASHFS_COMP=\"$SQUASHFS_COMP\"" >> config/common
 if [ -n "$NO_SQUASHFS_PASSES" ]; then
     echo "NO_SQUASHFS_PASSES=\"$NO_SQUASHFS_PASSES\"" >> config/common
 fi
@@ -1443,7 +1470,7 @@ rm -fv /etc/ssl/private/ssl-cert-snakeoil.key \
 EOF
 
 case $PROJECT in
-  ubuntu-cpc|ubuntu-core|ubuntu-base|ubuntu-oci|ubuntu-wsl|ubuntu-mini-iso)
+  ubuntu-cpc|ubuntu-core|ubuntu-base|ubuntu-oci|ubuntu-wsl|ubuntu-mini-iso|ubuntu-test-iso)
     # ubuntu-cpc gets this added in 025-create-groups.chroot, and we do
     # not want this group in projects that are effectively just chroots
     ;;
@@ -1531,11 +1558,12 @@ fi
 
 case $PROJECT:${SUBPROJECT:-} in
 	ubuntu-cpc:*|ubuntu-server:live|ubuntu:desktop-preinstalled| \
-		ubuntu-wsl:*|ubuntu-mini-iso:*|ubuntu:|ubuntu:dangerous|ubuntu-oem:*| \
+		ubuntu-wsl:*|ubuntu-mini-iso:*|ubuntu-test-iso:*|ubuntu:|ubuntu:dangerous|ubuntu-oem:*| \
 		ubuntustudio:*|edubuntu:*|ubuntu-budgie:*|ubuntucinnamon:*|xubuntu:*| \
-	        ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*)
+		ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*|kubuntu:*| \
+		ubuntu-unity:*)
 		# Ensure that most things e.g. includes.chroot are copied as is
-		for entry in /usr/share/livecd-rootfs/live-build/${PROJECT}/*; do
+		for entry in ${LIVECD_ROOTFS_ROOT}/live-build/${PROJECT}/*; do
 			case $entry in
 				*hooks*)
 					# But hooks are shared across the projects with symlinks
@@ -1570,11 +1598,11 @@ esac
 case $PROJECT in
 	ubuntu-oem|ubuntustudio|edubuntu|ubuntu-budgie|ubuntucinnamon| \
 	xubuntu|ubuntukylin|ubuntu-mate|lubuntu)
-		cp -af /usr/share/livecd-rootfs/live-build/ubuntu/includes.chroot \
+		cp -af ${LIVECD_ROOTFS_ROOT}/live-build/ubuntu/includes.chroot \
 			config/includes.chroot
 
 		LIVE_LAYER=${LIVE_PREFIX}live
-		cp -af /usr/share/livecd-rootfs/live-build/ubuntu/includes.chroot.minimal.standard.live \
+		cp -af ${LIVECD_ROOTFS_ROOT}/live-build/ubuntu/includes.chroot.minimal.standard.live \
 			config/includes.chroot.$LIVE_LAYER
 
 		if [ $PROJECT != ubuntu-oem ]; then
@@ -1590,7 +1618,7 @@ esac
 
 case $SUBPROJECT in
 	buildd)
-		cp -af /usr/share/livecd-rootfs/live-build/buildd/* config/
+		cp -af ${LIVECD_ROOTFS_ROOT}/live-build/buildd/* config/
 		;;
 esac
 
@@ -1614,7 +1642,7 @@ if [ "$EXTRA_PPAS" ]; then
 			extra_ppa=${extra_ppa%:*}
 			;;
 		esac
-		extra_ppa_fingerprint="$(/usr/share/livecd-rootfs/get-ppa-fingerprint "$extra_ppa")"
+		extra_ppa_fingerprint="$(${LIVECD_ROOTFS_ROOT}/get-ppa-fingerprint "$extra_ppa")"
 
 		cat >> config/archives/extra-ppas.list.chroot <<EOF
 deb https://ppa.launchpadcontent.net/$extra_ppa/ubuntu @DISTRIBUTION@ main
@@ -1704,8 +1732,19 @@ fi
 
 if [ "${MAKE_ISO}" = "yes" ]; then
 	# XXX should pass --build-type here.
-	/usr/share/livecd-rootfs/live-build/gen-iso-ids \
+	${LIVECD_ROOTFS_ROOT}/live-build/gen-iso-ids \
 		--project $PROJECT ${SUBPROJECT:+--subproject $SUBPROJECT} \
 		--arch $ARCH ${SUBARCH:+--subarch $SUBARCH} ${NOW+--serial $NOW} \
 		--output-dir config/iso-ids/
 fi
+
+if [ -n "$http_proxy" ]; then
+    mkdir -p /etc/systemd/system/snapd.service.d/
+    cat > /etc/systemd/system/snapd.service.d/snap_proxy.conf <<EOF
+[Service]
+Environment="HTTP_PROXY=${http_proxy}"
+Environment="HTTPS_PROXY=${http_proxy}"
+EOF
+    systemctl daemon-reload
+    systemctl restart snapd.service
+fi

live-build/build-livefs

@@ -0,0 +1,218 @@
+#!/usr/bin/python3
+
+import configparser
+import os
+import pathlib
+import platform
+import subprocess
+
+import click
+
+
+_CONFIG_FILE = pathlib.Path.home() / ".config" / "livecd-rootfs" / "build-livefs.conf"
+
+
+def _read_config() -> dict[str, str]:
+    """Read default values from the user config file if it exists.
+
+    The config file uses INI format with a [defaults] section, e.g.:
+
+        [defaults]
+        http-proxy = http://squid.internal:3128/
+        mirror = http://ftpmaster.internal/ubuntu/
+    """
+    cp = configparser.ConfigParser()
+    cp.read(_CONFIG_FILE)
+    return dict(cp["defaults"]) if "defaults" in cp else {}
+
+
+_MACHINE_TO_ARCH = {
+    "x86_64": "amd64",
+    "aarch64": "arm64",
+    "ppc64le": "ppc64el",
+    "s390x": "s390x",
+    "riscv64": "riscv64",
+    "armv7l": "armhf",
+}
+
+
+def _default_arch():
+    machine = platform.machine()
+    try:
+        return _MACHINE_TO_ARCH[machine]
+    except KeyError:
+        raise click.UsageError(
+            f"Cannot determine default arch for machine {machine!r}; use --arch"
+        )
+
+
+@click.command()
+@click.option(
+    "--work-dir",
+    default=".",
+    type=click.Path(file_okay=False, path_type=pathlib.Path),
+    help="Working directory for the build (default: current directory)",
+)
+@click.option("--project", required=True, help="Project name (e.g. ubuntu, ubuntu-cpc)")
+@click.option("--suite", required=True, help="Ubuntu suite/series (e.g. noble)")
+@click.option("--arch", default=None, help="Target architecture (default: host arch)")
+@click.option("--arch-variant", default=None, help="Architecture variant")
+@click.option("--subproject", default=None, help="Subproject")
+@click.option("--subarch", default=None, help="Sub-architecture")
+@click.option("--channel", default=None, help="Channel")
+@click.option(
+    "--image-target",
+    "image_targets",
+    multiple=True,
+    help="Image target (may be repeated)",
+)
+@click.option("--repo-snapshot-stamp", default=None, help="Repository snapshot stamp")
+@click.option(
+    "--snapshot-service-timestamp", default=None, help="Snapshot service timestamp"
+)
+@click.option("--cohort-key", default=None, help="Cohort key")
+@click.option("--datestamp", default=None, help="Datestamp (sets NOW)")
+@click.option("--image-format", default=None, help="Image format (sets IMAGEFORMAT)")
+@click.option(
+    "--proposed",
+    is_flag=True,
+    default=False,
+    help="Enable proposed pocket (sets PROPOSED=1)",
+)
+@click.option(
+    "--extra-ppa", "extra_ppas", multiple=True, help="Extra PPA (may be repeated)"
+)
+@click.option(
+    "--extra-snap", "extra_snaps", multiple=True, help="Extra snap (may be repeated)"
+)
+@click.option("--build-type", default=None, help="Build type")
+@click.option(
+    "--http-proxy",
+    default=None,
+    help="HTTP proxy (sets http_proxy, HTTP_PROXY, LB_APT_HTTP_PROXY)",
+)
+@click.option(
+    "--mirror",
+    default=None,
+    help="Ubuntu archive mirror URL (sets MIRROR)",
+)
+@click.option(
+    "--debug", is_flag=True, default=False, help="Enable debug mode (set -x in lb scripts)"
+)
+def main(
+    work_dir,
+    project,
+    suite,
+    arch,
+    arch_variant,
+    subproject,
+    subarch,
+    channel,
+    image_targets,
+    repo_snapshot_stamp,
+    snapshot_service_timestamp,
+    cohort_key,
+    datestamp,
+    image_format,
+    proposed,
+    extra_ppas,
+    extra_snaps,
+    build_type,
+    http_proxy,
+    mirror,
+    debug,
+):
+    cfg = _read_config()
+    if http_proxy is None:
+        http_proxy = cfg.get("http-proxy")
+    if mirror is None:
+        mirror = cfg.get("mirror")
+
+    if arch is None:
+        arch = _default_arch()
+
+    # Locate auto/ scripts relative to this script, following symlinks.
+    # Works for: git checkout, installed deb, and /usr/bin/build-livefs symlink.
+    live_build_dir = pathlib.Path(__file__).resolve().parent
+    auto_source = live_build_dir / "auto"
+
+    # base_env is passed to both lb config and lb build
+    base_env = {
+        "PROJECT": project,
+        "ARCH": arch,
+        "LIVECD_ROOTFS_ROOT": str(live_build_dir.parent),
+    }
+    if arch_variant is not None:
+        base_env["ARCH_VARIANT"] = arch_variant
+    if subproject is not None:
+        base_env["SUBPROJECT"] = subproject
+    if subarch is not None:
+        base_env["SUBARCH"] = subarch
+    if channel is not None:
+        base_env["CHANNEL"] = channel
+    if image_targets:
+        base_env["IMAGE_TARGETS"] = " ".join(image_targets)
+    if repo_snapshot_stamp is not None:
+        base_env["REPO_SNAPSHOT_STAMP"] = repo_snapshot_stamp
+    if snapshot_service_timestamp is not None:
+        base_env["SNAPSHOT_SERVICE_TIMESTAMP"] = snapshot_service_timestamp
+    if cohort_key is not None:
+        base_env["COHORT_KEY"] = cohort_key
+    if http_proxy is not None:
+        base_env["http_proxy"] = http_proxy
+        base_env["HTTP_PROXY"] = http_proxy
+        base_env["LB_APT_HTTP_PROXY"] = http_proxy
+
+    # config_env adds lb-config-only vars on top of base_env
+    config_env = {
+        **base_env,
+        "SUITE": suite,
+    }
+    if datestamp is not None:
+        config_env["NOW"] = datestamp
+    if image_format is not None:
+        config_env["IMAGEFORMAT"] = image_format
+    if proposed:
+        config_env["PROPOSED"] = "1"
+    if extra_ppas:
+        config_env["EXTRA_PPAS"] = " ".join(extra_ppas)
+    if extra_snaps:
+        config_env["EXTRA_SNAPS"] = " ".join(extra_snaps)
+    if build_type is not None:
+        config_env["BUILD_TYPE"] = build_type
+    if mirror is not None:
+        config_env["MIRROR"] = mirror
+
+    work_dir = work_dir.resolve()
+    work_dir.mkdir(parents=True, exist_ok=True)
+
+    # Create/replace auto/ symlinks
+    auto_dir = work_dir / "auto"
+    auto_dir.mkdir(exist_ok=True)
+    for script in ("config", "build", "clean"):
+        link = auto_dir / script
+        if link.is_symlink() or link.exists():
+            link.unlink()
+        link.symlink_to(auto_source / script)
+
+    # Write debug.sh if requested
+    if debug:
+        debug_dir = work_dir / "local" / "functions"
+        debug_dir.mkdir(parents=True, exist_ok=True)
+        (debug_dir / "debug.sh").write_text("set -x\n")
+
+    def run(cmd, env_extra):
+        env = os.environ.copy()
+        env.update(env_extra)
+        if os.getuid() != 0:
+            env_args = [f"{k}={v}" for k, v in env_extra.items()]
+            cmd = ["sudo", "env"] + env_args + cmd
+        subprocess.run(cmd, cwd=work_dir, env=env, check=True)
+
+    run(["lb", "clean", "--purge"], base_env)
+    run(["lb", "config"], config_env)
+    run(["lb", "build"], base_env)
+
+
+if __name__ == "__main__":
+    main()

live-build/build-livefs-lxd

@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+
+import configparser
+import pathlib
+import subprocess
+import time
+
+import click
+
+
+_CONFIG_FILE = pathlib.Path.home() / ".config" / "livecd-rootfs" / "build-livefs.conf"
+
+
+def _read_config() -> dict[str, str]:
+    cp = configparser.ConfigParser()
+    cp.read(_CONFIG_FILE)
+    return dict(cp["defaults"]) if "defaults" in cp else {}
+
+
+@click.command(
+    context_settings={"ignore_unknown_options": True, "allow_extra_args": True}
+)
+@click.option("--suite", required=True, help="Ubuntu suite/series (e.g. noble)")
+@click.option(
+    "--vm-name",
+    default=None,
+    help="LXD VM name (default: livefs-builder-{suite})",
+)
+@click.option(
+    "--http-proxy",
+    default=None,
+    help="HTTP proxy URL for apt inside the VM (also read from build-livefs.conf)",
+)
+@click.argument("extra_args", nargs=-1, type=click.UNPROCESSED)
+def main(suite, vm_name, http_proxy, extra_args):
+    livecd_rootfs_root = pathlib.Path(__file__).resolve().parent.parent
+    vm_name = vm_name or f"livefs-builder-{suite}"
+    host_conf = (
+        pathlib.Path.home() / ".config" / "livecd-rootfs" / "build-livefs.conf"
+    )
+
+    if http_proxy is None:
+        http_proxy = _read_config().get("http-proxy")
+
+    result = subprocess.run(["lxc", "info", vm_name], capture_output=True)
+    if result.returncode != 0:
+        launch_cmd = [
+            "lxc", "launch", f"ubuntu-daily:{suite}", vm_name, "--vm",
+            "--config", "limits.cpu=4",
+            "--config", "limits.memory=8GiB",
+            "--device", "root,size=100GiB",
+        ]
+        user_data = "#cloud-config\npackage_update: true\n"
+        if http_proxy is not None:
+            user_data += (
+                "apt:\n"
+                f"  http_proxy: {http_proxy}\n"
+                f"  https_proxy: {http_proxy}\n"
+            )
+        launch_cmd += ["--config", f"user.user-data={user_data}"]
+        subprocess.run(launch_cmd, check=True)
+
+    device_info = subprocess.run(
+        ["lxc", "config", "device", "show", vm_name],
+        capture_output=True,
+        text=True,
+        check=True,
+    ).stdout
+    if "livecd-rootfs" not in device_info:
+        subprocess.run(
+            [
+                "lxc",
+                "config",
+                "device",
+                "add",
+                vm_name,
+                "livecd-rootfs",
+                "disk",
+                f"source={livecd_rootfs_root}",
+                "path=/srv/livecd-rootfs",
+            ],
+            check=True,
+        )
+
+    info = subprocess.run(
+        ["lxc", "info", vm_name], capture_output=True, text=True, check=True
+    ).stdout
+    if "Status: STOPPED" in info:
+        subprocess.run(["lxc", "start", vm_name], check=True)
+
+    for _ in range(30):
+        result = subprocess.run(
+            ["lxc", "exec", vm_name, "--", "true"], capture_output=True
+        )
+        if result.returncode == 0:
+            break
+        time.sleep(2)
+    else:
+        raise click.ClickException(f"VM {vm_name!r} did not become ready in time")
+
+    subprocess.run(
+        ["lxc", "exec", vm_name, "--", "cloud-init", "status", "--wait"], check=True
+    )
+
+    subprocess.run(
+        ["lxc", "exec", vm_name, "--", "apt-get", "install", "-y", "livecd-rootfs"],
+        check=True,
+    )
+
+    if host_conf.exists():
+        subprocess.run(
+            [
+                "lxc",
+                "exec",
+                vm_name,
+                "--",
+                "mkdir",
+                "-p",
+                "/root/.config/livecd-rootfs",
+            ],
+            check=True,
+        )
+        subprocess.run(
+            [
+                "lxc",
+                "file",
+                "push",
+                str(host_conf),
+                f"{vm_name}/root/.config/livecd-rootfs/build-livefs.conf",
+            ],
+            check=True,
+        )
+
+    subprocess.run(
+        [
+            "lxc",
+            "exec",
+            vm_name,
+            "--",
+            "/srv/livecd-rootfs/live-build/build-livefs",
+            "--suite",
+            suite,
+            *extra_args,
+        ],
+        check=True,
+    )
+
+
+if __name__ == "__main__":
+    main()

live-build/buildd/hooks/52-linux-virtual-image.binary

@@ -50,7 +50,7 @@ env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
 
 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
-    install -y lsb-release locales initramfs-tools busybox-initramfs \
+    install -y lsb-release locales dracut busybox-initramfs \
                udev dbus netplan.io cloud-init openssh-server sudo snapd \
                lxd-agent-loader
 

live-build/edubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/functions

@@ -188,8 +188,8 @@ setup_mountpoint() {
     mount sysfs-live -t sysfs "$mountpoint/sys"
     mount securityfs -t securityfs "$mountpoint/sys/kernel/security"
     # Provide more up to date apparmor features, matching target kernel
-    mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
-    mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
+    mount -o bind ${LIVECD_ROOTFS_ROOT}/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
+    mount -o bind ${LIVECD_ROOTFS_ROOT}/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
     # cgroup2 mount for LP: 1944004
     mount -t cgroup2 none "$mountpoint/sys/fs/cgroup"
     mount -t tmpfs none "$mountpoint/tmp"
@@ -408,7 +408,7 @@ create_squashfs() {
     squashfs_file="$2"
     config_dir="$PWD/config"
     (cd $rootfs_dir &&
-        mksquashfs . $squashfs_file -no-progress -xattrs -comp xz \
+        mksquashfs . $squashfs_file -no-progress -xattrs -comp "${SQUASHFS_COMP:-xz}" \
             -ef "$config_dir/squashfs-exclude-files")
 
 }
@@ -573,7 +573,7 @@ _snap_post_process() {
             # If the 'core' snap is not present, assume we are coreXX-only and
             # install the snapd snap.
             channel=stable
-            if [ "$PROJECT" = "ubuntu" -o "$SUBPROJECT" = "dangerous" ]; then
+            if [ "$SUBPROJECT" = "dangerous" ]; then
                 channel=edge
             fi
             if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
@@ -860,7 +860,7 @@ snap_validate_seed() {
     fi
     if [ ${boot_filename} != undefined ]; then  # we have a known boot file so we can proceed with checking for features to mount
         kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/${boot_filename} | grep  --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
-        if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+        if [ -d ${LIVECD_ROOTFS_ROOT}/live-build/apparmor/${kern_major_min} ]; then
             # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
             # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
             # basic copy of a directory structure overriding the "generic" feature set
@@ -868,7 +868,7 @@ snap_validate_seed() {
 
             # Bind kernel apparmor directory to feature directory for snap preseeding
             umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
-            mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+            mount --bind ${LIVECD_ROOTFS_ROOT}/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
         fi
     fi
 
@@ -894,7 +894,7 @@ snap_validate_seed() {
     # mount generic apparmor feature again (cleanup)
     if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
         umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
-        mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+        mount -o bind ${LIVECD_ROOTFS_ROOT}/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
     fi
 
 }
@@ -1254,7 +1254,7 @@ setup_cidata() {
     local mountpoint=$(mktemp -d)
     mkfs.vfat -F 32 -n CIDATA ${cidata_dev}
     mount ${cidata_dev} ${mountpoint}
-    cp /usr/share/livecd-rootfs/live-build/cidata/* ${mountpoint}
+    cp ${LIVECD_ROOTFS_ROOT}/live-build/cidata/* ${mountpoint}
     cat >>${mountpoint}/meta-data.sample <<END
 #instance-id: iid-$(openssl rand -hex 8)
 
@@ -1454,5 +1454,19 @@ gpt_root_partition_uuid() {
 # is importable, and uses config/iso-dir as the standard working directory
 # for ISO metadata and intermediate files.
 isobuild () {
-    PYTHONPATH=/usr/share/livecd-rootfs/live-build/ /usr/share/livecd-rootfs/live-build/isobuild --workdir config/iso-dir "$@"
+    PYTHONPATH=${LIVECD_ROOTFS_ROOT}/live-build/ ${LIVECD_ROOTFS_ROOT}/live-build/isobuild --workdir config/iso-dir "$@"
+}
+
+CASPER_DIR=config/iso-dir/iso-root/casper
+
+# Install kernel+initrd into the ISO casper directory.
+# Usage: iso_install_kernel <flavor> <kernel-path> <initrd-path>
+iso_install_kernel() {
+    local flavor=$1 kernel=$2 initrd=$3
+    local kernel_name=vmlinuz
+    case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
+    local prefix=""
+    case $flavor in *-hwe) prefix="hwe-" ;; esac
+    cp "$kernel" "$CASPER_DIR/${prefix}${kernel_name}"
+    cp "$initrd" "$CASPER_DIR/${prefix}initrd"
 }

live-build/gen-iso-ids

@@ -42,6 +42,7 @@ project_to_capproject_map = {
     "ubuntu-core-installer": "Ubuntu-Core-Installer",
     "ubuntu-mate": "Ubuntu-MATE",
     "ubuntu-mini-iso": "Ubuntu-Mini-ISO",
+    "ubuntu-test-iso": "Ubuntu-Test-ISO",
     "ubuntu-oem": "Ubuntu OEM",
     "ubuntu-server": "Ubuntu-Server",
     "ubuntu-unity": "Ubuntu-Unity",

live-build/isobuild

@@ -39,10 +39,9 @@
 # Generate an apt deb822 source for the pool, assuming it is mounted at the
 # passed mountpoint, and output it on stdout.
 #
-# $ isobuild --work-dir "" add-live-filesystem --artifact-prefix ""
+# $ isobuild --work-dir "" extract-casper-uuids
 #
-# Copy the relevant artifacts to the casper directory (and extract the uuids
-# from the initrds)
+# Extract casper UUID files from the initrds in the casper directory.
 #
 # $ isobuild --work-dir "" make-bootable --project "" --capitalized-project ""
 #            --subarch ""
@@ -169,14 +168,9 @@ def generate_sources(builder, mountpoint: str):
     builder.generate_sources(mountpoint)
 
 
-@click.option(
-    "--artifact-prefix",
-    type=click.Path(dir_okay=False, resolve_path=True, path_type=pathlib.Path),
-    required=True,
-)
 @subcommand
-def add_live_filesystem(builder, artifact_prefix: pathlib.Path):
-    builder.add_live_filesystem(artifact_prefix)
+def extract_casper_uuids(builder):
+    builder.extract_casper_uuids()
 
 
 @click.option(

live-build/isobuilder/builder.py

@@ -218,7 +218,7 @@ class ISOBuilder:
             )
         )
 
-    def _extract_casper_uuids(self):
+    def extract_casper_uuids(self):
         # Extract UUID files from initrd images for casper (the live boot system).
         # Each initrd contains a conf/uuid.conf with a unique identifier that
         # casper uses at boot time to locate the correct root filesystem. These
@@ -255,44 +255,6 @@ class ISOBuilder:
                 uuid_conf.rename(dot_disk.joinpath(f"casper-uuid-{suffix}"))
                 shutil.rmtree(initrddir)
 
-    def add_live_filesystem(self, artifact_prefix: pathlib.Path):
-        casper_dir = self.iso_root.joinpath("casper")
-        artifact_dir = artifact_prefix.parent
-        filename_prefix = artifact_prefix.name
-
-        def link(src: pathlib.Path, target_name: str):
-            target = casper_dir.joinpath(target_name)
-            self.logger.log(
-                f"creating link from $ISOROOT/casper/{target_name} to $src/{src.name}"
-            )
-            target.hardlink_to(src)
-
-        kernel_name = "vmlinuz"
-        if self.arch in ("ppc64el", "riscv64"):
-            kernel_name = "vmlinux"
-
-        with self.logger.logged(
-            f"linking artifacts from {casper_dir} to {artifact_dir}"
-        ):
-            for ext in "squashfs", "squashfs.gpg", "size", "manifest", "yaml":
-                for path in artifact_dir.glob(f"{filename_prefix}*.{ext}"):
-                    newname = path.name[len(filename_prefix) :]
-                    link(path, newname)
-            for suffix, prefix in (
-                ("-generic", ""),
-                ("-generic-hwe", "hwe-"),
-            ):
-                if artifact_dir.joinpath(f"{filename_prefix}kernel{suffix}").exists():
-                    link(
-                        artifact_dir.joinpath(f"{filename_prefix}kernel{suffix}"),
-                        f"{prefix}{kernel_name}",
-                    )
-                    link(
-                        artifact_dir.joinpath(f"{filename_prefix}initrd{suffix}"),
-                        f"{prefix}initrd",
-                    )
-        self._extract_casper_uuids()
-
     def make_bootable(self, project: str, capproject: str, subarch: str):
         configurator = make_boot_configurator_for_arch(
             self.arch,
@@ -311,11 +273,14 @@ class ISOBuilder:
     def checksum(self):
         # Generate md5sum.txt for ISO integrity verification.
         # - Symlinks are excluded because their targets are already checksummed
+        # - eltorito.img is excluded because xorriso will modify it in output ISO
         # - Files are sorted for deterministic, reproducible output across builds
         # - Paths use "./" prefix and we run md5sum from iso_root so the output
         #   matches what users get when they verify with "md5sum -c" from the ISO
         all_files = []
+        exclusions = ["eltorito.img"]
         for dirpath, dirnames, filenames in self.iso_root.walk():
+            filenames = [fn for fn in filenames if fn not in exclusions]
             filepaths = [dirpath.joinpath(filename) for filename in filenames]
             all_files.extend(
                 "./" + str(filepath.relative_to(self.iso_root))

live-build/kubuntu/hooks/020-kubuntu-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/lb_binary_layered

@@ -61,7 +61,7 @@ build_layered_squashfs () {
 
 	# Building squashfs filesystem & manifest
 	local overlay_dir="overlay.${pass}"
-	base="${PWD}/livecd.${PROJECT_FULL}.${pass}"
+	base="${PWD}/${CASPER_DIR}/${pass}"
 	squashfs_f="${base}.squashfs"
 
 	# We have already treated that pass
@@ -91,6 +91,20 @@ build_layered_squashfs () {
 
 	# Copy initrd and vmlinuz outside of chroot and remove them from the layer squashfs
 	if $(is_live_layer "$pass"); then
+		# For *.live passes (desktop builds), the kernel flavor comes from
+		# LB_LINUX_FLAVOURS.  For other live passes (server installer passes
+		# like "...installer.generic-hwe"), the flavor is encoded as the
+		# final dot-separated component of the pass name.
+		case "$pass" in
+			*.live)
+				for flavor in $LB_LINUX_FLAVOURS; do
+					iso_install_kernel "$flavor" chroot/boot/vmlinu?-* chroot/boot/initrd.img-*
+				done
+				;;
+			*)
+				iso_install_kernel "${pass##*.}" chroot/boot/vmlinu?-* chroot/boot/initrd.img-*
+				;;
+		esac
 		lb binary_linux-image ${*}
 		rm -f chroot/boot/initrd.img-* chroot/boot/vmlinu{x,z}-*
 	fi
@@ -116,32 +130,13 @@ build_layered_squashfs () {
 		create_manifest "chroot" "${squashfs_f_manifest}.full"
 
 		# Delta manifest
-		diff -NU0 ${PWD}/livecd.${PROJECT_FULL}.$(get_parent_pass $pass).manifest.full ${squashfs_f_manifest}.full|grep -v ^@ > $squashfs_f_manifest || true
+		diff -NU0 ${PWD}/${CASPER_DIR}/$(get_parent_pass $pass).manifest.full ${squashfs_f_manifest}.full|grep -v ^@ > $squashfs_f_manifest || true
 		echo "Delta manifest:"
 		cat $squashfs_f_manifest
 
 		squashfs_f_size="${base}.size"
 		du -B 1 -s "overlay.${pass}/" | cut -f1 > "${squashfs_f_size}"
 
-		# We take first live pass for "global" ISO properties (used by installers and checkers):
-		# Prepare initrd + kernel
-		# Main manifest and size files
-		prefix="livecd.$PROJECT_FULL"
-		if [ ! -e "${prefix}.manifest" ] && $(is_live_layer "$pass"); then
-			totalsize=$(cat ${squashfs_f_size})
-			curpass="$pass"
-			while :; do
-				curpass=$(get_parent_pass $curpass)
-				# We climbed up the tree to the root layer, we are done
-				[ -z "$curpass" ] && break
-
-				totalsize=$(expr $totalsize + $(cat "${PWD}/livecd.${PROJECT_FULL}.${curpass}.size"))
-			done
-			echo ${totalsize} > "${prefix}.size"
-
-			cp "${squashfs_f_manifest}.full" "${prefix}.manifest"
-		fi
-
 		if [ -n "$lowerdirs" ]; then
 			# Although the current chroot was created as an overlay over
 			# the previous layer, many operations can result in redundant
@@ -180,33 +175,27 @@ build_layered_squashfs () {
 			# Operate on the upperdir directly, so that we are only
 			# modifying mtime on files that are actually changed in
 			# this layer. LP: #2107332
-			/usr/share/livecd-rootfs/sync-mtime chroot "$overlay_dir"
+			${LIVECD_ROOTFS_ROOT}/sync-mtime chroot "$overlay_dir"
 		fi
 
-		create_squashfs "${overlay_dir}" ${squashfs_f}
-		# Create a "for-iso" variant of the squashfs for ISO builds. For
-		# the root layer (the base system) when building with a pool, we
-		# need to include cdrom.sources so casper can access the ISO's
-		# package repository. This requires regenerating the squashfs with
-		# that file included, then removing it (so it doesn't pollute the
-		# regular squashfs). Non-root layers (desktop environment, etc.)
-		# and builds without pools can just hardlink to the regular squashfs.
+		# For the root layer when building with a pool, include
+		# cdrom.sources so casper can access the ISO's package repository.
 		if [ -n "${POOL_SEED_NAME}" ] && $(is_root_layer $pass); then
 			isobuild generate-sources --mountpoint=/cdrom > ${overlay_dir}/etc/apt/sources.list.d/cdrom.sources
-			create_squashfs "${overlay_dir}" ${PWD}/for-iso.${pass}.squashfs
-			rm ${overlay_dir}/etc/apt/sources.list.d/cdrom.sources
 		fi
+		create_squashfs "${overlay_dir}" ${squashfs_f}
+		rm -f ${overlay_dir}/etc/apt/sources.list.d/cdrom.sources
 
 		if [ -f config/$pass.catalog-in.yaml ]; then
 			echo "Expanding catalog entry template for $pass"
-			usc_opts="--output livecd.${PROJECT_FULL}.install-sources.yaml \
+			usc_opts="--output ${CASPER_DIR}/install-sources.yaml \
 				--template config/$pass.catalog-in.yaml \
 				--size $(du -B 1 -s chroot/ | cut -f1) --squashfs ${pass}.squashfs \
 				--translations config/catalog-translations"
 			if [ -f config/seeded-languages ]; then
 				usc_opts="$usc_opts --langs $(cat config/seeded-languages)"
 			fi
-			/usr/share/livecd-rootfs/update-source-catalog source $usc_opts
+			${LIVECD_ROOTFS_ROOT}/update-source-catalog source $usc_opts
 		else
 			echo "No catalog entry template for $pass"
 		fi
@@ -225,25 +214,11 @@ do
 	build_layered_squashfs "${_PASS}" ${*}
 done
 
-if [ -n "$DEFAULT_KERNEL" -a -f livecd.${PROJECT_FULL}.install-sources.yaml ]; then
+if [ -n "$DEFAULT_KERNEL" -a -f ${CASPER_DIR}/install-sources.yaml ]; then
 	write_kernel_yaml "$DEFAULT_KERNEL" "$BRIDGE_KERNEL_REASONS"
-	/usr/share/livecd-rootfs/update-source-catalog merge \
-		--output livecd.${PROJECT_FULL}.install-sources.yaml \
+	${LIVECD_ROOTFS_ROOT}/update-source-catalog merge \
+		--output ${CASPER_DIR}/install-sources.yaml \
 		--template config/kernel.yaml
 fi
 
-# Ubiquity-compatible removal manifest for ISO not using a layered-aware installer
-if [ -n "$(ls livecd.${PROJECT_FULL}.*install.live.manifest.full 2>/dev/null)" ] && \
-   [ -n "$(ls livecd.${PROJECT_FULL}.*install.manifest.full 2>/dev/null)" ]; then
-	echo "$(diff livecd.${PROJECT_FULL}.*install.live.manifest.full livecd.${PROJECT_FULL}.*install.manifest.full | awk '/^< / { print $2 }')" > livecd.${PROJECT_FULL}-manifest-remove
-fi
-
-chmod 644 *.squashfs *.manifest* *.size
-
-prefix=livecd.${PROJECT_FULL}
-for artifact in ${prefix}.*; do
-	for_iso_path=for-iso${artifact#${prefix}}
-	if [ ! -f $for_iso_path ]; then
-		ln -v $artifact $for_iso_path
-	fi
-done
+chmod 644 ${CASPER_DIR}/*.squashfs ${CASPER_DIR}/*.manifest* ${CASPER_DIR}/*.size

live-build/lb_chroot_layered

@@ -237,7 +237,7 @@ create_chroot_pass () {
 	lb chroot_interactive ${*}
 
 	# Misc ubuntu cleanup and post-layer configuration
-	/usr/share/livecd-rootfs/minimize-manual chroot
+	${LIVECD_ROOTFS_ROOT}/minimize-manual chroot
 	clean_debian_chroot
 
 	Chroot chroot "dpkg-query -W" > chroot.packages.${pass}

live-build/lubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-budgie/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-core-installer/hooks/05-prepare-image.binary

@@ -11,6 +11,7 @@ case ${PASS:-} in
 esac
 
 . config/binary
+. config/common
 . config/functions
 
 case ${SUBPROJECT} in
@@ -56,4 +57,4 @@ PROJECT_FULL=$PROJECT${SUBARCH:+-$SUBARCH}
 usc_opts="--output livecd.${PROJECT_FULL}.install-sources.yaml \
           --template config/edge.catalog-in.yaml \
           --size 0"
-/usr/share/livecd-rootfs/update-source-catalog source $usc_opts
+${LIVECD_ROOTFS_ROOT}/update-source-catalog source $usc_opts

live-build/ubuntu-core-installer/includes.chroot.base.live/etc/cloud/cloud.cfg

@@ -76,7 +76,7 @@ system_info:
       templates_dir: /etc/cloud/templates/
       upstart_dir: /etc/init/
    package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
        failsafe:
          primary: http://archive.ubuntu.com/ubuntu
          security: http://security.ubuntu.com/ubuntu
@@ -86,7 +86,7 @@ system_info:
            - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
            - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
          security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
        failsafe:
          primary: http://ports.ubuntu.com/ubuntu-ports
          security: http://ports.ubuntu.com/ubuntu-ports

live-build/ubuntu-cpc/hooks.d/base/imagecraft-configs/cloud-init/etc/cloud/cloud.cfg.d/99-os_cloud.cfg

@@ -0,0 +1 @@
+datasource_list: [ OpenStack, None ]

live-build/ubuntu-cpc/hooks.d/base/imagecraft-configs/cloud-init/var/lib/cloud/seed/nocloud/meta-data

@@ -0,0 +1,2 @@
+dsmode: local
+instance_id: ubuntu-server

live-build/ubuntu-cpc/hooks.d/base/imagecraft-configs/imagecraft.yaml

@@ -0,0 +1,104 @@
+name: ubuntu-minimal
+version: "0.1"
+base: bare
+build-base: devel
+summary: Minimal Ubuntu image for CPC
+description: A minimal Ubuntu image to be built using livecd-rootfs by CPC
+
+platforms:
+  amd64:
+
+volumes:
+  pc:
+    schema: gpt
+    structure:
+      # 1. BIOS Boot
+      - name: bios-boot
+        type: 21686148-6449-6E6F-744E-656564454649
+        role: system-boot
+        filesystem: vfat
+        size: 4M
+        partition-number: 14
+      # 2. EFI System Partition
+      - name: efi
+        type: C12A7328-F81F-11D2-BA4B-00A0C93EC93B
+        filesystem: vfat
+        filesystem-label: UEFI
+        role: system-boot
+        size: 106M
+        partition-number: 15
+      # 3. Linux Extended Boot
+      - name: boot
+        type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+        filesystem: ext4
+        filesystem-label: BOOT
+        role: system-data
+        size: 1G
+        partition-number: 13
+      # 4. Root Filesystem
+      - name: rootfs
+        type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+        filesystem: ext4
+        filesystem-label: cloudimg-rootfs
+        role: system-data
+        size: 3G
+        partition-number: 1
+
+filesystems:
+  default:
+    - mount: "/"
+      device: "(volume/pc/rootfs)"
+    - mount: "/boot"
+      device: "(volume/pc/boot)"
+    - mount: "/boot/efi"
+      device: "(volume/pc/efi)"
+
+parts:
+  rootfs:
+    plugin: nil
+    build-packages: ["mmdebstrap"]
+    override-build: |
+      mmdebstrap --arch $CRAFT_ARCH_BUILD_FOR \
+       --mode=sudo \
+       --format=dir \
+       --variant=minbase \
+       --include=apt \
+       resolute \
+       $CRAFT_PART_INSTALL/ \
+       http://archive.ubuntu.com/ubuntu/
+      rm -r $CRAFT_PART_INSTALL/dev/*
+      mkdir $CRAFT_PART_INSTALL/boot/efi
+    organize:
+      '*': (overlay)/
+
+  packages:
+    plugin: nil
+    overlay-packages:
+      - ubuntu-server-minimal
+      - grub2-common
+      - grub-pc
+      - shim-signed
+      - linux-image-generic
+    overlay-script: |
+      rm $CRAFT_OVERLAY/etc/cloud/cloud.cfg.d/90_dpkg.cfg
+
+  snaps:
+    plugin: nil
+    after: [packages]
+    overlay-script: |
+      env SNAPPY_STORE_NO_CDN=1 snap prepare-image --classic \
+        --arch=amd64 --snap snapd --snap core24 "" $CRAFT_OVERLAY
+
+  fstab:
+    plugin: nil
+    after: [snaps]
+    overlay-script: |
+      cat << EOF > $CRAFT_OVERLAY/etc/fstab
+      LABEL=cloudimg-rootfs  /          ext4    discard,errors=remount-ro  0  1
+      LABEL=BOOT             /boot      ext4    defaults                   0  2
+      LABEL=UEFI             /boot/efi  vfat    umask=0077                 0  1
+      EOF
+
+  cloud-init:
+    plugin: dump
+    source: cloud-init/

live-build/ubuntu-cpc/hooks.d/base/imagecraft-image.binary

@@ -0,0 +1,81 @@
+#!/bin/bash -eux
+
+. config/functions
+
+ARCH="${ARCH:-}"
+SUBPROJECT="${SUBPROJECT:-}"
+
+# We want to start off imagecraft builds with just amd64 support right now
+case $ARCH in
+  amd64)
+    ;;
+  *)
+    echo "imagecraft build is currently not implemented for ARCH=${ARCH:-unset}."
+    exit 0
+    ;;
+esac
+
+case ${SUBPROJECT} in
+  minimized)
+    ;;
+  *)
+    echo "imagecraft build is currently not implemented for SUBPROJECT=${SUBPROJECT:-unset}."
+    exit 0
+    ;;
+esac
+
+_src_d=$(dirname $(readlink -f ${0}))
+
+snap install imagecraft --classic --channel latest/edge
+
+cp -r "$_src_d"/imagecraft-configs/* .
+
+CRAFT_BUILD_ENVIRONMENT=host imagecraft --verbosity debug pack
+
+# We are using this function instead of mount_disk_image from functions
+# because imagecraft doesn't currently support XBOOTLDR's GUID and
+# mount_disk_image has an explicit check for the XBOOTLDR GUID
+# TODO: Use mount_disk_image once imagecraft supports XBOOTLDR's GUID
+mount_image_partitions() {
+  mount_image "${disk_image}" "$ROOT_PARTITION"
+
+  # Making sure that the loop device is ready
+  partprobe "${loop_device}"
+  udevadm settle
+  mount_partition "${rootfs_dev_mapper}" "$mountpoint"
+  mount "${loop_device}p13" "$mountpoint/boot"
+  mount "${loop_device}p15" "$mountpoint/boot/efi"
+}
+
+install_grub_on_image() {
+  divert_grub "$mountpoint"
+  chroot "$mountpoint" grub-install --target=i386-pc "${loop_device}"
+  chroot "$mountpoint" update-grub
+  undivert_grub "$mountpoint"
+
+  echo "GRUB for BIOS boot installed successfully."
+}
+
+unmount_image_partitions() {
+  umount "$mountpoint/boot/efi"
+  umount "$mountpoint/boot"
+
+  umount_partition "$mountpoint"
+  rmdir "$mountpoint"
+}
+
+disk_image="pc.img"
+ROOT_PARTITION=1
+mountpoint=$(mktemp -d)
+
+mount_image_partitions
+
+install_grub_on_image
+create_manifest  "$mountpoint/" "$PWD/livecd.ubuntu-cpc.imagecraft.manifest" "$PWD/livecd.ubuntu-cpc.imagecraft.spdx"  "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)" "false"
+
+unmount_image_partitions
+
+clean_loops
+trap - EXIT
+
+qemu-img convert -f raw -O qcow2 "${disk_image}" livecd.ubuntu-cpc.imagecraft.img

live-build/ubuntu-cpc/hooks.d/base/series/base

@@ -6,3 +6,4 @@ depends qcow2
 depends vmdk
 depends vagrant
 depends wsl
+depends imagecraft-image

live-build/ubuntu-cpc/hooks.d/base/series/imagecraft-image

@@ -0,0 +1,5 @@
+base/imagecraft-image.binary
+
+provides livecd.ubuntu-cpc.imagecraft.img
+provides livecd.ubuntu-cpc.imagecraft.manifest
+provides livecd.ubuntu-cpc.imagecraft.filelist

live-build/ubuntu-mate/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-mini-iso/hooks/01-mini-iso.binary

@@ -1,11 +1,11 @@
 #!/bin/sh
 
-# Create kernel/initrd artifacts for isobuilder to consume.
-# The standard MAKE_ISO flow in auto/build expects files named
-# ${PREFIX}.kernel-${flavour} and ${PREFIX}.initrd-${flavour}.
+# Install kernel/initrd directly into the ISO casper directory.
 
 set -eu
 
+. config/functions
+
 case $ARCH in
     amd64)
         ;;
@@ -14,7 +14,4 @@ case $ARCH in
         ;;
 esac
 
-PREFIX="livecd.${PROJECT}"
-
-cp chroot/boot/vmlinuz "${PREFIX}.kernel-generic"
-cp chroot/boot/initrd.img "${PREFIX}.initrd-generic"
+iso_install_kernel generic chroot/boot/vmlinuz chroot/boot/initrd.img

live-build/ubuntu-server/hooks/04-kernel-bits.binary

@@ -1,21 +0,0 @@
-#!/bin/bash -eux
-# vi: ts=4 noexpandtab
-
-case $PASS in
-    ubuntu-server-minimal.ubuntu-server.installer.*.*)
-        exit 0
-        ;;
-    ubuntu-server-minimal.ubuntu-server.installer.*)
-        flavor=${PASS##*.}
-        ;;
-    *)
-        exit 0
-        ;;
-esac
-
-PROJECT=$PROJECT${SUBARCH:+-$SUBARCH}
-
-# Fish out generated kernel image and initrd
-mv chroot/boot/initrd.img-* ${PWD}/livecd.${PROJECT}.initrd-$flavor
-mv chroot/boot/vmlinu?-* ${PWD}/livecd.${PROJECT}.kernel-$flavor
-chmod a+r ${PWD}/livecd.${PROJECT}.initrd-$flavor ${PWD}/livecd.${PROJECT}.kernel-$flavor

live-build/ubuntu-server/hooks/05-netboot-tarball.binary

@@ -21,6 +21,8 @@ case $PASS in
         ;;
 esac
 
+. config/functions
+
 set -eux
 
 # Extract the flavor from the pass name
@@ -29,8 +31,14 @@ flavor=${flavor##*.}
 
 PROJECT=$PROJECT${SUBARCH:+-$SUBARCH}
 
-KERNEL=${PWD}/livecd.${PROJECT}.kernel-$flavor
-INITRD=${PWD}/livecd.${PROJECT}.initrd-$flavor
+# Read kernel/initrd from the ISO casper directory where iso_install_kernel
+# placed them.
+kernel_name=vmlinuz
+case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
+casper_prefix=""
+case $flavor in *-hwe) casper_prefix="hwe-" ;; esac
+KERNEL=${CASPER_DIR}/${casper_prefix}${kernel_name}
+INITRD=${CASPER_DIR}/${casper_prefix}initrd
 
 mkdir -p tarball/$ARCH
 

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/cloud/cloud.cfg

@@ -76,7 +76,7 @@ system_info:
       templates_dir: /etc/cloud/templates/
       upstart_dir: /etc/init/
    package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
        failsafe:
          primary: http://archive.ubuntu.com/ubuntu
          security: http://security.ubuntu.com/ubuntu
@@ -86,7 +86,7 @@ system_info:
            - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
            - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
          security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
        failsafe:
          primary: http://ports.ubuntu.com/ubuntu-ports
          security: http://ports.ubuntu.com/ubuntu-ports

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf

@@ -1,16 +1,5 @@
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1

live-build/ubuntu-test-iso/hooks/01-test-iso.chroot_early

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -eu
+
+mkdir -p "etc/initramfs-tools/conf.d"
+cat > etc/initramfs-tools/conf.d/casperize.conf <<EOF
+export CASPER_GENERATE_UUID=1
+EOF

live-build/ubuntu-test-iso/hooks/02-test-iso-kernel.binary

@@ -0,0 +1,15 @@
+#!/bin/sh
+# Copy kernel/initrd artifacts for isobuilder to consume.
+# The MAKE_ISO flow in auto/build expects ${PREFIX}.kernel-* and
+# ${PREFIX}.initrd-* files. With --linux-packages=none live-build won't
+# create them, so we do it here (mirroring ubuntu-mini-iso's approach).
+# This hook runs for every pass; exit early when the kernel isn't present.
+
+set -eu
+
+[ -e chroot/boot/vmlinuz ] || exit 0
+[ -e chroot/boot/initrd.img ] || exit 0
+
+PREFIX="livecd.${PROJECT}"
+cp chroot/boot/vmlinuz  "${PREFIX}.kernel-generic"
+cp chroot/boot/initrd.img "${PREFIX}.initrd-generic"

live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/ubuntu/hooks/020-ubuntu-live.chroot_early

@@ -18,18 +18,7 @@ EOF
 cat <<EOF > /etc/sysctl.d/20-apparmor.conf
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
 EOF

live-build/ubuntu/hooks/040-hyperv-desktop-images.binary

@@ -44,9 +44,13 @@ trap cleanup_hyperv EXIT
 # use it if they want.
 touch "${scratch_d}/etc/cloud/cloud-init.disabled"
 
+mkdir -p "${scratch_d}/etc/dracut.conf.d"
+cat > "${scratch_d}/etc/dracut.conf.d/hyperv.conf" << EOF
+hostonly=no
+EOF
 
 chroot "${scratch_d}" apt-get update -y
-chroot "${scratch_d}" apt-get -y install xrdp linux-azure linux-tools-azure linux-cloud-tools-azure polkitd-pkla oem-config-gtk language-pack-en-base oem-config-slideshow-ubuntu
+chroot "${scratch_d}" apt-get -y install xrdp linux-azure linux-tools-azure linux-cloud-tools-azure oem-config-gtk language-pack-en-base oem-config-slideshow-ubuntu
 
 cat > ${scratch_d}/etc/modules-load.d/hyperv.conf << EOF
 ${IMAGE_STR}
@@ -99,23 +103,30 @@ blacklist vmw_vsock_vmci_transport
 EOF
 
 # Configure the policy xrdp session
-cat > ${scratch_d}/etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla << EOF
-${IMAGE_STR}
-[Allow Colord all Users]
-Identity=unix-user:*
-Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
-ResultAny=no
-ResultInactive=no
-ResultActive=yes
+cat > ${scratch_d}/etc/polkit-1/rules.d/45-allow-colord.rules << EOF
+// ${IMAGE_STR}
+// Allow Colord all Users
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.color-manager.create-device" ||
+         action.id == "org.freedesktop.color-manager.create-profile" ||
+         action.id == "org.freedesktop.color-manager.delete-device" ||
+         action.id == "org.freedesktop.color-manager.delete-profile" ||
+         action.id == "org.freedesktop.color-manager.modify-device" ||
+         action.id == "org.freedesktop.color-manager.modify-profile") &&
+        subject.active) {
+        return polkit.Result.YES;
+    }
+});
 EOF
 
-cat >${scratch_d}/etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
-[Allow Package Management all Users]
-Identity=unix-user:*
-Action=org.freedesktop.packagekit.system-sources-refresh
-ResultAny=yes
-ResultInactive=yes
-ResultActive=yes
+cat >${scratch_d}/etc/polkit-1/rules.d/46-allow-update-repo.rules <<EOF
+// ${IMAGE_STR}
+// Allow Package Management all Users
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.packagekit.system-sources-refresh") {
+        return polkit.Result.YES;
+    }
+});
 EOF
 
 sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-config/run\nAfter=|g' "${scratch_d}/lib/systemd/system/xrdp.service"
@@ -123,7 +134,7 @@ sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-conf
 # End xrdp customisation
 
 # Don't run gnome-initial-setup from gdm
-sed -i${CHANGED_FILE_SUFFIX} "s|#WaylandEnable=false|#WaylandEnable=false\nInitialSetupEnable=false|" "${scratch_d}/etc/gdm3/custom.conf"
+sed -i${CHANGED_FILE_SUFFIX} "s|\[daemon\]|[daemon]\nInitialSetupEnable=false|" "${scratch_d}/etc/gdm3/custom.conf"
 chroot "${scratch_d}" /usr/sbin/useradd -d /home/oem -m -N -u 29999 oem
 chroot "${scratch_d}" /usr/sbin/oem-config-prepare --quiet
 touch "${scratch_d}/var/lib/oem-config/run"