releasing package livecd-rootfs version 26.04.34

Set build type to Release for final ISO builds.
releasing package livecd-rootfs version 26.04.33
2026-04-18 15:11:02 +00:00 · 2026-04-18 08:22:07 +12:00 · 2026-04-18 08:07:38 +12:00 · 2026-04-17 12:23:23 +02:00 · 2026-04-17 12:16:46 +02:00 · 2026-04-17 12:06:01 +02:00
91 changed files with 592 additions and 340 deletions
--- a/README.local
+++ b/README.local
@ -0,0 +1,106 @@
+# Running livecd-rootfs builds locally
+
+`livecd-rootfs` is notoriously known to be... difficult?
+One question that often comes back is "how do I run that locally?".
+Brace yourself, here is a short guide to help you through this.
+
+## Where to run?
+
+While you could do that directly on your host machine, likely your development
+laptop, that would mean installing all the needed dependencies, and running
+livecd-rootfs as root (because of some `mount` steps, `chroot`, etc...).
+Not ideal.
+What you more likely want, and is documented here, is to run that in a LXD VM
+instead.
+
+## Prerequisites
+
+You need to have LXD installed and configured: https://canonical.com/lxd/install
+A clone of this repository, that will be used directly in the VM so that
+you can iterate and test changes easily before submitting them:
+```
+git clone https://git.launchpad.net/livecd-rootfs
+```
+
+## Build images
+
+All the magic is done by the `./live-build/build-livefs-lxd` script. It will
+basically perform the following actions for you:
+  * Launch (or re-start) a LXD VM on the `series` you're targetting.
+  * Install in there `livecd-rootfs` from the archive, to make sure all
+    dependencies are here and ready to use.
+  * Mount the `livecd-rootfs` sources in `/srv/livecd-rootfs`.
+  * Run `./live-build/build-livefs` with all the additional arguments you give.
+    That's what will build the ISO for you, take a lot of time, and bring your
+    machine down.
+
+Depending on what you want to work on, the iteration time can be quite long.
+Fortunately `livecd-rootfs` provides many different projects to work with,
+providing various experiences in terms of load, space, bandwidth and running
+time.
+
+Very fast and lightweight "fake" ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-test-iso
+```
+
+Ubuntu Desktop, the main flagship, and probably most complex ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu
+```
+
+Ubuntu Server Live, lighter ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-server --subproject live
+```
+
+Xubuntu Minimal, lighter desktop ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project xubuntu --subproject minimal
+```
+
+## Fetching the image
+
+Obviously, the image has been built inside the LXD VM, so you then need to extract it. Examples:
+```
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-test-iso.iso my_ubuntu-test-iso.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu.iso my_ubuntu.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-server.iso my_ubuntu-server.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.xubuntu.iso my_xubuntu.iso
+```
+
+The fetched ISO should normally boot and work just fine. For example with QEMU:
+```
+❯ kvm -m 3G -smp 2 -cdrom ./my_xubuntu.iso
+```
+
+## Clean up
+
+This will leave you with a running VM eating some precious 8GB from your host.
+You can stop and/or delete that VM with these:
+```
+❯ lxc stop livefs-builder-resolute
+❯ lxc delete livefs-builder-resolute
+```
+
+## Speeding things up with `apt-cacher-ng`
+
+All the previous steps work just fine, but when iterating, it's often very
+useful to cache all the package downloads, which can speed things up a lot,
+particularly if you don't live in one of Canonical's datacenters.
+
+Basically, on your host:
+```
+❯ sudo apt install apt-cacher-ng
+❯ cat ~/.config/livecd-rootfs/build-livefs.conf
+[defaults]
+mirror =  http://192.168.0.42:3142/archive.ubuntu.com/ubuntu
+```
+
+`~/.config/livecd-rootfs/build-livefs.conf` is indeed stored on your host, but
+will be copied automatically at the right place if it exists.
+
+There, `192.168.0.42` is your local network IP, reachable from the LXD VM, on
+which `apt-cacher-ng` is listening.
+Other `apt` caching solutions might be working, but are untested.
+
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,97 @@
+livecd-rootfs (26.04.34) resolute; urgency=medium
+
+  * Set build type to Release for final ISO builds.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Sat, 18 Apr 2026 08:21:53 +1200
+
+livecd-rootfs (26.04.33) resolute; urgency=medium
+
+  [ Matthew Stepan ]
+  * Hyper-V: Migrate .pkla files to .rules files following the removal of the
+    polkit-pkla package from the archive.
+  * Hyper-V: Add dracut `hostonly=no` config to fix image boot hanging while 
+    trying to find the rootfs.
+  * Hyper-V: Fix sed to correctly set GDM `InitialSetupEnable=false`.
+
+  [ Michael Hudson-Doyle ]
+  * Do not run 03-initramfs-enforcement.chroot for kubuntu, which is not a
+    layered build.
+
+  [ Denis Lalaj ]
+  * feat(buildd): Set dracut as the default initrd generator
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Fri, 17 Apr 2026 12:22:45 +0200
+
+livecd-rootfs (26.04.32) resolute; urgency=medium
+
+  [ Alfonso Sanchez-Beato ]
+  * Add support for building Ubuntu Core 26 images.
+
+  [ Valentin Haudiquet ]
+  * Make sure kernel is 'vmlinux' on riscv64, and not 'vmlinuz'
+
+  [ Michael Hudson-Doyle & Simon Poirier ]
+  * Add a hook 03-initramfs-enforcement.chroot to many ISO builds to ensure
+    that the live layer gets an initramfs built with casper and
+    initramfs-tools. (LP: #2146567)
+
+  [ Aaron Rainbolt ]
+  * Disable Apparmor restrictions in the live environment for Kubuntu and
+    Ubuntu Unity. (LP: #2146196, #2146369)
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 16 Apr 2026 09:23:08 +1200
+
+livecd-rootfs (26.04.31) resolute; urgency=medium
+
+  [ Ryan Hill ]
+  * Add additional 7.0 kernel apparmor features for
+    successful image preseeding. 
+
+ -- Chloé 'kajiya' Smith <chloe.smith@canonical.com>  Mon, 13 Apr 2026 15:45:19 +0100
+
+livecd-rootfs (26.04.30) resolute; urgency=medium
+
+  [ Florent 'Skia' Jacquet]
+  * Pick a better manifest by using the live pass for layered images (LP: #2147921)
+
+  [ Dan Bungert ]
+  * Exclude boot/grub/i386-pc/eltorito.img from md5sum.txt, as it is expected
+    to change in xorriso output.  (LP: #2147162)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Mon, 13 Apr 2026 15:16:01 +0200
+
+livecd-rootfs (26.04.29) resolute; urgency=medium
+
+  * Make sure to produce a manifest for all images (LP: #2147522)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Wed, 08 Apr 2026 16:12:59 +0200
+
+livecd-rootfs (26.04.28) resolute; urgency=medium
+
+  * Switch arm64 mirror from ports to archive. (LP: #2147101)
+
+ -- Utkarsh Gupta <utkarsh@ubuntu.com>  Thu, 02 Apr 2026 18:34:10 +0530
+
+livecd-rootfs (26.04.27) resolute; urgency=medium
+
+  [ Michael Hudson-Doyle ]
+  * Only publish the ISOs, not the other bits, now that we are publishing the
+    ISOs on cdimage.
+  * Fix mini iso to not contain a pool or squashfs.
+
+  [ Ryan Hill ]
+  * add 7.0 kernel apparmor features preseeds
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 02 Apr 2026 15:59:29 +1300
+
+livecd-rootfs (26.04.26) resolute; urgency=medium
+
+  * Ensure snapd tracks stable and not edge anymore.
+    We did remove it from multiple places, but this one was left and as a
+    consequence, the latest iso was still having snapd edge.
+
+ -- Didier Roche-Tolomelli <didrocks@ubuntu.com>  Fri, 27 Mar 2026 15:31:21 +0100
+
 livecd-rootfs (26.04.25) resolute; urgency=medium

  * bake LIVECD_ROOTFS_ROOT into config/functions, fixing some build failures
--- a/live-build/apparmor/7.0/capability
+++ b/live-build/apparmor/7.0/capability
@ -0,0 +1 @@
+0xffffff
--- a/live-build/apparmor/7.0/caps/extended
+++ b/live-build/apparmor/7.0/caps/extended
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/caps/mask
+++ b/live-build/apparmor/7.0/caps/mask
@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
--- a/live-build/apparmor/7.0/dbus/mask
+++ b/live-build/apparmor/7.0/dbus/mask
@ -0,0 +1 @@
+acquire send receive
--- a/live-build/apparmor/7.0/domain/attach_conditions/xattr
+++ b/live-build/apparmor/7.0/domain/attach_conditions/xattr
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_hat
+++ b/live-build/apparmor/7.0/domain/change_hat
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_hatv
+++ b/live-build/apparmor/7.0/domain/change_hatv
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_onexec
+++ b/live-build/apparmor/7.0/domain/change_onexec
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/change_profile
+++ b/live-build/apparmor/7.0/domain/change_profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/computed_longest_left
+++ b/live-build/apparmor/7.0/domain/computed_longest_left
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/disconnected.ipc
+++ b/live-build/apparmor/7.0/domain/disconnected.ipc
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/disconnected.path
+++ b/live-build/apparmor/7.0/domain/disconnected.path
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/fix_binfmt_elf_mmap
+++ b/live-build/apparmor/7.0/domain/fix_binfmt_elf_mmap
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/interruptible
+++ b/live-build/apparmor/7.0/domain/interruptible
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/kill.signal
+++ b/live-build/apparmor/7.0/domain/kill.signal
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/post_nnp_subset
+++ b/live-build/apparmor/7.0/domain/post_nnp_subset
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/stack
+++ b/live-build/apparmor/7.0/domain/stack
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/unconfined_allowed_children
+++ b/live-build/apparmor/7.0/domain/unconfined_allowed_children
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/domain/version
+++ b/live-build/apparmor/7.0/domain/version
@ -0,0 +1 @@
+1.2
--- a/live-build/apparmor/7.0/file/mask
+++ b/live-build/apparmor/7.0/file/mask
@ -0,0 +1 @@
+create read write exec append mmap_exec link lock
--- a/live-build/apparmor/7.0/io_uring/mask
+++ b/live-build/apparmor/7.0/io_uring/mask
@ -0,0 +1 @@
+sqpoll override_creds
--- a/live-build/apparmor/7.0/ipc/posix_mqueue
+++ b/live-build/apparmor/7.0/ipc/posix_mqueue
@ -0,0 +1 @@
+create read write open delete setattr getattr label
--- a/live-build/apparmor/7.0/mount/mask
+++ b/live-build/apparmor/7.0/mount/mask
@ -0,0 +1 @@
+mount umount pivot_root
--- a/live-build/apparmor/7.0/mount/move_mount
+++ b/live-build/apparmor/7.0/mount/move_mount
@ -0,0 +1 @@
+detached
--- a/live-build/apparmor/7.0/namespaces/mask
+++ b/live-build/apparmor/7.0/namespaces/mask
@ -0,0 +1 @@
+userns_create
--- a/live-build/apparmor/7.0/namespaces/pivot_root
+++ b/live-build/apparmor/7.0/namespaces/pivot_root
@ -0,0 +1 @@
+no
--- a/live-build/apparmor/7.0/namespaces/profile
+++ b/live-build/apparmor/7.0/namespaces/profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/namespaces/userns_create
+++ b/live-build/apparmor/7.0/namespaces/userns_create
@ -0,0 +1 @@
+pciu&
--- a/live-build/apparmor/7.0/network/af_mask
+++ b/live-build/apparmor/7.0/network/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/7.0/network/af_unix
+++ b/live-build/apparmor/7.0/network/af_unix
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/network_v8/af_inet
+++ b/live-build/apparmor/7.0/network_v8/af_inet
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/network_v8/af_mask
+++ b/live-build/apparmor/7.0/network_v8/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/7.0/network_v9/af_mask
+++ b/live-build/apparmor/7.0/network_v9/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp
--- a/live-build/apparmor/7.0/network_v9/af_unix
+++ b/live-build/apparmor/7.0/network_v9/af_unix
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/network_v9_skb/af_mask
+++ b/live-build/apparmor/7.0/network_v9_skb/af_mask
@ -0,0 +1 @@
+inet inet6
--- a/live-build/apparmor/7.0/network_v9_skb/iface
+++ b/live-build/apparmor/7.0/network_v9_skb/iface
@ -0,0 +1 @@
+receive connect, secmark_postroute
--- a/live-build/apparmor/7.0/network_v9_skb/localout
+++ b/live-build/apparmor/7.0/network_v9_skb/localout
@ -0,0 +1 @@
+secmark_set
--- a/live-build/apparmor/7.0/network_v9_skb/postroute
+++ b/live-build/apparmor/7.0/network_v9_skb/postroute
@ -0,0 +1 @@
+secmark_send
--- a/live-build/apparmor/7.0/network_v9_skb/rcv_skb
+++ b/live-build/apparmor/7.0/network_v9_skb/rcv_skb
@ -0,0 +1 @@
+secmark_receive
--- a/live-build/apparmor/7.0/network_v9_skb/relabel
+++ b/live-build/apparmor/7.0/network_v9_skb/relabel
@ -0,0 +1 @@
+setcred
--- a/live-build/apparmor/7.0/policy/metadata_tagging_version
+++ b/live-build/apparmor/7.0/policy/metadata_tagging_version
@ -0,0 +1 @@
+0x000001
--- a/live-build/apparmor/7.0/policy/notify/user
+++ b/live-build/apparmor/7.0/policy/notify/user
@ -0,0 +1 @@
+file tags
--- a/live-build/apparmor/7.0/policy/notify_versions/v3
+++ b/live-build/apparmor/7.0/policy/notify_versions/v3
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/notify_versions/v5
+++ b/live-build/apparmor/7.0/policy/notify_versions/v5
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/outofband
+++ b/live-build/apparmor/7.0/policy/outofband
@ -0,0 +1 @@
+0x000001
--- a/live-build/apparmor/7.0/policy/permstable32
+++ b/live-build/apparmor/7.0/policy/permstable32
@ -0,0 +1 @@
+allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
--- a/live-build/apparmor/7.0/policy/permstable32_version
+++ b/live-build/apparmor/7.0/policy/permstable32_version
@ -0,0 +1 @@
+0x000003
--- a/live-build/apparmor/7.0/policy/set_load
+++ b/live-build/apparmor/7.0/policy/set_load
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/state32
+++ b/live-build/apparmor/7.0/policy/state32
@ -0,0 +1 @@
+0x000001
--- a/live-build/apparmor/7.0/policy/unconfined_restrictions/change_profile
+++ b/live-build/apparmor/7.0/policy/unconfined_restrictions/change_profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/unconfined_restrictions/io_uring
+++ b/live-build/apparmor/7.0/policy/unconfined_restrictions/io_uring
@ -0,0 +1 @@
+1
--- a/live-build/apparmor/7.0/policy/unconfined_restrictions/userns
+++ b/live-build/apparmor/7.0/policy/unconfined_restrictions/userns
@ -0,0 +1 @@
+1
--- a/live-build/apparmor/7.0/policy/versions/v5
+++ b/live-build/apparmor/7.0/policy/versions/v5
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/versions/v6
+++ b/live-build/apparmor/7.0/policy/versions/v6
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/versions/v7
+++ b/live-build/apparmor/7.0/policy/versions/v7
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/versions/v8
+++ b/live-build/apparmor/7.0/policy/versions/v8
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/policy/versions/v9
+++ b/live-build/apparmor/7.0/policy/versions/v9
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/ptrace/mask
+++ b/live-build/apparmor/7.0/ptrace/mask
@ -0,0 +1 @@
+read trace
--- a/live-build/apparmor/7.0/query/label/data
+++ b/live-build/apparmor/7.0/query/label/data
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/query/label/multi_transaction
+++ b/live-build/apparmor/7.0/query/label/multi_transaction
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/7.0/query/label/perms
+++ b/live-build/apparmor/7.0/query/label/perms
@ -0,0 +1 @@
+allow deny audit quiet
--- a/live-build/apparmor/7.0/rlimit/mask
+++ b/live-build/apparmor/7.0/rlimit/mask
@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
--- a/live-build/apparmor/7.0/signal/mask
+++ b/live-build/apparmor/7.0/signal/mask
@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
--- a/live-build/auto/build
+++ b/live-build/auto/build
@ -424,7 +424,12 @@ case $LB_INITRAMFS in
 		;;
 esac

-for OUTPUT in ext2 ext3 ext4 manifest manifest-remove size squashfs; do
+# For MAKE_ISO=yes builds, most artifacts (squashfs, kernel, initrd) are
+# placed directly into the ISO tree by lb_binary_layered and binary hooks.
+# Only create livecd.* intermediate artifacts for non-ISO builds; the manifest
+# is created unconditionally below.
+if [ "${MAKE_ISO}" != "yes" ]; then
+	for OUTPUT in ext2 ext3 ext4 manifest-remove size squashfs; do
 		[ -e "binary/$INITFS/filesystem.$OUTPUT" ] || continue
 		ln "binary/$INITFS/filesystem.$OUTPUT" "$PREFIX.$OUTPUT"
 		chmod 644 "$PREFIX.$OUTPUT"
@ -451,12 +456,6 @@ elif [ -e binary-tar.tar.gz ]; then
 		cp -a binary-tar.tar.gz "$PREFIX.rootfs.tar.gz"
 	fi

-# '--initramfs none' produces different manifest names.
-if [ -e "binary/$INITFS/filesystem.packages" ]; then
-	ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
-	chmod 644 "$PREFIX.manifest"
-fi
-
 	# If a .filelist is present, use it as the filelist for the image by
 	# symlinking with expected name and updating permissions
 	if [ -e "binary/$INITFS/filesystem.filelist" ]; then
@ -472,13 +471,6 @@ if [ -e "binary/$INITFS/filesystem.packages-remove" ]; then
 		fi
 	fi

-# Since snaps are now Ubuntu first-class citizen, so always try fetching the
-# list of seeded snaps into the manifest.  In case of layered images we skip
-# this step, as we assume they're doing it on their own at some earlier stage.
-if [ -z "$PASSES" ] && [ -e "$PREFIX.manifest" ]; then
-	./config/snap-seed-parse "chroot/" "$PREFIX.manifest"
-fi
-
 	for FLAVOUR in $LB_LINUX_FLAVOURS; do
 		if [ -z "$LB_LINUX_FLAVOURS" ] || [ "$LB_LINUX_FLAVOURS" = "none" ]; then
 			continue
@ -562,6 +554,27 @@ case $SUBARCH in
 			cp $PREFIX.kernel $UBOOT_BOOT/vmlinuz || true
 			;;
 	esac
+fi
+
+# Create manifest unconditionally (needed for both ISO and non-ISO builds).
+if [ -e "binary/$INITFS/filesystem.manifest" ]; then
+	ln "binary/$INITFS/filesystem.manifest" "$PREFIX.manifest"
+elif [ -e "binary/$INITFS/filesystem.packages" ]; then
+	# '--initramfs none' produces different manifest names.
+	ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
+elif [ -n "$LIVE_PASSES" ]; then
+	# For layered images, keep the manifest of the last (only?) live pass
+	for _PASS in $LIVE_PASSES; do
+		ln -f "${CASPER_DIR}/$_PASS.manifest.full" "$PREFIX.manifest"
+	done
+fi
+chmod 644 "$PREFIX.manifest"
+# Since snaps are now Ubuntu first-class citizen, so always try fetching the
+# list of seeded snaps into the manifest.  In case of layered images we skip
+# this step, as we assume they're doing it on their own at some earlier stage.
+if [ -z "$PASSES" ] && [ -e "$PREFIX.manifest" ]; then
+	./config/snap-seed-parse "chroot/" "$PREFIX.manifest"
+fi

 case $PROJECT in
    ubuntu-cpc)
@ -569,25 +582,19 @@ case $PROJECT in
 esac

 if [ "${MAKE_ISO}" = "yes" ]; then
-	# Link build artifacts with "for-iso." prefix for isobuild to consume.
-	# Layered builds create squashfs via lb_binary_layered (which already
-	# creates for-iso.*.squashfs files). Single-pass builds only have
-	# ${PREFIX}.squashfs, which does not contain cdrom.sources, so we
-	# create a for-iso.filesystem.squashfs that does.
-	if [ -z "$PASSES" ]; then
+	# For non-layered builds, create squashfs with cdrom.sources directly
+	# in casper/. Layered builds already handle this in lb_binary_layered.
+	if [ -z "$PASSES" ] && [ "$PROJECT" != "ubuntu-mini-iso" ]; then
+		if [ -n "${POOL_SEED_NAME}" ]; then
 			isobuild generate-sources --mountpoint=/cdrom > chroot/etc/apt/sources.list.d/cdrom.sources
-		create_squashfs chroot ${PWD}/for-iso.filesystem.squashfs
-	fi
-	# Link kernel and initrd files. The ${thing#${PREFIX}} expansion strips
-	# the PREFIX, so "livecd.ubuntu-server.kernel-generic" becomes
-	# "for-iso.kernel-generic".
-	for thing in ${PREFIX}.kernel-* ${PREFIX}.initrd-*; do
-		for_iso_path=for-iso${thing#${PREFIX}}
-		if [ ! -f $for_iso_path ]; then
-			ln -v $thing $for_iso_path
 		fi
+		create_squashfs chroot ${PWD}/${CASPER_DIR}/filesystem.squashfs
+		rm chroot/etc/apt/sources.list.d/cdrom.sources
+		for flavor in $LB_LINUX_FLAVOURS; do
+			iso_install_kernel "$flavor" binary/${INITFS}/vmlinu?-* binary/${INITFS}/initrd.img-*
 		done
-	isobuild add-live-filesystem --artifact-prefix for-iso.
+	fi
+	isobuild extract-casper-uuids
 	isobuild make-bootable --project "${PROJECT}" --capproject "$(cat config/iso-ids/capproject)" \
 		${SUBARCH:+--subarch "${SUBARCH}"}
 	isobuild make-iso --volid "$(cat config/iso-ids/vol-id)" --dest ${PREFIX}.iso
--- a/live-build/auto/config
+++ b/live-build/auto/config
@ -41,7 +41,7 @@ if [ -z "$MIRROR" ]; then
 			;;
 		*)
 			case $ARCH in
-				i386|amd64)	MIRROR=http://archive.ubuntu.com/ubuntu/ ;;
+				i386|amd64|arm64)	MIRROR=http://archive.ubuntu.com/ubuntu/ ;;
 				*)			MIRROR=http://ports.ubuntu.com/ubuntu-ports/ ;;
 			esac
 			;;
@ -491,31 +491,23 @@ case $IMAGEFORMAT in
 				*) ;;
 			esac

-			# Ubuntu Core 24
+			# Ubuntu Core 26
 			# For now we stick to updating this by hand, but a more tasteful solution
 			# will follow
-			CORE_MAJOR=24
+			CORE_MAJOR=26

-			# Currently uc24 assertions do not support global channel overrides,
-			# instead we have per-channel models
+			# For UC26+ we build only images using stable channels,
+			# for either signed or dangerous grade.
 			case $CHANNEL in
 				stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}"
 					;;
-				candidate|beta|edge|dangerous)
-					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-${CHANNEL}"
-					;;
-				dangerous-*)
-					# That being said, the dangerous grade *does*
-					# support channel overrides, so we can use the
-					# dangerous model assertion and override the channel
-					# freely.
+				dangerous-stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-dangerous"
 					CHANNEL=${CHANNEL#dangerous-}
-					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
+					echo "Unsupported CHANNEL ${CHANNEL} specification for ${SUITE}"
 					exit 1
 					;;
 			esac
@ -525,7 +517,7 @@ case $IMAGEFORMAT in
 					EXTRA_SNAPS="$EXTRA_SNAPS core bluez alsa-utils"
 					;;
 				*)
-					# For all Ubuntu Core 24 reference images, add console-conf
+					# For all Ubuntu Core reference images, add console-conf
 					EXTRA_SNAPS="$EXTRA_SNAPS console-conf"
 					;;
 			esac
@ -1183,6 +1175,7 @@ case $PROJECT in
 		KERNEL_FLAVOURS=none
 		BINARY_REMOVE_LINUX=false
 		MAKE_ISO=yes
+		POOL_SEED_NAME=

 		add_package install mini-iso-tools linux-generic
 		case $ARCH in
@ -1567,7 +1560,8 @@ case $PROJECT:${SUBPROJECT:-} in
 	ubuntu-cpc:*|ubuntu-server:live|ubuntu:desktop-preinstalled| \
 		ubuntu-wsl:*|ubuntu-mini-iso:*|ubuntu-test-iso:*|ubuntu:|ubuntu:dangerous|ubuntu-oem:*| \
 		ubuntustudio:*|edubuntu:*|ubuntu-budgie:*|ubuntucinnamon:*|xubuntu:*| \
-	        ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*)
+		ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*|kubuntu:*| \
+		ubuntu-unity:*)
 		# Ensure that most things e.g. includes.chroot are copied as is
 		for entry in ${LIVECD_ROOTFS_ROOT}/live-build/${PROJECT}/*; do
 			case $entry in
@ -1737,9 +1731,12 @@ EOF
 fi

 if [ "${MAKE_ISO}" = "yes" ]; then
-	# XXX should pass --build-type here.
+	# XXX --build-type should be passed via build args once
+	# https://code.launchpad.net/~mwhudson/launchpad-buildd/+git/launchpad-buildd/+merge/497089
+	# is merged.
 	${LIVECD_ROOTFS_ROOT}/live-build/gen-iso-ids \
 		--project $PROJECT ${SUBPROJECT:+--subproject $SUBPROJECT} \
+		--build-type Release \
 		--arch $ARCH ${SUBARCH:+--subarch $SUBARCH} ${NOW+--serial $NOW} \
 		--output-dir config/iso-ids/
 fi
--- a/live-build/buildd/hooks/52-linux-virtual-image.binary
+++ b/live-build/buildd/hooks/52-linux-virtual-image.binary
@ -50,7 +50,7 @@ env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \

 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
-    install -y lsb-release locales initramfs-tools busybox-initramfs \
+    install -y lsb-release locales dracut busybox-initramfs \
               udev dbus netplan.io cloud-init openssh-server sudo snapd \
               lxd-agent-loader

--- a/live-build/edubuntu/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/edubuntu/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot
--- a/live-build/functions
+++ b/live-build/functions
@ -573,7 +573,7 @@ _snap_post_process() {
            # If the 'core' snap is not present, assume we are coreXX-only and
            # install the snapd snap.
            channel=stable
-            if [ "$PROJECT" = "ubuntu" -o "$SUBPROJECT" = "dangerous" ]; then
+            if [ "$SUBPROJECT" = "dangerous" ]; then
                channel=edge
            fi
            if [ ! -f ${snaps_dir}/core_[0-9]*.snap ]; then
@ -1456,3 +1456,17 @@ gpt_root_partition_uuid() {
 isobuild () {
    PYTHONPATH=${LIVECD_ROOTFS_ROOT}/live-build/ ${LIVECD_ROOTFS_ROOT}/live-build/isobuild --workdir config/iso-dir "$@"
 }
+
+CASPER_DIR=config/iso-dir/iso-root/casper
+
+# Install kernel+initrd into the ISO casper directory.
+# Usage: iso_install_kernel <flavor> <kernel-path> <initrd-path>
+iso_install_kernel() {
+    local flavor=$1 kernel=$2 initrd=$3
+    local kernel_name=vmlinuz
+    case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
+    local prefix=""
+    case $flavor in *-hwe) prefix="hwe-" ;; esac
+    cp "$kernel" "$CASPER_DIR/${prefix}${kernel_name}"
+    cp "$initrd" "$CASPER_DIR/${prefix}initrd"
+}
--- a/live-build/isobuild
+++ b/live-build/isobuild
@ -39,10 +39,9 @@
 # Generate an apt deb822 source for the pool, assuming it is mounted at the
 # passed mountpoint, and output it on stdout.
 #
-# $ isobuild --work-dir "" add-live-filesystem --artifact-prefix ""
+# $ isobuild --work-dir "" extract-casper-uuids
 #
-# Copy the relevant artifacts to the casper directory (and extract the uuids
-# from the initrds)
+# Extract casper UUID files from the initrds in the casper directory.
 #
 # $ isobuild --work-dir "" make-bootable --project "" --capitalized-project ""
 #            --subarch ""
@ -169,14 +168,9 @@ def generate_sources(builder, mountpoint: str):
    builder.generate_sources(mountpoint)


-@click.option(
-    "--artifact-prefix",
-    type=click.Path(dir_okay=False, resolve_path=True, path_type=pathlib.Path),
-    required=True,
-)
@subcommand
-def add_live_filesystem(builder, artifact_prefix: pathlib.Path):
-    builder.add_live_filesystem(artifact_prefix)
+def extract_casper_uuids(builder):
+    builder.extract_casper_uuids()


@click.option(
--- a/live-build/isobuilder/builder.py
+++ b/live-build/isobuilder/builder.py
@ -218,7 +218,7 @@ class ISOBuilder:
            )
        )

-    def _extract_casper_uuids(self):
+    def extract_casper_uuids(self):
        # Extract UUID files from initrd images for casper (the live boot system).
        # Each initrd contains a conf/uuid.conf with a unique identifier that
        # casper uses at boot time to locate the correct root filesystem. These
@ -255,43 +255,6 @@ class ISOBuilder:
                uuid_conf.rename(dot_disk.joinpath(f"casper-uuid-{suffix}"))
                shutil.rmtree(initrddir)

-    def add_live_filesystem(self, artifact_prefix: pathlib.Path):
-        casper_dir = self.iso_root.joinpath("casper")
-        artifact_dir = artifact_prefix.parent
-        filename_prefix = artifact_prefix.name
-
-        def link(src: pathlib.Path, target_name: str):
-            target = casper_dir.joinpath(target_name)
-            self.logger.log(
-                f"creating link from $ISOROOT/casper/{target_name} to $src/{src.name}"
-            )
-            target.hardlink_to(src)
-
-        kernel_name = "vmlinuz"
-        if self.arch in ("ppc64el", "riscv64"):
-            kernel_name = "vmlinux"
-
-        with self.logger.logged(
-            f"linking artifacts from {casper_dir} to {artifact_dir}"
-        ):
-            for ext in "squashfs", "squashfs.gpg", "size", "manifest", "yaml":
-                for path in artifact_dir.glob(f"{filename_prefix}*.{ext}"):
-                    newname = path.name[len(filename_prefix) :]
-                    link(path, newname)
-
-            for kernel_path in artifact_dir.glob(f"{filename_prefix}kernel*"):
-                suffix = kernel_path.name[len(filename_prefix) + len("kernel") :]
-                prefix = "hwe-" if suffix.endswith("-hwe") else ""
-                link(
-                    artifact_dir.joinpath(f"{filename_prefix}kernel{suffix}"),
-                    f"{prefix}{kernel_name}",
-                )
-                link(
-                    artifact_dir.joinpath(f"{filename_prefix}initrd{suffix}"),
-                    f"{prefix}initrd",
-                )
-        self._extract_casper_uuids()
-
    def make_bootable(self, project: str, capproject: str, subarch: str):
        configurator = make_boot_configurator_for_arch(
            self.arch,
@ -310,11 +273,14 @@ class ISOBuilder:
    def checksum(self):
        # Generate md5sum.txt for ISO integrity verification.
        # - Symlinks are excluded because their targets are already checksummed
+        # - eltorito.img is excluded because xorriso will modify it in output ISO
        # - Files are sorted for deterministic, reproducible output across builds
        # - Paths use "./" prefix and we run md5sum from iso_root so the output
        #   matches what users get when they verify with "md5sum -c" from the ISO
        all_files = []
+        exclusions = ["eltorito.img"]
        for dirpath, dirnames, filenames in self.iso_root.walk():
+            filenames = [fn for fn in filenames if fn not in exclusions]
            filepaths = [dirpath.joinpath(filename) for filename in filenames]
            all_files.extend(
                "./" + str(filepath.relative_to(self.iso_root))
--- a/live-build/kubuntu/hooks/020-kubuntu-live.chroot_early
+++ b/live-build/kubuntu/hooks/020-kubuntu-live.chroot_early
@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF
--- a/live-build/lb_binary_layered
+++ b/live-build/lb_binary_layered
@ -61,7 +61,7 @@ build_layered_squashfs () {

 	# Building squashfs filesystem & manifest
 	local overlay_dir="overlay.${pass}"
-	base="${PWD}/livecd.${PROJECT_FULL}.${pass}"
+	base="${PWD}/${CASPER_DIR}/${pass}"
 	squashfs_f="${base}.squashfs"

 	# We have already treated that pass
@ -91,6 +91,20 @@ build_layered_squashfs () {

 	# Copy initrd and vmlinuz outside of chroot and remove them from the layer squashfs
 	if $(is_live_layer "$pass"); then
+		# For *.live passes (desktop builds), the kernel flavor comes from
+		# LB_LINUX_FLAVOURS.  For other live passes (server installer passes
+		# like "...installer.generic-hwe"), the flavor is encoded as the
+		# final dot-separated component of the pass name.
+		case "$pass" in
+			*.live)
+				for flavor in $LB_LINUX_FLAVOURS; do
+					iso_install_kernel "$flavor" chroot/boot/vmlinu?-* chroot/boot/initrd.img-*
+				done
+				;;
+			*)
+				iso_install_kernel "${pass##*.}" chroot/boot/vmlinu?-* chroot/boot/initrd.img-*
+				;;
+		esac
 		lb binary_linux-image ${*}
 		rm -f chroot/boot/initrd.img-* chroot/boot/vmlinu{x,z}-*
 	fi
@ -116,32 +130,13 @@ build_layered_squashfs () {
 		create_manifest "chroot" "${squashfs_f_manifest}.full"

 		# Delta manifest
-		diff -NU0 ${PWD}/livecd.${PROJECT_FULL}.$(get_parent_pass $pass).manifest.full ${squashfs_f_manifest}.full|grep -v ^@ > $squashfs_f_manifest || true
+		diff -NU0 ${PWD}/${CASPER_DIR}/$(get_parent_pass $pass).manifest.full ${squashfs_f_manifest}.full|grep -v ^@ > $squashfs_f_manifest || true
 		echo "Delta manifest:"
 		cat $squashfs_f_manifest

 		squashfs_f_size="${base}.size"
 		du -B 1 -s "overlay.${pass}/" | cut -f1 > "${squashfs_f_size}"

-		# We take first live pass for "global" ISO properties (used by installers and checkers):
-		# Prepare initrd + kernel
-		# Main manifest and size files
-		prefix="livecd.$PROJECT_FULL"
-		if [ ! -e "${prefix}.manifest" ] && $(is_live_layer "$pass"); then
-			totalsize=$(cat ${squashfs_f_size})
-			curpass="$pass"
-			while :; do
-				curpass=$(get_parent_pass $curpass)
-				# We climbed up the tree to the root layer, we are done
-				[ -z "$curpass" ] && break
-
-				totalsize=$(expr $totalsize + $(cat "${PWD}/livecd.${PROJECT_FULL}.${curpass}.size"))
-			done
-			echo ${totalsize} > "${prefix}.size"
-
-			cp "${squashfs_f_manifest}.full" "${prefix}.manifest"
-		fi
-
 		if [ -n "$lowerdirs" ]; then
 			# Although the current chroot was created as an overlay over
 			# the previous layer, many operations can result in redundant
@ -183,23 +178,17 @@ build_layered_squashfs () {
 			${LIVECD_ROOTFS_ROOT}/sync-mtime chroot "$overlay_dir"
 		fi

-		create_squashfs "${overlay_dir}" ${squashfs_f}
-		# Create a "for-iso" variant of the squashfs for ISO builds. For
-		# the root layer (the base system) when building with a pool, we
-		# need to include cdrom.sources so casper can access the ISO's
-		# package repository. This requires regenerating the squashfs with
-		# that file included, then removing it (so it doesn't pollute the
-		# regular squashfs). Non-root layers (desktop environment, etc.)
-		# and builds without pools can just hardlink to the regular squashfs.
+		# For the root layer when building with a pool, include
+		# cdrom.sources so casper can access the ISO's package repository.
 		if [ -n "${POOL_SEED_NAME}" ] && $(is_root_layer $pass); then
 			isobuild generate-sources --mountpoint=/cdrom > ${overlay_dir}/etc/apt/sources.list.d/cdrom.sources
-			create_squashfs "${overlay_dir}" ${PWD}/for-iso.${pass}.squashfs
-			rm ${overlay_dir}/etc/apt/sources.list.d/cdrom.sources
 		fi
+		create_squashfs "${overlay_dir}" ${squashfs_f}
+		rm -f ${overlay_dir}/etc/apt/sources.list.d/cdrom.sources

 		if [ -f config/$pass.catalog-in.yaml ]; then
 			echo "Expanding catalog entry template for $pass"
-			usc_opts="--output livecd.${PROJECT_FULL}.install-sources.yaml \
+			usc_opts="--output ${CASPER_DIR}/install-sources.yaml \
 				--template config/$pass.catalog-in.yaml \
 				--size $(du -B 1 -s chroot/ | cut -f1) --squashfs ${pass}.squashfs \
 				--translations config/catalog-translations"
@ -225,25 +214,11 @@ do
 	build_layered_squashfs "${_PASS}" ${*}
 done

-if [ -n "$DEFAULT_KERNEL" -a -f livecd.${PROJECT_FULL}.install-sources.yaml ]; then
+if [ -n "$DEFAULT_KERNEL" -a -f ${CASPER_DIR}/install-sources.yaml ]; then
 	write_kernel_yaml "$DEFAULT_KERNEL" "$BRIDGE_KERNEL_REASONS"
 	${LIVECD_ROOTFS_ROOT}/update-source-catalog merge \
-		--output livecd.${PROJECT_FULL}.install-sources.yaml \
+		--output ${CASPER_DIR}/install-sources.yaml \
 		--template config/kernel.yaml
 fi

-# Ubiquity-compatible removal manifest for ISO not using a layered-aware installer
-if [ -n "$(ls livecd.${PROJECT_FULL}.*install.live.manifest.full 2>/dev/null)" ] && \
-   [ -n "$(ls livecd.${PROJECT_FULL}.*install.manifest.full 2>/dev/null)" ]; then
-	echo "$(diff livecd.${PROJECT_FULL}.*install.live.manifest.full livecd.${PROJECT_FULL}.*install.manifest.full | awk '/^< / { print $2 }')" > livecd.${PROJECT_FULL}-manifest-remove
-fi
-
-chmod 644 *.squashfs *.manifest* *.size
-
-prefix=livecd.${PROJECT_FULL}
-for artifact in ${prefix}.*; do
-	for_iso_path=for-iso${artifact#${prefix}}
-	if [ ! -f $for_iso_path ]; then
-		ln -v $artifact $for_iso_path
-	fi
-done
+chmod 644 ${CASPER_DIR}/*.squashfs ${CASPER_DIR}/*.manifest* ${CASPER_DIR}/*.size
--- a/live-build/lubuntu/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/lubuntu/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot
--- a/live-build/ubuntu-budgie/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/ubuntu-budgie/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot
--- a/live-build/ubuntu-core-installer/includes.chroot.base.live/etc/cloud/cloud.cfg
+++ b/live-build/ubuntu-core-installer/includes.chroot.base.live/etc/cloud/cloud.cfg
@ -76,7 +76,7 @@ system_info:
      templates_dir: /etc/cloud/templates/
      upstart_dir: /etc/init/
   package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
       failsafe:
         primary: http://archive.ubuntu.com/ubuntu
         security: http://security.ubuntu.com/ubuntu
@ -86,7 +86,7 @@ system_info:
           - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
           - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
         security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
       failsafe:
         primary: http://ports.ubuntu.com/ubuntu-ports
         security: http://ports.ubuntu.com/ubuntu-ports
--- a/live-build/ubuntu-mate/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/ubuntu-mate/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot
--- a/live-build/ubuntu-mini-iso/hooks/01-mini-iso.binary
+++ b/live-build/ubuntu-mini-iso/hooks/01-mini-iso.binary
@ -1,11 +1,11 @@
 #!/bin/sh

-# Create kernel/initrd artifacts for isobuilder to consume.
-# The standard MAKE_ISO flow in auto/build expects files named
-# ${PREFIX}.kernel-${flavour} and ${PREFIX}.initrd-${flavour}.
+# Install kernel/initrd directly into the ISO casper directory.

 set -eu

+. config/functions
+
 case $ARCH in
    amd64)
        ;;
@ -14,7 +14,4 @@ case $ARCH in
        ;;
 esac

-PREFIX="livecd.${PROJECT}"
-
-cp chroot/boot/vmlinuz "${PREFIX}.kernel-generic"
-cp chroot/boot/initrd.img "${PREFIX}.initrd-generic"
+iso_install_kernel generic chroot/boot/vmlinuz chroot/boot/initrd.img
--- a/live-build/ubuntu-server/hooks/04-kernel-bits.binary
+++ b/live-build/ubuntu-server/hooks/04-kernel-bits.binary
@ -1,21 +0,0 @@
-#!/bin/bash -eux
-# vi: ts=4 noexpandtab
-
-case $PASS in
-    ubuntu-server-minimal.ubuntu-server.installer.*.*)
-        exit 0
-        ;;
-    ubuntu-server-minimal.ubuntu-server.installer.*)
-        flavor=${PASS##*.}
-        ;;
-    *)
-        exit 0
-        ;;
-esac
-
-PROJECT=$PROJECT${SUBARCH:+-$SUBARCH}
-
-# Fish out generated kernel image and initrd
-mv chroot/boot/initrd.img-* ${PWD}/livecd.${PROJECT}.initrd-$flavor
-mv chroot/boot/vmlinu?-* ${PWD}/livecd.${PROJECT}.kernel-$flavor
-chmod a+r ${PWD}/livecd.${PROJECT}.initrd-$flavor ${PWD}/livecd.${PROJECT}.kernel-$flavor
--- a/live-build/ubuntu-server/hooks/05-netboot-tarball.binary
+++ b/live-build/ubuntu-server/hooks/05-netboot-tarball.binary
@ -21,6 +21,8 @@ case $PASS in
        ;;
 esac

+. config/functions
+
 set -eux

 # Extract the flavor from the pass name
@ -29,8 +31,14 @@ flavor=${flavor##*.}

 PROJECT=$PROJECT${SUBARCH:+-$SUBARCH}

-KERNEL=${PWD}/livecd.${PROJECT}.kernel-$flavor
-INITRD=${PWD}/livecd.${PROJECT}.initrd-$flavor
+# Read kernel/initrd from the ISO casper directory where iso_install_kernel
+# placed them.
+kernel_name=vmlinuz
+case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
+casper_prefix=""
+case $flavor in *-hwe) casper_prefix="hwe-" ;; esac
+KERNEL=${CASPER_DIR}/${casper_prefix}${kernel_name}
+INITRD=${CASPER_DIR}/${casper_prefix}initrd

 mkdir -p tarball/$ARCH

--- a/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/cloud/cloud.cfg
+++ b/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/cloud/cloud.cfg
@ -76,7 +76,7 @@ system_info:
      templates_dir: /etc/cloud/templates/
      upstart_dir: /etc/init/
   package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
       failsafe:
         primary: http://archive.ubuntu.com/ubuntu
         security: http://security.ubuntu.com/ubuntu
@ -86,7 +86,7 @@ system_info:
           - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
           - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
         security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
       failsafe:
         primary: http://ports.ubuntu.com/ubuntu-ports
         security: http://ports.ubuntu.com/ubuntu-ports
--- a/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf
+++ b/live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf
@ -1,16 +1,5 @@
 # AppArmor restrictions of unprivileged user namespaces

-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
--- a/live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early
+++ b/live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early
@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF
--- a/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
+++ b/live-build/ubuntu/hooks/020-ubuntu-live.chroot_early
@ -18,18 +18,7 @@ EOF
 cat <<EOF > /etc/sysctl.d/20-apparmor.conf
 # AppArmor restrictions of unprivileged user namespaces

-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
 EOF
--- a/live-build/ubuntu/hooks/040-hyperv-desktop-images.binary
+++ b/live-build/ubuntu/hooks/040-hyperv-desktop-images.binary
@ -44,9 +44,13 @@ trap cleanup_hyperv EXIT
 # use it if they want.
 touch "${scratch_d}/etc/cloud/cloud-init.disabled"

+mkdir -p "${scratch_d}/etc/dracut.conf.d"
+cat > "${scratch_d}/etc/dracut.conf.d/hyperv.conf" << EOF
+hostonly=no
+EOF

 chroot "${scratch_d}" apt-get update -y
-chroot "${scratch_d}" apt-get -y install xrdp linux-azure linux-tools-azure linux-cloud-tools-azure polkitd-pkla oem-config-gtk language-pack-en-base oem-config-slideshow-ubuntu
+chroot "${scratch_d}" apt-get -y install xrdp linux-azure linux-tools-azure linux-cloud-tools-azure oem-config-gtk language-pack-en-base oem-config-slideshow-ubuntu

 cat > ${scratch_d}/etc/modules-load.d/hyperv.conf << EOF
 ${IMAGE_STR}
@ -99,23 +103,30 @@ blacklist vmw_vsock_vmci_transport
 EOF

 # Configure the policy xrdp session
-cat > ${scratch_d}/etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla << EOF
-${IMAGE_STR}
-[Allow Colord all Users]
-Identity=unix-user:*
-Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
-ResultAny=no
-ResultInactive=no
-ResultActive=yes
+cat > ${scratch_d}/etc/polkit-1/rules.d/45-allow-colord.rules << EOF
+// ${IMAGE_STR}
+// Allow Colord all Users
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.color-manager.create-device" ||
+         action.id == "org.freedesktop.color-manager.create-profile" ||
+         action.id == "org.freedesktop.color-manager.delete-device" ||
+         action.id == "org.freedesktop.color-manager.delete-profile" ||
+         action.id == "org.freedesktop.color-manager.modify-device" ||
+         action.id == "org.freedesktop.color-manager.modify-profile") &&
+        subject.active) {
+        return polkit.Result.YES;
+    }
+});
 EOF

-cat >${scratch_d}/etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
-[Allow Package Management all Users]
-Identity=unix-user:*
-Action=org.freedesktop.packagekit.system-sources-refresh
-ResultAny=yes
-ResultInactive=yes
-ResultActive=yes
+cat >${scratch_d}/etc/polkit-1/rules.d/46-allow-update-repo.rules <<EOF
+// ${IMAGE_STR}
+// Allow Package Management all Users
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.packagekit.system-sources-refresh") {
+        return polkit.Result.YES;
+    }
+});
 EOF

 sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-config/run\nAfter=|g' "${scratch_d}/lib/systemd/system/xrdp.service"
@ -123,7 +134,7 @@ sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-conf
 # End xrdp customisation

 # Don't run gnome-initial-setup from gdm
-sed -i${CHANGED_FILE_SUFFIX} "s|#WaylandEnable=false|#WaylandEnable=false\nInitialSetupEnable=false|" "${scratch_d}/etc/gdm3/custom.conf"
+sed -i${CHANGED_FILE_SUFFIX} "s|\[daemon\]|[daemon]\nInitialSetupEnable=false|" "${scratch_d}/etc/gdm3/custom.conf"
 chroot "${scratch_d}" /usr/sbin/useradd -d /home/oem -m -N -u 29999 oem
 chroot "${scratch_d}" /usr/sbin/oem-config-prepare --quiet
 touch "${scratch_d}/var/lib/oem-config/run"
--- a/live-build/ubuntu/includes.chroot.minimal.standard.live/etc/cloud/cloud.cfg
+++ b/live-build/ubuntu/includes.chroot.minimal.standard.live/etc/cloud/cloud.cfg
@ -76,7 +76,7 @@ system_info:
      templates_dir: /etc/cloud/templates/
      upstart_dir: /etc/init/
   package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
       failsafe:
         primary: http://archive.ubuntu.com/ubuntu
         security: http://security.ubuntu.com/ubuntu
@ -86,7 +86,7 @@ system_info:
           - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
           - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
         security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
       failsafe:
         primary: http://ports.ubuntu.com/ubuntu-ports
         security: http://ports.ubuntu.com/ubuntu-ports
--- a/live-build/ubuntucinnamon/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/ubuntucinnamon/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot
--- a/live-build/ubuntukylin/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/ubuntukylin/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot
--- a/live-build/ubuntustudio/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/ubuntustudio/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot
--- a/live-build/xubuntu/hooks/03-initramfs-enforcement.chroot
+++ b/live-build/xubuntu/hooks/03-initramfs-enforcement.chroot
@ -0,0 +1,34 @@
+#!/bin/bash -e
+# vi: ts=4 noexpandtab
+
+# In a kernel layer, we need a freshly updated initrd (to ensure it
+# has been casperized with an appropriate config). A binary hook will
+# pull this out to be a separate build artifact to eventually end up
+# in /casper on the generated ISO.
+
+# In all lower layers, having an initrd just wastes space, as curtin
+# will always call update-initramfs after the layer has been copied to
+# the target system.
+
+# The netboot "layers" are not made into squashfses so there's no need
+# to do anything in those.
+
+. /root/config/common
+. /root/config/functions
+
+set -x
+
+if ! is_live_layer "${PASS}"; then
+	rm -f /boot/initrd.img-*
+	exit 0
+fi
+
+cat <<EOF > /etc/initramfs-tools/conf.d/casperize.conf
+export CASPER_GENERATE_UUID=1
+EOF
+cat <<EOF > /etc/initramfs-tools/conf.d/default-layer.conf
+LAYERFS_PATH=${PASS}.squashfs
+EOF
+# As this hook has deleted the initrds from lower layers we need to
+# pass -c -k all to update-initramfs here (-u will do nothing)
+update-initramfs -c -k all
Author	SHA1	Message	Date
michael.hudson@canonical.com	8b0b18a273	releasing package livecd-rootfs version 26.04.34	2026-04-18 08:22:07 +12:00
michael.hudson@canonical.com	558772b76b	Set build type to Release for final ISO builds.	2026-04-18 08:07:38 +12:00
Florent 'Skia' Jacquet	481697772b	releasing package livecd-rootfs version 26.04.33	2026-04-17 12:23:23 +02:00
Florent 'Skia' Jacquet	b18389e00b	Merge branch 'hyperv-pkla-to-rules' into ubuntu/master https://code.launchpad.net/~mstepan/livecd-rootfs/+git/livecd-rootfs/+merge/503828	2026-04-17 12:16:46 +02:00
Florent 'Skia' Jacquet	57eae14ef2	Merge branch 'fix-kubuntu' into ubuntu/master https://code.launchpad.net/~mwhudson/livecd-rootfs/+git/livecd-rootfs/+merge/503865	2026-04-17 12:06:01 +02:00
Florent 'Skia' Jacquet	fa24747150	changelog	2026-04-17 12:01:27 +02:00
Florent 'Skia' Jacquet	7c7b1b7c28	Merge remote-tracking branch 'dlalaj/buildd-dracut-initrd' into ubuntu/master https://code.launchpad.net/~dlalaj/livecd-rootfs/+git/livecd-rootfs/+merge/503761	2026-04-17 11:59:38 +02:00
michael.hudson@canonical.com	445e2c8664	Do not run 03-initramfs-enforcement.chroot for kubuntu, which is not a layered build.	2026-04-17 10:06:49 +12:00
Matthew Stepan	2f12636aa5	feat(hyperv): Migrate polkit .pkla to .rules for Resolute polkitd-pkla was removed from the archive between Noble and Resolute. We use these .pkla files explicitly in the Hyper-V hook, so these have been updated to .rules files to maintain the same functionality. Add dracut `hostonly=no` to fix a boot failure where systemd would hang waiting for dev-disk-by-label-desktop-rootfs. Fix GDM `InitialSetupEnable=false` sed to anchor on `[daemon]`, as the `#WaylandEnable=false` line no longer exists.	2026-04-16 13:06:27 -06:00
michael.hudson@canonical.com	86849598e0	releasing package livecd-rootfs version 26.04.32	2026-04-16 09:23:38 +12:00
michael.hudson@canonical.com	c698479689	commit message for unity/kubuntu apparmor change	2026-04-16 09:18:49 +12:00
michael.hudson@canonical.com	a68ab81199	Merge remote-tracking branch 'arraybolt3/arraybolt3/apparmor' into ubuntu/master	2026-04-16 09:15:24 +12:00
Denis Lalaj	0d7a22dd26	feat(buildd): Set dracut as the default initrd generator For RR (26.04), dracut should be the initrd generator instead of initramfs-tools. ubuntu-base buildd does not use seeds and therefore the change should enforced at the hook level	2026-04-15 13:16:09 -07:00
michael.hudson@canonical.com	29baaee6b0	Merge remote-tracking branch 'vhaudiquet/riscv64-restore-vmlinux' into ubuntu/master	2026-04-16 08:09:02 +12:00
michael.hudson@canonical.com	621eb44506	Merge branch 'fix/2146567' into ubuntu/master	2026-04-16 08:07:30 +12:00
Valentin Haudiquet	d7615a2237	Make sure kernel is 'vmlinux' on riscv64 Commit 51624c1b444d034ac06d9d0d6e2c02f73e856aa1 introduced a regression, changing kernel name from vmlinux to vmlinux (default) on riscv64. This fixes the regression and the bug in recent riscv64 iso images (preventing boot). Fixes: 51624c1b444d ("Place ISO artifacts directly into the ISO tree") Signed-off-by: Valentin Haudiquet <valentin.haudiquet@canonical.com>	2026-04-15 15:50:46 +02:00
Florent 'Skia' Jacquet	4a0c43b28a	Merge branch 'skia/document_local_builds' into ubuntu/master https://code.launchpad.net/~skia/livecd-rootfs/+git/livecd-rootfs/+merge/503633	2026-04-15 12:15:46 +02:00
Florent 'Skia' Jacquet	55ac901ace	Add README.local	2026-04-15 12:15:15 +02:00
Florent 'Skia' Jacquet	f63cae6452	Revert "Update SEEDMIRROR to point to the new infra" This reverts commit 9d10c8086541a42ab48799d23765251096c3d7fe. Actually, the new infra is not completely ready yet. There were concerns about opening up the firewall/proxy on the builders to a service that is way less strictly controlled than the current Archive toolbox. We'll need to address these concerns first, then we can proceed with the move.	2026-04-15 11:34:22 +02:00
michael.hudson@canonical.com	51d2b8b649	source config from the right location in 03-initramfs-enforcement.chroot	2026-04-15 16:09:14 +12:00
michael.hudson@canonical.com	5c832654a7	add changelog entry	2026-04-15 15:58:33 +12:00
michael.hudson@canonical.com	7b5b77ff68	Merge branch 'ubuntu/master' into fix/2146567	2026-04-15 15:38:36 +12:00
michael.hudson@canonical.com	170f595da5	use is_live_layer to detect a live layer in 03-initramfs-enforcement.chroot	2026-04-15 15:29:53 +12:00
michael.hudson@canonical.com	f1df4aeef1	Merge branch 'alfonsosanchezbeato/support-uc26' into ubuntu/master	2026-04-15 15:04:45 +12:00
Florent 'Skia' Jacquet	57bf691d9d	Merge branch 'skia/update_seeds_mirror' into ubuntu/master https://code.launchpad.net/~skia/livecd-rootfs/+git/livecd-rootfs/+merge/503627	2026-04-14 12:57:22 +02:00
Florent 'Skia' Jacquet	f0f48eaffe	changelog	2026-04-14 12:57:12 +02:00
Florent 'Skia' Jacquet	9d10c80865	Update SEEDMIRROR to point to the new infra	2026-04-14 12:35:06 +02:00
Alfonso Sánchez-Beato	06fe6a52fa	Add support for building Ubuntu Core 26 images	2026-04-13 13:34:29 -04:00
Chloé Smith	503957e278	Add d/ch entry for Resolute	2026-04-13 15:47:14 +01:00
Ryan Hill	cbd0149281	feat(apparmor) add missing network_v9_skb to 7.0 kernel tree	2026-04-13 15:44:52 +01:00
Florent 'Skia' Jacquet	db9f7564b8	Merge branch 'skia/more_manifest_fixes' into ubuntu/master https://code.launchpad.net/~ubuntu-core-dev/livecd-rootfs/+git/livecd-rootfs/+merge/503545	2026-04-13 15:17:55 +02:00
Florent 'Skia' Jacquet	da0b48e2bd	Pick a better manifest by using the live pass for layered images (LP: #2147921 )	2026-04-13 15:16:22 +02:00
Simon Poirier	7ac1f7ceb2	fix(flavors): regen initramfs on live layer for casper (LP: #2146567 ) Seed installation diverts initramfs install hooks. As we move base layers to dracut, casper is still needed for the live layer. This regenerates initrds after live layers install initramfs-tools, to make casper work, in case the base layer was using dracut.	2026-04-10 09:07:34 -04:00
Dan Bungert	7126d85e23	changelog	2026-04-08 16:08:55 -06:00
Dan Bungert	5b043a05e2	isobuilder: exclude eltorito.img from md5sum.txt	2026-04-08 16:08:24 -06:00
Florent 'Skia' Jacquet	b77fefbbba	releasing package livecd-rootfs version 26.04.29	2026-04-08 16:13:31 +02:00
Florent 'Skia' Jacquet	344a43bb0c	Merge branch 'skia/fix_manifest_artifact' into ubuntu/master https://code.launchpad.net/~skia/livecd-rootfs/+git/livecd-rootfs/+merge/503356	2026-04-08 16:11:23 +02:00
Florent 'Skia' Jacquet	f340ef5416	Make sure to produce a manifest for all images (LP: #2147522 )	2026-04-08 14:34:16 +02:00
Utkarsh Gupta	34ed622949	Update d/ch for 26.04.28 release	2026-04-02 18:34:39 +05:30
Utkarsh Gupta	c563ba5bf2	Switch arm64 mirror from ports to archive	2026-04-02 18:34:07 +05:30
michael.hudson@canonical.com	2e501bc3a9	releasing package livecd-rootfs version 26.04.27	2026-04-02 16:00:13 +13:00
michael.hudson@canonical.com	8b3805065d	commit message for 7.0 apparmor features	2026-04-02 15:47:26 +13:00
michael.hudson@canonical.com	b156e2c6ad	Merge remote-tracking branch 'rthill91/7.0-kernel' into ubuntu/master	2026-04-02 15:46:27 +13:00
michael.hudson@canonical.com	93c96af216	still publish manifest for ISO builds	2026-04-02 13:55:18 +13:00
michael.hudson@canonical.com	ace1c5f700	add changelog	2026-04-02 12:33:17 +13:00
michael.hudson@canonical.com	f432528b70	source config/functions in 05-netboot-tarball.binary so CASPER_DIR is defined	2026-04-02 12:32:06 +13:00
michael.hudson@canonical.com	24af8f137c	create_squashfs does not work with relative paths :/	2026-04-02 12:32:05 +13:00
michael.hudson@canonical.com	94963d8070	no pool for mini iso!	2026-04-02 12:32:03 +13:00
michael.hudson@canonical.com	cd968f5717	do not include squashfs on ubuntu-mini-iso	2026-04-02 12:32:00 +13:00
Ryan Hill	6d331d4d0b	add 7.0 kernel apparmor features preseeds Resolute is currently on kernel 7.0 so preseeding fails with a apparmor feature mismatch given that the live-build/apparmor/generic tree is used. Adding a 7.0 tree solves this.	2026-03-31 00:30:24 -05:00
Aaron Rainbolt	edec1f4a3f	Disable AppArmor user namespace restrictions on the live ISOs for Kubuntu and Ubuntu Unity	2026-03-30 11:00:42 -04:00
michael.hudson@canonical.com	51fa2b9b92	auto/build: install kernel into ISO tree for non-layered builds Non-layered MAKE_ISO=yes builds (e.g. kubuntu) had no equivalent of the lb_binary_layered kernel placement added in the previous commit: lb binary_linux-image put the kernel in binary/casper/ but nothing copied it into the ISO tree (CASPER_DIR). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-30 20:30:19 +13:00
michael.hudson@canonical.com	eaef671f74	Move kernel ISO placement from hook into lb_binary_layered 04-kernel-bits.binary only handled ubuntu-server; desktop builds (ubuntu, ubuntu-budgie, lubuntu, etc.) had no equivalent and so the kernel never reached the ISO casper directory for MAKE_ISO=yes builds. Centralise the logic in lb_binary_layered, which already knows which passes are live passes and is where the kernel is subsequently removed from the chroot overlay. The flavor is determined by convention: - passes ending in .live (desktop builds) use LB_LINUX_FLAVOURS - other live passes (server installer passes such as "...installer.generic-hwe") encode the flavor as the final dot-separated component of the pass name The netboot sub-passes (e.g. installer.generic.netboot) are never added to LIVE_PASSES, so is_live_layer already guards against them; the explicit exit-0 that 04-kernel-bits.binary needed is not required. MAKE_ISO is always "yes" when lb_binary_layered runs — every code path that sets PASSES_TO_LAYERS=true also sets MAKE_ISO=yes — so no conditional is needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-30 20:30:18 +13:00
michael.hudson@canonical.com	816eaed015	Source config/functions in hooks that call iso_install_kernel Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-30 20:30:17 +13:00
michael.hudson@canonical.com	51624c1b44	Place ISO artifacts directly into the ISO tree For MAKE_ISO=yes builds, squashfs, kernel, initrd, manifests, and sizes are now placed directly into config/iso-dir/iso-root/casper/ during the build rather than creating livecd.* intermediates that get linked as for-iso.* files and then copied into casper/ by isobuild. This stops publishing the intermediate livecd.* artifacts so that only livecd..iso and livecd..netboot.tar.gz are published for ISO builds. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-30 20:30:10 +13:00
Didier Roche-Tolomelli	1975bbd52b	releasing package livecd-rootfs version 26.04.26	2026-03-27 15:32:10 +01:00
Didier Roche-Tolomelli	916b693130	Ensure snapd tracks stable and not edge anymore. We did remove it from multiple places, but this one was left and as a consequence, the latest iso was still having snapd edge.	2026-03-27 15:30:31 +01:00
				`@ -0,0 +1 @@`
				`chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore`
				`@ -0,0 +1 @@`
				`create read write exec append mmap_exec link lock`
				`@ -0,0 +1 @@`
				`create read write open delete setattr getattr label`
				`@ -0,0 +1 @@`
				`unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp`
				`@ -0,0 +1 @@`
				`allow deny subtree cond kill complain prompt audit quiet hide xindex tag label`
				`@ -0,0 +1 @@`
				`cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime`
				`@ -0,0 +1 @@`
				`hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost`
				`@ -0,0 +1 @@`
				`../../xubuntu/hooks/03-initramfs-enforcement.chroot`