releasing package livecd-rootfs version 26.04.34

https://code.launchpad.net/~mstepan/livecd-rootfs/+git/livecd-rootfs/+merge/503828

README.local

@@ -0,0 +1,106 @@
+# Running livecd-rootfs builds locally
+
+`livecd-rootfs` is notoriously known to be... difficult?
+One question that often comes back is "how do I run that locally?".
+Brace yourself, here is a short guide to help you through this.
+
+## Where to run?
+
+While you could do that directly on your host machine, likely your development
+laptop, that would mean installing all the needed dependencies, and running
+livecd-rootfs as root (because of some `mount` steps, `chroot`, etc...).
+Not ideal.
+What you more likely want, and is documented here, is to run that in a LXD VM
+instead.
+
+## Prerequisites
+
+You need to have LXD installed and configured: https://canonical.com/lxd/install
+A clone of this repository, that will be used directly in the VM so that
+you can iterate and test changes easily before submitting them:
+```
+git clone https://git.launchpad.net/livecd-rootfs
+```
+
+## Build images
+
+All the magic is done by the `./live-build/build-livefs-lxd` script. It will
+basically perform the following actions for you:
+  * Launch (or re-start) a LXD VM on the `series` you're targetting.
+  * Install in there `livecd-rootfs` from the archive, to make sure all
+    dependencies are here and ready to use.
+  * Mount the `livecd-rootfs` sources in `/srv/livecd-rootfs`.
+  * Run `./live-build/build-livefs` with all the additional arguments you give.
+    That's what will build the ISO for you, take a lot of time, and bring your
+    machine down.
+
+Depending on what you want to work on, the iteration time can be quite long.
+Fortunately `livecd-rootfs` provides many different projects to work with,
+providing various experiences in terms of load, space, bandwidth and running
+time.
+
+Very fast and lightweight "fake" ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-test-iso
+```
+
+Ubuntu Desktop, the main flagship, and probably most complex ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu
+```
+
+Ubuntu Server Live, lighter ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-server --subproject live
+```
+
+Xubuntu Minimal, lighter desktop ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project xubuntu --subproject minimal
+```
+
+## Fetching the image
+
+Obviously, the image has been built inside the LXD VM, so you then need to extract it. Examples:
+```
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-test-iso.iso my_ubuntu-test-iso.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu.iso my_ubuntu.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-server.iso my_ubuntu-server.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.xubuntu.iso my_xubuntu.iso
+```
+
+The fetched ISO should normally boot and work just fine. For example with QEMU:
+```
+❯ kvm -m 3G -smp 2 -cdrom ./my_xubuntu.iso
+```
+
+## Clean up
+
+This will leave you with a running VM eating some precious 8GB from your host.
+You can stop and/or delete that VM with these:
+```
+❯ lxc stop livefs-builder-resolute
+❯ lxc delete livefs-builder-resolute
+```
+
+## Speeding things up with `apt-cacher-ng`
+
+All the previous steps work just fine, but when iterating, it's often very
+useful to cache all the package downloads, which can speed things up a lot,
+particularly if you don't live in one of Canonical's datacenters.
+
+Basically, on your host:
+```
+❯ sudo apt install apt-cacher-ng
+❯ cat ~/.config/livecd-rootfs/build-livefs.conf
+[defaults]
+mirror =  http://192.168.0.42:3142/archive.ubuntu.com/ubuntu
+```
+
+`~/.config/livecd-rootfs/build-livefs.conf` is indeed stored on your host, but
+will be copied automatically at the right place if it exists.
+
+There, `192.168.0.42` is your local network IP, reachable from the LXD VM, on
+which `apt-cacher-ng` is listening.
+Other `apt` caching solutions might be working, but are untested.
+

debian/changelog

@@ -1,3 +1,77 @@
+livecd-rootfs (26.04.34) resolute; urgency=medium
+
+  * Set build type to Release for final ISO builds.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Sat, 18 Apr 2026 08:21:53 +1200
+
+livecd-rootfs (26.04.33) resolute; urgency=medium
+
+  [ Matthew Stepan ]
+  * Hyper-V: Migrate .pkla files to .rules files following the removal of the
+    polkit-pkla package from the archive.
+  * Hyper-V: Add dracut `hostonly=no` config to fix image boot hanging while 
+    trying to find the rootfs.
+  * Hyper-V: Fix sed to correctly set GDM `InitialSetupEnable=false`.
+
+  [ Michael Hudson-Doyle ]
+  * Do not run 03-initramfs-enforcement.chroot for kubuntu, which is not a
+    layered build.
+
+  [ Denis Lalaj ]
+  * feat(buildd): Set dracut as the default initrd generator
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Fri, 17 Apr 2026 12:22:45 +0200
+
+livecd-rootfs (26.04.32) resolute; urgency=medium
+
+  [ Alfonso Sanchez-Beato ]
+  * Add support for building Ubuntu Core 26 images.
+
+  [ Valentin Haudiquet ]
+  * Make sure kernel is 'vmlinux' on riscv64, and not 'vmlinuz'
+
+  [ Michael Hudson-Doyle & Simon Poirier ]
+  * Add a hook 03-initramfs-enforcement.chroot to many ISO builds to ensure
+    that the live layer gets an initramfs built with casper and
+    initramfs-tools. (LP: #2146567)
+
+  [ Aaron Rainbolt ]
+  * Disable Apparmor restrictions in the live environment for Kubuntu and
+    Ubuntu Unity. (LP: #2146196, #2146369)
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 16 Apr 2026 09:23:08 +1200
+
+livecd-rootfs (26.04.31) resolute; urgency=medium
+
+  [ Ryan Hill ]
+  * Add additional 7.0 kernel apparmor features for
+    successful image preseeding. 
+
+ -- Chloé 'kajiya' Smith <chloe.smith@canonical.com>  Mon, 13 Apr 2026 15:45:19 +0100
+
+livecd-rootfs (26.04.30) resolute; urgency=medium
+
+  [ Florent 'Skia' Jacquet]
+  * Pick a better manifest by using the live pass for layered images (LP: #2147921)
+
+  [ Dan Bungert ]
+  * Exclude boot/grub/i386-pc/eltorito.img from md5sum.txt, as it is expected
+    to change in xorriso output.  (LP: #2147162)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Mon, 13 Apr 2026 15:16:01 +0200
+
+livecd-rootfs (26.04.29) resolute; urgency=medium
+
+  * Make sure to produce a manifest for all images (LP: #2147522)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Wed, 08 Apr 2026 16:12:59 +0200
+
+livecd-rootfs (26.04.28) resolute; urgency=medium
+
+  * Switch arm64 mirror from ports to archive. (LP: #2147101)
+
+ -- Utkarsh Gupta <utkarsh@ubuntu.com>  Thu, 02 Apr 2026 18:34:10 +0530
+
 livecd-rootfs (26.04.27) resolute; urgency=medium
 
   [ Michael Hudson-Doyle ]

live-build/apparmor/7.0/network_v9_skb/af_mask

@@ -0,0 +1 @@
+inet inet6

live-build/apparmor/7.0/network_v9_skb/iface

@@ -0,0 +1 @@
+receive connect, secmark_postroute

live-build/apparmor/7.0/network_v9_skb/localout

@@ -0,0 +1 @@
+secmark_set

live-build/apparmor/7.0/network_v9_skb/postroute

@@ -0,0 +1 @@
+secmark_send

live-build/apparmor/7.0/network_v9_skb/rcv_skb

@@ -0,0 +1 @@
+secmark_receive

live-build/apparmor/7.0/network_v9_skb/relabel

@@ -0,0 +1 @@
+setcred

live-build/auto/build

@@ -559,13 +559,16 @@ fi
 # Create manifest unconditionally (needed for both ISO and non-ISO builds).
 if [ -e "binary/$INITFS/filesystem.manifest" ]; then
 	ln "binary/$INITFS/filesystem.manifest" "$PREFIX.manifest"
-	chmod 644 "$PREFIX.manifest"
-fi
-# '--initramfs none' produces different manifest names.
-if [ -e "binary/$INITFS/filesystem.packages" ]; then
+elif [ -e "binary/$INITFS/filesystem.packages" ]; then
+	# '--initramfs none' produces different manifest names.
 	ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
-	chmod 644 "$PREFIX.manifest"
+elif [ -n "$LIVE_PASSES" ]; then
+	# For layered images, keep the manifest of the last (only?) live pass
+	for _PASS in $LIVE_PASSES; do
+		ln -f "${CASPER_DIR}/$_PASS.manifest.full" "$PREFIX.manifest"
+	done
 fi
+chmod 644 "$PREFIX.manifest"
 # Since snaps are now Ubuntu first-class citizen, so always try fetching the
 # list of seeded snaps into the manifest.  In case of layered images we skip
 # this step, as we assume they're doing it on their own at some earlier stage.

live-build/auto/config

@@ -41,7 +41,7 @@ if [ -z "$MIRROR" ]; then
 			;;
 		*)
 			case $ARCH in
-				i386|amd64)	MIRROR=http://archive.ubuntu.com/ubuntu/ ;;
+				i386|amd64|arm64)	MIRROR=http://archive.ubuntu.com/ubuntu/ ;;
 				*)			MIRROR=http://ports.ubuntu.com/ubuntu-ports/ ;;
 			esac
 			;;
@@ -491,31 +491,23 @@ case $IMAGEFORMAT in
 				*) ;;
 			esac
 
-			# Ubuntu Core 24
+			# Ubuntu Core 26
 			# For now we stick to updating this by hand, but a more tasteful solution
 			# will follow
-			CORE_MAJOR=24
+			CORE_MAJOR=26
 
-			# Currently uc24 assertions do not support global channel overrides,
-			# instead we have per-channel models
+			# For UC26+ we build only images using stable channels,
+			# for either signed or dangerous grade.
 			case $CHANNEL in
 				stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}"
 					;;
-				candidate|beta|edge|dangerous)
-					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-${CHANNEL}"
-					;;
-				dangerous-*)
-					# That being said, the dangerous grade *does*
-					# support channel overrides, so we can use the
-					# dangerous model assertion and override the channel
-					# freely.
+				dangerous-stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-dangerous"
 					CHANNEL=${CHANNEL#dangerous-}
-					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
+					echo "Unsupported CHANNEL ${CHANNEL} specification for ${SUITE}"
 					exit 1
 					;;
 			esac
@@ -525,7 +517,7 @@ case $IMAGEFORMAT in
 					EXTRA_SNAPS="$EXTRA_SNAPS core bluez alsa-utils"
 					;;
 				*)
-					# For all Ubuntu Core 24 reference images, add console-conf
+					# For all Ubuntu Core reference images, add console-conf
 					EXTRA_SNAPS="$EXTRA_SNAPS console-conf"
 					;;
 			esac
@@ -1568,7 +1560,8 @@ case $PROJECT:${SUBPROJECT:-} in
 	ubuntu-cpc:*|ubuntu-server:live|ubuntu:desktop-preinstalled| \
 		ubuntu-wsl:*|ubuntu-mini-iso:*|ubuntu-test-iso:*|ubuntu:|ubuntu:dangerous|ubuntu-oem:*| \
 		ubuntustudio:*|edubuntu:*|ubuntu-budgie:*|ubuntucinnamon:*|xubuntu:*| \
-	        ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*)
+		ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*|kubuntu:*| \
+		ubuntu-unity:*)
 		# Ensure that most things e.g. includes.chroot are copied as is
 		for entry in ${LIVECD_ROOTFS_ROOT}/live-build/${PROJECT}/*; do
 			case $entry in
@@ -1738,9 +1731,12 @@ EOF
 fi
 
 if [ "${MAKE_ISO}" = "yes" ]; then
-	# XXX should pass --build-type here.
+	# XXX --build-type should be passed via build args once
+	# https://code.launchpad.net/~mwhudson/launchpad-buildd/+git/launchpad-buildd/+merge/497089
+	# is merged.
 	${LIVECD_ROOTFS_ROOT}/live-build/gen-iso-ids \
 		--project $PROJECT ${SUBPROJECT:+--subproject $SUBPROJECT} \
+		--build-type Release \
 		--arch $ARCH ${SUBARCH:+--subarch $SUBARCH} ${NOW+--serial $NOW} \
 		--output-dir config/iso-ids/
 fi

live-build/buildd/hooks/52-linux-virtual-image.binary

@@ -50,7 +50,7 @@ env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
 
 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
-    install -y lsb-release locales initramfs-tools busybox-initramfs \
+    install -y lsb-release locales dracut busybox-initramfs \
                udev dbus netplan.io cloud-init openssh-server sudo snapd \
                lxd-agent-loader
 

live-build/edubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/functions

@@ -1464,7 +1464,7 @@ CASPER_DIR=config/iso-dir/iso-root/casper
 iso_install_kernel() {
     local flavor=$1 kernel=$2 initrd=$3
     local kernel_name=vmlinuz
-    case $ARCH in ppc64el) kernel_name=vmlinux ;; esac
+    case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
     local prefix=""
     case $flavor in *-hwe) prefix="hwe-" ;; esac
     cp "$kernel" "$CASPER_DIR/${prefix}${kernel_name}"

live-build/isobuilder/builder.py

@@ -273,11 +273,14 @@ class ISOBuilder:
     def checksum(self):
         # Generate md5sum.txt for ISO integrity verification.
         # - Symlinks are excluded because their targets are already checksummed
+        # - eltorito.img is excluded because xorriso will modify it in output ISO
         # - Files are sorted for deterministic, reproducible output across builds
         # - Paths use "./" prefix and we run md5sum from iso_root so the output
         #   matches what users get when they verify with "md5sum -c" from the ISO
         all_files = []
+        exclusions = ["eltorito.img"]
         for dirpath, dirnames, filenames in self.iso_root.walk():
+            filenames = [fn for fn in filenames if fn not in exclusions]
             filepaths = [dirpath.joinpath(filename) for filename in filenames]
             all_files.extend(
                 "./" + str(filepath.relative_to(self.iso_root))

live-build/kubuntu/hooks/020-kubuntu-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/lubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-budgie/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-core-installer/includes.chroot.base.live/etc/cloud/cloud.cfg

@@ -76,7 +76,7 @@ system_info:
       templates_dir: /etc/cloud/templates/
       upstart_dir: /etc/init/
    package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
        failsafe:
          primary: http://archive.ubuntu.com/ubuntu
          security: http://security.ubuntu.com/ubuntu
@@ -86,7 +86,7 @@ system_info:
            - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
            - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
          security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
        failsafe:
          primary: http://ports.ubuntu.com/ubuntu-ports
          security: http://ports.ubuntu.com/ubuntu-ports

live-build/ubuntu-mate/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-server/hooks/05-netboot-tarball.binary

@@ -34,7 +34,7 @@ PROJECT=$PROJECT${SUBARCH:+-$SUBARCH}
 # Read kernel/initrd from the ISO casper directory where iso_install_kernel
 # placed them.
 kernel_name=vmlinuz
-case $ARCH in ppc64el) kernel_name=vmlinux ;; esac
+case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
 casper_prefix=""
 case $flavor in *-hwe) casper_prefix="hwe-" ;; esac
 KERNEL=${CASPER_DIR}/${casper_prefix}${kernel_name}

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/cloud/cloud.cfg

@@ -76,7 +76,7 @@ system_info:
       templates_dir: /etc/cloud/templates/
       upstart_dir: /etc/init/
    package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
        failsafe:
          primary: http://archive.ubuntu.com/ubuntu
          security: http://security.ubuntu.com/ubuntu
@@ -86,7 +86,7 @@ system_info:
            - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
            - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
          security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
        failsafe:
          primary: http://ports.ubuntu.com/ubuntu-ports
          security: http://ports.ubuntu.com/ubuntu-ports

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf

@@ -1,16 +1,5 @@
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1

live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/ubuntu/hooks/020-ubuntu-live.chroot_early

@@ -18,18 +18,7 @@ EOF
 cat <<EOF > /etc/sysctl.d/20-apparmor.conf
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
 EOF

live-build/ubuntu/hooks/040-hyperv-desktop-images.binary

@@ -44,9 +44,13 @@ trap cleanup_hyperv EXIT
 # use it if they want.
 touch "${scratch_d}/etc/cloud/cloud-init.disabled"
 
+mkdir -p "${scratch_d}/etc/dracut.conf.d"
+cat > "${scratch_d}/etc/dracut.conf.d/hyperv.conf" << EOF
+hostonly=no
+EOF
 
 chroot "${scratch_d}" apt-get update -y
-chroot "${scratch_d}" apt-get -y install xrdp linux-azure linux-tools-azure linux-cloud-tools-azure polkitd-pkla oem-config-gtk language-pack-en-base oem-config-slideshow-ubuntu
+chroot "${scratch_d}" apt-get -y install xrdp linux-azure linux-tools-azure linux-cloud-tools-azure oem-config-gtk language-pack-en-base oem-config-slideshow-ubuntu
 
 cat > ${scratch_d}/etc/modules-load.d/hyperv.conf << EOF
 ${IMAGE_STR}
@@ -99,23 +103,30 @@ blacklist vmw_vsock_vmci_transport
 EOF
 
 # Configure the policy xrdp session
-cat > ${scratch_d}/etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla << EOF
-${IMAGE_STR}
-[Allow Colord all Users]
-Identity=unix-user:*
-Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
-ResultAny=no
-ResultInactive=no
-ResultActive=yes
+cat > ${scratch_d}/etc/polkit-1/rules.d/45-allow-colord.rules << EOF
+// ${IMAGE_STR}
+// Allow Colord all Users
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.color-manager.create-device" ||
+         action.id == "org.freedesktop.color-manager.create-profile" ||
+         action.id == "org.freedesktop.color-manager.delete-device" ||
+         action.id == "org.freedesktop.color-manager.delete-profile" ||
+         action.id == "org.freedesktop.color-manager.modify-device" ||
+         action.id == "org.freedesktop.color-manager.modify-profile") &&
+        subject.active) {
+        return polkit.Result.YES;
+    }
+});
 EOF
 
-cat >${scratch_d}/etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
-[Allow Package Management all Users]
-Identity=unix-user:*
-Action=org.freedesktop.packagekit.system-sources-refresh
-ResultAny=yes
-ResultInactive=yes
-ResultActive=yes
+cat >${scratch_d}/etc/polkit-1/rules.d/46-allow-update-repo.rules <<EOF
+// ${IMAGE_STR}
+// Allow Package Management all Users
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.packagekit.system-sources-refresh") {
+        return polkit.Result.YES;
+    }
+});
 EOF
 
 sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-config/run\nAfter=|g' "${scratch_d}/lib/systemd/system/xrdp.service"
@@ -123,7 +134,7 @@ sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-conf
 # End xrdp customisation
 
 # Don't run gnome-initial-setup from gdm
-sed -i${CHANGED_FILE_SUFFIX} "s|#WaylandEnable=false|#WaylandEnable=false\nInitialSetupEnable=false|" "${scratch_d}/etc/gdm3/custom.conf"
+sed -i${CHANGED_FILE_SUFFIX} "s|\[daemon\]|[daemon]\nInitialSetupEnable=false|" "${scratch_d}/etc/gdm3/custom.conf"
 chroot "${scratch_d}" /usr/sbin/useradd -d /home/oem -m -N -u 29999 oem
 chroot "${scratch_d}" /usr/sbin/oem-config-prepare --quiet
 touch "${scratch_d}/var/lib/oem-config/run"

live-build/ubuntu/includes.chroot.minimal.standard.live/etc/cloud/cloud.cfg

@@ -76,7 +76,7 @@ system_info:
       templates_dir: /etc/cloud/templates/
       upstart_dir: /etc/init/
    package_mirrors:
-     - arches: [i386, amd64]
+     - arches: [i386, amd64, arm64]
        failsafe:
          primary: http://archive.ubuntu.com/ubuntu
          security: http://security.ubuntu.com/ubuntu
@@ -86,7 +86,7 @@ system_info:
            - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
            - http://%(region)s.clouds.archive.ubuntu.com/ubuntu/
          security: []
-     - arches: [arm64, armel, armhf]
+     - arches: [armel, armhf]
        failsafe:
          primary: http://ports.ubuntu.com/ubuntu-ports
          security: http://ports.ubuntu.com/ubuntu-ports

live-build/ubuntucinnamon/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntukylin/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntustudio/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/xubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1,34 @@
+#!/bin/bash -e
+# vi: ts=4 noexpandtab
+
+# In a kernel layer, we need a freshly updated initrd (to ensure it
+# has been casperized with an appropriate config). A binary hook will
+# pull this out to be a separate build artifact to eventually end up
+# in /casper on the generated ISO.
+
+# In all lower layers, having an initrd just wastes space, as curtin
+# will always call update-initramfs after the layer has been copied to
+# the target system.
+
+# The netboot "layers" are not made into squashfses so there's no need
+# to do anything in those.
+
+. /root/config/common
+. /root/config/functions
+
+set -x
+
+if ! is_live_layer "${PASS}"; then
+	rm -f /boot/initrd.img-*
+	exit 0
+fi
+
+cat <<EOF > /etc/initramfs-tools/conf.d/casperize.conf
+export CASPER_GENERATE_UUID=1
+EOF
+cat <<EOF > /etc/initramfs-tools/conf.d/default-layer.conf
+LAYERFS_PATH=${PASS}.squashfs
+EOF
+# As this hook has deleted the initrds from lower layers we need to
+# pass -c -k all to update-initramfs here (-u will do nothing)
+update-initramfs -c -k all