releasing package livecd-rootfs version 26.04.32

Commit 51624c1b444d034ac06d9d0d6e2c02f73e856aa1 introduced a regression, changing kernel name from vmlinux to vmlinux (default) on riscv64. This fixes the regression and the bug in recent riscv64 iso images (preventing boot).

Fixes: 51624c1b444d ("Place ISO artifacts directly into the ISO tree")

Signed-off-by: Valentin Haudiquet <valentin.haudiquet@canonical.com>

README.local

@@ -0,0 +1,106 @@
+# Running livecd-rootfs builds locally
+
+`livecd-rootfs` is notoriously known to be... difficult?
+One question that often comes back is "how do I run that locally?".
+Brace yourself, here is a short guide to help you through this.
+
+## Where to run?
+
+While you could do that directly on your host machine, likely your development
+laptop, that would mean installing all the needed dependencies, and running
+livecd-rootfs as root (because of some `mount` steps, `chroot`, etc...).
+Not ideal.
+What you more likely want, and is documented here, is to run that in a LXD VM
+instead.
+
+## Prerequisites
+
+You need to have LXD installed and configured: https://canonical.com/lxd/install
+A clone of this repository, that will be used directly in the VM so that
+you can iterate and test changes easily before submitting them:
+```
+git clone https://git.launchpad.net/livecd-rootfs
+```
+
+## Build images
+
+All the magic is done by the `./live-build/build-livefs-lxd` script. It will
+basically perform the following actions for you:
+  * Launch (or re-start) a LXD VM on the `series` you're targetting.
+  * Install in there `livecd-rootfs` from the archive, to make sure all
+    dependencies are here and ready to use.
+  * Mount the `livecd-rootfs` sources in `/srv/livecd-rootfs`.
+  * Run `./live-build/build-livefs` with all the additional arguments you give.
+    That's what will build the ISO for you, take a lot of time, and bring your
+    machine down.
+
+Depending on what you want to work on, the iteration time can be quite long.
+Fortunately `livecd-rootfs` provides many different projects to work with,
+providing various experiences in terms of load, space, bandwidth and running
+time.
+
+Very fast and lightweight "fake" ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-test-iso
+```
+
+Ubuntu Desktop, the main flagship, and probably most complex ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu
+```
+
+Ubuntu Server Live, lighter ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project ubuntu-server --subproject live
+```
+
+Xubuntu Minimal, lighter desktop ISO:
+```
+❯ ./live-build/build-livefs-lxd --suite resolute --arch amd64 --project xubuntu --subproject minimal
+```
+
+## Fetching the image
+
+Obviously, the image has been built inside the LXD VM, so you then need to extract it. Examples:
+```
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-test-iso.iso my_ubuntu-test-iso.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu.iso my_ubuntu.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.ubuntu-server.iso my_ubuntu-server.iso
+❯ lxc file pull livefs-builder-resolute/root/livecd.xubuntu.iso my_xubuntu.iso
+```
+
+The fetched ISO should normally boot and work just fine. For example with QEMU:
+```
+❯ kvm -m 3G -smp 2 -cdrom ./my_xubuntu.iso
+```
+
+## Clean up
+
+This will leave you with a running VM eating some precious 8GB from your host.
+You can stop and/or delete that VM with these:
+```
+❯ lxc stop livefs-builder-resolute
+❯ lxc delete livefs-builder-resolute
+```
+
+## Speeding things up with `apt-cacher-ng`
+
+All the previous steps work just fine, but when iterating, it's often very
+useful to cache all the package downloads, which can speed things up a lot,
+particularly if you don't live in one of Canonical's datacenters.
+
+Basically, on your host:
+```
+❯ sudo apt install apt-cacher-ng
+❯ cat ~/.config/livecd-rootfs/build-livefs.conf
+[defaults]
+mirror =  http://192.168.0.42:3142/archive.ubuntu.com/ubuntu
+```
+
+`~/.config/livecd-rootfs/build-livefs.conf` is indeed stored on your host, but
+will be copied automatically at the right place if it exists.
+
+There, `192.168.0.42` is your local network IP, reachable from the LXD VM, on
+which `apt-cacher-ng` is listening.
+Other `apt` caching solutions might be working, but are untested.
+

debian/changelog

@@ -1,3 +1,47 @@
+livecd-rootfs (26.04.32) resolute; urgency=medium
+
+  [ Alfonso Sanchez-Beato ]
+  * Add support for building Ubuntu Core 26 images.
+
+  [ Valentin Haudiquet ]
+  * Make sure kernel is 'vmlinux' on riscv64, and not 'vmlinuz'
+
+  [ Michael Hudson-Doyle & Simon Poirier ]
+  * Add a hook 03-initramfs-enforcement.chroot to many ISO builds to ensure
+    that the live layer gets an initramfs built with casper and
+    initramfs-tools. (LP: #2146567)
+
+  [ Aaron Rainbolt ]
+  * Disable Apparmor restrictions in the live environment for Kubuntu and
+    Ubuntu Unity. (LP: #2146196, #2146369)
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 16 Apr 2026 09:23:08 +1200
+
+livecd-rootfs (26.04.31) resolute; urgency=medium
+
+  [ Ryan Hill ]
+  * Add additional 7.0 kernel apparmor features for
+    successful image preseeding. 
+
+ -- Chloé 'kajiya' Smith <chloe.smith@canonical.com>  Mon, 13 Apr 2026 15:45:19 +0100
+
+livecd-rootfs (26.04.30) resolute; urgency=medium
+
+  [ Florent 'Skia' Jacquet]
+  * Pick a better manifest by using the live pass for layered images (LP: #2147921)
+
+  [ Dan Bungert ]
+  * Exclude boot/grub/i386-pc/eltorito.img from md5sum.txt, as it is expected
+    to change in xorriso output.  (LP: #2147162)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Mon, 13 Apr 2026 15:16:01 +0200
+
+livecd-rootfs (26.04.29) resolute; urgency=medium
+
+  * Make sure to produce a manifest for all images (LP: #2147522)
+
+ -- Florent 'Skia' Jacquet <skia@ubuntu.com>  Wed, 08 Apr 2026 16:12:59 +0200
+
 livecd-rootfs (26.04.28) resolute; urgency=medium
 
   * Switch arm64 mirror from ports to archive. (LP: #2147101)

live-build/apparmor/7.0/network_v9_skb/af_mask

@@ -0,0 +1 @@
+inet inet6

live-build/apparmor/7.0/network_v9_skb/iface

@@ -0,0 +1 @@
+receive connect, secmark_postroute

live-build/apparmor/7.0/network_v9_skb/localout

@@ -0,0 +1 @@
+secmark_set

live-build/apparmor/7.0/network_v9_skb/postroute

@@ -0,0 +1 @@
+secmark_send

live-build/apparmor/7.0/network_v9_skb/rcv_skb

@@ -0,0 +1 @@
+secmark_receive

live-build/apparmor/7.0/network_v9_skb/relabel

@@ -0,0 +1 @@
+setcred

live-build/auto/build

@@ -559,13 +559,16 @@ fi
 # Create manifest unconditionally (needed for both ISO and non-ISO builds).
 if [ -e "binary/$INITFS/filesystem.manifest" ]; then
 	ln "binary/$INITFS/filesystem.manifest" "$PREFIX.manifest"
-	chmod 644 "$PREFIX.manifest"
-fi
+elif [ -e "binary/$INITFS/filesystem.packages" ]; then
 	# '--initramfs none' produces different manifest names.
-if [ -e "binary/$INITFS/filesystem.packages" ]; then
 	ln "binary/$INITFS/filesystem.packages" "$PREFIX.manifest"
-	chmod 644 "$PREFIX.manifest"
+elif [ -n "$LIVE_PASSES" ]; then
+	# For layered images, keep the manifest of the last (only?) live pass
+	for _PASS in $LIVE_PASSES; do
+		ln -f "${CASPER_DIR}/$_PASS.manifest.full" "$PREFIX.manifest"
+	done
 fi
+chmod 644 "$PREFIX.manifest"
 # Since snaps are now Ubuntu first-class citizen, so always try fetching the
 # list of seeded snaps into the manifest.  In case of layered images we skip
 # this step, as we assume they're doing it on their own at some earlier stage.

live-build/auto/config

@@ -491,31 +491,23 @@ case $IMAGEFORMAT in
 				*) ;;
 			esac
 
-			# Ubuntu Core 24
+			# Ubuntu Core 26
 			# For now we stick to updating this by hand, but a more tasteful solution
 			# will follow
-			CORE_MAJOR=24
+			CORE_MAJOR=26
 
-			# Currently uc24 assertions do not support global channel overrides,
-			# instead we have per-channel models
+			# For UC26+ we build only images using stable channels,
+			# for either signed or dangerous grade.
 			case $CHANNEL in
 				stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}"
 					;;
-				candidate|beta|edge|dangerous)
-					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-${CHANNEL}"
-					;;
-				dangerous-*)
-					# That being said, the dangerous grade *does*
-					# support channel overrides, so we can use the
-					# dangerous model assertion and override the channel
-					# freely.
+				dangerous-stable)
 					MODEL="ubuntu-core-${CORE_MAJOR}-${MODEL#pc-}-dangerous"
 					CHANNEL=${CHANNEL#dangerous-}
-					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
+					echo "Unsupported CHANNEL ${CHANNEL} specification for ${SUITE}"
 					exit 1
 					;;
 			esac
@@ -525,7 +517,7 @@ case $IMAGEFORMAT in
 					EXTRA_SNAPS="$EXTRA_SNAPS core bluez alsa-utils"
 					;;
 				*)
-					# For all Ubuntu Core 24 reference images, add console-conf
+					# For all Ubuntu Core reference images, add console-conf
 					EXTRA_SNAPS="$EXTRA_SNAPS console-conf"
 					;;
 			esac
@@ -1568,7 +1560,8 @@ case $PROJECT:${SUBPROJECT:-} in
 	ubuntu-cpc:*|ubuntu-server:live|ubuntu:desktop-preinstalled| \
 		ubuntu-wsl:*|ubuntu-mini-iso:*|ubuntu-test-iso:*|ubuntu:|ubuntu:dangerous|ubuntu-oem:*| \
 		ubuntustudio:*|edubuntu:*|ubuntu-budgie:*|ubuntucinnamon:*|xubuntu:*| \
-	        ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*)
+		ubuntukylin:*|ubuntu-mate:*|ubuntu-core-installer:*|lubuntu:*|kubuntu:*| \
+		ubuntu-unity:*)
 		# Ensure that most things e.g. includes.chroot are copied as is
 		for entry in ${LIVECD_ROOTFS_ROOT}/live-build/${PROJECT}/*; do
 			case $entry in

live-build/edubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/functions

@@ -1464,7 +1464,7 @@ CASPER_DIR=config/iso-dir/iso-root/casper
 iso_install_kernel() {
     local flavor=$1 kernel=$2 initrd=$3
     local kernel_name=vmlinuz
-    case $ARCH in ppc64el) kernel_name=vmlinux ;; esac
+    case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
     local prefix=""
     case $flavor in *-hwe) prefix="hwe-" ;; esac
     cp "$kernel" "$CASPER_DIR/${prefix}${kernel_name}"

live-build/isobuilder/builder.py

@@ -273,11 +273,14 @@ class ISOBuilder:
     def checksum(self):
         # Generate md5sum.txt for ISO integrity verification.
         # - Symlinks are excluded because their targets are already checksummed
+        # - eltorito.img is excluded because xorriso will modify it in output ISO
         # - Files are sorted for deterministic, reproducible output across builds
         # - Paths use "./" prefix and we run md5sum from iso_root so the output
         #   matches what users get when they verify with "md5sum -c" from the ISO
         all_files = []
+        exclusions = ["eltorito.img"]
         for dirpath, dirnames, filenames in self.iso_root.walk():
+            filenames = [fn for fn in filenames if fn not in exclusions]
             filepaths = [dirpath.joinpath(filename) for filename in filenames]
             all_files.extend(
                 "./" + str(filepath.relative_to(self.iso_root))

live-build/kubuntu/hooks/020-kubuntu-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/kubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/lubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-budgie/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-mate/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntu-server/hooks/05-netboot-tarball.binary

@@ -34,7 +34,7 @@ PROJECT=$PROJECT${SUBARCH:+-$SUBARCH}
 # Read kernel/initrd from the ISO casper directory where iso_install_kernel
 # placed them.
 kernel_name=vmlinuz
-case $ARCH in ppc64el) kernel_name=vmlinux ;; esac
+case $ARCH in ppc64el|riscv64) kernel_name=vmlinux ;; esac
 casper_prefix=""
 case $flavor in *-hwe) casper_prefix="hwe-" ;; esac
 KERNEL=${CASPER_DIR}/${casper_prefix}${kernel_name}

live-build/ubuntu-server/includes.chroot.ubuntu-server-minimal.ubuntu-server.installer/etc/sysctl.d/20-apparmor.conf

@@ -1,16 +1,5 @@
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1

live-build/ubuntu-unity/hooks/020-ubuntu-unity-live.chroot_early

@@ -0,0 +1,11 @@
+#! /bin/sh
+
+set -eu
+
+cat <<EOF > /etc/sysctl.d/20-apparmor.conf
+# AppArmor restrictions of unprivileged user namespaces
+
+# Disables AppArmor user namespace restrictions on the live ISO.
+kernel.apparmor_restrict_unprivileged_userns = 0
+kernel.apparmor_restrict_unprivileged_unconfined = 1
+EOF

live-build/ubuntu/hooks/020-ubuntu-live.chroot_early

@@ -18,18 +18,7 @@ EOF
 cat <<EOF > /etc/sysctl.d/20-apparmor.conf
 # AppArmor restrictions of unprivileged user namespaces
 
-# Allows to restrict the use of unprivileged user namespaces to applications
-# which have an AppArmor profile loaded which specifies the userns
-# permission. All other applications (whether confined by AppArmor or not) will
-# be denied the use of unprivileged user namespaces.
-#
-# See
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
-# https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_unconfined
-#
-# If it is desired to disable this restriction, it is preferable to create an
-# additional file named /etc/sysctl.d/20-apparmor.conf which will override this
-# current file and sets this value to 0 rather than editing this current file
+# Disables AppArmor user namespace restrictions on the live ISO.
 kernel.apparmor_restrict_unprivileged_userns = 0
 kernel.apparmor_restrict_unprivileged_unconfined = 1
 EOF

live-build/ubuntucinnamon/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntukylin/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/ubuntustudio/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1 @@
+../../xubuntu/hooks/03-initramfs-enforcement.chroot

live-build/xubuntu/hooks/03-initramfs-enforcement.chroot

@@ -0,0 +1,34 @@
+#!/bin/bash -e
+# vi: ts=4 noexpandtab
+
+# In a kernel layer, we need a freshly updated initrd (to ensure it
+# has been casperized with an appropriate config). A binary hook will
+# pull this out to be a separate build artifact to eventually end up
+# in /casper on the generated ISO.
+
+# In all lower layers, having an initrd just wastes space, as curtin
+# will always call update-initramfs after the layer has been copied to
+# the target system.
+
+# The netboot "layers" are not made into squashfses so there's no need
+# to do anything in those.
+
+. /root/config/common
+. /root/config/functions
+
+set -x
+
+if ! is_live_layer "${PASS}"; then
+	rm -f /boot/initrd.img-*
+	exit 0
+fi
+
+cat <<EOF > /etc/initramfs-tools/conf.d/casperize.conf
+export CASPER_GENERATE_UUID=1
+EOF
+cat <<EOF > /etc/initramfs-tools/conf.d/default-layer.conf
+LAYERFS_PATH=${PASS}.squashfs
+EOF
+# As this hook has deleted the initrds from lower layers we need to
+# pass -c -k all to update-initramfs here (-u will do nothing)
+update-initramfs -c -k all