releasing package livecd-rootfs version 2.664.10

Backport vmtools version in vmdk (LP: #1893898)

Backport
LP: #1893898 describes missing vmtools version from the vmdk headers.
The version should be added as ddb.toolsVersion = "2147483647" however
the sed was no longer replacing a ddb.comment field with the tools
version. Rather than subbing ddb.comment with toolsVersion, this commit
deletes ddb.comment (which the comment mentions could cause errors),
and adds the correct value. There was no visibility into the descriptor
during hook creation, so debug statements were added. This allows us to
quickly verify in the logs that bad statements are removed (the possibly
offending comments), as well as ensuring that the toolsVersion is added

MP: https://code.launchpad.net/~jchittum/livecd-rootfs/+git/livecd-rootfs/+merge/394142

debian/changelog

@@ -1,3 +1,116 @@
+livecd-rootfs (2.664.10) focal; urgency=medium
+
+  * Do not hard-code the UC20 amd64 image size to 8GB as now ubuntu-image
+    should be able to properly calculate the needed size itself.
+  * But per discussion, we might want to keep the UC20 images a bit bigger than
+    what's defined via the gadget/rootfs contents, to make sure writable is
+    comfortably big enough. Use the same hard-coded value as for UC16 and UC18.
+    (LP: #1905990)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Fri, 27 Nov 2020 17:58:38 +0100
+
+livecd-rootfs (2.664.9) focal; urgency=medium
+
+   [ John Chittum]
+   * Backport Ensure toolsVersion set in vmdk header (LP: #1893898) 
+
+   [ Dimitri John Ledkov & Joshua Powers ]
+   * amd64: always install grub-pc with shim-signed (LP: #1901906), and
+     ensure to autoremove packages
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Fri, 20 Nov 2020 14:35:51 -0600
+
+livecd-rootfs (2.664.8) focal; urgency=medium
+
+  Backport snap-preseed work from groovy to focal LP: #1896755
+
+  [ Robert C Jennings ]
+  * Apply snap-preseed optimizations after seeding snaps
+
+  [ Dimitri John Ledkov ]
+  * live-server: remove duplicate snaps, due to overlayfs vs snap-preseed.
+  * apparmor: Add generic v5.4 kernel apparmor features
+  * apparmor: mount more up-to-date apparmor features in the chroot.
+  * seccomp: add more up-to-date seccomp actions
+  * seccomp: mount more up-to-date seccomp features
+  * apparmor: compile all profiles
+
+  [ Robert C Jennings ]
+  * Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)
+
+  [ Dimitri John Ledkov ]
+  * auto/build: use setup|teardown_mountpoint to reduce duplication
+  * functions: provide nss_systemd-less nsswitch.conf in chroots.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 05 Oct 2020 10:33:02 +0100
+
+livecd-rootfs (2.664.7) focal; urgency=medium
+
+  [ Stanislav German-Evtushenko <giner> / John Chittum ]
+  * Send Vagrant serial connection to NULL. (LP: #1874453)
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Wed, 23 Sep 2020 13:32:32 -0500
+
+livecd-rootfs (2.664.6) focal; urgency=medium
+
+  [ Patrick Wu ]
+  * Fix xrdp support in hyper-v images.  LP: #1890980.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 26 Aug 2020 14:06:31 -0700
+
+livecd-rootfs (2.664.5) focal; urgency=medium
+
+  [ Robert C Jennings ]
+  * Handle seeded lxd snap with channel name for ubuntu-cpc:minimized
+    (LP: #1889470)
+
+  [ Cody Shepherd ]
+  * Add dist-upgrade to bootable-buildd hook to ensure the built image
+    doesn't contain vulnerable kernels or other packages.  LP: #1891061.
+  * Don't explicitly install grub-efi-amd64-signed, it's a dependency of
+    shim-signed.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 04 Aug 2020 12:39:27 -0700
+
+livecd-rootfs (2.664.4) focal; urgency=medium
+
+  * snap_preseed: support channel specification with snap name (LP: #1882374)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 23 Jul 2020 19:12:10 +0100
+
+livecd-rootfs (2.664.3) focal; urgency=medium
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Enable overrides of UC20 grade dangerous channels - as this is possible.
+    (LP: #1879350)
+
+  [ Iain Lane ]
+  * Hack seeding of linux kernel in ubuntustudio/focal
+    ubuntustudio-default-settings in focal release has a Recommends to this
+    kernel, which makes it impossible to update the kernel later on, since we
+    would install the -updates and release kernel, which isn't allowed and
+    causes FTBFS. Hack out the focal-release kernel and let the rest of the
+    build process pull in the right one. (LP: #1884915)
+
+ -- Iain Lane <iain.lane@canonical.com>  Tue, 21 Jul 2020 16:25:18 +0100
+
+livecd-rootfs (2.664.2) focal; urgency=medium
+
+  * Revert of initramfs package removal in KVM image (LP: #1880170)
+
+ -- Phil Roche <phil.roche@canonical.com>  Fri, 22 May 2020 13:03:20 +0100
+
+livecd-rootfs (2.664.1) focal; urgency=medium
+
+  * Bump only the UC20 pc image to 8GB, and keep Pi images as small as possible.
+    (LP: #1875430)
+  * ubuntu-image: fix focal+ pi images for armhf to use pi-armhf model name.
+    (LP: #1876358)
+  * ubuntu-image: drop ubuntu-image dep on riscv64, as not installable yet.
+    (LP: #1876359)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 01 May 2020 20:08:23 +0100
+
 livecd-rootfs (2.664) focal; urgency=medium
 
   [ Patrick Viafore ]

debian/control

@@ -38,7 +38,7 @@ Depends: ${misc:Depends},
          squashfs-tools (>= 1:3.3-1),
          sudo,
          u-boot-tools [armhf arm64],
-         ubuntu-image [!i386],
+         ubuntu-image [!i386 !riscv64],
          python3-vmdkstream [amd64 i386],
          xz-utils,
          zerofree

live-build/apparmor/generic.features

@@ -0,0 +1,78 @@
+query {label {multi_transaction {yes
+}
+data {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+dbus {mask {acquire send receive
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}
+ptrace {mask {read trace
+}
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+namespaces {pivot_root {no
+}
+profile {yes
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+network {af_unix {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {version {1.2
+}
+attach_conditions {xattr {yes
+}
+}
+computed_longest_left {yes
+}
+post_nnp_subset {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+stack {yes
+}
+change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+versions {v8 {yes
+}
+v7 {yes
+}
+v6 {yes
+}
+v5 {yes
+}
+}
+}

live-build/apparmor/generic/capability

@@ -0,0 +1 @@
+0xffffff

live-build/apparmor/generic/caps/mask

@@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read

live-build/apparmor/generic/dbus/mask

@@ -0,0 +1 @@
+acquire send receive

live-build/apparmor/generic/domain/attach_conditions/xattr

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_hat

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_hatv

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_onexec

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/computed_longest_left

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/fix_binfmt_elf_mmap

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/post_nnp_subset

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/stack

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/version

@@ -0,0 +1 @@
+1.2

live-build/apparmor/generic/file/mask

@@ -0,0 +1 @@
+create read write exec append mmap_exec link lock

live-build/apparmor/generic/mount/mask

@@ -0,0 +1 @@
+mount umount pivot_root

live-build/apparmor/generic/namespaces/pivot_root

@@ -0,0 +1 @@
+no

live-build/apparmor/generic/namespaces/profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/network/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/generic/network/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/network_v8/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/generic/policy/set_load

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v5

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v6

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v7

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v8

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/ptrace/mask

@@ -0,0 +1 @@
+read trace

live-build/apparmor/generic/query/label/data

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/query/label/multi_transaction

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/query/label/perms

@@ -0,0 +1 @@
+allow deny audit quiet

live-build/apparmor/generic/rlimit/mask

@@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

live-build/apparmor/generic/signal/mask

@@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost

live-build/auto/build

@@ -106,14 +106,17 @@ fi
 Setup_cleanup
 
 preinstall_snaps() {
-	lb chroot_resolv install
+	setup_mountpoint chroot
+
 	snap_prepare chroot
 
 	for snap in "$@"; do
 		SNAP_NO_VALIDATE_SEED=1 snap_preseed chroot "${snap}"
 	done
+
 	snap_validate_seed chroot
-	lb chroot_resolv remove
+
+	teardown_mountpoint chroot
 }
 
 rm -f binary.success

live-build/auto/config

@@ -359,8 +359,12 @@ case $IMAGEFORMAT in
 			CHANNEL="${CHANNEL:-edge}"
 			case $MODEL in
 				pc-amd64|pc-i386)
-					[ -z "${SUBARCH:-}" ] \
+					if [ -z "${SUBARCH:-}" ]; then
-					&& UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+						case $SUITE in
+							# This is to make sure there's enough writable space
+							UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+						esac
+					fi
 					;;
 				*) ;;
 			esac
@@ -375,7 +379,9 @@ case $IMAGEFORMAT in
 					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					UBUNTU_IMAGE_ARGS="--image-size 10G"
+					if [ "${MODEL}" = "pi" ]; then
+						MODEL=pi-armhf
+					fi
 					# Ubuntu Core 20
 					# Currently uc20 assertions do not support global
 					# channel overrides, instead we have per-channel models
@@ -386,6 +392,15 @@ case $IMAGEFORMAT in
 						candidate|beta|edge|dangerous)
 							MODEL="ubuntu-core-20-${MODEL#pc-}-${CHANNEL}"
 							;;
+						dangerous-*)
+							# That being said, the dangerous grade *does*
+							# support channel overrides, so we can use the
+							# dangerous model assertion and override the channel
+							# freely.
+							MODEL="ubuntu-core-20-${MODEL#pc-}-dangerous"
+							CHANNEL=${CHANNEL#dangerous-}
+							UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
+							;;
 						*)
 							echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
 							exit 1
@@ -669,6 +684,23 @@ case $PROJECT in
 
 	ubuntustudio-dvd)
 		add_task install minimal standard ubuntustudio-desktop ubuntustudio-audio ubuntustudio-fonts ubuntustudio-graphics ubuntustudio-video ubuntustudio-publishing ubuntustudio-photography
+		case $SUITE in
+			focal)
+				# ubuntustudio-default-settings in focal
+				# release has a Recommends to this kernel,
+				# which makes it impossible to update the
+				# kernel later on, since we would install the
+				# -updates and release kernel, which isn't
+				# allowed and causes the squashfs to fail to
+				# build.  Hack out the focal-release kernel and
+				# let the rest of the build process pull in the
+				# right one. (See right below.)
+				for package in linux-lowlatency linux-image-lowlatency linux-headers-lowlatency linux-image-5.4.0-26-lowlatency linux-headers-5.4.0-26-lowlatency; do
+					sed -i "s/$/ -a --not -XFPackage ${package}/" \
+						"config/package-lists/livecd-rootfs.list.chroot_install"
+				done
+				;;
+		esac
 		COMPONENTS='main restricted universe multiverse'
 		case $ARCH in
 			amd64|i386)	KERNEL_FLAVOURS=lowlatency ;;
@@ -739,8 +771,7 @@ case $PROJECT in
 				add_package install grub-pc
 				;;
 			amd64)
-				add_package install grub-pc-bin
+				add_package install grub-pc
-				add_package install grub-efi-amd64-signed
 				add_package install shim-signed
 				;;
 		esac
@@ -858,7 +889,7 @@ if [ "$PROJECT:${SUBPROJECT:-}" = ubuntu-cpc:minimized ]; then
 	# build if we see such a snap.
 	for snap in `cat config/seeded-snaps`; do
 		case $snap in
-			lxd)
+			lxd | lxd=*)
 				;;
 			*)
 				echo "Unexpected seeded snap for ubuntu-cpc:minimized build: $snap"

live-build/buildd/hooks/02-disk-image-uefi.binary

@@ -84,8 +84,7 @@ install_grub() {
             efi_target=arm-efi
             ;;
         amd64)
-            chroot mountpoint apt-get install -qqy grub-pc
+            chroot mountpoint apt-get install -qqy grub-pc shim-signed
-            chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
             efi_target=x86_64-efi
             ;;
     esac

live-build/buildd/hooks/52-linux-virtual-image.binary

@@ -39,6 +39,9 @@ trap cleanup_linux_virtual EXIT
 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
     update --assume-yes
+# Perform a dist-upgrade to pull in package updates
+env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
+    dist-upgrade --assume-yes
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
     install -y lsb-release locales initramfs-tools busybox-initramfs \
                udev dbus netplan.io cloud-init openssh-server sudo snapd

live-build/functions

@@ -96,14 +96,25 @@ mount_image() {
 setup_mountpoint() {
     local mountpoint="$1"
 
+    if [ ! -c /dev/mem ]; then
+        mknod -m 660 /dev/mem c 1 1
+        chown root:kmem /dev/mem
+    fi
+
     mount --rbind /dev "$mountpoint/dev"
     mount proc-live -t proc "$mountpoint/proc"
     mount sysfs-live -t sysfs "$mountpoint/sys"
+    mount securityfs -t securityfs "$mountpoint/sys/kernel/security"
+    # Provide more up to date apparmor features, matching target kernel
+    mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
+    mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
     mount -t tmpfs none "$mountpoint/tmp"
     mount -t tmpfs none "$mountpoint/var/lib/apt"
     mount -t tmpfs none "$mountpoint/var/cache/apt"
     mv "$mountpoint/etc/resolv.conf" resolv.conf.tmp
     cp /etc/resolv.conf "$mountpoint/etc/resolv.conf"
+    mv "$mountpoint/etc/nsswitch.conf" nsswitch.conf.tmp
+    sed 's/systemd//g' nsswitch.conf.tmp > "$mountpoint/etc/nsswitch.conf"
     chroot "$mountpoint" apt-get update
 
 }
@@ -121,6 +132,7 @@ teardown_mountpoint() {
         umount $submount
     done
     mv resolv.conf.tmp "$mountpoint/etc/resolv.conf"
+    mv nsswitch.conf.tmp "$mountpoint/etc/nsswitch.conf"
 }
 
 mount_partition() {
@@ -230,28 +242,46 @@ modify_vmdk_header() {
 
     # Extract the vmdk header for manipulation
     dd if="${vmdk_name}" of="${descriptor}" bs=1 skip=512 count=1024
+    echo "Cat'ing original vmdk disk descriptor to console for debugging."
+    # cat header so we are aware of the original descriptor for debugging
+    cat $descriptor
+
+    # trim null bytes to treat as standard text file
+    tr -d '\000' < $descriptor > $newdescriptor
 
-    # The sed lines below is where the magic is. Specifically:
-    #   ddb.toolsVersion: sets the open-vm-tools so that VMware shows
-    #       the tooling as current
-    #   ddb.virtualHWVersion: set the version to 7, which covers most
-    #       current versions of VMware
-    #   createType: make sure its set to stream Optimized
     #   remove the vmdk-stream-converter comment and replace with
     #       # Disk DescriptorFile. This is needed for Virtualbox
     #   remove the comments from vmdk-stream-converter which causes
     #       VirtualBox and others to fail VMDK validation
-
+    sed -i -e 's|# Description file.*|# Disk DescriptorFile|' \
-    sed -e 's|# Description file.*|# Disk DescriptorFile|' \
         -e '/# Believe this is random*/d' \
         -e '/# Indicates no parent/d' \
         -e '/# The Disk Data Base/d' \
-        -e 's|ddb.comment.*|ddb.toolsVersion = "2147483647"|' \
+            ${newdescriptor}
-            "${descriptor}" > "${newdescriptor}"
 
-    # The header is cannot be bigger than 1024
+    # add newline to newdescriptor
-    expr $(stat --format=%s ${newdescriptor}) \< 1024 > /dev/null 2>&1 || {
+    echo "" >> $newdescriptor
-        echo "descriptor is too large, VMDK will be invalid!"; exit 1; }
+
+    # add required tools version
+    echo -n 'ddb.toolsVersion = "2147483647"' >> $newdescriptor
+
+    echo "Cat'ing modified descriptor for debugging."
+    cat $newdescriptor
+
+    # diff original descriptor and new descriptor for debugging
+    # diff exits 1 if difference. pipefail not set so piping diff
+    # to cat prints diff and swallows exit 1
+    echo "Printing diff of original and new descriptors."
+    diff --text $descriptor $newdescriptor | cat
+
+    # The header must be 1024 or less before padding
+    if ! expr $(stat --format=%s ${newdescriptor}) \< 1025 > /dev/null 2>&1; then
+        echo "descriptor is too large, VMDK will be invalid!"; 
+        exit 1
+    fi
+
+    # reset newdescriptor to be 1024
+    truncate --no-create --size=1K $newdescriptor
 
     # Overwrite the vmdk header with our new, modified one
     dd conv=notrunc,nocreat \
@@ -626,11 +656,31 @@ snap_prepare() {
 snap_preseed() {
     # Preseed a snap in the image (snap_prepare must be called once prior)
     local CHROOT_ROOT=$1
+    # $2 can be in the form of snap_name/classic=track/risk/branch
     local SNAP=$2
+    # strip CHANNEL specification
+    SNAP=${SNAP%=*}
+    # strip /classic confinement
     local SNAP_NAME=${SNAP%/*}
-    # Per Ubuntu policy, all seeded snaps (with the exception of the core
+    # Seed from the specified channel (e.g. core18 latest/stable)
-    # snap) must pull from stable/ubuntu-$(release_ver) as their channel.
+    # Or Channel endcoded in the snap name (e.g. lxd=4.0/stable/ubuntu-20.04)
-    local CHANNEL=${3:-"stable/ubuntu-$(release_ver)"}
+    # Or Ubuntu policy default channel latest/stable/ubuntu-$(release_ver)
+    local CHANNEL=${3:-}
+    if [ -z "$CHANNEL" ]; then
+        case $2 in
+            *=*)
+                CHANNEL=${2#*=}
+                ;;
+            *)
+                CHANNEL="stable/ubuntu-$(release_ver)"
+                ;;
+        esac
+    fi
+
+    # At this point:
+    # SNAP_NAME is just the snap name
+    # SNAP is either $SNAP_NAME or $SNAP_NAME/classic for classic confined
+    # CHANNEL is the channel
 
     if [ ! -e "$CHROOT_ROOT/var/lib/snapd/seed/assertions/model" ]; then
         echo "ERROR: Snap model assertion not present, snap_prepare must be called"
@@ -662,6 +712,9 @@ snap_validate_seed() {
 
     if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
         snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
+        /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
+        /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
+        chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose  -j `nproc` /etc/apparmor.d
     fi
 }
 

live-build/seccomp/generic.actions_avail

@@ -0,0 +1 @@
+kill_process kill_thread trap errno user_notif trace log allow

live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary

@@ -33,6 +33,7 @@ install_grub() {
     chroot mountpoint apt-get -qqy update
     chroot mountpoint apt-get -qqy install grub-ieee1275
     chroot mountpoint apt-get -qqy remove --purge grub-legacy-ec2
+    chroot mountpoint apt-get autoremove --purge --assume-yes
 
     # set the kernel commandline to use hvc0
     mkdir -p mountpoint/etc/default/grub.d

live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary

@@ -97,11 +97,13 @@ install_grub() {
             efi_target=arm-efi
             ;;
         amd64)
-            chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
+            chroot mountpoint apt-get install -qqy grub-pc shim-signed
             efi_target=x86_64-efi
             ;;
     esac
 
+    chroot mountpoint apt-get autoremove --purge --assume-yes
+
     # This call to rewrite the debian package manifest is added here to capture
     # grub-efi packages that otherwise would not make it into the base
     # manifest. filesystem.packages is moved into place via symlinking to

live-build/ubuntu-cpc/hooks.d/base/disk-image.binary

@@ -136,6 +136,7 @@ fi
 if [ "$ARCH" = "s390x" ]; then
     # Do ZIPL install bits
     chroot mountpoint apt-get -qqy install s390-tools sysconfig-hardware
+    chroot mountpoint apt-get autoremove --purge --assume-yes
 
     # Write out cloudy zipl.conf for future kernel updates
     cat << EOF > mountpoint/etc/zipl.conf

live-build/ubuntu-cpc/hooks.d/base/kvm-image.binary

@@ -49,10 +49,6 @@ replace_kernel ${mount_d} "linux-kvm"
 chroot "${mount_d}" update-grub
 undivert_grub "${mount_d}"
 
-# Remove initramfs for kvm image
-env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" apt-get \
-    purge -y initramfs-tools busybox-initramfs
-
 env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" rm \
     -rf /boot/initrd.img-* /boot/initrd.img
 

live-build/ubuntu-cpc/hooks.d/base/vagrant.binary

@@ -153,9 +153,17 @@ Vagrant.configure("2") do |config|
   config.vm.base_mac = "${macaddr}"
 
   config.vm.provider "virtualbox" do |vb|
-     vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
+    vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
-# Creating a console log file is not an expected behavior for vagrant boxes. LP #1777827
+    # Create a NULL serial port to skip console logging by default
-#     vb.customize [ "modifyvm", :id, "--uartmode1", "file", File.join(Dir.pwd, "${prefix}-console.log") ]
+    vb.customize [ "modifyvm", :id, "--uartmode1", "file", File::NULL ]
+    # If console logging is desired, uncomment this line and remove prior
+    # vb.customize [ "modifyvm", :id, "--uartmode1", "file", File.join(Dir.pwd, "${prefix}-console.log") ]
+    # Ubuntu cloud images, by default, enable console=ttyS0. This enables serial consoles to
+    # connect to the images. With the change related to LP #1777827, removing a serial
+    # file logger, Vagrant image boot times increased and now run greater than 5 minutes
+    # Creating a console log file is not an expected default behavior for vagrant boxes.
+    # As a workaround, we create a console connection to File:NULL. LP #1874453
+    # This is overrideable in user files to write to a local file
   end
 end
 EOF

live-build/ubuntu-cpc/hooks.d/base/wsl.binary

@@ -35,6 +35,7 @@ cp -a rootfs.dir $rootfs_dir
 setup_mountpoint $rootfs_dir
 
 env DEBIAN_FRONTEND=noninteractive chroot $rootfs_dir apt-get -y -qq install ubuntu-wsl
+env DEBIAN_FRONTEND=noninteractive chroot $rootfs_dir apt-get autoremove --purge --assume-yes
 
 create_manifest $rootfs_dir livecd.ubuntu-cpc.wsl.rootfs.manifest
 teardown_mountpoint $rootfs_dir

live-build/ubuntu-server/hooks/032-installer-squashfs.binary

@@ -21,10 +21,9 @@ if [ -n "$SUBARCH" ]; then
 	exit 0
 fi
 
+. config/binary
 . config/functions
 . config/common
-# somehow i don't have LB_DISTRIBUTION set ?!
-. config/bootstrap
 
 FILESYSTEM_ROOT=binary/boot/squashfs.dir
 INSTALLER_ROOT=binary/boot/installer.squashfs.dir
@@ -84,6 +83,12 @@ sed -i -e'N;/name: lxd/,+2d' $INSTALLER_ROOT/var/lib/snapd/seed/seed.yaml
 
 teardown_mountpoint "$INSTALLER_ROOT"
 
+# Drop core/lxd/snapd that got copied up from base layer, due to
+# snap-preseed tool doing --reset & speedup
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'core*.snap' -delete
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'snapd_*.snap' -delete
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'lxd_*.snap' -delete
+
 squashfs_f="${PWD}/livecd.${PROJECT}.installer.squashfs"
 
 (cd "$OVERLAY_ROOT/" &&

live-build/ubuntu/hooks/040-hyperv-desktop-images.binary

@@ -55,8 +55,8 @@ EOF
 
 CHANGED_FILE_SUFFIX=.replaced-by-desktop-img-build
 
-# use vsock transport.
+# use vsock transport
-sed -i${CHANGED_FILE_SUFFIX} -e 's/use_vsock=false/use_vsock=true/g' "${scratch_d}/etc/xrdp/xrdp.ini"
+sed -i${CHANGED_FILE_SUFFIX} -e 's/port=3389/port=vsock:\/\/-1:3389/g' "${scratch_d}/etc/xrdp/xrdp.ini"
 # use rdp security.
 sed -i${CHANGED_FILE_SUFFIX} -e 's/security_layer=negotiate/security_layer=rdp/g' "${scratch_d}/etc/xrdp/xrdp.ini"
 # remove encryption validation.
@@ -74,6 +74,9 @@ exec /etc/xrdp/startwm.sh
 EOF
 chmod a+x "${scratch_d}/etc/xrdp/startubuntu.sh"
 
+# set to use the system Window manager
+sed -i${CHANGED_FILE_SUFFIX} -e 's/EnableUserWindowManager=true/EnableUserWindowManager=0/g' "${scratch_d}/etc/xrdp/sesman.ini"
+
 # use the script to setup the ubuntu session
 sed -i${CHANGED_FILE_SUFFIX} -e 's/startwm/startubuntu/g' "${scratch_d}/etc/xrdp/sesman.ini"
 
@@ -100,6 +103,15 @@ ResultInactive=no
 ResultActive=yes
 EOF
 
+cat >${scratch_d}/etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
+[Allow Package Management all Users]
+Identity=unix-user:*
+Action=org.freedesktop.packagekit.system-sources-refresh
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes
+EOF
+
 sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-config/run\nAfter=|g' "${scratch_d}/lib/systemd/system/xrdp.service"
 
 # End xrdp customisation