releasing package livecd-rootfs version 2.664.12

All commits are cherrypicks from hirsute, and includes:

make-lxd-metadata: add riscv64 lxd architecture tag
control: install qemu-utils & snapd on riscv64.
disk-image.binary: actually skip building MBR image on EFI platforms.
disk-image.binary: skip building MBR image on riscv64.
disk-image.binary: however still build MBR image on amd64.
disk-image-uefi.binary: build riscv64 image without a bootloader.
disk-image-uefi: riscv64 add u-boot spl
disk-image-uefi: riscv64 add ubuntu:ubuntu login, without expiry.
riscv64: build preinstalled riscv64 image with uboot SPL and CIDATA.
riscv64: fixup subarch build, unbound variable
qcow2-image: unbreak builds without subarch.
disk-image-uefi: fix riscv64 subarch user-data.

LP: #1903034

debian/changelog

@@ -1,3 +1,123 @@
+livecd-rootfs (2.664.12) focal; urgency=medium
+
+  * riscv64: backport HiFive unleashed & cloud-image building support
+    (LP: #1903034)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 15 Jan 2021 17:07:20 +0000
+
+livecd-rootfs (2.664.10) focal; urgency=medium
+
+  * Do not hard-code the UC20 amd64 image size to 8GB as now ubuntu-image
+    should be able to properly calculate the needed size itself.
+  * But per discussion, we might want to keep the UC20 images a bit bigger than
+    what's defined via the gadget/rootfs contents, to make sure writable is
+    comfortably big enough. Use the same hard-coded value as for UC16 and UC18.
+    (LP: #1905990)
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Fri, 27 Nov 2020 17:58:38 +0100
+
+livecd-rootfs (2.664.9) focal; urgency=medium
+
+   [ John Chittum]
+   * Backport Ensure toolsVersion set in vmdk header (LP: #1893898) 
+
+   [ Dimitri John Ledkov & Joshua Powers ]
+   * amd64: always install grub-pc with shim-signed (LP: #1901906), and
+     ensure to autoremove packages
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Fri, 20 Nov 2020 14:35:51 -0600
+
+livecd-rootfs (2.664.8) focal; urgency=medium
+
+  Backport snap-preseed work from groovy to focal LP: #1896755
+
+  [ Robert C Jennings ]
+  * Apply snap-preseed optimizations after seeding snaps
+
+  [ Dimitri John Ledkov ]
+  * live-server: remove duplicate snaps, due to overlayfs vs snap-preseed.
+  * apparmor: Add generic v5.4 kernel apparmor features
+  * apparmor: mount more up-to-date apparmor features in the chroot.
+  * seccomp: add more up-to-date seccomp actions
+  * seccomp: mount more up-to-date seccomp features
+  * apparmor: compile all profiles
+
+  [ Robert C Jennings ]
+  * Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)
+
+  [ Dimitri John Ledkov ]
+  * auto/build: use setup|teardown_mountpoint to reduce duplication
+  * functions: provide nss_systemd-less nsswitch.conf in chroots.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 05 Oct 2020 10:33:02 +0100
+
+livecd-rootfs (2.664.7) focal; urgency=medium
+
+  [ Stanislav German-Evtushenko <giner> / John Chittum ]
+  * Send Vagrant serial connection to NULL. (LP: #1874453)
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Wed, 23 Sep 2020 13:32:32 -0500
+
+livecd-rootfs (2.664.6) focal; urgency=medium
+
+  [ Patrick Wu ]
+  * Fix xrdp support in hyper-v images.  LP: #1890980.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 26 Aug 2020 14:06:31 -0700
+
+livecd-rootfs (2.664.5) focal; urgency=medium
+
+  [ Robert C Jennings ]
+  * Handle seeded lxd snap with channel name for ubuntu-cpc:minimized
+    (LP: #1889470)
+
+  [ Cody Shepherd ]
+  * Add dist-upgrade to bootable-buildd hook to ensure the built image
+    doesn't contain vulnerable kernels or other packages.  LP: #1891061.
+  * Don't explicitly install grub-efi-amd64-signed, it's a dependency of
+    shim-signed.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 04 Aug 2020 12:39:27 -0700
+
+livecd-rootfs (2.664.4) focal; urgency=medium
+
+  * snap_preseed: support channel specification with snap name (LP: #1882374)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 23 Jul 2020 19:12:10 +0100
+
+livecd-rootfs (2.664.3) focal; urgency=medium
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Enable overrides of UC20 grade dangerous channels - as this is possible.
+    (LP: #1879350)
+
+  [ Iain Lane ]
+  * Hack seeding of linux kernel in ubuntustudio/focal
+    ubuntustudio-default-settings in focal release has a Recommends to this
+    kernel, which makes it impossible to update the kernel later on, since we
+    would install the -updates and release kernel, which isn't allowed and
+    causes FTBFS. Hack out the focal-release kernel and let the rest of the
+    build process pull in the right one. (LP: #1884915)
+
+ -- Iain Lane <iain.lane@canonical.com>  Tue, 21 Jul 2020 16:25:18 +0100
+
+livecd-rootfs (2.664.2) focal; urgency=medium
+
+  * Revert of initramfs package removal in KVM image (LP: #1880170)
+
+ -- Phil Roche <phil.roche@canonical.com>  Fri, 22 May 2020 13:03:20 +0100
+
+livecd-rootfs (2.664.1) focal; urgency=medium
+
+  * Bump only the UC20 pc image to 8GB, and keep Pi images as small as possible.
+    (LP: #1875430)
+  * ubuntu-image: fix focal+ pi images for armhf to use pi-armhf model name.
+    (LP: #1876358)
+  * ubuntu-image: drop ubuntu-image dep on riscv64, as not installable yet.
+    (LP: #1876359)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 01 May 2020 20:08:23 +0100
+
 livecd-rootfs (2.664) focal; urgency=medium
 
   [ Patrick Viafore ]

debian/control

@@ -32,13 +32,13 @@ Depends: ${misc:Depends},
          python3-apt,
          python3-software-properties,
          python3-yaml,
-         qemu-utils [!i386 !riscv64],
+         qemu-utils [!i386],
          rsync,
-         snapd (>= 2.39) [!i386 !riscv64],
+         snapd (>= 2.39) [!i386],
          squashfs-tools (>= 1:3.3-1),
          sudo,
          u-boot-tools [armhf arm64],
-         ubuntu-image [!i386],
+         ubuntu-image [!i386 !riscv64],
          python3-vmdkstream [amd64 i386],
          xz-utils,
          zerofree

live-build/apparmor/generic.features

@@ -0,0 +1,78 @@
+query {label {multi_transaction {yes
+}
+data {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+dbus {mask {acquire send receive
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}
+ptrace {mask {read trace
+}
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+namespaces {pivot_root {no
+}
+profile {yes
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+network {af_unix {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {version {1.2
+}
+attach_conditions {xattr {yes
+}
+}
+computed_longest_left {yes
+}
+post_nnp_subset {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+stack {yes
+}
+change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+versions {v8 {yes
+}
+v7 {yes
+}
+v6 {yes
+}
+v5 {yes
+}
+}
+}

live-build/apparmor/generic/capability

@@ -0,0 +1 @@
+0xffffff

live-build/apparmor/generic/caps/mask

@@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read

live-build/apparmor/generic/dbus/mask

@@ -0,0 +1 @@
+acquire send receive

live-build/apparmor/generic/domain/attach_conditions/xattr

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_hat

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_hatv

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_onexec

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/change_profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/computed_longest_left

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/fix_binfmt_elf_mmap

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/post_nnp_subset

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/stack

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/domain/version

@@ -0,0 +1 @@
+1.2

live-build/apparmor/generic/file/mask

@@ -0,0 +1 @@
+create read write exec append mmap_exec link lock

live-build/apparmor/generic/mount/mask

@@ -0,0 +1 @@
+mount umount pivot_root

live-build/apparmor/generic/namespaces/pivot_root

@@ -0,0 +1 @@
+no

live-build/apparmor/generic/namespaces/profile

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/network/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/generic/network/af_unix

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/network_v8/af_mask

@@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp

live-build/apparmor/generic/policy/set_load

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v5

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v6

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v7

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/policy/versions/v8

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/ptrace/mask

@@ -0,0 +1 @@
+read trace

live-build/apparmor/generic/query/label/data

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/query/label/multi_transaction

@@ -0,0 +1 @@
+yes

live-build/apparmor/generic/query/label/perms

@@ -0,0 +1 @@
+allow deny audit quiet

live-build/apparmor/generic/rlimit/mask

@@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime

live-build/apparmor/generic/signal/mask

@@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost

live-build/auto/build

@@ -106,14 +106,17 @@ fi
 Setup_cleanup
 
 preinstall_snaps() {
-	lb chroot_resolv install
+	setup_mountpoint chroot
+
 	snap_prepare chroot
 
 	for snap in "$@"; do
 		SNAP_NO_VALIDATE_SEED=1 snap_preseed chroot "${snap}"
 	done
+
 	snap_validate_seed chroot
-	lb chroot_resolv remove
+
+	teardown_mountpoint chroot
 }
 
 rm -f binary.success

live-build/auto/config

@@ -359,8 +359,10 @@ case $IMAGEFORMAT in
 			CHANNEL="${CHANNEL:-edge}"
 			case $MODEL in
 				pc-amd64|pc-i386)
-					[ -z "${SUBARCH:-}" ] \
-					&& UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+					if [ -z "${SUBARCH:-}" ]; then
+						# This is to make sure there's enough writable space
+						UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+					fi
 					;;
 				*) ;;
 			esac
@@ -375,7 +377,9 @@ case $IMAGEFORMAT in
 					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					UBUNTU_IMAGE_ARGS="--image-size 10G"
+					if [ "${MODEL}" = "pi" ]; then
+						MODEL=pi-armhf
+					fi
 					# Ubuntu Core 20
 					# Currently uc20 assertions do not support global
 					# channel overrides, instead we have per-channel models
@@ -386,6 +390,15 @@ case $IMAGEFORMAT in
 						candidate|beta|edge|dangerous)
 							MODEL="ubuntu-core-20-${MODEL#pc-}-${CHANNEL}"
 							;;
+						dangerous-*)
+							# That being said, the dangerous grade *does*
+							# support channel overrides, so we can use the
+							# dangerous model assertion and override the channel
+							# freely.
+							MODEL="ubuntu-core-20-${MODEL#pc-}-dangerous"
+							CHANNEL=${CHANNEL#dangerous-}
+							UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
+							;;
 						*)
 							echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
 							exit 1
@@ -669,6 +682,23 @@ case $PROJECT in
 
 	ubuntustudio-dvd)
 		add_task install minimal standard ubuntustudio-desktop ubuntustudio-audio ubuntustudio-fonts ubuntustudio-graphics ubuntustudio-video ubuntustudio-publishing ubuntustudio-photography
+		case $SUITE in
+			focal)
+				# ubuntustudio-default-settings in focal
+				# release has a Recommends to this kernel,
+				# which makes it impossible to update the
+				# kernel later on, since we would install the
+				# -updates and release kernel, which isn't
+				# allowed and causes the squashfs to fail to
+				# build.  Hack out the focal-release kernel and
+				# let the rest of the build process pull in the
+				# right one. (See right below.)
+				for package in linux-lowlatency linux-image-lowlatency linux-headers-lowlatency linux-image-5.4.0-26-lowlatency linux-headers-5.4.0-26-lowlatency; do
+					sed -i "s/$/ -a --not -XFPackage ${package}/" \
+						"config/package-lists/livecd-rootfs.list.chroot_install"
+				done
+				;;
+		esac
 		COMPONENTS='main restricted universe multiverse'
 		case $ARCH in
 			amd64|i386)	KERNEL_FLAVOURS=lowlatency ;;
@@ -739,8 +769,7 @@ case $PROJECT in
 				add_package install grub-pc
 				;;
 			amd64)
-				add_package install grub-pc-bin
-				add_package install grub-efi-amd64-signed
+				add_package install grub-pc
 				add_package install shim-signed
 				;;
 		esac
@@ -790,6 +819,11 @@ case $PROJECT in
 			arm64)
 				add_package install flash-kernel
 				;;
+			riscv64)
+				if [ -n "$SUBARCH" ]; then
+					KERNEL_FLAVOURS=generic
+				fi
+				;;
 		esac
 		OPTS="${OPTS:+$OPTS }--system=normal"
 		OPTS="${OPTS:+$OPTS }--hdd-label=cloudimg-rootfs"
@@ -858,7 +892,7 @@ if [ "$PROJECT:${SUBPROJECT:-}" = ubuntu-cpc:minimized ]; then
 	# build if we see such a snap.
 	for snap in `cat config/seeded-snaps`; do
 		case $snap in
-			lxd)
+			lxd | lxd=*)
 				;;
 			*)
 				echo "Unexpected seeded snap for ubuntu-cpc:minimized build: $snap"

live-build/buildd/hooks/02-disk-image-uefi.binary

@@ -84,8 +84,7 @@ install_grub() {
             efi_target=arm-efi
             ;;
         amd64)
-            chroot mountpoint apt-get install -qqy grub-pc
-            chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
+            chroot mountpoint apt-get install -qqy grub-pc shim-signed
             efi_target=x86_64-efi
             ;;
     esac

live-build/buildd/hooks/52-linux-virtual-image.binary

@@ -39,6 +39,9 @@ trap cleanup_linux_virtual EXIT
 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
     update --assume-yes
+# Perform a dist-upgrade to pull in package updates
+env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
+    dist-upgrade --assume-yes
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
     install -y lsb-release locales initramfs-tools busybox-initramfs \
                udev dbus netplan.io cloud-init openssh-server sudo snapd

live-build/cidata/meta-data.sample

@@ -0,0 +1,8 @@
+# NB! This is a sample, copy to "meta-data" and modify to take effect
+# NB! Also see user-data.sample and network-config.sample
+
+# This is the meta-data configuration file for cloud-init. Typically this just
+# contains the instance_id. Please refer to the cloud-init documentation for
+# more information:
+#
+# https://cloudinit.readthedocs.io/

live-build/cidata/network-config.sample

@@ -0,0 +1,52 @@
+# NB! This is a sample, copy to "network-config" and mofiy to take effect
+# NB! Also see user-data.sample and meta-data.sample
+
+# This file contains a netplan-compatible configuration which cloud-init will
+# apply on first-boot (note: it will *not* update the config after the first
+# boot). Please refer to the cloud-init documentation and the netplan reference
+# for full details:
+#
+# https://cloudinit.readthedocs.io/en/latest/topics/network-config.html
+# https://cloudinit.readthedocs.io/en/latest/topics/network-config-format-v2.html
+# https://netplan.io/reference
+#
+# Please note that the YAML format employed by this file is sensitive to
+# differences in whitespace; if you are editing this file in an editor (like
+# Notepad) which uses literal tabs, take care to only use spaces for
+# indentation. See the following link for more details:
+#
+# https://en.wikipedia.org/wiki/YAML
+#
+#
+# The image has stock nocloud-net configuration that will attemp dhcp
+# v4 on all ethernet devices, similar to zz-all-en / zz-all-eth
+# stanzas below. Hence this file is optional.
+#
+#version: 2
+#ethernets:
+#  zz-all-en:
+#    match:
+#      name: "en*"
+#    dhcp4: true
+#    optional: true
+#  zz-all-eth:
+#    match:
+#      name: "eth*"
+#    dhcp4: true
+#    optional: true
+#wifis:
+#  wlan0:
+#    dhcp4: true
+#    optional: true
+#    access-points:
+#      myhomewifi:
+#        password: "S3kr1t"
+#      myworkwifi:
+#        password: "correct battery horse staple"
+#      workssid:
+#        auth:
+#          key-management: eap
+#          method: peap
+#          identity: "me@example.com"
+#          password: "passw0rd"
+#          ca-certificate: /etc/my_ca.pem

live-build/cidata/user-data.sample

@@ -0,0 +1,84 @@
+#cloud-config
+
+# NB! This is a sample, copy to "user-data" and modify to take effect
+
+# NB! meta-data is required too! See "meta-data.sample"
+
+# NB! For networking see "network-config.sample"
+
+# This is the user-data configuration file for cloud-init. This image
+# has a default nocloud-net metadata available on the first
+# partition. By default it sets up an initial user called "ubuntu"
+# with password "ubuntu", which must be changed at first
+# login. However, one can override and provide many additional actions
+# to be initiated on first boot from this file. The cloud-init
+# documentation has more details: https://cloudinit.readthedocs.io/
+# Some additional examples are provided in comments below the default
+# configuration.
+
+# On first boot, set the (default) ubuntu user's password to "ubuntu" and
+# expire user passwords
+#chpasswd:
+#  expire: true
+#  list:
+#  - ubuntu:ubuntu
+
+# Enable password authentication with the SSH daemon
+#ssh_pwauth: true
+
+## On first boot, use ssh-import-id to give the specific users SSH access to
+## the default user
+#ssh_import_id:
+#- lp:my_launchpad_username
+#- gh:my_github_username
+
+## Add users and groups to the system, and import keys with the ssh-import-id
+## utility
+#groups:
+#- robot: [robot]
+#- robotics: [robot]
+#
+#users:
+#- default
+#- name: robot
+#  gecos: Mr. Robot
+#  primary_group: robot
+#  groups: users
+#  ssh_import_id: foobar
+#  lock_passwd: false
+#  passwd: $5$hkui88$nvZgIle31cNpryjRfO9uArF7DYiBcWEnjqq7L1AQNN3
+
+## Update apt database and upgrade packages on first boot
+#package_update: true
+#package_upgrade: true
+
+## Install additional packages on first boot
+#packages:
+#- pwgen
+#- pastebinit
+#- [libpython2.7, 2.7.3-0ubuntu3.1]
+
+## Write arbitrary files to the file-system (including binaries!)
+#write_files:
+#- path: /etc/default/keyboard
+#  content: |
+#    # KEYBOARD configuration file
+#    # Consult the keyboard(5) manual page.
+#    XKBMODEL="pc105"
+#    XKBLAYOUT="gb"
+#    XKBVARIANT=""
+#    XKBOPTIONS="ctrl: nocaps"
+#  permissions: '0644'
+#  owner: root:root
+#- encoding: gzip
+#  path: /usr/bin/hello
+#  content: !!binary |
+#    H4sIAIDb/U8C/1NW1E/KzNMvzuBKTc7IV8hIzcnJVyjPL8pJ4QIA6N+MVxsAAAA=
+#  owner: root:root
+#  permissions: '0755'
+
+## Run arbitrary commands at rc.local like time
+#runcmd:
+#- [ ls, -l, / ]
+#- [ sh, -xc, "echo $(date) ': hello world!'" ]
+#- [ wget, "http://ubuntu.com", -O, /run/mydir/index.html ]

live-build/functions

@@ -96,14 +96,25 @@ mount_image() {
 setup_mountpoint() {
     local mountpoint="$1"
 
+    if [ ! -c /dev/mem ]; then
+        mknod -m 660 /dev/mem c 1 1
+        chown root:kmem /dev/mem
+    fi
+
     mount --rbind /dev "$mountpoint/dev"
     mount proc-live -t proc "$mountpoint/proc"
     mount sysfs-live -t sysfs "$mountpoint/sys"
+    mount securityfs -t securityfs "$mountpoint/sys/kernel/security"
+    # Provide more up to date apparmor features, matching target kernel
+    mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
+    mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
     mount -t tmpfs none "$mountpoint/tmp"
     mount -t tmpfs none "$mountpoint/var/lib/apt"
     mount -t tmpfs none "$mountpoint/var/cache/apt"
     mv "$mountpoint/etc/resolv.conf" resolv.conf.tmp
     cp /etc/resolv.conf "$mountpoint/etc/resolv.conf"
+    mv "$mountpoint/etc/nsswitch.conf" nsswitch.conf.tmp
+    sed 's/systemd//g' nsswitch.conf.tmp > "$mountpoint/etc/nsswitch.conf"
     chroot "$mountpoint" apt-get update
 
 }
@@ -121,6 +132,7 @@ teardown_mountpoint() {
         umount $submount
     done
     mv resolv.conf.tmp "$mountpoint/etc/resolv.conf"
+    mv nsswitch.conf.tmp "$mountpoint/etc/nsswitch.conf"
 }
 
 mount_partition() {
@@ -230,28 +242,46 @@ modify_vmdk_header() {
 
     # Extract the vmdk header for manipulation
     dd if="${vmdk_name}" of="${descriptor}" bs=1 skip=512 count=1024
+    echo "Cat'ing original vmdk disk descriptor to console for debugging."
+    # cat header so we are aware of the original descriptor for debugging
+    cat $descriptor
+
+    # trim null bytes to treat as standard text file
+    tr -d '\000' < $descriptor > $newdescriptor
 
-    # The sed lines below is where the magic is. Specifically:
-    #   ddb.toolsVersion: sets the open-vm-tools so that VMware shows
-    #       the tooling as current
-    #   ddb.virtualHWVersion: set the version to 7, which covers most
-    #       current versions of VMware
-    #   createType: make sure its set to stream Optimized
     #   remove the vmdk-stream-converter comment and replace with
     #       # Disk DescriptorFile. This is needed for Virtualbox
     #   remove the comments from vmdk-stream-converter which causes
     #       VirtualBox and others to fail VMDK validation
-
-    sed -e 's|# Description file.*|# Disk DescriptorFile|' \
+    sed -i -e 's|# Description file.*|# Disk DescriptorFile|' \
         -e '/# Believe this is random*/d' \
         -e '/# Indicates no parent/d' \
         -e '/# The Disk Data Base/d' \
-        -e 's|ddb.comment.*|ddb.toolsVersion = "2147483647"|' \
-            "${descriptor}" > "${newdescriptor}"
+            ${newdescriptor}
 
-    # The header is cannot be bigger than 1024
-    expr $(stat --format=%s ${newdescriptor}) \< 1024 > /dev/null 2>&1 || {
-        echo "descriptor is too large, VMDK will be invalid!"; exit 1; }
+    # add newline to newdescriptor
+    echo "" >> $newdescriptor
+
+    # add required tools version
+    echo -n 'ddb.toolsVersion = "2147483647"' >> $newdescriptor
+
+    echo "Cat'ing modified descriptor for debugging."
+    cat $newdescriptor
+
+    # diff original descriptor and new descriptor for debugging
+    # diff exits 1 if difference. pipefail not set so piping diff
+    # to cat prints diff and swallows exit 1
+    echo "Printing diff of original and new descriptors."
+    diff --text $descriptor $newdescriptor | cat
+
+    # The header must be 1024 or less before padding
+    if ! expr $(stat --format=%s ${newdescriptor}) \< 1025 > /dev/null 2>&1; then
+        echo "descriptor is too large, VMDK will be invalid!"; 
+        exit 1
+    fi
+
+    # reset newdescriptor to be 1024
+    truncate --no-create --size=1K $newdescriptor
 
     # Overwrite the vmdk header with our new, modified one
     dd conv=notrunc,nocreat \
@@ -626,11 +656,31 @@ snap_prepare() {
 snap_preseed() {
     # Preseed a snap in the image (snap_prepare must be called once prior)
     local CHROOT_ROOT=$1
+    # $2 can be in the form of snap_name/classic=track/risk/branch
     local SNAP=$2
+    # strip CHANNEL specification
+    SNAP=${SNAP%=*}
+    # strip /classic confinement
     local SNAP_NAME=${SNAP%/*}
-    # Per Ubuntu policy, all seeded snaps (with the exception of the core
-    # snap) must pull from stable/ubuntu-$(release_ver) as their channel.
-    local CHANNEL=${3:-"stable/ubuntu-$(release_ver)"}
+    # Seed from the specified channel (e.g. core18 latest/stable)
+    # Or Channel endcoded in the snap name (e.g. lxd=4.0/stable/ubuntu-20.04)
+    # Or Ubuntu policy default channel latest/stable/ubuntu-$(release_ver)
+    local CHANNEL=${3:-}
+    if [ -z "$CHANNEL" ]; then
+        case $2 in
+            *=*)
+                CHANNEL=${2#*=}
+                ;;
+            *)
+                CHANNEL="stable/ubuntu-$(release_ver)"
+                ;;
+        esac
+    fi
+
+    # At this point:
+    # SNAP_NAME is just the snap name
+    # SNAP is either $SNAP_NAME or $SNAP_NAME/classic for classic confined
+    # CHANNEL is the channel
 
     if [ ! -e "$CHROOT_ROOT/var/lib/snapd/seed/assertions/model" ]; then
         echo "ERROR: Snap model assertion not present, snap_prepare must be called"
@@ -662,6 +712,9 @@ snap_validate_seed() {
 
     if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
         snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
+        /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
+        /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
+        chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose  -j `nproc` /etc/apparmor.d
     fi
 }
 
@@ -905,6 +958,19 @@ is_live_layer () {
     return 1
 }
 
+setup_cidata() {
+    local cidata_dev=$1
+    local mountpoint=$(mktemp -d)
+    mkfs.vfat -F 32 -n CIDATA ${cidata_dev}
+    mount ${cidata_dev} ${mountpoint}
+    cp /usr/share/livecd-rootfs/live-build/cidata/* ${mountpoint}
+    cat >>${mountpoint}/meta-data.sample <<END
+#instance-id: iid-$(openssl rand -hex 8)
+
+END
+    umount ${mountpoint}
+}
+
 replace_kernel () { 
     mountpoint=$1
     new_kernel=$2

live-build/make-lxd-metadata.py

@@ -17,6 +17,7 @@ lxd_arches = {
     "powerpc": "ppc",
     "ppc64el": "ppc64le",
     "s390x": "s390x",
+    "riscv64": "riscv64",
     }
 
 

live-build/seccomp/generic.actions_avail

@@ -0,0 +1 @@
+kill_process kill_thread trap errno user_notif trace log allow

live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary

@@ -33,6 +33,7 @@ install_grub() {
     chroot mountpoint apt-get -qqy update
     chroot mountpoint apt-get -qqy install grub-ieee1275
     chroot mountpoint apt-get -qqy remove --purge grub-legacy-ec2
+    chroot mountpoint apt-get autoremove --purge --assume-yes
 
     # set the kernel commandline to use hvc0
     mkdir -p mountpoint/etc/default/grub.d

live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary

@@ -1,7 +1,7 @@
 #!/bin/bash -eux
 
 case $ARCH in
-    amd64|arm64|armhf)
+    amd64|arm64|armhf|riscv64)
         ;;
     *)
         echo "We don't create EFI images for $ARCH."
@@ -21,6 +21,10 @@ case ${PROJECT:-} in
         ;;
 esac
 
+if [ "$ARCH" = "riscv64" ] && [ -n "${SUBARCH:-}" ]; then
+    IMAGE_SIZE=3758096384 # bump to 3.5G (3584*1024**2), due to linux-generic instead of virtual
+fi
+
 . config/binary
 
 . config/functions
@@ -35,6 +39,38 @@ create_partitions() {
                 --typecode=15:ef00 \
                 --new=1:
             ;;
+        riscv64)
+            # same as arm64/armhf, but set bit 2 legacy bios bootable
+            # on the first partition for uboot
+            # and have two loader partitions of uboot SPL & real one
+            # and have CIDATA partition for preinstalled image
+            if [ -z "${SUBARCH:-}" ]; then
+                # cloud-image
+                sgdisk "${disk_image}" \
+                       --set-alignment=2 \
+                       --new=15::+106M \
+                       --typecode=15:ef00 \
+                       --new=1:: \
+                       --attributes=1:set:2
+            else
+                # preinstalled server, currently FU540
+                # FU740 too in the future
+                sgdisk "${disk_image}" \
+                       --set-alignment=2 \
+                       --new=13:34:2081 \
+                       --change-name=13:loader1 \
+                       --typecode=13:5B193300-FC78-40CD-8002-E86C45580B47 \
+                       --new=14:2082:10273 \
+                       --change-name=14:loader2 \
+                       --typecode=14:2E54B353-1271-4842-806F-E436D6AF6985 \
+                       --new=15::+106M \
+                       --typecode=15:ef00 \
+                       --new=12::+4M \
+                       --change-name=12:CIDATA \
+                       --new=1:: \
+                       --attributes=1:set:2
+            fi
+            ;;
         amd64)
             sgdisk "${disk_image}" \
                 --new=14::+4M \
@@ -97,11 +133,72 @@ install_grub() {
             efi_target=arm-efi
             ;;
         amd64)
-            chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
+            chroot mountpoint apt-get install -qqy grub-pc shim-signed
             efi_target=x86_64-efi
             ;;
+        riscv64)
+            # TODO grub-efi-riscv64 does not exist yet on riscv64
+            chroot mountpoint apt-get install -qqy u-boot-menu #grub-efi-riscv64
+            efi_target=riscv64-efi
+
+            chroot mountpoint u-boot-update
+
+            if [ -n "${SUBARCH:-}" ]; then
+                chroot mountpoint apt-get install -qqy u-boot-sifive
+                # FSBL, which gets U-Boot SPL
+                loader1="/dev/mapper${loop_device///dev/}p13"
+                # The real U-Boot
+                loader2="/dev/mapper${loop_device///dev/}p14"
+                dd if=mountpoint/usr/lib/u-boot/sifive_fu540/u-boot-spl.bin of=$loader1
+                dd if=mountpoint/usr/lib/u-boot/sifive_fu540/u-boot.itb of=$loader2
+                # Provide end-user modifyable CIDATA
+                cidata_dev="/dev/mapper${loop_device///dev/}p12"
+                setup_cidata "${cidata_dev}"
+                # Provide stock nocloud datasource
+                # Allow interactive login on baremetal SiFive board,
+                # without a cloud datasource.
+                mkdir -p mountpoint/var/lib/cloud/seed/nocloud-net
+                cat <<EOF >mountpoint/var/lib/cloud/seed/nocloud-net/meta-data
+instance-id: iid-$(openssl rand -hex 8)
+EOF
+                cat <<EOF >mountpoint/var/lib/cloud/seed/nocloud-net/user-data
+#cloud-config
+chpasswd:
+    expire: True
+    list:
+        - ubuntu:ubuntu
+ssh_pwauth: True
+EOF
+                cat <<EOF >mountpoint/var/lib/cloud/seed/nocloud-net/network-config
+# This is the initial network config.
+# It can be overwritten by cloud-init.
+version: 2
+ethernets:
+  zz-all-en:
+    match:
+      name: "en*"
+    dhcp4: true
+    optional: true
+  zz-all-eth:
+    match:
+      name: "eth*"
+    dhcp4: true
+    optional: true
+EOF
+            fi
+            ## TODO remove below once we have grub-efi-riscv64
+            rm mountpoint/tmp/device.map
+            umount mountpoint/boot/efi
+            mount
+            umount_partition mountpoint
+            rmdir mountpoint
+            return
+            ##
+            ;;
     esac
 
+    chroot mountpoint apt-get autoremove --purge --assume-yes
+
     # This call to rewrite the debian package manifest is added here to capture
     # grub-efi packages that otherwise would not make it into the base
     # manifest. filesystem.packages is moved into place via symlinking to

live-build/ubuntu-cpc/hooks.d/base/disk-image.binary

@@ -19,10 +19,6 @@ case $ARCH:$SUBARCH in
 		echo "POWER disk images are handled separately"
 		exit 0
 		;;
-	amd64|arm64|armhf)
-		echo "We only create EFI images for $ARCH."
-		exit 0
-		;;
 	armhf:raspi2)
 		# matches the size of the snappy image
 		IMAGE_SIZE=$((4*1000*1000*1000))
@@ -31,6 +27,10 @@ case $ARCH:$SUBARCH in
 		BOOTPART_END=138M
 		BOOT_MOUNTPOINT=/boot/firmware
 		;;
+	arm64:*|armhf:*|riscv64:*)
+		echo "We only create EFI images for $ARCH."
+		exit 0
+		;;
 	*)
 		;;
 esac
@@ -136,6 +136,7 @@ fi
 if [ "$ARCH" = "s390x" ]; then
     # Do ZIPL install bits
     chroot mountpoint apt-get -qqy install s390-tools sysconfig-hardware
+    chroot mountpoint apt-get autoremove --purge --assume-yes
 
     # Write out cloudy zipl.conf for future kernel updates
     cat << EOF > mountpoint/etc/zipl.conf

live-build/ubuntu-cpc/hooks.d/base/kvm-image.binary

@@ -49,10 +49,6 @@ replace_kernel ${mount_d} "linux-kvm"
 chroot "${mount_d}" update-grub
 undivert_grub "${mount_d}"
 
-# Remove initramfs for kvm image
-env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" apt-get \
-    purge -y initramfs-tools busybox-initramfs
-
 env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" rm \
     -rf /boot/initrd.img-* /boot/initrd.img
 

live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary

@@ -7,6 +7,10 @@ case $ARCH:$SUBARCH in
 		xz -T4 -c binary/boot/disk.ext4 > livecd.ubuntu-cpc.disk1.img.xz
 	        exit 0
 		;;
+	riscv64:hifive)
+		xz -T4 -c binary/boot/disk-uefi.ext4 > livecd.ubuntu-cpc.disk1.img.xz
+	        exit 0
+		;;
 esac
 
 . config/functions

live-build/ubuntu-cpc/hooks.d/base/vagrant.binary

@@ -153,9 +153,17 @@ Vagrant.configure("2") do |config|
   config.vm.base_mac = "${macaddr}"
 
   config.vm.provider "virtualbox" do |vb|
-     vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
-# Creating a console log file is not an expected behavior for vagrant boxes. LP #1777827
-#     vb.customize [ "modifyvm", :id, "--uartmode1", "file", File.join(Dir.pwd, "${prefix}-console.log") ]
+    vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
+    # Create a NULL serial port to skip console logging by default
+    vb.customize [ "modifyvm", :id, "--uartmode1", "file", File::NULL ]
+    # If console logging is desired, uncomment this line and remove prior
+    # vb.customize [ "modifyvm", :id, "--uartmode1", "file", File.join(Dir.pwd, "${prefix}-console.log") ]
+    # Ubuntu cloud images, by default, enable console=ttyS0. This enables serial consoles to
+    # connect to the images. With the change related to LP #1777827, removing a serial
+    # file logger, Vagrant image boot times increased and now run greater than 5 minutes
+    # Creating a console log file is not an expected default behavior for vagrant boxes.
+    # As a workaround, we create a console connection to File:NULL. LP #1874453
+    # This is overrideable in user files to write to a local file
   end
 end
 EOF

live-build/ubuntu-cpc/hooks.d/base/wsl.binary

@@ -35,6 +35,7 @@ cp -a rootfs.dir $rootfs_dir
 setup_mountpoint $rootfs_dir
 
 env DEBIAN_FRONTEND=noninteractive chroot $rootfs_dir apt-get -y -qq install ubuntu-wsl
+env DEBIAN_FRONTEND=noninteractive chroot $rootfs_dir apt-get autoremove --purge --assume-yes
 
 create_manifest $rootfs_dir livecd.ubuntu-cpc.wsl.rootfs.manifest
 teardown_mountpoint $rootfs_dir

live-build/ubuntu-cpc/hooks.d/chroot/999-cpc-fixes.chroot

@@ -116,8 +116,8 @@ fi
 
 
 case $arch in
-	# ARM, ppc and s390 images are special
-	armhf|arm64|powerpc|ppc64el|s390x)
+	# ARM, ppc, riscv64 and s390x images are special
+	armhf|arm64|powerpc|ppc64el|s390x|riscv64)
 		exit 0
 		;;
 esac

live-build/ubuntu-server/hooks/032-installer-squashfs.binary

@@ -21,10 +21,9 @@ if [ -n "$SUBARCH" ]; then
 	exit 0
 fi
 
+. config/binary
 . config/functions
 . config/common
-# somehow i don't have LB_DISTRIBUTION set ?!
-. config/bootstrap
 
 FILESYSTEM_ROOT=binary/boot/squashfs.dir
 INSTALLER_ROOT=binary/boot/installer.squashfs.dir
@@ -84,6 +83,12 @@ sed -i -e'N;/name: lxd/,+2d' $INSTALLER_ROOT/var/lib/snapd/seed/seed.yaml
 
 teardown_mountpoint "$INSTALLER_ROOT"
 
+# Drop core/lxd/snapd that got copied up from base layer, due to
+# snap-preseed tool doing --reset & speedup
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'core*.snap' -delete
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'snapd_*.snap' -delete
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'lxd_*.snap' -delete
+
 squashfs_f="${PWD}/livecd.${PROJECT}.installer.squashfs"
 
 (cd "$OVERLAY_ROOT/" &&

live-build/ubuntu/hooks/040-hyperv-desktop-images.binary

@@ -55,8 +55,8 @@ EOF
 
 CHANGED_FILE_SUFFIX=.replaced-by-desktop-img-build
 
-# use vsock transport.
-sed -i${CHANGED_FILE_SUFFIX} -e 's/use_vsock=false/use_vsock=true/g' "${scratch_d}/etc/xrdp/xrdp.ini"
+# use vsock transport
+sed -i${CHANGED_FILE_SUFFIX} -e 's/port=3389/port=vsock:\/\/-1:3389/g' "${scratch_d}/etc/xrdp/xrdp.ini"
 # use rdp security.
 sed -i${CHANGED_FILE_SUFFIX} -e 's/security_layer=negotiate/security_layer=rdp/g' "${scratch_d}/etc/xrdp/xrdp.ini"
 # remove encryption validation.
@@ -74,6 +74,9 @@ exec /etc/xrdp/startwm.sh
 EOF
 chmod a+x "${scratch_d}/etc/xrdp/startubuntu.sh"
 
+# set to use the system Window manager
+sed -i${CHANGED_FILE_SUFFIX} -e 's/EnableUserWindowManager=true/EnableUserWindowManager=0/g' "${scratch_d}/etc/xrdp/sesman.ini"
+
 # use the script to setup the ubuntu session
 sed -i${CHANGED_FILE_SUFFIX} -e 's/startwm/startubuntu/g' "${scratch_d}/etc/xrdp/sesman.ini"
 
@@ -100,6 +103,15 @@ ResultInactive=no
 ResultActive=yes
 EOF
 
+cat >${scratch_d}/etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
+[Allow Package Management all Users]
+Identity=unix-user:*
+Action=org.freedesktop.packagekit.system-sources-refresh
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes
+EOF
+
 sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-config/run\nAfter=|g' "${scratch_d}/lib/systemd/system/xrdp.service"
 
 # End xrdp customisation