releasing package livecd-rootfs version 2.664.8

functions: provide nss_systemd-less nsswitch.conf in chroots.
(cherry picked from commit 4d4f113f42d6c3a58a484582af4d2c02f96a42bf)
2025-08-21 05:34:08 +00:00 · 2020-10-22 16:01:34 +01:00 · 2020-10-05 10:32:16 +01:00 · 2020-10-05 10:32:15 +01:00 · 2020-10-05 10:32:14 +01:00 · 2020-10-05 10:32:13 +01:00
44 changed files with 321 additions and 23 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,94 @@
+livecd-rootfs (2.664.8) focal; urgency=medium
+
+  Backport snap-preseed work from groovy to focal LP: #1896755
+
+  [ Robert C Jennings ]
+  * Apply snap-preseed optimizations after seeding snaps
+
+  [ Dimitri John Ledkov ]
+  * live-server: remove duplicate snaps, due to overlayfs vs snap-preseed.
+  * apparmor: Add generic v5.4 kernel apparmor features
+  * apparmor: mount more up-to-date apparmor features in the chroot.
+  * seccomp: add more up-to-date seccomp actions
+  * seccomp: mount more up-to-date seccomp features
+  * apparmor: compile all profiles
+
+  [ Robert C Jennings ]
+  * Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount)
+
+  [ Dimitri John Ledkov ]
+  * auto/build: use setup|teardown_mountpoint to reduce duplication
+  * functions: provide nss_systemd-less nsswitch.conf in chroots.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 05 Oct 2020 10:33:02 +0100
+
+livecd-rootfs (2.664.7) focal; urgency=medium
+
+  [ Stanislav German-Evtushenko <giner> / John Chittum ]
+  * Send Vagrant serial connection to NULL. (LP: #1874453)
+
+ -- Robert C Jennings <robert.jennings@canonical.com>  Wed, 23 Sep 2020 13:32:32 -0500
+
+livecd-rootfs (2.664.6) focal; urgency=medium
+
+  [ Patrick Wu ]
+  * Fix xrdp support in hyper-v images.  LP: #1890980.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 26 Aug 2020 14:06:31 -0700
+
+livecd-rootfs (2.664.5) focal; urgency=medium
+
+  [ Robert C Jennings ]
+  * Handle seeded lxd snap with channel name for ubuntu-cpc:minimized
+    (LP: #1889470)
+
+  [ Cody Shepherd ]
+  * Add dist-upgrade to bootable-buildd hook to ensure the built image
+    doesn't contain vulnerable kernels or other packages.  LP: #1891061.
+  * Don't explicitly install grub-efi-amd64-signed, it's a dependency of
+    shim-signed.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 04 Aug 2020 12:39:27 -0700
+
+livecd-rootfs (2.664.4) focal; urgency=medium
+
+  * snap_preseed: support channel specification with snap name (LP: #1882374)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 23 Jul 2020 19:12:10 +0100
+
+livecd-rootfs (2.664.3) focal; urgency=medium
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Enable overrides of UC20 grade dangerous channels - as this is possible.
+    (LP: #1879350)
+
+  [ Iain Lane ]
+  * Hack seeding of linux kernel in ubuntustudio/focal
+    ubuntustudio-default-settings in focal release has a Recommends to this
+    kernel, which makes it impossible to update the kernel later on, since we
+    would install the -updates and release kernel, which isn't allowed and
+    causes FTBFS. Hack out the focal-release kernel and let the rest of the
+    build process pull in the right one. (LP: #1884915)
+
+ -- Iain Lane <iain.lane@canonical.com>  Tue, 21 Jul 2020 16:25:18 +0100
+
+livecd-rootfs (2.664.2) focal; urgency=medium
+
+  * Revert of initramfs package removal in KVM image (LP: #1880170)
+
+ -- Phil Roche <phil.roche@canonical.com>  Fri, 22 May 2020 13:03:20 +0100
+
+livecd-rootfs (2.664.1) focal; urgency=medium
+
+  * Bump only the UC20 pc image to 8GB, and keep Pi images as small as possible.
+    (LP: #1875430)
+  * ubuntu-image: fix focal+ pi images for armhf to use pi-armhf model name.
+    (LP: #1876358)
+  * ubuntu-image: drop ubuntu-image dep on riscv64, as not installable yet.
+    (LP: #1876359)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 01 May 2020 20:08:23 +0100
+
 livecd-rootfs (2.664) focal; urgency=medium

  [ Patrick Viafore ]
--- a/debian/control
+++ b/debian/control
@ -38,7 +38,7 @@ Depends: ${misc:Depends},
         squashfs-tools (>= 1:3.3-1),
         sudo,
         u-boot-tools [armhf arm64],
-         ubuntu-image [!i386],
+         ubuntu-image [!i386 !riscv64],
         python3-vmdkstream [amd64 i386],
         xz-utils,
         zerofree
--- a/live-build/apparmor/generic.features
+++ b/live-build/apparmor/generic.features
@ -0,0 +1,78 @@
+query {label {multi_transaction {yes
+}
+data {yes
+}
+perms {allow deny audit quiet
+}
+}
+}
+dbus {mask {acquire send receive
+}
+}
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
+}
+}
+ptrace {mask {read trace
+}
+}
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+namespaces {pivot_root {no
+}
+profile {yes
+}
+}
+mount {mask {mount umount pivot_root
+}
+}
+network {af_unix {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {version {1.2
+}
+attach_conditions {xattr {yes
+}
+}
+computed_longest_left {yes
+}
+post_nnp_subset {yes
+}
+fix_binfmt_elf_mmap {yes
+}
+stack {yes
+}
+change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+versions {v8 {yes
+}
+v7 {yes
+}
+v6 {yes
+}
+v5 {yes
+}
+}
+}
--- a/live-build/apparmor/generic/capability
+++ b/live-build/apparmor/generic/capability
@ -0,0 +1 @@
+0xffffff
--- a/live-build/apparmor/generic/caps/mask
+++ b/live-build/apparmor/generic/caps/mask
@ -0,0 +1 @@
+chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
--- a/live-build/apparmor/generic/dbus/mask
+++ b/live-build/apparmor/generic/dbus/mask
@ -0,0 +1 @@
+acquire send receive
--- a/live-build/apparmor/generic/domain/attach_conditions/xattr
+++ b/live-build/apparmor/generic/domain/attach_conditions/xattr
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/change_hat
+++ b/live-build/apparmor/generic/domain/change_hat
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/change_hatv
+++ b/live-build/apparmor/generic/domain/change_hatv
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/change_onexec
+++ b/live-build/apparmor/generic/domain/change_onexec
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/change_profile
+++ b/live-build/apparmor/generic/domain/change_profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/computed_longest_left
+++ b/live-build/apparmor/generic/domain/computed_longest_left
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/fix_binfmt_elf_mmap
+++ b/live-build/apparmor/generic/domain/fix_binfmt_elf_mmap
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/post_nnp_subset
+++ b/live-build/apparmor/generic/domain/post_nnp_subset
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/stack
+++ b/live-build/apparmor/generic/domain/stack
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/domain/version
+++ b/live-build/apparmor/generic/domain/version
@ -0,0 +1 @@
+1.2
--- a/live-build/apparmor/generic/file/mask
+++ b/live-build/apparmor/generic/file/mask
@ -0,0 +1 @@
+create read write exec append mmap_exec link lock
--- a/live-build/apparmor/generic/mount/mask
+++ b/live-build/apparmor/generic/mount/mask
@ -0,0 +1 @@
+mount umount pivot_root
--- a/live-build/apparmor/generic/namespaces/pivot_root
+++ b/live-build/apparmor/generic/namespaces/pivot_root
@ -0,0 +1 @@
+no
--- a/live-build/apparmor/generic/namespaces/profile
+++ b/live-build/apparmor/generic/namespaces/profile
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/network/af_mask
+++ b/live-build/apparmor/generic/network/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
--- a/live-build/apparmor/generic/network/af_unix
+++ b/live-build/apparmor/generic/network/af_unix
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/network_v8/af_mask
+++ b/live-build/apparmor/generic/network_v8/af_mask
@ -0,0 +1 @@
+unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
--- a/live-build/apparmor/generic/policy/set_load
+++ b/live-build/apparmor/generic/policy/set_load
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/policy/versions/v5
+++ b/live-build/apparmor/generic/policy/versions/v5
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/policy/versions/v6
+++ b/live-build/apparmor/generic/policy/versions/v6
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/policy/versions/v7
+++ b/live-build/apparmor/generic/policy/versions/v7
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/policy/versions/v8
+++ b/live-build/apparmor/generic/policy/versions/v8
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/ptrace/mask
+++ b/live-build/apparmor/generic/ptrace/mask
@ -0,0 +1 @@
+read trace
--- a/live-build/apparmor/generic/query/label/data
+++ b/live-build/apparmor/generic/query/label/data
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/query/label/multi_transaction
+++ b/live-build/apparmor/generic/query/label/multi_transaction
@ -0,0 +1 @@
+yes
--- a/live-build/apparmor/generic/query/label/perms
+++ b/live-build/apparmor/generic/query/label/perms
@ -0,0 +1 @@
+allow deny audit quiet
--- a/live-build/apparmor/generic/rlimit/mask
+++ b/live-build/apparmor/generic/rlimit/mask
@ -0,0 +1 @@
+cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
--- a/live-build/apparmor/generic/signal/mask
+++ b/live-build/apparmor/generic/signal/mask
@ -0,0 +1 @@
+hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
--- a/live-build/auto/build
+++ b/live-build/auto/build
@ -106,14 +106,17 @@ fi
 Setup_cleanup

 preinstall_snaps() {
-	lb chroot_resolv install
+	setup_mountpoint chroot
+
 	snap_prepare chroot

 	for snap in "$@"; do
 		SNAP_NO_VALIDATE_SEED=1 snap_preseed chroot "${snap}"
 	done
+
 	snap_validate_seed chroot
-	lb chroot_resolv remove
+
+	teardown_mountpoint chroot
 }

 rm -f binary.success
--- a/live-build/auto/config
+++ b/live-build/auto/config
@ -359,8 +359,16 @@ case $IMAGEFORMAT in
 			CHANNEL="${CHANNEL:-edge}"
 			case $MODEL in
 				pc-amd64|pc-i386)
-					[ -z "${SUBARCH:-}" ] \
-					&& UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+					if [ -z "${SUBARCH:-}" ]; then
+						case $SUITE in
+							xenial|bionic)
+								UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 3700M"
+								;;
+							*)
+								UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS --image-size 8G"
+								;;
+						esac
+					fi
 					;;
 				*) ;;
 			esac
@ -375,7 +383,9 @@ case $IMAGEFORMAT in
 					UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
 					;;
 				*)
-					UBUNTU_IMAGE_ARGS="--image-size 10G"
+					if [ "${MODEL}" = "pi" ]; then
+						MODEL=pi-armhf
+					fi
 					# Ubuntu Core 20
 					# Currently uc20 assertions do not support global
 					# channel overrides, instead we have per-channel models
@ -386,6 +396,15 @@ case $IMAGEFORMAT in
 						candidate|beta|edge|dangerous)
 							MODEL="ubuntu-core-20-${MODEL#pc-}-${CHANNEL}"
 							;;
+						dangerous-*)
+							# That being said, the dangerous grade *does*
+							# support channel overrides, so we can use the
+							# dangerous model assertion and override the channel
+							# freely.
+							MODEL="ubuntu-core-20-${MODEL#pc-}-dangerous"
+							CHANNEL=${CHANNEL#dangerous-}
+							UBUNTU_IMAGE_ARGS="$UBUNTU_IMAGE_ARGS -c $CHANNEL"
+							;;
 						*)
 							echo "Unknown CHANNEL ${CHANNEL} specification for ${SUITE}"
 							exit 1
@ -669,6 +688,23 @@ case $PROJECT in

 	ubuntustudio-dvd)
 		add_task install minimal standard ubuntustudio-desktop ubuntustudio-audio ubuntustudio-fonts ubuntustudio-graphics ubuntustudio-video ubuntustudio-publishing ubuntustudio-photography
+		case $SUITE in
+			focal)
+				# ubuntustudio-default-settings in focal
+				# release has a Recommends to this kernel,
+				# which makes it impossible to update the
+				# kernel later on, since we would install the
+				# -updates and release kernel, which isn't
+				# allowed and causes the squashfs to fail to
+				# build.  Hack out the focal-release kernel and
+				# let the rest of the build process pull in the
+				# right one. (See right below.)
+				for package in linux-lowlatency linux-image-lowlatency linux-headers-lowlatency linux-image-5.4.0-26-lowlatency linux-headers-5.4.0-26-lowlatency; do
+					sed -i "s/$/ -a --not -XFPackage ${package}/" \
+						"config/package-lists/livecd-rootfs.list.chroot_install"
+				done
+				;;
+		esac
 		COMPONENTS='main restricted universe multiverse'
 		case $ARCH in
 			amd64|i386)	KERNEL_FLAVOURS=lowlatency ;;
@ -858,7 +894,7 @@ if [ "$PROJECT:${SUBPROJECT:-}" = ubuntu-cpc:minimized ]; then
 	# build if we see such a snap.
 	for snap in `cat config/seeded-snaps`; do
 		case $snap in
-			lxd)
+			lxd | lxd=*)
 				;;
 			*)
 				echo "Unexpected seeded snap for ubuntu-cpc:minimized build: $snap"
--- a/live-build/buildd/hooks/02-disk-image-uefi.binary
+++ b/live-build/buildd/hooks/02-disk-image-uefi.binary
@ -84,8 +84,7 @@ install_grub() {
            efi_target=arm-efi
            ;;
        amd64)
-            chroot mountpoint apt-get install -qqy grub-pc
-            chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
+            chroot mountpoint apt-get install -qqy grub-pc shim-signed
            efi_target=x86_64-efi
            ;;
    esac
--- a/live-build/buildd/hooks/52-linux-virtual-image.binary
+++ b/live-build/buildd/hooks/52-linux-virtual-image.binary
@ -39,6 +39,9 @@ trap cleanup_linux_virtual EXIT
 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
    update --assume-yes
+# Perform a dist-upgrade to pull in package updates
+env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
+    dist-upgrade --assume-yes
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
    install -y lsb-release locales initramfs-tools busybox-initramfs \
               udev dbus netplan.io cloud-init openssh-server sudo snapd
--- a/live-build/functions
+++ b/live-build/functions
@ -96,14 +96,25 @@ mount_image() {
 setup_mountpoint() {
    local mountpoint="$1"

+    if [ ! -c /dev/mem ]; then
+        mknod -m 660 /dev/mem c 1 1
+        chown root:kmem /dev/mem
+    fi
+
    mount --rbind /dev "$mountpoint/dev"
    mount proc-live -t proc "$mountpoint/proc"
    mount sysfs-live -t sysfs "$mountpoint/sys"
+    mount securityfs -t securityfs "$mountpoint/sys/kernel/security"
+    # Provide more up to date apparmor features, matching target kernel
+    mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "$mountpoint/sys/kernel/security/apparmor/features/"
+    mount -o bind /usr/share/livecd-rootfs/live-build/seccomp/generic.actions_avail "$mountpoint/proc/sys/kernel/seccomp/actions_avail"
    mount -t tmpfs none "$mountpoint/tmp"
    mount -t tmpfs none "$mountpoint/var/lib/apt"
    mount -t tmpfs none "$mountpoint/var/cache/apt"
    mv "$mountpoint/etc/resolv.conf" resolv.conf.tmp
    cp /etc/resolv.conf "$mountpoint/etc/resolv.conf"
+    mv "$mountpoint/etc/nsswitch.conf" nsswitch.conf.tmp
+    sed 's/systemd//g' nsswitch.conf.tmp > "$mountpoint/etc/nsswitch.conf"
    chroot "$mountpoint" apt-get update

 }
@ -121,6 +132,7 @@ teardown_mountpoint() {
        umount $submount
    done
    mv resolv.conf.tmp "$mountpoint/etc/resolv.conf"
+    mv nsswitch.conf.tmp "$mountpoint/etc/nsswitch.conf"
 }

 mount_partition() {
@ -626,11 +638,31 @@ snap_prepare() {
 snap_preseed() {
    # Preseed a snap in the image (snap_prepare must be called once prior)
    local CHROOT_ROOT=$1
+    # $2 can be in the form of snap_name/classic=track/risk/branch
    local SNAP=$2
+    # strip CHANNEL specification
+    SNAP=${SNAP%=*}
+    # strip /classic confinement
    local SNAP_NAME=${SNAP%/*}
-    # Per Ubuntu policy, all seeded snaps (with the exception of the core
-    # snap) must pull from stable/ubuntu-$(release_ver) as their channel.
-    local CHANNEL=${3:-"stable/ubuntu-$(release_ver)"}
+    # Seed from the specified channel (e.g. core18 latest/stable)
+    # Or Channel endcoded in the snap name (e.g. lxd=4.0/stable/ubuntu-20.04)
+    # Or Ubuntu policy default channel latest/stable/ubuntu-$(release_ver)
+    local CHANNEL=${3:-}
+    if [ -z "$CHANNEL" ]; then
+        case $2 in
+            *=*)
+                CHANNEL=${2#*=}
+                ;;
+            *)
+                CHANNEL="stable/ubuntu-$(release_ver)"
+                ;;
+        esac
+    fi
+
+    # At this point:
+    # SNAP_NAME is just the snap name
+    # SNAP is either $SNAP_NAME or $SNAP_NAME/classic for classic confined
+    # CHANNEL is the channel

    if [ ! -e "$CHROOT_ROOT/var/lib/snapd/seed/assertions/model" ]; then
        echo "ERROR: Snap model assertion not present, snap_prepare must be called"
@ -662,6 +694,9 @@ snap_validate_seed() {

    if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
        snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
+        /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
+        /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
+        chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose  -j `nproc` /etc/apparmor.d
    fi
 }

--- a/live-build/seccomp/generic.actions_avail
+++ b/live-build/seccomp/generic.actions_avail
@ -0,0 +1 @@
+kill_process kill_thread trap errno user_notif trace log allow
--- a/live-build/ubuntu-cpc/hooks.d/base/kvm-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/kvm-image.binary
@ -49,10 +49,6 @@ replace_kernel ${mount_d} "linux-kvm"
 chroot "${mount_d}" update-grub
 undivert_grub "${mount_d}"

-# Remove initramfs for kvm image
-env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" apt-get \
-    purge -y initramfs-tools busybox-initramfs
-
 env DEBIAN_FRONTEND=noninteractive chroot "${mount_d}" rm \
    -rf /boot/initrd.img-* /boot/initrd.img

--- a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
@ -153,9 +153,17 @@ Vagrant.configure("2") do |config|
  config.vm.base_mac = "${macaddr}"

  config.vm.provider "virtualbox" do |vb|
-     vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
-# Creating a console log file is not an expected behavior for vagrant boxes. LP #1777827
-#     vb.customize [ "modifyvm", :id, "--uartmode1", "file", File.join(Dir.pwd, "${prefix}-console.log") ]
+    vb.customize [ "modifyvm", :id, "--uart1", "0x3F8", "4" ]
+    # Create a NULL serial port to skip console logging by default
+    vb.customize [ "modifyvm", :id, "--uartmode1", "file", File::NULL ]
+    # If console logging is desired, uncomment this line and remove prior
+    # vb.customize [ "modifyvm", :id, "--uartmode1", "file", File.join(Dir.pwd, "${prefix}-console.log") ]
+    # Ubuntu cloud images, by default, enable console=ttyS0. This enables serial consoles to
+    # connect to the images. With the change related to LP #1777827, removing a serial
+    # file logger, Vagrant image boot times increased and now run greater than 5 minutes
+    # Creating a console log file is not an expected default behavior for vagrant boxes.
+    # As a workaround, we create a console connection to File:NULL. LP #1874453
+    # This is overrideable in user files to write to a local file
  end
 end
 EOF
--- a/live-build/ubuntu-server/hooks/032-installer-squashfs.binary
+++ b/live-build/ubuntu-server/hooks/032-installer-squashfs.binary
@ -21,10 +21,9 @@ if [ -n "$SUBARCH" ]; then
 	exit 0
 fi

+. config/binary
 . config/functions
 . config/common
-# somehow i don't have LB_DISTRIBUTION set ?!
-. config/bootstrap

 FILESYSTEM_ROOT=binary/boot/squashfs.dir
 INSTALLER_ROOT=binary/boot/installer.squashfs.dir
@ -84,6 +83,12 @@ sed -i -e'N;/name: lxd/,+2d' $INSTALLER_ROOT/var/lib/snapd/seed/seed.yaml

 teardown_mountpoint "$INSTALLER_ROOT"

+# Drop core/lxd/snapd that got copied up from base layer, due to
+# snap-preseed tool doing --reset & speedup
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'core*.snap' -delete
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'snapd_*.snap' -delete
+find $OVERLAY_ROOT/var/lib/snapd/ -name 'lxd_*.snap' -delete
+
 squashfs_f="${PWD}/livecd.${PROJECT}.installer.squashfs"

 (cd "$OVERLAY_ROOT/" &&
--- a/live-build/ubuntu/hooks/040-hyperv-desktop-images.binary
+++ b/live-build/ubuntu/hooks/040-hyperv-desktop-images.binary
@ -55,8 +55,8 @@ EOF

 CHANGED_FILE_SUFFIX=.replaced-by-desktop-img-build

-# use vsock transport.
-sed -i${CHANGED_FILE_SUFFIX} -e 's/use_vsock=false/use_vsock=true/g' "${scratch_d}/etc/xrdp/xrdp.ini"
+# use vsock transport
+sed -i${CHANGED_FILE_SUFFIX} -e 's/port=3389/port=vsock:\/\/-1:3389/g' "${scratch_d}/etc/xrdp/xrdp.ini"
 # use rdp security.
 sed -i${CHANGED_FILE_SUFFIX} -e 's/security_layer=negotiate/security_layer=rdp/g' "${scratch_d}/etc/xrdp/xrdp.ini"
 # remove encryption validation.
@ -74,6 +74,9 @@ exec /etc/xrdp/startwm.sh
 EOF
 chmod a+x "${scratch_d}/etc/xrdp/startubuntu.sh"

+# set to use the system Window manager
+sed -i${CHANGED_FILE_SUFFIX} -e 's/EnableUserWindowManager=true/EnableUserWindowManager=0/g' "${scratch_d}/etc/xrdp/sesman.ini"
+
 # use the script to setup the ubuntu session
 sed -i${CHANGED_FILE_SUFFIX} -e 's/startwm/startubuntu/g' "${scratch_d}/etc/xrdp/sesman.ini"

@ -100,6 +103,15 @@ ResultInactive=no
 ResultActive=yes
 EOF

+cat >${scratch_d}/etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
+[Allow Package Management all Users]
+Identity=unix-user:*
+Action=org.freedesktop.packagekit.system-sources-refresh
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes
+EOF
+
 sed -i${CHANGED_FILE_SUFFIX} -e 's|After=|ConditionPathExists=!/var/lib/oem-config/run\nAfter=|g' "${scratch_d}/lib/systemd/system/xrdp.service"

 # End xrdp customisation
Author	SHA1	Message	Date
Dimitri John Ledkov	430a6f2ae8	releasing package livecd-rootfs version 2.664.8	2020-10-22 16:01:34 +01:00
Dimitri John Ledkov	558bcbc47e	functions: provide nss_systemd-less nsswitch.conf in chroots. (cherry picked from commit 4d4f113f42d6c3a58a484582af4d2c02f96a42bf)	2020-10-05 10:32:16 +01:00
Dimitri John Ledkov	2be2852ee0	auto/build: use setup\|teardown_mountpoint to reduce duplication (cherry picked from commit 109e6c6613aae4cbd4e8793709ab52c3cbce214c)	2020-10-05 10:32:15 +01:00
Robert C Jennings	e2ae9c245d	Avoid rbind /sys for chroot snap pre-seeding (cgroups fail to unmount) Builds in LP with the Xenial kernel were happy with the recursive mount of /sys inside the chroot while performing snap-preseeding but autopkgtests with the groovy kernel failed. With the groovy kernel the build was unable to unmount sys/kernel/slab//cgroup/ (Operation not permitted). This patch mounts /sys and /sys/kernel/security in the chroot in the same way we've added for binary hooks. This provides the paths under /sys needed for snap-preseed while avoiding issues unmounting other paths. (cherry picked from commit 84397b50989670c2cfff01de23a5a73e67cd4088)	2020-10-05 10:32:14 +01:00
Dimitri John Ledkov	260c051032	apparmor: compile all profiles (cherry picked from commit b14f79ce2e9a18b5832c5488146dbdd7edcd65dd)	2020-10-05 10:32:13 +01:00
Dimitri John Ledkov	ce5a138c79	seccomp: mount more up-to-date seccomp features (cherry picked from commit 31861fd40dabd62e789aeb6d9e64b1ada7b908d8)	2020-10-05 10:32:12 +01:00
Dimitri John Ledkov	c95652e47d	seccomp: add more up-to-date seccomp actions (cherry picked from commit bc4d32a422c4558656576cb0d3a1e4f3d0c42f76)	2020-10-05 10:32:11 +01:00
Dimitri John Ledkov	acc7e97f38	apparmor: mount more up-to-date apparmor features in the chroot. (cherry picked from commit a14a31b7514e3f602f29f9af61e6b7bc97662dc2)	2020-10-05 10:32:10 +01:00
Dimitri John Ledkov	d724069fab	apparmor: Add generic v5.4 kernel apparmor features (cherry picked from commit 37be000f39a1713c095d6758b41d9dc087079ddb)	2020-10-05 10:32:09 +01:00
Dimitri John Ledkov	56a7169ebe	live-server: remove duplicate snaps, due to overlayfs vs snap-preseed. (cherry picked from commit 6e6ab16bf268c038392e9f4aa7b8398a53af65d5)	2020-10-05 10:32:08 +01:00
Robert C Jennings	39ebdf6902	Apply snap-preseed optimizations after seeding snaps The snap-preseed command can do a number of things during the build that are currently performed at first boot (apparmor profiles, systemd unit generation, etc). This patch adds a call to reset the seeding and apply these optimizations when adding a seeded snap. As a prerequisite to calling snap-preseed we need to make /dev/mem available as well as mounts from the host to perform this work, so those are also added here. (cherry picked from commit 1ca11c979505ae1b8c4621f034d28070a2715293)	2020-10-05 10:32:07 +01:00
Robert C Jennings	bac2570518	releasing package livecd-rootfs version 2.664.7	2020-09-23 13:33:37 -05:00
John Chittum	3241df930b	Update changelog for SRU	2020-09-22 15:58:17 -05:00
John Chittum	05bba4cbbd	ubuntu-cpc:Vagrant Serial to Null (LP: #1874453 ) Original fix proposed by Stanislav German-Evtushenko (giner) CPC Ubuntu cloud images default to enabling a serial console connection via the kernel commandline option `console=ttyS0`. Many clouds support the serial connection, and utilize it for debugging purposes. Virtualbox supports the serial connection as well. In Bionic and earlier images, Vagrant boxes created a serial log file in the directory of the Vagrantfile by default. However this is not standard behaviour for Vagrant images, and so it was removed in Eoan onwards. Starting in Eoan, there were reports of image booting slowdown (1874453 is a single example). After testing, it was determined that the serial connection starting, without a device attached, was the cause of the slow down. However, we did not want to revert to the old functionality of creating a file. Much thanks to <giner> for providing the Ruby syntax for sending to File::NULL. This option will not create a local file, however, the default Vagrantfile configuration is overwritable via a users Vagrantfile. The original syntax for creating a file local to the users Vagrantfile has been included as an example.	2020-09-22 15:57:52 -05:00
Steve Langasek	f400d7f718	Changelog update for revert of azure change	2020-09-01 15:04:15 -07:00
Jinming Wu, Patrick	a58b91da5f	Revert azure kernel change	2020-09-02 05:48:42 +08:00
Jinming Wu, Patrick	750d52b504	Merge remote-tracking branch 'upstream/ubuntu/focal' into ubuntu/focal	2020-09-02 05:39:18 +08:00
Jinming Wu, Patrick	3b0439208e	xRDP fixes for Hyper-V build - xRDP configuration changes due to the config changes in this version compared to 18.04. - 46-allow-update-repo.pkla inclusion to aviod "Authentication required to refresh system repositories" bug in xRDP	2020-09-02 05:36:26 +08:00
Steve Langasek	ab20f18c2e	releasing package livecd-rootfs version 2.664.6	2020-08-26 14:06:35 -07:00
Steve Langasek	9b804b02e9	* Fix xrdp support in hyper-v images. * Use the linux-azure kernel in hyper-v images instead of linux-virtual. * LP: #1890980.	2020-08-26 14:06:01 -07:00
Jinming Wu, Patrick	419a21205c	Fix a mistake on the location of policy file	2020-08-26 14:06:01 -07:00
Jinming Wu, Patrick	5a0e23fefe	Update linux-tools/linux-cloud-tools to use Azure	2020-08-26 14:06:01 -07:00
Jinming Wu, Patrick	92dd127d83	xRDP fixes for Hyper-V build - use of linux-azure, which is the optimized kernel for Hyper-V by Microsoft - xRDP configuration changes due to the config changes in this version compared to 18.04. - 46-allow-update-repo.pkla inclusion to aviod "Authentication required to refresh system repositories" bug in xRDP	2020-08-26 14:06:01 -07:00
Steve Langasek	4e3289d0b8	Add SRU bug link	2020-08-10 12:58:37 -07:00
Steve Langasek	2404d27f5b	Merge remote-tracking branch 'codyshepherd/bootable-buildd/dist-upgrade/focal' into ubuntu/focal	2020-08-04 12:40:29 -07:00
Robert C Jennings	136562b837	Handle seeded lxd snap with channel name for ubuntu-cpc:minimized (LP: #1889470 ) The seed now specifies the lxd snap in focal as 'lxd=4.0/stable/ubuntu-20.04' which doesn't match the expectations of the code with looks for lxd as the only snap in the seed for minimized images. This patch updates the pattern to accept 'lxd' or 'lxd=*'.	2020-07-29 14:55:19 -05:00
Dimitri John Ledkov	e9f4e97155	releasing package livecd-rootfs version 2.664.4	2020-07-23 19:12:30 +01:00
Dimitri John Ledkov	896b5962db	snap_preseed: support channel specification with snap name snap_name[/classic]=track/risk/branch is now the supported snap name specification, which allows to specify the full default track and optional classic confinemnt. Supporting such specification in the seedtext allows one to specify a better default channel. For example, this will allow lxd to switch from latest/stable/ubuntu-20.04 to 4.0/stable/ubuntu-20.04 as 4.0 is the LTS track matching 20.04 support timeframe. LP: #1882374 (cherry picked from commit 7bae9201d20822d6875bcf5949e1fff839b8774c) (cherry picked from commit 2976a99f292c500f39aace25ad08de21b37d7b31) (cherry picked from commit d542e8e4a08467ef9b6237b9fcbd9166c8c99e8b)	2020-07-23 19:06:57 +01:00
Łukasz 'sil2100' Zemczak	e39a40e2a5	releasing package livecd-rootfs version 2.664.3	2020-07-23 14:02:40 +02:00
Łukasz 'sil2100' Zemczak	8284a1c680	Sync changelog	2020-07-23 14:02:07 +02:00
Iain Lane	54508e6583	Hack seeding of linux kernel in ubuntustudio/focal ubuntustudio-default-settings in focal release has a Recommends to this kernel, which makes it impossible to update the kernel later on, since we would install the -updates and release kernel, which isn't allowed and causes FTBFS. Hack out the focal-release kernel and let the rest of the build process pull in the right one. LP: #1884915	2020-07-21 16:23:39 +01:00
Cody Shepherd	690522e89b	Remove explicit install of grub-efi-* package as it is not necessary, and potentially overexplicit	2020-07-13 09:10:05 -07:00
Cody Shepherd	315a453ba6	Perform a dist-upgrade prior to installing packages for bootable-buildd image in order to pull in package updates	2020-07-08 14:03:56 -07:00
Łukasz 'sil2100' Zemczak	e611dfc1c4	Enable overrides of UC20 grade dangerous channels	2020-05-25 18:44:08 +02:00
Philip Roche	cd098e7c41	Revert of initramfs package removal in KVM image (LP: #1880170 ) It was reported and confirmed in LP bug #1875400 (https://bugs.launchpad.net/cloud-images/+bug/1875400) that on the public KVM cloud image there exists a large list of packages marked for auto-removal. This should never be the case on a released cloud image. These packages are marked for auto-removal because in the KVM image binary hook we removed both initramfs-tools and busybox-initramfs packages. Due to package dependencies this also removed: busybox-initramfs* cloud-initramfs-copymods* cloud-initramfs-dyn-netconf* cryptsetup-initramfs* initramfs-tools* initramfs-tools-core* multipath-tools* overlayroot* sg3-utils-udev* ubuntu-server* But it did not remove all the packages that the above list depended on. This resulted in all those packages being marked for auto-removal because they were not manually installed nor did they have any manually installed packages that depended on them. The removal of initramfs-tools and busybox-initramfs was to avoid the generation of initramfs in images that should boot initramfsless. This requirement is obsolete now because the initramfsless boot handling is now handled via setting GRUB_FORCE_PARTUUID in /etc/default/grub.d/40-force-partuuid.cfg. In test images I have verified that GRUB_FORCE_PARTUUID is set and that boot speeds have not regressed. LP: #1880170	2020-05-22 13:38:22 +01:00
Łukasz 'sil2100' Zemczak	225f2fe504	Fix indentation.	2020-05-07 10:48:51 +02:00
Dimitri John Ledkov	0a2fbb8b99	releasing package livecd-rootfs version 2.664.1	2020-05-01 20:09:06 +01:00
Dimitri John Ledkov	54b8e73a15	ubuntu-image: drop ubuntu-image dep on riscv64, as not installable yet. LP: #1876359 (cherry picked from commit 282c5a5bd50f9844cc077823b39550c663a013c3)	2020-05-01 20:08:14 +01:00
Dimitri John Ledkov	2d5f9581db	ubuntu-image: fix focal+ pi images for armhf to use pi-armhf model name. LP: #1876358 (cherry picked from commit 6e8b5b94c4a9f8db4afbaf566ebdb36110f08592)	2020-05-01 20:07:58 +01:00
Dimitri John Ledkov	dc456c240d	Bump only the UC20 pc image to 8GB, and keep Pi images as small as possible. LP: #1875430 (cherry picked from commit 668898d92c1a48ac4901661d0e5d7e4b117b09c0)	2020-05-01 20:07:46 +01:00
				`@ -0,0 +1 @@`
				`chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read`
				`@ -0,0 +1 @@`
				`create read write exec append mmap_exec link lock`
				`@ -0,0 +1 @@`
				`unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp`
				`@ -0,0 +1 @@`
				`cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime`
				`@ -0,0 +1 @@`
				`hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost`
				`@ -0,0 +1 @@`
				`kill_process kill_thread trap errno user_notif trace log allow`