add debian/changelog entry

feat(ubuntu-cpc): sbom generation everywhere
patch create_manifest to produce an sbom when called by an ubuntu-cpc project. Patch all the ubuntu-cpc hooks and series files to include the newly generated manifests, filelists, and sboms. Generates a number of new artifacts in the builds. the snap utilized, cpc-sbom, is an open source repo and a provided via a hidden snap. there is no intention of publisizing the snap or how we generate sboms, however partners require the ability to audit if required. defensively checks if the snap is already installed, in the case of multiple hooks being called in a single build (thus sharing a build host), and only if called in an ubuntu-cpc project. (cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)
2025-08-15 02:34:08 +00:00 · 2025-02-26 14:02:56 +01:00 · 2025-02-26 14:02:03 +01:00 · 2024-11-08 11:46:49 +13:00 · 2024-11-08 11:46:31 +13:00 · 2024-11-07 08:11:21 -05:00
19 changed files with 91 additions and 8 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,20 @@
+livecd-rootfs (24.10.29) oracular; urgency=medium
+
+  * add cpc-sbom to create_manifest calls to generate sboms (LP: #2077105)
+
+ -- Thomas Bechtold <thomasbechtold@jpberlin.de>  Wed, 26 Feb 2025 14:02:13 +0100
+
+livecd-rootfs (24.10.28) oracular; urgency=medium
+
+  [ jchittum ]
+  * Explicitly create home directory for buildd system user to avoid issues
+    with installing and running snaps. (LP: #2083240)
+
+  [ Łukasz 'sil2100' Zemczak ]
+  * Add comment re: the cohort key in prepare-image.
+
+ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Fri, 08 Nov 2024 11:46:38 +1300
+
 livecd-rootfs (24.10.27) oracular; urgency=medium

  * Set UBUNTU_STORE_COHORT_KEY="+" to prepare-image to make sure we simply
--- a/live-build/buildd/hooks/02-user.chroot
+++ b/live-build/buildd/hooks/02-user.chroot
@ -4,6 +4,7 @@ set -e
 # Create the buildd user and group.
 addgroup --gid 2501 buildd
 adduser --system --disabled-password --gecos 'Build Daemon user' \
-	--ingroup buildd --uid 2001 --shell /bin/bash buildd
+	--ingroup buildd --uid 2001 --shell /bin/bash --home /home/buildd \
+	buildd
 mkdir -p /build/buildd
 chown buildd:buildd /build/buildd
--- a/live-build/functions
+++ b/live-build/functions
@ -39,6 +39,10 @@ create_empty_disk_image() {
 create_manifest() {
    local chroot_root=${1}
    local target_file=${2}
+    local base_default_sbom_name="ubuntu-cloud-image-$(grep "VERSION_ID" $chroot_root/etc/os-release | cut --delimiter "=" --field 2 | tr -d '"')-${ARCH}-$(date +%Y%m%dT%H:%M:%S)"
+    local sbom_file_name=${3:-"${base_default_sbom_name}.spdx"}
+    local sbom_document_name=${4:-"${base_default_sbom_name}"}
+    local sbom_log=${sbom_document_name}.log
    echo "create_manifest chroot_root: ${chroot_root}"
    dpkg-query --show --admindir="${chroot_root}/var/lib/dpkg" > ${target_file}
    echo "create_manifest call to dpkg-query finished."
@ -48,6 +52,22 @@ create_manifest() {
        echo "create_manifest creating file listing."
        local target_filelist=${2%.manifest}.filelist
        (cd "${chroot_root}" && find -xdev) | sort > "${target_filelist}"
+        # only creating sboms for CPC project at this time
+        if [[ ! $(which cpc-sbom) ]]; then
+            # ensure the tool is installed
+            sudo snap install --classic --edge cpc-sbom
+        fi
+        # generate the SBOM
+        cpc-sbom --rootdir ${chroot_root} --ignore-copyright-parsing-errors --ignore-copyright-file-not-found-errors --document-name ${sbom_document_name} >"${sbom_file_name}" 2>"${sbom_log}"
+        SBOM_GENERATION_EXIT_CODE=$?
+        if [[ ${SBOM_GENERATION_EXIT_CODE} !=  "0" ]]; then
+        # check for failure and print log
+            echo "ERROR: SBOM generation failed. See ${sbom_log}"
+            cat "$sbom_log"
+            exit 1
+        else
+            echo "SBOM generation succeeded. see ${sbom_log} for details"
+        fi    
    fi
    echo "create_manifest finished"
 }
--- a/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/create-root-dir.binary
@ -24,6 +24,6 @@ rm -rf $rootfs_dir/boot/grub
 # Keep this as some derivatives mount a tempfs here
 mkdir -p $rootfs_dir/lib/modules

-teardown_mountpoint $rootfs_dir
+create_manifest $rootfs_dir "livecd.ubuntu-cpc.rootfs.manifest" "livecd.ubuntu-cpc.rootfs.spdx"  "cloud-image-rootfs-$ARCH-$(date +%Y%m%dT%H:%M:%S)"

-create_manifest "${rootfs_dir}" "${rootfs_dir}.manifest"
+teardown_mountpoint $rootfs_dir
--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-ppc64el.binary
@ -80,6 +80,8 @@ cp -a chroot/* mountpoint/
 chroot mountpoint dpkg-query -W > binary/boot/filesystem.packages
 (cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist

+create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx"  "cloud-image-$ARCH-$(date +Y%m%dT%H:%M:%S)"
+
 umount mountpoint
 rmdir mountpoint

--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image-uefi.binary
@ -184,7 +184,8 @@ install_grub() {
    mount

    # create sorted filelist as the very last step before unmounting
-    (cd mountpoint && find -xdev) | sort > binary/boot/filesystem.filelist
+    # explicitly generate manifest and sbom
+    create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-uefi.manifest" "$PWD/livecd.ubuntu-cpc.disk-uefi.spdx"  "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"

    umount_partition mountpoint
    rmdir mountpoint
@ -201,6 +202,7 @@ make_ext4_partition "${rootfs_dev_mapper}"
 mkdir mountpoint
 mount "${rootfs_dev_mapper}" mountpoint
 cp -a chroot/* mountpoint/
+
 umount mountpoint
 rmdir mountpoint

--- a/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/disk-image.binary
@ -158,6 +158,8 @@ EOF
        $ZIPL_EXTRA_PARAMS
 fi

+create_manifest  "mountpoint/" "$PWD/livecd.ubuntu-cpc.disk-image.manifest" "$PWD/livecd.ubuntu-cpc.disk-image.spdx"  "cloud-image-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 if [ -n "$BOOT_MOUNTPOINT" ]; then
 	umount "mountpoint/$BOOT_MOUNTPOINT"
 fi
--- a/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/qcow2-image.binary
@ -2,8 +2,17 @@

 . config/functions

+qcow_file=${PWD}/livecd.ubuntu-cpc.qcow
 if [ -f binary/boot/disk-uefi.ext4 ]; then
    convert_to_qcow2 binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.img
+    uefi_file="livecd.ubuntu-cpc.disk-uefi"
+    cp ${uefi_file}.manifest ${qcow_file}.manifest
+    cp ${uefi_file}.filelist ${qcow_file}.filelist
+    cp ${uefi_file}.spdx ${qcow_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
    convert_to_qcow2 binary/boot/disk.ext4 livecd.ubuntu-cpc.img
+    disk_file="livecd.ubuntu-cpc.disk-image"
+    cp ${disk_file}.manifest ${qcow_file}.manifest
+    cp ${disk_file}.filelist ${qcow_file}.filelist
+    cp ${disk_file}.spdx ${qcow_file}.spdx
 fi
--- a/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-squashfs.binary
@ -15,8 +15,11 @@ rootfs_dir=rootfs.dir

 squashfs_f="$PWD/livecd.ubuntu-cpc.squashfs"

-cp $rootfs_dir.manifest $squashfs_f.manifest
+cp livecd.ubuntu-cpc.rootfs.manifest ${squashfs_f}.manifest
+cp livecd.ubuntu-cpc.rootfs.filelist ${squashfs_f}.filelist
+cp livecd.ubuntu-cpc.rootfs.spdx ${squashfs_f}.spdx
+
 # fstab is omitted from the squashfs
-grep -v '^/etc/fstab$' $rootfs_dir.filelist >$squashfs_f.filelist
+grep -v '^/etc/fstab$' livecd.ubuntu-cpc.rootfs.filelist >$squashfs_f.filelist

 create_squashfs $rootfs_dir $squashfs_f
--- a/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/root-xz.binary
@ -11,6 +11,4 @@ fi
 # This is the directory created by create-root-dir.binary
 rootfs_dir=rootfs.dir

-cp $rootfs_dir.manifest livecd.ubuntu-cpc.rootfs.manifest
-cp $rootfs_dir.filelist livecd.ubuntu-cpc.rootfs.filelist
 (cd $rootfs_dir/ && tar -c --sort=name --xattrs *) | xz > livecd.ubuntu-cpc.rootfs.tar.xz
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image
@ -6,3 +6,6 @@ provides livecd.ubuntu-cpc.initrd-generic
 provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-image.manifest
+provides livecd.ubuntu-cpc.disk-image.filelist
+provides livecd.ubuntu-cpc.disk-image.spdx
--- a/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/disk-image-uefi
@ -4,3 +4,6 @@ provides livecd.ubuntu-cpc.initrd-generic
 provides livecd.ubuntu-cpc.kernel-generic
 provides livecd.ubuntu-cpc.manifest
 provides livecd.ubuntu-cpc.filelist
+provides livecd.ubuntu-cpc.disk-uefi.manifest
+provides livecd.ubuntu-cpc.disk-uefi.filelist
+provides livecd.ubuntu-cpc.disk-uefi.spdx
--- a/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/qcow2
@ -1,3 +1,6 @@
 depends disk-image
 base/qcow2-image.binary
 provides livecd.ubuntu-cpc.img
+provides livecd.ubuntu-cpc.qcow.manifest
+provides livecd.ubuntu-cpc.qcow.filelist
+provides livecd.ubuntu-cpc.qcow.spdx
--- a/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/squashfs
@ -3,3 +3,4 @@ base/root-squashfs.binary
 provides livecd.ubuntu-cpc.squashfs
 provides livecd.ubuntu-cpc.squashfs.manifest
 provides livecd.ubuntu-cpc.squashfs.filelist
+provides livecd.ubuntu-cpc.squashfs.spdx
--- a/live-build/ubuntu-cpc/hooks.d/base/series/tarball
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/tarball
@ -3,3 +3,4 @@ base/root-xz.binary
 provides livecd.ubuntu-cpc.rootfs.tar.xz
 provides livecd.ubuntu-cpc.rootfs.manifest
 provides livecd.ubuntu-cpc.rootfs.filelist
+provides livecd.ubuntu-cpc.rootfs.spdx
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vagrant
@ -1,3 +1,6 @@
 depends disk-image
 base/vagrant.binary
 provides livecd.ubuntu-cpc.vagrant.box
+provides livecd.ubuntu-cpc.vagrant.manifest
+provides livecd.ubuntu-cpc.vagrant.filelist
+provides livecd.ubuntu-cpc.vagrant.spdx
--- a/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
+++ b/live-build/ubuntu-cpc/hooks.d/base/series/vmdk
@ -3,3 +3,6 @@ base/vmdk-image.binary
 base/vmdk-ova-image.binary
 provides livecd.ubuntu-cpc.vmdk
 provides livecd.ubuntu-cpc.ova
+provides livecd.ubuntu-cpc.vmdk.manifest
+provides livecd.ubuntu-cpc.vmdk.filelist
+provides livecd.ubuntu-cpc.vmdk.spdx
--- a/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vagrant.binary
@ -93,6 +93,8 @@ EOF
 chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh
 chroot ${mount_d} chmod 700 /home/vagrant/.ssh

+create_manifest $mount_d "livecd.ubuntu-cpc.vagrant.manifest" "livecd.ubuntu-cpc.vagrant.spdx"  "cloud-image-vagrant-$ARCH-$(date +%Y%m%dT%H:%M:%S)"
+
 umount_disk_image "$mount_d"
 rmdir "$mount_d"

--- a/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
+++ b/live-build/ubuntu-cpc/hooks.d/base/vmdk-image.binary
@ -20,8 +20,18 @@ esac

 . config/functions

+vmdk_file="$PWD/livecd.ubuntu-cpc.vmdk"
+
 if [ -e binary/boot/disk-uefi.ext4 ]; then
    create_vmdk binary/boot/disk-uefi.ext4 livecd.ubuntu-cpc.vmdk
+    uefi_file="livecd.ubuntu-cpc.disk-uefi"
+    cp ${uefi_file}.manifest ${vmdk_file}.manifest
+    cp ${uefi_file}.filelist ${vmdk_file}.filelist
+    cp ${uefi_file}.spdx ${vmdk_file}.spdx
 elif [ -f binary/boot/disk.ext4 ]; then
    create_vmdk binary/boot/disk.ext4 livecd.ubuntu-cpc.vmdk
+    disk_file="livecd.ubuntu-cpc.disk-image"
+    cp ${disk_file}.manifest ${vmdk_file}.manifest
+    cp ${disk_file}.filelist ${vmdk_file}.filelist
+    cp ${disk_file}.spdx ${vmdk_file}.spdx
 fi
Author	SHA1	Message	Date
Thomas Bechtold	d2622d74f3	add debian/changelog entry	2025-02-26 14:02:56 +01:00
John Chittum	99c8c820ab	feat(ubuntu-cpc): sbom generation everywhere patch create_manifest to produce an sbom when called by an ubuntu-cpc project. Patch all the ubuntu-cpc hooks and series files to include the newly generated manifests, filelists, and sboms. Generates a number of new artifacts in the builds. the snap utilized, cpc-sbom, is an open source repo and a provided via a hidden snap. there is no intention of publisizing the snap or how we generate sboms, however partners require the ability to audit if required. defensively checks if the snap is already installed, in the case of multiple hooks being called in a single build (thus sharing a build host), and only if called in an ubuntu-cpc project. (cherry picked from commit 7c7b7df89dc96169db1f255d6bba901ebb63a43c)	2025-02-26 14:02:03 +01:00
Michael Hudson-Doyle	8d6ec18132	releasing package livecd-rootfs version 24.10.28	2024-11-08 11:46:49 +13:00
Michael Hudson-Doyle	945b6ef352	include comment change in changelog	2024-11-08 11:46:31 +13:00
John Chittum	7877496010	changelog	2024-11-07 08:11:21 -05:00
John Chittum	d1febadd37	fix(buildd): create buildd homedir LP:2083240 starting in noble, adduser no longer creates a homedir for system users. The buildd user then does not have a home directory, causing snaps to be unable to run, as well as possibly other issues from a missing assumed homedir. Explicitly create /home/buildd	2024-11-06 07:35:09 -05:00