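#!/bin/bash
# create the system seed for TPM-backed FDE in the live layer of the installer.
#
# Inputs (expected from the live-build environment / sourced config):
#   PASS        - the live-build pass; only a *.live pass does any work
#   PROJECT     - selects the model under live-build/${PROJECT}/
#   SUBPROJECT  - "dangerous" switches to the edge-channel seed
#   CHANNEL     - optional, forwarded to `snap prepare-image --channel`
#
# NOTE: `-x` traces every command into the build log; nothing visible in this
# script reads credentials, so the trace is kept for debuggability.
set -eux

# Only the *.live pass builds the seed; every other pass is a no-op.
case ${PASS:-} in
  *.live) ;;
  *) exit 0 ;;
esac

. config/binary
. config/functions

# Naive conversion from YAML to JSON. This is needed because yq is in universe
# (but jq is not).
#
# Reads YAML on stdin, writes JSON on stdout. yaml.safe_load is used on
# purpose: the full loader can instantiate arbitrary Python objects from
# tagged YAML, which is not wanted for a file we only want to inspect.
# default=str makes non-JSON scalars (e.g. YAML timestamps) serialisable.
yaml_to_json() {
  python3 -c '
import json
import sys
import yaml
json.dump(yaml.safe_load(sys.stdin), sys.stdout, default=str)
'
}

# Use jq to retrieve a list of --snap options from a given *signed* model.
#
# Arguments: $1 - path to a signed model assertion
# Outputs:   one "--snap=<name>=<default-channel>" line per snap, on stdout
# Returns:   1 if the model file is not readable, otherwise the status of jq
#
# Stripping the signature here means this function does NOT verify it: the
# snap list it produces is only as trustworthy as the model file on disk.
# Signature verification is left to whatever consumes the model itself.
get_snaps_args() {
  # `local` keeps this from clobbering the script-level $model; the callers
  # seen in this file run the function in a subshell, but do not rely on it.
  local model=$1

  # Under `set -e` without pipefail only jq's status is checked, so a sed
  # failure on a missing file would silently produce an empty snap list.
  # Fail loudly instead.
  if [ ! -r "$model" ]; then
    printf 'get_snaps_args: cannot read model %s\n' "$model" >&2
    return 1
  fi

  # The model is signed and is not valid YAML unless we get rid of the
  # signature. Here we assume the only blank line is before the signature.
  sed '/^$/,$d' -- "$model" \
    | yaml_to_json \
    | jq --raw-output '.snaps[] | "--snap=" + .name + "=" + .["default-channel"]'
}

# Generation of the model:
# * At https://github.com/canonical/models one can find a repo of raw,
#   unsigned, input .json files, and their signed .model equivalents.
# * At least once per cycle, update the json for the new Ubuntu version.
#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
#   rename for the new version, and do any necessary updates including fixing
#   the versions of tracks.
# * When this is done, the json needs to be signed. This needs to be done by
#   a Canonical employee - try asking someone who has recently opened PRs on
#   https://github.com/canonical/models with the signed models.
# * Ensure the signed and unsigned version of the models are updated in the
#   models repo.
# * The signed model can then be placed here in livecd-rootfs at
#   live-build/${PROJECT}/ubuntu-classic-amd64.model
# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
#
# model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
# Normally we use the non-dangerous model here. Use the dangerous one for now
# until we get snaps on stable 26.04 tracks and channels.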
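model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64-dangerous.model
prepare_args=()

# for the dangerous subproject, we need the dangerous model!
if [ "$SUBPROJECT" = "dangerous" ]; then
  # As with the "classically" seeded snaps, snaps from the edge channel may
  # require different content snaps to be installed, so they must be
  # included in the system as well. We just use the same list as was
  # computed in snap_validate_seed.
  # (Same path as the default above; kept explicit so the intent survives
  # once the default is switched back to the non-dangerous model.)
  model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64-dangerous.model
  # `IFS= read -r` keeps backslashes and surrounding whitespace literal; the
  # `|| [ -n ... ]` clause still processes a final line without a newline.
  while IFS= read -r snap || [ -n "$snap" ]; do
    # A blank line would otherwise become the invalid option "--snap==edge".
    [ -n "$snap" ] || continue
    prepare_args+=("--snap=${snap}=edge")
  done < config/missing-providers
else
  # We're currently using the dangerous model for the non-dangerous ISO
  # because it allows us to override snaps. But we don't want all snaps from
  # edge like the dangerous model has, we want most of them from stable
  # (excluding pc-kernel).
  # NOTE: get_snaps_args parses the model after stripping its signature, so
  # this list is trusted only because the file ships inside livecd-rootfs.
  while IFS= read -r snap_arg; do
    prepare_args+=("$snap_arg")
  done < <(get_snaps_args /usr/share/livecd-rootfs/live-build/"${PROJECT}"/ubuntu-classic-amd64.model | grep -v -F pc-kernel)
fi

# Build the optional --channel argument as an array so the value is passed
# as one word even if it contains whitespace, instead of relying on unquoted
# word-splitting of a string.
channel_args=()
if [ -n "${CHANNEL:-}" ]; then
  channel_args=(--channel "$CHANNEL")
fi

# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
# snap versions regardless of phasing status
env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
  --classic "$model" "${channel_args[@]}" "${prepare_args[@]}" chroot

# prepare-image writes exactly one system under systems/; give it the name
# snapd expects for the enhanced-secureboot seed. (mv fails under set -e if
# the glob matches nothing or more than one entry, which is intended.)
mv -- chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
rm -rf -- chroot/system-seed/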