livecd-rootfs/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary

#!/bin/bash

# create the system seed for TPM-backed FDE in the live layer of the installer.

set -eux

case ${PASS:-} in
    *.live)
        ;;
    *)
        exit 0
        ;;
esac

. config/binary
. config/functions


# Naive conversion from YAML to JSON. This is needed because yq is in universe
# (but jq is not).
yaml_to_json()
{
    python3 -c '
import json
import sys
import yaml

json.dump(yaml.safe_load(sys.stdin), sys.stdout, default=str)
'
}


# Use jq to retrieve a list of --snap options from a given *signed* model.
get_snaps_args()
{
    model=$1

    # The model is signed and is not valid YAML unless we get rid of the
    # signature. Here we assume the only blank line is before the signature.
    sed '/^$/,$d' -- "$model" \
     | yaml_to_json \
     | jq --raw-output '.snaps[] | "--snap=" + .name + "=" + .["default-channel"]'
}

# Generation of the model:
# * At https://github.com/canonical/models one can find a repo of raw,
#   unsigned, input .json files, and their signed .model equivalents.
# * At least once per cycle, update the json for the new Ubuntu version.
#   To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
#   rename for the new version, and do any necessary updates including fixing
#   the versions of tracks.
# * When this is done, the json needs to be signed.  This needs to be done by
#   a Canonical employee - try asking someone who has recently opened PRs on
#   https://github.com/canonical/models with the signed models.
# * Ensure the signed and unsigned version of the models are updated in the
#   models repo.
# * The signed model can then be placed here in livecd-rootfs at
#   live-build/${PROJECT}/ubuntu-classic-amd64.model

# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
#
# model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
# Normally we use the non-dangerous model here.  Use the dangerous one for now
# until we get snaps on stable 26.04 tracks and channels.
model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64-dangerous.model

prepare_args=()

# for the dangerous subproject, we need the dangerous model!
if [ "$SUBPROJECT" = "dangerous" ]; then
    # As with the "classically" seeded snaps, snaps from the edge channel may
    # require different content snaps to be installed, so they must be
    # included in the system as well. We just use the same list as was
    # computed in snap_validate_seed.
    model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64-dangerous.model
    while read snap; do
        prepare_args+=("--snap=${snap}=edge")
    done < config/missing-providers
else
    # We're currently using the dangerous model for the non-dangerous ISO
    # because it allows us to override snaps. But we don't want all snaps from
    # edge like the dangerous model has, we want most of them from stable
    # excluding:
    # * pc-kernel - which currently does not exist on stable
    # * snapd (for TPM/FDE)
    # * firmware-updater (for TPM/FDE)
    # * desktop-security-center-center (for TPM/FDE)
    while read -r snap_arg; do
        prepare_args+=("$snap_arg")
    done < <(get_snaps_args /usr/share/livecd-rootfs/live-build/"${PROJECT}"/ubuntu-classic-amd64.model \
    | grep -v -F -e pc-kernel -e snapd -e firmware-updater -e desktop-security-center)
fi

channel=""
if [ -n "${CHANNEL:-}" ]; then
    channel="--channel $CHANNEL"
fi

# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
# snap versions regardless of phasing status

env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
    --classic $model $channel "${prepare_args[@]}" chroot

mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
rm -rf chroot/system-seed/