[neon/snap-packaging/plasma-core-desktop] /: Merge upstream changes from core22 snap (#62)
Kevin Ottens
null at kde.org
Tue Jul 23 16:07:17 BST 2024
Git commit da0ff20b608f06cb45840da9909b86e94b5db58f by Kevin Ottens, on behalf of James Henstridge.
Committed on 23/07/2024 at 09:42.
Pushed by ervin into branch 'master'.
Merge upstream changes from core22 snap (#62)
* doc: remove reference to using the impish rootfs
As the core22 is now based on the 22.04 rootfs, this TODO can be
removed.
Signed-off-by: Isaac True <isaac.true at canonical.com>
* pam: Add optional faillock
When `/etc/writable/faillock.enabled` is present, then we use
`pam_faillock` which can lock accounts for 900 seconds after 3 wrong
passwords.
* Remove some unmounting errors on shutdown
Because `/` is a squashfs from `/run/mnt/data`, we cannot unmount
`/run/mnt/data`. (Or `/run/mnt/ubuntu-seed` during install/recovery).
So we need to disable `/run/mnt/data` by adding it to
`shutdown.target`. However we also need to remount read-only. To avoid
with writable bind mounts, we need to do it after `umount.target`.
`/usr/lib/modules` is usually kept busy by systemd-udevd which keeps
running during shutdown. `/usr/lib/modules` is a bind mount of
`/run/mnt/kernel`. So those two mounts also need to be kept alive.
This does not remove errors from finalrd which will be fixed in a
different PR.
Note for testing: this happens after journald has stopped writing to
logs. So you need to use serial port to properly log the errors.
* hooks: Add symlinks for bash completions of snap and snaps
Completion for `snap` must be present in
`/usr/share/bash-completion/completions/` and it must point to the
file in the active Snapd.
Other completion will be added in
`/var/lib/snapd/desktop/bash-completion/completions/` by Snapd. To be
able to access those `XDG_DATA_DIRS` has to be set by Snapd's
`profile.d` file.
This commit also adds snap's `environment.d` file which is used
by user services rather than interactive users.
* Fix mount propagation
To switch root, systemd has to recursively make all mounts private,
then after it recursively make all mounts shared.
However `/run/mnt/*` and `/writable` are bind mounted into
the rest of the file system. For example, there is no reason for mount
`/snap/hello/42` to also show up as
`/writable/system-data/snap/hello/42` and
`/run/mnt/data/system-data/snap/hello/42`.
* Remove polkit policies and rules
Since we do not distribute the polkit daemon, those files are useless.
* Revert "Remove polkit policies and rules"
This reverts commit bb8b56629c87eafe019a2975d65756d5c584b2e1.
* snapd.sshd-keygen.service: fix unit dependency to sshd
The correct name is `ssh.service`
* Rework disabling of unmounts
Some mounts cannot be unmounted during `shutdown.target`. We have
tried to make them part of `shutdown.target` so they are kept alive. But
because they depend on `system-systemd\\x2dfsck.slice` and
`systemd-fsck@.service` which both conflict with `shutdown.target`, it
confuses systemd, and the result of what gets scheduled is not
deterministic.
Instead we remove conflicts of `system-systemd\\x2dfsck.slice` and
`systemd-fsck@.service`. Then `DefaultDependencies=no` on mounts is
enough to disable unmounts.
* static: Add generic nvidia udev rules
These integrate nvidia graphics cards with logind and enable power
management.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
* Fix release branch selection in workflow for pull/push
* Enable 001-extra-packages.test
* hooks: include ppa:ubuntu-security/fde-ice as part of the builds
The security team maintains a PPA with the user-space parts of
cryptsetup support for the Inline Crypto Engine (ICE) code.
This needs to be included in the core build so that FDE on ICE
is supported.
The full ICE implementation uses:
https://github.com/chrisccoulson/linux/tree/dm-blk-crypto
https://github.com/chrisccoulson/cryptsetup/tree/ice-wip
and is getting upstreamed by the kernel and security teams.
* Make all supported locale aliases to C
This is needed for `nl_langinfo(CODESET)` to return the right
encoding.
* static: correct service name used in hctosys rtc fix rule
* static: correct clock epoch file in script fix-hctosys
* snapcraft.yaml: update subiquity version
Signed-off-by: Ondrej Kubik <ondrej.kubik at canonical.com>
* Remove cleanup-timesyncd hack
It always removes the clock stamp so it breaks timesyncd ability to
put forward the clock to a time further than when system was last
powered down, when no rtc is available.
* bootchart: read mode from modeenv instead of kernel command line
Also use a generator to enable it instead of disabling it with
conditions.
* Accept ubuntu_core.bootchart as alias for core.bootchart
To keep consistency with other kernel command line settings.
* get-arg: fix call to printf
Anything with an "A" or a "0" in the name was not parsed correctly
and interpreted as a space instead.
* static/usr/lib: added more deterministic system time to rtc time sync activated by kernel cmdline
* static/usr/lib: remove unused fix-hctosys.service
* static/usr/lib: rtc-sys-time-init@.service must remain after exit
* 90-rtc-sys-time-init.rules: Optimize
* 90-rtc-sys-time-init.rules: do not call systemd-escape
* hooks: enable polkit for unconfined processes
polkit is needed in some cases for communication between services
shipped in the base, for instance when systemd-networkd talks to
systemd-hostnamed to set the hostname. Enable to fix these use cases.
Note that this does not help yet if we want to use it from a snap.
Backported from https://github.com/snapcore/core-base/pull/161
* 66-snapd-autoimport.rules: filter out non filesystem blocks
Because we might run `snap auto-import --mount` on a partition table
block and its partition blocks at the same time, it might cause a
conflict. We then get an error like `/dev/sda1 already mounted or
mount point busy.`.
To go around this issue, we trigger the service only for devices that
are identified as filesystems.
* snapd.autoimport-device@.service: do not run along snapd.autoimport.service
There is a conflict between snapd.autoimport.service and
snapd.autoimport-device@.service. This causes error messages because
both cannot mount at the same time. So they cannot be run at the same
time.
* run-snapd-from-snap: set the current symlink before bootstrapping
* hooks: create journald drop-in directory
* snapcraft.yaml: move or remove extra files from plymouth theme
Fixes #205
* bump subiquity and probert
* hooks: remove duplication of apps-bin-path.sh symlink in 022-setup-path.chroot
* hooks: remove 009-locale-archive.chroot script, as we ship locales-all
---------
Signed-off-by: Isaac True <isaac.true at canonical.com>
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
Signed-off-by: Ondrej Kubik <ondrej.kubik at canonical.com>
Co-authored-by: Isaac True <isaac.true at canonical.com>
Co-authored-by: Valentin David <valentin.david at canonical.com>
Co-authored-by: Michael Vogt <mvo at ubuntu.com>
Co-authored-by: alfonsosanchezbeato <alfonso.sanchez-beato at canonical.com>
Co-authored-by: Valentin David <me at valentindavid.com>
Co-authored-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
Co-authored-by: Ernest Lotter <ernest.lotter at canonical.com>
Co-authored-by: Ondrej Kubik <ondrej.kubik at canonical.com>
Co-authored-by: Philip Meulengracht <the_meulengracht at hotmail.com>
Co-authored-by: Michael Hudson-Doyle <michael.hudson at canonical.com>
M +2 -0 .github/workflows/tests.yaml
M +5 -7 README.md
R +4 -3 hook-tests/001-extra-packages.test [from: hook-tests/001-extra-packages.disabled - 091% similarity]
D +0 -11 hook-tests/024-configure-bootchart.test
A +5 -0 hook-tests/031-faillock.test
M +22 -0 hooks/001-extra-packages.chroot
M +0 -3 hooks/022-setup-path.chroot
D +0 -79 hooks/024-configure-bootchart.chroot
A +5 -0 hooks/031-faillock.chroot
M +9 -0 hooks/050-snap-symlink.chroot
A +7 -0 hooks/101-systemd-fsck.chroot
D +0 -17 hooks/901-cleanup-timesyncd.chroot
M +7 -4 snapcraft.yaml
D +0 -50 static/usr/lib/core/fix-hctosys
A +7 -0 static/usr/lib/core/lockout-not-enabled.sh
A +19 -0 static/usr/lib/core/remount-core-fs
A +114 -0 static/usr/lib/core/rtc-sys-time-init
M +7 -0 static/usr/lib/core/run-snapd-from-snap
A +9 -0 static/usr/lib/systemd/bootchart.conf.d/ubuntu-core.conf
A +42 -0 static/usr/lib/systemd/system-generators/bootchart
A +54 -0 static/usr/lib/systemd/system-generators/rtc-sys-time-init-generator
D +0 -6 static/usr/lib/systemd/system/fix-hctosys.service
A +1 -0 static/usr/lib/systemd/system/local-fs.target.wants/remount-core-fs.service
A +16 -0 static/usr/lib/systemd/system/remount-core-fs.service
A +10 -0 static/usr/lib/systemd/system/remount-data.service
A +10 -0 static/usr/lib/systemd/system/remount-seed.service
A +29 -0 static/usr/lib/systemd/system/rtc-sys-time-init@.service
A +3 -0 static/usr/lib/systemd/system/run-mnt-data.mount.d/late-umount.conf
A +3 -0 static/usr/lib/systemd/system/run-mnt-kernel.mount.d/late-umount.conf
A +3 -0 static/usr/lib/systemd/system/run-mnt-ubuntu\x2dseed.mount.d/late-umount.conf
A +1 -0 static/usr/lib/systemd/system/shutdown.target.wants/remount-data.service
A +1 -0 static/usr/lib/systemd/system/shutdown.target.wants/remount-seed.service
M +2 -0 static/usr/lib/systemd/system/snapd.autoimport-device@.service
M +1 -1 static/usr/lib/systemd/system/snapd.sshd-keygen.service
A +6 -0 static/usr/lib/systemd/system/system-systemd\x2dfsck.slice
A +8 -0 static/usr/lib/systemd/system/systemd-bootchart-quit.service
A +15 -0 static/usr/lib/systemd/system/systemd-bootchart.service.d/ubuntu-core.conf
A +3 -0 static/usr/lib/systemd/system/usr-lib-modules.mount.d/late-umount.conf
A +36 -0 static/usr/lib/systemd/systemd-bootchart-poststop.sh
A +5 -0 static/usr/lib/tmpfiles.d/journald-conf-d.conf
M +1 -1 static/usr/lib/udev/rules.d/66-snapd-autoimport.rules
A +17 -0 static/usr/lib/udev/rules.d/71-nvidia.rules
D +0 -3 static/usr/lib/udev/rules.d/90-fix-hctosys.rules
A +18 -0 static/usr/lib/udev/rules.d/90-rtc-sys-time-init.rules
A +84 -0 static/usr/libexec/core/get-arg
A +35 -0 static/usr/libexec/core/get-mode
A +7 -0 static/usr/share/pam-configs/optional-lockout
A +7 -0 static/usr/share/pam-configs/optional-lockout-authsucc
A +7 -0 static/usr/share/pam-configs/optional-lockout-preauth
M +2 -2 static/usr/share/pam-configs/snappy-extrausers
https://invent.kde.org/neon/snap-packaging/plasma-core-desktop/-/commit/da0ff20b608f06cb45840da9909b86e94b5db58f
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 7887878..0de16d4 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -6,9 +6,11 @@ on:
push:
branches:
- main
+ - 'core[0-9][0-9]'
pull_request:
branches:
- main
+ - 'core[0-9][0-9]'
jobs:
build:
diff --git a/README.md b/README.md
index 40d6459..312009f 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,6 @@
This is a base snap for snapd & Ubuntu Core that is based on Ubuntu 22.04
-TODO: Not 22.04 actually yet, it will first build with impish rootfs and then we will switch to JJ when rootfs released.
-
# Building locally
To build this snap locally you need snapcraft. The project must be built as real root.
@@ -152,11 +150,11 @@ VM image.
# Bootchart
-It is possible to enable bootcharts by adding `core.bootchart` to the
-kernel command line. The sample collector will run until the system is
-seeded (it will stop when the `snapd.seeded.service` stops). The
-bootchart will be saved in the `ubuntu-data` partition, under
-`/var/log/debug/boot<N>/`, `<N>` being the boot number since
+It is possible to enable bootcharts by adding `ubuntu_core.bootchart`
+to the kernel command line. The sample collector will run until the
+system is seeded (it will stop when the `snapd.seeded.service`
+stops). The bootchart will be saved in the `ubuntu-data` partition,
+under `/var/log/debug/boot<N>/`, `<N>` being the boot number since
bootcharts were enabled. If a chart has been collected by the
initramfs, it will be also saved in that folder.
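Review bot: the rewritten paragraph no longer mentions `core.bootchart`, although the commit message states it is still accepted as an alias and the generator in this same commit checks for both `core.bootchart` and `ubuntu_core.bootchart`; add one sentence saying the old name keeps working so that existing kernel command lines are not documented as broken.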
diff --git a/hook-tests/001-extra-packages.disabled b/hook-tests/001-extra-packages.test
similarity index 91%
rename from hook-tests/001-extra-packages.disabled
rename to hook-tests/001-extra-packages.test
index 915715e..16d3335 100755
--- a/hook-tests/001-extra-packages.disabled
+++ b/hook-tests/001-extra-packages.test
@@ -40,7 +40,6 @@ dbus-user-session
e2fsprogs
fdisk
findutils
-gcc-11-base:amd64
gpgv
grep
gzip
@@ -93,8 +92,6 @@ libprocps8:amd64
libseccomp2:amd64
libselinux1:amd64
libsemanage-common
-libsemanage1:amd64
-libsepol1:amd64
libsmartcols1:amd64
libss2:amd64
libstdc++6:amd64
@@ -134,3 +131,7 @@ if [ -n "$DIFF" ]; then
echo "test_pkg_removal.sh test."
exit 1
fi
+
+# TODO: test is not ideal but at this point we have no apt/dpkg db anymore
+echo "Ensure that the cryptsetup version is pulled from the fde-ice ppa"
+grep -E 'cryptsetup.*+ice' usr/share/snappy/dpkg.list
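Review bot: the regex in `grep -E 'cryptsetup.*+ice' usr/share/snappy/dpkg.list` does not match the `+` literally: in an ERE `+` is a quantifier and `*+` is undefined, so the check passes on any line containing `cryptsetup` followed somewhere later by `ice` (a plain `cryptsetup ... service` description would do), which defeats the purpose stated in the echo. Escape it, `grep -E 'cryptsetup.*\+ice'`, or use `grep -F '+ice'` over the `cryptsetup` lines, and consider pinning the expected version suffix once the TODO above is resolved.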
diff --git a/hook-tests/024-configure-bootchart.test b/hook-tests/024-configure-bootchart.test
deleted file mode 100755
index 570a5c6..0000000
--- a/hook-tests/024-configure-bootchart.test
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh -ex
-
-if [ "$(dpkg --print-architecture)" = "riscv64" ]; then
- echo "riscv64 does not support this functionality"
- exit 0
-fi
-
-test -f usr/lib/systemd/bootchart.conf.d/ubuntu-core.conf
-test -f lib/systemd/system/systemd-bootchart.service
-test -x lib/systemd/systemd-bootchart-poststop.sh
-test -f lib/systemd/system/stop-systemd-bootchart.service
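Review bot: removing this test leaves the bootchart plumbing without any hook-test coverage; the replacement files listed for this commit (`static/usr/lib/systemd/system-generators/bootchart`, `systemd-bootchart.service.d/ubuntu-core.conf`, `systemd-bootchart-quit.service`) are not asserted anywhere. Re-add a test that checks `test -x usr/lib/systemd/system-generators/bootchart` and the presence of the two unit files, keeping the riscv64 early exit that the deleted version had.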
diff --git a/hook-tests/031-faillock.test b/hook-tests/031-faillock.test
new file mode 100755
index 0000000..c3a944b
--- /dev/null
+++ b/hook-tests/031-faillock.test
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+grep pam_faillock.so etc/pam.d/common-auth
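Review bot: a single `grep pam_faillock.so etc/pam.d/common-auth` only proves one `auth` line was generated; the feature as described needs the `preauth` and `authsucc` lines as well as the `account` line from the third profile, and a build where only one of the three profiles was enabled would still pass. Add greps for the `preauth` and `authsucc` arguments and for `pam_faillock.so` in `etc/pam.d/common-account`, and assert that whichever line makes the lockout conditional on the marker checked by `lockout-not-enabled.sh` is present, otherwise the "optional" part is untested.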
diff --git a/hooks/001-extra-packages.chroot b/hooks/001-extra-packages.chroot
index 0c00d69..2c0246d 100755
--- a/hooks/001-extra-packages.chroot
+++ b/hooks/001-extra-packages.chroot
@@ -80,6 +80,25 @@ Pin-Priority: 1002
EOF
+# enable security ICE ppa
+echo "deb http://ppa.launchpadcontent.net/ubuntu-security/fde-ice/ubuntu $CODENAME main" > /etc/apt/sources.list.d/fde-ice.list
+
+cat >/etc/apt/trusted.gpg.d/canonical-security-fde-ice.asc <<'EOF'
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xo0ESXbhhAEEAMgPw5cjuQparAFSRh4v/yrXGefOE4KzlV+OudbHPn/nxfhgXn1d
+RaF47lO+HLeBGd6X5UJzai//WoJcOPUBqLoiHIHgNr2pIi5iN29uZYnpEaN+LZyx
+pgM0db/jRzLFtBHM61ocKHflk/F9WeWMkSModxivBFK4NDpucEQzMzR1ABEBAAHN
+LkxhdW5jaHBhZCBQcml2YXRlIFBQQSBmb3IgVWJ1bnR1IFNlY3VyaXR5IFRlYW3C
+tgQTAQIAIAUCSXbhhAIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEGjrQbzZ
+Mk9xo2kEAJCFZlNeFPiWUXpaOOVLsi5ZWST5RLIHiXJQgNHd+pqcxy9MpSUYZC/+
+J4rBYeOdB1v4qgJqVrks8b0Nixcvu0p7+ieZYP10fNt2uuNlj56eSV2v3z64VmZz
+ebrtrD1Hrw3BetRY4aQ0ysRSugvbTwqS0d17zepomYJS49Jy2w2D
+=ALlI
+-----END PGP PUBLIC KEY BLOCK-----
+
+EOF
+
# enable desktop-snappers PPA
cat << \EOF > /etc/apt/trusted.gpg.d/desktop-snappers-core-desktop.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
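Review bot: the new sources line relies on `$CODENAME` while the desktop-snappers lines just below hardcode `jammy`; confirm `CODENAME` is set earlier in this hook, since an unset variable would write `.../ubuntu  main` and apt would fail at `apt update`. Separately, dropping the key into `/etc/apt/trusted.gpg.d/` makes it a trust root for every configured repository, not just this PPA; scoping it with a deb822 `Signed-By:` stanza in `/etc/apt/sources.list.d/fde-ice.sources` and a keyring under `/etc/apt/keyrings/` limits the impact if that PPA key is ever compromised, and a comment carrying the key fingerprint lets reviewers verify the pasted block against Launchpad.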
@@ -115,6 +134,7 @@ EOF
echo "deb http://ppa.launchpad.net/desktop-snappers/core-desktop/ubuntu jammy main" > /etc/apt/sources.list.d/desktop-snappers.list
echo "deb http://ppa.launchpad.net/desktop-snappers/core-desktop-backports/ubuntu jammy main" >> /etc/apt/sources.list.d/desktop-snappers.list
+
# install some packages we need
apt update
apt dist-upgrade -y --allow-downgrades
@@ -153,6 +173,7 @@ PACKAGES=(
p11-kit
p11-kit-modules
plymouth-label-ft
+ polkitd
rfkill
squashfs-tools
sudo
@@ -163,6 +184,7 @@ PACKAGES=(
udev
vim-tiny
wpasupplicant
+ locales
xdg-utils
xkb-data
)
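Review bot: `locales` is inserted between `wpasupplicant` and `xdg-utils`, breaking the alphabetical order the `PACKAGES` array otherwise keeps (compare `polkitd` in the previous hunk, which lands in the right place); move it up next to the other `l*` entries so later diffs stay readable.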
diff --git a/hooks/022-setup-path.chroot b/hooks/022-setup-path.chroot
index db8a602..c704531 100755
--- a/hooks/022-setup-path.chroot
+++ b/hooks/022-setup-path.chroot
@@ -15,6 +15,3 @@ echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/ga
echo "Ensure /etc/login.defs contains /snap/bin"
sed -i 's#\(.*\)PATH=\(.*\)#\1 PATH=\2:/snap/bin#' /etc/login.defs
grep 'PATH=.*:/snap/bin' /etc/login.defs
-
-# Include profile script fragment from snapd snap
-ln -s /snap/snapd/current/etc/profile.d/apps-bin-path.sh /etc/profile.d/apps-bin-path.sh
diff --git a/hooks/024-configure-bootchart.chroot b/hooks/024-configure-bootchart.chroot
deleted file mode 100755
index 1fe502d..0000000
--- a/hooks/024-configure-bootchart.chroot
+++ /dev/null
@@ -1,79 +0,0 @@
-#! /bin/sh -ex
-
-if [ "$(dpkg --print-architecture)" = "riscv64" ]; then
- echo "core22 riscv64 does not support this functionality"
- exit 0
-fi
-
-# Rewrite unit that came with the systemd-bootchart package
-
-cat << 'EOF' > /lib/systemd/system/systemd-bootchart.service
-[Unit]
-Description=Boot Process Profiler
-Documentation=man:systemd-bootchart.service(1) man:bootchart.conf(5)
-DefaultDependencies=no
-Conflicts=shutdown.target
-Before=shutdown.target
-Requires=stop-systemd-bootchart.service
-ConditionKernelCommandLine=core.bootchart
-
-[Service]
-ExecStartPre=/usr/bin/mkdir -p /run/log/base
-ExecStart=/lib/systemd/systemd-bootchart -r
-KillSignal=SIGHUP
-ExecStopPost=/lib/systemd/systemd-bootchart-poststop.sh
-
-[Install]
-WantedBy=sysinit.target
-EOF
-
-systemctl enable systemd-bootchart.service
-
-# Creating these files could go to static folder, but it seems cleaner to have
-# everything together in one place.
-
-mkdir -p /usr/lib/systemd/bootchart.conf.d
-cat << 'EOF' > /usr/lib/systemd/bootchart.conf.d/ubuntu-core.conf
-[Bootchart]
-Samples=36000
-Frequency=20
-Relative=yes
-Filter=no
-# Memory usage produces a bad overlay in the svg
-#PlotMemoryUsage=yes
-Cmdline=yes
-Output=/run/log/base
-EOF
-
-cat << 'EOF' > /lib/systemd/systemd-bootchart-poststop.sh
-#!/bin/sh -ex
-
-save_d=/run/mnt/data/system-data/var/log/debug
-last_d=$(find $save_d/ -type d -name boot\* | sort | tail -n1)
-if [ -z "$last_d" ]; then last_d=0; fi
-next_d=$save_d/boot$((${last_d##*boot} + 1))
-mkdir -p $next_d
-mv /run/log/base/*.svg $next_d
-
-initrd_f=$(find /run/log -maxdepth 1 -name \*.svg -printf "%f" -quit)
-if [ -n "$initrd_f" ]; then
- mv /run/log/"$initrd_f" $next_d/initrd-"$initrd_f"
-fi
-EOF
-
-cat << 'EOF' > /lib/systemd/system/stop-systemd-bootchart.service
-[Unit]
-Description=Unit to stop systemd-bootchart
-After=snapd.seeded.service
-Requisite=snapd.seeded.service
-ConditionKernelCommandLine=snapd_recovery_mode=run
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/systemctl stop systemd-bootchart.service
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-chmod +x /lib/systemd/systemd-bootchart-poststop.sh
diff --git a/hooks/031-faillock.chroot b/hooks/031-faillock.chroot
new file mode 100755
index 0000000..bd8a8d7
--- /dev/null
+++ b/hooks/031-faillock.chroot
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+pam-auth-update --enable optional-faillock optional-faillock-preauth optional-faillock-authsucc
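Review bot: the profile names in `pam-auth-update --enable optional-faillock optional-faillock-preauth optional-faillock-authsucc` do not match the pam-configs files added by this commit, which the file list shows as `optional-lockout`, `optional-lockout-preauth` and `optional-lockout-authsucc`; pam-auth-update identifies a profile by its file name under `/usr/share/pam-configs`, so as written nothing would be enabled. Rename one side or the other, and make `hook-tests/031-faillock.test` strict enough to catch this case.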
diff --git a/hooks/050-snap-symlink.chroot b/hooks/050-snap-symlink.chroot
index a545f73..ed93032 100755
--- a/hooks/050-snap-symlink.chroot
+++ b/hooks/050-snap-symlink.chroot
@@ -3,5 +3,14 @@
echo "Creating the snap binary symlink"
ln -s /snap/snapd/current/usr/bin/snap /usr/bin/snap
+echo "Creating the symlink to snap's bash completion"
+ln -s /snap/snapd/current/usr/share/bash-completion/completions/snap /usr/share/bash-completion/completions/snap
+
+echo "Creating the symlink snap's shell environment configuration"
+ln -s /snap/snapd/current/etc/profile.d/apps-bin-path.sh /etc/profile.d/apps-bin-path.sh
+
+echo "Creating the symlink snap's user services' environment configuration"
+ln -s /snap/snapd/current/usr/lib/environment.d/990-snapd.conf /usr/lib/environment.d/990-snapd.conf
+
echo "Creating snap polkit policy symlink"
ln -s /snap/snapd/current/usr/share/polkit-1/actions/io.snapcraft.snapd.policy /usr/share/polkit-1/actions/io.snapcraft.snapd.policy
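Review bot: the three new `ln -s` calls assume `/usr/share/bash-completion/completions/`, `/etc/profile.d/` and `/usr/lib/environment.d/` already exist in the chroot; `ln -s` fails when the parent directory is missing, and `/usr/lib/environment.d` in particular is only created by packages that ship environment files. Add `mkdir -p` for each parent before linking, or use `ln -sfn` so the hook is also idempotent on rebuilds. Nit: the two echo strings "Creating the symlink snap's ..." are missing "to".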
diff --git a/hooks/101-systemd-fsck.chroot b/hooks/101-systemd-fsck.chroot
new file mode 100755
index 0000000..ebc4fbb
--- /dev/null
+++ b/hooks/101-systemd-fsck.chroot
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eux
+
+echo "Remove conflict from systemd-fsck to shutdown"
+sed -i "/^Conflicts=shutdown.target$/d" lib/systemd/system/systemd-fsck at .service
+
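Review bot: `sed -i "/^Conflicts=shutdown.target$/d" lib/systemd/system/systemd-fsck@.service` addresses the unit with a path relative to the current directory while the other hooks use absolute paths into the chroot (`/lib/systemd/...`, `/etc/...`), so the edit silently depends on the hook's cwd; and because `sed` exits 0 whether or not the line existed, a systemd package that phrases the conflict differently would leave the shutdown ordering problem this commit fixes in place. Use the absolute path and follow the edit with a `grep -q '^Conflicts=' ... && exit 1` check, the way 022-setup-path.chroot verifies its PATH edit; also drop the stray trailing blank line.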
diff --git a/hooks/901-cleanup-timesyncd.chroot b/hooks/901-cleanup-timesyncd.chroot
deleted file mode 100755
index de80818..0000000
--- a/hooks/901-cleanup-timesyncd.chroot
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# With newer systemd, systemd-timesyncd switched from a regular user usage to
-# dynamic users. In cases of upgrades from an older core22 system or in some
-# other weird situations the old timesync directory needs removal as otherwise
-# systemd will fail creating dynamic user symlink and fail to start timesyncd.
-# XXX: This might not be needed in the end, but certainly useful now
-echo "Clean up systemd-timesyncd leftover directory"
-
-mkdir -p /lib/systemd/system/systemd-tmpfiles-setup.service.d
-cat >/lib/systemd/system/systemd-tmpfiles-setup.service.d/fixup-timesyncd.conf<<EOF
-[Service]
-ExecStartPost=/bin/sh -c "[ ! -L /var/lib/systemd/timesync ] && rm -rf /var/lib/systemd/timesync || true"
-EOF
-
diff --git a/snapcraft.yaml b/snapcraft.yaml
index a3a8192..d2e08a6 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -22,8 +22,8 @@ parts:
- devscripts
source: https://github.com/canonical/probert.git
source-type: git
- # following branch server/jammy
- source-commit: 253acbe1480fba69d12d6e72f53412da79e27410
+ # following branch core/jammy
+ source-commit: 94be2fa3f45e766ecee526fdc0c15f65a78667e6
override-pull: |
"${CRAFT_PROJECT_DIR}/build-package.sh" pull
override-build: |
@@ -40,8 +40,8 @@ parts:
plugin: nil
source: https://github.com/canonical/subiquity.git
source-type: git
- # following branch server/jammy
- source-commit: abc053508fa27656f1016e32585077ef567ad591
+ # following branch core/jammy
+ source-commit: c6452b904798d94d8dea7d00bb84cefbb98e3238
override-pull: |
"${CRAFT_PROJECT_DIR}/build-package.sh" pull
override-build: |
@@ -84,6 +84,9 @@ parts:
source-type: git
organize:
ubuntu-core: usr/share/plymouth/themes/ubuntu-core
+ copyright: usr/share/doc/plymouth-theme-ubuntu-core/copyright
+ stage:
+ - -README.md
bootstrap:
after:
- probert-deb
diff --git a/static/usr/lib/core/fix-hctosys b/static/usr/lib/core/fix-hctosys
deleted file mode 100755
index 927bb8d..0000000
--- a/static/usr/lib/core/fix-hctosys
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-#
-# This script is a workaround for the issue that when an rtc module is inserted
-# the clock gets reset to whatever time the RTC has regardless of system time.
-# See https://github.com/snapcore/core20/pull/136 for more details
-
-
-# Debugging udev scripts is hard, if debugging is needed uncomment the following
-# lines and rebuild core with that.
-#set -x
-#if [ -e /run/mnt/ubuntu-seed ]; then
-# LOG=/run/mnt/ubuntu-seed/fix-hctosys.log
-#else
-# LOG=/run/fix-hctosys.log
-#fi
-#exec >> "$LOG"
-#exec 2>&1
-#printf "%s\n" "Starting $(date)"
-
-TIMESYNC_CLOCK=/var/lib/systemd/timesync/clock
-CLOCK_EPOCH=/var/lib/clock-epoch
-SELF=$(readlink -f "$0")
-
-NOW="$(date +'%s')"
-
-# Get the mtime of this script
-# Note that we cannot just "stat /proc/self/exe" here, this resolves to the
-# /usr/bin/stat binary
-MTIME_SELF="$(stat -L "$SELF" -c '%Y')"
-
-# Get the mtime of the /usr/lib/clock-epoch file
-MTIME_CLOCK_EPOCH=0
-if [ -e $CLOCK_EPOCH ]; then
- MTIME_CLOCK_EPOCH="$(stat -L $CLOCK_EPOCH -c '%Y')"
-fi
-
-# Get the mtime from timesyncd that is written every 60s
-MTIME_TIMESYNC_CLOCK=0
-if [ -e $TIMESYNC_CLOCK ]; then
- MTIME_TIMESYNC_CLOCK="$(stat -L $TIMESYNC_CLOCK -c '%Y')"
-fi
-
-# find the highest MTIME from the two filesystem references
-MTIME=$(echo "$MTIME_SELF $MTIME_CLOCK_EPOCH $MTIME_TIMESYNC_CLOCK" | tr ' ' '\n' | sort -rn | head -1)
-
-# set to the highest mtime found if the current time is too old
-if [ "$NOW" -lt "$MTIME" ]; then
- echo "Time needs updating because $NOW < $MTIME"
- date -s @"$MTIME"
-fi
diff --git a/static/usr/lib/core/lockout-not-enabled.sh b/static/usr/lib/core/lockout-not-enabled.sh
new file mode 100755
index 0000000..d16e714
--- /dev/null
+++ b/static/usr/lib/core/lockout-not-enabled.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eu
+
+# This marker file is created by:
+# snap set system users.lockout=true
+! [ -f /etc/writable/account-locked.enable ]
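Review bot: the marker path `/etc/writable/account-locked.enable` disagrees with the commit message, which says the feature is keyed on `/etc/writable/faillock.enabled`; an operator following the commit text would create the wrong file and get no lockout, so settle on one name and document it (together with the `snap set system users.lockout=true` option mentioned in the comment) in the README. The script logic itself is fine: under `set -e` a negated command does not abort, and the exit status is that of `! [ -f ... ]`, so an absent marker yields 0.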
diff --git a/static/usr/lib/core/remount-core-fs b/static/usr/lib/core/remount-core-fs
new file mode 100755
index 0000000..ac5ac4a
--- /dev/null
+++ b/static/usr/lib/core/remount-core-fs
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+FILESYSTEMS=(
+ /run/mnt/base
+ /run/mnt/data
+ /run/mnt/gadget
+ /run/mnt/kernel
+ /run/mnt/snapd
+ /run/mnt/ubuntu-boot
+ /run/mnt/ubuntu-save
+ /run/mnt/ubuntu-seed
+ /writable
+)
+
+for fs in "${FILESYSTEMS[@]}"; do
+ if mountpoint -q "${fs}"; then
+ mount --make-private "${fs}"
+ fi
+done
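Review bot: the script has no `set -eu`, and a failing `mount --make-private "${fs}"` is ignored, so if one of the listed mounts cannot be changed the unit still reports success while bind mounts keep propagating into `/writable` and `/run/mnt/data` exactly as the commit message describes. Add `set -eu` (or `|| exit 1`) so the failure surfaces. Also note `--make-private` changes only the listed mount point and does not undo anything already propagated beneath it, so confirm this unit is ordered before the snap mount units; if it can run later, `--make-rprivate` is the closer fit.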
diff --git a/static/usr/lib/core/rtc-sys-time-init b/static/usr/lib/core/rtc-sys-time-init
new file mode 100755
index 0000000..c1a22d1
--- /dev/null
+++ b/static/usr/lib/core/rtc-sys-time-init
@@ -0,0 +1,114 @@
+#!/bin/sh
+
+# Adjust system time for the following reasons:
+# 1) Sync system time to RTC time
+# - On older kernel versions, RTC modules with HCTOSYS enabled cannot sync system time with
+# RTC time (attribute hctosys==0)
+# 2) Correct driver/module system time sync to invalid time (earlier than most recent time stamp)
+# - Built-in/loadable RTC driver with HCTOSYS enabled may set invalid time due to .e.g
+# uninitialized RTC or bad battery
+#
+# If the RTC time is not valid, or cannot be set, forward the system time to most recent timestamp
+
+set -eu
+
+journal() {
+ pri=$1
+ shift
+ lvl=
+ case "$pri" in
+ "error")
+ lvl="<3>"
+ ;;
+ "warning")
+ lvl="<4>"
+ ;;
+ "debug")
+ lvl="<7>"
+ ;;
+ *)
+ lvl="<6>"
+ ;;
+ esac
+
+ # Apply priority level to all lines
+ printf "%s\n" "$@" | while IFS= read -r line; do
+ printf "%s\n" "$lvl$line"
+ done
+}
+
+# Expects single argument RTC device node /dev/rtc* (instance name dev-rtc* with escaping undone)
+dev_node=$1
+
+# ... or a path in /sys
+if ! [ -c "${dev_node}" ]; then
+ dev_node="$(udevadm info --query=property --path "${dev_node}" | sed "/^DEVNAME=/{;s///;q};d")"
+fi
+
+# Get systemd timestamp file created during core build
+clock_epoch_stamp=0
+if [ -e "/usr/lib/clock-epoch" ]; then
+ clock_epoch_stamp=$(stat -L "/usr/lib/clock-epoch" -c '%Y')
+else
+ journal warning "Warning: cannot stat /usr/lib/clock-epoch"
+fi
+clock_epoch_date=$(date -d @"$clock_epoch_stamp")
+journal debug "core/systemd build timetamp: $clock_epoch_date"
+
+# Get systemd-timesyncd timestamp file initialized to systemd build time and updated periodically
+# (default 60s) and at shutdown
+timesync_clock_stamp=0
+if [ -e "/var/lib/systemd/timesync/clock" ]; then
+ timesync_clock_stamp="$(stat -L "/var/lib/systemd/timesync/clock" -c '%Y')"
+else
+ journal warning "Warning: cannot stat /var/lib/systemd/timesync/clock (expected on first boot only)"
+fi
+timesync_clock_date=$(date -d @"$timesync_clock_stamp")
+journal debug "timesyncd timestamp: $timesync_clock_date"
+
+most_recent_stamp=$((clock_epoch_stamp > timesync_clock_stamp ? clock_epoch_stamp : timesync_clock_stamp))
+
+sys_time_set_res=1
+if udevadm info --attribute-walk --name="$dev_node" | grep -q 'ATTR{hctosys}=="1"'; then
+ sys_time_set_res=0
+ echo "Kernel synced system time to RTC $dev_node time"
+else
+ echo "Reading RTC $dev_node time..."
+ if ! rtc_stamp=$(hwclock -r -u -f "$dev_node" 2>/dev/null); then
+ journal error "Error: cannot read RTC $dev_node"
+ else
+ rtc_stamp=$(date -d "$rtc_stamp" +%s)
+ rtc_date=$(date -d @"$rtc_stamp")
+ echo "Successfully read RTC time: $rtc_date"
+
+ if [ "$rtc_stamp" -gt "$most_recent_stamp" ]; then
+ echo "RTC time is valid, syncing system time..."
+ if hwclock -s --noadjfile -u -f "$dev_node" 2>/dev/null; then
+ echo "Successfully synced system time"
+ exit 0
+ else
+ journal error "Error: cannot sync system time"
+ fi
+ else
+ journal error "Error: RTC time invalid, skipping system time sync"
+ fi
+ fi
+fi
+
+# At this point either (1) the RTC module synced the system time or (2) this script failed
+# to sync system time. In both cases we need to ensure that system time is not behind the
+# most recent timestamp.
+now_stamp=$(date +'%s')
+if [ "$now_stamp" -lt "$most_recent_stamp" ]; then
+ echo "Moving system time forward to most recent timestamp..."
+ if date -s @"$most_recent_stamp" >/dev/null 2>&1; then
+ echo "Successfully moved system time forward"
+ else
+ journal error "Error: cannot forward system time"
+ exit 1
+ fi
+else
+ echo "System time is ahead of most recent timestamp, skipping fixup"
+fi
+
+exit $sys_time_set_res
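Review bot: the exit status is misleading in the fallback path: when the RTC could not be used (`sys_time_set_res=1`) but `date -s @"$most_recent_stamp"` succeeds, the script still ends with `exit $sys_time_set_res`, so the `rtc-sys-time-init@.service` instance is reported failed even though the clock was corrected. Either `exit 0` after a successful forward, or state in the header comment that a non-zero status is deliberate (the generator's "require highly visible service failure" comment suggests it may be) so nobody later "fixes" it. Minor: "timetamp" in the debug message, and the plain `echo` lines reach the journal at default priority while only `journal()` output is tagged, so consider routing everything through `journal`.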
diff --git a/static/usr/lib/core/run-snapd-from-snap b/static/usr/lib/core/run-snapd-from-snap
index 5007ae1..f8c60bc 100755
--- a/static/usr/lib/core/run-snapd-from-snap
+++ b/static/usr/lib/core/run-snapd-from-snap
@@ -9,6 +9,13 @@ set -eux
run_on_unseeded() {
SNAPD_BASE_DIR="/run/mnt/snapd"
+ # We need to initialize /snap/snapd/current symlink so that the
+ # dynanic linker
+ # /snap/snapd/current/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+ # is available to run snapd.
+ [ -d /snap/snapd ] || mkdir -p /snap/snapd
+ ln -sf "${SNAPD_BASE_DIR}" /snap/snapd/current
+
# snapd will write all its needed snapd.{service,socket}
# units and restart once it seeded the snapd snap. We create
# a systemd socket unit so that systemd own the socket, otherwise
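Review bot: `ln -sf "${SNAPD_BASE_DIR}" /snap/snapd/current` creates the link inside the target when `/snap/snapd/current` already exists as a directory or as a symlink to one, producing `/snap/snapd/current/snapd` instead of replacing the link; use `ln -sfn`, as the rtc generator in this same commit does with `ln -snf`. Typo in the comment: "dynanic".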
diff --git a/static/usr/lib/systemd/bootchart.conf.d/ubuntu-core.conf b/static/usr/lib/systemd/bootchart.conf.d/ubuntu-core.conf
new file mode 100644
index 0000000..829b32d
--- /dev/null
+++ b/static/usr/lib/systemd/bootchart.conf.d/ubuntu-core.conf
@@ -0,0 +1,9 @@
+[Bootchart]
+Samples=36000
+Frequency=20
+Relative=yes
+Filter=no
+# Memory usage produces a bad overlay in the svg
+#PlotMemoryUsage=yes
+Cmdline=yes
+Output=/run/log/base
diff --git a/static/usr/lib/systemd/system-generators/bootchart b/static/usr/lib/systemd/system-generators/bootchart
new file mode 100755
index 0000000..67176e8
--- /dev/null
+++ b/static/usr/lib/systemd/system-generators/bootchart
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -eu
+
+[ -d /run/bootchart-debug ] || mkdir -p /run/bootchart-debug
+
+case "${SYSTEMD_ARCHITECTURE-}" in
+ riscv64)
+ exit 0
+ ;;
+esac
+
+if ! /usr/libexec/core/get-arg core.bootchart >/dev/null &&
+ ! /usr/libexec/core/get-arg ubuntu_core.bootchart >/dev/null; then
+ exit 0
+fi
+
+# /var/lib/snapd is bind mounted by a unit from fstab-generator
+# It is not mounted yet.
+modeenv=/run/mnt/data/system-data/var/lib/snapd/modeenv
+mode="$(/usr/libexec/core/get-mode mode "${modeenv}")" || mode="unknown"
+
+normal_dir=$1
+early_dir=$2
+late_dir=$3
+
+enable() {
+ unit="${1}"
+ target="${2}"
+ type="${3}"
+ target_dir="${normal_dir}/${target}.${type}"
+ [ -d "${target_dir}" ] || mkdir -p "${target_dir}"
+ ln -sf "${unit}" "${target_dir}/"
+}
+
+enable /lib/systemd/system/systemd-bootchart.service sysinit.target wants
+
+if [ "${mode}" = run ]; then
+ enable /lib/systemd/system/systemd-bootchart-quit.service multi-user.target wants
+fi
+
+[ -d /run/log/base ] || mkdir -p /run/log/base
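Review bot: `/run/bootchart-debug` is created before the riscv64 and kernel-command-line early exits and is never referenced again in this script, so the directory appears on every boot even with bootcharts disabled; drop it, or move it after the `get-arg` check if a later unit depends on it. Also `early_dir` and `late_dir` are assigned but unused, and `enable` links `/lib/systemd/system/...` while the sibling generator uses `/usr/lib/systemd/system/...`; both resolve on a merged-/usr base, but pick one prefix.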
diff --git a/static/usr/lib/systemd/system-generators/rtc-sys-time-init-generator b/static/usr/lib/systemd/system-generators/rtc-sys-time-init-generator
new file mode 100755
index 0000000..e9f2103
--- /dev/null
+++ b/static/usr/lib/systemd/system-generators/rtc-sys-time-init-generator
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# This generator instantiates rtc-sys-time-init at dev-rtc*.service by hooking it
+# into sysinit.target when requested by kernel command line parameter
+# ubuntu_core.rtc_sys_time_init=dev-rtc*. Instances are based on the template
+# rtc-sys-time-init at .service that is not generated.
+
+DEBUG_ENABLE="false"
+
+log() {
+ echo "$@" >> "/dev/kmsg"
+}
+
+debug() {
+ if [ "$DEBUG_ENABLE" = "true" ]; then
+ log "$@"
+ fi
+}
+
+normal_dir="$1"
+
+# Look for kernel command line parameter ubuntu_core.rtc_sys_time_init
+if ! dev_node=$(/usr/libexec/core/get-arg "ubuntu_core.rtc_sys_time_init"); then
+ debug "Kernel command line does not contain parameter ubuntu_core.rtc_sys_time_init"
+ exit 0
+fi
+
+# Expect /dev/rtc and /dev/rtc0 to /dev/rtc9
+if ! expr "$dev_node" : '^/dev/rtc[0-9]\{0,1\}$' >/dev/null; then
+ log "Warning: kernel command line parameter ubuntu_core.rtc_sys_time_init=$dev_node seems invalid"
+ # Do not exit, require highly visible service failure
+fi
+
+dev_unit=$(systemd-escape --path "$dev_node")
+instance="rtc-sys-time-init@$dev_unit.service"
+target_dir="$normal_dir/sysinit.target.wants"
+target_link=$target_dir/$instance
+template="/usr/lib/systemd/system/rtc-sys-time-init at .service"
+
+if [ -L "$target_link" ]; then
+ debug "Already enabled"
+ exit 0
+fi
+
+if [ -d "$target_dir" ] || mkdir -p "$target_dir"; then
+ if ln -snf "$template" "$target_link"; then
+ debug "Enabled $instance: $target_link -> $template"
+ else
+ log "Error: cannot create symlink $target_link -> $template"
+ exit 1
+ fi
+else
+ log "Error: cannot create target directory $target_dir"
+fi
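Review bot: the final `else` branch logs "Error: cannot create target directory" but does not `exit 1`, unlike the symlink-failure branch just above it, so a generator that failed to create `$target_dir` still returns success and the requested `rtc-sys-time-init@dev-rtc*.service` instance is silently never enabled; add `exit 1` after the `log` call so both failure paths report the same way, which matches the "require highly visible service failure" intent stated in the comment at the `expr` check.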
diff --git a/static/usr/lib/systemd/system/fix-hctosys.service b/static/usr/lib/systemd/system/fix-hctosys.service
deleted file mode 100644
index 96d9b99..0000000
--- a/static/usr/lib/systemd/system/fix-hctosys.service
+++ /dev/null
@@ -1,6 +0,0 @@
-[Unit]
-Description=Work around automatic hctosys
-
-[Service]
-Type=oneshot
-ExecStart=/usr/lib/core/fix-hctosys
diff --git a/static/usr/lib/systemd/system/local-fs.target.wants/remount-core-fs.service b/static/usr/lib/systemd/system/local-fs.target.wants/remount-core-fs.service
new file mode 120000
index 0000000..6898efb
--- /dev/null
+++ b/static/usr/lib/systemd/system/local-fs.target.wants/remount-core-fs.service
@@ -0,0 +1 @@
+../remount-core-fs.service
\ No newline at end of file
diff --git a/static/usr/lib/systemd/system/remount-core-fs.service b/static/usr/lib/systemd/system/remount-core-fs.service
new file mode 100644
index 0000000..ef20cdb
--- /dev/null
+++ b/static/usr/lib/systemd/system/remount-core-fs.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Reset propagation of initial mount points
+DefaultDependencies=no
+Before=local-fs-pre.target
+Before=local-fs.target
+Before=shutdown.target
+Wants=local-fs-pre.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/core/remount-core-fs
+
+[Install]
+WantedBy=local-fs.target
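Review bot: the unit carries no comment explaining which mount points have their propagation reset or why `Before=local-fs-pre.target` is needed, and the script it runs (`/usr/lib/core/remount-core-fs`) is referenced only by path; a two-line header comment summarising the commit message's "Fix mount propagation" rationale would help the next person who has to reason about ordering against `local-fs-pre.target`. Note also that the static symlink added in `local-fs.target.wants/` is what actually pulls the unit in on this read-only image, so the `[Install]` section is documentation only.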
diff --git a/static/usr/lib/systemd/system/remount-data.service b/static/usr/lib/systemd/system/remount-data.service
new file mode 100644
index 0000000..7fc8227
--- /dev/null
+++ b/static/usr/lib/systemd/system/remount-data.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Remounting /run/mnt/data read-only
+DefaultDependencies=no
+ConditionPathIsMountPoint=/run/mnt/data
+After=umount.target
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,ro /run/mnt/data
diff --git a/static/usr/lib/systemd/system/remount-seed.service b/static/usr/lib/systemd/system/remount-seed.service
new file mode 100644
index 0000000..3aae98b
--- /dev/null
+++ b/static/usr/lib/systemd/system/remount-seed.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Remounting /run/mnt/ubuntu-seed read-only
+DefaultDependencies=no
+ConditionPathIsMountPoint=/run/mnt/ubuntu-seed
+After=umount.target
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,ro /run/mnt/ubuntu-seed
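Review bot: `remount-seed.service` is identical to `remount-data.service` except for the mount point, and both depend on `ConditionPathIsMountPoint=` and `ExecStart=/bin/mount -o remount,ro` with the path repeated; a single template `remount@.service` using `ConditionPathIsMountPoint=/%I` and `ExecStart=/bin/mount -o remount,ro /%I`, enabled as `remount@run-mnt-data.service` and `remount@run-mnt-ubuntu\x2dseed.service`, would remove the duplication and keep the two in sync. Either way, a failed remount here (for example a writer still holding the filesystem) fails the unit but does not block shutdown, which is presumably intended and worth stating in a comment.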
diff --git a/static/usr/lib/systemd/system/rtc-sys-time-init at .service b/static/usr/lib/systemd/system/rtc-sys-time-init at .service
new file mode 100644
index 0000000..86834c2
--- /dev/null
+++ b/static/usr/lib/systemd/system/rtc-sys-time-init at .service
@@ -0,0 +1,29 @@
+# rtc-sys-time-init at .service is enabled either by generator rtc-sys-time-init-generator or
+# by udev rule in 90-rtc-sys-time-init.rules, depending on kernel command line parameter
+# ubuntu_core.rtc_sys_time_init=dev/rtc*. When the parameter is provided the generator
+# instantiates rtc-sys-time-init at dev-rtc*.service by hooking it into sysinit.target with
+# symlink in /run/systemd/generator*/sysinit.target.wants. Otherwise the udev rule will
+# instantiate rtc-sys-time-init at dev-rtc*.service if the RTC driver/module set the system
+# time as indicated by device attribute hctosys==1.
+#
+# This service addresses two different scenarios in order:
+# 1) Ensure system time is not behind the most recent epoch/clock file timestamps.
+# This addresses: https://github.com/snapcore/core20/pull/136
+# 2) Ensure the system time is set to valid RTC time when this is requested with
+# kernel command line parameter ubuntu_core.rtc_sys_time_init=/dev/rtc*
+#
+# This service relies on udev rule from 90-rtc-sys-time-init.rules to create device units
+# dev-rtc*.device for all available RTC devices.
+[Unit]
+Description=Correct system time and sync to RTC time
+DefaultDependencies=no
+After=%i.device
+Requires=%i.device
+Before=systemd-timesyncd.service
+Conflicts=shutdown.target
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/core/rtc-sys-time-init /%I
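Review bot: the header comment is inconsistent about the parameter syntax: line 3 of the comment gives `ubuntu_core.rtc_sys_time_init=dev/rtc*` without the leading slash, while the later scenario list and the generator's own check (`'^/dev/rtc[0-9]\{0,1\}$'`) require `/dev/rtc*`; fix the first occurrence so the documented form is the one the generator accepts. The `Before=systemd-timesyncd.service` ordering is the important property of this unit and deserves a one-line comment as well.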
diff --git a/static/usr/lib/systemd/system/run-mnt-data.mount.d/late-umount.conf b/static/usr/lib/systemd/system/run-mnt-data.mount.d/late-umount.conf
new file mode 100644
index 0000000..98bb059
--- /dev/null
+++ b/static/usr/lib/systemd/system/run-mnt-data.mount.d/late-umount.conf
@@ -0,0 +1,3 @@
+[Unit]
+# This will remove implicit "Conflicts=umount.target"
+DefaultDependencies=no
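Review bot: `DefaultDependencies=no` removes more than the comment claims: besides the implicit `Conflicts=umount.target` it also drops the implicit `Before=umount.target` and the default ordering of a local mount against `local-fs-pre.target` and `local-fs.target`. That is probably harmless for mounts that already exist when the initrd hands over, but the comment should say so, and the same applies to the three identical drop-ins for `run-mnt-kernel.mount`, `run-mnt-ubuntu\x2dseed.mount` and `usr-lib-modules.mount` below. If only the unmount conflict is unwanted, consider keeping the defaults and stating the intended behaviour in the comment instead.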
diff --git a/static/usr/lib/systemd/system/run-mnt-kernel.mount.d/late-umount.conf b/static/usr/lib/systemd/system/run-mnt-kernel.mount.d/late-umount.conf
new file mode 100644
index 0000000..98bb059
--- /dev/null
+++ b/static/usr/lib/systemd/system/run-mnt-kernel.mount.d/late-umount.conf
@@ -0,0 +1,3 @@
+[Unit]
+# This will remove implicit "Conflicts=umount.target"
+DefaultDependencies=no
diff --git "a/static/usr/lib/systemd/system/run-mnt-ubuntu\\x2dseed.mount.d/late-umount.conf" "b/static/usr/lib/systemd/system/run-mnt-ubuntu\\x2dseed.mount.d/late-umount.conf"
new file mode 100644
index 0000000..98bb059
--- /dev/null
+++ "b/static/usr/lib/systemd/system/run-mnt-ubuntu\\x2dseed.mount.d/late-umount.conf"
@@ -0,0 +1,3 @@
+[Unit]
+# This will remove implicit "Conflicts=umount.target"
+DefaultDependencies=no
diff --git a/static/usr/lib/systemd/system/shutdown.target.wants/remount-data.service b/static/usr/lib/systemd/system/shutdown.target.wants/remount-data.service
new file mode 120000
index 0000000..b918c39
--- /dev/null
+++ b/static/usr/lib/systemd/system/shutdown.target.wants/remount-data.service
@@ -0,0 +1 @@
+../remount-data.service
\ No newline at end of file
diff --git a/static/usr/lib/systemd/system/shutdown.target.wants/remount-seed.service b/static/usr/lib/systemd/system/shutdown.target.wants/remount-seed.service
new file mode 120000
index 0000000..886bb72
--- /dev/null
+++ b/static/usr/lib/systemd/system/shutdown.target.wants/remount-seed.service
@@ -0,0 +1 @@
+../remount-seed.service
\ No newline at end of file
diff --git a/static/usr/lib/systemd/system/snapd.autoimport-device at .service b/static/usr/lib/systemd/system/snapd.autoimport-device at .service
index be3ce2f..4d60174 100644
--- a/static/usr/lib/systemd/system/snapd.autoimport-device at .service
+++ b/static/usr/lib/systemd/system/snapd.autoimport-device at .service
@@ -1,6 +1,8 @@
[Unit]
Description=Auto import assertions from a specific block device
After=snapd.service snapd.socket snapd.seeded.service
+# snapd.autoimport.service might try to mount the same disks so run after
+After=snapd.autoimport.service
ConditionKernelCommandLine=snapd_recovery_mode=run
[Service]
diff --git a/static/usr/lib/systemd/system/snapd.sshd-keygen.service b/static/usr/lib/systemd/system/snapd.sshd-keygen.service
index f5148a1..c0e8135 100644
--- a/static/usr/lib/systemd/system/snapd.sshd-keygen.service
+++ b/static/usr/lib/systemd/system/snapd.sshd-keygen.service
@@ -1,6 +1,6 @@
[Unit]
Description=Generate sshd host keys
-Before=sshd.service
+Before=ssh.service
[Service]
Type=oneshot
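Review bot: renaming `Before=sshd.service` to `Before=ssh.service` drops the ordering for any image or snap that still installs the unit under the `sshd.service` name; since ordering dependencies on units that do not exist are ignored, `Before=ssh.service sshd.service` is safe and covers both names. Host-key generation racing the daemon start is exactly the failure this unit exists to prevent, so the broader match is the conservative choice.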
diff --git "a/static/usr/lib/systemd/system/system-systemd\\x2dfsck.slice" "b/static/usr/lib/systemd/system/system-systemd\\x2dfsck.slice"
new file mode 100644
index 0000000..d016242
--- /dev/null
+++ "b/static/usr/lib/systemd/system/system-systemd\\x2dfsck.slice"
@@ -0,0 +1,6 @@
+# We need to mark this slice as not conflicting with shutdown.target.
+# Otherwise it would drag mounts to be unmounted.
+[Unit]
+Description=Fsck Units Slice
+DefaultDependencies=no
+
diff --git a/static/usr/lib/systemd/system/systemd-bootchart-quit.service b/static/usr/lib/systemd/system/systemd-bootchart-quit.service
new file mode 100644
index 0000000..bbac321
--- /dev/null
+++ b/static/usr/lib/systemd/system/systemd-bootchart-quit.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Stop systemd-bootchart
+After=snapd.seeded.service
+Requisite=snapd.seeded.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl stop systemd-bootchart.service
diff --git a/static/usr/lib/systemd/system/systemd-bootchart.service.d/ubuntu-core.conf b/static/usr/lib/systemd/system/systemd-bootchart.service.d/ubuntu-core.conf
new file mode 100644
index 0000000..bc4f491
--- /dev/null
+++ b/static/usr/lib/systemd/system/systemd-bootchart.service.d/ubuntu-core.conf
@@ -0,0 +1,15 @@
+[Unit]
+Conflicts=shutdown.target
+Before=shutdown.target
+
+# poststop.sh needs to write to /run/mnt/data so we need to stop
+# before read-only remounting happens
+Conflicts=remount-data.service
+Before=remount-data.service
+# In case of install/recover/factory-reset, we want
+# poststop.sh to stop before /run/mnt/ubuntu-data
+After=run-mnt-ubuntu\x2ddata.mount
+
+[Service]
+KillSignal=SIGHUP
+ExecStopPost=/lib/systemd/systemd-bootchart-poststop.sh
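Review bot: the comment "we want poststop.sh to stop before /run/mnt/ubuntu-data" is cut short; it should read "before /run/mnt/ubuntu-data is unmounted", which is what the `After=run-mnt-ubuntu\x2ddata.mount` ordering achieves on the shutdown path. It would also help to note that `Conflicts=remount-data.service` plus `Before=remount-data.service` is what guarantees the stop (and therefore `ExecStopPost=`) completes before the read-only remount in run mode, since that is the only reason both directives are present.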
diff --git a/static/usr/lib/systemd/system/usr-lib-modules.mount.d/late-umount.conf b/static/usr/lib/systemd/system/usr-lib-modules.mount.d/late-umount.conf
new file mode 100644
index 0000000..98bb059
--- /dev/null
+++ b/static/usr/lib/systemd/system/usr-lib-modules.mount.d/late-umount.conf
@@ -0,0 +1,3 @@
+[Unit]
+# This will remove implicit "Conflicts=umount.target"
+DefaultDependencies=no
diff --git a/static/usr/lib/systemd/systemd-bootchart-poststop.sh b/static/usr/lib/systemd/systemd-bootchart-poststop.sh
new file mode 100755
index 0000000..3e44afc
--- /dev/null
+++ b/static/usr/lib/systemd/systemd-bootchart-poststop.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+set -eu
+
+modeenv=/run/mnt/data/system-data/var/lib/snapd/modeenv
+mode="$(/usr/libexec/core/get-mode mode "${modeenv}")" || mode="unknown"
+
+case "${mode}" in
+ install|recover|factory-reset)
+ save_dir=/run/mnt/ubuntu-data/system-data/var/log/debug
+ ;;
+ *)
+ save_dir=/run/mnt/data/system-data/var/log/debug
+ ;;
+esac
+
+next_num=1
+for boot in "${save_dir}"/boot*; do
+ if [ -d "${boot}" ]; then
+ base="$(basename "${boot}")"
+ num="${base#boot}"
+ if [ "${num}" -ge "${next_num}" ]; then
+ next_num="$((${num}+1))"
+ fi
+ fi
+done
+next_dir="${save_dir}/boot${next_num}"
+mkdir -p "${next_dir}"
+mv /run/log/base/*.svg "${next_dir}/"
+
+for initrd_file in /run/log/*.svg; do
+ if [ -f "${initrd_file}" ]; then
+ base="$(basename "${initrd_file}")"
+ mv "${initrd_file}" "${next_dir}/initrd-${base}"
+ fi
+done
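Review bot: `mv /run/log/base/*.svg "${next_dir}/"` runs under `set -e` without a guard, so when no SVG was written (for example bootchart was stopped before it produced output) the glob stays literal, `mv` fails, and the script aborts before the initrd loop below, leaving the `initrd-*.svg` files behind; wrap it in the same `[ -f ... ]` check the second loop already uses. Separately, `[ "${num}" -ge "${next_num}" ]` will error out under `set -e` if a directory named `boot<non-digits>` ever exists in `${save_dir}`; a `case "${num}" in *[!0-9]*) continue ;; esac` before the comparison makes the scan robust.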
diff --git a/static/usr/lib/tmpfiles.d/journald-conf-d.conf b/static/usr/lib/tmpfiles.d/journald-conf-d.conf
new file mode 100644
index 0000000..a0f350c
--- /dev/null
+++ b/static/usr/lib/tmpfiles.d/journald-conf-d.conf
@@ -0,0 +1,5 @@
+# Used to create the journald config drop-in dir
+#
+# See tmpfiles.d(5) for details
+
+d /etc/systemd/journald.conf.d
diff --git a/static/usr/lib/udev/rules.d/66-snapd-autoimport.rules b/static/usr/lib/udev/rules.d/66-snapd-autoimport.rules
index b81f260..9a3c662 100644
--- a/static/usr/lib/udev/rules.d/66-snapd-autoimport.rules
+++ b/static/usr/lib/udev/rules.d/66-snapd-autoimport.rules
@@ -1,2 +1,2 @@
-ACTION=="add|change", SUBSYSTEM=="block", KERNEL!="loop*", KERNEL!="ram*" \
+ACTION=="add|change", SUBSYSTEM=="block", KERNEL!="loop*", KERNEL!="ram*", ENV{ID_FS_USAGE}=="filesystem" \
ENV{SYSTEMD_WANTS}+="snapd.autoimport-device@%k.service"
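Review bot: the new `ENV{ID_FS_USAGE}=="filesystem"` match only works because `ID_FS_USAGE` has already been populated by the blkid import in `60-persistent-storage.rules`, so the `66-` prefix of this file is load-bearing; add a comment saying the rule must stay ordered after the persistent-storage rules, otherwise a future rename would silently turn the filter into an always-false match and disable auto-import. Narrowing auto-import of assertions to recognised filesystems (rather than every hotplugged block device) is a good reduction of what an attached device can trigger.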
diff --git a/static/usr/lib/udev/rules.d/71-nvidia.rules b/static/usr/lib/udev/rules.d/71-nvidia.rules
new file mode 100644
index 0000000..095713e
--- /dev/null
+++ b/static/usr/lib/udev/rules.d/71-nvidia.rules
@@ -0,0 +1,17 @@
+# 0x10de is NVIDIA vendor id
+#
+# Tag the device as master-of-seat so that logind is happy
+# (see LP: #1365336)
+SUBSYSTEM=="pci", ATTRS{vendor}=="0x10de", TAG+="seat", TAG+="master-of-seat"
+
+# Enable runtime PM for NVIDIA VGA/3D controller devices
+ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", TEST=="power/control", ATTR{power/control}="auto"
+
+# Enable runtime PM for NVIDIA Audio devices
+ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", TEST=="power/control", ATTR{power/control}="auto"
+
+# Enable runtime PM for NVIDIA USB xHCI Host Controller devices
+ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", TEST=="power/control", ATTR{power/control}="auto"
+
+# Enable runtime PM fo NVIDIA USB Type-C UCSI devices
+ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", TEST=="power/control", ATTR{power/control}="auto"
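Review bot: typo in the last comment, "Enable runtime PM fo NVIDIA" should be "for NVIDIA". As a style point, the first rule matches with `ATTRS{vendor}` (walks up the parent chain) while the four runtime-PM rules use `ATTR{vendor}` (the device itself); both resolve to the PCI device here, but using `ATTR{}` consistently makes it clear the match is intentionally on the device itself and not on a parent.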
diff --git a/static/usr/lib/udev/rules.d/90-fix-hctosys.rules b/static/usr/lib/udev/rules.d/90-fix-hctosys.rules
deleted file mode 100644
index 63d8629..0000000
--- a/static/usr/lib/udev/rules.d/90-fix-hctosys.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# when rtc* is added run a workaround script, see
-# https://github.com/snapcore/core20/pull/136
-ACTION=="add", SUBSYSTEM=="rtc", KERNEL=="rtc*", TAG+="systemd", ENV{SYSTEMD_WANTS}="fix-htctosys.service"
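Review bot: the rule being removed referenced `fix-htctosys.service`, which does not match the `fix-hctosys.service` unit deleted in the same change, so the old workaround may never have been activated by udev; that is worth mentioning in the commit message, because it means the replacement `rtc-sys-time-init@.service` path is effectively new behaviour on devices where the RTC driver reports `hctosys==1`, not a refactor of something that was known to work.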
diff --git a/static/usr/lib/udev/rules.d/90-rtc-sys-time-init.rules b/static/usr/lib/udev/rules.d/90-rtc-sys-time-init.rules
new file mode 100644
index 0000000..f3fb715
--- /dev/null
+++ b/static/usr/lib/udev/rules.d/90-rtc-sys-time-init.rules
@@ -0,0 +1,18 @@
+ACTION!="add", GOTO="rtc-sys-end"
+SUBSYSTEM!="rtc", GOTO="rtc-sys-end"
+KERNEL!="rtc*", GOTO="rtc-sys-end"
+
+# When device rtc* is added
+# 1) and the RTC module have successfully set system time from RTC (indicated with hctosys attribute)
+# 2) and the kernel command line does not contain parameter ubuntu_core.rtc_sys_time_init that will cause
+# systemd generator rtc-sys-time-init-generator to instantiate rtc-sys-time-init at .service
+# instantiate rtc-sys-time-init at .service for the device node
+IMPORT{cmdline}=="ubuntu_core.rtc_sys_time_init"
+ATTR{hctosys}=="1", ENV{ubuntu_core.rtc_sys_time_init}!="?*", ENV{SYSTEMD_WANTS}+="rtc-sys-time-init at .service"
+
+# When device rtc* is added create device unit dev-rtc*.device which is used by rtc-sys-time-init at .service
+# enabled by generator rtc-sys-time-init-generator when kernel command line contains parameter
+# ubuntu_core.rtc_sys_time_init=/dev/rtc*
+TAG+="systemd"
+
+LABEL="rtc-sys-end"
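Review bot: the generator and this rule disagree on how the kernel parameter is spelled. `get-arg` normalises `_` to `-` (see its `sed 's/_/-/g'`), so `ubuntu-core.rtc-sys-time-init=/dev/rtc0` enables the instance via the generator, but `IMPORT{cmdline}=="ubuntu_core.rtc_sys_time_init"` is an exact-name lookup, leaves the environment variable empty, and the `ENV{ubuntu_core.rtc_sys_time_init}!="?*"` guard then lets the udev rule request the template too, so both paths instantiate the service. Either document that only the underscore spelling is supported, or add a second `IMPORT{cmdline}` for the dashed form.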
diff --git a/static/usr/libexec/core/get-arg b/static/usr/libexec/core/get-arg
new file mode 100755
index 0000000..12273d7
--- /dev/null
+++ b/static/usr/libexec/core/get-arg
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# Usage:
+# get-arg param-name
+#
+# get-arg will look for kernel parameter "param-name" or "param_name"
+# and return 0 if found, 1 if not found. If the parameter as a value,
+# e.g. "param-name=the-value", then the value "the-value" will be
+# printed.
+
+# For more information on how to parse kernel parameters, see function
+# `next_arg` in
+# https://github.com/torvalds/linux/blob/master/lib/cmdline.c
+
+set -eu
+
+if [ "$#" -ne 1 ]; then
+ echo "Expected kernel parameter name as argument" 1>&2
+ exit 1
+fi
+
+looking_for="$(echo "${1}" | sed 's/_/-/g')"
+
+if [ "${SYSTEMD_PROC_CMDLINE:+set}" = set ]; then
+ # Using same debug variable as systemd for testing
+ cmdline="${SYSTEMD_PROC_CMDLINE}"
+else
+ cmdline=$(cat /proc/cmdline)
+fi
+
+set --
+
+# We cannot use ANSI-C quoting (e.g. $'\n') in busybox-initramfs
+whitespaces="$(printf '\t\n\v\f\r \240')"
+in_quote=no
+param=
+current="${cmdline}"
+while [ -n "${current}" ]; do
+ # We cannot use subtring parameter expansion
+ # (e.g. ${cmdline:$i:1}) in busybox-initramfs
+ suffix="${current#?}"
+ char="${current%${suffix}}"
+ current="${suffix}"
+ case "${char}" in
+ ["${whitespaces}"])
+ if [ "${in_quote}" = no ]; then
+ if [ -n "${param}" ]; then
+ set -- "$@" "${param}"
+ fi
+ param=
+ else
+ param="${param}${char}"
+ fi
+ ;;
+ '"')
+ if [ "${in_quote}" = yes ]; then
+ in_quote=no
+ else
+ in_quote=yes
+ fi
+ ;;
+ *)
+ param="${param}${char}"
+ ;;
+ esac
+done
+
+if [ -n "${param}" ]; then
+ set -- "$@" "${param}"
+fi
+
+for param in "$@"; do
+ name="$(echo "${param%%=*}" | sed 's/_/-/g')"
+ if [ "${name}" = "${looking_for}" ]; then
+ case "${param}" in
+ *=*)
+ echo "${param#*=}"
+ ;;
+ esac
+ exit 0
+ fi
+done
+
+exit 1
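Review bot: `echo "${param#*=}"` lets a value that begins with `-n`/`-e` or contains backslashes be altered by the shell's `echo` (dash interprets escapes); use `printf '%s\n' "${param#*=}"` since callers compare the output verbatim. Two behaviours are undocumented in the usage header: the first matching parameter wins when a name is repeated, and the scan does not stop at `--`, so arguments intended for init are treated as kernel parameters; both should be stated in the header, and stopping at a bare `--` would mirror the `next_arg` semantics the comment points to.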
diff --git a/static/usr/libexec/core/get-mode b/static/usr/libexec/core/get-mode
new file mode 100755
index 0000000..93165f3
--- /dev/null
+++ b/static/usr/libexec/core/get-mode
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Usage:
+# get-mode entry-name /path/to/modeenv
+#
+# get-mode will look for entry-name in modeenv files and return 0 if
+# found, 1 if not found. It will print the value to stdout.
+
+set -eu
+
+if [ "$#" -gt 2 ]; then
+ echo "Too many arguments" 1>&2
+ exit 1
+fi
+
+if [ "$#" -lt 1 ]; then
+ echo "Expected a name as argument" 1>&2
+ exit 1
+fi
+
+name="${1}"
+modeenv="${2:-/var/lib/snapd/modeenv}"
+
+while read -r line; do
+ case "${line}" in
+ "${name}"=*)
+ echo "${line#*=}"
+ exit 0
+ ;;
+ *)
+ ;;
+ esac
+done <"${modeenv}"
+
+exit 1
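Review bot: the `while read -r line` loop drops the last line of `modeenv` if the file has no trailing newline, because `read` returns non-zero on that line and the loop body is skipped, so an entry such as `mode=run` at the end of the file would be reported as not found; use `while read -r line || [ -n "${line}" ]; do` to process it. The `*) ;;` arm of the `case` is redundant and can be removed.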
diff --git a/static/usr/share/pam-configs/optional-lockout b/static/usr/share/pam-configs/optional-lockout
new file mode 100644
index 0000000..67d5d4e
--- /dev/null
+++ b/static/usr/share/pam-configs/optional-lockout
@@ -0,0 +1,7 @@
+Name: Optional lockout
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+ [success=1 default=ignore] pam_exec.so quiet /usr/lib/core/lockout-not-enabled.sh
+ [default=ignore] pam_faillock.so authfail
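Review bot: neither `pam_faillock.so` stanza passes `deny=` or `unlock_time=`, so the "3 wrong passwords, locked for 900 seconds" behaviour described in the commit message has to come from `/etc/security/faillock.conf`; that file is not part of these hunks and should be shipped or referenced in the profile's comments, otherwise the module's built-in defaults apply and the stated lockout window is not what operators get. `[default=ignore]` on the `authfail` line is correct: it records the failure without changing the authentication result.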
diff --git a/static/usr/share/pam-configs/optional-lockout-authsucc b/static/usr/share/pam-configs/optional-lockout-authsucc
new file mode 100644
index 0000000..3c77126
--- /dev/null
+++ b/static/usr/share/pam-configs/optional-lockout-authsucc
@@ -0,0 +1,7 @@
+Name: Optional lockout (authsucc)
+Default: yes
+Priority: 0
+Auth-Type: Additional
+Auth:
+ [success=1 default=ignore] pam_exec.so quiet /usr/lib/core/lockout-not-enabled.sh
+ sufficient pam_faillock.so authsucc
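Review bot: `sufficient` on the `authsucc` line ends the Additional block as soon as the counter reset succeeds, which skips any other Additional-type modules that pam-auth-update places after priority 0; if the intent is only to reset the tally on success, `required` (or `[default=ignore]`) keeps the rest of the block running and is the form the pam_faillock manual uses for `authsucc`. If the short-circuit is deliberate, say so in a comment.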
diff --git a/static/usr/share/pam-configs/optional-lockout-preauth b/static/usr/share/pam-configs/optional-lockout-preauth
new file mode 100644
index 0000000..5d03bb4
--- /dev/null
+++ b/static/usr/share/pam-configs/optional-lockout-preauth
@@ -0,0 +1,7 @@
+Name: Optional lockout (preauth)
+Default: yes
+Priority: 2048
+Auth-Type: Primary
+Auth:
+ [success=1 default=ignore] pam_exec.so quiet /usr/lib/core/lockout-not-enabled.sh
+ requisite pam_faillock.so preauth
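Review bot: all three profiles gate lockout on the exit status of `/usr/lib/core/lockout-not-enabled.sh` via `pam_exec.so`, and that script is not visible in these hunks; since a non-zero status (including "script missing or not executable") falls through to `pam_faillock`, the gate fails closed towards enforcing lockout, which is the right direction, but the script must be root-owned and non-writable because anyone able to edit it controls whether lockout applies at all. `requisite` on `preauth` correctly refuses a locked account before the password is checked; note it also means the "locked" response arrives faster than a normal failure, so consider the `silent` option if that timing difference matters for the login path.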
diff --git a/static/usr/share/pam-configs/snappy-extrausers b/static/usr/share/pam-configs/snappy-extrausers
index 64f015d..4edaf81 100644
--- a/static/usr/share/pam-configs/snappy-extrausers
+++ b/static/usr/share/pam-configs/snappy-extrausers
@@ -3,9 +3,9 @@ Default: yes
Priority: 257
Auth-Type: Primary
Auth:
- [success=end authinfo_unavail=ignore default=die] pam_extrausers.so nodelay nullok try_first_pass
+ [success=end authinfo_unavail=ignore default=bad] pam_extrausers.so nodelay nullok try_first_pass
Auth-Initial:
- [success=end authinfo_unavail=ignore default=die] pam_extrausers.so nodelay nullok
+ [success=end authinfo_unavail=ignore default=bad] pam_extrausers.so nodelay nullok
Password-Type: Primary
Password:
[success=end default=ignore] pam_extrausers.so minlen=4 sha512 use_authtok try_first_pass
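Review bot: changing `default=die` to `default=bad` is what allows a failed `pam_extrausers` authentication to continue down the Primary block so that the `pam_faillock.so authfail` stanza can record it, but it also means every other Primary module ordered after priority 257 now runs on failure; the commit message should call this out, and the resulting login-failure path (extra module execution and any additional delay beyond `nodelay`) should be checked on a device with lockout both enabled and disabled.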