~jchittum/livecd-rootfs:jammy-support-for-multi-apparmor-features

Branch merges

Propose for merging

Merged into livecd-rootfs:ubuntu/jammy at revision 85c6eb15355b25fcd7041b965ab8bc14389adbae

Steve Langasek: Approve on 2023-04-10

Diff: 43 lines (+18/-0)

3 files modified

debian/changelog (+6/-0)
live-build/apparmor/5.19/ipc/posix_mqueue (+1/-0)
live-build/functions (+11/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

85c6eb1... by John Chittum on 2023-04-07

open 2.765.21 in changelog

e1fca53... by John Chittum on 2023-04-05

feat: add 5.19 kernel apparmor features

the 5.19 kernel added ipc posix_mqueue apparmor features. the generic
set of apparmor features for the 5.15 LTS jammy kernel does not have
this feature. Along with the commit "support kernel with different
apparmor feats", this ensures that the HWE kernel for 5.19 has a
matching set.

note that on the next HWE roll, another directory will need to be added.
For each new HWE kernel roll, checking capabilities, creating the
directory, and adding the correct features will be required.

bd1690b... by John Chittum on 2023-04-05

feat: support kernel with different apparmor feats

Jammy HWE is rolling to 5.19. the 5.19 kernel introduced more apparmor
features, specifically ipc. due to the roll, we now must support builds
with 2 different feature sets.

This specifically affects snap-preseeding, where if a snap_preseed is
run with a mismatched apparmor feature set, snap will require a restart
to match the running kernel's feature set. in the clouds, this can add
somehwere between 5-10s (as of checks on 20230404). This is a large boot
time performance hit.

Implementation is done at the `snap_validate_seed` function level. This
function is called in snap scenarios. It checks for an installed kernel
in the chroot, gets the major.min version, and checks for
apparmor/$KERN. If found, it will do a copy of the directory, providing
a naive override mechanism.

For CPC builds, we are adding a call to `snap_validate_seed` at the end
of affected hooks as well. This is a safe procedure to call, as it
reruns the snap_preseed for all snaps. By running at the end of build
processes, it ensures that any kernel changes done during the build are
taken into account.

3effc18... by Łukasz Zemczak on 2023-03-17

releasing package livecd-rootfs version 2.765.20

2075062... by Łukasz Zemczak on 2023-03-17

Enable building intel-iot live-server images.

54f134a... by Dimitri John Ledkov on 2023-03-02

releasing package livecd-rootfs version 2.765.19

632753a... by Dimitri John Ledkov on 2023-03-02

auto/config: Add support for ubuntu core arm64 generic images

LP: #2009067

Signed-off-by: Dimitri John Ledkov <email address hidden>

be40105... by Łukasz Zemczak on 2023-02-22

releasing package livecd-rootfs version 2.765.18

5bd8a46... by Łukasz Zemczak on 2023-02-22

Typo fix.

cccc04e... by Łukasz Zemczak on 2023-02-22

Fix path.