After the rebase to Buster some AppArmor profiles have become problematic,
preventing the components from working, in this is the case Rhosydd. Put
the tool in complain mode for now.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

Rhosydd had been re-enabled in the target, but not in the SDK or devroot
where it had also previously been installed. Re-enable it on the SDK, but
just in 1 place, deleting the second. On the devroot, we should really
have the relevant library headers rather than rhosydd its self, so add
libcroesor-0-dev and librhosydd-0-dev to that image instead.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

After the rebase to Buster some AppArmor profiles have become problematic,
preventing the components from working. This is the case for a number of
the tracker tools. Put tracker in complain mode for now.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

Need to have 'fsck' tool in initramfs for all images variants.
Include 'fsck' overlay into ospacks.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

In previous versions of Apertis we were using a modified iptables package
containing custom scripting/systemd unit to load iptables rules at boot.
Debian contains the iptables-persistent package which performs this task.

Use this instead of adding the custom scripts to the new version. Add the
custom rules to an overlay so we don't need to modify the package.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

With newer kernels it takes far longer in early boot to get random
numbers (as >= 4.18 kernels ensure good quality entropy is availble
before starting  providing randomness).

Commit 85cc6eba took care of the minimal ospack/images introducing
rng-tools to integrate with hardware random number generators
while jitterentropy-rngd can provide randomness without.

This commit applies the same change to the target, basesdk and sdk
ospacks/images.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Frederic Danis authored 6 years ago and Emanuele Aina committed 6 years ago

APERTIS-5675

This uses the new Recipe action to merged previous recipes in one.

ROOTDIR needs to be reseted between ostree-commit and ostree-deploy
Fixes: APERTIS-5739

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

The Eclipse SDK is currently not being installed in the SDK image. Add it
back, remove redundant old entries in the Debos configuration and tweak
the desktop file to take into account it's new name and icon.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

After the rebase to Buster, some AppArmor profiles have become
problematic and prevent the components from working.

In particular, the logind, Canterbury and Ribchester profiles prevent
the Mildenhall HMI from appearing on the screen.

Until they get updated, switch them to complain mode rather
than enforcing.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The chaiwala-apparmor-profiles contains some AppArmor abstractions in use in
some Apertis-specific profiles.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Frédéric Dalleau committed 6 years ago

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The package has been introduced back into :sdk

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Dropped (obsolete) dependency on gir1.2-appindicator3-0.1 for blueman

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Ritesh Raj Sarraf authored 6 years ago and Ritesh Raj Sarraf committed 6 years ago

Extended Support Release of firefox browser with a long term support
plan. The same is also maintained in Debian Stable. The browser is part
of the :sdk component

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Emanuele Aina authored 6 years ago and Frédéric Dalleau committed 6 years ago

Add a description field on the step installing the GPLv3 coreutils.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Frédéric Dalleau committed 6 years ago

Pass multiple components to apt_source.sh when applicable and don't call it
with components that have been set up already like `target`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Jenkins is actually defining the full names for every artifact anyway and the
default is not particularly useful when building stuff locally without passing
any parameter so let's ensure the default names are sane and drop the
00000000.0 default.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

When opening a new session sudo tries to resolve the fqdn of the host, but that
introduces a sensible delay if the host does not have a fqdn set up
appropriately, as it is often the case with development board or when booting
images in QEMU.

We currently also ship libnss-myhostname which in theory could solve the issue
at the system level and not just for sudo, but upstream configures it to come
*after* dns resolution to avoid breaking `hostname --fqdn`, see
https://github.com/systemd/systemd/issues/1280



Our use-case is sligthly different and we may configure libnss-myhostname to
precede dns resolution, but in the meantime keep disabling this in sudo as the
apertis-customization package used to do.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

UEFI images currently fail on `bootctl install`:

  bootctl --path=/boot/efi install | Failed to get machine id: No medium found
  Action `Install UEFI bootloader` failed at stage Run, error: exit status 1

This is due to bootctl using the machine-id to set the default entry in
/boot/loader/loader.conf and the kernel postinst script using the same value to
create the matching /boot/loader/entries entry.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Sjoerd Simons authored 6 years ago and Frédéric Dalleau committed 6 years ago

Update package names where appropriate and comment out packages not yet
available in the repositories. This allows a first round in building the
syysroot/devroot/sdk and basesdk ospacks.

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

The old GPLv2 version of coreutils shipped in our :target repository does not
ship the truncate applet.

Use the truncate tool provided by the (dockerized) host instead.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Sjoerd Simons authored 6 years ago and Emanuele Aina committed 6 years ago

/etc/machine-id is expected to either contain a UUID or be *empty*.
using echo doesn't result in an empty file, it generates a file with
just a newline.

Switch to using truncate so it's actually an empty file. Fixes systemd
being unhappy about the content.

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

Sjoerd Simons authored 6 years ago and Emanuele Aina committed 6 years ago

Make sure ospacks and images don't accidentally get build against 18.12

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

When virtualization is available, Debos uses systemd-nspawn to run commands in
the "chroot".

systemd-nspawn automatically takes care of setting up a working
/etc/resolv.conf, usually by bind mounting the "host" one:

 https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--resolv-conf=

In our case, the host is the VM managed by fakemachine, which is configured to
use systemd-resolved.

The end result is that the stub /etc/resolv.conf pointing to 127.0.0.53 is
copied to our rootfs and included in the generated ospack.

This is arguably a weird corner of Debos, the resolv.conf file should really
not persist out of the chroot:

 https://phabricator.apertis.org/T4308



However, in the past ConnMan used to ship a tmpfiles.d snippet to overwrite
it with a link to /var/run/connman/resolv.conf but since commit 45ccde23a90c
shipped in ConnMan 1.36 the snippet has been changed to no longer overwrite
existing files, causing DNS resolution to fail on our images.

By dropping /etc/resolv.conf at the end of each recipe, after all the
chroot:true actions, we should be able to ensure that the final artifacts
don't ship it and at runtime the ConnMan tmpfiles.d snippet should work
 again as intended.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Subsume the unit mounting a tmpfs on /media that was formerly shipped by
apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The apertis-customization package used to ship in tmpfiles.d/apertis.conf a
link from /etc/machine-id to /var/lib/dbus/machine-id to ensure that the
machine-id is unique.

This is now done automatically provided that /etc/machine-id is a empty file.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Subsume the apertis-create-homedir systemd unit creating $HOME at boot time
that was formerly shipped by apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The `$arch-$platform` overlay mechanism was a relic of the old
`cb_build` pipeline. Split it up into semantic overlays and include them
only where appropriate.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The catch-all arch-platform overlay was a relic of the old `cb_build`
pipeline. Split it up into semantic overlays and include them only
where appropriate.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The basesdk overlay was not actually included since `debos` was not
following the symlink to the sdk one.

Avoid the symlink by getting rid for the sdk recipe of the `$arch-$type`
mechanism, which is an ancient relic inherited from the conversion from
the old `cb_build` pipeline.

Splitting the overlay into semantic units also allow us to avoid the
Eclipse icon on the base SDK desktop, where Eclipse is not installed.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Frédéric Dalleau committed 6 years ago

Now that we have the ospack-basesdk recipe we don't need the conditional
blocks anymore.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Oops. Commit 54240d3b broke the build as I botched the directive to
use, leaving `script:` even if `command:` was now the right one as
`install` is a system command and not a local script.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

No need to run `chown` separatedly, `install` can set the right
ownership from the start.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Now that the ospack recipes have been split they can default to the
correct type.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Add the timestamp as `BUILD_ID` and the image type as `VARIANT_ID`
in `/etc/os-release`, so at some point we'll be able to phase
out `/etc/image_version`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

After commit a7e7e101 `/home/user` has been owned by `root:root`,
breaking grahical login among the others.

This is because we are no longer creating `/home/user` when creating the
user itself, but `scripts/clone-sample-repos.sh` does
`mkdir -p /home/user/sample-applications/` and then
`chown user:user -R /home/user/sample-applications/`, leaving
`/home/user/` with the wrong owner.

Forcing the creation of the homedir addresses the issue.

Fixes: APERTIS-5527
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Ritesh Raj Sarraf authored 6 years ago and Andrej Shadura committed 6 years ago

This is a derivative of image type 'sdk' with 'ivitools' disabled
Apertis: T5428

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Use just a single board definition for both SDK images, and
symlinks for the overlay.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>