After the rebase to Buster some AppArmor profiles have become problematic,
preventing the components from working, in this is the case Rhosydd. Put
the tool in complain mode for now.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

After the rebase to Buster some AppArmor profiles have become problematic,
preventing the components from working. This is the case for a number of
the tracker tools. Put tracker in complain mode for now.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

After the rebase to Buster, some AppArmor profiles have become
problematic and prevent the components from working: this is the case for
Newport, which currently fails to start.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 5 years ago and Martyn Welch committed 5 years ago

Newport was listed twice, and there's no need to install
{ribchester,canterbury}-core separately from their full counterparts.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Need to have 'fsck' tool in initramfs for all images variants.
Include 'fsck' overlay into ospacks.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

In previous versions of Apertis we were using a modified iptables package
containing custom scripting/systemd unit to load iptables rules at boot.
Debian contains the iptables-persistent package which performs this task.

Use this instead of adding the custom scripts to the new version. Add the
custom rules to an overlay so we don't need to modify the package.

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

With newer kernels it takes far longer in early boot to get random
numbers (as >= 4.18 kernels ensure good quality entropy is availble
before starting  providing randomness).

Commit 85cc6eba took care of the minimal ospack/images introducing
rng-tools to integrate with hardware random number generators
while jitterentropy-rngd can provide randomness without.

This commit applies the same change to the target, basesdk and sdk
ospacks/images.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Frederic Danis authored 6 years ago and Emanuele Aina committed 6 years ago

APERTIS-5675

This uses the new Recipe action to merged previous recipes in one.

ROOTDIR needs to be reseted between ostree-commit and ostree-deploy
Fixes: APERTIS-5739

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

After the rebase to Buster, some AppArmor profiles have become
problematic and prevent the components from working.

In particular, the logind, Canterbury and Ribchester profiles prevent
the Mildenhall HMI from appearing on the screen.

Until they get updated, switch them to complain mode rather
than enforcing.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The chaiwala-apparmor-profiles contains some AppArmor abstractions in use in
some Apertis-specific profiles.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

The package has been introduced back into :sdk

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Emanuele Aina authored 6 years ago and Frédéric Dalleau committed 6 years ago

Pass multiple components to apt_source.sh when applicable and don't call it
with components that have been set up already like `target`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Jenkins is actually defining the full names for every artifact anyway and the
default is not particularly useful when building stuff locally without passing
any parameter so let's ensure the default names are sane and drop the
00000000.0 default.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

When opening a new session sudo tries to resolve the fqdn of the host, but that
introduces a sensible delay if the host does not have a fqdn set up
appropriately, as it is often the case with development board or when booting
images in QEMU.

We currently also ship libnss-myhostname which in theory could solve the issue
at the system level and not just for sudo, but upstream configures it to come
*after* dns resolution to avoid breaking `hostname --fqdn`, see
https://github.com/systemd/systemd/issues/1280



Our use-case is sligthly different and we may configure libnss-myhostname to
precede dns resolution, but in the meantime keep disabling this in sudo as the
apertis-customization package used to do.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

UEFI images currently fail on `bootctl install`:

  bootctl --path=/boot/efi install | Failed to get machine id: No medium found
  Action `Install UEFI bootloader` failed at stage Run, error: exit status 1

This is due to bootctl using the machine-id to set the default entry in
/boot/loader/loader.conf and the kernel postinst script using the same value to
create the matching /boot/loader/entries entry.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The old GPLv2 version of coreutils shipped in our :target repository does not
ship the truncate applet.

Use the truncate tool provided by the (dockerized) host instead.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Sjoerd Simons authored 6 years ago and Emanuele Aina committed 6 years ago

/etc/machine-id is expected to either contain a UUID or be *empty*.
using echo doesn't result in an empty file, it generates a file with
just a newline.

Switch to using truncate so it's actually an empty file. Fixes systemd
being unhappy about the content.

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

Sjoerd Simons authored 6 years ago and Emanuele Aina committed 6 years ago

Make sure ospacks and images don't accidentally get build against 18.12

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

When virtualization is available, Debos uses systemd-nspawn to run commands in
the "chroot".

systemd-nspawn automatically takes care of setting up a working
/etc/resolv.conf, usually by bind mounting the "host" one:

 https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--resolv-conf=

In our case, the host is the VM managed by fakemachine, which is configured to
use systemd-resolved.

The end result is that the stub /etc/resolv.conf pointing to 127.0.0.53 is
copied to our rootfs and included in the generated ospack.

This is arguably a weird corner of Debos, the resolv.conf file should really
not persist out of the chroot:

 https://phabricator.apertis.org/T4308



However, in the past ConnMan used to ship a tmpfiles.d snippet to overwrite
it with a link to /var/run/connman/resolv.conf but since commit 45ccde23a90c
shipped in ConnMan 1.36 the snippet has been changed to no longer overwrite
existing files, causing DNS resolution to fail on our images.

By dropping /etc/resolv.conf at the end of each recipe, after all the
chroot:true actions, we should be able to ensure that the final artifacts
don't ship it and at runtime the ConnMan tmpfiles.d snippet should work
 again as intended.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Subsume the unit mounting a tmpfs on /media that was formerly shipped by
apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Add the /sbin/apertis-dev script that was shipped by apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The apertis-customization package used to ship in tmpfiles.d/apertis.conf a
link from /etc/machine-id to /var/lib/dbus/machine-id to ensure that the
machine-id is unique.

This is now done automatically provided that /etc/machine-id is a empty file.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Subsume the apertis-create-homedir systemd unit creating $HOME at boot time
that was formerly shipped by apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

I.mx6 is an important target but not the only arm target so drop the
various specialisations for it. The general images should be able to
boot on different SoC platforms as well

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

The `$arch-$platform` overlay mechanism was a relic of the old
`cb_build` pipeline. Split it up into semantic overlays and include them
only where appropriate.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The catch-all arch-platform overlay was a relic of the old `cb_build`
pipeline. Split it up into semantic overlays and include them only
where appropriate.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Now that the ospack recipes have been split they can default to the
correct type.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Add the timestamp as `BUILD_ID` and the image type as `VARIANT_ID`
in `/etc/os-release`, so at some point we'll be able to phase
out `/etc/image_version`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>