In the past we started a proof-of-concept implementation of self-updating
OSTree-based LXC containers, but in the end the project which prompted this
development ended up updating containers from the host.

Since we have no planned use for them, they are not part of any formal release,
no test is performed on them and since they fell quite behind after the rebase
to Buster with several parts still commented out, let's drop them altogether.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

After the rebase to Buster, some AppArmor profiles have become
problematic and prevent the components from working: this is the case for
Newport, which currently fails to start.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Need to have 'fsck' tool in initramfs for all images variants.
Include 'fsck' overlay into ospacks.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Frederic Danis authored 6 years ago and Emanuele Aina committed 6 years ago

APERTIS-5675

This uses the new Recipe action to merged previous recipes in one.

ROOTDIR needs to be reseted between ostree-commit and ostree-deploy
Fixes: APERTIS-5739

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

After the rebase to Buster, some AppArmor profiles have become
problematic and prevent the components from working.

In particular, the logind, Canterbury and Ribchester profiles prevent
the Mildenhall HMI from appearing on the screen.

Until they get updated, switch them to complain mode rather
than enforcing.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The chaiwala-apparmor-profiles contains some AppArmor abstractions in use in
some Apertis-specific profiles.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Frédéric Dalleau committed 6 years ago

Pass multiple components to apt_source.sh when applicable and don't call it
with components that have been set up already like `target`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Jenkins is actually defining the full names for every artifact anyway and the
default is not particularly useful when building stuff locally without passing
any parameter so let's ensure the default names are sane and drop the
00000000.0 default.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

When opening a new session sudo tries to resolve the fqdn of the host, but that
introduces a sensible delay if the host does not have a fqdn set up
appropriately, as it is often the case with development board or when booting
images in QEMU.

We currently also ship libnss-myhostname which in theory could solve the issue
at the system level and not just for sudo, but upstream configures it to come
*after* dns resolution to avoid breaking `hostname --fqdn`, see
https://github.com/systemd/systemd/issues/1280



Our use-case is sligthly different and we may configure libnss-myhostname to
precede dns resolution, but in the meantime keep disabling this in sudo as the
apertis-customization package used to do.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

UEFI images currently fail on `bootctl install`:

  bootctl --path=/boot/efi install | Failed to get machine id: No medium found
  Action `Install UEFI bootloader` failed at stage Run, error: exit status 1

This is due to bootctl using the machine-id to set the default entry in
/boot/loader/loader.conf and the kernel postinst script using the same value to
create the matching /boot/loader/entries entry.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The old GPLv2 version of coreutils shipped in our :target repository does not
ship the truncate applet.

Use the truncate tool provided by the (dockerized) host instead.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Sjoerd Simons authored 6 years ago and Emanuele Aina committed 6 years ago

/etc/machine-id is expected to either contain a UUID or be *empty*.
using echo doesn't result in an empty file, it generates a file with
just a newline.

Switch to using truncate so it's actually an empty file. Fixes systemd
being unhappy about the content.

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

Sjoerd Simons authored 6 years ago and Emanuele Aina committed 6 years ago

Make sure ospacks and images don't accidentally get build against 18.12

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

When virtualization is available, Debos uses systemd-nspawn to run commands in
the "chroot".

systemd-nspawn automatically takes care of setting up a working
/etc/resolv.conf, usually by bind mounting the "host" one:

 https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--resolv-conf=

In our case, the host is the VM managed by fakemachine, which is configured to
use systemd-resolved.

The end result is that the stub /etc/resolv.conf pointing to 127.0.0.53 is
copied to our rootfs and included in the generated ospack.

This is arguably a weird corner of Debos, the resolv.conf file should really
not persist out of the chroot:

 https://phabricator.apertis.org/T4308



However, in the past ConnMan used to ship a tmpfiles.d snippet to overwrite
it with a link to /var/run/connman/resolv.conf but since commit 45ccde23a90c
shipped in ConnMan 1.36 the snippet has been changed to no longer overwrite
existing files, causing DNS resolution to fail on our images.

By dropping /etc/resolv.conf at the end of each recipe, after all the
chroot:true actions, we should be able to ensure that the final artifacts
don't ship it and at runtime the ConnMan tmpfiles.d snippet should work
 again as intended.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Subsume the unit mounting a tmpfs on /media that was formerly shipped by
apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Add the /sbin/apertis-dev script that was shipped by apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The apertis-customization package used to ship in tmpfiles.d/apertis.conf a
link from /etc/machine-id to /var/lib/dbus/machine-id to ensure that the
machine-id is unique.

This is now done automatically provided that /etc/machine-id is a empty file.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Subsume the apertis-create-homedir systemd unit creating $HOME at boot time
that was formerly shipped by apertis-customizations.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Sjoerd Simons authored 6 years ago and Emanuele Aina committed 6 years ago

With newer kernels it takes far longer in early boot to get random
numbers (as >= 4.18 kernels ensure good quality entropy is availble
before starting  providing randomness).

Install rng-tools to integrate with hardware random number generators
while jitterentropy-rngd can provide randomness without.

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

I.mx6 is an important target but not the only arm target so drop the
various specialisations for it. The general images should be able to
boot on different SoC platforms as well

Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

Andrej Shadura authored 6 years ago and Sjoerd Simons committed 6 years ago

Minimize the minimal image recipe to packages already present in the new
buster bootstrap aka next.

Minimal images have no automatic mounts of mass storage devices.
Allow to mount USB storage devices automatically in R/O mode to
prevent accidental corruption of filesystem on device.

This feature is needed for mass storage upgrades.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

The `$arch-$platform` overlay mechanism was a relic of the old
`cb_build` pipeline. Split it up into semantic overlays and include them
only where appropriate.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

The catch-all arch-platform overlay was a relic of the old `cb_build`
pipeline. Split it up into semantic overlays and include them only
where appropriate.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Drop the `ivitools` conditional and always install the Canterbury appfw.

Since we don't install any graphical application, there's no need for
the `hmi` and `helper-libs` repositories.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Emanuele Aina authored 6 years ago and Andrej Shadura committed 6 years ago

Add the timestamp as `BUILD_ID` and the image type as `VARIANT_ID`
in `/etc/os-release`, so at some point we'll be able to phase
out `/etc/image_version`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>