Merge from core24

.github/workflows/tests.yaml

@@ -21,7 +21,7 @@ jobs:
         run: |
           rm -rf "${{ github.workspace }}"
           mkdir "${{ github.workspace }}"
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: x86 build
         run: |
@@ -33,7 +33,7 @@ jobs:
           spread-arm -artifacts=./artifacts google-nested-arm:tests/spread/build/
           find ./artifacts -type f -name "*.artifact" -exec cp {} "${{ github.workspace }}" \;
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: core-snap
           path: "${{ github.workspace }}/core24.artifact"
@@ -55,8 +55,8 @@ jobs:
         run: |
           rm -rf "${{ github.workspace }}"
           mkdir "${{ github.workspace }}"
-      - uses: actions/checkout@v2
-      - uses: actions/download-artifact@v2
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
         with:
           name: core-snap
           path: "${{ github.workspace }}/core24.artifact"
@@ -86,14 +86,14 @@ jobs:
           rm -rf "${{ github.workspace }}"
           mkdir "${{ github.workspace }}"
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           path: core-base
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           repository: 'snapcore/snapd'
           path: snapd
-      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v4
         with:
           name: core-snap
 

Makefile

@@ -2,6 +2,15 @@
 TESTDIR ?= "prime/"
 SNAP_NAME=core24
 BUILDDIR=/build/$(SNAP_NAME)
+CODENAME:="$(shell . /etc/os-release; echo "$$VERSION_CODENAME")"
+
+# include any fips environmental setup if the file exists.
+# Variables:
+# - SNAP_FIPS_BUILD
+-include .fips-env
+ifdef SNAP_FIPS_BUILD
+    export SNAP_FIPS_BUILD
+endif
 
 .PHONY: all
 all: check
@@ -24,6 +33,7 @@ install:
 		cp /etc/apt/trusted.gpg $(DESTDIR)/etc/apt/ || true; \
 		cp -r /etc/apt/trusted.gpg.d $(DESTDIR)/etc/apt/ || true; \
 	fi
+
 	# since recently we're also missing some /dev files that might be
 	# useful during build - make sure they're there
 	[ -e $(DESTDIR)/dev/null ] || mknod -m 666 $(DESTDIR)/dev/null c 1 3
@@ -33,10 +43,22 @@ install:
 		mknod -m 666 $(DESTDIR)/dev/urandom c 1 9
 	# copy static files verbatim
 	/bin/cp -a static/* $(DESTDIR)
+ifdef SNAP_FIPS_BUILD
+	# copy the FIPS PPA config file in if it exists and if
+	# the current build is a FIPS build
+	if [ -e ./fips.conf ]; then \
+		mkdir -p $(DESTDIR)/etc/apt/auth.conf.d/; \
+		cp ./fips.conf $(DESTDIR)/etc/apt/auth.conf.d/01-fips.conf; \
+	fi
+
+	# If we are doing a fips build, make sure updates are enabled
+	# and we export that to the hooks
+	sed -n 's/$(CODENAME)-security/$(CODENAME)-updates/p' /etc/apt/sources.list >> $(DESTDIR)/etc/apt/sources.list;
+endif
+	mkdir -p $(DESTDIR)/install-data
 	# generate dconf data for init
 	/usr/bin/dconf compile init-default.compiled dconf-init-data
 	/bin/mv init-default.compiled $(DESTDIR)/
-	mkdir -p $(DESTDIR)/install-data
 	$(CRAFT_PROJECT_DIR)/generate-connections.py $(CRAFT_PROJECT_DIR)/snap-connections.txt $(DESTDIR)/usr/libexec/snap-connections.sh
 	# customize
 	set -eux; for f in ./hooks/[0-9]*.chroot; do		\
@@ -47,15 +69,49 @@ install:
 	done
 	rm -rf $(DESTDIR)/install-data
 
+	# remove the auth file again
+	rm -f $(DESTDIR)/etc/apt/auth.conf.d/01-fips.conf
+
 	# see https://github.com/systemd/systemd/blob/v247/src/shared/clock-util.c#L145
 	touch $(DESTDIR)/usr/lib/clock-epoch
 
+	if ! snap list "$(SNAP_NAME)" | grep "$(SNAP_NAME)"; then \
+		snap install "$(SNAP_NAME)" --beta; \
+	else \
+		snap refresh "$(SNAP_NAME)" --beta; \
+	fi
+
+	# When building through spread there is no .git, which means we cannot
+	# generate the changelog in this case, ensure that the current folder is
+	# a git repository
+	if git rev-parse HEAD && [ -e "/snap/$(SNAP_NAME)/current/usr/share/snappy/dpkg.yaml" ]; then \
+		CHG_PARAMS=; \
+		if [ -e /build/$(SNAP_NAME) ]; then \
+			CHG_PARAMS=--launchpad; \
+		fi; \
+		./tools/generate-changelog.py \
+			"/snap/$(SNAP_NAME)/current" \
+			"$(DESTDIR)" \
+			"$(SNAP_NAME)" \
+			$$CHG_PARAMS; \
+	else \
+		echo "WARNING: changelog will not be generated for this build"; \
+	fi
+
 	# only generate manifest and dpkg.yaml files for lp build
 	if [ -e $(BUILDDIR) ]; then \
 		/bin/cp $(DESTDIR)/usr/share/snappy/dpkg.list $(BUILDDIR)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).manifest; \
 		/bin/cp $(DESTDIR)/usr/share/snappy/dpkg.yaml $(BUILDDIR)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).dpkg.yaml; \
+		if [ -e $(DESTDIR)/usr/share/doc/ChangeLog ]; then \
+			/bin/cp $(DESTDIR)/usr/share/doc/ChangeLog $(BUILDDIR)/$(SNAP_NAME)-$$(date +%Y%m%d%H%M)_$(DPKG_ARCH).ChangeLog; \
+		fi \
 	fi;
 
+	# after generating changelogs we can cleanup those bits
+	# from the base
+	find "$(DESTDIR)/usr/share/doc/" -name 'changelog.Debian.gz' -print -delete
+	find "$(DESTDIR)/usr/share/doc/" -name 'changelog.gz' -print -delete
+
 .PHONY: check
 check:
 	# exclude "useless cat" from checks, while useless they also make

fips.conf.example

@@ -0,0 +1,4 @@
+# replace the <LOGIN> and <PASSWORD> with your own private access
+# information from launchpad
+# OBS: these comments should be removed
+machine private-ppa.launchpadcontent.net/fips-cc-stig/fips-under-certification login <LOGIN> password <PASSWORD>

hooks/000-provide-uids-gids.chroot

@@ -117,6 +117,7 @@ dnsmasq:x:109:65534:Reserved:/var/lib/misc:/bin/false
 tss:x:110:116:Reserved:/var/lib/tpm:/bin/false
 polkitd:x:111:120:polkit:/nonexistent:/usr/sbin/nologin
 dhcpcd:x:107:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
 gdm:x:200:200:Gnome Display Manager:/var/lib/gdm3:/bin/false
 gnome-initial-setup:x:201:65534::/run/gnome-initial-setup/:/bin/false
 colord:x:202:202:colord colour management daemon:/var/lib/colord:/usr/sbin/nologin
@@ -158,6 +159,7 @@ dnsmasq:*:16644:0:99999:7:::
 tss:*:16701:0:99999:7:::
 polkitd:!*:19690::::::
 dhcpcd:!:19835::::::
+systemd-coredump:!*:99999::::::
 gdm:*:18459:0:99999:7:::
 gnome-initial-setup:*:18495:0:99999:7:::
 colord:*:18495:0:99999:7:::
@@ -226,6 +228,7 @@ render:x:117:
 sgx:x:119:
 _ssh:x:118:
 polkitd:x:120:
+systemd-coredump:x:999:
 gdm:x:200:
 colord:x:202:
 geoclue:x:203:
@@ -295,6 +298,7 @@ render:!::
 sgx:!::
 _ssh:!::
 polkitd:!*::
+systemd-coredump:!*::
 gdm:!::
 colord:!::
 geoclue:!::

hooks/001-extra-packages.chroot

@@ -11,7 +11,6 @@ export DEBIAN_FRONTEND=noninteractive
 # ensure we don't use proposed for new installs
 rm -f /etc/apt/sources.list.d/proposed.list
 
-
 # ensure we have /proc or systemd will fail
 mount -t proc proc /proc
 trap 'umount /proc' EXIT
@@ -118,6 +117,55 @@ FSbrQ9ACQFlqN49Ogbl47J6TZ7BrjDpROote55ixmrU=
 -----END PGP PUBLIC KEY BLOCK-----
 EOF
 
+# write FIPS PPA files if the current build is a FIPS build
+if [[ ${SNAP_FIPS_BUILD+x} ]]; then
+    # for private builds a conf file is neccessary, setup for PPA access
+    # if provided
+    if [ -e etc/apt/auth.conf.d/01-fips.conf ]; then
+        # add fips personal token
+        echo "deb https://private-ppa.launchpadcontent.net/fips-cc-stig/fips-under-certification/ubuntu $CODENAME main" > /etc/apt/sources.list.d/fips.list
+        cat >etc/apt/trusted.gpg.d/fips-cc-stig.asc <<'EOF'
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Hostname: 
+Version: Hockeypuck 2.2
+
+xsFNBFd0YRgBEADfq65pgoIg/iNw2NddIIoBiEr19Aan8KfUfi/yDMBXiBywARMQ
+NDRJgicfOZOAjKUcuBXNKa4rAqBNXdl6AMGvOy3wRjppiyzWN8Se2KNzaLiIit2S
+zHF+NBWX6EFyod1CL92kOsIdPyg+/vUGoJqGA7AsD7Rmfmkt/xscdcV+vFJD+rNj
+gYAaMAD+oHU6EtNKi8ALdPH5+tVktmOQIn7rrTnSTFkh7uV4trYSGWHLIwP5LF/c
+U86oRKAJG/6vRW5Es7SonvvTIOMa/kDl3Es9hwPP4pNqcVvrbLECkwQPPKmdT8mC
+KTO2a9WF9Hmmf0XtBNju+3SfZtfIhQpvyWLOfQ8FwwNWPiKp7LG3zAtjd/lzT1Ot
+A2uL2UmJ7bnaPy2wK9j1gj2caCLUqdkJl3Wkk1MAm5tZ0HfIgpIJgsM0wrda425r
+zlI+yhrJWKLoie40Rj4rAe3rVHl+6W5/pCaPauRjF8OdYbY/PvhydGBnvpWQqe0F
+StuuLJmyUHljVkEByJKc1HbnhdUPpJLvs9fZSnFn9GadINaQ29Qd3lbkqdBisBVK
+IbLaib7hdEQ+H/t8wjvzQ1Zwa94HzdT9U4TpT9o/RMyD/FsoVmHtsKSdu0nSla8b
+lTa/1iGpWA1G3j3+40olG2hWRP5dFe3LTMIDrags+6X5Evj0QSmk1njzBwARAQAB
+zSJMYXVuY2hwYWQgUFBBIGZvciBUaGUgRklQUy1DQy1TVElHwsF4BBMBAgAiBQJX
+dGEYAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAYW6d9nbNEw9jdEACC
+ZlP2megNeBK3XGq3akYveAItfnKfjCRvDyQ7D8Kaqmj1Izq6Qd6beg4Lznyiz2QZ
+6pwqYcHNC9P7itl5bVa/zw0gP3XVgdIU6oGkzQk9NDbLPTuKSZyUDSYaMd+vNIqR
+Ppl6v9jBf5sYayhbYCxs5ZUK1EJDvVqIAaTQtFGULJhVeBw5W5LLXx7j8d+piws4
+E/toXzZk9gK8KsWAdzUZl4HHEV1Bq82aUFVaS16bxL5ci8Q58aS/0BNl6EX9tO69
+VWNbQI8T/dcBDQqYhrT3wliod/GvRjFcE8ZQlvToQxx2Telo0FahIPWNWnuC3Hl4
+Qe6mbOOXiFDw5o/nCjtS/x1G9xjOHniVzg4zemk84+71PC9CmBBg+wsl+kYBfPTV
+7cDmlOg/bxqi4XdQdyPCH/wxNAZeeCSv1VyMIkm4lmTa7cfjm8b4+sroMLX6UJ/v
++lFv9LtuF3ErCaoaUKkgPpBYKUokosds8wpgPYLBfKYlzvEmvePwMF7t79/XeeLv
+Mcp1q0QiFDChMZQ3KqyFhyxYVRI9GNWgbdbjgHl6LLoV3SVq/toZmAmwKtNhRYj1
+jIdKcjjWuo2jYQHndcxmzof0xpVaforni094zZA/jjN5z7Xsqh7qrOL5ZR9w7qfl
+UNuHk+m6RrdnU0GhZFiccabKzM11OElMcupvOQeIRA==
+=MKdQ
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+    fi
+
+    mkdir -p etc/apt/preferences.d/
+    cat >etc/apt/preferences.d/fips.pref <<'EOF'
+Package: *
+Pin: release o=LP-PPA-fips-cc-stig-fips-under-certification
+Pin-Priority: 1010
+EOF
+fi
+
 # This gives higher priority to local-debs repository
 cat <<EOF >/etc/apt/preferences
 Package: *
@@ -173,7 +221,14 @@ EOF
 
 # install some packages we need
 apt-get update
-apt-get dist-upgrade -y --allow-downgrades
+
+# when doing a FIPS build we will allow downgrades due to package
+# versions possibly being lower in the FIPS ppa
+if [[ ${SNAP_FIPS_BUILD+x} ]]; then
+    apt-get dist-upgrade -y --allow-downgrades
+else
+    apt-get dist-upgrade -y --allow-downgrades
+fi
 
 PACKAGES=(
     apparmor
@@ -215,6 +270,7 @@ PACKAGES=(
     squashfs-tools
     sudo
     systemd
+    systemd-coredump
     systemd-sysv
     systemd-timesyncd
     systemd-resolved
@@ -242,7 +298,15 @@ case "$(dpkg --print-architecture)" in
         ;;
 esac
 
-apt-get install --no-install-recommends --allow-downgrades -y "${PACKAGES[@]}"
+if [[ ${SNAP_FIPS_BUILD+x} ]]; then
+    # Ensure vital crypt packages are refreshed / downgraded and downloaded
+    # from the FIPS ppa. This should also contain openssh-server, but we already
+    # have that one listed above.
+    PACKAGES+=(libgcrypt20 libgnutls30t64 openssl-fips-module-3)
+    apt-get install --no-install-recommends --allow-downgrades -y "${PACKAGES[@]}"
+else
+    apt-get install --no-install-recommends --allow-downgrades -y "${PACKAGES[@]}"
+fi
 
 apt-get autoremove -y
 

hooks/020-extra-files.chroot

@@ -35,6 +35,7 @@ chmod 700 /var/lib/private
 echo "extra cloud init files"
 mkdir -p /etc/cloud
 mkdir -p /var/lib/cloud
+mkdir -p /var/lib/waagent
 
 echo "console-conf directories"
 mkdir -p /var/lib/console-conf

hooks/600-no-debian.chroot

@@ -6,6 +6,9 @@ set -ex
 
 echo "I: Removing the debian legacy"
 
+# dpkg-deb and dpkg purposefully left behind
+dpkg --purge --force-depends apt libapt-pkg6.0t64 debconf
+
 # store manifest of all installed packages
 install -m755 -d usr/share/snappy
 dpkg -l > usr/share/snappy/dpkg.list
@@ -29,9 +32,6 @@ dpkg -l > usr/share/snappy/dpkg.list
   dpkg-query -W --showformat='- ${binary:Package}=${Version}\n'
 } > /usr/share/snappy/dpkg.yaml
 
-# dpkg-deb and dpkg purposefully left behind
-dpkg --purge --force-depends apt libapt-pkg5.0 debconf
-
 rm -r \
         var/lib/dpkg \
         var/log/apt

hooks/603-cleanup-docs.chroot

@@ -4,10 +4,9 @@
 
 set -ex
 
-echo "I: Removing docs"
+echo "I: Removing docs (leaving copyrights and changelogs)"
 
-# docs, drop changelogs and examples, but leave the copyright
-find usr/share/doc/ -name 'changelog.Debian.gz' -print -delete
+# docs, drop examples, but leave the copyright and changelog
 find usr/share/doc/ -depth -type d -name 'examples' -print -exec rm -rv \{\} \;
 rm -r usr/share/doc-base
 

snapcraft.yaml

@@ -21,8 +21,9 @@ parts:
     build-packages:
       - wget
     build-environment:
-      - RELEASE: "24.04.1"
-      - BASE: ubuntu-base-${RELEASE}-base-${CRAFT_ARCH_BUILD_FOR}.tar.gz
+      - RELEASE: "24.04"
+      - DOT_RELEASE: "1"
+      - BASE: ubuntu-base-${RELEASE}${DOT_RELEASE:+.$DOT_RELEASE}-base-${CRAFT_ARCH_BUILD_FOR}.tar.gz
       - DIR_URL: https://cdimage.ubuntu.com/ubuntu-base/releases/${RELEASE}/release
       - URL: ${DIR_URL}/${BASE}
       - SHA256: ${DIR_URL}/SHA256SUMS
@@ -59,10 +60,20 @@ parts:
     build-packages:
       - shellcheck
       - distro-info
+      - python3-debian
+      - python3-requests
+      - python3-yaml
       - dconf-cli
     override-pull: |
-      craftctl set version="$(/bin/date +%Y%m%d)"
       craftctl default
+      # detect whether we are doing a fips build on LP
+      if git remote get-url origin | grep "fips"; then
+        craftctl set version="$(/bin/date +%Y%m%d)+fips"
+        echo "SNAP_FIPS_BUILD=1" > ./.fips-env
+      else
+        craftctl set version="$(/bin/date +%Y%m%d)"
+        rm -f ./.fips-env
+      fi
     override-prime: |
       craftctl default
       # ensure build-in tests are run

static/etc/system-image/writable-paths

@@ -53,9 +53,11 @@
 /var/lib/apparmor                       auto                    persistent  transition  none
 /var/lib/dbus                           auto                    persistent  none        none
 /var/lib/dhcp                           auto                    persistent  none        none
+/var/lib/dhcpcd                         auto                    persistent  transition  none
 # cloud-init
 /etc/cloud                              auto                    persistent  transition  none
 /var/lib/cloud                          auto                    persistent  none        none
+/var/lib/waagent                        auto                    persistent  none  none
 # for various clouds like GCE
 /etc/sysctl.d                           auto                    persistent  transition  none
 # swapfile

static/usr/lib/tmpfiles.d/coredump-comf-d.conf

@@ -0,0 +1,5 @@
+# Used to create the coredump config drop-in dir
+#
+# See tmpfiles.d(5) for details
+
+d /etc/systemd/coredump.conf.d