Contents

  1. Overview
    1. The base (core) snap
    2. FIPS enabled base (core) snap
    3. The gadget snap
      1. Signing of shim and grub for the pc gadget
    4. The snapd snap
    5. The kernel snap
  2. Model assertions
    1. Core 24
    2. Core 22
    3. Core 20
    4. Core 18
    5. Core 16
  3. Build and promotion automation
  4. Promoting snaps to stable
  5. Image automation
  6. Releasing a new ubuntu-core image
  7. Adding new Ubuntu Core platforms/images
  8. Adding new Ubuntu Core Appliances
  9. Useful Documentation

This document serves the purpose of gathering all the useful information regarding the construction of and development of the ubuntu-core flavor.

Overview

Every ubuntu-core image is composed of a defined set of snaps. The following section gives a quick overview of what each snap is about and includes a handy list of links for the given project.

New images are composed using the ubuntu-image tool and so called model assertions. In our case, model assertions tell ubuntu-image what to compose the created image of. It is the model that defines the base snap to use, the gadget and kernel. There are different model assertions for 16 and 18, for each supported platform.

The base (core) snap

This is the base filesystem with all the bare-essential libraries and tools for any system to work. Like the core snap, this is required to be present on any 18 core-enabled system. Basically it has to offer any crucial functionality that is needed for a minimal system to function and cannot be easily installed through separate snaps.

FIPS enabled base (core) snap

Variants of (some of) the base snaps exist and are maintained by the ubuntu core team as well. These snaps build using special snap recipes on LP with a PPA override for FIPS packages.

The gadget snap

Each supported device has its own gadget snap. Gadget snaps are what defines the device, carrying binaries for the bootloader, declaring the partition layout etc. It is important to keep in mind that the gadget code repositories are also used by classic Ubuntu preinstalled images, although currently separate branches are used.

There following gadget snaps are only used for the 16 series. Even though some of those repositories have 18 branches and/or include some snaps in the 18 track, they do not participate in any of the core18 images and should only be used for core16 (core):

Signing of shim and grub for the pc gadget

NOTE: the Ubuntu Core specific signing PPA is only used up to and including core22, anything newer will use the signed shim and GRUB from the main archive.

The shim and grub binaries are signed with a private key specific for Ubuntu Core systems. By using a different key to the one for classic systems we ensure that it will be possible to have devices that can start UC but not classic. The procedure to obtain newly signed binaries is:

  1. Copy grub2, grub2-unsigned, and shim source packages from the archive to https://launchpad.net/~ucdev/+archive/ubuntu/uc-build-ppa, including the binary packages generated by them (these should not be rebuilt). Although this is not strictly needed, with this we make sure that the artifacts that need to be signed are stored in the PPA and not pulled from the archive, which might be problematic if we need to re-sign this specific version and the archive has rotated versions (it only stores the latest three) so it gets more difficult to access these assets.

  2. Upload the corresponding grub2-signed and shim-signed source packages, but with a changelog entry that uses epoch 2, that is, version should be 2:<archive_version>. Using a different epoch ensures that if the shim/grub version in the archive bumps we will still pull the package signed with the UC key. (Ideally make it fail the build so only binaries built from the signing PPA exist - this can be done by adding final checks on whether the signature is chained to Canonical certs with "sbverify --cert CanonicalMasterCA.crt <file>", see https://launchpadlibrarian.net/491880978/shim-signed_1.41_1.43+uc20.4.diff.gz).

  3. Create a bug in grub2-signed and shim-signed projects, see for instance https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1981997. Subscribe the ~canonical-signing and ~canonical-foundations teams to it.

  4. Wait or ask somebody with permissions to copy the packages to the signing PPA so they get built and signed with the UC key.

  5. Once the packages are signed, they should be copied (by somebody with permissions) to https://launchpad.net/~ucdev/+archive/ubuntu/uc-staging-ppa. This PPA is included when building the pc gadget so shim/grub are pulled from there.

The copy-package tool (git clone lp:ubuntu-archive-tools) is used to copy package from the archive to PPAs. For example:

$ ./copy-package -b -s focal-updates --to ppa:ucdev/ubuntu/uc-build-ppa --to-suite focal -e 2.04-1ubuntu26.15 grub2

See https://wiki.ubuntu.com/ArchiveAdministration for more details.

Historically the PPAs used for this process were https://launchpad.net/~canonical-foundations/+archive/ubuntu/uc20-build-ppa and https://launchpad.net/~canonical-foundations/+archive/ubuntu/uc20-staging-ppa.

The snapd snap

The snap offering snapd itself. This was once part of the core snap but it has been ripped out as a separate snap since recently.

The kernel snap

For core16 only (not used for core18), legacy snaps:

Model assertions

All available and officially supported model assertions are available on https://github.com/snapcore/models .

One can get the model assertions for the selected supported platform by using the following commands:

Core 24

Besides the default, signed ones below, we also provide -dangerous and -<channel> model assertions.

Core 22

Besides the default, signed ones below, we also provide -dangerous and -<channel> model assertions.

Core 20

Besides the default, signed ones below, we also provide -dangerous and -<channel> model assertions.

Core 18

Core 16

Build and promotion automation

See UbuntuCore/CoreSnapAutomation .

Promoting snaps to stable

For some cases, the 18 snaps use a special 18 track instead of the default one. This means that for those snaps, instead of channels like stable, candidate, beta, edge there's 18/stable, 18/candidate, 18/beta, 18/edge - especially for gadget snaps. Before attempting promotion from one channel to another, always make sure that you are specifying the right track and channel. Otherwise one might promote a core18-targeted snap to the stable channel used by core16 devices. Look at the list of revisions and available tracks/channels before promotion.

The edge, beta and candidate snap promotions are handled by our automation (see above section). Manual promotion is only required when moving a snap from candidate to stable, in which case the following instructions need to be followed. NOTE! For core18/core20/core20+ snaps, always coordinate first with the snapstore team before promoting to stable. Base snap releases always cause huge spikes in bandwidth consumption so we need to make sure there are no other releases/operations in progress that could cause infrastructure issues.

Another important thing to keep in mind is that all base snap releases are released using progressive releases (phased upgrades). So, in fact, only after approximately 36 hours (15% increment roughly every 6 hours) a new version is available for all users in the respective <track/>stable channel.

Releasing a new snap to stable:

Image automation

As with every Ubuntu flavor, Ubuntu Core has standard daily builds enabled for UC16, UC18 and UC20 on cdimage. Daily images are being produced for different stability levels and published to their respective directories. Those daily images are only meant to be used for testing and development purposes and are never actually advertised or 'promoted'. Note: the same infrastructure is used when officially releasing a new image, using the 'stable' channel images.

New image builds can be requested by contacting members of the ubuntu-cdimage Launchpad team. It is not possible to do it via the ISO tracker (as it is the case with most other Ubuntu flavors).

Releasing a new ubuntu-core image

See UbuntuCore/ReleaseProcess .

Adding new Ubuntu Core platforms/images

See UbuntuCore/AddingImages .

Adding new Ubuntu Core Appliances

Ubuntu Appliances are basically Ubuntu Core images with some special snaps preinstalled and preconfigured. Such images can be loaded on the given platform (Pi's mostly right now) to turn it into a home/office appliance. Currently those are built on ubuntu-cdimage and based on UC18.

See UbuntuCore/AddingAppliances .

Useful Documentation

UbuntuCore/Development (last edited 2024-11-08 08:09:26 by the-meulengracht)