|
| 1 | +************** |
| 2 | +Snap Lifecycle |
| 3 | +************** |
| 4 | + |
| 5 | +Snap Build Lifecycle |
| 6 | +==================== |
| 7 | +This document aims to document the lifecycle of the various kernel snap |
| 8 | +forms. |
| 9 | + |
| 10 | +Background |
| 11 | +---------- |
| 12 | +The majority of kernels with snaps are consumed both as Debian packages and |
| 13 | +those snaps. To reduce testing requirements and streamline production the same |
| 14 | +binaries are used for both forms. Due to the Ubuntu requirement for source to |
| 15 | +be included with the binaries it is simplest to generate the binaries as part |
| 16 | +of generating the Debian binary packages and repackage those into snaps where |
| 17 | +needed. Where a kernel is to be signed this is performed during the packaging |
| 18 | +process in those Debian package builds. |
| 19 | + |
| 20 | +Workflow Support |
| 21 | +---------------- |
| 22 | +Kernel snaps are represented as a separate phase in the kernel workflow. There |
| 23 | +will be a Workflow Tracker for each Debian kernel build, and a separate |
| 24 | +subordinate tracker for the snap kernel build. The snap tracker will have the |
| 25 | +Debian trackers as its parent and will proceed once that Debian tracker is |
| 26 | +complete. |
| 27 | + |
| 28 | +Debian Pocket Usage |
| 29 | +------------------- |
| 30 | +The Debian package builds flow through their own life-cycle proceeding from the |
| 31 | +``build`` location, to ``proposed``, and onwards to ``updates`` and ``security`` as |
| 32 | +testing allows. |
| 33 | + |
| 34 | +Kernels in the ``build`` location are unsigned and intended for simple boot |
| 35 | +testing or for testing for signing compliance. Kernels in ``proposed`` are |
| 36 | +signed (if applicable) and formal candidates for regression and certification |
| 37 | +testing. |
| 38 | + |
| 39 | +Snap Risk Usage |
| 40 | +--------------- |
| 41 | +Snaps on the ``edge`` channel are unsigned and intended for simple boot testing. |
| 42 | +Snaps on the ``beta`` channel are signed and intended for certification testing. |
| 43 | +The ``edge`` kernels are built using the Debian binaries in the ``build`` |
| 44 | +location. The ``beta`` kernels are built using the Debian binaries in the |
| 45 | +``proposed`` locations. |
| 46 | + |
| 47 | +Track Usage |
| 48 | +----------- |
| 49 | +We make heavy use of store tracks to separate series specific snaps from each |
| 50 | +other. For Ubuntu LTS releases which align with Ubuntu Core releases those |
| 51 | +tracks are typically the Ubuntu Core release years (for example ``24``). For |
| 52 | +interim Ubuntu releases these are the full release name (for example |
| 53 | +``24.10``). |
| 54 | + |
| 55 | +Where a series has a hardware enablement kernel (:ref hwe-kernels) those are |
| 56 | +placed on the HWE specific tracks (for example ``24-hwe``). |
| 57 | + |
| 58 | +Unsigned Kernels |
| 59 | +---------------- |
| 60 | +Unsigned kernels such as the ``pi-kernel`` will be directly generated in the |
| 61 | +Debian ``main`` package. The ``linux-image`` packages are consumed and |
| 62 | +``ubuntu-core-initramfs`` used to generate an initramfs to accompany it. These |
| 63 | +are packaged up along with any required firmware. |
| 64 | + |
| 65 | +Signed Kernels |
| 66 | +-------------- |
| 67 | +Signed kernel such as the ``pc-kernel`` will be generated in the Debian |
| 68 | +``main`` package, and passed through the signing pipeline as part of the Debian |
| 69 | +``signed`` package. The ``linux-image`` packages (now generated by the |
| 70 | +``signed`` package) are consumed and ``ubuntu-core-initramfs`` used to generate |
| 71 | +an initramfs to accompany it. These are packaged up along with any required |
| 72 | +firmware. ``ubuntu-cre-initramfs`` is installed and envoked as part of the |
| 73 | +kernel postinst.d handling to convert the existing ``vmlinux-<verflav>`` image |
| 74 | +into a ``kernel.efi-<verflav>`` image. |
| 75 | + |
| 76 | +Kernel UKIs |
| 77 | +----------- |
| 78 | +For kernels use cases which require measurement we also produce Unified Kernel |
| 79 | +Images. That is a bootable PE executable which contains the kernel binary, an |
| 80 | +initramfs, and the kernel command line. This UKI is generated in the |
| 81 | +``linux-signed`` package through use of an additional mode of the |
| 82 | +``ubuntu-core-initramfs`` tooling. This process produces a single binary and |
| 83 | +is signed after it is combined via the signing pipeline. |
| 84 | + |
| 85 | +Stubble Kernels |
| 86 | +--------------- |
| 87 | +On arm64 we have an additional problem. For a number of platforms the ``dtb`` |
| 88 | +is not correctly supplied by the firmware. To handle these cases a ``stubble`` |
| 89 | +wrapper is used to detect those platforms and to inject the appropriate ``dtb`` |
| 90 | +as appropriate, then handing off control to the wrapped kernel image. The |
| 91 | +kernel image is taken from the Debian ``linux-image`` package in the normal |
| 92 | +way. The ``stubble-kernel`` package is installed and envoked as part of the |
| 93 | +kernel postinst.d handling to convert the existing ``vmlinuz-<verflav>`` image |
| 94 | +into a ``stubble.efi-<verflav>`` image. |
| 95 | + |
| 96 | +Snap Workflow Lifecycle |
| 97 | +======================= |
| 98 | +The snap workflow lifecycle runs in parallel to and interlocked with the Debian |
| 99 | +Workflow lifecycle. This ensures that the snap workflow waits for the |
| 100 | +prerequisite binaries. It also ensures that testing of both Debian packages |
| 101 | +and snap must be complete before they can progress further. Finally ensuring |
| 102 | +that the Debian packages and Snaps release together. |
| 103 | + |
| 104 | +Unsigned Build |
| 105 | +-------------- |
| 106 | +When a Debian kernel build completes in the ``build`` location the ``edge`` |
| 107 | +build of the Snap is triggered. This causes an auto-crank of the snap which |
| 108 | +parameterises the snapcraft.yaml configuration, and kicks off builds against |
| 109 | +the appropriate snap build recipe. This causes the kernel to be processed into |
| 110 | +a snap and uploaded to the snap-store. The store will automatically publish this |
| 111 | +onto the ``edge`` channel for testing. |
| 112 | + |
| 113 | +Early Testing |
| 114 | +------------- |
| 115 | +Once published we trigger any available early testing. This includes ``boot-testing``, |
| 116 | +``abi-testing`` and ``signing-signoff``. Once each of these is successfully completed |
| 117 | +the Debian package may progress into the signing pipeline and on into its ``proposed`` location. |
| 118 | + |
| 119 | +Proposed Build |
| 120 | +-------------- |
| 121 | +Once the Debian kernel is in its ``proposed`` location a second auto-crank is |
| 122 | +triggered to process the kernel into a snap via a second snap recipe. This |
| 123 | +causes the kernel to be uploaded to the ``beta`` channel ready for wider formal |
| 124 | +testing. |
| 125 | + |
| 126 | +For signed kernels this ensures the snap on the ``beta`` channel has a signed |
| 127 | +payload. We also regenerate the snap for unsigned kernel, while this may seem |
| 128 | +redundant it allows us to perform experimental builds only to ``edge`` without |
| 129 | +disrupting the workflow once the build has progressed to ``beta``. |
| 130 | + |
| 131 | +Testing |
| 132 | +------- |
| 133 | +Once we have a snap on the ``beta`` channel formal testing is triggered. This |
| 134 | +includes ``certification-testing`` for the snap. Once this testing is complete |
| 135 | +the snap will be promoted to the ``candidate`` channel. |
| 136 | + |
| 137 | +QA Testing |
| 138 | +---------- |
| 139 | +Once we have a formal canidate snap this may be sent for further acceptance |
| 140 | +testing in QA. Testing for the Debian package and snap are combined and gate |
| 141 | +the further promotion of both. Promotion is further gated by any applicable |
| 142 | +signoff tasks. |
| 143 | + |
| 144 | +Release |
| 145 | +------- |
| 146 | +Once all gating factors, testing, signoff, and cycle boundaries are satisfied |
| 147 | +the snap will be promoted to the ``stable`` channel, this occurs in lock-step |
| 148 | +with the promotion of the Debian package to ``updates``. The Debian package my |
| 149 | +then promote further to ``security`` but there is no equivalent channel for |
| 150 | +snaps. |
0 commit comments