Merge "Block packages in image-builder"

image-builder/assets/playbooks/roles/multistrap/defaults/main.yaml

@@ -73,6 +73,8 @@ ubuntu_packages:
     - wget
     - xfsprogs
     - xz-utils
+unapproved_packages: # provide the exact name of the packages that need to be blocked
+    - unattended-upgrades
 repos:
     - register_repo_with_rootfs: true
       name: Ubuntu

image-builder/assets/playbooks/roles/multistrap/tasks/main.yaml

@@ -25,6 +25,11 @@
     suffix: multistrap
   register: multistrap_tempdir
 
+- name: "Configure apt with unapproved packages"
+  template:
+    src: unapproved-packages.j2
+    dest: "{{ multistrap_tempdir.path }}/pref.conf"
+
 - name: "write out multistrap config"
   template:
     src: multistrap.conf.j2
@@ -62,6 +67,18 @@
     dest: "{{ rootfs_root }}/etc/systemd/network/99-default.link"
     mode: '0644'
 
+- name: "Configure apt with unapproved packages"
+  template:
+    src: unapproved-packages.j2
+    dest: "{{ rootfs_root }}/etc/apt/preferences.d/unapproved-packages.pref"
+
+- name: "Configure apt to remove unapproved packages from update"
+  ansible.builtin.lineinfile:
+    path: "{{ rootfs_root }}/etc/apt/apt.conf.d/01autoremove"
+    insertafter: "multiverse/metapackages"
+    line: '        "{{ item }}";'
+  with_items: "{{ unapproved_packages }}"
+
 - name: "Lock sources.list to prevent conflict and duplicates with multistrap repo list"
   shell: |
         set -e

image-builder/assets/playbooks/roles/multistrap/templates/multistrap.conf.j2

@@ -14,6 +14,8 @@ unpack=true
 # enable MultiArch for the specified architectures
 # default is empty
 #multiarch=allowed
+# apt preferences file
+aptpreferences=pref.conf
 # the order of sections is not important.
 # the bootstrap option determines which repository
 # is used to calculate the list of Priority: required packages.

image-builder/assets/playbooks/roles/multistrap/templates/unapproved-packages.j2

@@ -0,0 +1,6 @@
+{% for package in unapproved_packages %}
+Package: {{ package }}
+Pin: origin *
+Pin-Priority: -1
+
+{% endfor %}