Merge pull request #397 from cloudfoundry/pr-noble-warden-fixes

Update warden stage to support Noble

bosh-stemcell/spec/stemcells/ubuntu_noble_spec.rb

@@ -124,26 +124,6 @@
     end
   end
 
-  context 'installs recent version of unshare so it gets the -p flag', {
-    exclude_on_alicloud: true,
-    exclude_on_aws: true,
-    exclude_on_azure: true,
-    exclude_on_cloudstack: true,
-    exclude_on_google: true,
-    exclude_on_vsphere: true,
-    exclude_on_openstack: true,
-    exclude_on_softlayer: true,
-  } do
-    context 'so we can run upstart in as PID 1 in the container' do
-      describe file('/var/vcap/bosh/bin/unshare') do
-        it { should be_file }
-        it { should be_executable }
-        it { should be_owned_by('root') }
-        its(:group) { should eq('root') }
-      end
-    end
-  end
-
   context 'installed by system_parameters' do
     describe file('/var/vcap/bosh/etc/operating_system') do
       its(:content) { should match('ubuntu') }

bosh-stemcell/spec/stemcells/warden_spec.rb

@@ -3,46 +3,27 @@
 describe 'Warden Stemcell', stemcell_image: true do
   it_behaves_like 'udf module is disabled'
 
-  describe file('/usr/sbin/runsvdir-start') do
-    it { should be_file }
-  end
-
   context 'installed by system_parameters' do
     describe file('/var/vcap/bosh/etc/infrastructure') do
       its(:content) { should include('warden') }
     end
   end
 
-  context 'rsyslog runit configuration' do
-    describe file('/etc/sv/rsyslog/run') do
-      its(:content) { should include('exec rsyslogd -n') }
-      it { should be_executable }
-    end
-
-    describe file('/etc/service/rsyslog') do
-      it { should be_linked_to '/etc/sv/rsyslog' }
+  context 'auditd config' do
+    describe file('/etc/audit/auditd.conf') do
+      its(:content) { should include('local_events = no') }
     end
   end
 
-  context 'ssh runit configuration' do
-    describe file('/etc/sv/ssh/run') do
-      its(:content) { should include('exec /usr/sbin/sshd -D') }
-      it { should be_executable }
-    end
-
-    describe file('/etc/service/ssh') do
-      it { should be_linked_to '/etc/sv/ssh' }
+  context 'systemd config' do
+    describe file('/etc/systemd/system.conf') do
+      its(:content) { should include('DefaultStartLimitBurst=500') }
     end
   end
 
-  context 'cron runit configuration' do
-    describe file('/etc/sv/cron/run') do
-      its(:content) { should include('exec cron -f') }
-      it { should be_executable }
-    end
-
-    describe file('/etc/service/cron') do
-      it { should be_linked_to '/etc/sv/cron' }
+  context 'pam common-password config' do
+    describe file('/etc/pam.d/common-password') do
+      its(:content) { should include('#session	required			pam_faillock.so') }
     end
   end
 end

stemcell_builder/stages/base_warden/apply.sh

@@ -5,58 +5,16 @@ set -e
 base_dir=$(readlink -nf $(dirname $0)/../..)
 source $base_dir/lib/prelude_apply.bash
 
-# Noble no longer has "runsvdir-start". The equivalent is /etc/runit/2
-install -m0750 "${chroot}/etc/runit/2" "${chroot}/usr/sbin/runsvdir-start"
-
-cp "$(dirname "$0")/assets/runit.service" "${chroot}/lib/systemd/system/"
-run_in_chroot "${chroot}" "systemctl enable runit"
-
 # Explicit make the mount point for bind-mount
 # Otherwise using none ubuntu host will fail creating vm
 mkdir -p $chroot/warden-cpi-dev
 
-# Run system services via runit and replace /usr/sbin/service with a script which call runit
-mkdir -p $chroot/etc/sv/
-
-cp -a $assets_dir/runit/{ssh,rsyslog,cron} $chroot/etc/sv/
-
-run_in_chroot $chroot "
-chmod +x /etc/sv/{ssh,rsyslog,cron}/run
-ln -s /etc/sv/{ssh,rsyslog,cron} /etc/service/
-"
-
-# Remove systemd setting from rsyslog as warden doesn't use systemd
-run_in_chroot $chroot "
-sed -i '/^\\\$SystemLogSocketName /d' /etc/rsyslog.conf
-"
-
-# Pending for disk_quota
-#run_in_chroot $chroot "
-#ln -s /proc/self/mounts /etc/mtab
-#"
+# Auditd cannot capture events within a container
+sed -i 's/^local_events = yes$/local_events = no/g' $chroot/etc/audit/auditd.conf
 
-# unshare is used to launch upstart as PID 1, in tests
-# upstart does not run in normal bosh-lite containers
-unshare_binary=$chroot/var/vcap/bosh/bin/unshare
-cp -f $assets_dir/unshare $unshare_binary
-chmod +x $unshare_binary
-chown root:root $unshare_binary
-
-# Replace /usr/sbin/service with a script which calls runit
-run_in_chroot $chroot "
-dpkg-divert --local --rename --add /usr/sbin/service
-"
-
-cp -f $assets_dir/service $chroot/usr/sbin/service
-
-run_in_chroot $chroot "
-chmod +x /usr/sbin/service
-"
-
-cat > $chroot/var/vcap/bosh/bin/bosh-start-logging-and-auditing <<BASH
-#!/bin/bash
-# "service auditd start" because there is no upstart in containers
-BASH
+# As containers have less to startup, some services are restarted very quickly and can hit the systemd
+# restart limit of 5 restarts in 5 seconds
+sed -i 's/^#DefaultStartLimitBurst=5$/DefaultStartLimitBurst=500/g' $chroot/etc/systemd/system.conf
 
 cat > $chroot/var/vcap/bosh/bin/restart_networking <<EOF
 #!/bin/bash
@@ -73,7 +31,8 @@ cat > $chroot/var/vcap/bosh/agent.json <<JSON
       "UseDefaultTmpDir": true,
       "UsePreformattedPersistentDisk": true,
       "BindMountPersistentDisk": true,
-      "SkipDiskSetup": true
+      "SkipDiskSetup": true,
+      "ServiceManager": "systemd"
     }
   },
   "Infrastructure": {