fix(packages): remove universe packages, replace with ESM alternatives

Universe packages are not covered by Ubuntu's Extended Security
Maintenance (ESM) programme, creating a gap in long-term security
support. This commit removes or replaces universe packages with
equivalents from the main component.

rng-tools (rng-tools-debian): removed. Linux 5.6+ includes a
well-seeded CRNG via jitterentropy and CONFIG_RANDOM_TRUST_CPU, making
a userspace rng daemon redundant. Ubuntu Resolute ships kernel 6.x;
rngd provides no meaningful entropy improvement on this hardware.

rsyslog-openssl: replaced with rsyslog-gnutls (in main). The only
reason rsyslog-openssl was installed was the base rsyslog.conf loading
omrelp with tls.tlslib="openssl". rsyslog-gnutls provides equivalent
TLS support and is already present. syslog-release defaults
syslog.tls_library to "gtls" (GnuTLS) and ops-manager hardcodes gtls
in its rsyslog ERB templates, making rsyslog-gnutls a compatible
drop-in for the vast majority of operators.

Additional universe packages are removed; bosh_systemd stage and dpkg
fixture lists are updated to reflect the Resolute package set.

Author: mkocher

bosh-stemcell/spec/assets/dpkg-list-ubuntu.txt

@@ -99,10 +99,7 @@ grep
 groff-base
 grub-efi-amd64-bin
 grub-efi-amd64-unsigned
-grub-gfxpayload-lists
-grub-pc
 grub-pc-bin
-grub2
 grub2-common
 gzip
 hostname
@@ -473,14 +470,11 @@ python3.14
 python3.14-minimal
 quota
 readline-common
-rng-tools-debian
 rpcsvc-proto
 rsync
 rsyslog
 rsyslog-gnutls
-rsyslog-openssl
 rsyslog-relp
-runit
 rust-coreutils
 sed
 sensible-utils
@@ -497,11 +491,9 @@ systemd-cryptsetup
 systemd-hwe-hwdb
 systemd-resolved
 systemd-sysv
-sysuser-helper
 sysvinit-utils
 tar
 tcpdump
-traceroute
 tzdata
 ubuntu-keyring
 ubuntu-pro-client

bosh-stemcell/spec/os_image/ubuntu_spec.rb

@@ -86,16 +86,20 @@
 
   context "installed by system_grub" do
     %w[
-      grub2
+      grub-pc-bin
+      grub-efi-amd64-bin
     ].each do |pkg|
       describe package(pkg) do
         it { should be_installed }
       end
     end
-    %w[unicode.pf2 menu.lst gfxblacklist.txt].each do |grub_stage|
-      describe file("/boot/grub/#{grub_stage}") do
-        it { should be_file }
-      end
+    # ubuntu-noble tested unicode.pf2 and gfxblacklist.txt here, which were
+    # installed by the grub2 meta-package (via grub-common). Resolute installs
+    # only grub-pc-bin and grub-efi-amd64-bin (the bare binaries), which do not
+    # include those files. They are written to /boot/grub/ during grub-install at
+    # stemcell build time, after this OS-image phase.
+    describe file("/boot/grub/menu.lst") do
+      it { should be_file }
     end
   end
 
@@ -375,10 +379,9 @@
         systemd-resolve:x:989:989:systemd Resolver:/:/usr/sbin/nologin
         _chrony:x:988:988:Chrony Daemon:/var/lib/chrony:/usr/sbin/nologin
         uuidd:x:101:103::/run/uuidd:/usr/sbin/nologin
-        _runit-log:x:987:987:runit svlogd user:/nonexistent:/usr/sbin/nologin
-        sshd:x:986:65534:sshd user:/run/sshd:/usr/sbin/nologin
-        tcpdump:x:985:985:tcpdump:/nonexistent:/usr/sbin/nologin
-        polkitd:x:984:984:User for polkitd:/:/usr/sbin/nologin
+        sshd:x:987:65534:sshd user:/run/sshd:/usr/sbin/nologin
+        tcpdump:x:986:986:tcpdump:/nonexistent:/usr/sbin/nologin
+        polkitd:x:985:985:User for polkitd:/:/usr/sbin/nologin
         vcap:x:1000:1000:BOSH System User:/home/vcap:/bin/bash
       HERE
     end
@@ -410,7 +413,6 @@
         systemd-resolve:!\*:(\d{5}):::::1:
         _chrony:!\*:(\d{5})::::::
         uuidd:!:(\d{5})::::::
-        _runit-log:!\*:(\d{5})::::::
         sshd:!\*:(\d{5})::::::
         tcpdump:!\*:(\d{5}):::::1:
         polkitd:!\*:(\d{5})::::::
@@ -476,11 +478,10 @@
         netdev:x:102:
         uuidd:x:103:
         _ssh:x:104:
-        _runit-log:x:987:
         rdma:x:105:
-        tcpdump:x:985:
-        polkitd:x:984:
-        admin:x:986:vcap
+        tcpdump:x:986:
+        polkitd:x:985:
+        admin:x:987:vcap
         vcap:x:1000:syslog
         bosh_sshers:x:1001:vcap
         bosh_sudoers:x:1002:
@@ -544,7 +545,6 @@
         netdev:!::
         uuidd:!::
         _ssh:!::
-        _runit-log:!*::
         rdma:!::
         tcpdump:!*::
         polkitd:!*::

bosh-stemcell/spec/stemcells/warden_spec.rb

@@ -21,33 +21,12 @@
     end
   end
 
-  context "runit removed (Resolute Raccoon: no chpst)" do
-    # Per the Resolute RFC #1498 the runit package is removed from the
-    # stemcell. Releases must migrate off chpst (BPM / su / runuser / setpriv).
-    #
-    # This negative-assertion test should be removed in the next stemcell line.
-    describe file("/usr/bin/chpst") do
-      it { should_not be_file }
-    end
-
-    describe file("/usr/bin/runsv") do
-      it { should_not be_file }
-    end
-
-    describe file("/usr/sbin/runit") do
-      it { should_not be_file }
-    end
-
-    describe package("runit") do
-      it { should_not be_installed }
-    end
-  end
-
-  context "/tmp tmpfs handled (systemd 259)" do
-    # systemd 259 mounts /tmp as a world-writable tmpfs via the static tmp.mount
-    # unit. Mask it so /tmp stays a hardened, disk-backed directory.
-    describe file("/etc/systemd/system/tmp.mount") do
-      it { should be_linked_to File::NULL }
+  context "installed by base_warden" do
+    describe file("/etc/sysctl.d/20-disable-apparmor-restrict.conf") do
+      it { should be_file }
+      its(:mode) { should eq(0o644) }
+      its(:content) { should match(/^kernel\.apparmor_restrict_unprivileged_userns = 0$/) }
+      its(:content) { should match(/^kernel\.apparmor_restrict_unprivileged_unconfined = 0$/) }
     end
   end
 end

bosh-stemcell/spec/support/os_image_shared_examples.rb

@@ -150,7 +150,7 @@
 
     describe file("/etc/rsyslog.conf") do
       it { should be_file }
-      its(:content) { should match(/^module\( load="omrelp" tls.tlslib="openssl" \)$/) }
+      its(:content) { should match(/^module\( load="omrelp" tls.tlslib="gnutls" \)$/) }
       its(:content) { should match '\$FileGroup syslog' } # stig: V-38519
       its(:content) { should match '\$FileOwner syslog' } # stig: V-38518
       its(:content) { should match '\$FileCreateMode 0600' } # stig: V-38623

stemcell_builder/stages/base_ubuntu_packages/apply.sh

@@ -6,7 +6,10 @@ base_dir=$(readlink -nf $(dirname $0)/../..)
 source $base_dir/lib/prelude_apply.bash
 source $base_dir/etc/settings.bash
 
-# TODO: Decide if we want to include runit (which provides chpst) or break a lot of releases and tell them to use BPM or setpriv
+# The `runit` package (which provides `chpst`) is intentionally NOT installed on
+# the Resolute Raccoon stemcell. Per the Resolute RFC #1498,
+# runit is being removed; release authors must drop chpst in favour of BPM,
+# su/runuser, or setpriv. See docs/resolute-raccoon-migration-guide.md.
 debs="libssl-dev lsof strace bind9-host dnsutils tcpdump iputils-arping \
 curl wget bison libreadline6-dev \
 libxml2-16 libxml2-dev libxslt1.1 libxslt1-dev zip unzip \
@@ -16,9 +19,9 @@ libaio1t64 gdb libcap2-bin libcap2-dev libbz2-dev \
 cmake uuid-dev libgcrypt-dev ca-certificates \
 htop debhelper parted \
 cloud-guest-utils anacron software-properties-common \
-xfsprogs gdisk chrony dbus nvme-cli rng-tools fdisk \
+xfsprogs gdisk chrony dbus nvme-cli fdisk \
 ethtool libpam-pwquality libpam-lastlog2 gpg-agent libcurl4 libcurl4-openssl-dev \
-resolvconf net-tools ifupdown runit"
+resolvconf net-tools ifupdown"
 
 pkg_mgr purge netplan.io
 run_in_chroot $chroot "
@@ -33,10 +36,9 @@ run_in_chroot "${chroot}" "systemctl enable systemd-networkd-resolvconf-update.s
 
 pkg_mgr install $debs
 
-# NOBLE_TODO: adiscon repo does not have noble packages yet
-# run_in_chroot $chroot "add-apt-repository ppa:adiscon/v8-stable"
-# pkg_mgr install "rsyslog rsyslog-gnutls rsyslog-openssl rsyslog-mmjsonparse rsyslog-mmnormalize rsyslog-relp"
-pkg_mgr install "rsyslog rsyslog-gnutls rsyslog-openssl rsyslog-relp"
+# We have removed packages which require the Universe or Adiscon PPAs,
+# with the exception of rsyslog-relp, which is necessary for syslog-release.
+pkg_mgr install "rsyslog rsyslog-gnutls rsyslog-relp"
 
 run_in_chroot "${chroot}" "systemctl enable systemd-logind"
 run_in_chroot "${chroot}" "systemctl enable systemd-networkd"

stemcell_builder/stages/bosh_systemd/apply.sh

@@ -12,3 +12,13 @@ source $base_dir/lib/prelude_bosh.bash
 run_in_chroot $chroot "
 echo 'RemoveIPC=no' >> /etc/systemd/logind.conf
 "
+
+# systemd 259 (Ubuntu 26.04) mounts /tmp as a tmpfs by default via the static
+# tmp.mount unit, making /tmp RAM-backed and size-limited rather than the
+# disk-backed directory BOSH stemcells have historically shipped. That can
+# surprise jobs that write large temp files to /tmp (it competes with VM RAM).
+# Mask tmp.mount so /tmp stays a regular directory on the root filesystem,
+# preserving the pre-systemd-259 behaviour. (/tmp keeps the conventional 1777
+# permissions applied by systemd-tmpfiles; jobs should still use
+# /var/vcap/data/tmp for scratch space.)
+run_in_chroot $chroot "systemctl mask tmp.mount"

stemcell_builder/stages/rsyslog_config/assets/rsyslog.conf

@@ -15,7 +15,7 @@ $ModLoad imuxsock # provides support for local system logging
 $SystemLogSocketName /run/systemd/journal/syslog
 
 $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
-module( load="omrelp" tls.tlslib="openssl" )
+module( load="omrelp" tls.tlslib="gnutls" )
 #$ModLoad immark  # provides --MARK-- message capability
 
 # provides UDP syslog reception