wip: resolute on apple silicon doesn't work yet - monit can't reload

mkocher · mkocher · commit dd895e630754 · 2026-04-10T15:21:07.000-07:00
diff --git a/bosh-stemcell/spec/assets/dpkg-list-ubuntu.txt b/bosh-stemcell/spec/assets/dpkg-list-ubuntu.txt
@@ -316,8 +316,6 @@ libpsl5t64:amd64
 libpwquality-common
 libpwquality1:amd64
 libpython3-stdlib:amd64
-libpython3.13-minimal:amd64
-libpython3.13-stdlib:amd64
 libpython3.14-minimal:amd64
 libpython3.14-stdlib:amd64
 libpython3.14:amd64
@@ -488,8 +486,6 @@ python3-uc-micro
 python3-wadllib
 python3-yaml
 python3-zipp
-python3.13
-python3.13-minimal
 python3.14
 python3.14-minimal
 quota
diff --git a/bosh-stemcell/spec/stemcells/warden_spec.rb b/bosh-stemcell/spec/stemcells/warden_spec.rb
@@ -1,3 +1,8 @@
+# @AI-Generated
+# Modified with AI assistance using Cursor with Composer
+# Description:
+# 2026-04-07: Specs for warden ssh.socket mask and auditd foreground drop-in.
+
 require 'spec_helper'
 
 describe 'Warden Stemcell', stemcell_image: true do
@@ -48,4 +53,23 @@
     end
   end
 
+  context 'SSH without socket activation (warden containers)' do
+    describe file('/etc/systemd/system/ssh.socket') do
+      it { should be_linked_to '/dev/null' }
+    end
+
+    describe file('/etc/systemd/system/ssh.service.d/warden-no-socket-activation.conf') do
+      it { should be_file }
+      its(:content) { should include('RefuseManualStart=no') }
+    end
+  end
+
+  context 'auditd foreground (warden / Docker systemd ENOSYS)' do
+    describe file('/etc/systemd/system/auditd.service.d/warden-auditd-foreground.conf') do
+      it { should be_file }
+      its(:content) { should include('Type=simple') }
+      its(:content) { should include('ExecStart=/usr/sbin/auditd -n') }
+    end
+  end
+
 end
diff --git a/bosh-stemcell/spec/support/os_image_shared_examples.rb b/bosh-stemcell/spec/support/os_image_shared_examples.rb
@@ -1,3 +1,8 @@
+# @AI-Generated
+# Modified with AI assistance using Cursor with Composer
+# Description:
+# 2026-04-07: Align audit.rules expectations with shared_functions (no stime; always,exit for system-locale).
+
 shared_examples_for 'every OS image' do
   let(:sshd_config) { file('/etc/ssh/sshd_config') }
   let(:etc_environment) { file('/etc/environment') }
@@ -593,7 +598,7 @@
 
     describe 'events that modify system date and time must be recorded (CIS-8.1.4)' do
       its(:content) { should match /^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change$/ }
-      its(:content) { should match /^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change$/ }
+      its(:content) { should match /^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change$/ }
       its(:content) { should match /^-a always,exit -F arch=b64 -S clock_settime -k time-change$/ }
       its(:content) { should match /^-a always,exit -F arch=b32 -S clock_settime -k time-change$/ }
       its(:content) { should match /^-w \/etc\/localtime -p wa -k time-change$/ }
@@ -637,8 +642,8 @@
     end
 
     describe 'record events that modify system network environment (CIS-4.1.6)' do
-      its(:content) { should match /^-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale$/ }
-      its(:content) { should match /^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale$/ }
+      its(:content) { should match /^-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale$/ }
+      its(:content) { should match /^-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale$/ }
       its(:content) { should match /^-w \/etc\/issue -p wa -k system-locale$/ }
       its(:content) { should match /^-w \/etc\/issue\.net -p wa -k system-locale$/ }
       its(:content) { should match /^-w \/etc\/hosts -p wa -k system-locale$/ }
diff --git a/stemcell_builder/lib/helpers.sh b/stemcell_builder/lib/helpers.sh
@@ -1,3 +1,8 @@
+# @AI-Generated
+# Modified with AI assistance using Cursor with Composer
+# Description:
+# 2026-04-06: run_in_chroot: stdin-free bash -c + env (fixes pipelines e.g. grub-mkpasswd); setsid -f -w around unshare (avoids SIGTTOU stops); chroot env sets DEBIAN_FRONTEND + SYSTEMD_OFFLINE + proxies.
+
 function disable {
   if [ -e $1 ]
   then
@@ -24,18 +29,37 @@ function run_in_chroot {
   disable $chroot/sbin/initctl
   disable $chroot/usr/sbin/invoke-rc.d
 
-  # `unshare -f -p` to prevent `kill -HUP 1` from causing `init` to exit;
-  unshare -f -p -m $SHELL <<EOS
-    mkdir -p $chroot/dev
-    mount -n --bind /dev $chroot/dev
-    mount -n --bind /dev/shm $chroot/dev/shm
-    mount -n --bind /dev/pts $chroot/dev/pts
+  # unshare: isolate mounts + PID namespace (see comment in original helpers).
+  # Inner shell must not read its script from stdin (heredoc): that breaks stdin for
+  # nested pipelines (e.g. grub-mkpasswd-pbkdf2). Pass command via env instead.
+  #
+  # setsid -f -w: new session without a controlling tty so apt/dpkg stderr does not
+  # trigger SIGTTOU (job-control stop, ps state T) under sudo / nested ptys.
+  env RUN_IN_CHROOT_ROOT="$chroot" \
+    RUN_IN_CHROOT_CMD="$script" \
+    RUN_IN_CHROOT_HTTP_PROXY="${http_proxy:-}" \
+    RUN_IN_CHROOT_HTTPS_PROXY="${https_proxy:-}" \
+    RUN_IN_CHROOT_NO_PROXY="${no_proxy:-}" \
+    setsid -f -w -- unshare -f -p -m /bin/bash -c '
+    set -e
+    chroot="$RUN_IN_CHROOT_ROOT"
+    mkdir -p "$chroot/dev"
+    mount -n --bind /dev "$chroot/dev"
+    mount -n --bind /dev/shm "$chroot/dev/shm"
+    mount -n --bind /dev/pts "$chroot/dev/pts"
 
-    mkdir -p $chroot/proc
-    mount -n --bind /proc $chroot/proc
+    mkdir -p "$chroot/proc"
+    mount -n --bind /proc "$chroot/proc"
 
-    chroot $chroot env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} no_proxy=${no_proxy:-} bash -e -c "$script"
-EOS
+    chroot "$chroot" env -i \
+      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+      DEBIAN_FRONTEND=noninteractive \
+      SYSTEMD_OFFLINE=1 \
+      http_proxy="$RUN_IN_CHROOT_HTTP_PROXY" \
+      https_proxy="$RUN_IN_CHROOT_HTTPS_PROXY" \
+      no_proxy="$RUN_IN_CHROOT_NO_PROXY" \
+      bash -e -c "$RUN_IN_CHROOT_CMD"
+  '
 
   # Enable daemon startup
   enable $chroot/sbin/initctl
@@ -93,4 +117,3 @@ function is_x86_64() {
     return 1
   fi
 }
-
diff --git a/stemcell_builder/lib/prelude_apply.bash b/stemcell_builder/lib/prelude_apply.bash
@@ -1,3 +1,8 @@
+# @AI-Generated
+# Modified with AI assistance using Cursor with Composer
+# Description:
+# 2026-04-06: pkg_mgr: drop redundant DEBIAN_FRONTEND export (set in run_in_chroot env).
+
 source $base_dir/lib/prelude_common.bash
 source $base_dir/lib/helpers.sh
 
@@ -24,7 +29,7 @@ git config --global --add safe.directory /opt/bosh
 
 function pkg_mgr {
   run_in_chroot $chroot "apt-get update"
-  run_in_chroot $chroot "export DEBIAN_FRONTEND=noninteractive; apt-get --fix-broken --no-install-recommends --assume-yes $*"
+  run_in_chroot $chroot "apt-get --fix-broken --no-install-recommends --assume-yes $*"
   run_in_chroot $chroot "apt-get clean"
 }
 
diff --git a/stemcell_builder/stages/base_warden/apply.sh b/stemcell_builder/stages/base_warden/apply.sh
@@ -1,4 +1,8 @@
 #!/usr/bin/env bash
+# @AI-Generated
+# Modified with AI assistance using Cursor with Composer
+# Description:
+# 2026-04-07: Mask ssh.socket and enable ssh.service for warden; auditd Type=simple + auditd -n (Docker ENOSYS on PID file refs).
 
 set -e
 
@@ -78,13 +82,44 @@ rosetta_services=(
   systemd-networkd
   systemd-logind
   systemd-timesyncd
+  systemd-udevd
+  logrotate
   auditd
 )
 
+#todo: add udevd test
+
 for service in "${rosetta_services[@]}"; do
   mkdir -p "$chroot/etc/systemd/system/${service}.service.d"
   cp "$assets_dir/rosetta-compat.conf" "$chroot/etc/systemd/system/${service}.service.d/rosetta-compat.conf"
 done
 
 # Mask systemd-binfmt.service which fails under Rosetta emulation
 run_in_chroot "$chroot" "systemctl mask systemd-binfmt.service"
+
+# auditd: systemd can return ENOSYS when creating pidfd/cgroup references from PIDFile under Docker/Colima
+# ("Failed to create reference to PID ... auditd.pid"). Foreground auditd avoids forking + PIDFile lifecycle quirks.
+mkdir -p "$chroot/etc/systemd/system/auditd.service.d"
+cat > "$chroot/etc/systemd/system/auditd.service.d/warden-auditd-foreground.conf" <<'UNIT'
+[Service]
+Type=simple
+PIDFile=
+ExecStart=
+ExecStart=/usr/sbin/auditd -n
+UNIT
+
+# TODO: maybe this should go up out of warden?
+run_in_chroot "$chroot" "systemctl mask nvmf-autoconnect.service"
+
+
+# Ubuntu enables OpenSSH via ssh.socket (socket activation). systemd's listener stub fork can fail with
+# ENOSYS ("Function not implemented") under Docker/Colima and similar, especially with Rosetta x86_64
+# emulation — see journalctl -u ssh.socket. Use the traditional ssh.service so sshd binds port 22 itself.
+mkdir -p "$chroot/etc/systemd/system/ssh.service.d"
+cat > "$chroot/etc/systemd/system/ssh.service.d/warden-no-socket-activation.conf" <<'UNIT'
+[Unit]
+# When ssh.socket is masked, sshd must start via ssh.service; drop RefuseManualStart from the vendor unit.
+RefuseManualStart=no
+UNIT
+run_in_chroot "$chroot" "systemctl mask ssh.socket"
+run_in_chroot "$chroot" "systemctl enable ssh.service"
diff --git a/stemcell_builder/stages/bosh_audit/shared_functions.bash b/stemcell_builder/stages/bosh_audit/shared_functions.bash
@@ -1,12 +1,16 @@
 #!/usr/bin/env bash
+# @AI-Generated
+# Modified with AI assistance using Cursor with Composer
+# Description:
+# 2026-04-07: Audit rules: drop stime, use always,exit for system-locale, heredoc append (no leading blank line), tidy privileged header line.
 
 set -e
 
 base_dir=$(readlink -nf $(dirname $0)/../..)
 source $base_dir/lib/prelude_apply.bash
 
 function write_shared_audit_rules {
-  echo '
+  cat <<'AUDIT_RULES' >> "$chroot/etc/audit/rules.d/audit.rules"
 -w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
@@ -20,7 +24,7 @@ function write_shared_audit_rules {
 
 # Record events that modify system date and time
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
--a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b64 -S clock_settime -k time-change
 -a always,exit -F arch=b32 -S clock_settime -k time-change
 -w /etc/localtime -p wa -k time-change
@@ -52,8 +56,8 @@ function write_shared_audit_rules {
 -w /etc/security/opasswd -p wa -k identity
 
 # Record events that modify system network environment
--a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
--a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -135,7 +139,7 @@ function write_shared_audit_rules {
 
 # Recorde execution of unix_update
 -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-unix-update
-' >> $chroot/etc/audit/rules.d/audit.rules
+AUDIT_RULES
 }
 
 function override_default_audit_variables {
@@ -154,7 +158,6 @@ function override_default_audit_variables {
 }
 
 function record_use_of_privileged_binaries {
-    echo '
-# Record use of privileged commands' >> $chroot/etc/audit/rules.d/audit.rules
+    echo '# Record use of privileged commands' >> $chroot/etc/audit/rules.d/audit.rules
     find $chroot/bin $chroot/sbin $chroot/usr/bin $chroot/usr/sbin $chroot/boot -xdev \( -perm -4000 -o -perm -2000 \) -type f | sed -e s:^${chroot}:: | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }' >> $chroot/etc/audit/rules.d/audit.rules
 }
