From ca3b43402ad5f7f6d8801cb2a0961a21f6125e8b Mon Sep 17 00:00:00 2001 From: Matthew Kocher Date: Sat, 13 Jun 2026 19:58:09 -0700 Subject: [PATCH 1/6] add bpm to acceptance test manifests, bump vars to noble --- acceptance-tests/ipv4director/smoke/manifest.yml | 4 ++++ .../ipv4director/syslogrelease/manifest.yml | 4 ++++ ci/configure.sh | 2 +- ci/pipelines/builder.yml | 1 + ci/pipelines/vars.yml | 10 +++++----- 5 files changed, 15 insertions(+), 6 deletions(-) diff --git a/acceptance-tests/ipv4director/smoke/manifest.yml b/acceptance-tests/ipv4director/smoke/manifest.yml index e2c88213be..c4aecf03b0 100644 --- a/acceptance-tests/ipv4director/smoke/manifest.yml +++ b/acceptance-tests/ipv4director/smoke/manifest.yml @@ -4,6 +4,8 @@ name: stemcell-acceptance-tests releases: - name: syslog version: latest +- name: bpm + version: latest stemcells: - alias: default @@ -25,6 +27,8 @@ instance_groups: - {name: default} azs: [z1] jobs: + - name: bpm + release: bpm - name: syslog_forwarder release: syslog properties: diff --git a/acceptance-tests/ipv4director/syslogrelease/manifest.yml b/acceptance-tests/ipv4director/syslogrelease/manifest.yml index 68f68df322..ff76e8c99e 100644 --- a/acceptance-tests/ipv4director/syslogrelease/manifest.yml +++ b/acceptance-tests/ipv4director/syslogrelease/manifest.yml @@ -4,6 +4,8 @@ name: stemcell-acceptance-tests releases: - name: syslog version: latest +- name: bpm + version: latest stemcells: - alias: default @@ -40,6 +42,8 @@ instance_groups: networks: - {name: default} jobs: + - name: bpm + release: bpm - name: syslog_forwarder release: syslog consumes: diff --git a/ci/configure.sh b/ci/configure.sh index 581fbe2018..12c08ce84c 100755 --- a/ci/configure.sh +++ b/ci/configure.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -eu -o pipefail -STEMCELL_LINE="ubuntu-noble" +STEMCELL_LINE="ubuntu-resolute" REPO_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" 
diff --git a/ci/pipelines/builder.yml b/ci/pipelines/builder.yml index 07bdad8285..bcb62ec17b 100644 --- a/ci/pipelines/builder.yml +++ b/ci/pipelines/builder.yml @@ -1092,6 +1092,7 @@ resources: paths: - ci - .ruby-version + - acceptance-tests uri: https://github.com/cloudfoundry/bosh-linux-stemcell-builder.git - name: bats diff --git a/ci/pipelines/vars.yml b/ci/pipelines/vars.yml index 66acfd512e..bd62c23198 100644 --- a/ci/pipelines/vars.yml +++ b/ci/pipelines/vars.yml @@ -2,12 +2,12 @@ --- stemcell_details: agent_suffix: "" #! empty - branch: ubuntu-noble + branch: ubuntu-resolute major_version: 1 - os_version: "24.04" - os_name: ubuntu-noble - os_short_name: noble - subnet_int: "24" #! use last two digits of release year: ex 2010 -> 10 + os_version: "26.04" + os_name: ubuntu-resolute + os_short_name: resolute + subnet_int: "26" #! use last two digits of release year: ex 2010 -> 10 use_efi: true include_iaas: [ {iaas: alicloud, hypervisor: kvm}, From 853fb6bd39b56b8efe2dd34b4e2e3b35ba61d1e0 Mon Sep 17 00:00:00 2001 From: Matthew Kocher Date: Sat, 13 Jun 2026 23:37:44 -0700 Subject: [PATCH 2/6] remove --all from cleanup The pipeline already runs `bosh clean-up --all` in the teardown step. Removing this allos BPM to be uploaded once. It also makes the tests faster as the releases don't have to be recompiled for each suite. --- acceptance-tests/testhelpers/bosh.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acceptance-tests/testhelpers/bosh.go b/acceptance-tests/testhelpers/bosh.go index fbd397402d..d081015bb4 100644 --- a/acceptance-tests/testhelpers/bosh.go +++ b/acceptance-tests/testhelpers/bosh.go 
@@ -35,7 +35,7 @@ func (b *BOSH) Teardown() { Expect(err).ToNot(HaveOccurred()) Expect(exitStatus).To(Equal(0), fmt.Sprintf("stdOut: %s \n stdErr: %s", stdOut, stdErr)) - stdOut, stdErr, exitStatus, err = b.Run("clean-up", "--all") + stdOut, stdErr, exitStatus, err = b.Run("clean-up") Expect(err).ToNot(HaveOccurred()) Expect(exitStatus).To(Equal(0), fmt.Sprintf("stdOut: %s \n stdErr: %s", stdOut, stdErr)) } From e79280fce0a58cf2473211d08ec717717c891510 Mon Sep 17 00:00:00 2001 From: Matthew Kocher Date: Sun, 14 Jun 2026 22:00:42 -0700 Subject: [PATCH 3/6] better pam error logging, handle Resolute `sa1` location --- .../ipv4director/smoke/smoke_test.go | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/acceptance-tests/ipv4director/smoke/smoke_test.go b/acceptance-tests/ipv4director/smoke/smoke_test.go index 6a510414b5..93f23a4f26 100644 --- a/acceptance-tests/ipv4director/smoke/smoke_test.go +++ b/acceptance-tests/ipv4director/smoke/smoke_test.go @@ -83,7 +83,16 @@ var _ = Describe("Stemcell", func() { contents, err := io.ReadAll(tempFile) Expect(err).ToNot(HaveOccurred()) - Expect(contents).ToNot(ContainSubstring("No such file or directory")) + + // Extract only the offending lines so failures are readable (auth.log can be + // hundreds of kilobytes and Gomega truncates the full-content diff). + var offending []string + for _, line := range strings.Split(string(contents), "\n") { + if strings.Contains(line, "No such file or directory") { + offending = append(offending, line) + } + } + Expect(offending).To(BeEmpty(), "auth.log contained 'No such file or directory':\n%s", strings.Join(offending, "\n")) }) It("#141987897: has ipv6 enabled in the kernel", func() { 
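Review bot: The reason for dropping `--all` from the `clean-up` call in Teardown is recorded only in the commit message, so the next reader of bosh.go sees a partial clean-up with no explanation. A comment above the call would keep it with the code: `// no --all: uploaded releases stay on the director for the next suite; the pipeline teardown step runs clean-up --all`. Runs started outside that pipeline appear to have no step that removes the leftover releases and stemcells, which is worth saying in the same comment. Teardown begins above the hunk, so only its tail is visible here.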
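Review bot: The failure message built at `Expect(offending).To(BeEmpty(), ...)` prints every matching auth.log line with no upper bound, so a stemcell that logs the error on each session can still flood the CI output. auth.log lines typically carry account names and source addresses, which then end up in build logs. Capping the slice just before the assertion keeps the report short without changing the pass/fail result: `if len(offending) > 20 { offending = offending[:20] }`. The loop relies on the `strings` package, whose import is outside the hunk, and the enclosing `It` block also starts above it.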
@@ -96,8 +105,11 @@ var _ = Describe("Stemcell", func() { _, _, exitStatus, err := bosh.Run( "--column=stdout", "ssh", "default/0", "-r", "-c", - // sleep to ensure we have multiple samples so average can be verified - `sudo /usr/lib/sysstat/sa1 && sudo /usr/lib/sysstat/sa1 1 1 && sleep 2`, + // Ubuntu 26.04+ relocated sa1 to /usr/libexec/sysstat/; fall back to the + // legacy path for older releases. sleep ensures multiple samples for the + // Average: check. + `SA1=$(ls /usr/lib/sysstat/sa1 /usr/libexec/sysstat/sa1 2>/dev/null | head -1) && `+ + `sudo "$SA1" && sudo "$SA1" 1 1 && sleep 2`, ) Expect(err).ToNot(HaveOccurred()) Expect(exitStatus).To(Equal(0)) From 0b7c35eabb1db3be111a077bfbdecd296f801eca Mon Sep 17 00:00:00 2001 From: aram price Date: Fri, 12 Jun 2026 16:24:37 -0700 Subject: [PATCH 4/6] fix: migrate changes from HEREDOC to agent.json --- .../stages/bosh_aws_agent_settings/assets/agent.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/stemcell_builder/stages/bosh_aws_agent_settings/assets/agent.json b/stemcell_builder/stages/bosh_aws_agent_settings/assets/agent.json index 2a0f10a3ba..0d5e59492e 100644 --- a/stemcell_builder/stages/bosh_aws_agent_settings/assets/agent.json +++ b/stemcell_builder/stages/bosh_aws_agent_settings/assets/agent.json @@ -6,7 +6,10 @@ "CreatePartitionIfNoEphemeralDisk": true, "ServiceManager": "systemd", "DiskIDTransformPattern": "^vol-(.+)$", - "DiskIDTransformReplacement": "nvme-Amazon_Elastic_Block_Store_vol${1}" + "DiskIDTransformReplacement": "nvme-Amazon_Elastic_Block_Store_vol${1}", + "UseMonitIptablesFirewall": true, + "InstanceStorageDevicePattern": "/dev/nvme*n1", + "InstanceStorageManagedVolumePattern": "/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_*" } }, "Infrastructure": { @@ -24,4 +27,4 @@ "UseRegistry": true } } -} \ No newline at end of file +} From d6c36baeb919e575cc4add54e77a94d248174fac Mon Sep 17 00:00:00 2001 
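Review bot: When neither sa1 path exists, `SA1` is empty and the command still goes on to `sudo ""`, because the status of `ls ... | head -1` is that of `head` unless the remote shell has pipefail set. The test then fails with a sudo error instead of saying that sysstat's sa1 was not found. A guard before the first `sudo` makes that explicit: `test -n "$SA1" || { echo "sa1 not found" >&2; exit 1; }`. The comment calls the legacy path the fallback, but `ls | head -1` returns whichever path sorts first when both exist, so the comment should say that either location is accepted. The enclosing `It` block starts outside the hunk.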
From: Matthew Kocher Date: Sun, 14 Jun 2026 23:27:15 -0700 Subject: [PATCH 5/6] fix libpam-lastlog2 this seems like a bug in the libpam-lastlog2 package --- stemcell_builder/stages/password_policies/apply.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/stemcell_builder/stages/password_policies/apply.sh b/stemcell_builder/stages/password_policies/apply.sh index 1a5717dd8e..85b587ff40 100755 --- a/stemcell_builder/stages/password_policies/apply.sh +++ b/stemcell_builder/stages/password_policies/apply.sh @@ -33,6 +33,16 @@ patch -p1 $chroot/etc/pam.d/common-auth < $assets_dir/ubuntu/common-auth.patch strip_trailing_whitespace_from $chroot/etc/pam.d/common-password patch -p1 $chroot/etc/pam.d/common-password < $assets_dir/ubuntu/common-password.patch +# libpam-lastlog2 installs pam_lastlog2.so only to the multiarch path +# (/usr/lib/x86_64-linux-gnu/security/) but PAM's securedir is /usr/lib/security/. +# Bridge the gap so PAM can load the module referenced above. +if [ -f "$chroot/usr/lib/x86_64-linux-gnu/security/pam_lastlog2.so" ] && \ + [ ! -e "$chroot/usr/lib/security/pam_lastlog2.so" ]; then + mkdir -p "$chroot/usr/lib/security" + ln -sf /usr/lib/x86_64-linux-gnu/security/pam_lastlog2.so \ + "$chroot/usr/lib/security/pam_lastlog2.so" +fi + strip_trailing_whitespace_from $chroot/etc/pam.d/login patch $chroot/etc/pam.d/login < $assets_dir/ubuntu/login.patch From e688d3c87fb37042a78a90a849db56b819c48545 Mon Sep 17 00:00:00 2001 From: Matthew Kocher Date: Thu, 18 Jun 2026 15:03:58 -0700 Subject: [PATCH 6/6] ci: add bpm release as syslog now depends on it --- .../ipv4director/syslogrelease/smoke_suite_test.go | 2 ++ ci/pipelines/builder.yml | 6 ++++++ ci/tasks/test-stemcell.sh | 2 ++ ci/tasks/test-stemcell.yml | 1 + 4 files changed, 11 insertions(+) diff --git a/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go b/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go index 7829a30db4..850aa7550c 100644 
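Review bot: The symlink block hard-codes the `x86_64-linux-gnu` multiarch directory, so on a stemcell built for another architecture the `-f` test is false and the step is skipped silently. PAM would then still fail to load `pam_lastlog2.so`, and nothing in the build would report it. Matching the multiarch directory with a glob and deriving the link target from the match removes the architecture assumption, as sketched below. If only x86_64 is ever built, a comment saying so would be enough.

```shell
# … unchanged: common-password patch …
for module in "$chroot"/usr/lib/*-linux-gnu/security/pam_lastlog2.so; do
  [ -f "$module" ] || continue
  if [ ! -e "$chroot/usr/lib/security/pam_lastlog2.so" ]; then
    mkdir -p "$chroot/usr/lib/security"
    # link target is the path as seen from inside the chroot
    ln -sf "${module#"$chroot"}" "$chroot/usr/lib/security/pam_lastlog2.so"
  fi
done
# … unchanged: login patch …
```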
--- a/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go +++ b/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go @@ -22,9 +22,11 @@ var _ = BeforeSuite(func() { bosh = testhelpers.NewBOSH() stemcellPath := testhelpers.RequireEnv("STEMCELL_PATH") syslogReleasePath := testhelpers.RequireEnv("SYSLOG_RELEASE_PATH") + bpmReleasePath := testhelpers.RequireEnv("BPM_RELEASE_PATH") bosh.UploadStemcell(stemcellPath) bosh.UploadRelease(syslogReleasePath) + bosh.UploadRelease(bpmReleasePath) bosh.SafeDeploy() }) diff --git a/ci/pipelines/builder.yml b/ci/pipelines/builder.yml index bcb62ec17b..ceeb2ad55d 100644 --- a/ci/pipelines/builder.yml +++ b/ci/pipelines/builder.yml @@ -1125,6 +1125,12 @@ resources: type: bosh-io-release source: repository: cloudfoundry/os-conf-release + +- name: bpm-release + type: bosh-io-release + source: + repository: cloudfoundry/bpm-release + - name: bosh-deployment type: git source: diff --git a/ci/tasks/test-stemcell.sh b/ci/tasks/test-stemcell.sh index 094e7c6af6..ba50164d6a 100755 --- a/ci/tasks/test-stemcell.sh +++ b/ci/tasks/test-stemcell.sh @@ -16,6 +16,7 @@ BOSH_CLIENT_SECRET="$(bosh int "${REPO_PARENT}/director-state/director-creds.yml BOSH_ENVIRONMENT="$(bosh int "${REPO_PARENT}/director-state/director-creds.yml" --path /internal_ip)" SYSLOG_RELEASE_PATH="$(realpath "${REPO_PARENT}/syslog-release"/*.tgz)" OS_CONF_RELEASE_PATH="$(realpath "${REPO_PARENT}/os-conf-release"/*.tgz)" +BPM_RELEASE_PATH="$(realpath "${REPO_PARENT}/bpm-release"/*.tgz)" STEMCELL_PATH="$(realpath "${REPO_PARENT}/stemcell"/*.tgz)" # Quote value since the bosh CLI YAML parses it which results in `0.40` becoming `0.4` # shellcheck disable=SC2089 @@ -28,6 +29,7 @@ export BOSH_CLIENT_SECRET export BOSH_ENVIRONMENT export SYSLOG_RELEASE_PATH export OS_CONF_RELEASE_PATH +export BPM_RELEASE_PATH export STEMCELL_PATH export BOSH_stemcell_version diff --git a/ci/tasks/test-stemcell.yml b/ci/tasks/test-stemcell.yml index c1c26e398c..2384206ebe 100644 
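Review bot: Only the syslogrelease suite uploads bpm in its `BeforeSuite`, while the first patch in this series also added the bpm release and job to `acceptance-tests/ipv4director/smoke/manifest.yml`. Unless the smoke suite's setup, which is not part of this series, uploads it as well, that suite can deploy only if another suite has already left bpm on the director. That makes the result depend on suite order and on the non-`--all` clean-up in Teardown. Adding `bosh.UploadRelease(testhelpers.RequireEnv("BPM_RELEASE_PATH"))` to the smoke suite's `BeforeSuite` would make each suite self-contained.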
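Review bot: The `bpm-release` resource is declared here, but no `get: bpm-release` step is added to any job plan: the diffstat shows builder.yml gaining only these six resource lines. `ci/tasks/test-stemcell.yml` now lists `bpm-release` as an input and `ci/tasks/test-stemcell.sh` resolves `${REPO_PARENT}/bpm-release/*.tgz`. If the job that runs that task is not wired up elsewhere, it would fail on the missing input. The plan presumably needs `- get: bpm-release` alongside the existing syslog-release and os-conf-release steps.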
--- a/ci/tasks/test-stemcell.yml +++ b/ci/tasks/test-stemcell.yml @@ -7,6 +7,7 @@ inputs: - name: stemcell - name: syslog-release - name: os-conf-release +- name: bpm-release - name: director-state params: