
Ubuntu Noble warden-specific systemd hardening #506

Closed
mike-jc wants to merge 6 commits into cloudfoundry:ubuntu-noble from sap-contributions:ubuntu-noble-warden-systemd-hardening

Conversation


@mike-jc mike-jc commented Apr 1, 2026

This is for Ubuntu Noble stemcell.

These changes are related to issues:

Added a new stage base_systemd_clean to the warden_stages collection, which is applied during stemcell build, and removes all custom and optional systemd services, keeping only the necessary minimum set.


linux-foundation-easycla bot commented Apr 1, 2026

CLA Signed

The committers listed above are authorized under a signed CLA.


coderabbitai bot commented Apr 1, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


mike-jc changed the title from "Ubuntu noble warden systemd hardening" to "Ubuntu Noble warden-specific systemd hardening" on Apr 1, 2026
mike-jc force-pushed the ubuntu-noble-warden-systemd-hardening branch 2 times, most recently from 4a9c207 to 7cd21d2 on April 1, 2026 19:47
Member

mkocher commented Apr 2, 2026

Given that we use our containerized stemcells for a lot of testing, I'd be inclined to have it mimic production as much as conveniently possible. I'd prefer to see this an explicit list of services to disable in a container instead of an allow list of services. We recently did some of this in #486 (noble) and #500 (jammy).

mike-jc force-pushed the ubuntu-noble-warden-systemd-hardening branch from d16d45f to 0319bcc on April 2, 2026 08:39

Author

mike-jc commented Apr 2, 2026

> Given that we use our containerized stemcells for a lot of testing, I'd be inclined to have it mimic production as much as conveniently possible. I'd prefer to see this an explicit list of services to disable in a container instead of an allow list of services. We recently did some of this in #486 (noble) and #500 (jammy).

Thank you @mkocher, that's a good point.

I removed the allowlisting of systemd services and tested the mask list approach. The `systemd-binfmt` service is already masked, and testing confirms this is sufficient for warden/boshlite on both Jammy and Noble: during testing with the latest official Noble stemcell and the Jammy stemcell built on PR 500, along with a dev release containing PR 60 for Docker CPI, all HAProxy acceptance tests passed successfully.

So I close this PR and the PR for Jammy. We need only Docker CPI changes to have stemcells work there.
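The "mask list" approach discussed above, as an added example that is not code from this repository or from either commenter: an explicit deny-list of units is masked inside a stemcell rootfs at build time (the symlink-to-/dev/null that `systemctl mask` creates, written directly so no running systemd is needed), and a check function reports any listed unit that is not actually masked. The rootfs path and the unit list are assumptions; `systemd-binfmt.service` is the only unit the thread names.

```shell
#!/bin/sh
# Added example (not the stemcell builder's own stage code).
# Constructed deny-list: systemd-binfmt.service comes from the PR thread,
# any further units are for the real stage to decide.
MASK_LIST="systemd-binfmt.service"

# mask_units ROOTFS UNIT...: create /etc/systemd/system/<unit> -> /dev/null
# inside the rootfs. This is what `systemctl mask` does, but works offline
# on an unbooted image, which is the situation during a stemcell build.
mask_units() {
  rootfs=$1; shift
  mkdir -p "$rootfs/etc/systemd/system"
  for unit in "$@"; do
    ln -sfn /dev/null "$rootfs/etc/systemd/system/$unit"
  done
}

# is_masked ROOTFS UNIT: exit 0 if the unit is masked in the rootfs, 1 otherwise.
is_masked() {
  [ "$(readlink "$1/etc/systemd/system/$2" 2>/dev/null)" = /dev/null ]
}

# verify_masked ROOTFS UNIT...: print every listed unit that is NOT masked and
# exit 1 if any was found, so a build step can fail loudly on drift.
verify_masked() {
  rootfs=$1; shift
  rc=0
  for unit in "$@"; do
    if ! is_masked "$rootfs" "$unit"; then
      echo "NOT MASKED: $unit"
      rc=1
    fi
  done
  return $rc
}
```

Because only the named units are touched, a unit that is added to the image later keeps its production behaviour, which is the property the allow-list variant lacked.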
