Initial Resolute Raccoon stemcell changes #497

I'm stoked to see this progress, nice work!
Force-pushed 746e8aa to 27276dc
Force-pushed 27276dc to 91d6fc7

Force-pushed b644cdc to e3b4696
Introduces Ubuntu 26.04 'Resolute Raccoon' as a supported stemcell target, adding stage configurations, package lists, spec fixtures, and build tooling to produce and validate a Resolute stemcell image. Rakefile now raises an error when operating_system_version is not specified to prevent accidental builds without an explicit OS target. Repack helper scripts and Vagrant configuration are updated to support the Resolute OS image layout. Warden stage masks systemd-udevd.service, which has no function in containerised environments. Package fixture lists are updated to reflect Resolute package names: libxmlsec1t64 is now libxmlsec1-1, linux-firmware-amd-misc is added, and libpython3.13 is removed (libpython3.14 is still present).
Collects fixes for failures that occur when running warden containers under Docker on Colima/Lima on Apple Silicon (arm64 kernel, x86_64 userland via Rosetta 2).

base_warden/apply.sh:
- Systemd service drop-ins (rosetta-compat.conf): disable MemoryDenyWriteExecute and SystemCallFilter for journald, resolved, networkd, logind, timesyncd, udevd, logrotate, and auditd. Rosetta's JIT requires W+X memory which these restrictions block.
- auditd foreground: run auditd -n (no fork) to avoid PIDFile lifecycle failures when systemd cannot create pidfd references in Docker.
- SSH socket activation: mask ssh.socket and enable ssh.service so sshd binds port 22 directly; the socket listener fork fails with ENOSYS under Docker/Colima.
- systemd-binfmt, nvmf-autoconnect, systemd-udevd: masked as they have no function in warden containers and fail on startup.
- PAM su fix: replace /etc/pam.d/su with a minimal config (pam_rootok + pam_permit). Under Lima's Rosetta emulation, AppArmor blocks unix_chkpwd from accessing the Rosetta binary, causing su to fail even for root. Using pam_rootok.so sufficient means root never invokes unix_chkpwd. Safe for warden: the host provides the security boundary.

bosh_audit_ubuntu/apply.sh:
- mkdir -p /etc/audit/rules.d before writing rules. Ubuntu 26.04 auditd no longer pre-creates this directory during package installation.
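The systemd part of that commit (the rosetta-compat.conf drop-ins, the unit masks, and sshd without socket activation) can be staged into a scratch root and inspected before it is baked into an image. The script below is an added example written for this page, not the PR's base_warden/apply.sh; the unit list and file name come from the commit message, the directory layout is standard systemd, and the /usr/lib/systemd/system/ssh.service path is an assumption. Writing into a root directory argument means the result can be checked without touching the build host.

```shell
#!/bin/sh
# Added example (not the PR's apply.sh): stage the Rosetta compatibility
# changes described in the commit message into a root directory.
set -eu

# Units whose MemoryDenyWriteExecute= and SystemCallFilter= hardening is
# relaxed because Rosetta's JIT needs W+X pages. The hardening is lost for
# exactly these units and only in the warden variant; cloud stemcells never
# run this stage.
ROSETTA_RELAXED_UNITS="systemd-journald systemd-resolved systemd-networkd systemd-logind systemd-timesyncd systemd-udevd logrotate auditd"

# Units that have no function inside a warden container. systemd-udevd also
# gets a drop-in above, but a mask takes precedence, so it never starts.
MASKED_UNITS="systemd-binfmt.service nvmf-autoconnect.service systemd-udevd.service"

write_rosetta_compat_dropin() {
  # $1: root dir, $2: service name without the .service suffix
  d="$1/etc/systemd/system/$2.service.d"
  mkdir -p "$d"
  # An empty SystemCallFilter= assignment clears any filter list set earlier;
  # drop-ins are merged after the packaged unit file, so this wins.
  printf '[Service]\nMemoryDenyWriteExecute=no\nSystemCallFilter=\n' > "$d/rosetta-compat.conf"
}

mask_unit() {
  # $1: root dir, $2: full unit name. Same effect as `systemctl mask`:
  # a /dev/null symlink in /etc/systemd/system shadows the packaged unit.
  mkdir -p "$1/etc/systemd/system"
  ln -sf /dev/null "$1/etc/systemd/system/$2"
}

enable_sshd_directly() {
  # Mask ssh.socket and wire ssh.service into multi-user.target so sshd
  # binds port 22 itself instead of inheriting a socket from systemd.
  # The packaged unit path is assumed (Ubuntu ships units under /usr/lib).
  mask_unit "$1" ssh.socket
  mkdir -p "$1/etc/systemd/system/multi-user.target.wants"
  ln -sf /usr/lib/systemd/system/ssh.service \
    "$1/etc/systemd/system/multi-user.target.wants/ssh.service"
}

apply_rosetta_compat() {
  root="$1"
  for u in $ROSETTA_RELAXED_UNITS; do write_rosetta_compat_dropin "$root" "$u"; done
  for u in $MASKED_UNITS; do mask_unit "$root" "$u"; done
  enable_sshd_directly "$root"
}

# Post-build check: how many units had their hardening relaxed under this root.
count_dropins() {
  find "$1/etc/systemd/system" -name rosetta-compat.conf | wc -l | tr -d ' '
}

# Only act on a real root when explicitly asked, e.g.
#   APPLY_ROSETTA_COMPAT=1 STEMCELL_ROOT=/mnt/chroot sh rosetta_compat.sh
if [ "${APPLY_ROSETTA_COMPAT:-}" = "1" ]; then
  apply_rosetta_compat "${STEMCELL_ROOT:-/}"
fi
```

Running `count_dropins` against a finished cloud image root is a cheap way to confirm that none of these drop-ins escaped the warden variant, since the expected count there is zero.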
…rden

Audit rule corrections for Ubuntu Resolute:
- Time-change rule (32-bit): drop -S stime from the adjtimex/settimeofday line. On current Ubuntu/glibc, stime is not a usable syscall, so removing it matches what the image can actually ship and what auditd will accept.
- System-locale rules: reorder exit,always → always,exit to match common auditd ordering and CIS-style wording, consistent with the rest of the file.

Adds the base_ubuntu_arm64_systemd stage for the "multiarch" warden variant (resolute-multiarch). This stage replaces x86_64 systemd ELF binaries with arm64 equivalents so that systemd runs natively on Apple Silicon arm64 kernels under Rosetta, fixing pidfd_open and pidfd_send_signal ENOSYS failures. Standard warden and cloud infrastructure builds are unaffected.

Updates stage collection, kernel, grub, and test fixtures to reflect the Resolute stemcell layout.

rosetta stuff
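The two audit-rule corrections above are mechanical enough to script and lint, which is useful when the same rules file is carried across stemcell lines. The following is an added example for this page, not the PR's bosh_audit_ubuntu stage; the sample rules are constructed here in the CIS style the commit message refers to, and the only transformations are the two the commit describes.

```shell
#!/bin/sh
# Added example (not the PR's code): apply and lint the Resolute audit-rule
# corrections on a rules file.
set -eu

# Rewrite a rules file: drop "-S stime" (auditd on current Ubuntu/glibc does
# not accept it) and put the action before the list ("always,exit").
# $1: input file; corrected rules go to stdout.
normalise_audit_rules() {
  sed -e 's/ -S stime / /' \
      -e 's/ -S stime$//' \
      -e 's/^-a exit,always/-a always,exit/' "$1"
}

# Lint: print the number of lines that still carry either problem (0 = clean).
# grep -c exits 1 when the count is 0, so || true keeps set -e quiet.
lint_audit_rules() {
  grep -c -e '-S stime' -e 'exit,always' "$1" || true
}

# Constructed sample rules in the CIS time-change / system-locale style.
# The b32 time-change line and both system-locale -a lines carry the defects.
write_sample_rules() {
  cat > "$1" <<'EOF'
## Time change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## System locale
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/hosts -p wa -k system-locale
EOF
}

# Usage: sh fix_audit_rules.sh fix /path/to/audit.rules > audit.rules.new
if [ "${1:-}" = "fix" ] && [ -n "${2:-}" ]; then
  normalise_audit_rules "$2"
fi
```

The lint count is the value to gate on in a spec fixture: a non-zero result on the rules shipped in /etc/audit/rules.d means the stage regressed. On a running host the authoritative check remains loading the file with auditctl -R, which rejects the stime line outright.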
Universe packages are not covered by Ubuntu's Extended Security Maintenance (ESM) programme, creating a gap in long-term security support. This commit removes or replaces universe packages with equivalents from the main component.

rng-tools (rng-tools-debian): removed. Linux 5.6+ includes a well-seeded CRNG via jitterentropy and CONFIG_RANDOM_TRUST_CPU, making a userspace rng daemon redundant. Ubuntu Resolute ships kernel 6.x; rngd provides no meaningful entropy improvement on this hardware.

rsyslog-openssl: replaced with rsyslog-gnutls (in main). The only reason rsyslog-openssl was installed was the base rsyslog.conf loading omrelp with tls.tlslib="openssl". rsyslog-gnutls provides equivalent TLS support and is already present. syslog-release defaults syslog.tls_library to "gtls" (GnuTLS) and ops-manager hardcodes gtls in its rsyslog ERB templates, making rsyslog-gnutls a compatible drop-in for the vast majority of operators.

Additional universe packages are removed; bosh_systemd stage and dpkg fixture lists are updated to reflect the Resolute package set.
Documents the Ubuntu Resolute (26.04) stemcell build and test process.
Force-pushed e3b4696 to b29a76e

I've addressed the initial feedback and would appreciate anyone interested taking a deeper look and providing feedback. I've added more comments than I normally would, as it seemed the best way to explain the changes. I've also added a warden-rosetta variant of the stemcell which uses an arm64 systemd binary.
Note: This PR is made against the Noble branch in order to facilitate reviewing the PR. Upon approval it will be pushed as a new ubuntu-resolute branch.
This is a work in progress Resolute Raccoon stemcell. It can build a warden stemcell and with some relatively minor release changes to garden-runc, pxc, and capi releases it can compile and deploy a cf-deployment environment.
Feedback about changes we should make in this stemcell line is welcome. At the moment there are no large changes like cgroupsv2 or systemd planned.
It's worth noting that Resolute brings in the Rust rewrite of coreutils. Some recent changes to the install utility broke pxc compilation, and may break other releases. See uutils/coreutils#11469 for more information.