BRE-1893 fix(azure-marketplace): resolve certification failures (#504)

[BRE-1893](https://bitwarden.atlassian.net/browse/BRE-1893) Address Azure Marketplace certification failures from the 2026.4.1 release submission. * ClientAliveInterval (200.3.3.1): write the setting to /etc/ssh/sshd_config.d/10-azure-marketplace.conf so it wins over cloud-init's drop-in. Validator reads sshd -T to match what Azure tests. * No swap on OS disk (200.3.3.3): set ResourceDisk.EnableSwap=n in /etc/waagent.conf and drop a cloud-init swap module so swap is not recreated on first boot. Validator asserts the waagent.conf setting. * Linux Agent (200.3.3.4): explicitly install walinuxagent from noble-updates and systemctl enable it so the agent reports to the Azure fabric on first boot. Validator adds an is-enabled check. * Bash history (200.5.1): delete .bash_history in the final packer provisioner with HISTFILE=/dev/null so subsequent steps do not repopulate it. Validator checks for file absence.
2026-06-28 06:15:46 +00:00 · 2026-05-12 12:01:20 -04:00
parent 9076109dd8
commit 6a68aefd3f
3 changed files with 70 additions and 31 deletions
--- a/CommonMarketplace/scripts/90-cleanup.sh
+++ b/CommonMarketplace/scripts/90-cleanup.sh
@@ -4,6 +4,10 @@

 set -o errexit

+# Prevent this script from writing to bash history
+unset HISTFILE
+export HISTSIZE=0
+
 # Ensure /tmp exists and has the proper permissions
 if [ ! -d /tmp ]; then
  mkdir /tmp
@@ -18,19 +22,35 @@ if [ -n "$(command -v apt-get)" ]; then
  apt-get -y autoclean
 fi

-# Disable swap (marketplace requirement: no swap on OS disk)
+# Disable swap (marketplace requirement: no swap on OS disk).
+# Build-time: clear current swap and fstab.
 swapoff -a 2>/dev/null || true
 sed -i '/\bswap\b/d' /etc/fstab
 if [ -f /swapfile ]; then
  rm -f /swapfile
 fi
-
-# Configure SSH client alive interval (Azure requirement: 30-235 seconds)
-if grep -q "^#*\s*ClientAliveInterval" /etc/ssh/sshd_config; then
-  sed -i 's/^#*\s*ClientAliveInterval.*/ClientAliveInterval 120/' /etc/ssh/sshd_config
-else
-  echo "ClientAliveInterval 120" >> /etc/ssh/sshd_config
+# Boot-time: tell waagent not to create resource-disk swap on first boot.
+if [ -f /etc/waagent.conf ]; then
+  sed -i 's/^ResourceDisk\.EnableSwap=.*/ResourceDisk.EnableSwap=n/' /etc/waagent.conf
+  sed -i 's/^ResourceDisk\.SwapSizeMB=.*/ResourceDisk.SwapSizeMB=0/' /etc/waagent.conf
 fi
+# Boot-time: tell cloud-init not to create /swap.img.
+cat > /etc/cloud/cloud.cfg.d/99-disable-swap.cfg <<'EOF'
+swap:
+  filename: /swap.img
+  size: 0
+  maxsize: 0
+EOF
+chmod 644 /etc/cloud/cloud.cfg.d/99-disable-swap.cfg
+
+# Configure SSH client alive interval (Azure requirement: 30-235 seconds).
+# Use a drop-in that sorts before /etc/ssh/sshd_config.d/50-cloud-init.conf so
+# this setting wins — sshd uses the first occurrence of each directive.
+cat > /etc/ssh/sshd_config.d/10-azure-marketplace.conf <<'EOF'
+ClientAliveInterval 120
+ClientAliveCountMax 3
+EOF
+chmod 644 /etc/ssh/sshd_config.d/10-azure-marketplace.conf

 rm -rf /tmp/* /var/tmp/*