[BRE-1893](https://bitwarden.atlassian.net/browse/BRE-1893) Address Azure Marketplace certification failures from the 2026.4.1 release submission. * ClientAliveInterval (200.3.3.1): write the setting to /etc/ssh/sshd_config.d/10-azure-marketplace.conf so it wins over cloud-init's drop-in. Validator reads sshd -T to match what Azure tests. * No swap on OS disk (200.3.3.3): set ResourceDisk.EnableSwap=n in /etc/waagent.conf and drop a cloud-init swap module so swap is not recreated on first boot. Validator asserts the waagent.conf setting. * Linux Agent (200.3.3.4): explicitly install walinuxagent from noble-updates and systemctl enable it so the agent reports to the Azure fabric on first boot. Validator adds an is-enabled check. * Bash history (200.5.1): delete .bash_history in the final packer provisioner with HISTFILE=/dev/null so subsequent steps do not repopulate it. Validator checks for file absence.
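#!/bin/bash
#
# Marketplace Image Cleanup
#
# Final scrub of the Azure Marketplace image build. Runs as root on the
# throw-away build VM and:
#   - upgrades packages and empties the apt cache
#   - disables swap both now and on first boot (waagent + cloud-init)
#   - pins the sshd keepalive via a drop-in that beats cloud-init's
#   - removes build artefacts that must not ship: shell history,
#     authorized_keys, recent logs, cloud-init instance state, SSH host keys
#
# Every step is destructive by design; never run this on a live system.

set -o errexit
set -o nounset
set -o pipefail

# Keep this shell from recording anything, in case it is ever run interactively.
unset HISTFILE
export HISTSIZE=0

#######################################
# Make sure /tmp exists with the sticky, world-writable mode that apt and
# other tools expect.
#######################################
ensure_tmp() {
  if [[ ! -d /tmp ]]; then
    mkdir /tmp
  fi
  chmod 1777 /tmp
}

#######################################
# Bring the image up to date and drop the package cache (Debian/Ubuntu only;
# a no-op where apt-get is absent).
# --force-confold keeps locally modified conffiles so the build never stalls
# on a dpkg prompt.
#######################################
update_packages() {
  if ! command -v apt-get >/dev/null 2>&1; then
    return 0
  fi
  export DEBIAN_FRONTEND=noninteractive
  apt-get -y update
  apt-get -o Dpkg::Options::="--force-confold" upgrade -q -y
  apt-get -y autoremove
  # 'clean' empties /var/cache/apt/archives outright; 'autoclean' would only
  # drop packages that can no longer be downloaded, leaving the rest in the
  # image.
  apt-get clean
}

#######################################
# Set key=value in /etc/waagent.conf, replacing an existing line or appending
# one if the key is missing, so the setting is present either way.
# Arguments: $1 - key (e.g. ResourceDisk.EnableSwap), $2 - value
#######################################
set_waagent_option() {
  local key=$1 value=$2
  local conf=/etc/waagent.conf
  # Escape the dots so they match literally in grep/sed.
  local pattern="^${key//./\\.}="
  if grep -q -- "$pattern" "$conf"; then
    sed -i "s/${pattern}.*/${key}=${value}/" "$conf"
  else
    printf '%s=%s\n' "$key" "$value" >> "$conf"
  fi
}

#######################################
# Disable swap (marketplace requirement: no swap on the OS disk).
#   build-time: turn off active swap, drop it from fstab, delete /swapfile
#   first boot: stop waagent creating resource-disk swap and stop cloud-init
#               creating /swap.img
#######################################
disable_swap() {
  # The build VM may have no swap at all, so a swapoff failure is expected.
  swapoff -a 2>/dev/null || true
  # Removes every fstab line containing the word 'swap', comments included.
  sed -i '/\bswap\b/d' /etc/fstab
  rm -f /swapfile

  if [[ -f /etc/waagent.conf ]]; then
    set_waagent_option ResourceDisk.EnableSwap n
    set_waagent_option ResourceDisk.SwapSizeMB 0
  fi

  # size/maxsize of 0 tell cloud-init's mounts module not to create the file.
  cat > /etc/cloud/cloud.cfg.d/99-disable-swap.cfg <<'EOF'
swap:
  filename: /swap.img
  size: 0
  maxsize: 0
EOF
  chmod 644 /etc/cloud/cloud.cfg.d/99-disable-swap.cfg
}

#######################################
# Configure the SSH client alive interval (Azure requirement: 30-235 s).
# The drop-in sorts before /etc/ssh/sshd_config.d/50-cloud-init.conf; sshd
# honours the first occurrence of a directive, so this one wins.
#######################################
configure_sshd() {
  cat > /etc/ssh/sshd_config.d/10-azure-marketplace.conf <<'EOF'
ClientAliveInterval 120
ClientAliveCountMax 3
EOF
  chmod 644 /etc/ssh/sshd_config.d/10-azure-marketplace.conf
  # Fail the build now rather than ship an image whose sshd will not start.
  # Host keys are still present at this point (they go in
  # reset_first_boot_state), so the sanity check has everything it needs.
  if command -v sshd >/dev/null 2>&1; then
    sshd -t
  fi
}

#######################################
# Remove per-user artefacts that must not ship: bash history and any
# authorized_keys (e.g. the build tooling's key) for root and every /home/*.
#######################################
scrub_user_files() {
  local home
  for home in /root /home/*; do
    [[ -d "$home" ]] || continue
    # Delete rather than truncate: the marketplace check is for the file's
    # absence, and truncating would create an empty file where none existed.
    rm -f -- "$home/.bash_history"
    rm -f -- "$home/.ssh/authorized_keys"
  done
}

#######################################
# Empty logs written during the build and drop rotated ones.
# Only files modified in the last 24 h are truncated; older files are left
# alone on the assumption that they predate this build - verify that matches
# the base image's age if the build ever takes longer than a day.
#######################################
scrub_logs() {
  find /var/log -mtime -1 -type f -exec truncate -s 0 {} +
  rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
}

#######################################
# Forget the build VM's identity so the first boot of a new VM is a fresh one.
# NOTE(review): /etc/machine-id is not reset here; confirm the base image or a
# later step handles it.
#######################################
reset_first_boot_state() {
  # Drop cloud-init's record of this instance so it re-runs on first boot.
  rm -rf /var/lib/cloud/instances/*
  # Remove every host key (and .pub) so no two VMs share a host identity;
  # cloud-init is expected to regenerate them on first boot.
  rm -f /etc/ssh/*key*
  # The glob above also matches revoked_keys; recreate it empty.
  touch /etc/ssh/revoked_keys
  chmod 600 /etc/ssh/revoked_keys
}

main() {
  ensure_tmp
  update_packages
  disable_swap
  configure_sshd
  rm -rf /tmp/* /var/tmp/*
  scrub_user_files
  scrub_logs
  reset_first_boot_state
}

main "$@"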