Restore non-essential systemd unit cleanup for jammy warden

[selzoc]

bosh-docker-cpi-release#60 moved the cleanup of non-essential systemd units out of the Docker CPI and into the stemcell, on the basis that the stemcell would mask anything that can't run in a container (resolving bosh-docker-cpi-release#58 and #504). On the jammy line, only the systemd-binfmt mask landed (#500); the rest of the CPI's allow-list was never reproduced here.

As a result, warden stemcells started with exec /sbin/init now boot the full stock systemd unit set. In a BOSH director the stock units contend with the monit-managed bpm jobs and the director fails to converge (e.g. the postgres role is never created). This regresses any consumer running a Docker-CPI director on a jammy warden stemcell ≥ the build that pairs with Docker CPI ≥ 0.2.9.

This restores the CPI's historical allow-list in base_warden, removing the non-essential .wants entries at build time. It uses -delete (≡ systemctl disable) rather than mask, matching the CPI's original semantics: units are dropped from the boot sequence but can still start as dependencies of a kept unit. runit, ssh, dbus, journald, logrotate, systemd-tmpfiles, systemd-user-sessions, and the bosh-agent are preserved. Deriving the set at build time keeps it correct as the package set changes.

Verified against ubuntu-jammy-stemcell:1.1250: 13 essential .wants entries kept, ~75 non-essential removed. This is the same prune Docker CPI 0.2.3 applied, which is green on cgroups-v1 workers. Adds a warden_spec assertion that non-essential units are removed and essential ones remain.

[coderabbitai]

Warning

Review limit reached

@selzoc, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 47 minutes and 33 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f2c1ad1f-78cd-4a50-bac0-9b32165c7731

📥 Commits

Reviewing files that changed from the base of the PR and between 219c3a2 and 27d583a.

📒 Files selected for processing (2)

• bosh-stemcell/spec/stemcells/warden_spec.rb
• stemcell_builder/stages/base_warden/apply.sh

Walkthrough

The base_warden/apply.sh chroot script gains a systemd unit trimming block that runs a find command across /etc/systemd/system and /lib/systemd/system, targeting .wants symlinks and deleting those not matching a keep-list of patterns (bosh-agent, dbus, journald, logrotate, runit, ssh, systemd-user-sessions, systemd-tmpfiles). This reproduces the Docker CPI allow-list behavior for the jammy warden stemcell. A corresponding RSpec context is added to warden_spec.rb that constructs the same keep-list, runs the equivalent find command against the built image, asserts no non-essential units remain, and asserts at least one essential unit is still present.

Suggested reviewers

• aramprice
• mariash
• ragaskar
• KauzClay

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: restoring non-essential systemd unit cleanup for jammy warden stemcells, which directly addresses the regression described in the PR.
Description check	✅ Passed	The description comprehensively explains the problem, solution, and verification approach, providing sufficient context for understanding the change despite the template requiring merge-forward strategy guidance.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch mask-jammy-units-for-docker-cpi

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@bosh-stemcell/spec/stemcells/warden_spec.rb`:
- Around line 76-84: The test for preserving essential units in the describe
block starting at line 81 is insufficient because it only verifies that at least
one entry exists (length > 0) rather than confirming that specific required
units like bosh-agent and runit are actually preserved. Update the test to both
assert that the command executes successfully without errors and include
additional assertions that verify each essential pattern (such as bosh-agent and
runit) is actually present in the command output, not just counting that some
entries exist.

In `@stemcell_builder/stages/base_warden/apply.sh`:
- Around line 104-115: The find command in the run_in_chroot block is deleting
any files or directories under .wants paths, but it should only delete symbolic
links (which is what systemctl disable creates). Add the `-type l` option to the
find command after the directory paths and before the other conditions to
constrain the deletion to only symlinks, preventing accidental removal of
regular package-shipped files or directories under .wants.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1cf6a771-ca2f-41ad-8640-eda66808df8b

📥 Commits

Reviewing files that changed from the base of the PR and between 1a31225 and 219c3a2.

📒 Files selected for processing (2)

• bosh-stemcell/spec/stemcells/warden_spec.rb
• stemcell_builder/stages/base_warden/apply.sh

[aramprice]

Seems reasonable though I'm not 100% confident in my assessment of systemd unit requirements 😬