[BRE-1893] fix(azure-marketplace): certification failure #514
Merged
[BRE-1893](https://bitwarden.atlassian.net/browse/BRE-1893) fix(azure-marketplace): write ClientAliveInterval to main sshd_config

Address Azure Marketplace certification check 200.3.3.1 ClientAliveInterval, which continues to fail despite the drop-in at /etc/ssh/sshd_config.d/10-bitwarden-marketplace.conf reporting the correct value via sshd -T. The probe appears to do a literal grep of /etc/ssh/sshd_config and not honor Include'd drop-ins.

* Replace the commented stock directives in /etc/ssh/sshd_config in place when present; append otherwise
* Keep the drop-in so the value still wins at sshd runtime against any later cloud-init drop-in

fix(azure-marketplace): add disable-swap systemd unit for cert 200.3.3.3

Address Azure Marketplace certification check 200.3.3.3 "No Swap Partition on OS Disk", which continues to fail despite build-time swapoff and the waagent.conf and cloud-init disables in 90-cleanup.sh. The probe samples a deployed VM after first boot, so a build-time disable is not sufficient if anything recreates swap during boot.

* Add disable-swap.service oneshot unit that runs after walinuxagent.service and cloud-final.service, runs swapoff -a, and removes /swap.img and /swapfile
* Wire the unit into the Azure packer build via file provisioner, install path, and systemctl enable

fix(azure-marketplace): install walinuxagent from upstream for cert 200.3.3.4

Address Azure Marketplace certification check 200.3.3.4 "Linux Agent Version", which fails against the apt-shipped walinuxagent 2.11 from noble-updates. Switch to an upstream-source install of a pinned version above the suspected MPC floor.

* Add waagent_version variable (default 2.15.0.1)
* Purge any apt-installed walinuxagent before source install to prevent dpkg conflicts on later upgrade
* Install python3 + python3-setuptools, fetch the GitHub release tarball, and run python3 setup.py install --register-service
* Bump 99-img-check.sh agent version floor from 2.7 to 2.13 so an accidental regression to apt install fails the build validator

fix(azure-marketplace): sweep .bash_history after deprovision for 200.5.1

Address Azure Marketplace certification check 200.5.1 "Bash History", which fails despite build-time deletion in 90-cleanup.sh and a pre-deprovision find. Likely culprit is that waagent shells out via bash during deprovision and recreates /root/.bash_history after our find runs.

* Drop -xdev from the pre-deprovision find so separate /home mounts are covered
* Run a second find for .bash_history inside the deprovision provisioner, chained after waagent -force -deprovision+user, so it runs immediately before image capture
* Add HISTFILE=/dev/null and HISTSIZE=0 to the deprovision provisioner env to keep waagent's bash subprocesses from writing history in the first place
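The in-place edit described for check 200.3.3.1, as an added example that is not code from this PR: it rewrites the commented stock directive when present and appends otherwise. It goes one step beyond the commit message by keeping the line above any Match block, where sshd would otherwise treat it as conditional. The function names and the value 180 are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the PR). Function names and the value 180 are assumptions.

# set_sshd_directive FILE KEY VALUE
# Writes an active "KEY VALUE" line into FILE itself, so a check that only
# reads the main file (and ignores Include'd drop-ins) still sees it.
set_sshd_directive() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  awk -v key="$key" -v value="$value" '
    BEGIN { lkey = tolower(key) }
    {
      line = $0; probe = tolower($0)
      commented = (line ~ /^[ \t]*#/)
      sub(/^[ \t]*#?[ \t]*/, "", probe); sub(/[ \t]+$/, "", probe)
      n = split(probe, f, /[ \t=]+/)
      # A commented line counts only in the stock "#Key value" shape,
      # so prose comments that mention the keyword are left alone.
      is_key = (f[1] == lkey && (!commented || n == 2))
      is_match = (!commented && f[1] == "match")
    }
    # Directives after a Match line are conditional: place ours before it
    # and leave everything from the Match line on untouched.
    is_match { if (!done) { print key " " value; done = 1 }; in_match = 1 }
    !in_match && is_key && !done { print key " " value; done = 1; next }
    !in_match && is_key && !commented { next }   # drop later active duplicates
    { print line }
    END { if (!done) print key " " value }       # append otherwise
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Overwrite through the existing inode to keep owner and mode.
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# literal_check FILE KEY VALUE
# Mimics a check that reads only the main file: the first active KEY line
# in FILE must carry VALUE.
literal_check() {
  grep -Ei -m1 "^[[:space:]]*$2[[:space:]=]" "$1" |
    grep -Eq "[[:space:]=]$3[[:space:]]*\$"
}
```

In a build script, running `literal_check /etc/ssh/sshd_config ClientAliveInterval 180` next to `sshd -T` catches the case the PR describes, where the effective value is correct but the main file does not contain it.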
mimartin12
approved these changes
May 28, 2026
🎟️ Tracking
BRE-1893
📔 Objective
This is a continuation of the efforts to resolve the MPC certification phase failures. This is preventing the VM image from being published as a latest offering in the Azure Marketplace.
Verbosity for future reference:
fix(azure-marketplace): write ClientAliveInterval to main sshd_config
Address Azure Marketplace certification check 200.3.3.1 ClientAliveInterval, which continues to fail despite the drop-in at /etc/ssh/sshd_config.d/10-bitwarden-marketplace.conf reporting the correct value via sshd -T. The probe appears to do a literal grep of /etc/ssh/sshd_config and not honor Include'd drop-ins.
fix(azure-marketplace): add disable-swap systemd unit for cert 200.3.3.3
Address Azure Marketplace certification check 200.3.3.3 "No Swap Partition on OS Disk", which continues to fail despite build-time swapoff and the waagent.conf and cloud-init disables in 90-cleanup.sh. The probe samples a deployed VM after first boot, so a build-time disable is not sufficient if anything recreates swap during boot.
fix(azure-marketplace): install walinuxagent from upstream for cert 200.3.3.4
Address Azure Marketplace certification check 200.3.3.4 "Linux Agent Version", which fails against the apt-shipped walinuxagent 2.11 from noble-updates. Switch to an upstream-source install of a pinned version above the suspected MPC floor.
fix(azure-marketplace): sweep .bash_history after deprovision for 200.5.1
Address Azure Marketplace certification check 200.5.1 "Bash History", which fails despite build-time deletion in 90-cleanup.sh and a pre-deprovision find. Likely culprit is that waagent shells out via bash during deprovision and recreates /root/.bash_history after our find runs.