From 73cdd5f93497490bd6b97af7bc29a8ce8a582ae3 Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Wed, 4 Feb 2026 17:40:14 -0500
Subject: [PATCH] Prevent systemd-binfmt from running in containers

When stemcells run as privileged containers (e.g., Docker CPI on Apple Silicon), systemd-binfmt clears the host's binfmt_misc registrations, including Rosetta, causing "exec format error" for x86_64 processes. Add a drop-in override with ConditionVirtualization=!container to skip the service in containers while preserving normal behavior on VMs.

Signed-off-by: Matthew Kocher
---
 stemcell_builder/stages/bosh_systemd/apply.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/stemcell_builder/stages/bosh_systemd/apply.sh b/stemcell_builder/stages/bosh_systemd/apply.sh
index 9edd672da8..b5cc017584 100755
--- a/stemcell_builder/stages/bosh_systemd/apply.sh
+++ b/stemcell_builder/stages/bosh_systemd/apply.sh
@@ -12,3 +12,14 @@ source $base_dir/lib/prelude_bosh.bash
 run_in_chroot $chroot "
 echo 'RemoveIPC=no' >> /etc/systemd/logind.conf
 "
+
+# Prevent systemd-binfmt from running in containers.
+# When running in a privileged container (e.g., Docker CPI on Apple Silicon),
+# this service clears the host's binfmt_misc registrations (including Rosetta),
+# causing "exec format error" for all subsequent x86_64 processes.
+mkdir -p $chroot/etc/systemd/system/systemd-binfmt.service.d
+
+cat > $chroot/etc/systemd/system/systemd-binfmt.service.d/skip-in-container.conf <