Use disable_services.rb recipe to disable dynamic services we want using DevSettings (#2883)

himani2411 · Himani Anil Deshpande · web-flow · commit 89e4c46d37a1 · 2025-02-21T17:37:57.000-05:00
Co-authored-by: Himani Anil Deshpande &lt;himanidp@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 ------
 **ENHANCEMENTS**
 - Add support for Ubuntu24.
+- Disable unused services like cups and wpa_supplicant from Official ParallelCluster AMIs to improve security.
 
 **CHANGES**
 - On Ubuntu 22.04, install the Nvidia driver with the same compiler version used to compile the kernel.
diff --git a/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb b/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
@@ -27,3 +27,12 @@
 service 'log4j-cve-2021-44228-hotpatch' do
   action %i(disable stop mask)
 end unless on_docker?
+
+# Disable services if node['cluster']['disable_services'] is provided
+if node['cluster']['disable_services']
+  node['cluster']['disable_services'].split().each do |service_name|
+    service service_name do
+      action %i(disable stop mask)
+    end unless on_docker?
+  end
+end
diff --git a/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb b/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
@@ -1,10 +1,15 @@
 require 'spec_helper'
 
+DISABLE_SERVICE_NAME = 'service_name1 service_name_2'.freeze
+
 describe 'aws-parallelcluster-platform::disable_services' do
   for_all_oses do |platform, version|
     context "on #{platform}#{version}" do
       cached(:chef_run) do
-        runner(platform: platform, version: version).converge(described_recipe)
+        runner = ChefSpec::Runner.new do |node|
+          node.override['cluster']['disable_services'] = DISABLE_SERVICE_NAME
+        end
+        runner.converge(described_recipe)
       end
 
       it 'disables DLAMI multi eni helper' do
@@ -18,6 +23,14 @@
         is_expected.to stop_service('log4j-cve-2021-44228-hotpatch')
         is_expected.to mask_service('log4j-cve-2021-44228-hotpatch')
       end
+
+      DISABLE_SERVICE_NAME.split().each do |service_name|
+        it "disables #{service_name}" do
+          is_expected.to disable_service(service_name)
+          is_expected.to stop_service(service_name)
+          is_expected.to mask_service(service_name)
+        end
+      end
     end
   end
 end
