Disable the SSH daemon in self-assembling zones

sled-agent/src/profile.rs

@@ -116,12 +116,18 @@ impl Display for ServiceBuilder {
 
 pub struct ServiceInstanceBuilder {
     name: String,
+    enabled: bool,
     property_groups: Vec<PropertyGroupBuilder>,
 }
 
 impl ServiceInstanceBuilder {
     pub fn new(name: &str) -> Self {
-        Self { name: name.to_string(), property_groups: vec![] }
+        Self { name: name.to_string(), enabled: true, property_groups: vec![] }
+    }
+
+    pub fn disable(mut self) -> Self {
+        self.enabled = false;
+        self
     }
 
     pub fn add_property_group(
@@ -137,9 +143,10 @@ impl Display for ServiceInstanceBuilder {
     fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), std::fmt::Error> {
         write!(
             f,
-            r#"    <instance enabled="true" name="{name}">
+            r#"    <instance enabled="{enabled}" name="{name}">
 "#,
-            name = self.name
+            name = self.name,
+            enabled = self.enabled
         )?;
 
         for property_group in &self.property_groups {
@@ -315,6 +322,24 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_disabled_instance() {
+        let builder = ProfileBuilder::new("myprofile")
+            .add_service(ServiceBuilder::new("myservice").add_instance(
+                ServiceInstanceBuilder::new("default").disable(),
+            ));
+        assert_eq!(
+            format!("{}", builder),
+            r#"<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<service_bundle type="profile" name="myprofile">
+  <service version="1" type="service" name="myservice">
+    <instance enabled="false" name="default">
+    </instance>
+  </service>
+</service_bundle>"#,
+        );
+    }
+
     #[test]
     fn test_property_group() {
         let builder = ProfileBuilder::new("myprofile").add_service(

sled-agent/src/services.rs

@@ -1371,8 +1371,8 @@ impl ServiceManager {
             .add_property_group(dns_config_builder)
             // We do need to enable the default instance of the
             // dns/install service.  It's enough to just mention it
-            // here, as the ServiceInstanceBuilder always enables the
-            // instance being added.
+            // here, as the ServiceInstanceBuilder enables the
+            // instance being added by default.
             .add_instance(ServiceInstanceBuilder::new("default")))
     }
 
@@ -1473,6 +1473,8 @@ impl ServiceManager {
         //
         // These zones are self-assembling -- after they boot, there should
         // be no "zlogin" necessary to initialize.
+        let disabled_ssh_service = ServiceBuilder::new("network/ssh")
+            .add_instance(ServiceInstanceBuilder::new("default").disable());
         match &request {
             ZoneArgs::Omicron(OmicronZoneConfigLocal {
                 zone:
@@ -1507,6 +1509,7 @@ impl ServiceManager {
                     );
 
                 let profile = ProfileBuilder::new("omicron")
+                    .add_service(disabled_ssh_service)
                     .add_service(clickhouse_service)
                     .add_service(dns_service);
                 profile
@@ -1551,6 +1554,7 @@ impl ServiceManager {
                                 .add_property_group(config),
                         );
                 let profile = ProfileBuilder::new("omicron")
+                    .add_service(disabled_ssh_service)
                     .add_service(clickhouse_keeper_service)
                     .add_service(dns_service);
                 profile
@@ -1603,6 +1607,7 @@ impl ServiceManager {
                     );
 
                 let profile = ProfileBuilder::new("omicron")
+                    .add_service(disabled_ssh_service)
                     .add_service(cockroachdb_service)
                     .add_service(dns_service);
                 profile
@@ -1646,12 +1651,15 @@ impl ServiceManager {
                     .add_property("uuid", "astring", uuid)
                     .add_property("store", "astring", "/data");
 
-                let profile = ProfileBuilder::new("omicron").add_service(
-                    ServiceBuilder::new("oxide/crucible/agent").add_instance(
-                        ServiceInstanceBuilder::new("default")
-                            .add_property_group(config),
-                    ),
-                );
+                let profile = ProfileBuilder::new("omicron")
+                    .add_service(disabled_ssh_service)
+                    .add_service(
+                        ServiceBuilder::new("oxide/crucible/agent")
+                            .add_instance(
+                                ServiceInstanceBuilder::new("default")
+                                    .add_property_group(config),
+                            ),
+                    );
                 profile
                     .add_to_zone(&self.inner.log, &installed_zone)
                     .await
@@ -1685,12 +1693,15 @@ impl ServiceManager {
                     .add_property("listen_addr", "astring", listen_addr)
                     .add_property("listen_port", "astring", listen_port);
 
-                let profile = ProfileBuilder::new("omicron").add_service(
-                    ServiceBuilder::new("oxide/crucible/pantry").add_instance(
-                        ServiceInstanceBuilder::new("default")
-                            .add_property_group(config),
-                    ),
-                );
+                let profile = ProfileBuilder::new("omicron")
+                    .add_service(disabled_ssh_service)
+                    .add_service(
+                        ServiceBuilder::new("oxide/crucible/pantry")
+                            .add_instance(
+                                ServiceInstanceBuilder::new("default")
+                                    .add_property_group(config),
+                            ),
+                    );
                 profile
                     .add_to_zone(&self.inner.log, &installed_zone)
                     .await