Prevent systemd-binfmt from running in containers

When stemcells run as privileged containers (e.g., Docker CPI on Apple
Silicon), systemd-binfmt clears the host's binfmt_misc registrations,
including Rosetta, causing "exec format error" for x86_64 processes.

Add a drop-in override with ConditionVirtualization=!container to skip
the service in containers while preserving normal behavior on VMs.

Signed-off-by: Matthew Kocher <matthew.kocher@broadcom.com>

Author: KauzClay

stemcell_builder/stages/bosh_systemd/apply.sh

@@ -12,3 +12,14 @@ source $base_dir/lib/prelude_bosh.bash
 run_in_chroot $chroot "
 echo 'RemoveIPC=no' >> /etc/systemd/logind.conf
 "
+
+# Prevent systemd-binfmt from running in containers.
+# When running in a privileged container (e.g., Docker CPI on Apple Silicon),
+# this service clears the host's binfmt_misc registrations (including Rosetta),
+# causing "exec format error" for all subsequent x86_64 processes.
+mkdir -p $chroot/etc/systemd/system/systemd-binfmt.service.d
+
+cat > $chroot/etc/systemd/system/systemd-binfmt.service.d/skip-in-container.conf <<EOF
+[Unit]
+ConditionVirtualization=!container
+EOF