Skip to content

Fix issue 637 #640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gberche-orange wants to merge 2 commits into
base: ubuntu-jammy
Choose a base branch
from
Open

Fix issue 637 #640

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
720d3a3
Revert "Harden monit-access-helper.sh cgroupv2 mount point detection"
beyhan Jun 12, 2026
701ac72
Harden cgroupv2 mounts detection by selecting the first mount
gberche-orange Jun 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 5 additions & 6 deletions stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,21 +19,20 @@ monit_isolation_classid=2958295041
#
# Prefer cgroup.controllers; also accept stat(2) filesystem type for hosts where
# the file is missing from the mount view but the root is still cgroup2fs.
system_using_unified_cgroup_v2() {
monit_using_unified_cgroup_v2() {
[ -f /sys/fs/cgroup/cgroup.controllers ] && return 0
[ "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" = "cgroup2fs" ]
}

permit_monit_access() {
if system_using_unified_cgroup_v2; then
if monit_using_unified_cgroup_v2; then
# cgroupv2 (unified hierarchy)
# Create a sub-cgroup under the current process's cgroup and move into it.
# The iptables rules match on this cgroup path.
cgroup_mount="$(awk '$1 == "cgroup2" && $3 == "cgroup2" { print $2 }' /proc/self/mounts)"
nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | grep -c '^.')
cgroup_mount="$(awk '$3 == "cgroup2" { print $2; exit }' /proc/self/mounts)"
current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
if [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount} nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts}" >&2
if [ -z "${cgroup_mount}" ] || [ -z "${current_cgroup}" ]; then
echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2

@coderabbitai coderabbitai Bot Jun 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider making the error message more diagnostic.

The current message covers both failure cases (empty mount or empty path) but doesn't distinguish between them. For easier troubleshooting, consider separate error messages or include the actual (empty) values.

📋 Optional improvement for diagnostics 
-        if [ -z "${cgroup_mount}" ] || [ -z "${current_cgroup}" ]; then
-            echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2
+        if [ -z "${cgroup_mount}" ]; then
+            echo "permit_monit_access: no cgroup2 mount found in /proc/self/mounts" >&2
+            return 1
+        fi
+        if [ -z "${current_cgroup}" ]; then
+            echo "permit_monit_access: unable to resolve cgroup v2 path from /proc/self/cgroup" >&2
             return 1
         fi
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh` at line 35,
The current error echo "permit_monit_access: unable to resolve cgroup v2 mount
or path" is ambiguous; update the error handling where that string is emitted to
distinguish which check failed and include the actual variable values (e.g., the
cgroup v2 mount and path variables used in the script) in the log so you can see
whether the mount or the path is empty (or both); emit separate messages like
"permit_monit_access: cgroup v2 mount empty: <value>" and/or
"permit_monit_access: cgroup v2 path empty: <value>" or a combined message that
prints both variable values for diagnostics.

return 1
fi
monit_access_cgroup="${cgroup_mount}${current_cgroup}/monit-api-access"
Expand Down
Loading