diff --git a/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run b/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run
index 741db436cc..9725216175 100755
--- a/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run
+++ b/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run
@@ -4,10 +4,6 @@ set -e
 export PATH=/var/vcap/bosh/bin:$PATH
 exec 2>&1
-source /var/vcap/bosh/etc/monit-access-helper.sh
-
-permit_monit_access
-
 cd /var/vcap/bosh
 exec nice -n -15 /var/vcap/bosh/bin/bosh-agent -P $(cat /var/vcap/bosh/etc/operating_system) -C /var/vcap/bosh/agent.json
diff --git a/stemcell_builder/stages/bosh_monit/apply.sh b/stemcell_builder/stages/bosh_monit/apply.sh
index baf830c554..405f2f93c7 100755
--- a/stemcell_builder/stages/bosh_monit/apply.sh
+++ b/stemcell_builder/stages/bosh_monit/apply.sh
@@ -29,13 +29,3 @@ chmod 0700 $chroot/$bosh_dir/etc/monitrc
 # monit refuses to start without an include file present
 mkdir -p $chroot/$bosh_app_dir/monit
 touch $chroot/$bosh_app_dir/monit/empty.monitrc
-
-# Monit wrapper script:
-mv $chroot/$bosh_dir/bin/monit $chroot/$bosh_dir/bin/monit-actual
-
-cp $dir/assets/monit-access-helper.sh $chroot/$bosh_dir/etc/
-cp $dir/assets/monit $chroot/$bosh_dir/bin/monit
-chmod +x $chroot/$bosh_dir/bin/monit
-
-cp $dir/assets/restrict-monit-api-access $chroot/etc/network/if-up.d/restrict-monit-api-access
-chmod +x $chroot/etc/network/if-up.d/restrict-monit-api-access
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit b/stemcell_builder/stages/bosh_monit/assets/monit
deleted file mode 100644
index 990fecadeb..0000000000
--- a/stemcell_builder/stages/bosh_monit/assets/monit
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -e
-
-source /var/vcap/bosh/etc/monit-access-helper.sh
-
-permit_monit_access
-
-exec /var/vcap/bosh/bin/monit-actual "$@"
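Review bot: With the wrapper, the helper and the if-up.d script no longer copied into the chroot, the new side of the apply.sh hunk leaves monit reachable on 127.0.0.1:2822 by any local process, and nothing in this diff installs a replacement for the cgroup/iptables filter that previously limited that port to the bosh-agent and the monit wrapper. The only control still visible is `chmod 0700 $chroot/$bosh_dir/etc/monitrc` in the hunk header, which presumably keeps the API credentials unreadable to non-root users; if that is now the sole barrier it is worth stating next to the `touch .../empty.monitrc` line, e.g. `# Note: monit's HTTP API on 127.0.0.1:2822 is guarded only by the monitrc credentials (mode 0700); the per-process cgroup/iptables restriction was removed.` If a replacement lives in another commit, a one-line pointer to it here would serve the same purpose.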
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
deleted file mode 100644
index 3f66ca3a2d..0000000000
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-# This is the integer value of the argument "0xb0540001", which is
-# b054:0001 . The major number (the left-hand side) is "BOSH", leet-ified.
-# The minor number (the right-hand side) is 1, indicating that this is the
-# first thing in our "BOSH" classid namespace.
-#
-# _Hopefully_ noone uses a major number of "b054", and we avoid collisions _forever_!
-# If you need to select new classids for firewall rules or traffic control rules, keep
-# the major number "b054" for bosh stuff, unless there's a good reason to not.
-#
-# The net_cls.classid structure is described in more detail here:
-# https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt
-
-monit_isolation_classid=2958295041
-
-permit_monit_access() {
-  net_cls_location="$(cat /proc/self/mounts | grep ^cgroup | grep net_cls | awk '{ print $2 }' )"
-  net_cls_subproc="$(grep net_cls /proc/self/cgroup | awk -F ":" '{ print $3 }' )"
-  monit_access_cgroup="${net_cls_location}/${net_cls_subproc}/monit-api-access"
-
-  mkdir -p "${monit_access_cgroup}"
-  echo "${monit_isolation_classid}" > "${monit_access_cgroup}/net_cls.classid"
-
-  echo $$ > "${monit_access_cgroup}/tasks"
-}
diff --git a/stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access b/stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access
deleted file mode 100644
index 4b25e2fbaf..0000000000
--- a/stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access
+++ /dev/null
@@ -1,14 +0,0 @@ -#!/bin/bash - -source /var/vcap/bosh/etc/monit-access-helper.sh - -if iptables -t mangle -C POSTROUTING -d 127.0.0.1 -p tcp --dport 2822 \ - -m cgroup \! --cgroup "${monit_isolation_classid}" -j DROP -then - /bin/true -else - iptables -t mangle -I POSTROUTING -d 127.0.0.1 -p tcp --dport 2822 \ - -m cgroup \! --cgroup "${monit_isolation_classid}" -j DROP - iptables -t mangle -I POSTROUTING -d 127.0.0.1 -p tcp --dport 2822 \ - -m state --state ESTABLISHED,RELATED -j ACCEPT -fi