From 9a23dd955006c35302df21ddfde6dec96e3fdef5 Mon Sep 17 00:00:00 2001
From: rkoster
Date: Mon, 9 Feb 2026 15:04:26 +0000
Subject: [PATCH 1/2] Remove monit access control wrapper and iptables firewall
Remove the cgroup v1 net_cls-based monit API access control mechanism including the monit wrapper script, helper functions, and iptables rules. The monit binary now runs directly without a wrapper. Access control will be managed by the bosh-agent's internal firewall implementation.
Related to cloudfoundry/bosh-agent#399
---
 stemcell_builder/stages/bosh_monit/apply.sh | 10 --------
 .../stages/bosh_monit/assets/monit | 9 -------
 .../bosh_monit/assets/monit-access-helper.sh | 24 ------------------------
 .../assets/restrict-monit-api-access | 14 --------------
 4 files changed, 57 deletions(-)
 delete mode 100644 stemcell_builder/stages/bosh_monit/assets/monit
 delete mode 100644 stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
 delete mode 100644 stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access
diff --git a/stemcell_builder/stages/bosh_monit/apply.sh b/stemcell_builder/stages/bosh_monit/apply.sh
index baf830c554..405f2f93c7 100755
--- a/stemcell_builder/stages/bosh_monit/apply.sh
+++ b/stemcell_builder/stages/bosh_monit/apply.sh
@@ -29,13 +29,3 @@ chmod 0700 $chroot/$bosh_dir/etc/monitrc
 # monit refuses to start without an include file present
 mkdir -p $chroot/$bosh_app_dir/monit
 touch $chroot/$bosh_app_dir/monit/empty.monitrc
-
-# Monit wrapper script:
-mv $chroot/$bosh_dir/bin/monit $chroot/$bosh_dir/bin/monit-actual
-
-cp $dir/assets/monit-access-helper.sh $chroot/$bosh_dir/etc/
-cp $dir/assets/monit $chroot/$bosh_dir/bin/monit
-chmod +x $chroot/$bosh_dir/bin/monit
-
-cp $dir/assets/restrict-monit-api-access $chroot/etc/network/if-up.d/restrict-monit-api-access
-chmod +x $chroot/etc/network/if-up.d/restrict-monit-api-access
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit b/stemcell_builder/stages/bosh_monit/assets/monit
deleted file mode 100644
index 990fecadeb..0000000000
--- a/stemcell_builder/stages/bosh_monit/assets/monit
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -e
-
-source /var/vcap/bosh/etc/monit-access-helper.sh
-
-permit_monit_access
-
-exec /var/vcap/bosh/bin/monit-actual "$@"
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
deleted file mode 100644
index 3f66ca3a2d..0000000000
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-# This is the integer value of the argument "0xb0540001", which is
-# b054:0001 . The major number (the left-hand side) is "BOSH", leet-ified.
-# The minor number (the right-hand side) is 1, indicating that this is the
-# first thing in our "BOSH" classid namespace.
-#
-# _Hopefully_ noone uses a major number of "b054", and we avoid collisions _forever_!
-# If you need to select new classids for firewall rules or traffic control rules, keep
-# the major number "b054" for bosh stuff, unless there's a good reason to not.
-#
-# The net_cls.classid structure is described in more detail here:
-# https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt
-
-monit_isolation_classid=2958295041
-
-permit_monit_access() {
- net_cls_location="$(cat /proc/self/mounts | grep ^cgroup | grep net_cls | awk '{ print $2 }' )"
- net_cls_subproc="$(grep net_cls /proc/self/cgroup | awk -F ":" '{ print $3 }' )"
- monit_access_cgroup="${net_cls_location}/${net_cls_subproc}/monit-api-access"
-
- mkdir -p "${monit_access_cgroup}"
- echo "${monit_isolation_classid}" > "${monit_access_cgroup}/net_cls.classid"
-
- echo $$ > "${monit_access_cgroup}/tasks"
-}
diff --git a/stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access b/stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access
deleted file mode 100644
index 4b25e2fbaf..0000000000
--- a/stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-source /var/vcap/bosh/etc/monit-access-helper.sh
-
-if iptables -t mangle -C POSTROUTING -d 127.0.0.1 -p tcp --dport 2822 \
- -m cgroup \! --cgroup "${monit_isolation_classid}" -j DROP
-then
- /bin/true
-else
- iptables -t mangle -I POSTROUTING -d 127.0.0.1 -p tcp --dport 2822 \
- -m cgroup \! --cgroup "${monit_isolation_classid}" -j DROP
- iptables -t mangle -I POSTROUTING -d 127.0.0.1 -p tcp --dport 2822 \
- -m state --state ESTABLISHED,RELATED -j ACCEPT
-fi
From 728436b70ab2dc0213c4b169862c6c534152349d Mon Sep 17 00:00:00 2001
From: rkoster
Date: Mon, 9 Feb 2026 15:04:44 +0000
Subject: [PATCH 2/2] Remove permit_monit_access call from agent startup
Stop sourcing monit-access-helper.sh and calling permit_monit_access when starting the bosh-agent. The agent will manage its own firewall access internally instead of using the cgroup-based helper. This completes the removal of the permit_monit_access functionality now that pxc-release (the only consumer) no longer uses it.
Related to cloudfoundry/bosh-agent#399
Related to cloudfoundry/pxc-release#97
---
 stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run b/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run
index 741db436cc..9725216175 100755
--- a/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run
+++ b/stemcell_builder/stages/bosh_go_agent/assets/runit/agent/run
@@ -4,10 +4,6 @@ set -e
 export PATH=/var/vcap/bosh/bin:$PATH
 exec 2>&1
-source /var/vcap/bosh/etc/monit-access-helper.sh
-
-permit_monit_access
-
 cd /var/vcap/bosh
 exec nice -n -15 /var/vcap/bosh/bin/bosh-agent -P $(cat /var/vcap/bosh/etc/operating_system) -C /var/vcap/bosh/agent.json