Harden monit-access-helper.sh cgroupv2 mount point detection

[gberche-orange]

Restrict the inspection of /proc/self/mounts to cgroupv2 device (1st column) in addition to existing cgroup fstype (column 3).

Also fail fast in case of multiple detected mount points.

Fix #585

---

NOTE: this repository uses a "Merge Forward" strategy

Changes should be made in the earliest applicable branch, and
merged forward through subsequent branches.

1. Create a PR into the oldest branch (ubuntu-<short_name>)
2. After this PR has been merged create a merge-to-<next_short_name> branch
3. Merge ubuntu-<short_name> into merge-to-<next_short_name>
4. Create a PR to merge merge-to-<next_short_name> into ubuntu-<next_short_name>
5. Repeat as needed for subsequent branches

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR renames the unified-cgroup detection helper to system_using_unified_cgroup_v2 and hardens permit_monit_access: it now extracts cgroup2 mountpoints from /proc/self/mounts only when both mount source and fs type indicate cgroup2, counts matches, requires exactly one match and a non-empty 0:: current cgroup, includes these resolved values in error output, and on success builds the monit-api-access sub-cgroup path from the validated mount and cgroup path.

Suggested reviewers

• rkoster

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: hardening cgroupv2 mount point detection by making it stricter.
Description check	✅ Passed	The description includes the required merge-forward strategy instructions and clearly explains the change and issue it fixes.
Linked Issues check	✅ Passed	The PR addresses all coding requirements from issue #585: restricts cgroup2 detection to match both device and fstype columns, adds fail-fast behavior for multiple mounts, and resolves the monit wrapper confusion issue.
Out of Scope Changes check	✅ Passed	The changes are narrowly scoped to the monit-access-helper.sh script, directly addressing the cgroupv2 mount detection issue without introducing unrelated modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rkoster]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh`:
- Around line 35-38: The error message in monit-access-helper.sh's
permit_monit_access check currently omits the count of matching cgroup v2
mounts; update the echo to include the nb_matching_cgroup_mounts variable so
operators can see whether zero, one, or multiple mounts were found. Locate the
conditional that checks cgroup_mount, nb_matching_cgroup_mounts, and
current_cgroup and modify the error string to append
"nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts}" alongside the existing
current_cgroup and cgroup_mount values.
- Line 33: The variable nb_matching_cgroup_mounts is computed with wc -l which
returns 1 for an empty cgroup_mount (because echo "" yields a newline); replace
that wc -l approach so nb_matching_cgroup_mounts accurately reflects the number
of non-empty lines in cgroup_mount. Feed cgroup_mount to a one-pass line counter
(e.g., run awk over the input and increment for lines with content, printing 0
if none) and assign that result to nb_matching_cgroup_mounts, keeping the
surrounding logic that checks -z "${cgroup_mount}" unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cff13715-d8eb-49a1-9181-f8cc3eac0fee

📥 Commits

Reviewing files that changed from the base of the PR and between 1e4a114 and 50cc4d1.

📒 Files selected for processing (1)

• stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh

[coderabbitai]

♻️ Duplicate comments (1)

stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh (1)

35-38: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Include mount count in error message for better diagnostics.

The error message does not include nb_matching_cgroup_mounts, making it harder to distinguish between zero mounts, multiple mounts, or an empty cgroup path when troubleshooting failures.

📝 Suggested enhancement

-    echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}" >&2
+    echo "permit_monit_access: unable to resolve cgroup v2 mount or path. nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts} current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}" >&2

This helps operators quickly distinguish between:

• No mounts found (nb_matching_cgroup_mounts=0)
• Multiple mounts found (nb_matching_cgroup_mounts=2+)
• Empty current_cgroup path

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh` around
lines 35 - 38, Update the error message in permit_monit_access (in
monit-access-helper.sh) to include the nb_matching_cgroup_mounts variable so
diagnostics show whether there were 0, multiple, or other matching cgroup
mounts; change the echo line that currently prints current_cgroup and
cgroup_mount to also append nb_matching_cgroup_mounts so the log reports
current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}
nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts} before returning 1.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh`:
- Around line 35-38: Update the error message in permit_monit_access (in
monit-access-helper.sh) to include the nb_matching_cgroup_mounts variable so
diagnostics show whether there were 0, multiple, or other matching cgroup
mounts; change the echo line that currently prints current_cgroup and
cgroup_mount to also append nb_matching_cgroup_mounts so the log reports
current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}
nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts} before returning 1.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fad58a8a-100a-401c-b782-2300fa5a4f71

📥 Commits

Reviewing files that changed from the base of the PR and between 50cc4d1 and b35a8f1.

📒 Files selected for processing (1)

• stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh

[gberche-orange]

thanks @rkoster for the assisted review. Please let me know if there are other feedback that needs handling for this PR.

[rkoster]

@mkocher could you take a look at this one given you have the most context on the jammy cgroups v2 magic.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh (1)

22-25: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix breaking rename: restrict-monit-api-access still calls the old function name

• stemcell_builder/stages/bosh_monit/assets/restrict-monit-api-access still references monit_using_unified_cgroup_v2 (line 5), but stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh now defines system_using_unified_cgroup_v2, so this will break when the old function isn’t present.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh` around
lines 22 - 25, The helper function was renamed to system_using_unified_cgroup_v2
but the script restrict-monit-api-access still calls
monit_using_unified_cgroup_v2; update restrict-monit-api-access to call
system_using_unified_cgroup_v2 (or add a small shim function named
monit_using_unified_cgroup_v2 that forwards to system_using_unified_cgroup_v2)
so the runtime reference matches the defined symbol and avoids a
missing-function error.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh`:
- Around line 22-25: The helper function was renamed to
system_using_unified_cgroup_v2 but the script restrict-monit-api-access still
calls monit_using_unified_cgroup_v2; update restrict-monit-api-access to call
system_using_unified_cgroup_v2 (or add a small shim function named
monit_using_unified_cgroup_v2 that forwards to system_using_unified_cgroup_v2)
so the runtime reference matches the defined symbol and avoids a
missing-function error.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e16c72b5-3e5f-4780-8e8d-2001d19de0d7

📥 Commits

Reviewing files that changed from the base of the PR and between e9d0103 and 5e3b543.

📒 Files selected for processing (1)

• stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh

[rkoster]

Thanks! @gberche-orange

[gberche-orange]

Thanks for your review and merging @rkoster !