From b98e2b1349a48b8d997c16471f6bb2cac2cb02ee Mon Sep 17 00:00:00 2001
From: Ned Petrov <nedd.petrov@gmail.com>
Date: Tue, 9 Jun 2026 07:42:52 +0300
Subject: [PATCH 01/19] Remove CentOS-specific code and assets

CentOS stemcells are no longer built, so this drops dead stages,
assets, and code paths. Also removes the default_su_directive
override (already removed on ubuntu-noble), which silently overrode
the correct 'su root syslog' set globally in ubuntu-logrotate.conf.
---
 bosh-stemcell/lib/shellout_types/service.rb   |  2 +-
 .../spec/support/stemcell_shared_examples.rb  |  8 ---
 .../stages/bosh_audit_centos/apply.sh         | 32 ----------
 .../stages/image_install_grub/apply.sh        |  6 +-
 .../stages/image_install_grub_efi/apply.sh    |  6 +-
 .../apply.sh                                  |  6 +-
 .../stages/logrotate_config/apply.sh          |  5 --
 .../assets/centos-logrotate.conf              | 58 -------------------
 .../assets/default_su_directive               |  5 --
 .../assets/centos/password-auth.patch         |  6 --
 .../assets/centos/system-auth.patch           | 13 -----
 .../stages/system_open_vm_tools/apply.sh      |  1 -
 12 files changed, 10 insertions(+), 138 deletions(-)
 delete mode 100755 stemcell_builder/stages/bosh_audit_centos/apply.sh
 delete mode 100644 stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
 delete mode 100644 stemcell_builder/stages/logrotate_config/assets/default_su_directive
 delete mode 100644 stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
 delete mode 100644 stemcell_builder/stages/password_policies/assets/centos/system-auth.patch

diff --git a/bosh-stemcell/lib/shellout_types/service.rb b/bosh-stemcell/lib/shellout_types/service.rb
index ef80fa174d..476b7b4ada 100644
--- a/bosh-stemcell/lib/shellout_types/service.rb
+++ b/bosh-stemcell/lib/shellout_types/service.rb
@@ -27,7 +27,7 @@ def check_service_enabled(runlevel)
       stdout, stderr, status = @chroot.run("cat", "/etc/*release")
       raise stderr.to_s if status != 0
 
-      raise "Cannot determine Linux distribution: #{stdout}" unless /Ubuntu|CentOS|openSUSE/.match?(stdout)
+      raise "Cannot determine Linux distribution: #{stdout}" unless /Ubuntu|openSUSE/.match?(stdout)
 
       check_is_enabled_systemctl
     end
diff --git a/bosh-stemcell/spec/support/stemcell_shared_examples.rb b/bosh-stemcell/spec/support/stemcell_shared_examples.rb
index 232c596366..477a1a7329 100644
--- a/bosh-stemcell/spec/support/stemcell_shared_examples.rb
+++ b/bosh-stemcell/spec/support/stemcell_shared_examples.rb
@@ -160,13 +160,5 @@
         end
       end
     end
-
-    describe "default su directive" do
-      describe file("/etc/logrotate.d/default_su_directive") do
-        it "does `su root root` after any leading comments" do
-          expect(subject.content).to match(/\A(#.*\n)*su root root\Z/)
-        end
-      end
-    end
   end
 end
diff --git a/stemcell_builder/stages/bosh_audit_centos/apply.sh b/stemcell_builder/stages/bosh_audit_centos/apply.sh
deleted file mode 100755
index 21614455c6..0000000000
--- a/stemcell_builder/stages/bosh_audit_centos/apply.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-base_dir=$(readlink -nf $(dirname $0)/../..)
-source $base_dir/stages/bosh_audit/shared_functions.bash
-source $base_dir/lib/prelude_bosh.bash
-
-pkg_mgr install audit
-
-run_in_bosh_chroot $chroot "systemctl disable auditd.service"
-
-write_shared_audit_rules
-
-echo '
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/openssh/ssh-keysign -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/krb5_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/ldap_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/p11_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/proxy_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/selinux_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/utempter/utempter -k privileged
-' >> $chroot/etc/audit/rules.d/audit.rules
-
-# for stig V-38663: brings file permissions in aligment with what is declared by the RPM database
-# this is techinically not necessary as per the stig definition, but our tests are not as lenient as the stig is
-chmod 640 $chroot/etc/audit/rules.d/audit.rules
-
-record_use_of_privileged_binaries
-
-override_default_audit_variables
diff --git a/stemcell_builder/stages/image_install_grub/apply.sh b/stemcell_builder/stages/image_install_grub/apply.sh
index 470122f7d1..af271b0496 100755
--- a/stemcell_builder/stages/image_install_grub/apply.sh
+++ b/stemcell_builder/stages/image_install_grub/apply.sh
@@ -37,15 +37,15 @@ add_on_exit "umount ${image_mount_point}"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 
 # work: the base working directory outside the chroot
-#      eg: /mnt/stemcells/aws/xen/centos/work/work
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-#      eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 #      eg: /dev/loop0
 # loopback_dev: device node mapped to the main partition in disk_image
 #      eg: /dev/mapper/loop0p1
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-#      eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/image_install_grub_efi/apply.sh b/stemcell_builder/stages/image_install_grub_efi/apply.sh
index 01a23c2125..9c18196db0 100755
--- a/stemcell_builder/stages/image_install_grub_efi/apply.sh
+++ b/stemcell_builder/stages/image_install_grub_efi/apply.sh
@@ -38,9 +38,9 @@ add_on_exit "umount ${image_mount_point}/boot/efi"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 
 # work: the base working directory outside the chroot
-#      eg: /mnt/stemcells/aws/xen/centos/work/work
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-#      eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 #      eg: /dev/loop0
 # loopback_efi_dev: device node mapped to the EFI boot ("/boot/efi") partition in disk_image
@@ -48,7 +48,7 @@ add_on_exit "umount ${image_mount_point}/boot/efi"
 # loopback_root_dev: device node mapped to the root partition ("/") in disk_image
 #      eg: /dev/mapper/loop0p2
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-#      eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh b/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
index 094911477b..184c836ab7 100755
--- a/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
+++ b/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
@@ -42,15 +42,15 @@ add_on_exit "umount ${image_mount_point}/boot"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 
 # work: the base working directory outside the chroot
-#      eg: /mnt/stemcells/aws/xen/centos/work/work
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-#      eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 #      eg: /dev/loop0
 # loopback_dev: device node mapped to the main partition in disk_image
 #      eg: /dev/mapper/loop0p1
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-#      eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+#      eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/logrotate_config/apply.sh b/stemcell_builder/stages/logrotate_config/apply.sh
index 9d0dccc124..91058a9d70 100755
--- a/stemcell_builder/stages/logrotate_config/apply.sh
+++ b/stemcell_builder/stages/logrotate_config/apply.sh
@@ -32,15 +32,10 @@ install_logrotate_cron_script() {
   sed -i -e 's/^\s*\(\/usr\/sbin\/logrotate\)\b/nice -n 19 ionice -c3 \1/' "$chroot/usr/bin/logrotate-cron"
 }
 
-install_default_su_directive() {
-  cp -f "$assets_dir/default_su_directive" "$chroot/etc/logrotate.d/default_su_directive"
-}
-
 install_logrotate_conf
 install_setup_logrotate_script
 seed_default_logrotate_cronjob
 install_logrotate_cron_script
-install_default_su_directive
 
 ## TODO: either remove /etc/logrotate.d/{wtmp,btmp}
 ## or remove it from logrotate.conf and copy over the default created wtmp,btmp files
diff --git a/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf b/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
deleted file mode 100644
index d7b4e4d00f..0000000000
--- a/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# see "man logrotate" for details
-# rotate log files weekly
-weekly
-
-# keep 4 weeks worth of backlogs
-rotate 4
-
-# create new (empty) log files after rotating old ones
-create
-
-# use date as a suffix of the rotated file
-dateext
-
-# uncomment this if you want your log files compressed
-#compress
-
-# RPM packages drop log rotation information into this directory
-include /etc/logrotate.d
-
-## no packages own wtmp and btmp -- we'll rotate them here
-#/var/log/wtmp {
-#    monthly
-#    create 0664 root utmp
-#	  minsize 1M
-#    rotate 1
-#}
-#
-#/var/log/btmp {
-#    missingok
-#    monthly
-#    create 0600 root utmp
-#    rotate 1
-#}
-
-# no packages own wtmp and btmp -- we'll rotate them here
-/var/log/wtmp {
-    missingok
-    create 0664 root utmp
-    rotate 4
-    nodateext
-    size 5M
-    notifempty
-    compress
-    delaycompress
-}
-
-/var/log/btmp {
-    missingok
-    create 0600 root utmp
-    rotate 4
-    nodateext
-    size 5M
-    notifempty
-    compress
-    delaycompress
-}
-
-# system-specific logs may be also be configured here.
\ No newline at end of file
diff --git a/stemcell_builder/stages/logrotate_config/assets/default_su_directive b/stemcell_builder/stages/logrotate_config/assets/default_su_directive
deleted file mode 100644
index 0e7331f8be..0000000000
--- a/stemcell_builder/stages/logrotate_config/assets/default_su_directive
+++ /dev/null
@@ -1,5 +0,0 @@
-# logrotate on CentOS refuses to rotate logs in /var/log because the
-# directory is owned by root:syslog and not root:root.
-# logrotate is placated by the su directive, telling syslog what user:group
-# to rotate files with. Defaulting to root:root
-su root root
diff --git a/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch b/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
deleted file mode 100644
index 9de29cdd99..0000000000
--- a/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
+++ /dev/null
@@ -1,6 +0,0 @@
-5c5,7
-< auth        sufficient    pam_unix.so try_first_pass
----
-> auth        [success=1 default=bad] pam_unix.so try_first_pass
-> auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
-> auth        sufficient    pam_faillock.so authsucc deny=5 unlock_time=900 fail_interval=900
diff --git a/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch b/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch
deleted file mode 100644
index 73f091439b..0000000000
--- a/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-5c5,7
-< auth        sufficient    pam_unix.so try_first_pass
----
-> auth        [success=1 default=bad] pam_unix.so try_first_pass
-> auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
-> auth        sufficient    pam_faillock.so authsucc deny=5 unlock_time=900 fail_interval=900
-11c13,14
-< password    sufficient    pam_unix.so try_first_pass use_authtok  sha512 shadow
----
-> password    required      pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
-> password    sufficient    pam_unix.so try_first_pass use_authtok  sha512 shadow remember=24 minlen=14
-18a19
-> session     required      pam_lastlog.so showfailed
diff --git a/stemcell_builder/stages/system_open_vm_tools/apply.sh b/stemcell_builder/stages/system_open_vm_tools/apply.sh
index d2adf6a224..e11b27ff5e 100755
--- a/stemcell_builder/stages/system_open_vm_tools/apply.sh
+++ b/stemcell_builder/stages/system_open_vm_tools/apply.sh
@@ -6,7 +6,6 @@ base_dir=$(readlink -nf $(dirname $0)/../..)
 source $base_dir/lib/prelude_apply.bash
 source $base_dir/lib/prelude_bosh.bash
 
-# Installation on CentOS requires v7
 pkg_mgr install open-vm-tools
 
 # open-vm-tools installs unwanted fusermount binary

From dc3c1ee01b1af43ab9c4d54a3f828591c1062aaa Mon Sep 17 00:00:00 2001
From: aram price <aram.price@broadcom.com>
Date: Tue, 9 Jun 2026 16:35:14 -0700
Subject: [PATCH 02/19] CI: remove (future) deprecated `--preserve-env` flag

Explicitly pass:
- GEM_HOME
- BUILD_TIME
- UBUNTU_ADVANTAGE_TOKEN
- UBUNTU_FIPS_USE_IAAS_KERNEL

Fixes:
```
sudo: preserving the entire environment is not supported, '--preserve-env' is ignored
ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5$ set -e
ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5$
ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5$ cd "/tmp/build/44575cf5/bosh-linux-stemcell-builder"
ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5/bosh-linux-stemcell-builder$ bundle install
Bundler 4.0.13 is running, but your lockfile was generated with 2.5.23. Installing Bundler 2.5.23 and restarting using that version.
Fetching gem metadata from https://rubygems.org/.
Fetching bundler 2.5.23

Retrying download gem from https://rubygems.org/ due to error (2/4): Bundler::PermissionError There was an error while trying to write to `/usr/local/lib/ruby/gems/3.3.0/cache/bundler-2.5.23.gem`. It is likely that you need to grant write permissions for that path.
```
^ https://bosh.ci.cloudfoundry.org/teams/stemcell/pipelines/ubuntu-resolute-builder/jobs/build-os-image/builds/1#L6a052874:4:13
---
 ci/tasks/build.sh           | 8 ++++++--
 ci/tasks/os-images/build.sh | 9 +++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/ci/tasks/build.sh b/ci/tasks/build.sh
index d69d2b5cdc..a9c4a178ca 100755
--- a/ci/tasks/build.sh
+++ b/ci/tasks/build.sh
@@ -77,13 +77,17 @@ chown -R ubuntu:ubuntu "${REPO_PARENT}/bosh-linux-stemcell-builder"
 chown -R ubuntu:ubuntu /mnt
 sudo chmod u+s "$(which sudo)"
 
-sudo --preserve-env --set-home --user ubuntu -- /bin/bash --login -i <<SUDO
+sudo --set-home --user ubuntu -- \
+  env GEM_HOME="${GEM_HOME}" \
+      UBUNTU_ADVANTAGE_TOKEN="${UBUNTU_ADVANTAGE_TOKEN:-}" \
+      UBUNTU_FIPS_USE_IAAS_KERNEL="${UBUNTU_FIPS_USE_IAAS_KERNEL:-}" \
+  /bin/bash --login -i <<SUDO
 set -e
 
 cd "${REPO_PARENT}/bosh-linux-stemcell-builder"
 bundle install
 
-bundle exec rake stemcell:build[${IAAS},${HYPERVISOR},${OS_NAME},${OS_VERSION},${OS_IMAGE},${CANDIDATE_BUILD_NUMBER}]
+bundle exec rake "stemcell:build[${IAAS},${HYPERVISOR},${OS_NAME},${OS_VERSION},${OS_IMAGE},${CANDIDATE_BUILD_NUMBER}]"
 SUDO
 
 #
diff --git a/ci/tasks/os-images/build.sh b/ci/tasks/os-images/build.sh
index f14be5d0b6..62bb14b479 100755
--- a/ci/tasks/os-images/build.sh
+++ b/ci/tasks/os-images/build.sh
@@ -35,11 +35,16 @@ chown -R ubuntu:ubuntu "${REPO_PARENT}/bosh-linux-stemcell-builder"
 chown -R ubuntu:ubuntu /mnt
 sudo chmod u+s "$(which sudo)"
 
-sudo --preserve-env --set-home --user ubuntu -- /bin/bash --login -i <<SUDO
+sudo --set-home --user ubuntu -- \
+  env GEM_HOME="${GEM_HOME}" \
+      BUILD_TIME="${BUILD_TIME:-}" \
+      UBUNTU_ADVANTAGE_TOKEN="${UBUNTU_ADVANTAGE_TOKEN:-}" \
+      UBUNTU_DEBOOTSTRAP_MIRROR="${UBUNTU_DEBOOTSTRAP_MIRROR:-}" \
+  /bin/bash --login -i <<SUDO
 set -e
 
 cd "${REPO_PARENT}/bosh-linux-stemcell-builder"
 bundle install
 
-bundle exec rake stemcell:build_os_image[$OPERATING_SYSTEM_NAME,$OPERATING_SYSTEM_VERSION,$OS_IMAGE]
+bundle exec rake "stemcell:build_os_image[${OPERATING_SYSTEM_NAME},${OPERATING_SYSTEM_VERSION},${OS_IMAGE}]"
 SUDO

From 7305da87c3656a3539ffd477e00ecc49c65afcd4 Mon Sep 17 00:00:00 2001
From: aram price <aram.price@broadcom.com>
Date: Tue, 9 Jun 2026 18:19:03 -0700
Subject: [PATCH 03/19] CI: use explicit list with `--preserve-env`

---
 ci/tasks/build.sh           | 8 +++-----
 ci/tasks/os-images/build.sh | 9 +++------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/ci/tasks/build.sh b/ci/tasks/build.sh
index a9c4a178ca..bcd52fd9f4 100755
--- a/ci/tasks/build.sh
+++ b/ci/tasks/build.sh
@@ -77,11 +77,9 @@ chown -R ubuntu:ubuntu "${REPO_PARENT}/bosh-linux-stemcell-builder"
 chown -R ubuntu:ubuntu /mnt
 sudo chmod u+s "$(which sudo)"
 
-sudo --set-home --user ubuntu -- \
-  env GEM_HOME="${GEM_HOME}" \
-      UBUNTU_ADVANTAGE_TOKEN="${UBUNTU_ADVANTAGE_TOKEN:-}" \
-      UBUNTU_FIPS_USE_IAAS_KERNEL="${UBUNTU_FIPS_USE_IAAS_KERNEL:-}" \
-  /bin/bash --login -i <<SUDO
+sudo --set-home --user ubuntu \
+  --preserve-env=GEM_HOME,UBUNTU_ADVANTAGE_TOKEN,UBUNTU_FIPS_USE_IAAS_KERNEL \
+  -- /bin/bash --login -i <<SUDO
 set -e
 
 cd "${REPO_PARENT}/bosh-linux-stemcell-builder"
diff --git a/ci/tasks/os-images/build.sh b/ci/tasks/os-images/build.sh
index 62bb14b479..f8f31b58a7 100755
--- a/ci/tasks/os-images/build.sh
+++ b/ci/tasks/os-images/build.sh
@@ -35,12 +35,9 @@ chown -R ubuntu:ubuntu "${REPO_PARENT}/bosh-linux-stemcell-builder"
 chown -R ubuntu:ubuntu /mnt
 sudo chmod u+s "$(which sudo)"
 
-sudo --set-home --user ubuntu -- \
-  env GEM_HOME="${GEM_HOME}" \
-      BUILD_TIME="${BUILD_TIME:-}" \
-      UBUNTU_ADVANTAGE_TOKEN="${UBUNTU_ADVANTAGE_TOKEN:-}" \
-      UBUNTU_DEBOOTSTRAP_MIRROR="${UBUNTU_DEBOOTSTRAP_MIRROR:-}" \
-  /bin/bash --login -i <<SUDO
+sudo --set-home --user ubuntu \
+  --preserve-env=GEM_HOME,BUILD_TIME,UBUNTU_ADVANTAGE_TOKEN,UBUNTU_DEBOOTSTRAP_MIRROR \
+  -- /bin/bash --login -i <<SUDO
 set -e
 
 cd "${REPO_PARENT}/bosh-linux-stemcell-builder"

From d929445bdd236d70120dfe3d33f9150b900ec8bd Mon Sep 17 00:00:00 2001
From: aram price <aram.price@broadcom.com>
Date: Tue, 9 Jun 2026 19:23:20 -0700
Subject: [PATCH 04/19] CI: pass `SHLVL` to make `~ubuntu/.bash_logout` succeed

---
 ci/tasks/build.sh           | 5 +++--
 ci/tasks/os-images/build.sh | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ci/tasks/build.sh b/ci/tasks/build.sh
index bcd52fd9f4..c8ae18bcac 100755
--- a/ci/tasks/build.sh
+++ b/ci/tasks/build.sh
@@ -77,9 +77,10 @@ chown -R ubuntu:ubuntu "${REPO_PARENT}/bosh-linux-stemcell-builder"
 chown -R ubuntu:ubuntu /mnt
 sudo chmod u+s "$(which sudo)"
 
+# pass SHLVL or '~ubuntu/.bash_logout' will exit 1
 sudo --set-home --user ubuntu \
-  --preserve-env=GEM_HOME,UBUNTU_ADVANTAGE_TOKEN,UBUNTU_FIPS_USE_IAAS_KERNEL \
-  -- /bin/bash --login -i <<SUDO
+  --preserve-env=GEM_HOME,SHLVL,UBUNTU_ADVANTAGE_TOKEN,UBUNTU_FIPS_USE_IAAS_KERNEL \
+  -- /bin/bash --login <<SUDO
 set -e
 
 cd "${REPO_PARENT}/bosh-linux-stemcell-builder"
diff --git a/ci/tasks/os-images/build.sh b/ci/tasks/os-images/build.sh
index f8f31b58a7..5b55f27f79 100755
--- a/ci/tasks/os-images/build.sh
+++ b/ci/tasks/os-images/build.sh
@@ -35,9 +35,10 @@ chown -R ubuntu:ubuntu "${REPO_PARENT}/bosh-linux-stemcell-builder"
 chown -R ubuntu:ubuntu /mnt
 sudo chmod u+s "$(which sudo)"
 
+# pass SHLVL or '~ubuntu/.bash_logout' will exit 1
 sudo --set-home --user ubuntu \
-  --preserve-env=GEM_HOME,BUILD_TIME,UBUNTU_ADVANTAGE_TOKEN,UBUNTU_DEBOOTSTRAP_MIRROR \
-  -- /bin/bash --login -i <<SUDO
+  --preserve-env=GEM_HOME,SHLVL,BUILD_TIME,UBUNTU_ADVANTAGE_TOKEN,UBUNTU_DEBOOTSTRAP_MIRROR \
+  -- /bin/bash --login <<SUDO
 set -e
 
 cd "${REPO_PARENT}/bosh-linux-stemcell-builder"

From dfe1504e1671bbc78eec52c0254768fe4e727a7b Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Wed, 10 Jun 2026 03:34:44 +0000
Subject: [PATCH 05/19] Bump os-image tgz

---
 image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index 7b39b27a6f..785564b2ba 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,12 +1,12 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">aea9d114124dd96611935299222b29b9ad03537e90c4c0e0d41205012fc97b140113e8ed972d376a6da9b44fc8bab0f60bd1d92b51adbf29ed6cb241bbaf12d3</hash>
-    <hash type="sha-256">d93c7bb07f9d429772f8cb9386bf8d147b3d3a631fa1f9a578643faba9177f2a</hash>
-    <hash type="sha-1">3b14ab2843defa3355adea3f5f44381cec1af0af</hash>
-    <hash type="md5">b113324e19a4d450a7cf8c3d8e9efbe8</hash>
-    <size>435212632</size>
+    <hash type="sha-512">fab1ec89357516ccedd49d3c1a2f9e8db258ce7e69bb158fdd3ea825b3e2556d89606f0bbb5f83117d3b437a955998a346cfda3b0ffdf7797e4941ad4187ed2a</hash>
+    <hash type="sha-256">119afe900ff3339ae2f7edfd59b19582971f5d1de61e5bba3c269c8ea3233614</hash>
+    <hash type="sha-1">d7e7142fc0486c0a3b8a5c3b317b47dbb2fd188d</hash>
+    <hash type="md5">69c8530406c7669f7d99e5d8289a2b6f</hash>
+    <size>435214502</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1082.0.0</version>
+    <version>1083.0.0</version>
   </file>
   <file name="usn-log.json">
     <hash type="sha-512">be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09</hash>
@@ -15,8 +15,8 @@
     <hash type="md5">68b329da9893e34099c7d8ad5cb9c940</hash>
     <size>1</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1082.0.0</version>
+    <version>1083.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-09T19:33:14.185742096Z</published>
+  <published>2026-06-10T03:34:35.655940604Z</published>
 </metalink>

From b5a0b15b9f0d7f502e977f907037a4bee497af4a Mon Sep 17 00:00:00 2001
From: aram price <aram.price@broadcom.com>
Date: Tue, 9 Jun 2026 20:41:27 -0700
Subject: [PATCH 06/19] Update PR template

---
 .github/pull_request_template.md | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index a2e4fb33c9..10ae7a26fb 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -2,8 +2,6 @@ NOTE: this repository uses a "Merge Forward" strategy
 
 Changes should be made in the earliest applicable branch, and
 merged forward through subsequent branches.
-1. Create a PR into the oldest branch (`ubuntu-<short_name>`)
-2. After this PR has been merged create a `merge-to-<next_short_name>` branch
-3. Merge `ubuntu-<short_name>` into `merge-to-<next_short_name>`
-4. Create a PR to merge `merge-to-<next_short_name>` into `ubuntu-<next_short_name>`
-5. Repeat as needed for subsequent branches
+1. PR should be created against the oldest stemcell branch, ex: `ubuntu-<short_name-N>`
+2. After this PR has been merged create a PR to merge `ubuntu-<short_name-N>` into `ubuntu-<short_name-N+1>`
+3. Repeat as needed for subsequent stemcell line branches

From decbd76ec7c4050b29450a580388439366b54722 Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Wed, 10 Jun 2026 04:10:08 +0000
Subject: [PATCH 07/19] Bump os-image tgz

---
 image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index 785564b2ba..be5921b24b 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,12 +1,12 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">fab1ec89357516ccedd49d3c1a2f9e8db258ce7e69bb158fdd3ea825b3e2556d89606f0bbb5f83117d3b437a955998a346cfda3b0ffdf7797e4941ad4187ed2a</hash>
-    <hash type="sha-256">119afe900ff3339ae2f7edfd59b19582971f5d1de61e5bba3c269c8ea3233614</hash>
-    <hash type="sha-1">d7e7142fc0486c0a3b8a5c3b317b47dbb2fd188d</hash>
-    <hash type="md5">69c8530406c7669f7d99e5d8289a2b6f</hash>
-    <size>435214502</size>
+    <hash type="sha-512">2c80183e437c7a0979361c5627b96e4a48214a308415ffd6d86eca6ea2873880cfe1d45df9fcfa45f3e26283793098991151465faf0b30a68f7b5d778aa66e99</hash>
+    <hash type="sha-256">94d0c11c691e8a932412ea93d435ee48582c0e47f8922251c1c8c0852e6f83b6</hash>
+    <hash type="sha-1">828cb2e51b01cc38fbc51d2a5b5de75f9172d745</hash>
+    <hash type="md5">e10df4fb0e0b5b0dc4df0311979fec9d</hash>
+    <size>435213359</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1083.0.0</version>
+    <version>1084.0.0</version>
   </file>
   <file name="usn-log.json">
     <hash type="sha-512">be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09</hash>
@@ -15,8 +15,8 @@
     <hash type="md5">68b329da9893e34099c7d8ad5cb9c940</hash>
     <size>1</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1083.0.0</version>
+    <version>1084.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-10T03:34:35.655940604Z</published>
+  <published>2026-06-10T04:09:57.044646044Z</published>
 </metalink>

From 080edbee98b12f44b9350f36ed64a27944f039fa Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Wed, 10 Jun 2026 15:24:23 +0000
Subject: [PATCH 08/19] Bump os-image tgz

---
 .../ubuntu-jammy/ubuntu-jammy.meta4           | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index be5921b24b..ded4085767 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,22 +1,22 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">2c80183e437c7a0979361c5627b96e4a48214a308415ffd6d86eca6ea2873880cfe1d45df9fcfa45f3e26283793098991151465faf0b30a68f7b5d778aa66e99</hash>
-    <hash type="sha-256">94d0c11c691e8a932412ea93d435ee48582c0e47f8922251c1c8c0852e6f83b6</hash>
-    <hash type="sha-1">828cb2e51b01cc38fbc51d2a5b5de75f9172d745</hash>
-    <hash type="md5">e10df4fb0e0b5b0dc4df0311979fec9d</hash>
-    <size>435213359</size>
+    <hash type="sha-512">fbc0d89a7fa5e4ef34619b9abc93eb53fa2cca6194fb2ed3a8e21cfb7b29dab0b571baed9b3a568cdd18e38d18cc22381b71501549f561fca98e5840e1219a1d</hash>
+    <hash type="sha-256">35eb545449ac6771155a68f1011db511a70e9009bbce75967fd5c65a892ee16d</hash>
+    <hash type="sha-1">1f71eed0d62bbec1db27ab709cbdf29a76ad9904</hash>
+    <hash type="md5">1f86836cffbaabdb8a5d5495f9abecfb</hash>
+    <size>435216501</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1084.0.0</version>
+    <version>1085.0.0</version>
   </file>
   <file name="usn-log.json">
-    <hash type="sha-512">be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09</hash>
-    <hash type="sha-256">01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b</hash>
-    <hash type="sha-1">adc83b19e793491b1c6ea0fd8b46cd9f32e592fc</hash>
-    <hash type="md5">68b329da9893e34099c7d8ad5cb9c940</hash>
-    <size>1</size>
+    <hash type="sha-512">c33c256f7c140a827b24433745fca44758cc4718e3cef9c4d726da18b7da778a5942d6983d32dee2de71d06402813f78895fc5c6b74ed7eb0d2187eeb797f157</hash>
+    <hash type="sha-256">b67758c1a68bee8c576e364181d2a8bc13ac5199e671b49fede2bebbcba26ef8</hash>
+    <hash type="sha-1">485618d4fd57270016167dc8d75de924243e69b9</hash>
+    <hash type="md5">943a504d1b25d024ff79aaf9773f148c</hash>
+    <size>6994</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1084.0.0</version>
+    <version>1085.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-10T04:09:57.044646044Z</published>
+  <published>2026-06-10T15:24:12.3490296Z</published>
 </metalink>

From 15e36a1b35220bce65ed20055b0ecfcc1d374d2c Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Wed, 10 Jun 2026 21:52:38 +0000
Subject: [PATCH 09/19] Bump os-image tgz

---
 .../ubuntu-jammy/ubuntu-jammy.meta4           | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index ded4085767..b6bc4fa826 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,22 +1,22 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">fbc0d89a7fa5e4ef34619b9abc93eb53fa2cca6194fb2ed3a8e21cfb7b29dab0b571baed9b3a568cdd18e38d18cc22381b71501549f561fca98e5840e1219a1d</hash>
-    <hash type="sha-256">35eb545449ac6771155a68f1011db511a70e9009bbce75967fd5c65a892ee16d</hash>
-    <hash type="sha-1">1f71eed0d62bbec1db27ab709cbdf29a76ad9904</hash>
-    <hash type="md5">1f86836cffbaabdb8a5d5495f9abecfb</hash>
-    <size>435216501</size>
+    <hash type="sha-512">5b7967ee8bc8a99bdc33e3ae1e88ba37977fae0a8ce4f89ce75bc7ac0997fb7a6e0cea144455eb20d27b993fba500eb3b1d60e74990a1fa9ffa5a7ec0f63913a</hash>
+    <hash type="sha-256">8cc94158a3a4862baeb39936d59cf3669d7774874bff05d49b28064ad260671d</hash>
+    <hash type="sha-1">d065fdcf010830156559211b261592a2d6ce1317</hash>
+    <hash type="md5">776f517428e1ea9d840f252cb9eed3ee</hash>
+    <size>435209924</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1085.0.0</version>
+    <version>1086.0.0</version>
   </file>
   <file name="usn-log.json">
-    <hash type="sha-512">c33c256f7c140a827b24433745fca44758cc4718e3cef9c4d726da18b7da778a5942d6983d32dee2de71d06402813f78895fc5c6b74ed7eb0d2187eeb797f157</hash>
-    <hash type="sha-256">b67758c1a68bee8c576e364181d2a8bc13ac5199e671b49fede2bebbcba26ef8</hash>
-    <hash type="sha-1">485618d4fd57270016167dc8d75de924243e69b9</hash>
-    <hash type="md5">943a504d1b25d024ff79aaf9773f148c</hash>
-    <size>6994</size>
+    <hash type="sha-512">04c6305dd88f1f0fdb8c052c3161682a0320751c96e6e5b6bc0b948bd3c0745d250ff57be25a11e69c1cbc1faf49d6e4dbd9f16163ccdc6ee61f6bdb89e13732</hash>
+    <hash type="sha-256">52256f7644d5e043f59cd3799675e5b76577fc57b7ccac248349ec4a382b2643</hash>
+    <hash type="sha-1">17fb83a8835fffe0fa223470bd10451554cf9ca9</hash>
+    <hash type="md5">d6447fb301e142d191d4d2ce0a39ae2b</hash>
+    <size>8289</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1085.0.0</version>
+    <version>1086.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-10T15:24:12.3490296Z</published>
+  <published>2026-06-10T21:52:23.610214379Z</published>
 </metalink>

From ca5a6c769eefc36c175040042de41fad63af76d6 Mon Sep 17 00:00:00 2001
From: I761617 <ivaylo.ivanov06@sap.com>
Date: Mon, 4 May 2026 10:55:21 +0300
Subject: [PATCH 10/19] Add instance storage discovery patterns in config

---
 stemcell_builder/stages/bosh_aws_agent_settings/apply.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/stemcell_builder/stages/bosh_aws_agent_settings/apply.sh b/stemcell_builder/stages/bosh_aws_agent_settings/apply.sh
index bc2e647e5d..baf6e0dc1f 100755
--- a/stemcell_builder/stages/bosh_aws_agent_settings/apply.sh
+++ b/stemcell_builder/stages/bosh_aws_agent_settings/apply.sh
@@ -11,7 +11,9 @@ cat > $chroot/var/vcap/bosh/agent.json <<JSON
       $(get_partitioner_type_mapping)
       "DevicePathResolutionType": "virtio",
       "CreatePartitionIfNoEphemeralDisk": true,
-      "UseMonitIptablesFirewall": true
+      "UseMonitIptablesFirewall": true,
+      "InstanceStorageDevicePattern": "/dev/nvme*n1",
+      "InstanceStorageManagedVolumePattern": "/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_*"
     }
   },
   "Infrastructure": {

From ef51888a5db43d4fa8ac7e3444c303576ac1920e Mon Sep 17 00:00:00 2001
From: I761617 <ivaylogi98@gmail.com>
Date: Tue, 9 Jun 2026 15:03:04 +0300
Subject: [PATCH 11/19] Add tests for InstanceStorageDevicePattern and
 InstanceStorageManagedVolumePattern in aws_spec.rb

---
 bosh-stemcell/spec/stemcells/aws_spec.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/bosh-stemcell/spec/stemcells/aws_spec.rb b/bosh-stemcell/spec/stemcells/aws_spec.rb
index 6bec843796..7c54a9d92e 100644
--- a/bosh-stemcell/spec/stemcells/aws_spec.rb
+++ b/bosh-stemcell/spec/stemcells/aws_spec.rb
@@ -24,6 +24,22 @@
     end
   end
 
+  context "installed by bosh_aws_agent_settings" do
+    describe file("/var/vcap/bosh/agent.json") do
+      it { should be_valid_json_file }
+
+      it "sets InstanceStorageDevicePattern for NVMe instance storage" do
+        config = JSON.parse(subject.content)
+        expect(config.dig("Platform", "Linux", "InstanceStorageDevicePattern")).to eq("/dev/nvme*n1")
+      end
+
+      it "sets InstanceStorageManagedVolumePattern to exclude EBS volumes" do
+        config = JSON.parse(subject.content)
+        expect(config.dig("Platform", "Linux", "InstanceStorageManagedVolumePattern")).to eq("/dev/disk/by-id/nvme-Amazon_Elastic_Block_Store_*")
+      end
+    end
+  end
+
   describe "nvme" do
     describe "nvme-id finder" do
       subject { file("/sbin/nvme-id") }

From e6f4e277b367038fcd580970ad1e36bdf441d974 Mon Sep 17 00:00:00 2001
From: I761617 <ivaylogi98@gmail.com>
Date: Thu, 11 Jun 2026 13:12:21 +0300
Subject: [PATCH 12/19] Add NVMe support to Alicloud infrastructure
 configuration

---
 .../lib/bosh/stemcell/infrastructure.rb        |  5 ++++-
 .../spec/bosh/stemcell/infrastructure_spec.rb  | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/bosh-stemcell/lib/bosh/stemcell/infrastructure.rb b/bosh-stemcell/lib/bosh/stemcell/infrastructure.rb
index 8ea52a9ceb..55bba599a2 100644
--- a/bosh-stemcell/lib/bosh/stemcell/infrastructure.rb
+++ b/bosh-stemcell/lib/bosh/stemcell/infrastructure.rb
@@ -158,7 +158,10 @@ def initialize
       end
 
       def additional_cloud_properties
-        {"root_device_name" => "/dev/vda1"}
+        {
+          "root_device_name" => "/dev/vda1",
+          "nvme_support" => "supported"
+        }
       end
     end
 
diff --git a/bosh-stemcell/spec/bosh/stemcell/infrastructure_spec.rb b/bosh-stemcell/spec/bosh/stemcell/infrastructure_spec.rb
index e62abc9cf2..fc9a090024 100644
--- a/bosh-stemcell/spec/bosh/stemcell/infrastructure_spec.rb
+++ b/bosh-stemcell/spec/bosh/stemcell/infrastructure_spec.rb
@@ -95,6 +95,24 @@ module Bosh::Stemcell
     end
   end
 
+  describe Infrastructure::Alicloud do
+    its(:name) { should eq("alicloud") }
+    its(:hypervisor) { should eq("kvm") }
+    its(:default_disk_size) { should eq(5120) }
+    its(:disk_formats) { should eq(["raw"]) }
+    its(:stemcell_formats) { should eq(["alicloud-raw"]) }
+
+    it { should eq Infrastructure.for("alicloud") }
+    it { should_not eq Infrastructure.for("aws") }
+
+    it "has alicloud specific additional cloud properties" do
+      expect(subject.additional_cloud_properties).to eq({
+        "root_device_name" => "/dev/vda1",
+        "nvme_support" => "supported"
+      })
+    end
+  end
+
   describe Infrastructure::Google do
     its(:name) { should eq("google") }
     its(:hypervisor) { should eq("kvm") }

From 9d44ccf34dd5db856ac7cb6bf05efb44cfaf9a7b Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Thu, 11 Jun 2026 23:27:35 +0000
Subject: [PATCH 13/19] bump bosh-agent/2.853.0

---
 .../bosh_go_agent/assets/bosh-agent-version   |  2 +-
 .../bosh_go_agent/assets/metalink.meta4       | 64 +++++++++----------
 2 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version b/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version
index 477a5d6b1b..7a708b3056 100644
--- a/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version
+++ b/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version
@@ -1 +1 @@
-2.852.0
\ No newline at end of file
+2.853.0
\ No newline at end of file
diff --git a/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4 b/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4
index 7d1835d328..ccacf0c5b7 100644
--- a/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4
+++ b/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4
@@ -1,49 +1,49 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
-  <file name="bosh-agent-2.852.0-linux-amd64">
-    <hash type="sha-512">332ee5a24befff9b9751abf531eb56824cdf915e009ba766ef14b50c165af23cdc649520aca492cac8db906e30111d8305bf77e348cb65c64f932593d6e4e498</hash>
-    <hash type="sha-256">acc3f514ff57797abd873291d7b3397c7b5e20f8716390d52f137fd53bebbef7</hash>
-    <hash type="sha-1">f9d13300fa816741e0553df1a4445b67961abb2d</hash>
-    <hash type="md5">88820119036d0928875776ca8a4af1e4</hash>
+  <file name="bosh-agent-2.853.0-linux-amd64">
+    <hash type="sha-512">d0a556cfe6ee547a392507720778ae5d01f07493a2145a86481c14a3403d9c30e1d7c638320a69e7c7466f82de1e7ef33f72078141692399d6a435f2ce5bde52</hash>
+    <hash type="sha-256">ba14b0cad896824615c9587226e029b9403a3e0cd5fa352eb8c95ff4cbbd2eb4</hash>
+    <hash type="sha-1">5d2e3d215038e19eb0c9eaff1b662a68ef05b462</hash>
+    <hash type="md5">c14e6a3396b5d91f48ce992150470d14</hash>
     <size>22122821</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.852.0-linux-amd64</url>
-    <version>2.852.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.853.0-linux-amd64</url>
+    <version>2.853.0</version>
   </file>
-  <file name="bosh-agent-2.852.0-windows-amd64.exe">
-    <hash type="sha-512">fba4a14f78b798c3dcee072f7f9c6a08abf74f0fd5e2612f33dc087b3a21868e33e61ceb39a56c1eed350d6a3bb6a95bfb610de620961c2e3706adb0f36cba6b</hash>
-    <hash type="sha-256">eb9b5f26b9438ece5f4f24b70db46b8222e71b207ec12fca3261bbc24959fdc2</hash>
-    <hash type="sha-1">2ac9da1644c836ab7326a19e42af3586ae998b32</hash>
-    <hash type="md5">1e5d2a1648092cfb73737a2c5d31be30</hash>
+  <file name="bosh-agent-2.853.0-windows-amd64.exe">
+    <hash type="sha-512">020cf7ef2b316d4ac439f7c9014a5aee14c494e26cce8fcb2047c816cd3f01a7854934febe2b559a6cf28464e02b69f69af48adec166ddb11d765470f34f1f35</hash>
+    <hash type="sha-256">de0cfda10e02a2b9f54895438bee8e8dbafcdce755955b5ec861122b0cf1c8c2</hash>
+    <hash type="sha-1">6aa3ea0b51933bab83623528ce2a254863b5c77a</hash>
+    <hash type="md5">e2573a8f9f1f95d30084e6351793ec66</hash>
     <size>21970944</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.852.0-windows-amd64.exe</url>
-    <version>2.852.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.853.0-windows-amd64.exe</url>
+    <version>2.853.0</version>
   </file>
-  <file name="bosh-agent-pipe-2.852.0-windows-amd64.exe">
-    <hash type="sha-512">8d95cbcb1e23ab81cfb884cdcf9f6db2b604623776034a04459a4e0d4372227abb50e370b9fe1eff1c277dc34741e4af0ecb6f9c7d0061b5d08071726f9c8c97</hash>
-    <hash type="sha-256">e87f467c5f0254437dd33aac392c29b5e4c68a78fdff522f10cf569491c263af</hash>
-    <hash type="sha-1">89682658edec43c05b86b0b9fbdda5dc3d4d7b64</hash>
-    <hash type="md5">d7768248330549d65c9b2ff3ea016277</hash>
+  <file name="bosh-agent-pipe-2.853.0-windows-amd64.exe">
+    <hash type="sha-512">8eef49380cd4bfe5ef49bf39c45d6d515d0d4a08b4dd620971302559d875e4e99737bef0d7ca1923cbb193ce84d58911f0e2b03552b3d3e5b69592ffd41cea3e</hash>
+    <hash type="sha-256">ba4aea6089bebf268591b0065dfe82f7dbe8ab2d4e3598f5da046ae2b87cb5fb</hash>
+    <hash type="sha-1">3603673f891f8d056f553a83872bbd498ab3ea7e</hash>
+    <hash type="md5">b24203fc73e8cc0ba16acfc5cd5abc03</hash>
     <size>9023488</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-pipe-2.852.0-windows-amd64.exe</url>
-    <version>2.852.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-pipe-2.853.0-windows-amd64.exe</url>
+    <version>2.853.0</version>
   </file>
-  <file name="git-sha-2.852.0">
-    <hash type="sha-512">9075fec0295e986aa95bfa9de8bb40e26e0932b05af5e8e666fe35f6c6e21944d5395b4efa047e91b2332d56e751563f13b7a68e7e9f2f8c9b28c82f7d15c7f4</hash>
-    <hash type="sha-256">7f7c0d8e0a7213855d75459be82aa25fea12de33a3539931a324e655fbeb5e69</hash>
-    <hash type="sha-1">6af2c57a4cc2437d26859f49c1c2a6f0672291c8</hash>
-    <hash type="md5">85872b0eae97abb6f174cebf373b4bda</hash>
+  <file name="git-sha-2.853.0">
+    <hash type="sha-512">10664db5dfc7cfa7093f4066360330fbc1c3cde76ea2c99f9873f1e7a6a1a32bcc75891b087ff13ca07e2a8ec9390e2cb9a9140e0a5cc348aef1366460389aa3</hash>
+    <hash type="sha-256">2dcb81d1f5cf460b91657b4e9f3ea727f106e31d25c5c61ca5631dc989dc1357</hash>
+    <hash type="sha-1">513b22fc425772a8607bf183b4323e14f372c286</hash>
+    <hash type="md5">6d95a40df0db4c0cc5a8d77f58854059</hash>
     <size>9</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/git-sha-2.852.0</url>
-    <version>2.852.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/git-sha-2.853.0</url>
+    <version>2.853.0</version>
   </file>
-  <file name="service_wrapper-2.852.0.xml">
+  <file name="service_wrapper-2.853.0.xml">
     <hash type="sha-512">fe22cd6fd90ded459b08385497032f2de4022f712dc753dc026ffbc024d3cdd5007f68886f0d4dd8a7832ece138455c3320ce65b72eec054ed3717f6212a7567</hash>
     <hash type="sha-256">a1f4729600504b0cc026ff5e826bb403b43a564780e091d01e0ab7bacb15906a</hash>
     <hash type="sha-1">a5a1e59f6bfaa23bffb85a6647bfbc3df1dbf594</hash>
     <hash type="md5">c0e9e8c1a9510c750742534ba431530b</hash>
     <size>708</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/service_wrapper-2.852.0.xml</url>
-    <version>2.852.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/service_wrapper-2.853.0.xml</url>
+    <version>2.853.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-02T20:37:38.94033158Z</published>
+  <published>2026-06-06T14:32:36.787282533Z</published>
 </metalink>

From d8b99bae5c62ccff558f01250357631315a32132 Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Thu, 11 Jun 2026 23:44:17 +0000
Subject: [PATCH 14/19] Bump os-image tgz

---
 image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index b6bc4fa826..219e9c6b7a 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,12 +1,12 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">5b7967ee8bc8a99bdc33e3ae1e88ba37977fae0a8ce4f89ce75bc7ac0997fb7a6e0cea144455eb20d27b993fba500eb3b1d60e74990a1fa9ffa5a7ec0f63913a</hash>
-    <hash type="sha-256">8cc94158a3a4862baeb39936d59cf3669d7774874bff05d49b28064ad260671d</hash>
-    <hash type="sha-1">d065fdcf010830156559211b261592a2d6ce1317</hash>
-    <hash type="md5">776f517428e1ea9d840f252cb9eed3ee</hash>
-    <size>435209924</size>
+    <hash type="sha-512">9cbf6f532438096decc50669158a2130e6ce1525a2010ccb55fcee62c5c8ba2af754c96d57c10850d244211502ed48b8b6be6ad4dfaf730b7ad91888c9f48ff1</hash>
+    <hash type="sha-256">d21cdfaeb686a5f73c67c25eac943a31195597232f1cd7142eec67f85703b330</hash>
+    <hash type="sha-1">1694259aad769d606f0e935a0e124721b59dc49f</hash>
+    <hash type="md5">9a00d0f8213ae6e624049df0754059a7</hash>
+    <size>435225172</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1086.0.0</version>
+    <version>1087.0.0</version>
   </file>
   <file name="usn-log.json">
     <hash type="sha-512">04c6305dd88f1f0fdb8c052c3161682a0320751c96e6e5b6bc0b948bd3c0745d250ff57be25a11e69c1cbc1faf49d6e4dbd9f16163ccdc6ee61f6bdb89e13732</hash>
@@ -15,8 +15,8 @@
     <hash type="md5">d6447fb301e142d191d4d2ce0a39ae2b</hash>
     <size>8289</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1086.0.0</version>
+    <version>1087.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-10T21:52:23.610214379Z</published>
+  <published>2026-06-11T23:44:05.085975371Z</published>
 </metalink>

From 549882c618a9c38ae9647249856e35adb5687dbd Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Fri, 12 Jun 2026 05:42:50 +0000
Subject: [PATCH 15/19] bump bosh-agent/2.854.0

---
 .../bosh_go_agent/assets/bosh-agent-version   |  2 +-
 .../bosh_go_agent/assets/metalink.meta4       | 68 +++++++++----------
 2 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version b/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version
index 7a708b3056..82763783dd 100644
--- a/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version
+++ b/stemcell_builder/stages/bosh_go_agent/assets/bosh-agent-version
@@ -1 +1 @@
-2.853.0
\ No newline at end of file
+2.854.0
\ No newline at end of file
diff --git a/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4 b/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4
index ccacf0c5b7..966f89dd30 100644
--- a/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4
+++ b/stemcell_builder/stages/bosh_go_agent/assets/metalink.meta4
@@ -1,49 +1,49 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
-  <file name="bosh-agent-2.853.0-linux-amd64">
-    <hash type="sha-512">d0a556cfe6ee547a392507720778ae5d01f07493a2145a86481c14a3403d9c30e1d7c638320a69e7c7466f82de1e7ef33f72078141692399d6a435f2ce5bde52</hash>
-    <hash type="sha-256">ba14b0cad896824615c9587226e029b9403a3e0cd5fa352eb8c95ff4cbbd2eb4</hash>
-    <hash type="sha-1">5d2e3d215038e19eb0c9eaff1b662a68ef05b462</hash>
-    <hash type="md5">c14e6a3396b5d91f48ce992150470d14</hash>
-    <size>22122821</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.853.0-linux-amd64</url>
-    <version>2.853.0</version>
+  <file name="bosh-agent-2.854.0-linux-amd64">
+    <hash type="sha-512">60c32b3a0b02fdfe23d4954225b3f102934a1018f2314d567fd7fa5703f4d1357a39045e06866bf030476eb51d3c6b733c2104d149f963f6f791a2df1b19d62e</hash>
+    <hash type="sha-256">ac491b683c1c31cccdfddc0b38dc4c535f20646c1cc10bd4b009441be174e767</hash>
+    <hash type="sha-1">9619886e9d58a3067bb9f28d62692491561ada94</hash>
+    <hash type="md5">48debf1aa8e03b54142ce6812c1ce708</hash>
+    <size>22082723</size>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.854.0-linux-amd64</url>
+    <version>2.854.0</version>
   </file>
-  <file name="bosh-agent-2.853.0-windows-amd64.exe">
-    <hash type="sha-512">020cf7ef2b316d4ac439f7c9014a5aee14c494e26cce8fcb2047c816cd3f01a7854934febe2b559a6cf28464e02b69f69af48adec166ddb11d765470f34f1f35</hash>
-    <hash type="sha-256">de0cfda10e02a2b9f54895438bee8e8dbafcdce755955b5ec861122b0cf1c8c2</hash>
-    <hash type="sha-1">6aa3ea0b51933bab83623528ce2a254863b5c77a</hash>
-    <hash type="md5">e2573a8f9f1f95d30084e6351793ec66</hash>
-    <size>21970944</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.853.0-windows-amd64.exe</url>
-    <version>2.853.0</version>
+  <file name="bosh-agent-2.854.0-windows-amd64.exe">
+    <hash type="sha-512">f89e68eb2e29d914534efaf4191c06c0200ce2d0614bfe154d9a9e7d2818a0ac2c9a9dc962fde80de15acaed55766ef8d2b726a460b3df0c4bca62c7c6f53e7b</hash>
+    <hash type="sha-256">6251ba807a219fa87407f3739922fe5844e56bc8cf6f2b8159696995fe0233f9</hash>
+    <hash type="sha-1">c202613fe2d93cd08d32387b45907abcd9664743</hash>
+    <hash type="md5">68ed8655d6e11d192652b08892aa8985</hash>
+    <size>21927424</size>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-2.854.0-windows-amd64.exe</url>
+    <version>2.854.0</version>
   </file>
-  <file name="bosh-agent-pipe-2.853.0-windows-amd64.exe">
-    <hash type="sha-512">8eef49380cd4bfe5ef49bf39c45d6d515d0d4a08b4dd620971302559d875e4e99737bef0d7ca1923cbb193ce84d58911f0e2b03552b3d3e5b69592ffd41cea3e</hash>
-    <hash type="sha-256">ba4aea6089bebf268591b0065dfe82f7dbe8ab2d4e3598f5da046ae2b87cb5fb</hash>
-    <hash type="sha-1">3603673f891f8d056f553a83872bbd498ab3ea7e</hash>
-    <hash type="md5">b24203fc73e8cc0ba16acfc5cd5abc03</hash>
+  <file name="bosh-agent-pipe-2.854.0-windows-amd64.exe">
+    <hash type="sha-512">35e15074e659a8b4aee6ae63732e094e54cd817df948fc9e032791a633e349c9172c8823b681f2000b16601a06ad14ca8984d08685dd62427fef6a2396604a66</hash>
+    <hash type="sha-256">deff8634b505021d7816adec2fdfddec1e7dff27566409f1188c8117a80d261f</hash>
+    <hash type="sha-1">604007d3ae0b4bde21bf8f137e1a9aff1e64188a</hash>
+    <hash type="md5">0554fbe400f74aacc4d3934a9bec853c</hash>
     <size>9023488</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-pipe-2.853.0-windows-amd64.exe</url>
-    <version>2.853.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/bosh-agent-pipe-2.854.0-windows-amd64.exe</url>
+    <version>2.854.0</version>
   </file>
-  <file name="git-sha-2.853.0">
-    <hash type="sha-512">10664db5dfc7cfa7093f4066360330fbc1c3cde76ea2c99f9873f1e7a6a1a32bcc75891b087ff13ca07e2a8ec9390e2cb9a9140e0a5cc348aef1366460389aa3</hash>
-    <hash type="sha-256">2dcb81d1f5cf460b91657b4e9f3ea727f106e31d25c5c61ca5631dc989dc1357</hash>
-    <hash type="sha-1">513b22fc425772a8607bf183b4323e14f372c286</hash>
-    <hash type="md5">6d95a40df0db4c0cc5a8d77f58854059</hash>
+  <file name="git-sha-2.854.0">
+    <hash type="sha-512">d39cf9145f19c00dccd07ed0b566661e6821edb137672220e86ecd502292831aed94ca101bb33c389e3e7c5c926a3d9c57e4dacfe08917e7c50974d74e4a6dd9</hash>
+    <hash type="sha-256">6c6958d30f3f5936fb0aca760e25aa086e2a5a92ef15d98892b46af207a43a9f</hash>
+    <hash type="sha-1">a30f0d58703a2e5296639b25d62af882fc7d7513</hash>
+    <hash type="md5">453d5cb300e14cc3ad8c71639a19123b</hash>
     <size>9</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/git-sha-2.853.0</url>
-    <version>2.853.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/git-sha-2.854.0</url>
+    <version>2.854.0</version>
   </file>
-  <file name="service_wrapper-2.853.0.xml">
+  <file name="service_wrapper-2.854.0.xml">
     <hash type="sha-512">fe22cd6fd90ded459b08385497032f2de4022f712dc753dc026ffbc024d3cdd5007f68886f0d4dd8a7832ece138455c3320ce65b72eec054ed3717f6212a7567</hash>
     <hash type="sha-256">a1f4729600504b0cc026ff5e826bb403b43a564780e091d01e0ab7bacb15906a</hash>
     <hash type="sha-1">a5a1e59f6bfaa23bffb85a6647bfbc3df1dbf594</hash>
     <hash type="md5">c0e9e8c1a9510c750742534ba431530b</hash>
     <size>708</size>
-    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/service_wrapper-2.853.0.xml</url>
-    <version>2.853.0</version>
+    <url>https://s3-external-1.amazonaws.com/bosh-agent-binaries/service_wrapper-2.854.0.xml</url>
+    <version>2.854.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-06T14:32:36.787282533Z</published>
+  <published>2026-06-11T23:25:36.524053958Z</published>
 </metalink>

From d1790e3961e7f0867bda35599d00e3513bd03370 Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Fri, 12 Jun 2026 06:00:43 +0000
Subject: [PATCH 16/19] Bump os-image tgz

---
 image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index 219e9c6b7a..44d8665351 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,12 +1,12 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">9cbf6f532438096decc50669158a2130e6ce1525a2010ccb55fcee62c5c8ba2af754c96d57c10850d244211502ed48b8b6be6ad4dfaf730b7ad91888c9f48ff1</hash>
-    <hash type="sha-256">d21cdfaeb686a5f73c67c25eac943a31195597232f1cd7142eec67f85703b330</hash>
-    <hash type="sha-1">1694259aad769d606f0e935a0e124721b59dc49f</hash>
-    <hash type="md5">9a00d0f8213ae6e624049df0754059a7</hash>
-    <size>435225172</size>
+    <hash type="sha-512">249ded4a60a3c79c779d3f937de1f4b75a7835e11822dc77caf8d63f2e2bcf5e9561f9f808ff1c125f28f69d8a23824c47272ce9ef322a69bb2bd60ee6045907</hash>
+    <hash type="sha-256">cd7807961cfd876880627bec561e0f816f1e21e998279b7665aeb77d2395c846</hash>
+    <hash type="sha-1">9969e43b3aa155e4e5cc0b47b217a94091f59200</hash>
+    <hash type="md5">a0b7ed840f0f400eb332add85730ce06</hash>
+    <size>435211053</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1087.0.0</version>
+    <version>1088.0.0</version>
   </file>
   <file name="usn-log.json">
     <hash type="sha-512">04c6305dd88f1f0fdb8c052c3161682a0320751c96e6e5b6bc0b948bd3c0745d250ff57be25a11e69c1cbc1faf49d6e4dbd9f16163ccdc6ee61f6bdb89e13732</hash>
@@ -15,8 +15,8 @@
     <hash type="md5">d6447fb301e142d191d4d2ce0a39ae2b</hash>
     <size>8289</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1087.0.0</version>
+    <version>1088.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-11T23:44:05.085975371Z</published>
+  <published>2026-06-12T06:00:33.134456831Z</published>
 </metalink>

From 720d3a3e19de3de3a20abc25c0a0b21dcf13efd7 Mon Sep 17 00:00:00 2001
From: Beyhan Veli <beyhan.veli@sap.com>
Date: Fri, 12 Jun 2026 08:59:18 +0200
Subject: [PATCH 17/19] Revert "Harden monit-access-helper.sh cgroupv2 mount
 point detection"

---
 .../stages/bosh_monit/assets/monit-access-helper.sh   | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
index d41c4e3636..be95cfa3a8 100644
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
@@ -19,21 +19,20 @@ monit_isolation_classid=2958295041
 #
 # Prefer cgroup.controllers; also accept stat(2) filesystem type for hosts where
 # the file is missing from the mount view but the root is still cgroup2fs.
-system_using_unified_cgroup_v2() {
+monit_using_unified_cgroup_v2() {
     [ -f /sys/fs/cgroup/cgroup.controllers ] && return 0
     [ "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" = "cgroup2fs" ]
 }
 
 permit_monit_access() {
-    if system_using_unified_cgroup_v2; then
+    if monit_using_unified_cgroup_v2; then
         # cgroupv2 (unified hierarchy)
         # Create a sub-cgroup under the current process's cgroup and move into it.
         # The iptables rules match on this cgroup path.
-        cgroup_mount="$(awk '$1 == "cgroup2" && $3 == "cgroup2" { print $2 }' /proc/self/mounts)"
-        nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | grep -c '^.')
+        cgroup_mount="$(awk '$3 == "cgroup2" { print $2 }' /proc/self/mounts)"
         current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
-        if [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
-            echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount} nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts}" >&2
+        if [ -z "${cgroup_mount}" ] || [ -z "${current_cgroup}" ]; then
+            echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2
             return 1
         fi
         monit_access_cgroup="${cgroup_mount}${current_cgroup}/monit-api-access"

From 306b7b8c511e4edf225452cd6299babb8ccff9aa Mon Sep 17 00:00:00 2001
From: CI Bot <infra@cloudfoundry.org>
Date: Fri, 12 Jun 2026 19:44:34 +0000
Subject: [PATCH 18/19] Bump os-image tgz

---
 image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index 44d8665351..c8faadd4ab 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,12 +1,12 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">249ded4a60a3c79c779d3f937de1f4b75a7835e11822dc77caf8d63f2e2bcf5e9561f9f808ff1c125f28f69d8a23824c47272ce9ef322a69bb2bd60ee6045907</hash>
-    <hash type="sha-256">cd7807961cfd876880627bec561e0f816f1e21e998279b7665aeb77d2395c846</hash>
-    <hash type="sha-1">9969e43b3aa155e4e5cc0b47b217a94091f59200</hash>
-    <hash type="md5">a0b7ed840f0f400eb332add85730ce06</hash>
-    <size>435211053</size>
+    <hash type="sha-512">b748ba44907447a03a8e161b370795221f94961f42d59684a5d3f5aef3d48aa523dca132825ce1abf983fca1fc96532c2db9bffbcf4d71714bcff63b5026d62f</hash>
+    <hash type="sha-256">a4fff818d92a51015e05337bc3085a06696122f2bff31cdd2053957d99b9ee25</hash>
+    <hash type="sha-1">ab89630e24048ea311a4ee6a2964d3e1998177ed</hash>
+    <hash type="md5">25d8f6bba0a5e43838922b5f704e580d</hash>
+    <size>435207580</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1088.0.0</version>
+    <version>1089.0.0</version>
   </file>
   <file name="usn-log.json">
     <hash type="sha-512">04c6305dd88f1f0fdb8c052c3161682a0320751c96e6e5b6bc0b948bd3c0745d250ff57be25a11e69c1cbc1faf49d6e4dbd9f16163ccdc6ee61f6bdb89e13732</hash>
@@ -15,8 +15,8 @@
     <hash type="md5">d6447fb301e142d191d4d2ce0a39ae2b</hash>
     <size>8289</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1088.0.0</version>
+    <version>1089.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-12T06:00:33.134456831Z</published>
+  <published>2026-06-12T19:44:25.082634332Z</published>
 </metalink>

From f4e85982597c4a03f8f5c18d1be98ddc1abff800 Mon Sep 17 00:00:00 2001
From: aram price <aram.price@broadcom.com>
Date: Fri, 12 Jun 2026 12:42:52 -0700
Subject: [PATCH 19/19] Nit: fix spelling

---
 stemcell_builder/stages/image_install_grub/apply.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stemcell_builder/stages/image_install_grub/apply.sh b/stemcell_builder/stages/image_install_grub/apply.sh
index af271b0496..4bcdb70ee6 100755
--- a/stemcell_builder/stages/image_install_grub/apply.sh
+++ b/stemcell_builder/stages/image_install_grub/apply.sh
@@ -40,7 +40,7 @@ add_on_exit "umount ${image_mount_point}"
 #      eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
 #      eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
-# device: path to the loopback devide mapped to the entire disk image
+# device: path to the loopback device mapped to the entire disk image
 #      eg: /dev/loop0
 # loopback_dev: device node mapped to the main partition in disk_image
 #      eg: /dev/mapper/loop0p1