From 720d3a3e19de3de3a20abc25c0a0b21dcf13efd7 Mon Sep 17 00:00:00 2001
From: Beyhan Veli
Date: Fri, 12 Jun 2026 08:59:18 +0200
Subject: [PATCH 1/2] Revert "Harden monit-access-helper.sh cgroupv2 mount point detection"
---
 .../stages/bosh_monit/assets/monit-access-helper.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
index d41c4e3636..be95cfa3a8 100644
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
@@ -19,21 +19,20 @@ monit_isolation_classid=2958295041
 #
 # Prefer cgroup.controllers; also accept stat(2) filesystem type for hosts where
 # the file is missing from the mount view but the root is still cgroup2fs.
-system_using_unified_cgroup_v2() {
+monit_using_unified_cgroup_v2() {
 [ -f /sys/fs/cgroup/cgroup.controllers ] && return 0
 [ "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" = "cgroup2fs" ]
 }

 permit_monit_access() {
- if system_using_unified_cgroup_v2; then
+ if monit_using_unified_cgroup_v2; then
 # cgroupv2 (unified hierarchy)
 # Create a sub-cgroup under the current process's cgroup and move into it.
 # The iptables rules match on this cgroup path.
- cgroup_mount="$(awk '$1 == "cgroup2" && $3 == "cgroup2" { print $2 }' /proc/self/mounts)"
- nb_matching_cgroup_mounts=$(echo "$cgroup_mount" | grep -c '^.')
+ cgroup_mount="$(awk '$3 == "cgroup2" { print $2 }' /proc/self/mounts)"
 current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
- if [ "${nb_matching_cgroup_mounts}" -ne 1 ] || [ -z "${current_cgroup}" ]; then
- echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount} nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts}" >&2
+ if [ -z "${cgroup_mount}" ] || [ -z "${current_cgroup}" ]; then
+ echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2
 return 1
 fi
 monit_access_cgroup="${cgroup_mount}${current_cgroup}/monit-api-access"
From 701ac72ac150a86c061824ef3b8604b028c75c61 Mon Sep 17 00:00:00 2001
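Review bot: The restored `echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2` line drops the values the reverted version reported, so when `cgroup_mount` or `current_cgroup` is empty an operator cannot tell which of the two lookups failed or what /proc/self/mounts produced, and the second patch in this series keeps this line unchanged. Consider `echo "permit_monit_access: unable to resolve cgroup v2 mount or path. cgroup_mount=${cgroup_mount} current_cgroup=${current_cgroup}" >&2`. Note also that with the plain `$3 == "cgroup2"` filter restored here, `cgroup_mount` can be multi-line on hosts with several cgroup2 mounts and the `-z` test does not detect that; the second patch changes the selection, so this only matters if the two patches are not taken together. permit_monit_access continues past the end of the hunk.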
From: Guillaume Berche Date: Fri, 12 Jun 2026 12:56:37 +0200 Subject: [PATCH 2/2] Harden cgroupv2 mounts detection by selecting the first mount 1e4a11482 was filtering on the cgroupv2 device to prevent a `cgroup_mount` variable with multiline content failing downstream without clear errors. cilium-originating mount ``` cat /proc/self/mounts | grep cgroup2 # device mount_point fs_type dummy cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0 none /run/cilium/cgroupv2 cgroup2 rw,relatime 0 0 ``` however, in warden/docker stemcells, the device is cgroup, which introduced regression #637 ``` cat /proc/self/mounts | grep cgroup2 # device mount_point fs_type dummy cgroup /sys/fs/cgroup cgroup2 rw,... ``` Applying suggestion by @colins in https://github.com/cloudfoundry/bosh-linux-stemcell-builder/issues/637 to instead rely on the chronological ordering of mount points, and select the canonical cgroup2 mount point first added by the kernel during the boot process. https://man7.org/linux/man-pages/man5/proc_pid_mounts.5.html > /proc/self/mounts, lists the mounts of the process's own mount namespace. The format of this file is documented in [fstab(5)](https://man7.org/linux/man-pages/man5/fstab.5.html). https://man7.org/linux/man-pages/man5/fstab.5.html > The order of records in fstab is important because [fsck(8)](https://man7.org/linux/man-pages/man8/fsck.8.html), [mount(8)](https://man7.org/linux/man-pages/man8/mount.8.html), and [umount(8)](https://man7.org/linux/man-pages/man8/umount.8.html) > sequentially iterate through fstab doing their thing https://man7.org/linux/man-pages/man7/cgroups.7.html > Note that on many modern systems, systemd(1) automatically mounts > the cgroup2 filesystem at /sys/fs/cgroup/unified during the boot > process. --- .../stages/bosh_monit/assets/monit-access-helper.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
index be95cfa3a8..b6eac78555 100644
--- a/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
+++ b/stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh
@@ -29,7 +29,7 @@ permit_monit_access() {
 # cgroupv2 (unified hierarchy)
 # Create a sub-cgroup under the current process's cgroup and move into it.
 # The iptables rules match on this cgroup path.
- cgroup_mount="$(awk '$3 == "cgroup2" { print $2 }' /proc/self/mounts)"
+ cgroup_mount="$(awk '$3 == "cgroup2" { print $2; exit }' /proc/self/mounts)"
 current_cgroup="$(grep '^0::' /proc/self/cgroup | cut -d: -f3)"
 if [ -z "${cgroup_mount}" ] || [ -z "${current_cgroup}" ]; then
 echo "permit_monit_access: unable to resolve cgroup v2 mount or path" >&2
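Review bot: The added `; exit` on the `cgroup_mount=` line encodes an ordering assumption — that the first cgroup2 entry in /proc/self/mounts is the hierarchy root mounted at boot — but the comment block above the line still only describes the sub-cgroup creation, so a reader of the file has to dig up the commit message to learn why later entries (the cilium mount in the description) are skipped. Add a comment such as `# Several cgroup2 mounts may be listed (e.g. CNI or container-runtime mounts); the first entry is the one mounted at boot.`. Since that ordering is a property of how the mount namespace was assembled rather than something the kernel guarantees, the chosen value should at least be visible when things go wrong: extend the existing error line to `echo "permit_monit_access: unable to resolve cgroup v2 mount or path (cgroup_mount=${cgroup_mount} current_cgroup=${current_cgroup})" >&2`, and consider also reporting the selected mount before the sub-cgroup is created so a wrong pick can be diagnosed from the logs. permit_monit_access starts before and continues past this hunk.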