Remove monit permit access and NATS firewall setup#470

Open: rkoster wants to merge 2 commits into cloudfoundry:ubuntu-jammy from rkoster:remove-monit-permit-access

Conversation

rkoster (Contributor) commented Feb 9, 2026

Summary

  • Remove cgroup v1 net_cls-based monit API access control mechanism
  • Remove monit wrapper script, helper functions, and iptables rules
  • Remove permit_monit_access call from agent startup

The monit binary now runs directly without a wrapper. Access control will be managed by the bosh-agent's internal firewall implementation.

This prepares the stemcell builder for the bosh-agent changes that move firewall management into the agent itself.

Related

Remove the cgroup v1 net_cls-based monit API access control mechanism
including the monit wrapper script, helper functions, and iptables rules.

The monit binary now runs directly without a wrapper. Access control
will be managed by the bosh-agent's internal firewall implementation.

Related to cloudfoundry/bosh-agent#399

Stop sourcing monit-access-helper.sh and calling permit_monit_access
when starting the bosh-agent. The agent will manage its own firewall
access internally instead of using the cgroup-based helper.

This completes the removal of the permit_monit_access functionality
now that pxc-release (the only consumer) no longer uses it.

Related to cloudfoundry/bosh-agent#399
Related to cloudfoundry/pxc-release#97
github-project-automation bot moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group, Feb 9, 2026

rkoster (Contributor, Author) commented Feb 12, 2026

Don't merge before: cloudfoundry/bosh-agent#399

abg (Member) commented Feb 13, 2026

Per the comment from @colins on the related pxc-release PR:

@rkoster there is some more work to do for this. Specifically for backward compatibility for some MySQL components. We'd need some like monit-access-helper.sh in jammy so that we don't break features for customers.

Adding some color here:

This monit-access-helper.sh pattern is apparently being used by some of our internal bosh releases - this usually involves some niche database workflows that do some in-place restore like stopping the database service, putting some files in places and starting the service again.

Would it be acceptable if we kept monit-access-helper.sh for the ubuntu-jammy stemcell, but reimplemented it in terms of the nftables work? Maybe pulling in some of the work from cloudfoundry/pxc-release#97 into bosh-agent and adding some additional /var/vcap/bosh/bin/bosh-monit-access helper?

That may make sense as a follow up backwards compatibility PR.

rkoster (Contributor, Author) commented Feb 13, 2026

Yes, I'm not against backward compatibility; it is just out of scope for the use case that I'm interested in, so I personally won't be doing the work. That being said, I'm happy to review a PR adding backward compatibility.
