Harden monit-access-helper.sh cgroupv2 mount point detection

[gberche-orange]

Restrict the inspection of /proc/self/mounts to cgroupv2 device (1st column) in addition to existing cgroup fstype (column 3).

Also fail fast in case of multiple detected mount points.

Fix #585

---

NOTE: this repository uses a "Merge Forward" strategy

Changes should be made in the earliest applicable branch, and
merged forward through subsequent branches.

1. Create a PR into the oldest branch (ubuntu-<short_name>)
2. After this PR has been merged create a merge-to-<next_short_name> branch
3. Merge ubuntu-<short_name> into merge-to-<next_short_name>
4. Create a PR to merge merge-to-<next_short_name> into ubuntu-<next_short_name>
5. Repeat as needed for subsequent branches

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 139f30db-1d71-405c-964a-c4c443db74a3

📥 Commits

Reviewing files that changed from the base of the PR and between b35a8f1 and e9d0103.

📒 Files selected for processing (1)

• stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh

---

Walkthrough

This PR renames the unified-cgroup detection helper to system_using_unified_cgroup_v2 and hardens permit_monit_access: it now extracts cgroup2 mountpoints from /proc/self/mounts only when both mount source and fs type indicate cgroup2, counts matches, requires exactly one match and a non-empty 0:: current cgroup, includes these resolved values in error output, and on success builds the monit-api-access sub-cgroup path from the validated mount and cgroup path.

Suggested reviewers

• rkoster
• mariash
• aramprice

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly and concisely summarizes the main change: hardening cgroupv2 mount point detection in monit-access-helper.sh.
Description check	✅ Passed	PR description explains the specific technical changes and fixes issue #585; includes merge-forward strategy information from repository template.
Linked Issues check	✅ Passed	Changes implement all requirements from issue #585: restrict mount detection to cgroupv2 device field, detect multiple mount points, and fail fast on ambiguity.
Out of Scope Changes check	✅ Passed	All changes in monit-access-helper.sh are directly related to hardening cgroupv2 mount point detection as specified in linked issue #585; no out-of-scope modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rkoster]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh`:
- Around line 35-38: The error message in monit-access-helper.sh's
permit_monit_access check currently omits the count of matching cgroup v2
mounts; update the echo to include the nb_matching_cgroup_mounts variable so
operators can see whether zero, one, or multiple mounts were found. Locate the
conditional that checks cgroup_mount, nb_matching_cgroup_mounts, and
current_cgroup and modify the error string to append
"nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts}" alongside the existing
current_cgroup and cgroup_mount values.
- Line 33: The variable nb_matching_cgroup_mounts is computed with wc -l which
returns 1 for an empty cgroup_mount (because echo "" yields a newline); replace
that wc -l approach so nb_matching_cgroup_mounts accurately reflects the number
of non-empty lines in cgroup_mount. Feed cgroup_mount to a one-pass line counter
(e.g., run awk over the input and increment for lines with content, printing 0
if none) and assign that result to nb_matching_cgroup_mounts, keeping the
surrounding logic that checks -z "${cgroup_mount}" unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cff13715-d8eb-49a1-9181-f8cc3eac0fee

📥 Commits

Reviewing files that changed from the base of the PR and between 1e4a114 and 50cc4d1.

📒 Files selected for processing (1)

• stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh

[coderabbitai]

♻️ Duplicate comments (1)

stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh (1)

35-38: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Include mount count in error message for better diagnostics.

The error message does not include nb_matching_cgroup_mounts, making it harder to distinguish between zero mounts, multiple mounts, or an empty cgroup path when troubleshooting failures.

📝 Suggested enhancement

-    echo "permit_monit_access: unable to resolve cgroup v2 mount or path. current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}" >&2
+    echo "permit_monit_access: unable to resolve cgroup v2 mount or path. nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts} current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}" >&2

This helps operators quickly distinguish between:

• No mounts found (nb_matching_cgroup_mounts=0)
• Multiple mounts found (nb_matching_cgroup_mounts=2+)
• Empty current_cgroup path

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh` around
lines 35 - 38, Update the error message in permit_monit_access (in
monit-access-helper.sh) to include the nb_matching_cgroup_mounts variable so
diagnostics show whether there were 0, multiple, or other matching cgroup
mounts; change the echo line that currently prints current_cgroup and
cgroup_mount to also append nb_matching_cgroup_mounts so the log reports
current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}
nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts} before returning 1.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh`:
- Around line 35-38: Update the error message in permit_monit_access (in
monit-access-helper.sh) to include the nb_matching_cgroup_mounts variable so
diagnostics show whether there were 0, multiple, or other matching cgroup
mounts; change the echo line that currently prints current_cgroup and
cgroup_mount to also append nb_matching_cgroup_mounts so the log reports
current_cgroup=${current_cgroup} cgroup_mount=${cgroup_mount}
nb_matching_cgroup_mounts=${nb_matching_cgroup_mounts} before returning 1.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fad58a8a-100a-401c-b782-2300fa5a4f71

📥 Commits

Reviewing files that changed from the base of the PR and between 50cc4d1 and b35a8f1.

📒 Files selected for processing (1)

• stemcell_builder/stages/bosh_monit/assets/monit-access-helper.sh

[gberche-orange]

thanks @rkoster for the assisted review. Please let me know if there are other feedback that needs handling for this PR.