From 644205669ff1cf7718b8385c80325b68777b9223 Mon Sep 17 00:00:00 2001 From: Maria Shaldybin Date: Fri, 27 Feb 2026 22:44:01 +0000 Subject: [PATCH] Use logger instead of printing to stdout for bosh-enable-monit-access --- platform/firewall/cgroup_linux.go | 26 +++++++++++---------- platform/firewall/nftables_firewall.go | 6 ++--- platform/firewall/nftables_firewall_test.go | 2 -- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/platform/firewall/cgroup_linux.go b/platform/firewall/cgroup_linux.go index fbe6368f1..287f90e3f 100644 --- a/platform/firewall/cgroup_linux.go +++ b/platform/firewall/cgroup_linux.go @@ -6,25 +6,30 @@ import ( "path/filepath" "strings" "syscall" + + boshlog "github.com/cloudfoundry/bosh-utils/logger" ) +const cgroupLogTag = "cgroup" + // getCurrentCgroupPath reads /proc/self/cgroup and extracts the cgroupv2 path. // Returns path WITHOUT leading slash (e.g., "system.slice/runc-bpm-galera-agent.scope") // to match the format used by the nft CLI. -func getCurrentCgroupPath() (string, error) { +func getCurrentCgroupPath(logger boshlog.Logger) (string, error) { data, err := os.ReadFile("/proc/self/cgroup") if err != nil { return "", fmt.Errorf("reading /proc/self/cgroup: %w", err) } - // Find line starting with "0::" (cgroupv2) - // Format: "0::/system.slice/runc-bpm-galera-agent.scope" - for _, line := range strings.Split(string(data), "\n") { + lines := strings.Split(string(data), "\n") + logger.Debug(cgroupLogTag, "/proc/self/cgroup contents: %v", lines) + + for _, line := range lines { line = strings.TrimSpace(line) if strings.HasPrefix(line, "0::") { path := strings.TrimPrefix(line, "0::") - // Strip leading slash to match Noble script format path = strings.TrimPrefix(path, "/") + logger.Info(cgroupLogTag, "Detected cgroupv2 path: %s", path) return path, nil } } 
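Review bot: The comment describing the cgroupv2 line format was removed from getCurrentCgroupPath even though it had nothing to do with printing to stdout, which leaves the `strings.HasPrefix(line, "0::")` check without an explanation where the parsing happens. I would keep a one-line version above the loop, for example `// cgroupv2 entry format: "0::/system.slice/runc-bpm-galera-agent.scope"`. The same applies to the hybrid-cgroup comments dropped from isCgroupAccessible in the next hunk, which explained why an empty cgroup.controllers file means the cgroup rule cannot be used. The function's final return is outside this hunk.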
@@ -39,24 +44,21 @@ func getCurrentCgroupPath() (string, error) { // - Cgroup path doesn't exist in /sys/fs/cgroup // - Hybrid cgroup system (cgroupv2 mounted but no controllers delegated) // - Nested containers where cgroup path is different from host view -func isCgroupAccessible(cgroupPath string) bool { - // Check if cgroup path exists +func isCgroupAccessible(logger boshlog.Logger, cgroupPath string) bool { fullPath := filepath.Join("/sys/fs/cgroup", cgroupPath) if _, err := os.Stat(fullPath); err != nil { - fmt.Printf("bosh-monit-access: Cgroup path doesn't exist: %s\n", fullPath) + logger.Info(cgroupLogTag, "Cgroup path doesn't exist: %s", fullPath) return false } - // Check if this is a hybrid cgroup system (cgroupv2 mounted but no controllers) - // On hybrid systems, /sys/fs/cgroup/cgroup.controllers exists but is empty controllers, err := os.ReadFile("/sys/fs/cgroup/cgroup.controllers") if err != nil { - fmt.Printf("bosh-monit-access: Cannot read cgroup.controllers: %v\n", err) + logger.Info(cgroupLogTag, "Cannot read cgroup.controllers: %v", err) return false } if len(strings.TrimSpace(string(controllers))) == 0 { - fmt.Println("bosh-monit-access: Hybrid cgroup system detected (no controllers in cgroupv2)") + logger.Info(cgroupLogTag, "Hybrid cgroup system detected (no controllers in cgroupv2)") return false } diff --git a/platform/firewall/nftables_firewall.go b/platform/firewall/nftables_firewall.go index 5979eaf0d..c78fb49ae 100644 --- a/platform/firewall/nftables_firewall.go +++ b/platform/firewall/nftables_firewall.go 
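Review bot: The new `logger.Info(cgroupLogTag, "Cgroup path doesn't exist: %s", fullPath)` reports every os.Stat failure as a missing path and drops `err`, so a permission or I/O error cannot be told apart from absence in the log. A `false` result here makes the caller give up on the cgroup rule, which the caller's own comment calls the better-isolated option, so the reason should be recoverable: `logger.Info(cgroupLogTag, "Cannot stat cgroup path %s: %v", fullPath, err)`. It is also worth considering the logger's warning level for these three fallback messages, so the downgrade stands out from routine Info output. The end of isCgroupAccessible lies outside the hunk.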
@@ -181,8 +181,8 @@ func (f *NftablesFirewall) EnableMonitAccess() error { } // 2. Try cgroup-based rule first (better isolation) - cgroupPath, err := getCurrentCgroupPath() - if err == nil && isCgroupAccessible(cgroupPath) { + cgroupPath, err := getCurrentCgroupPath(f.logger) + if err == nil && isCgroupAccessible(f.logger, cgroupPath) { inodeID, err := getCgroupInodeID(cgroupPath) if err == nil { f.logger.Info(f.logTag, "Using cgroup rule for: %s (inode: %d)", cgroupPath, inodeID) @@ -429,7 +429,7 @@ func (f *NftablesFirewall) addUIDRule(uid uint32) error { if err == nil { for _, rule := range rules { if ruleMatchesUID(rule, uid) { - fmt.Println("bosh-monit-access: UID rule already exists, skipping") + f.logger.Info(f.logTag, "UID rule already exists for UID %d, skipping", uid) return nil } } diff --git a/platform/firewall/nftables_firewall_test.go b/platform/firewall/nftables_firewall_test.go index d789b95d7..a02c4221b 100644 --- a/platform/firewall/nftables_firewall_test.go +++ b/platform/firewall/nftables_firewall_test.go @@ -5,7 +5,6 @@ package firewall_test import ( "encoding/binary" "errors" - "fmt" "net" "os" @@ -197,7 +196,6 @@ var _ = Describe("NftablesFirewall", func() { Expect(fakeConn.AddRuleCallCount()).To(Equal(1)) rule := fakeConn.AddRuleArgsForCall(0) - fmt.Printf("rule: %+v\n", rule) Expect(rule.Chain.Name).To(Equal("monit_access_jobs")) })
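Review bot: When `getCurrentCgroupPath(f.logger)` returns an error, the `err == nil && ...` condition skips the cgroup rule without logging `err` in the lines shown, and the helper itself only wraps and returns the read failure, so the reason for falling back is lost. Unless the branch after this hunk already records it, add `f.logger.Info(f.logTag, "Cannot determine cgroup path: %v", err)` before the fallback. The inner `inodeID, err := getCgroupInodeID(cgroupPath)` also shadows the outer `err`, which is harmless here but easy to misread. EnableMonitAccess starts and ends outside the hunk.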
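Review bot: The duplicate check around the new log line only runs `if err == nil`, so when listing the existing rules fails the error is dropped and the code presumably goes on to add the rule unchecked. Now that a logger is used here, that failure could be recorded in an else branch, for example `f.logger.Debug(f.logTag, "Listing rules failed, skipping duplicate check: %v", err)`. The call that produces `err` and the rest of addUIDRule are outside the hunk.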