cloudfoundry · mariash · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026 · Feb 17, 2026
diff --git a/jobs/galera-agent/spec b/jobs/galera-agent/spec
@@ -9,7 +9,6 @@ templates:
 
 packages:
 - galera-agent
-- bosh-monit-access
 
 provides:
 - name: galera-agent

diff --git a/jobs/galera-agent/templates/service.bash b/jobs/galera-agent/templates/service.bash
@@ -4,10 +4,13 @@ set -o nounset
 
 # Setup firewall rule to allow monit access from this job.
 # Try new nftables firewall approach first (bosh-agent with monit_access_jobs chain).
-if /var/vcap/packages/bosh-monit-access/bin/bosh-monit-access --check; then
-  # New firewall with jobs chain exists - use bosh-monit-access helper
-  /var/vcap/packages/bosh-monit-access/bin/bosh-monit-access 1>&2
-else
+set +e
+/var/vcap/bosh/etc/bosh-enable-monit-access
+exit_status=$?
+set -e
+
+if [[ $exit_status -ne 0 ]]; then
+  # Failed to enable monit access using bosh-agent.
   # Fallback to old approaches for backward compatibility with older stemcells
   if type -f -p nft >/dev/null && nft list ruleset | grep -q monit_output; then
     rule_handle=$(nft -a list ruleset | awk '/galera-agent/ { print $NF }')

diff --git a/packages/bosh-monit-access/packaging b/packages/bosh-monit-access/packaging
diff --git a/packages/bosh-monit-access/spec b/packages/bosh-monit-access/spec
diff --git a/src/bosh-monit-access/cgroup.go b/src/bosh-monit-access/cgroup.go