use bpm to run blackbox#246
Open
mkocher wants to merge 1 commit into
Open
Conversation
The Resolute Raccoon stemcell removes `runit` which provies chpst which was used in the blackbox start script to not run as root. Moving to BPM fixes this, as well as provides an enhanced security posture.
cf-foundation-community-automation
Bot
moved this to Inbox
in Foundational Infrastructure Working Group
jorbaum
reviewed
Jun 15, 2026
jorbaum
left a comment
jorbaum
left a comment
Contributor
There was a problem hiding this comment.
LGTM. I got one question regarding the DAC_READ_SEARCH capability. Otherwise its clear and looks good.
Sadly there is no CI running the acceptance tests yet.
| <% end %> | ||
|
|
||
| <% unless p('syslog.respect_file_permissions') %> | ||
| setcap cap_dac_read_search+ep /var/vcap/packages/blackbox/bin/blackbox |
Contributor
There was a problem hiding this comment.
Why is setcap cap_dac_read_search+ep still being set in pre-start.erb if BPM is now declaring capabilities: [DAC_READ_SEARCH]? These appear to be redundant.
Consider removing setcap cap_dac_read_search+ep here. AFAIU then only the bpm process would get those permissions and not the binary ifself. Then acceptance tests should run through without this line.
chombium
requested changes
Jun 15, 2026
| <% end %> | ||
|
|
||
| <% unless p('syslog.respect_file_permissions') %> | ||
| setcap cap_dac_read_search+ep /var/vcap/packages/blackbox/bin/blackbox |
github-project-automation
Bot
moved this from Inbox
to Waiting for Changes | Open for Contribution
in Foundational Infrastructure Working Group
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Resolute Raccoon stemcell removes
runitwhich provies chpst which was used in the blackbox start script to not run as root. Moving to BPM fixes this, as well as provides an enhanced security posture.I validated this change by running all of the acceptance tests. I updated
scripts/testto upload bpm release. I'm not sure if CI uses that script or will need a corresponding change.Type of change
Testing performed?
Checklist:
mainbranch, or relevant version branchIf you have any questions, or want to get attention for a PR or issue please reach out on the #logging-and-metrics channel in the cloudfoundry slack