Fix Symlink Resolution in Bind Mounts for Noble Stemcell Compatibility #199

@dudejas

Problem

BPM fails to start containerized jobs on Ubuntu 24.04 (Noble) stemcells with permission errors:

exec: "/var/vcap/packages/bpm/bin/tini": stat /var/vcap/packages/bpm/bin/tini: permission denied

Impact: All BPM-managed jobs fail to start on Noble stemcells (verified with health_monitor)

Environment:

  • Stemcell: Ubuntu 24.04 Noble (bosh-google-kvm-ubuntu-noble-go_agent/1.165)
  • BPM: 1.4.23
  • runc: 1.2.8
  • cgroups: v2 (unified hierarchy)
  • systemd: 255

Root Cause

On Noble, /var/vcap/packages/* are symlinks to /var/vcap/data/packages/*/.... BPM creates bind mounts using these symlink paths as sources. The container runtime cannot resolve symlinks within the containerized namespace due to cgroups v2 and kernel 6.8+ changes, causing permission errors.

# Host
/var/vcap/packages/bpm → /var/vcap/data/packages/bpm/abc123...

# Container mount (broken)
source: "/var/vcap/packages/bpm"  # symlink - unresolvable

# Container mount (fixed)
source: "/var/vcap/data/packages/bpm/abc123/"  # real path - works

Solution

Resolve symlinks to canonical paths using filepath.EvalSymlinks() before creating bind mount specifications. Falls back to original path if resolution fails for backwards compatibility.

Changes

  • Added symlink resolution in mount.go
  • Graceful fallback on errors
  • Test coverage in mount_symlink_test.go
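
The approach described under Solution, as an added example that is not BPM's mount.go or code from the issue's author. The `Mount` type, `bindMount`, and `demoLayout` are hypothetical names, the directory tree is constructed in a temp dir, and keeping the original path as the destination is an assumption. The `Resolved` flag is an addition so a caller can log when the fallback path was used.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Mount is a hypothetical stand-in for one bind mount entry in a container spec.
type Mount struct {
	Source, Destination string
	Resolved            bool // false when Source is the unresolved fallback
}

// bindMount uses the canonical host path as the source and (assumed here) keeps
// the original path as the destination. On failure (e.g. the path is missing)
// it falls back to the original path and records that so the caller can log it.
func bindMount(path string) Mount {
	canon, err := filepath.EvalSymlinks(path)
	if err != nil {
		return Mount{Source: path, Destination: path}
	}
	return Mount{Source: canon, Destination: path, Resolved: true}
}

// demoLayout creates a constructed tree shaped like the one in the issue:
// <root>/packages/bpm -> <root>/data/packages/bpm/abc123
func demoLayout(root string) (link, target string, err error) {
	target = filepath.Join(root, "data", "packages", "bpm", "abc123")
	link = filepath.Join(root, "packages", "bpm")
	for _, dir := range []string{target, filepath.Dir(link)} {
		if err = os.MkdirAll(dir, 0o755); err != nil {
			return "", "", err
		}
	}
	return link, target, os.Symlink(target, link)
}

func main() {
	root, err := os.MkdirTemp("", "bpm-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	link, _, err := demoLayout(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n%+v\n", bindMount(link), bindMount(filepath.Join(root, "missing")))
}
```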
