feat: add ACL VHD build, provisioning, and e2e support#7991
Open
aadhar-agarwal wants to merge 1 commit into main from
Conversation
Contributor
Pull request overview
Adds Azure Container Linux (ACL) Gen2 as a first-class distro across the VHD build pipeline, AgentBaker customData/provisioning, SIG image config exposure, and e2e validation.
Changes:
- Introduces an ACL Packer template + ignition (Butane) customdata and wires it into build pipelines and packer tooling.
- Extends AgentBaker datamodel/API/customData generation to recognize ACL (including SIG config + node image version overrides).
- Adds/updates e2e scenarios and validators to cover ACL (scripted + scriptless), plus adjusts provisioning scripts for ACL CA-trust/chrony behavior.
Reviewed changes
Copilot reviewed 43 out of 115 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| vhdbuilder/scripts/linux/acl/tool_installs_acl.sh | Adds ACL-specific tool install stubs and chrony/timesyncd handling for VHD build. |
| vhdbuilder/packer/vhd-scanning.sh | Adds isACL and excludes ACL from CIS scanning. |
| vhdbuilder/packer/vhd-image-builder-acl.json | New Packer template for building/publishing ACL Gen2 images. |
| vhdbuilder/packer/trivy-scan.sh | Treats AzureContainerLinux like Flatcar for azure-cli install via venv; minor formatting fixes. |
| vhdbuilder/packer/test/run-test.sh | Ensures IMG_SKU defaults to empty (needed for ACL pipeline template). |
| vhdbuilder/packer/test/linux-vhd-content-test.sh | Updates test conditions to recognize ACL behavior (git, chrony, IG, etc.). |
| vhdbuilder/packer/pre-install-dependencies.sh | Adds ACL handling for permissions/logging/rsyslog/waagent conf. |
| vhdbuilder/packer/post-install-dependencies.sh | Adds ACL disk sizing behavior (like Flatcar). |
| vhdbuilder/packer/packer_source.sh | Updates file-copy logic for ACL (PAM files, NOTICE, IG skip, etc.). |
| vhdbuilder/packer/install-ig.sh | Skips IG installation during VHD build for ACL. |
| vhdbuilder/packer/install-dependencies.sh | Adds ACL-specific VHD-build behaviors (iptables/resolved adjustments, sysext download path). |
| vhdbuilder/packer/cis-report.sh | Treats ACL like Flatcar for azure-cli PATH/venv assumptions. |
| vhdbuilder/packer/acl-customdata.yaml | New Butane ignition config for ACL VHD builds. |
| vhdbuilder/packer/acl-customdata.json | Generated ignition JSON for ACL builds. |
| pkg/agent/variables.go | Adds ACL distro script variables and disables cloud-init-only redact step for ACL. |
| pkg/agent/testdata/ACL/CustomData | New ACL ignition customData snapshot. |
| pkg/agent/testdata/ACL/CSECommand | New ACL CSE command snapshot. |
| pkg/agent/testdata/ACL+CustomCloud/CSECommand | New ACL + custom cloud CSE command snapshot. |
| pkg/agent/testdata/ACL+CustomCloud+USSec/CSECommand | New ACL + custom cloud + USSec CSE command snapshot. |
| pkg/agent/datamodel/types_test.go | Adds tests for IsACL and ACL vs Flatcar behavior. |
| pkg/agent/datamodel/types.go | Adds AKSACLGen2 distro, ACL detection helpers, and NodeBootstrappingConfiguration.IsACL(). |
| pkg/agent/datamodel/sig_config_test.go | Extends SIG config tests to include ACL gallery/config. |
| pkg/agent/datamodel/sig_config.go | Adds ACL SIG image config plumbing and AvailableACLDistros. |
| pkg/agent/datamodel/const.go | Adds OSSKUAzureContainerLinux. |
| pkg/agent/const.go | Adds embedded ACL-specific CSE helper/install script paths. |
| pkg/agent/bakerapi_test.go | Extends API tests for SIG config and version overrides to include ACL. |
| pkg/agent/bakerapi.go | Includes ACL SIG configs in returned distro map and lookup. |
| pkg/agent/baker_test.go | Adds ACL test entries and handles base64 decoding for ACL ignition customData. |
| pkg/agent/baker.go | Treats ACL like Flatcar for ignition encoding, cgroupv2, and disables customData for ACL. |
| parts/linux/cloud-init/nodecustomdata.yml | Adds ACL branches for distro-specific helper/install payloads and skips cloud-init-only artifacts for ACL. |
| parts/linux/cloud-init/artifacts/init-aks-custom-cloud.sh | Adds ACL OS detection and CA trust handling for custom cloud init. |
| parts/linux/cloud-init/artifacts/init-aks-custom-cloud-operation-requests.sh | Adds ACL OS detection and CA trust handling for operation-requests flow. |
| parts/linux/cloud-init/artifacts/cse_helpers.sh | Adds ACL_OS_NAME, isACL, and ACL package URI fallback logic. |
| parts/linux/cloud-init/artifacts/cse_config.sh | Adds ACL CA-trust paths and ensures PMC install gating excludes ACL like Flatcar. |
| parts/linux/cloud-init/artifacts/cis.sh | Skips Ubuntu-only CIS hardening steps for ACL. |
| parts/linux/cloud-init/artifacts/acl/update_certs.service | New ACL systemd unit for custom CA trust update. |
| parts/linux/cloud-init/artifacts/acl/cse_install_acl.sh | New ACL distro install script (sysext-based kubelet/kubectl/credential provider install). |
| parts/linux/cloud-init/artifacts/acl/cse_helpers_acl.sh | New ACL distro helpers stub file. |
| packer.mk | Adds ACL build target and ACL ignition generation target. |
| e2e/validators.go | Adjusts kernel log patterns to ignore ACL-specific benign strings. |
| e2e/scenario_test.go | Adds ACL e2e scenarios (scripted/scriptless/custom CA/AzureCNI/chrony restart/disable SSH/TLS fallback). |
| e2e/node_config.go | Disables customData for ACL in aks-node-controller config and wires ACL SIG gallery config into templates. |
| e2e/config/vhd.go | Adds ACL VHD definition (VHDACLGen2). |
| .pipelines/templates/.builder-release-template.yaml | Excludes ACL from SKU_NAME containerd suffix logic. |
| .pipelines/.vsts-vhd-builder-release.yaml | Adds a new buildaclgen2 release job with ACL-specific build variables. |
| [Service] | ||
| Type=oneshot | ||
| ExecStart=/opt/scripts/update_certs.sh /etc/pki/ca-trust/source/anchors update-ca-trust | ||
| RestartSec=5 |
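Review bot: the [Service] section declares Type=oneshot with no RemainAfterExit=, so once /opt/scripts/update_certs.sh exits the unit reports inactive and a failed run of the CA-trust update is only visible as a failed unit, which nothing in this snippet acts on. Consider adding RemainAfterExit=yes so a successful one-time run stays reflected in the unit state, and surfacing a failure explicitly (for example with OnFailure= or by checking the unit's result in the provisioning flow) rather than relying on the RestartSec=5 line, which does nothing without a Restart= policy.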
RestartSec=5 has no effect here because the unit doesn’t set Restart= (defaults to no), and for a Type=oneshot service you typically either omit restart settings or explicitly choose a restart policy. Consider removing RestartSec or adding an intentional Restart= value if retries are desired.
Suggested change
| RestartSec=5 |
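The point raised above (RestartSec= is ignored when Restart= is left at its default of no, and Type=oneshot constrains which restart policies are valid) can be checked mechanically before a unit file ships in a VHD. The following linter is an added example, not code from this PR or from AgentBaker; the sample unit text is constructed to mirror the reviewed [Service] section, and the hypothetical /opt/scripts/update_certs.sh path is taken from the snippet only as data.

```python
"""Lint systemd unit text for restart-setting mistakes (added example)."""
from typing import Dict, List

# Constructed sample mirroring the reviewed [Service] section; not the PR's file.
SAMPLE_UNIT = """\
[Unit]
Description=Update custom CA trust (constructed sample)

[Service]
Type=oneshot
ExecStart=/opt/scripts/update_certs.sh /etc/pki/ca-trust/source/anchors update-ca-trust
RestartSec=5
"""


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse unit text into {section: {key: [values]}}; keys may repeat."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section; systemd would warn
        key, _, value = line.partition("=")  # split on the first '=' only
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def lint_restart_settings(text: str) -> List[str]:
    """Return findings about Restart*/Type combinations in [Service]."""
    svc = parse_unit(text).get("Service", {})
    restart = svc.get("Restart", ["no"])[-1]      # systemd default: Restart=no
    svc_type = svc.get("Type", ["simple"])[-1]    # systemd default: Type=simple
    findings: List[str] = []
    if "RestartSec" in svc and restart == "no":
        findings.append("RestartSec set but Restart=no (default): no effect")
    if svc_type == "oneshot" and restart in ("always", "on-success"):
        # systemd refuses to load oneshot units with these policies
        findings.append(f"Type=oneshot cannot use Restart={restart}")
    return findings
```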
Signed-off-by: Aadhar Agarwal <aadagarwal@microsoft.com>
What this PR does / why we need it:
Add ACL (Azure Container Linux) support
Summary
Adds Azure Container Linux (ACL) support across VHD build, provisioning/customData, SIG image config, and e2e validation.
Changes
Testing
Which issue(s) this PR fixes:
Fixes #