feat: install aznfs package on AzureLinux 3.0 #8085
Pull request overview
Adds Azure Linux 3.0 support in the VHD build pipeline to install the aznfs NFS client package from packages.microsoft.com (PMC) by downloading and installing the Microsoft repo RPM, then installing aznfs. This fits into AgentBaker’s VHD builder + shared Linux provisioning script set by ensuring the dependency is present on Azure Linux 3.0 images.
Changes:
- Invoke `installAznfsPkgFromPMC` during Mariner/AzureLinux VHD dependency installation.
- Add `installAznfsPkgFromPMC` implementation to the Mariner/AzureLinux install script.
- Regenerate/refresh multiple `pkg/agent/testdata/**/CustomData` snapshots.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| vhdbuilder/packer/install-dependencies.sh | Calls installAznfsPkgFromPMC during Mariner/AzureLinux (non-OSGuard) VHD build setup. |
| parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh | Introduces installAznfsPkgFromPMC to download/install Microsoft repo RPM and install aznfs on Azure Linux 3.0. |
| pkg/agent/testdata/Marinerv2+DisableUnattendedUpgrades=true/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/Marinerv2+DisableUnattendedUpgrades=false/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/MarinerV2+Kata/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/MarinerV2+CustomCloud/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/MarinerV2+CustomCloud+USSec/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/MarinerV2+CustomCloud+USNat/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/AzureLinuxv2+DisableUnattendedUpgrades=true/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/AzureLinuxv2+DisableUnattendedUpgrades=false/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/AzureLinuxV3+Kata/CustomData | Updated generated CustomData snapshot. |
| pkg/agent/testdata/AzureLinuxV2+Kata/CustomData | Updated generated CustomData snapshot. |
647ac4d to 6e493f1
6e493f1 to 0b36d79
…or handling
- Use dnf_install instead of rpm -i (rpm command won't work per andyzhangx's comment)
- Use basename to derive RPM filename from URL instead of hardcoding
- Use systemctl is-enabled/is-active checks with best-effort disable/stop to avoid breaking VHD build under set -e
- Properly quote evalPackageDownloadURL argument
The schema does not allow ubuntu.default or flatcar.current for packages that don't support those OSes. Simply omitting the OS key is the correct way to indicate no support, matching the pattern used by other packages like oras and walinuxagent.
- Use $(uname -m) in download URL to support both x86_64 and aarch64
- Move installAznfsPkgFromPMC call after the component download loop so the pre-downloaded RPM is available when the function runs

- Remove defensive guards around aznfswatchdog disable/stop - let it fail the build if something is wrong
- Remove aznfswatchdogv4 restart check (no longer needed)
- Add Microsoft RPM GPG key import into RPM database
Address review comment: use version sort instead of arbitrary head -1 to ensure the newest RPM is installed when multiple versions exist in /opt/aznfs/downloads.
| ] | ||
| } | ||
| }, | ||
| "mariner": { |
we don't build mariner anymore. not needed
Good point, removed the mariner section from components.json.
| systemctl stop aznfswatchdog | ||
|
|
||
| echo "Importing Microsoft RPM GPG key into RPM database" | ||
| gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Microsoft || echo "Warning: failed to import Microsoft RPM GPG key" |
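Review bot: The echo above the `gpg --import` line says the key is imported "into RPM database", but `gpg --import` adds it to the invoking user's GnuPG keyring; if the RPM database is the intended target, `rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Microsoft` is the command that writes there. The `|| echo "Warning: failed to import Microsoft RPM GPG key"` fallback on the same line also lets the build continue when the import fails, so a missing key only shows up later as a package verification or install error, whereas the `systemctl stop aznfswatchdog` line above has no such fallback. Consider failing the build here, or explaining in a comment why a failed import is acceptable.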
see #8085 (comment), without this, there would be cert issue when dnf install other packages.
| installRPMPackageFromFile "kubectl" $desiredVersion || exit $ERR_KUBECTL_INSTALL_FAIL | ||
| } | ||
|
|
||
| installAznfsPkgFromPMC() { |
what is this package for? how come it doesn't live in azl3 repo?
there is no azl3 package due to GNU TLS dependency, this is the only way to install aznfs package on AzureLinux3, check here: https://learn.microsoft.com/en-us/azure/storage/files/encryption-in-transit-for-nfs-shares?tabs=azure-portal%2CAzureLinux
| "acr-mirror") | ||
| # acr-mirror is handled separately below via installAndConfigureArtifactStreaming. | ||
| ;; | ||
| "aznfs") |
we should only perform the installAznfsPkgFromPMC in here, and combine the download in the function, no need to decouple the download and later do the install. if we want to always install it.
Done — added installAznfsPkgFromPMC call in install-dependencies.sh after the download, so it's combined during VHD build. Also added a fallback download path in the function for cases where the RPM isn't pre-downloaded.
| "versionsV2": [ | ||
| { | ||
| "renovateTag": "<DO_NOT_UPDATE>", | ||
| "latestVersion": "3.0.15-1" |
why aren't we looking at tracking the versions with renovate? when would this need to change?
The aznfs package is from PMC (packages.microsoft.com) not the AzureLinux repo, so renovate can't track it. The version is pinned with <DO_NOT_UPDATE> tag and we'd bump it manually when a new version is available. We could add a custom renovate datasource later if this becomes a maintenance burden.
renovate supports PMC, or I mean we could easily add support for the location of this package
I'm just scared at one point we will lose track of the manual bump
let's do it manually now since we need to verify the version before auto version bump. we need to make sure the version AB used is stable and won't break first. @djsly
- Remove mariner section from components.json (mariner no longer built)
- Combine download+install in installAznfsPkgFromPMC with fallback download
- Call installAznfsPkgFromPMC from install-dependencies.sh during VHD build
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
vhdbuilder/packer/install-dependencies.sh:547
`installAznfsPkgFromPMC` is invoked twice for AzureLinux/Mariner builds: once inside the `"aznfs"` case and again unconditionally after the packages loop. On Azure Linux 3.0 this results in a redundant second install/config run, which adds build time and can introduce non-idempotent side effects. Please keep a single well-scoped call (either inside the aznfs case, or gated after the loop based on whether aznfs was downloaded).
installAznfsPkgFromPMC
;;
*)
echo "Package name: ${name} not supported for download. Please implement the download logic in the script."
# We can add a common function to download a generic package here.
# However, installation could be different for different packages.
;;
esac
capture_benchmark "${SCRIPT_NAME}_download_${name}"
done <<< "$packages"
installAndConfigureArtifactStreaming() {
local downloadURL="$1"
local version="$2"
# The arm64 packages have "-arm64" inserted before the file extension,
What type of PR is this?
/kind feature
What this PR does / why we need it:
feat: install aznfs package on AzureLinux 3.0
Install the aznfs NFS mount helper on AzureLinux 3.0 VHDs. The aznfs RPM is downloaded directly from PMC at VHD build time (via `components.json`) and stored in `/opt/aznfs/downloads`. During node provisioning, `installAznfsPkgFromPMC` installs the pre-downloaded RPM locally with `dnf_install`, avoiding the need to add the rhel9 PMC repo to the RPM database (which could cause versioning conflicts with AzureLinux packages).
Additional configuration:
- `AUTOUPDATE=false`) to respect operator OS update settings and AKS SDP
- `aznfswatchdog` service (only `aznfswatchdogv4` is needed)
- `sort -V` to deterministically select the newest RPM when multiple versions exist

there is no azl3 package due to GNU TLS dependency, this is the only way to install aznfs package on AzureLinux3, check here: https://learn.microsoft.com/en-us/azure/storage/files/encryption-in-transit-for-nfs-shares?tabs=azure-portal%2CAzureLinux
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note:
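The `sort -V` selection mentioned in the PR description and in the "use version sort instead of arbitrary head -1" commit, as an added example that is not code from this PR or from AgentBaker. The function names and the `aznfs-<version>.<arch>.rpm` file naming are assumptions made for illustration; the sample files are constructed and empty.

```shell
#!/usr/bin/env bash
# Added example (not AgentBaker code). File names are constructed; the real
# RPM naming under /opt/aznfs/downloads is an assumption.

# List candidate RPM file names for one architecture, in glob order.
list_rpms() {
  local dir="$1" arch="$2" f
  for f in "$dir"/aznfs-*."$arch".rpm; do
    [ -f "$f" ] && printf '%s\n' "${f##*/}"
  done
  return 0
}

# "Before": take whatever happens to be listed first.
pick_first_listed() { list_rpms "$1" "$2" | head -n 1; }

# Plain lexical sort compares character by character, so "9" beats "15".
pick_lexical_last() { list_rpms "$1" "$2" | LC_ALL=C sort | tail -n 1; }

# "After": version sort compares numeric fields as numbers.
# Fails (non-zero) when no RPM for the architecture is present.
pick_newest_rpm() {
  local newest
  newest="$(list_rpms "$1" "$2" | sort -V | tail -n 1)"
  if [ -z "$newest" ]; then
    echo "no aznfs RPM for $2 in $1" >&2
    return 1
  fi
  printf '%s\n' "$newest"
}

# Constructed sample directory: three x86_64 versions and one aarch64 build.
make_sample_dir() {
  local d v
  d="$(mktemp -d)"
  for v in 3.0.9-1 3.0.15-1 3.0.16-1; do
    : > "$d/aznfs-$v.x86_64.rpm"
  done
  : > "$d/aznfs-3.0.15-1.aarch64.rpm"
  printf '%s\n' "$d"
}

d="$(make_sample_dir)"
echo "first listed : $(pick_first_listed "$d" x86_64)"
echo "lexical last : $(pick_lexical_last "$d" x86_64)"
echo "version sort : $(pick_newest_rpm "$d" x86_64)"
rm -rf "$d"
```

Only the version-sorted pick returns the highest version; the other two strategies return an older RPM on this sample.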