From f30e415752955e83516a4c3f7095f5a96e1cdf6c Mon Sep 17 00:00:00 2001 From: Aadhar Agarwal Date: Sat, 23 May 2026 14:17:48 -0700 Subject: [PATCH] fix(acl): bump marketplace to 3.20260517.01 and adapt to UKI rename Bumps the ACL marketplace image to 3.20260517.01, which renames the active UKI from "acl.efi" to UAPI-compliant "vmlinuz-.efi". systemd-boot auto-discovers cmdline addons in ".efi.extra.d/", so anything that hardcoded "acl.efi.extra.d/" silently breaks on the new image -- specifically: * the FIPS addon never loads (kernel boots without fips=1), and * the firstboot addon restored by cleanup-vhd.sh lands in the wrong directory, flipping Ignition into subsequent-boot mode, skipping oem-cloudinit, dropping scriptless cloud-config customData, and hanging CSE for 17 minutes. Changes: * .pipelines/.vsts-vhd-builder*.yaml: IMG_VERSION -> 3.20260517.01 for all ACL VHD jobs. * vhdbuilder/scripts/linux/acl/tool_installs_acl.sh: discover the active UKI dynamically and write fips.addon.efi into its .extra.d/. * vhdbuilder/packer/test/linux-vhd-content-test.sh (testFips): probe the active UKI's .extra.d/ for the FIPS addon instead of the hardcoded path. * vhdbuilder/packer/cleanup-vhd.sh: restore firstboot.addon.efi into the active UKI's .extra.d/. Fail loud (exit 1) when no UKI is found; the fail-loud path stays ACL-scoped under the existing [ -f /boot/acl/uki-addons/firstboot.addon.efi ] guard, so non-ACL distros are unaffected. All three dynamic-discovery sites support both the legacy "acl.efi" and the new "vmlinuz-.efi" naming so the same scripts work against older marketplace images during transition. Variable names, error messages, and failure semantics are harmonized across the three sites so a future grep finds all of them. 
Signed-off-by: Aadhar Agarwal
---
 .pipelines/.vsts-vhd-builder-release.yaml | 8 +++----
 .pipelines/.vsts-vhd-builder.yaml | 8 +++----
 vhdbuilder/packer/cleanup-vhd.sh | 19 +++++++++++++---
 .../packer/test/linux-vhd-content-test.sh | 18 ++++++++++++---
 .../scripts/linux/acl/tool_installs_acl.sh | 22 ++++++++++++++++++-
 5 files changed, 60 insertions(+), 15 deletions(-)

diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml
index 0a813282246..caa195a680c 100644
--- a/.pipelines/.vsts-vhd-builder-release.yaml
+++ b/.pipelines/.vsts-vhd-builder-release.yaml
@@ -873,7 +873,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -898,7 +898,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -923,7 +923,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -948,7 +948,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
diff --git a/.pipelines/.vsts-vhd-builder.yaml b/.pipelines/.vsts-vhd-builder.yaml
index d2e5b986819..9ef3771e51b 100644
--- a/.pipelines/.vsts-vhd-builder.yaml
+++ b/.pipelines/.vsts-vhd-builder.yaml
@@ -212,7 +212,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -234,7 +234,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -256,7 +256,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.01'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16ds_v5'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
@@ -278,7 +278,7 @@ stages:
 echo '##vso[task.setvariable variable=IMG_PUBLISHER]MicrosoftCBLMariner'
 echo '##vso[task.setvariable variable=IMG_OFFER]azure-linux-3'
 echo '##vso[task.setvariable variable=IMG_SKU]azure-linux-3-arm64-gen2-acl'
- echo '##vso[task.setvariable variable=IMG_VERSION]3.20260510.02'
+ echo '##vso[task.setvariable variable=IMG_VERSION]3.20260517.01'
 echo '##vso[task.setvariable variable=HYPERV_GENERATION]V2'
 echo '##vso[task.setvariable variable=AZURE_VM_SIZE]Standard_D16pds_v6'
 echo '##vso[task.setvariable variable=FEATURE_FLAGS]None'
diff --git a/vhdbuilder/packer/cleanup-vhd.sh b/vhdbuilder/packer/cleanup-vhd.sh
index 0f755d0ef27..68a6d9bccb7 100644
--- a/vhdbuilder/packer/cleanup-vhd.sh
+++ b/vhdbuilder/packer/cleanup-vhd.sh
@@ -13,9 +13,22 @@ rm -f /etc/machine-id
 touch /etc/machine-id
 chmod 644 /etc/machine-id
 # Restore the UKI firstboot addon consumed by ignition-quench during this build
-# Without this, VMs created from this VHD won't get flatcar.first_boot=detected on the kernel cmdline
-if [ -f /boot/acl/uki-addons/firstboot.addon.efi ] && [ ! -f /boot/EFI/Linux/acl.efi.extra.d/firstboot.addon.efi ]; then
- install -D -m 0644 /boot/acl/uki-addons/firstboot.addon.efi /boot/EFI/Linux/acl.efi.extra.d/firstboot.addon.efi
+# Without this, VMs created from this VHD won't get flatcar.first_boot=detected on the kernel cmdline.
+# The active UKI follows UAPI naming (vmlinuz-.efi) on newer ACL images and was
+# previously named acl.efi -- discover it dynamically rather than hardcoding either name.
+if [ -f /boot/acl/uki-addons/firstboot.addon.efi ]; then
+ uki_path="$(find /boot/EFI/Linux -maxdepth 1 -type f \ \( -name 'vmlinuz-*.efi' -o -name 'acl.efi' \) 2>/dev/null \ | sort | head -n1)"
+ if [ -z "${uki_path}" ]; then
+ echo "cleanup-vhd: No UKI found under /boot/EFI/Linux (expected acl.efi or vmlinuz-*.efi); firstboot addon not restored" >&2
+ exit 1
+ fi
+ uki_name="$(basename "${uki_path}")"
+ addon_dir="/boot/EFI/Linux/${uki_name}.extra.d"
+ if [ ! -f "${addon_dir}/firstboot.addon.efi" ]; then
+ install -D -m 0644 /boot/acl/uki-addons/firstboot.addon.efi "${addon_dir}/firstboot.addon.efi"
+ fi
 fi
 # Cleanup disk usage diagnostics file (created by generate-disk-usage.sh)
 rm -f /opt/azure/disk-usage.txt
diff --git a/vhdbuilder/packer/test/linux-vhd-content-test.sh b/vhdbuilder/packer/test/linux-vhd-content-test.sh
index 2c879f28a69..d0ca5fe6cc3 100644
--- a/vhdbuilder/packer/test/linux-vhd-content-test.sh
+++ b/vhdbuilder/packer/test/linux-vhd-content-test.sh
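Review bot: The `find … | sort | head -n1` in the new `uki_path` assignment picks the lexicographically first candidate, not necessarily the UKI that systemd-boot will boot: on an image where a legacy `acl.efi` sits beside a `vmlinuz-*.efi`, or where two kernel versions are installed, `sort` returns `acl.efi` or the older version and the firstboot addon is restored into an `.extra.d/` that is never read, which is the same silent failure this commit sets out to remove. systemd-boot's own ordering is, as far as I know, a version sort rather than a byte sort, so the two can disagree. The same selection is used by testFips and installFIPS in the next two hunks. I would make more than one candidate a hard error here and in the other two sites, e.g. `uki_paths="$(find … | sort)"` followed by `[ "$(printf '%s\n' "${uki_paths}" | wc -l)" -eq 1 ] || { echo "cleanup-vhd: expected exactly one UKI under /boot/EFI/Linux, found: ${uki_paths}" >&2; exit 1; }`, or alternatively loop over every candidate and install the addon into each `.extra.d/` so the build fails or covers all layouts rather than leaving it to the first boot.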
@@ -642,10 +642,22 @@ testFips() {
 else
 err $test "/etc/system-fips marker file does not exist."
 fi
-if [ -f /boot/EFI/Linux/acl.efi.extra.d/fips.addon.efi ]; then
-echo "ACL FIPS UKI addon file exists in active ESP location."
+# ACL images historically named the UKI "acl.efi"; newer (UAPI-compliant)
+# images use "vmlinuz-.efi". systemd-boot loads cmdline addons
+# from ".extra.d/", so the addon directory tracks the
+# UKI's actual name. Probe for either layout.
+uki_path=$(find /boot/EFI/Linux -maxdepth 1 -type f \ \( -name 'vmlinuz-*.efi' -o -name 'acl.efi' \) 2>/dev/null | sort | head -n1)
+if [ -z "${uki_path}" ]; then
+err $test "No UKI found under /boot/EFI/Linux (expected acl.efi or vmlinuz-*.efi)."
 else
-err $test "ACL FIPS UKI addon file does not exist in active ESP location."
+uki_name=$(basename "${uki_path}")
+fips_addon_path="/boot/EFI/Linux/${uki_name}.extra.d/fips.addon.efi"
+if [ -f "${fips_addon_path}" ]; then
+echo "ACL FIPS UKI addon file exists at ${fips_addon_path}."
+else
+err $test "ACL FIPS UKI addon file does not exist at ${fips_addon_path}."
+fi
 fi
 fi
diff --git a/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh b/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh
index 84393439014..fada785401a 100644
--- a/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh
+++ b/vhdbuilder/scripts/linux/acl/tool_installs_acl.sh
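Review bot: The new `uki_path`, `uki_name` and `fips_addon_path` assignments inside testFips are not declared `local`, so they leak into the global scope of the test script and can be read by, or collide with, later test functions, while installFIPS in the next hunk declares `local uki_path` and `local uki_name` for the same variables. Since the commit message states the three sites are meant to be harmonized, I would add `local uki_path uki_name fips_addon_path` just before the `find`, with the assignment kept on its own line as it already is. testFips's opening and the branch on `/etc/system-fips` start before this hunk, so check that nothing earlier in the function already uses these names.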
@@ -33,13 +33,33 @@ installFIPS() {
 echo "Installing FIPS..."
 local fips_addon_src="/boot/acl/uki-addons/fips.addon.efi"
- local fips_addon_dst="/boot/EFI/Linux/acl.efi.extra.d/fips.addon.efi"
 if [ ! -f "${fips_addon_src}" ]; then
 echo "FIPS addon not found at ${fips_addon_src}" >&2
 exit 1
 fi
+ # Discover the active UKI on the ESP. systemd-boot loads addons from
+ # the directory named ".extra.d/", so the destination
+ # must track the UKI's actual name. ACL images historically named the
+ # UKI "acl.efi"; newer (UAPI-compliant) images use "vmlinuz-.efi".
+ # Hardcoding "acl.efi.extra.d/" silently orphans the addon on the new
+ # naming scheme and leaves the kernel booting without fips=1.
+ local uki_path
+ uki_path="$(find /boot/EFI/Linux -maxdepth 1 -type f \ \( -name 'vmlinuz-*.efi' -o -name 'acl.efi' \) 2>/dev/null \ | sort | head -n1)"
+
+ if [ -z "${uki_path}" ]; then
+ echo "No UKI found under /boot/EFI/Linux (expected acl.efi or vmlinuz-*.efi)" >&2
+ exit 1
+ fi
+
+ local uki_name
+ uki_name="$(basename "${uki_path}")"
+ local fips_addon_dst="/boot/EFI/Linux/${uki_name}.extra.d/fips.addon.efi"
+
+ echo "Installing FIPS addon: ${fips_addon_src} -> ${fips_addon_dst}"
 install -D -m 0644 "${fips_addon_src}" "${fips_addon_dst}"
 touch /etc/system-fips
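Review bot: The `2>/dev/null` on the new `find` hides the case where `/boot/EFI/Linux` does not exist or the ESP is not mounted, so that condition is reported as "No UKI found under /boot/EFI/Linux (expected acl.efi or vmlinuz-*.efi)" and sends the operator looking for a renamed UKI instead of a missing mount. Since this is the path that decides whether the kernel boots with fips=1, the two failures deserve distinct messages. I would add `[ -d /boot/EFI/Linux ] || { echo "/boot/EFI/Linux is missing (ESP not mounted?)" >&2; exit 1; }` before the `find` and drop the `2>/dev/null` so any remaining find error is visible in the build log. installFIPS opens before this hunk and continues after `touch /etc/system-fips`.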