Skip to content

fix: add pre-flight check for oras binary before ACR login#7908

Open
Lyqed wants to merge 1 commit intoAzure:mainfrom
Lyqed:fix/check-oras-binary-before-acr-login
Open

fix: add pre-flight check for oras binary before ACR login#7908
Lyqed wants to merge 1 commit intoAzure:mainfrom
Lyqed:fix/check-oras-binary-before-acr-login

Conversation

@Lyqed
Copy link

@Lyqed Lyqed commented Feb 19, 2026

Summary

Closes #7907

AzureLinux V3 image 202601.27.0 shipped without the oras binary. When oras_login_with_kubelet_identity runs on such a node, every call to oras fails silently and error propagation eventually surfaces as exit code 211 (ERR_ORAS_PULL_NETWORK_TIMEOUT) — a misleading code that sends operators chasing network/IMDS issues instead of the real problem: the binary is simply absent.

This PR adds a pre-flight guard at the top of oras_login_with_kubelet_identity that:

  1. Checks command -v oras before doing any ACR work.
  2. On failure: logs $PATH, probes the three canonical install locations (/usr/local/bin/oras, /usr/bin/oras, /opt/bin/oras), dumps /etc/os-release, and queries rpm (AzureLinux/Mariner) or dpkg (Ubuntu) for installed oras packages.
  3. Returns the new, unambiguous ERR_ORAS_BINARY_NOT_FOUND=232 error code so the failure is instantly understandable from CSE logs.

Changes

File Change
parts/linux/cloud-init/artifacts/cse_helpers.sh Add ERR_ORAS_BINARY_NOT_FOUND=232; add pre-flight check in oras_login_with_kubelet_identity
pkg/agent/testdata/**/CustomData Regenerated by make generate (snapshot test data embeds the script)

Test plan

  • make generate — shellcheck passes on cse_helpers.sh; Go snapshot tests regenerated
  • make test — all unit tests pass
  • E2E: provision an AzureLinux V3 node with a mock/patched image that lacks oras; confirm CSE exits with code 232 and the diagnostic block appears in logs
  • E2E: provision a normal AzureLinux V3 node with oras present; confirm no regression (pre-flight check passes and login succeeds)

Notes for reviewers

  • The pre-flight check is placed before the client_id/tenant_id guard and before any oras call, so it catches the missing-binary case regardless of ACR anonymity or identity configuration.
  • Cross-distro: uses command -v (POSIX), rpm (AzureLinux/Mariner), dpkg (Ubuntu) — no bashisms in the diagnostic path; local variable oras_path declared with local per shell script guidelines.
  • Error code 232 follows 231 (ERR_IMDS_FETCH_FAILED) in the numeric sequence and does not collide with any existing code.

🤖 Generated with Claude Code

@Lyqed
fix: add pre-flight check for oras binary before ACR login
7494bce 
Without this check, a missing `oras` binary causes CSE to exit with
ERR_ORAS_PULL_NETWORK_TIMEOUT (211) — a misleading code that points
engineers at networking rather than the actual problem.

What:
- Add ERR_ORAS_BINARY_NOT_FOUND=232 error code to cse_helpers.sh
- Add pre-flight check at the start of oras_login_with_kubelet_identity
  that verifies `oras` is present in PATH before doing any ACR work

Why:
- AzureLinux V3 image 202601.27.0 shipped without the oras binary,
  causing all Karpenter-provisioned nodes to fail CSE with exit 211.
  The new check emits clear diagnostic output (PATH, known install
  paths, OS info, rpm/dpkg package list) and returns the unambiguous
  ERR_ORAS_BINARY_NOT_FOUND code so operators know immediately what
  went wrong.

How:
- command -v oras checked first; on failure, probe
  /usr/local/bin/oras, /usr/bin/oras, /opt/bin/oras and log OS info
  and installed packages via rpm (AzureLinux/Mariner) or dpkg (Ubuntu)
  before returning ERR_ORAS_BINARY_NOT_FOUND

Fixes Azure#7907
@Lyqed Lyqed marked this pull request as ready for review February 19, 2026 11:15
@Lyqed Lyqed mentioned this pull request Feb 19, 2026
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yewmsft yewmsft Awaiting requested review from yewmsft yewmsft is a code owner

@YaoC YaoC Awaiting requested review from YaoC YaoC is a code owner

@juan-lee juan-lee Awaiting requested review from juan-lee juan-lee is a code owner

@cameronmeissner cameronmeissner Awaiting requested review from cameronmeissner cameronmeissner is a code owner

@ganeshkumarashok ganeshkumarashok Awaiting requested review from ganeshkumarashok ganeshkumarashok is a code owner

@Devinwong Devinwong Awaiting requested review from Devinwong Devinwong is a code owner

@lilypan26 lilypan26 Awaiting requested review from lilypan26 lilypan26 is a code owner

@AbelHu AbelHu Awaiting requested review from AbelHu AbelHu is a code owner

@junjiezhang1997 junjiezhang1997 Awaiting requested review from junjiezhang1997 junjiezhang1997 is a code owner

@djsly djsly Awaiting requested review from djsly djsly is a code owner

@phealy phealy Awaiting requested review from phealy phealy is a code owner

@r2k1 r2k1 Awaiting requested review from r2k1 r2k1 is a code owner

@timmy-wright timmy-wright Awaiting requested review from timmy-wright timmy-wright is a code owner

@zachary-bailey zachary-bailey Awaiting requested review from zachary-bailey zachary-bailey is a code owner

@awesomenix awesomenix Awaiting requested review from awesomenix awesomenix is a code owner

@mxj220 mxj220 Awaiting requested review from mxj220 mxj220 is a code owner

@pdamianov-dev pdamianov-dev Awaiting requested review from pdamianov-dev pdamianov-dev is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: oras binary missing from AzureLinux V3 image 202601.27.0 — CSE fails with exit code 211

1 participant

@Lyqed