feat: enable cloud-init write_files module for OSGuard images#7937
feat: enable cloud-init write_files module for OSGuard images#7937awesomenix merged 1 commit intomainfrom
Conversation
awesomenix
requested review from
AbelHu,
Devinwong,
SriHarsha001,
cameronmeissner,
djsly,
ganeshkumarashok,
juan-lee,
junjiezhang1997,
lilypan26,
phealy,
r2k1,
timmy-wright,
yagmurbaydogan,
yewmsft and
zachary-bailey
as code owners
awesomenix
force-pushed
the
nishp/no_sudo
branch
from
bba01dc to
d12017e
Compare
awesomenix
requested review from
calvin197,
mxj220 and
pdamianov-dev
as code owners
awesomenix
force-pushed
the
nishp/no_sudo
branch
from
d12017e to
7637557
Compare
There was a problem hiding this comment.
Pull request overview
This PR enables the cloud-init write_files module for OSGuard images to support custom data file delivery during node provisioning. Previously, OSGuard's cloud-init configuration only enabled users_groups and ssh modules, preventing any write_files entries from being written. The change is safe because all current write_files entries target /opt/ or /etc/ paths (both writable on OSGuard), avoiding the read-only /usr/ partition protected by dm-verity.
Changes:
- Enable
write_filesmodule in OSGuard cloud-init configuration - Add
IsAzlOSGuardtemplate function to guard OSGuard-specific logic - Add OSGuard-specific CSE helper and install script constants and variable mappings
- Document
/usr/write restriction and add regression test to prevent future violations - Remove
EnableScriptlessCSECmd = falseoverrides in OSGuard e2e tests (now works with default behavior)
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
parts/linux/cloud-init/artifacts/azlosguard/10-users-ssh-enable.cfg |
Adds write_files to the cloud_init_modules list to enable file delivery on OSGuard |
pkg/agent/baker.go |
Adds IsAzlOSGuard template function to detect OSGuard distros (both official and customized images) |
parts/linux/cloud-init/nodecustomdata.yml |
Adds OSGuard-specific distro script blocks and documents /usr/ read-only restriction with guard pattern |
pkg/agent/baker_test.go |
Adds regression test ensuring no write_files entries target /usr/ paths for OSGuard |
pkg/agent/const.go |
Adds OSGuard-specific CSE helper and install script file path constants |
pkg/agent/variables.go |
Adds OSGuard-specific script variable mappings for template rendering |
e2e/scenario_test.go |
Removes EnableScriptlessCSECmd = false overrides and fixes whitespace alignment |
awesomenix
force-pushed
the
nishp/no_sudo
branch
from
7637557 to
f787373
Compare
awesomenix
force-pushed
the
nishp/no_sudo
branch
from
f787373 to
7e0d606
Compare
| cloud_init_modules: | ||
| - write_files | ||
| - users_groups | ||
| - ssh |
There was a problem hiding this comment.
Enabling the write_files module at the OS image level is a behavioral change for all customData versions. Older AgentBaker customData templates treated OSGuard as IsMariner and would write Mariner distro scripts + package/snapshot update units into write_files; with /usr read-only on OSGuard, that older customData could now overwrite the baked OSGuard-safe scripts and/or enable update flows that aren’t OSGuard-compatible. Please confirm backward compatibility with older customData (6‑month VHD window), or add an image-side mitigation (e.g., prevent overwriting OSGuard distro scripts / disable update units when OSGuard is detected).
There was a problem hiding this comment.
this behaviour change is only with new OSGuard VHD, which means they also get new CSE + CustomData, i wouldnt worry about this scenario
| Entry("CustomizedImageLinuxGuard write_files should not target /usr/ paths", "CustomizedImageLinuxGuard", "1.24.2", | ||
| func(c *datamodel.NodeBootstrappingConfiguration) { | ||
| c.ContainerService.Properties.AgentPoolProfiles[0].KubernetesConfig = &datamodel.KubernetesConfig{ | ||
| ContainerRuntime: datamodel.Containerd, | ||
| } | ||
| c.ContainerService.Properties.AgentPoolProfiles[0].Distro = datamodel.CustomizedImageLinuxGuard | ||
| }, func(o *nodeBootstrappingOutput) { | ||
| for path := range o.files { | ||
| Expect(path).NotTo(HavePrefix("/usr/"), "OSGuard has /usr/ read-only (dm-verity), write_files must not target /usr/ paths: %s", path) | ||
| } | ||
| }, |
There was a problem hiding this comment.
This regression test only covers CustomizedImageLinuxGuard, but IsAzlOSGuard also returns true for the actual OSGuard VHD distro(s) via IsAzureLinuxOSGuardDistro(). Consider adding a second table entry for an OSGuard SIG distro (e.g., AKSAzureLinuxV3OSGuardGen2FIPSTL) so template changes can’t accidentally reintroduce /usr write_files paths for non-custom images. Also, if the intent is “no writes to /usr at all”, you may want to fail on path == "/usr" in addition to HavePrefix("/usr/").
awesomenix
force-pushed
the
nishp/no_sudo
branch
from
7e0d606 to
51608c9
Compare
Enable the write_files cloud-init module in OSGuard 10-users-ssh-enable.cfg so that custom data write_files entries are delivered during provisioning. Add IsOSGuard template function to guard future /usr/ path entries, since OSGuard has /usr/ mounted read-only via dm-verity. Add regression test ensuring no write_files entries target /usr/ paths for OSGuard.
awesomenix
force-pushed
the
nishp/no_sudo
branch
from
51608c9 to
3e8d49c
Compare
Summary
Enable the
write_filescloud-init module on OSGuard images so that custom datawrite_filesentries are delivered during node provisioning.Problem
OSGuard's
10-users-ssh-enable.cfgexplicitly listscloud_init_moduleswith onlyusers_groupsandssh. This causes cloud-init to skip thewrite_filesmodule entirely, preventing any files from the custom datawrite_filessection from being written during provisioning.Changes
10-users-ssh-enable.cfg: Addwrite_filestocloud_init_moduleslistbaker.go: AddIsOSGuardtemplate function (IsAzureLinuxOSGuardDistro() || CustomizedImageLinuxGuard) for guarding future/usr/path entriesnodecustomdata.yml: Add block comment documenting that OSGuard has/usr/read-only (dm-verity) and how to useIsOSGuardguardbaker_test.go: Add regression test asserting nowrite_filesentries target/usr/paths for OSGuardContext
OSGuard uses dm-verity (UKI +
reinitialize-verity) which makes/usr/read-only. All currentwrite_filesentries target/opt/or/etc/(both writable), so enabling the module is safe. TheIsOSGuardfunction and regression test prevent future regressions if someone adds a/usr/path entry.Testing
Test_AzureLinux3OSGuard