6 changes: 0 additions & 6 deletions e2e/scenario_test.go
Expand Up @@ -400,9 +400,6 @@ func Test_Ubuntu2204FIPS(t *testing.T) {
vmss.Properties.AdditionalCapabilities = &armcompute.AdditionalCapabilities{
EnableFips1403Encryption: to.Ptr(true),
}
settings := vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings
vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.Settings = settings
vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings = nil
},
Validator: func(ctx context.Context, s *Scenario) {
ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
Expand All @@ -425,9 +422,6 @@ func Test_Ubuntu2204Gen2FIPS(t *testing.T) {
vmss.Properties.AdditionalCapabilities = &armcompute.AdditionalCapabilities{
EnableFips1403Encryption: to.Ptr(true),
}
settings := vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings
vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.Settings = settings
vmss.Properties.VirtualMachineProfile.ExtensionProfile.Extensions[0].Properties.ProtectedSettings = nil
},
Validator: func(ctx context.Context, s *Scenario) {
ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
49 changes: 49 additions & 0 deletions vhdbuilder/packer/packer_source.sh
Expand Up @@ -426,3 +426,52 @@ cpAndMode() {
mode=$3
DIR=$(dirname "$dest") && mkdir -p ${DIR} && cp $src $dest && chmod $mode $dest || exit $ERR_PACKER_COPY_FILE
}

updateWALinuxAgent() {
local waagent_version="2.15.0.1"
local tarball="v${waagent_version}.tar.gz"
local extract_dir="WALinuxAgent-${waagent_version}"

apt-get purge -y walinuxagent
Comment on lines +430 to +435

Copilot AI Jan 28, 2026


updateWALinuxAgent directly calls apt-get purge -y walinuxagent without using the repo’s retry/timeout helpers (e.g. apt_get_purge in vhdbuilder/packer/install-dependencies.sh). This makes builds more brittle and can hang/fail differently than the rest of the provisioning flow; please switch to the existing helper (and only run on apt-based distros).

Suggested change
updateWALinuxAgent() {
local waagent_version="2.15.0.1"
local tarball="v${waagent_version}.tar.gz"
local extract_dir="WALinuxAgent-${waagent_version}"
apt-get purge -y walinuxagent
apt_get_purge() {
local package="$1"
# Only attempt purge on apt-based distributions
if ! command -v apt-get >/dev/null 2>&1; then
echo "apt-get not found; skipping purge of ${package}"
return 0
}
local retries=5
local wait_seconds=10
local attempt=1
while [ "${attempt}" -le "${retries}" ]; do
echo "Purging package '${package}' with apt-get (attempt ${attempt}/${retries})"
DEBIAN_FRONTEND=noninteractive apt-get purge -y "${package}" && return 0
echo "apt-get purge failed for '${package}' on attempt ${attempt}; retrying in ${wait_seconds}s..."
sleep "${wait_seconds}"
attempt=$((attempt + 1))
done
echo "Failed to purge package '${package}' with apt-get after ${retries} attempts"
return 1
}
updateWALinuxAgent() {
local waagent_version="2.15.0.1"
local tarball="v${waagent_version}.tar.gz"
local extract_dir="WALinuxAgent-${waagent_version}"
apt_get_purge walinuxagent || return 1

systemctl daemon-reload
rm -rf /usr/lib/python3/dist-packages/azurelinuxagent*
rm -rf /usr/local/lib/python3.10/dist-packages/azurelinuxagent*

Comment on lines +438 to +439

Copilot AI Jan 28, 2026


Hardcoding /usr/local/lib/python3.10/dist-packages/ is not compatible with Ubuntu 24.04 (python3.12) and can leave an older azurelinuxagent in /usr/local that shadows the newly installed one. Determine the correct site-packages path dynamically (e.g., from python3 -c 'import site; ...') and remove/install accordingly.

Suggested change
rm -rf /usr/local/lib/python3.10/dist-packages/azurelinuxagent*
# Dynamically determine any /usr/local site-packages directory and remove azurelinuxagent from it
local local_site_packages
local_site_packages=$(python3 - <<'EOF'
import site
paths = []
if hasattr(site, "getsitepackages"):
paths.extend(site.getsitepackages())
get_user_site = getattr(site, "getusersitepackages", None)
if callable(get_user_site):
user_site = get_user_site()
if isinstance(user_site, str):
paths.append(user_site)
for p in paths:
if p.startswith("/usr/local/"):
print(p)
break
EOF
) || local_site_packages=""
if [[ -n "$local_site_packages" ]]; then
rm -rf "${local_site_packages%/}/azurelinuxagent"*
fi

# Download WALinuxAgent source
wget -O "${tarball}" "https://github.com/Azure/WALinuxAgent/archive/refs/tags/${tarball}" || {
echo "Failed to download WALinuxAgent"
return 1
}
Comment on lines +440 to +444

Copilot AI Jan 28, 2026


The agent source is downloaded and installed as root from GitHub without any integrity verification (checksum/signature) beyond HTTPS. For a base image build step, please add a deterministic integrity check (e.g., pinned SHA256 for the tarball or verify a signed release) to reduce supply-chain risk.


# Extract and install
tar -xvf "${tarball}" || {
echo "Failed to extract WALinuxAgent tarball"
rm -f "${tarball}"
return 1
}

pushd "${extract_dir}" || {
echo "Failed to enter WALinuxAgent directory"
rm -rf "${tarball}" "${extract_dir}"
return 1
}

python3 setup.py install --register-service --install-lib=/usr/lib/python3/dist-packages --install-scripts=/usr/sbin || {
echo "Failed to install WALinuxAgent"
popd
rm -rf "${tarball}" "${extract_dir}"
return 1
}

popd

# Disable auto-update to prevent the agent from updating itself
sed -i 's/^AutoUpdate.Enabled=y/AutoUpdate.Enabled=n/' /etc/waagent.conf

systemctl enable walinuxagent

# Cleanup downloaded files
rm -rf "${tarball}" "${extract_dir}"

echo "WALinuxAgent ${waagent_version} installed successfully"
}
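Review bot: The `sed -i 's/^AutoUpdate.Enabled=y/AutoUpdate.Enabled=n/' /etc/waagent.conf` line silently does nothing when the freshly installed /etc/waagent.conf does not carry an uncommented `AutoUpdate.Enabled=y`, yet the function still prints "installed successfully" and the image may keep the agent's own updater active, which defeats the stated intent of the comment above it. Verify the outcome rather than trusting the substitution, e.g. follow the sed with `grep -q '^AutoUpdate\.Enabled=n' /etc/waagent.conf || { echo "Failed to disable AutoUpdate in /etc/waagent.conf"; return 1; }`, and escape the dot in the sed pattern as `AutoUpdate\.Enabled` while at it. The same gap applies to `systemctl enable walinuxagent`, whose exit status is the only one in the function not followed by a `|| { ...; return 1; }` block; a unit that fails to enable leaves the agent installed but not started on first boot.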
2 changes: 2 additions & 0 deletions vhdbuilder/packer/pre-install-dependencies.sh
Expand Up @@ -33,6 +33,7 @@ if isMarinerOrAzureLinux "$OS"; then
fi

installJq || echo "WARNING: jq installation failed, VHD Build benchmarks will not be available for this build."
updateWALinuxAgent || echo "WARNING: WALinuxAgent update failed"

Copilot AI Jan 28, 2026


updateWALinuxAgent is invoked unconditionally, but its implementation uses apt-get and Debian/Ubuntu-specific Python paths. This will fail (or partially run and mutate the image unexpectedly) on non-Ubuntu distros built by this script (e.g., Mariner/AzureLinux/Flatcar). Gate this call to Ubuntu/Debian images (or implement distro-specific logic inside updateWALinuxAgent).

Suggested change
updateWALinuxAgent || echo "WARNING: WALinuxAgent update failed"
if [[ "$OS" == "UBUNTU" || "$OS" == "DEBIAN" ]]; then
updateWALinuxAgent || echo "WARNING: WALinuxAgent update failed"
fi


@r2k1 r2k1 Jan 28, 2026


oh, did you intentionally break it? Did copilot catch an issue?

capture_benchmark "${SCRIPT_NAME}_source_packer_files_and_declare_variables"

copyPackerFiles
Expand All @@ -46,6 +47,7 @@ else
fi
systemctl daemon-reload
systemctlEnableAndStart systemd-journald 30 || exit 1

if ! isFlatcar "$OS" ; then
systemctlEnableAndStart rsyslog 30 || exit 1
fi
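Review bot: `updateWALinuxAgent || echo "WARNING: WALinuxAgent update failed"` demotes a failure to a warning, but the function's first step (in packer_source.sh) purges the distro walinuxagent package, so a failure at any later step (download, extract, install) leaves the image without a provisioning agent while the build carries on. That state is only discovered later when the scan VM or e2e scenarios fail to provision, which is far harder to diagnose than an early abort. The `systemctlEnableAndStart ... || exit 1` lines in the second hunk of this file already use the stricter convention, and this call should follow it: `updateWALinuxAgent || exit 1`. The `|| echo` form is appropriate for `installJq` because the line says jq is only needed for benchmarks, which is not true of the agent.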
12 changes: 12 additions & 0 deletions vhdbuilder/packer/vhd-scanning.sh
Expand Up @@ -114,6 +114,18 @@ if [ "${OS_SKU}" = "Ubuntu" ] && [ "${OS_VERSION}" = "22.04" ] && [ "$(printf %s
# Register FIPS feature and create VM using REST API. Exit if any step fails.
ensure_fips_feature_registered || exit $?
create_fips_vm "$VM_SIZE" || exit $?

# Test extension functionality using Custom Script Extension (cat /etc/os-release)
# This validates that the Linux agent and Custom Script Extension work on this VM
echo "Testing Custom Script Extension functionality..."
az vm extension set \
--resource-group $RESOURCE_GROUP_NAME \
--vm-name $SCAN_VM_NAME \
--name customScript \
--publisher Microsoft.Azure.Extensions \
--protected-settings '{"commandToExecute":"cat /etc/os-release"}'

capture_benchmark "${SCRIPT_NAME}_test_custom_script_extension"
else
echo "Creating VM using standard az vm create command..."

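Review bot: The new `az vm extension set` call is the only step in this FIPS branch whose exit status is ignored: `ensure_fips_feature_registered` and `create_fips_vm` just above both carry `|| exit $?`, while a failed Custom Script Extension provisioning here is exactly the condition the preceding comment says this step is meant to validate, and the script would proceed to `capture_benchmark` regardless. `$RESOURCE_GROUP_NAME` and `$SCAN_VM_NAME` are also expanded unquoted, unlike `"$VM_SIZE"` on the line above. Suggest `--resource-group "$RESOURCE_GROUP_NAME" \`, `--vm-name "$SCAN_VM_NAME" \`, and `--protected-settings '{"commandToExecute":"cat /etc/os-release"}' || exit $?`. Whether the CLI version used by the builder reports a failed extension provisioning as a non-zero exit is worth confirming; if it does not, the `provisioningState` in the command's output needs to be checked explicitly instead.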