Merge branch 'dev' into jasonjung/test-query-0

.pipelines/.vsts-vhd-windows-automation.yaml

@@ -12,6 +12,10 @@ parameters:
   displayName: Release Notes
   type: boolean
   default: false
+- name: PRTargetBranch
+  displayName: PR Target Branch
+  type: string
+  default: master
 
 variables:
   - group: "AKS Dev Assistant (KV)"
@@ -43,6 +47,7 @@ steps:
   env:
     GITHUB_TOKEN: $(GITHUB_TOKEN)
     BUILD_ID: $(BUILD_ID)
+    PR_TARGET_BRANCH: ${{ parameters.PRTargetBranch }}
   displayName: 'Release Notes'
   condition: eq('${{ parameters.ReleaseNotes }}', true)
 

aks-node-controller/.gitignore

@@ -1 +1,2 @@
 aks-node-controller
+aks-node-controller.log

aks-node-controller/app.go

@@ -26,6 +26,10 @@ type App struct {
 func cmdRunner(cmd *exec.Cmd) error {
 	return cmd.Run()
 }
+func cmdRunnerDryRun(cmd *exec.Cmd) error {
+	slog.Info("dry-run", "cmd", cmd.String())
+	return nil
+}
 
 type ProvisionFlags struct {
 	ProvisionConfig string
@@ -56,13 +60,17 @@ func (a *App) run(ctx context.Context, args []string) error {
 	case "provision":
 		fs := flag.NewFlagSet("provision", flag.ContinueOnError)
 		provisionConfig := fs.String("provision-config", "", "path to the provision config file")
+		dryRun := fs.Bool("dry-run", false, "print the command that would be run without executing it")
 		err := fs.Parse(args[2:])
 		if err != nil {
 			return fmt.Errorf("parse args: %w", err)
 		}
 		if provisionConfig == nil || *provisionConfig == "" {
 			return errors.New("--provision-config is required")
 		}
+		if dryRun != nil && *dryRun {
+			a.cmdRunner = cmdRunnerDryRun
+		}
 		return a.Provision(ctx, ProvisionFlags{ProvisionConfig: *provisionConfig})
 	case "provision-wait":
 		provisionStatusFiles := ProvisionStatusFiles{ProvisionJSONFile: provisionJSONFilePath, ProvisionCompleteFile: provisionCompleteFilePath}

aks-node-controller/app_test.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"reflect"
 	"strconv"
 	"testing"
 	"time"
@@ -148,6 +149,17 @@ func TestApp_Provision(t *testing.T) {
 	}
 }
 
+func TestApp_Provision_DryRun(t *testing.T) {
+	app := &App{
+		cmdRunner: cmdRunner,
+	}
+	result := app.Run(context.Background(), []string{"aks-node-controller", "provision", "--provision-config=parser/testdata/test_aksnodeconfig.json", "--dry-run"})
+	assert.Equal(t, 0, result)
+	if reflect.ValueOf(app.cmdRunner).Pointer() != reflect.ValueOf(cmdRunnerDryRun).Pointer() {
+		t.Fatal("app.cmdRunner is expected to be cmdRunnerDryRun")
+	}
+}
+
 func TestApp_ProvisionWait(t *testing.T) {
 	testData := "hello world"
 

aks-node-controller/const.go

@@ -3,7 +3,7 @@ package main
 // Some options are intentionally non-configurable to avoid customization by users
 // it will help us to avoid introducing any breaking changes in the future.
 const (
-	logFile                   = "/var/log/azure/aks-node-controller.log"
+	logPath                   = "/var/log/azure/aks-node-controller.log"
 	provisionJSONFilePath     = "/var/log/azure/aks/provision.json"
 	provisionCompleteFilePath = "/opt/azure/containers/provision.complete"
 )

aks-node-controller/main.go

@@ -3,23 +3,52 @@ package main
 import (
 	"context"
 	"fmt"
+	"io"
 	"log/slog"
 	"os"
+	"path/filepath"
 )
 
 func main() {
-	logFile, err := os.OpenFile(logFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	// defer calls are not executed on os.Exit
+	logCleanup := configureLogging()
+	app := App{cmdRunner: cmdRunner}
+	exitCode := app.Run(context.Background(), os.Args)
+	logCleanup()
+	os.Exit(exitCode)
+}
+
+func configureLogging() func() {
+	logPath := setupLogPath()
+
+	if err := os.MkdirAll(filepath.Dir(logPath), 0755); err != nil {
+		fmt.Printf("failed to create log directory: %s\n", err)
+		os.Exit(1)
+	}
+
+	logFile, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 	if err != nil {
 		//nolint:forbidigo // there is no other way to communicate the error
 		fmt.Printf("failed to open log file: %s\n", err)
 		os.Exit(1)
 	}
-
-	logger := slog.New(slog.NewJSONHandler(logFile, nil))
+	mw := io.MultiWriter(logFile, os.Stderr)
+	logger := slog.New(slog.NewJSONHandler(mw, nil))
 	slog.SetDefault(logger)
+	return func() {
+		err := logFile.Close()
+		if err != nil {
+			// stdout is important, don't pollute with non-important warnings
+			_, _ = fmt.Fprintf(os.Stderr, "failed to close log file: %s\n", err)
+		}
+	}
+}
 
-	app := App{cmdRunner: cmdRunner}
-	exitCode := app.Run(context.Background(), os.Args)
-	_ = logFile.Close()
-	os.Exit(exitCode)
+func setupLogPath() string {
+	// Try to create production directory first
+	if err := os.MkdirAll(filepath.Dir(logPath), 0755); err == nil {
+		return logPath
+	}
+	// If directory creation fails, fallback to current directory
+	return "aks-node-controller.log"
 }

e2e/scenario_test.go

@@ -1234,7 +1234,7 @@ func Test_Ubuntu2204ARM64_KubeletCustomConfig(t *testing.T) {
 	})
 }
 
-func Test_Ubuntu2404UbuntuGen2(t *testing.T) {
+func Test_Ubuntu2404Gen2(t *testing.T) {
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using the Ubuntu 2404 VHD can be properly bootstrapped with containerd v2",
 		Config: Config{
@@ -1244,25 +1244,9 @@ func Test_Ubuntu2404UbuntuGen2(t *testing.T) {
 			},
 			Validator: func(ctx context.Context, s *Scenario) {
 				containerdVersions := getExpectedPackageVersions("containerd", "ubuntu", "r2404")
-				if len(containerdVersions) != 1 {
-					t.Errorf("expected exactly one version for containerd, got %v", containerdVersions)
-				}
-				// assert versions[0] value starts with '2.'
-				if !strings.HasPrefix(containerdVersions[0], "2.") {
-					t.Errorf("expected containerd version to start with '2.', got %v", containerdVersions[0])
-				}
 				runcVersions := getExpectedPackageVersions("runc", "ubuntu", "r2404")
-				if len(runcVersions) != 1 {
-					t.Errorf("expected exactly one version for containerd, got %v", runcVersions)
-				}
-				// assert versions[0] value starts with '1.2.'
-				if !strings.HasPrefix(runcVersions[0], "1.2.") {
-					t.Errorf("expected containerd version to start with '1.2.', got %v", containerdVersions[0])
-				}
-				ValidateInstalledPackageVersion(ctx, s, "moby-containerd", containerdVersions[0])
-				ValidateInstalledPackageVersion(ctx, s, "moby-runc", getExpectedPackageVersions("runc", "ubuntu", "r2404")[0])
-				// assert that /etc/containerd/config.toml exists and does not contain deprecated properties from 1.7
-				ValidateFileExcludesContent(ctx, s, "/etc/containerd/config.toml", "CriuPath", "CriuPath")
+				ValidateContainerd2Properties(ctx, s, containerdVersions)
+				ValidateRunc12Properties(ctx, s, runcVersions)
 			},
 		},
 	})
@@ -1277,8 +1261,10 @@ func Test_Ubuntu2404Gen1(t *testing.T) {
 			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
 			},
 			Validator: func(ctx context.Context, s *Scenario) {
-				ValidateInstalledPackageVersion(ctx, s, "moby-containerd", getExpectedPackageVersions("containerd", "ubuntu", "r2404")[0])
-				ValidateInstalledPackageVersion(ctx, s, "moby-runc", getExpectedPackageVersions("runc", "ubuntu", "r2404")[0])
+				containerdVersions := getExpectedPackageVersions("containerd", "ubuntu", "r2404")
+				runcVersions := getExpectedPackageVersions("runc", "ubuntu", "r2404")
+				ValidateContainerd2Properties(ctx, s, containerdVersions)
+				ValidateRunc12Properties(ctx, s, runcVersions)
 			},
 		},
 	})
@@ -1296,8 +1282,10 @@ func Test_Ubuntu2404ARM(t *testing.T) {
 				vmss.SKU.Name = to.Ptr("Standard_D2pds_V5")
 			},
 			Validator: func(ctx context.Context, s *Scenario) {
-				ValidateInstalledPackageVersion(ctx, s, "moby-containerd", getExpectedPackageVersions("containerd", "ubuntu", "r2404")[0])
-				ValidateInstalledPackageVersion(ctx, s, "moby-runc", getExpectedPackageVersions("runc", "ubuntu", "r2404")[0])
+				containerdVersions := getExpectedPackageVersions("containerd", "ubuntu", "r2404")
+				runcVersions := getExpectedPackageVersions("runc", "ubuntu", "r2404")
+				ValidateContainerd2Properties(ctx, s, containerdVersions)
+				ValidateRunc12Properties(ctx, s, runcVersions)
 			},
 		},
 	})

e2e/validators.go

@@ -317,3 +317,25 @@ func isResourceAvailable(node *corev1.Node, resourceName string) bool {
 	}
 	return false
 }
+
+func ValidateContainerd2Properties(ctx context.Context, s *Scenario, versions []string) {
+	require.Lenf(s.T, versions, 1, "Expected exactly one version for moby-containerd but got %d", len(versions))
+	// assert versions[0] value starts with '2.'
+	require.Truef(s.T, strings.HasPrefix(versions[0], "2."), "expected moby-containerd version to start with '2.', got %v", versions[0])
+
+	ValidateInstalledPackageVersion(ctx, s, "moby-containerd", versions[0])
+	// assert that /etc/containerd/config.toml exists and does not contain deprecated properties from 1.7
+	ValidateFileExcludesContent(ctx, s, "/etc/containerd/config.toml", "CriuPath", "CriuPath")
+	// assert that containerd.server service file does not contain LimitNOFILE
+	// https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md#limitnofile-configuration-has-been-removed
+	ValidateFileExcludesContent(ctx, s, "/etc/systemd/system/containerd.service", "LimitNOFILE", "LimitNOFILE")
+	// nri plugin is enabled by default
+	ValidateDirectoryContent(ctx, s, "/run/nri/nri", []string{"nri.sock"})
+}
+
+func ValidateRunc12Properties(ctx context.Context, s *Scenario, versions []string) {
+	require.Lenf(s.T, versions, 1, "Expected exactly one version for moby-runc but got %d", len(versions))
+	// assert versions[0] value starts with '1.2.'
+	require.Truef(s.T, strings.HasPrefix(versions[0], "1.2."), "expected moby-runc version to start with '1.2.', got %v", versions[0])
+	ValidateInstalledPackageVersion(ctx, s, "moby-runc", versions[0])
+}

parts/linux/cloud-init/artifacts/components.json

@@ -361,11 +361,17 @@
       "multiArchVersionsV2": [
         {
           "renovateTag": "registry=https://mcr.microsoft.com, name=oss/kubernetes-csi/azuredisk-csi",
-          "latestVersion": "v1.29.10"
+          "latestVersion": "v1.29.12",
+          "previousLatestVersion": "v1.29.10"
         },
         {
           "renovateTag": "registry=https://mcr.microsoft.com, name=oss/kubernetes-csi/azuredisk-csi",
-          "latestVersion": "v1.30.6"
+          "latestVersion": "v1.30.7",
+          "previousLatestVersion": "v1.30.6"
+        },
+        {
+          "renovateTag": "registry=https://mcr.microsoft.com, name=oss/kubernetes-csi/azuredisk-csi",
+          "latestVersion": "v1.31.2"
         }
       ]
     },

pkg/agent/baker.go

@@ -481,7 +481,11 @@ func getContainerServiceFuncMap(config *datamodel.NodeBootstrappingConfiguration
 				sb.WriteString(fmt.Sprintf("LimitMEMLOCK=%s\n", ulimitConfig.MaxLockedMemory))
 			}
 			if ulimitConfig.NoFile != "" {
-				sb.WriteString(fmt.Sprintf("LimitNOFILE=%s\n", ulimitConfig.NoFile))
+				// ulimit is removed in containerd 2.0+, which is available only in ubuntu2404 distro
+				// https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md#limitnofile-configuration-has-been-removed
+				if !profile.Is2404VHDDistro() {
+					sb.WriteString(fmt.Sprintf("LimitNOFILE=%s\n", ulimitConfig.NoFile))
+				}
 			}
 			return sb.String()
 		},

pkg/agent/baker_test.go

@@ -333,7 +333,7 @@ var _ = Describe("Assert generated customData and cseCmd", func() {
 		// !!! WARNING !!!
 		// avoid mutation of the original config -- both functions mutate input.
 		// GetNodeBootstrappingPayload mutates the input so it's not the same as what gets passed to GetNodeBootstrappingCmd which causes bugs.
-		// unit tests should always rely on unmutated copies of the base config.
+		// unit tests should always rely on un-mutated copies of the base config.
 		configCustomDataInput, err := deepcopy.Anything(config)
 		Expect(err).To(BeNil())
 
@@ -1546,6 +1546,10 @@ oom_score = 0
 					TransparentHugePageEnabled: "never",
 					TransparentHugePageDefrag:  "defer+madvise",
 					SwapFileSizeMB:             &swapFileSizeMB,
+					UlimitConfig: &datamodel.UlimitConfig{
+						MaxLockedMemory: "75000",
+						NoFile:          "1048",
+					},
 				}
 			}, func(o *nodeBootstrappingOutput) {
 				kubeletConfigFileContent, err := getBase64DecodedValue([]byte(o.vars["KUBELET_CONFIG_FILE_CONTENT"]))
@@ -1565,6 +1569,11 @@ oom_score = 0
 				Expect(sysctlContent).To(ContainSubstring("net.ipv4.neigh.default.gc_thresh2=8192"))
 				Expect(sysctlContent).To(ContainSubstring("net.ipv4.neigh.default.gc_thresh3=16384"))
 				Expect(sysctlContent).To(ContainSubstring("net.ipv4.ip_local_reserved_ports=65330"))
+
+				Expect(o.vars["SHOULD_CONFIG_CONTAINERD_ULIMITS"]).To(Equal("true"))
+				containerdUlimitContent := o.vars["CONTAINERD_ULIMITS"]
+				Expect(containerdUlimitContent).To(ContainSubstring("LimitNOFILE=1048"))
+				Expect(containerdUlimitContent).To(ContainSubstring("LimitMEMLOCK=75000"))
 			}),
 		Entry("AKSUbuntu2204 with k8s 1.31 and custom kubeletConfig and serializeImagePull flag", "AKSUbuntu2204+CustomKubeletConfig+SerializeImagePulls", "1.31.0",
 			func(config *datamodel.NodeBootstrappingConfiguration) {
@@ -1625,6 +1634,21 @@ oom_score = 0
 			Expect(o.vars["ENABLE_IMDS_RESTRICTION"]).To(Equal("false"))
 			Expect(o.vars["INSERT_IMDS_RESTRICTION_RULE_TO_MANGLE_TABLE"]).To(Equal("false"))
 		}),
+		Entry("AKSUbuntu2404 with custom osConfig for Ulimit", "AKSUbuntu2404+CustomLinuxOSConfigUlimit", ">=1.32.x",
+			func(config *datamodel.NodeBootstrappingConfiguration) {
+				config.ContainerService.Properties.AgentPoolProfiles[0].CustomLinuxOSConfig = &datamodel.CustomLinuxOSConfig{
+					UlimitConfig: &datamodel.UlimitConfig{
+						MaxLockedMemory: "75000",
+						NoFile:          "1048",
+					},
+				}
+				config.ContainerService.Properties.AgentPoolProfiles[0].Distro = datamodel.AKSUbuntuContainerd2404
+			}, func(o *nodeBootstrappingOutput) {
+				Expect(o.vars["SHOULD_CONFIG_CONTAINERD_ULIMITS"]).To(Equal("true"))
+				containerdUlimitContent := o.vars["CONTAINERD_ULIMITS"]
+				Expect(containerdUlimitContent).NotTo(ContainSubstring("LimitNOFILE=1048"))
+				Expect(containerdUlimitContent).To(ContainSubstring("LimitMEMLOCK=75000"))
+			}),
 	)
 })