Merged
13 changes: 11 additions & 2 deletions e2e/node_config.go
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/Masterminds/semver"

"github.com/Azure/agentbaker/e2e/config"
"github.com/Azure/agentbaker/e2e/toolkit"
"github.com/Azure/agentbaker/pkg/agent"
"github.com/Azure/agentbaker/pkg/agent/datamodel"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
Expand Down Expand Up @@ -306,6 +307,14 @@ func nbcToAKSNodeConfigV1(nbc *datamodel.NodeBootstrappingConfiguration) *aksnod
// this is what we previously used for bash e2e from e2e/nodebootstrapping_template.json.
// which itself was extracted from baker_test.go logic, which was inherited from aks-engine.
func baseTemplateLinux(t testing.TB, location string, k8sVersion string, arch string) *datamodel.NodeBootstrappingConfiguration {
customKubeProxyImage := fmt.Sprintf("mcr.microsoft.com/oss/kubernetes/kube-proxy:v%s", k8sVersion)
customKubeBinaryURL := fmt.Sprintf("https://packages.aks.azure.com/kubernetes/v%s/binaries/kubernetes-node-linux-%s.tar.gz", k8sVersion, arch)
is134OrAbove, pErr := toolkit.CheckK8sConstraint(k8sVersion, ">=1.34.0")
require.NoError(t, pErr, "failed to parse Kubernetes version")
if is134OrAbove {
customKubeProxyImage = ""
customKubeBinaryURL = ""
}
config := &datamodel.NodeBootstrappingConfiguration{
ContainerService: &datamodel.ContainerService{
ID: "",
Expand Down Expand Up @@ -336,8 +345,8 @@ func baseTemplateLinux(t testing.TB, location string, k8sVersion string, arch st
UserAssignedID: "",
UserAssignedClientID: "",
CustomHyperkubeImage: "",
CustomKubeProxyImage: fmt.Sprintf("mcr.microsoft.com/oss/kubernetes/kube-proxy:v%s", k8sVersion),
CustomKubeBinaryURL: fmt.Sprintf("https://packages.aks.azure.com/kubernetes/v%s/binaries/kubernetes-node-linux-%s.tar.gz", k8sVersion, arch),
CustomKubeProxyImage: customKubeProxyImage,
CustomKubeBinaryURL: customKubeBinaryURL,
MobyVersion: "",
ContainerdVersion: "",
WindowsNodeBinariesURL: "",
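Review bot: The new `is134OrAbove` branch in `baseTemplateLinux` blanks `CustomKubeProxyImage` and `CustomKubeBinaryURL` with no comment saying why 1.34 is the cut-over, so a reader cannot tell which install path the e2e node is expected to exercise from that version on. I would add a comment above the `if`, along the lines of `// k8s >= 1.34: leave the custom kube-proxy image and kube binary URL empty so bootstrap does not use the node tarball`, with the wording confirmed against the intended install path, which is not visible in this hunk. The literal `">=1.34.0"` would also read better as a named constant. `baseTemplateLinux` continues outside the hunk.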
17 changes: 17 additions & 0 deletions e2e/toolkit/k8s.go
@@ -0,0 +1,17 @@
package toolkit

import (
"github.com/Masterminds/semver"
)

func CheckK8sConstraint(kubernetesVersion string, constraintStr string) (bool, error) {
version, err := semver.NewVersion(kubernetesVersion)
if err != nil {
return false, err
}
constraint, err := semver.NewConstraint(constraintStr)
if err != nil {
return false, err
}
return constraint.Check(version), nil
}
Comment on lines +7 to +17

Copilot AI Apr 15, 2026


CheckK8sConstraint is exported but has no GoDoc comment, which commonly fails repository linting and makes its intended input format (e.g., whether leading v is allowed) unclear. Recommendation (nit): add a short doc comment describing expected version formatting and what the constraint represents.

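Review bot: `CheckK8sConstraint` returns both parse errors unwrapped, so a caller cannot tell a malformed version from a malformed constraint; the one visible caller in `e2e/node_config.go` reports either as "failed to parse Kubernetes version". Wrapping each with its input, e.g. `return false, fmt.Errorf("parsing kubernetes version %q: %w", kubernetesVersion, err)` and `return false, fmt.Errorf("parsing constraint %q: %w", constraintStr, err)`, keeps the failure attributable; this needs `fmt` added to the import block. It is also worth a test with a pre-release input such as a constructed `1.34.0-rc.1`, since semver constraint libraries commonly treat pre-releases specially and the `>=1.34.0` gate decides which install path the e2e run exercises.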
Expand Up @@ -6,27 +6,30 @@ stub() {

installKubeletKubectlFromPkg() {
local desiredVersion="${1}"
installRPMPackageFromFile "kubelet" $desiredVersion || exit $ERR_KUBELET_INSTALL_FAIL
installRPMPackageFromFile "kubectl" $desiredVersion || exit $ERR_KUBECTL_INSTALL_FAIL

installRPMPackageFromFile "kubelet" "${desiredVersion}" "/opt/bin/kubelet" || exit "$ERR_KUBELET_INSTALL_FAIL"
installRPMPackageFromFile "kubectl" "${desiredVersion}" "/opt/bin/kubectl" || exit "$ERR_KUBECTL_INSTALL_FAIL"
}

installRPMPackageFromFile() {
local packageName="${1}"
local desiredVersion="${2}"
local targetBinDir="${3:-"/opt/bin"}"
local targetPath="${3:-/opt/bin/${packageName}}"
local downloadDir="/opt/${packageName}/downloads"
local rpmFile=""
local fullPackageVersion=""

echo "installing ${packageName} version ${desiredVersion} by manually unpacking the RPM"
if [ "${packageName}" != "kubelet" ] && [ "${packageName}" != "kubectl" ] && [ "${packageName}" != "azure-acr-credential-provider" ]; then
echo "Error: Unsupported package ${packageName}. Only kubelet, kubectl, and azure-acr-credential-provider installs are allowed on OSGuard."
exit 1
fi
echo "installing ${packageName} version ${desiredVersion}"
downloadDir="/opt/${packageName}/downloads"

rpmFile=$(ls "${downloadDir}" | grep "${packageName}" | grep "${desiredVersion}" | sort -V | tail -n 1) || rpmFile=""
if [ -z "${rpmFile}" ] && { [ "${packageName}" = "kubelet" ] || [ "${packageName}" = "kubectl" ]; } && fallbackToKubeBinaryInstall "${packageName}" "${desiredVersion}"; then
echo "Successfully installed ${packageName} version ${desiredVersion} from binary fallback"
rm -rf ${downloadDir}
rm -rf "${downloadDir}"
return 0
fi
if [ -z "${rpmFile}" ]; then
Expand All @@ -37,7 +40,7 @@ installRPMPackageFromFile() {
return 1
fi
echo "Did not find cached rpm file, downloading ${packageName} version ${fullPackageVersion}"
downloadPkgFromVersion "${packageName}" ${fullPackageVersion} "${downloadDir}"
downloadPkgFromVersion "${packageName}" "${fullPackageVersion}" "${downloadDir}"
rpmFile=$(ls "${downloadDir}" | grep "${packageName}" | grep "${desiredVersion}" | sort -V | tail -n 1) || rpmFile=""
fi
if [ -z "${rpmFile}" ]; then
Expand All @@ -46,17 +49,11 @@ installRPMPackageFromFile() {
fi

rpmFile="${downloadDir}/${rpmFile}"
local rpmBinaryName="${packageName}"
local targetBinaryName="${packageName}"
if [ "${packageName}" = "azure-acr-credential-provider" ]; then
targetBinaryName="acr-credential-provider"
fi

echo "Unpacking usr/bin/${rpmBinaryName} from ${downloadDir}/${packageName}-${desiredVersion}*"
mkdir -p "${targetBinDir}"
echo "Unpacking usr/bin/${packageName} from ${downloadDir}/${packageName}-${desiredVersion}*"
mkdir -p "$(dirname "${targetPath}")"
# This assumes that the binary will either be in /usr/bin or /usr/local/bin, but not both.
rpm2cpio "${rpmFile}" | cpio -i --to-stdout "./usr/bin/${rpmBinaryName}" "./usr/local/bin/${rpmBinaryName}" | install -m0755 /dev/stdin "${targetBinDir}/${targetBinaryName}"
rm -rf ${downloadDir}
rpm2cpio "${rpmFile}" | cpio -i --to-stdout "./usr/bin/${packageName}" "./usr/local/bin/${packageName}" | install -m0755 /dev/stdin "${targetPath}"
rm -rf "${downloadDir}"
Comment on lines +52 to +56

Copilot AI Apr 12, 2026


This rpm2cpio | cpio -i --to-stdout call requests both ./usr/bin/<name> and ./usr/local/bin/<name> at once. If the RPM contains only one of these, cpio can fail (and if both exist it may concatenate both files to stdout), leading to an empty/corrupted binary being installed. Please extract exactly one resolved path (e.g., inspect the RPM file list first, or try /usr/bin/... and fall back to /usr/local/bin/... only if needed).

}

downloadPkgFromVersion() {
Expand All @@ -83,7 +80,7 @@ installCredentialProviderFromPkg() {
echo "installing azure-acr-credential-provider package version: $packageVersion"
mkdir -p "${CREDENTIAL_PROVIDER_BIN_DIR}"
chown -R root:root "${CREDENTIAL_PROVIDER_BIN_DIR}"
installRPMPackageFromFile "azure-acr-credential-provider" "${packageVersion}" "${CREDENTIAL_PROVIDER_BIN_DIR}" || exit $ERR_CREDENTIAL_PROVIDER_DOWNLOAD_TIMEOUT
installRPMPackageFromFile "azure-acr-credential-provider" "${packageVersion}" "${CREDENTIAL_PROVIDER_BIN_DIR}/acr-credential-provider" || exit "$ERR_CREDENTIAL_PROVIDER_DOWNLOAD_TIMEOUT"
}

installDeps() {
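Review bot: In `installRPMPackageFromFile`, the `rpm2cpio … | cpio … | install -m0755 /dev/stdin "${targetPath}"` pipeline reports only the exit status of `install` unless `pipefail` is set somewhere outside this hunk, so a failed or empty extraction still leaves a 0755 file at `${targetPath}` and the function goes on to `rm -rf "${downloadDir}"`. A check right after the pipeline and before the download directory is removed, e.g. `[ -s "${targetPath}" ] || { echo "extracted ${packageName} is empty"; return 1; }`, would turn that into a visible failure instead of an unusable binary at first start. The function spans several hunks, so the surrounding control flow is only partly visible here.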
8 changes: 5 additions & 3 deletions parts/linux/cloud-init/artifacts/cse_helpers.sh
Expand Up @@ -1074,14 +1074,16 @@ getLatestPkgVersionFromK8sVersion() {
fallbackToKubeBinaryInstall() {
packageName="${1:-}"
packageVersion="${2:-}"
local targetPath="${3:-/opt/bin/${packageName}}"
if [ "${packageName}" = "kubelet" ] || [ "${packageName}" = "kubectl" ]; then
if [ "${SHOULD_ENFORCE_KUBE_PMC_INSTALL}" = "true" ]; then
echo "Kube PMC install is enforced, skipping fallback to kube binary install for ${packageName}"
return 1
elif [ -f "/opt/bin/${packageName}-${packageVersion}" ]; then
mv "/opt/bin/${packageName}-${packageVersion}" "/opt/bin/${packageName}"
chmod a+x /opt/bin/${packageName}
rm -rf /opt/bin/${packageName}-* &
mv "/opt/bin/${packageName}-${packageVersion}" "${targetPath}"
Comment on lines 1074 to +1083

Copilot AI Apr 13, 2026


The cache file naming on the VHD is /opt/bin/<tool>-<k8sVersion> (version stripped to X.Y.Z), but this helper looks for /opt/bin/<tool>-<packageVersion> verbatim. For RPMs, packageVersion may include a release suffix (e.g., 1.34.0-5.azl3), causing the cache-first path to be skipped even when /opt/bin/kubelet-1.34.0 exists. Normalize packageVersion to the intended <k8sVersion> (strip epoch and anything after the first -) and/or check both possible filenames.

chown root:root "${targetPath}"
chmod 0755 "${targetPath}"
rm -rf "/opt/bin/${packageName}-*" &
return 0
else
echo "No binary fallback found for ${packageName} version ${packageVersion}"
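Review bot: The quoted cleanup line in `fallbackToKubeBinaryInstall`, `rm -rf "/opt/bin/${packageName}-*" &`, no longer globs: inside double quotes the `*` is literal, so the command targets a path literally ending in `-*` and the other versioned binaries in `/opt/bin` are never removed. Keep the variable quoted but leave the wildcard outside the quotes: `rm -rf "/opt/bin/${packageName}-"* &`. Separately, `packageName` and `packageVersion` are still assigned without `local` while the new `targetPath` is local; `local packageName="${1:-}"` and `local packageVersion="${2:-}"` would keep them out of the caller's scope. The function continues past the end of the hunk.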
96 changes: 50 additions & 46 deletions parts/linux/cloud-init/artifacts/mariner/cse_install_mariner.sh
Expand Up @@ -213,8 +213,7 @@ installCredentialProviderFromPkg() {
echo "installing azure-acr-credential-provider package version: $packageVersion"
mkdir -p "${CREDENTIAL_PROVIDER_BIN_DIR}"
chown -R root:root "${CREDENTIAL_PROVIDER_BIN_DIR}"
installRPMPackageFromFile "azure-acr-credential-provider" "${packageVersion}" || exit $ERR_CREDENTIAL_PROVIDER_DOWNLOAD_TIMEOUT
ln -snf /usr/bin/azure-acr-credential-provider "$CREDENTIAL_PROVIDER_BIN_DIR/acr-credential-provider"
Comment thread
awesomenix marked this conversation as resolved.
installRPMPackageFromFile "azure-acr-credential-provider" "${packageVersion}" "${CREDENTIAL_PROVIDER_BIN_DIR}/acr-credential-provider" || exit "$ERR_CREDENTIAL_PROVIDER_DOWNLOAD_TIMEOUT"
Comment on lines 213 to +216

Copilot AI Apr 13, 2026


This switches azure-acr-credential-provider from an RPM install (which would ensure runtime dependencies are present) to “extract the binary from the RPM.” If the binary isn’t fully static or relies on RPM-triggered setup, this can break at runtime. If the intent is only to optimize kubelet/kubectl, keep credential-provider on the RPM install path; otherwise, add validation (e.g., dependency checks) and tests to guarantee the extracted binary works without installing the RPM.

}

getPackageCacheRoot() {
Expand All @@ -233,8 +232,9 @@ installCredentialProviderFromPkg() {

installKubeletKubectlFromPkg() {
local desiredVersion="${1}"
installRPMPackageFromFile "kubelet" $desiredVersion || exit $ERR_KUBELET_INSTALL_FAIL
installRPMPackageFromFile "kubectl" $desiredVersion || exit $ERR_KUBECTL_INSTALL_FAIL

installRPMPackageFromFile "kubelet" "${desiredVersion}" "/opt/bin/kubelet" || exit "$ERR_KUBELET_INSTALL_FAIL"
Comment thread
awesomenix marked this conversation as resolved.
installRPMPackageFromFile "kubectl" "${desiredVersion}" "/opt/bin/kubectl" || exit "$ERR_KUBECTL_INSTALL_FAIL"
}

installToolFromLocalRepo() {
Expand Down Expand Up @@ -403,22 +403,60 @@ installNvidiaManagedExpPkgFromCache() {
done
}

extractBinaryFromRPM() {
local rpmFile="${1}"
local packageName="${2}"
local targetPath="${3:-/opt/bin/${packageName}}"
local extractDir
local binaryPath=""

extractDir=$(mktemp -d) || return 1
if ! (cd "${extractDir}" && rpm2cpio "${rpmFile}" | cpio -idm >/dev/null 2>&1); then
rm -rf "${extractDir}"
return 1
fi

for candidate in "${extractDir}/usr/bin/${packageName}" "${extractDir}/usr/local/bin/${packageName}"; do
if [ -f "${candidate}" ]; then
binaryPath="${candidate}"
break
Comment on lines +411 to +422

Copilot AI Apr 15, 2026


Extracting archives with cpio -idm without hardening flags can be risky if the RPM payload is ever compromised (e.g., paths that try to escape the extraction directory, unexpected file types, ownership preservation). Recommendation (moderate): add safer cpio flags (such as disabling absolute filenames and ownership preservation where supported) and/or validate the extracted path before moving the binary, mirroring best practices for safely unpacking archives even into a temp dir.

Suggested change
local binaryPath=""
extractDir=$(mktemp -d) || return 1
if ! (cd "${extractDir}" && rpm2cpio "${rpmFile}" | cpio -idm >/dev/null 2>&1); then
rm -rf "${extractDir}"
return 1
fi
for candidate in "${extractDir}/usr/bin/${packageName}" "${extractDir}/usr/local/bin/${packageName}"; do
if [ -f "${candidate}" ]; then
binaryPath="${candidate}"
break
local resolvedExtractDir
local binaryPath=""
local resolvedCandidate=""
extractDir=$(mktemp -d) || return 1
resolvedExtractDir=$(readlink -f "${extractDir}") || {
rm -rf "${extractDir}"
return 1
}
if ! (cd "${extractDir}" && rpm2cpio "${rpmFile}" | cpio -idm --no-absolute-filenames --no-preserve-owner >/dev/null 2>&1); then
rm -rf "${extractDir}"
return 1
fi
for candidate in "${extractDir}/usr/bin/${packageName}" "${extractDir}/usr/local/bin/${packageName}"; do
if [ -f "${candidate}" ]; then
resolvedCandidate=$(readlink -f "${candidate}") || continue
case "${resolvedCandidate}" in
"${resolvedExtractDir}"/*)
binaryPath="${resolvedCandidate}"
break
;;
esac

fi
done

if [ -z "${binaryPath}" ]; then
echo "Failed to locate ${packageName} binary in ${rpmFile}"
rm -rf "${extractDir}"
return 1
fi

mkdir -p "$(dirname "${targetPath}")"

mv "${binaryPath}" "${targetPath}"
chown root:root "${targetPath}"
chmod 0755 "${targetPath}"

rm -rf "${extractDir}"
}

installRPMPackageFromFile() {
local packageName="${1}"
local desiredVersion="${2}"
local targetPath="${3:-/opt/bin/${packageName}}"
echo "installing ${packageName} version ${desiredVersion}"
local downloadDir
local rpmFile=""
local fullPackageVersion=""
downloadDir="$(getPackageDownloadDir "${packageName}")"

if fallbackToKubeBinaryInstall "${packageName}" "${desiredVersion}" "${targetPath}"; then
echo "Successfully installed ${packageName} version ${desiredVersion} from binary fallback"
rm -rf "${downloadDir}"
return 0
fi

# check cached rpms for matching filename
rpmFile=$(ls "${downloadDir}" | grep "${packageName}" | grep "${desiredVersion}" | sort -V | tail -n 1) || rpmFile=""
if [ -z "${rpmFile}" ]; then
if fallbackToKubeBinaryInstall "${packageName}" "${desiredVersion}"; then
echo "Successfully installed ${packageName} version ${desiredVersion} from binary fallback"
rm -rf "${downloadDir}"
return 0
fi

# query all package versions and get the latest version for matching k8s version
# e.g. 1.34.0-5.azl3
fullPackageVersion=$(dnf list ${packageName} --showduplicates | grep ${desiredVersion}- | awk '{print $2}' | sort -V | tail -n 1)

Copilot AI Apr 14, 2026


Unquoted ${packageName} and ${desiredVersion} can cause word-splitting/globbing and also make grep interpret version characters as regex metacharacters. Quote variables and consider grep -F -- \"${desiredVersion}-\" (fixed string) to avoid regex surprises and reduce injection risk from unexpected input.

Expand All @@ -427,7 +465,7 @@ installRPMPackageFromFile() {
return 1
fi
echo "Did not find cached rpm file, downloading ${packageName} version ${fullPackageVersion}"
downloadPkgFromVersion "${packageName}" ${fullPackageVersion} "${downloadDir}"
downloadPkgFromVersion "${packageName}" "${fullPackageVersion}" "${downloadDir}"
rpmFile=$(ls "${downloadDir}" | grep "${packageName}" | grep "${desiredVersion}" | sort -V | tail -n 1) || rpmFile=""
fi
if [ -z "${rpmFile}" ]; then
Expand All @@ -436,41 +474,7 @@ installRPMPackageFromFile() {
fi

rpmFile="${downloadDir}/${rpmFile}"
local rpmArgs=("${rpmFile}")
local -a cachedRpmFiles=()
mapfile -t cachedRpmFiles < <(find "${downloadDir}" -maxdepth 1 -type f -name "*.rpm" -print 2>/dev/null | sort)

# selecting the correct version of dependency rpms from the cache
for cachedRpm in "${cachedRpmFiles[@]}"; do
if [ "${cachedRpm}" = "${rpmFile}" ]; then
continue
fi

local cachedBaseName
cachedBaseName=$(basename "${cachedRpm}")

case "${cachedBaseName}" in
*${packageName}*)
echo "Skipping cached ${packageName} rpm ${cachedBaseName} because it does not match desired version ${desiredVersion}"
continue
;;
esac

rpmArgs+=("${cachedRpm}")
done

if [ ${#rpmArgs[@]} -gt 1 ]; then
echo "Installing ${packageName} with cached dependency RPMs: ${rpmArgs[*]}"
fi

# When dependency RPMs are cached, they are included in the argument list to dnf_install.
# When no dependency RPM is cached, only the main package RPM is included.
# And dnf_install will handle installing dependencies from configured repos (downloading from network) as needed.
if ! dnf_install 30 1 600 "${rpmArgs[@]}"; then
exit $ERR_APT_INSTALL_TIMEOUT
fi
mkdir -p /opt/bin
ln -snf "/usr/bin/${packageName}" "/opt/bin/${packageName}"
logs_to_events "AKS.CSE.install${packageName}.extractBinaryFromRPM" "extractBinaryFromRPM ${rpmFile} ${packageName} ${targetPath}" || exit "$ERR_APT_INSTALL_TIMEOUT"
rm -rf "${downloadDir}"
}

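Review bot: Nothing in the visible hunks verifies the RPM's signature or digests before `extractBinaryFromRPM` unpacks it with `rpm2cpio | cpio` and moves the result to `${targetPath}` as a root-owned 0755 binary, and this path no longer goes through the package manager at all. Whether `downloadPkgFromVersion` or the image build already verifies the file is not visible here, so I would add an explicit check at the top of `extractBinaryFromRPM`, e.g. `rpm -K "${rpmFile}" >/dev/null || { echo "package verification failed for ${rpmFile}"; return 1; }`, and confirm the node's rpm configuration makes that check require a signature rather than digests alone. The same applies to RPMs picked up from the cache directory, which `installRPMPackageFromFile` selects on a filename match only.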
68 changes: 49 additions & 19 deletions parts/linux/cloud-init/artifacts/ubuntu/cse_install_ubuntu.sh
Expand Up @@ -217,14 +217,14 @@ installCredentialProviderFromPkg() {
echo "installing azure-acr-credential-provider package version: $packageVersion"
mkdir -p "${CREDENTIAL_PROVIDER_BIN_DIR}"
chown -R root:root "${CREDENTIAL_PROVIDER_BIN_DIR}"
installPkgWithAptGet "azure-acr-credential-provider" "${packageVersion}" || exit $ERR_CREDENTIAL_PROVIDER_DOWNLOAD_TIMEOUT
ln -snf /usr/bin/azure-acr-credential-provider "$CREDENTIAL_PROVIDER_BIN_DIR/acr-credential-provider"
installPkgWithAptGet "azure-acr-credential-provider" "${packageVersion}" "${CREDENTIAL_PROVIDER_BIN_DIR}/acr-credential-provider" || exit "$ERR_CREDENTIAL_PROVIDER_DOWNLOAD_TIMEOUT"

Copilot AI Apr 13, 2026


The PR description focuses on kubelet/kubectl caching and avoiding package installs, but this change also alters credential provider installation semantics (extracting a binary to a new target path rather than installing the package and symlinking /usr/bin). If this is intentional, it should be called out in the PR description (and any assumptions about runtime deps / postinst behavior should be validated). If not intentional, consider scoping this change back to kubelet/kubectl-only.

}

installKubeletKubectlFromPkg() {
k8sVersion="${1}"
installPkgWithAptGet "kubelet" "${k8sVersion}" || exit $ERR_KUBELET_INSTALL_FAIL
installPkgWithAptGet "kubectl" "${k8sVersion}" || exit $ERR_KUBECTL_INSTALL_FAIL
local k8sVersion="${1}"

installPkgWithAptGet "kubelet" "${k8sVersion}" "/opt/bin/kubelet" || exit "$ERR_KUBELET_INSTALL_FAIL"
installPkgWithAptGet "kubectl" "${k8sVersion}" "/opt/bin/kubectl" || exit "$ERR_KUBECTL_INSTALL_FAIL"
}

installToolFromLocalRepo() {
Expand Down Expand Up @@ -289,23 +289,55 @@ installCredentialProviderPackageFromBootstrapProfileRegistry() {
fi
}

extractDebBinaryFromFile() {
local debFile="${1}"
local packageName="${2}"
local targetPath="${3:-/opt/bin/${packageName}}"
local extractDir

extractDir=$(mktemp -d) || return 1
if ! dpkg-deb -x "${debFile}" "${extractDir}"; then
rm -rf "${extractDir}"
return 1
fi

local sourceBinary="${extractDir}/usr/bin/${packageName}"
if [ ! -f "${sourceBinary}" ]; then
echo "Failed to locate usr/bin/${packageName} in ${debFile}"

Copilot AI Apr 12, 2026


Minor: the error message says usr/bin/${packageName} but the intended path is /usr/bin/${packageName} (leading slash missing). Fixing this makes failures clearer when a .deb doesn’t contain the expected binary path.

Suggested change
echo "Failed to locate usr/bin/${packageName} in ${debFile}"
echo "Failed to locate /usr/bin/${packageName} in ${debFile}"

rm -rf "${extractDir}"
return 1
fi

mkdir -p "$(dirname "${targetPath}")"

mv "${sourceBinary}" "${targetPath}"
chown root:root "${targetPath}"
chmod 0755 "${targetPath}"

rm -rf "${extractDir}"
}

installPkgWithAptGet() {

Copilot AI Apr 15, 2026


installPkgWithAptGet no longer installs a package with apt/dpkg; it now (a) optionally uses the versioned binary fallback, otherwise (b) locates/downloads a .deb and extracts/moves a single binary out of it. Recommendation (mandatory): rename/split the function to reflect the new behavior (e.g., installBinaryFromDeb / extractDebBinaryFromFile + a separate “download deb” step), and keep the old name only if it still performs apt-based installation.

packageName="${1:-}"
packageVersion="${2}"
downloadDir="/opt/${packageName}/downloads"
local packageName="${1:-}"
local packageVersion="${2}"
local targetPath="${3:-/opt/bin/${packageName}}"
local downloadDir="/opt/${packageName}/downloads"
local debFile=""
local fullPackageVersion=""

if fallbackToKubeBinaryInstall "${packageName}" "${packageVersion}" "${targetPath}"; then
echo "Successfully installed ${packageName} version ${packageVersion} from binary fallback"
rm -rf "${downloadDir}"
return 0
fi
Comment thread
awesomenix marked this conversation as resolved.

debFile=$(ls "${downloadDir}" | grep "${packageName}" | grep "${packageVersion}" | sort -V | tail -n 1) || debFile=""
if [ -z "${debFile}" ]; then
if fallbackToKubeBinaryInstall "${packageName}" "${packageVersion}"; then
echo "Successfully installed ${packageName} version ${packageVersion} from binary fallback"
rm -rf ${downloadDir}
return 0
fi

# update pmc repo to get latest versions
updatePMCRepository ${packageVersion}
updatePMCRepository "${packageVersion}"
# query all package versions and get the latest version for matching k8s version
fullPackageVersion=$(apt list ${packageName} --all-versions | grep ${packageVersion} | awk '{print $2}' | sort -V | tail -n 1)
fullPackageVersion=$(apt list "${packageName}" --all-versions | grep "${packageVersion}" | awk '{print $2}' | sort -V | tail -n 1)
if [ -z "${fullPackageVersion}" ]; then
echo "Failed to find valid ${packageName} version for ${packageVersion}"
return 1
Expand All @@ -321,11 +353,9 @@ installPkgWithAptGet() {
fi

debFile="${downloadDir}/${debFile}"
logs_to_events "AKS.CSE.install${packageName}.installDebPackageFromFile" "installDebPackageFromFile ${debFile}" || exit $ERR_APT_INSTALL_TIMEOUT
logs_to_events "AKS.CSE.install${packageName}.extractDebBinaryFromFile" "extractDebBinaryFromFile ${debFile} ${packageName} ${targetPath}" || exit "$ERR_APT_INSTALL_TIMEOUT"

Copilot AI Apr 15, 2026


The PR description says CSE should “fall back to existing package install behavior when the cache is not present” and that SHOULD_ENFORCE_KUBE_PMC_INSTALL=true still forces the “package path”. After this change, the non-cached path no longer installs packages via the package manager (it downloads the .deb then extracts only /usr/bin/<tool>), so it won’t execute the existing install behavior (and may skip package-provided dependencies/metadata). Recommendation (mandatory): keep the “cached versioned binary” shortcut, but when the versioned binary is not present (or when enforcement is enabled), revert to the prior dpkg/apt-based install path (or explicitly document and implement dependency handling if extraction is intended to replace package install).


mkdir -p /opt/bin
ln -snf "/usr/bin/${packageName}" "/opt/bin/${packageName}"
rm -rf ${downloadDir}
rm -rf "${downloadDir}"
}

downloadPkgFromVersion() {
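Review bot: `extractDebBinaryFromFile` accepts `${extractDir}/usr/bin/${packageName}` on `[ -f ]` alone, which is also true for a symlink that resolves to a regular file; `mv` would then place the link at `${targetPath}` and the following `chown`/`chmod` would act on whatever it points to. Rejecting links and copying with explicit ownership and mode closes that: `if [ ! -f "${sourceBinary}" ] || [ -L "${sourceBinary}" ]; then` for the guard, and `install -o root -g root -m 0755 "${sourceBinary}" "${targetPath}"` in place of the `mv`/`chown`/`chmod` trio. The Kubernetes packages presumably ship a regular file at that path, so this is hardening rather than a fix for a known failure.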