feat: support new ACL os-release (ID=azurelinux, VARIANT_ID=azurecontainerlinux) #8123
Pull request overview
Adds support across VHD build + provisioning scripts for the updated Azure Container Linux /etc/os-release format where ID=azurelinux and VARIANT_ID=azurecontainerlinux.
Changes:
- Update ACL detection logic in Linux cloud-init artifacts to recognize ID=azurelinux + VARIANT_ID=azurecontainerlinux.
- Propagate/use OS_VARIANT (from VARIANT_ID) in packer scripts and VHD content tests to keep ACL-specific branching correct.
- Refresh e2e validations, packer ACL customdata, pipeline SIG source variables, and golden testdata snapshots to match the new os-release format.
Reviewed changes
Copilot reviewed 23 out of 87 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| vhdbuilder/packer/test/linux-vhd-content-test.sh | Treat ACL as AZURELINUX with an ACL variant and update sysext validation logic to use isACL. |
| vhdbuilder/packer/pre-install-dependencies.sh | Capture OS_VARIANT from VARIANT_ID for downstream branching. |
| vhdbuilder/packer/post-install-dependencies.sh | Capture OS_VARIANT and use isACL "$OS" "$OS_VARIANT" for disk sizing logic. |
| vhdbuilder/packer/post-deprovision-walinuxagent.sh | Defensively skip WALinuxAgent manifest install when VARIANT_ID=AZURECONTAINERLINUX. |
| vhdbuilder/packer/packer_source.sh | Update ACL checks to pass the OS variant into isACL. |
| vhdbuilder/packer/install-ig.sh | Skip IG installation for ACL using isACL "${OS}" "${OS_VARIANT}". |
| vhdbuilder/packer/install-dependencies.sh | Exclude ACL from AzureLinux3 artifact streaming configuration. |
| vhdbuilder/packer/acl-customdata.yaml / acl-customdata.json | Update sysext extension-release ID to azurelinux. |
| pkg/agent/testdata/**/CustomData | Update snapshot testdata payloads to reflect new ACL os-release values. |
| parts/linux/cloud-init/artifacts/init-aks-custom-cloud*.sh | Detect ACL when ID=azurelinux and VARIANT_ID=azurecontainerlinux. |
| parts/linux/cloud-init/artifacts/cse_helpers.sh | Introduce ACL variant constant; ensure isAzureLinux*/isMarinerOrAzureLinux exclude ACL; extend isACL to match new format; adjust package URI selection for ACL. |
| parts/linux/cloud-init/artifacts/cse_config.sh / cis.sh | Pass OS_VARIANT into isACL checks. |
| e2e/scenario_test.go | Validate ACL /etc/os-release contains both ID=azurelinux and VARIANT_ID=azurecontainerlinux. |
| .pipelines/.vsts-vhd-builder-release.yaml | Update ACL SIG source image name/version to aclpreview and new versions. |
1c29af3 to c40490c
Pull request overview
This PR updates OS detection across VHD build, provisioning (CSE/cloud-init), and tests to support the Azure Container Linux /etc/os-release change from ID=azurecontainerlinux to ID=azurelinux with VARIANT_ID=azurecontainerlinux, while keeping legacy detection working.
Changes:
- Extend isACL() to accept/use OS_VARIANT and match both legacy and new os-release formats; update key call sites to pass OS_VARIANT.
- Explicitly exclude ACL from Azure Linux detection paths (isMarinerOrAzureLinux / isAzureLinux) to avoid treating ACL as mutable Azure Linux.
- Update ACL ignition/customdata and e2e/pipeline inputs to validate and build against the new os-release format and preview source images.
Reviewed changes
Copilot reviewed 23 out of 87 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| parts/linux/cloud-init/artifacts/cse_helpers.sh | Updates isACL() signature/logic; ensures AzureLinux detection helpers exclude ACL; adjusts package URI selection for ACL to use Flatcar entries. |
| parts/linux/cloud-init/artifacts/init-aks-custom-cloud.sh | Detects ACL by either legacy ID=azurecontainerlinux or new ID=azurelinux + VARIANT_ID=azurecontainerlinux. |
| parts/linux/cloud-init/artifacts/init-aks-custom-cloud-operation-requests.sh | Same ACL detection update as above. |
| parts/linux/cloud-init/artifacts/cse_config.sh | Passes OS_VARIANT into isACL for ACL-specific CA trust handling. |
| parts/linux/cloud-init/artifacts/cis.sh | Passes OS_VARIANT into isACL when deciding to skip Ubuntu-only CIS steps. |
| vhdbuilder/packer/pre-install-dependencies.sh | Captures OS_VARIANT from VARIANT_ID for downstream detection use during VHD build. |
| vhdbuilder/packer/post-install-dependencies.sh | Uses isACL "$OS" "$OS_VARIANT" when applying Flatcar/ACL-specific disk sizing logic. |
| vhdbuilder/packer/packer_source.sh | Updates multiple file-copy skip conditions to call isACL with OS_VARIANT. |
| vhdbuilder/packer/install-dependencies.sh | Ensures Azure Linux-specific flows exclude ACL (e.g., Artifact Streaming gating) and relies on OS_VARIANT parsing. |
| vhdbuilder/packer/install-ig.sh | Skips IG installation for ACL using isACL "${OS}" "${OS_VARIANT}". |
| vhdbuilder/packer/post-deprovision-walinuxagent.sh | Adds a defensive skip for ACL based on VARIANT_ID=AZURECONTAINERLINUX; improves skip log message. |
| vhdbuilder/packer/test/linux-vhd-content-test.sh | Treats ACL as OS=AZURELINUX with OS_VARIANT=AZURECONTAINERLINUX; uses isACL for Flatcar/ACL system-extension expectations. |
| vhdbuilder/packer/acl-customdata.yaml | Updates sysext extension-release ID to azurelinux. |
| vhdbuilder/packer/acl-customdata.json | Regenerates ignition JSON to reflect ID=azurelinux in extension-release payload. |
| e2e/scenario_test.go | Updates ACL scenario validation to expect ID=azurelinux and VARIANT_ID=azurecontainerlinux in /etc/os-release. |
| .pipelines/.vsts-vhd-builder-release.yaml | Switches ACL source SIG images to aclpreview / aclpreview-arm64 and updates versions. |
| pkg/agent/testdata/MarinerV2+Kata/CustomData | Regenerated snapshot test data (compressed custom data). |
| pkg/agent/testdata/CustomizedImage/CustomData | Regenerated snapshot test data (compressed custom data). |
c40490c to 930dcfc
parts/linux/cloud-init/artifacts/init-aks-custom-cloud-operation-requests.sh
930dcfc to 3bddde6
Pull request overview
This PR updates OS detection across AgentBaker provisioning scripts, VHD build scripts, and tests to support Azure Container Linux (ACL) switching /etc/os-release from ID=azurecontainerlinux to ID=azurelinux with VARIANT_ID=azurecontainerlinux, while ensuring ACL does not accidentally follow Azure Linux code paths.
Changes:
- Extended ACL detection (isACL) to accept/use an OS variant and recognize both legacy and new /etc/os-release formats.
- Updated VHD builder scripts/tests and packer logic to pass/use OS_VARIANT so ACL is handled correctly when ID=azurelinux.
- Updated ACL-related customdata and e2e assertions, plus regenerated snapshot testdata (make generate).
Reviewed changes
Copilot reviewed 23 out of 87 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| vhdbuilder/packer/test/linux-vhd-content-test.sh | Treat ACL as OS=AZURELINUX + OS_VARIANT=AZURECONTAINERLINUX and use isACL for sysext checks. |
| vhdbuilder/packer/pre-install-dependencies.sh | Read VARIANT_ID and pass it into isACL gating. |
| vhdbuilder/packer/post-install-dependencies.sh | Read VARIANT_ID and use isACL for sizing logic. |
| vhdbuilder/packer/post-deprovision-walinuxagent.sh | Add defensive skip when VARIANT_ID=AZURECONTAINERLINUX. |
| vhdbuilder/packer/packer_source.sh | Pass OS_VARIANT into isACL call sites during file staging. |
| vhdbuilder/packer/install-ig.sh | Use isACL "${OS}" "${OS_VARIANT}" to skip IG on ACL. |
| vhdbuilder/packer/install-dependencies.sh | Pass OS_VARIANT into isACL call sites; exclude ACL from AzureLinux-only paths. |
| vhdbuilder/packer/acl-customdata.yaml | Update extension-release ID to azurelinux. |
| vhdbuilder/packer/acl-customdata.json | Regenerated ignition JSON reflecting ID=azurelinux. |
| pkg/agent/testdata/MarinerV2+Kata/CustomData | Snapshot regeneration output. |
| pkg/agent/testdata/CustomizedImage/CustomData | Snapshot regeneration output. |
| parts/linux/cloud-init/artifacts/init-aks-custom-cloud.sh | Detect ACL by (ID=azurelinux && VARIANT_ID=azurecontainerlinux) in addition to legacy. |
| parts/linux/cloud-init/artifacts/init-aks-custom-cloud-operation-requests.sh | Same ACL detection update as above. |
| parts/linux/cloud-init/artifacts/cse_helpers.sh | Update isACL signature/logic; exclude ACL from AzureLinux code paths; adjust package URI selection for ACL. |
| parts/linux/cloud-init/artifacts/cse_config.sh | Pass OS_VARIANT into isACL for CA-trust behavior. |
| parts/linux/cloud-init/artifacts/cis.sh | Pass OS_VARIANT into isACL. |
| e2e/scenario_test.go | Validate new /etc/os-release format (ID + VARIANT_ID). |
| .pipelines/.vsts-vhd-builder-release.yaml | Switch ACL build source images to aclpreview / aclpreview-arm64. |
3bddde6 to 682c060
The 2 ACL AgentBaker E2E failures are expected as we are changing the id to be azurelinux instead of azurecontainerlinux
Summary
ACL is changing its /etc/os-release from ID=azurecontainerlinux to ID=azurelinux + VARIANT_ID=azurecontainerlinux. This PR updates all detection logic to support both formats. This is similar to how OSGuard has its os-release.
Key Changes
- isACL() now accepts OS_VARIANT and matches either the legacy or new os-release format
- isMarinerOrAzureLinux() / isAzureLinux() explicitly exclude ACL to prevent it from entering Azure Linux code paths (since ACL is Flatcar-based). Without this, there would be a lot of changes which do not make sense because it is an immutable OS.
- isACL call sites updated to pass $OS_VARIANT across provisioning scripts, VHD build scripts, and packer configs
- ID=azurelinux
- aclpreview / aclpreview-arm64 source images - replicated to westus, westus2, westus3 and eastus
- make generate
Backward Compatibility
- isACL() still matches legacy ID=azurecontainerlinux, so older VHDs continue to work - We can remove this check later on
Testing
[TEST All VHDs] AKS Linux VHD Build - Msft Tenant
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
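
The detection rule described in this PR (ACL matches either the legacy ID or the new ID plus VARIANT_ID, and the Azure Linux check excludes ACL), as an added sketch that is not AgentBaker's code. The function names `os_release_field`, `is_acl`, `is_azure_linux` and `classify` are hypothetical, and the sample os-release files are constructed.

```shell
#!/usr/bin/env bash
# Added illustration; function names are hypothetical, not AgentBaker's helpers.

# Read one KEY from an os-release file without sourcing it (sourcing would run
# the file as shell). Drops quotes and upper-cases the value.
os_release_field() {
  local file="$1" key="$2" line val=""
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$key="*) val=${line#*=} ;;
    esac
  done < "$file"
  printf '%s' "$val" | tr -d "\"'" | tr '[:lower:]' '[:upper:]'
}

# ACL: legacy ID=azurecontainerlinux, or ID=azurelinux + VARIANT_ID=azurecontainerlinux.
is_acl() {
  local os="$1" variant="${2:-}"
  [ "$os" = "AZURECONTAINERLINUX" ] && return 0
  [ "$os" = "AZURELINUX" ] && [ "$variant" = "AZURECONTAINERLINUX" ]
}

# Azure Linux proper: the ID matches and the variant does not mark it as ACL.
is_azure_linux() {
  local os="$1" variant="${2:-}"
  [ "$os" = "AZURELINUX" ] && ! is_acl "$os" "$variant"
}

# Classify an os-release file as ACL, AZURELINUX or OTHER.
classify() {
  local os variant
  os=$(os_release_field "$1" ID)
  variant=$(os_release_field "$1" VARIANT_ID)
  if is_acl "$os" "$variant"; then echo ACL
  elif is_azure_linux "$os" "$variant"; then echo AZURELINUX
  else echo OTHER; fi
}

# Constructed sample files (not taken from real images).
demo_dir=$(mktemp -d)
printf 'NAME="Azure Container Linux"\nID=azurecontainerlinux\n' > "$demo_dir/legacy"
printf 'ID=azurelinux\nVARIANT_ID=azurecontainerlinux\n' > "$demo_dir/new"
printf 'ID="azurelinux"\nVERSION_ID="3.0"\n' > "$demo_dir/azl"
printf 'ID=ubuntu\nVERSION_ID="24.04"\n' > "$demo_dir/other"
for f in legacy new azl other; do
  printf '%s -> %s\n' "$f" "$(classify "$demo_dir/$f")"
done
```

In this sketch, a caller that omits the variant argument sees a new-format ACL host as plain Azure Linux, which is why every call site has to pass the variant once the ID is shared.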