azure: check azure-proxy-agent status
Proposed Commit Message
feat(azure): check azure-proxy-agent status
Azure Guest Proxy Agent is a new feature in Azure that offers a key exchange protocol
to secure communication between guest and host.
This PR checks the status of Azure Guest Proxy Agent and in case of an error it fails provisioning.
Additional Context
This PR depends on my previous PR https://github.com/canonical/cloud-init/pull/5126
Test Steps
Checklist
- [x] My code follows the process laid out in the documentation
- [x] I have updated or added any unit tests accordingly
- [ ] I have updated or added any documentation accordingly
Merge type
- [x] Squash merge using "Proposed Commit Message"
- [ ] Rebase and merge unique commits. Requires commit messages per-commit each referencing the pull request number (#<PR_NUM>)
Can you please add some context to this change?
A quick grep of the cloud-init codebase, the walinuxagent codebase and the first page of google doesn't show any hits for "azure-proxy-agent".
Which package is it installed by? Will this package need to be a new cloud-init requirement? Is it already installed in all of the distro images on Azure?
This PR depends on my previous one: https://github.com/canonical/cloud-init/pull/5126
Can you please add some context to this change? A quick grep of the cloud-init codebase, the walinuxagent codebase and the first page of google doesn't show any hits for "azure-proxy-agent". Which package is it installed by? Will this package need to be a new cloud-init requirement? Is it already installed in all of the distro images on Azure?
This PR depends on my previous one: #5126
That doesn't help me understand what this is for and what it does.
Can you please add some context to this change? A quick grep of the cloud-init codebase, the walinuxagent codebase and the first page of google doesn't show any hits for "azure-proxy-agent". Which package is it installed by? Will this package need to be a new cloud-init requirement? Is it already installed in all of the distro images on Azure?
This PR depends on my previous one: #5126
That doesn't help me understand what this is for and what it does.
Azure GuestProxyAgent is a new feature in Azure that offers a key exchange protocol to secure communication between guest and host. It should come pre-installed on Azure endorsed images. This PR checks if the agent works correctly, and if not it fails provisioning.
It should come pre-installed on Azure endorsed images.
Which images have this dependency installed?
I don't see this package available in any Linux distribution repos yet, but maybe I missed it somewhere.
This PR checks if the agent works correctly, and if not it fails provisioning.
Do I understand correctly that after this change, cloud-init will be expected to fail if this dependency is not installed or does not work correctly?
Which images have this dependency installed?
Ubuntu does not install this at this time. It was just brought to the Canonical Public Cloud team's attention a few weeks ago, as a replacement for logic currently in walinuxagent.
@cjp256 Last I had heard, this package was not ready to be installed or used. It also isn't packaged yet for Ubuntu, so I think we have a bit of an ordering issue. Could you come to the next Canonical / Microsoft LSG sync and fill us in on current status?
Which images have this dependency installed?
Ubuntu does not install this at this time. It was just brought to the Canonical Public Cloud team's attention a few weeks ago, as a replacement for logic currently in walinuxagent.
No-one has packaged it yet as it's under development and still in private preview phase. There is no equivalent logic in walinuxagent. Perhaps you are mistaking it for azure-init?
@cjp256 Last I had heard, this package was not ready to be installed or used. It also isn't packaged yet for Ubuntu, so I think we have a bit of an ordering issue. Could you come to the next Canonical / Microsoft LSG sync and fill us in on current status?
Absolutely.
Keep in mind this is a feature that's disabled by default and would only be enabled in a limited manner for the short-term. The expectation is that anyone using this feature would be required to use a custom image with this package installed. This PR is primarily intended to improve the failure handling when the feature is enabled and either (a) proxy agent is not installed which will result in failure or (b) proxy agent is malfunctioning for whatever reason.
@KsenijaS @cjp256 is there any plan for GuestProxyAgent to support the BSDs? I only see support advertised for Linux 5.15+ and Windows.
cc @igalic
WALinuxAgent's FreeBSD support is rather spotty, and I haven't had time to dedicate to fixing it yet. It would be nice if we caught this one earlier.
Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.
If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.
(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)
Can you please reopen this PR? This is not a default feature and it gracefully handles the case when proxy agent is not installed. Is there something else we need to do for this PR to be merged in the next release cycle? @holmanb
Adding this to milestone 24.3 to ensure we track and land this by next release. We will be uploading this to Ubuntu 24.10 (Oracular) devel images prior to our 24.3 upstream release date to give time to validate behavior
Adding this to milestone 24.3 to ensure we track and land this by next release. We will be uploading this to Ubuntu 24.10 (Oracular) devel images prior to our 24.3 upstream release date to give time to validate behavior
Thanks @blackboxsw! Do you know if the proxy agent will be available for 24.10 too or are you just referring to cloud-init?
@KsenijaS @cjp256 What is the expected timeline of the proxy agent's availability in distro repositories?
This is not a default feature and it gracefully handles the case when proxy agent is not installed.
Not default because currently azure-proxy-agent is not enabled in the ovf-env.xml file, correct?
Currently if the proxy agent is not installed and the ovf-env.xml file enables azure-proxy-agent, a self._report_failure(reportable_error) is called, which would cause provisioning to fail, right?
Under what circumstances does Azure plan to enable this feature? Can this feature be different per ami? by distro type?
@KsenijaS @cjp256 What is the expected timeline of the proxy agent's availability in distro repositories?
There is work being done right now to get it ready for submission to Debian, Fedora, etc. It is currently available in Azure Linux.
There are preview versions currently available in packages.microsoft.com for Ubuntu, for ex: https://packages.microsoft.com/repos/microsoft-ubuntu-focal-prod/pool/main/a/azure-proxy-agent/ https://packages.microsoft.com/repos/microsoft-ubuntu-jammy-prod/pool/main/a/azure-proxy-agent/
This is not a default feature and it gracefully handles the case when proxy agent is not installed.
Not default because currently azure-proxy-agent is not enabled in the ovf-env.xml file, correct?
Correct. If a customer turns on this feature while creating the VM, the flag will be set to true to indicate this is enabled.
Currently if the proxy agent is not installed and the ovf-env.xml file enables azure-proxy-agent, a self._report_failure(reportable_error) is called, which would cause provisioning to fail, right?
Correct. At that point the customer's request to create the VM should return with the reported failure.
Under what circumstances does Azure plan to enable this feature? Can this feature be different per ami? by distro type?
It will be configurable for all instances. There is currently no plan to gate this feature to a particular set of images or VM sizes. The expectation is the customer can customize an image to include the necessary dependencies.
This PR is mostly about improving the failure experience (i.e. azure-proxy-agent not found) vs some more obscure failure (e.g. 401 http code when connecting to IMDS, etc.). It also prevents a race condition by giving proxy agent a chance to finish configuration before proceeding with calls to imds/wireserver.
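An added illustration of the failure handling discussed in this thread (not code from the PR or from cloud-init): a gated, blocking status check that separates "agent not installed" from "agent unhealthy" from "agent never answered", so provisioning fails with a specific reason before any IMDS or wireserver call is attempted. The names `ProxyAgentError`, `check_proxy_agent` and `classify`, the reason codes and the 120-second default are assumptions; the agent's real status command is not shown in the thread, so the caller passes it in, and the stand-in commands below are constructed.

```python
import subprocess
import sys


class ProxyAgentError(Exception):
    """Provisioning-fatal failure carrying a short reason code (hypothetical)."""

    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def check_proxy_agent(enabled, status_cmd, timeout=120.0):
    """Block until the agent's status check finishes, then classify the result.

    enabled:    opt-in flag from provisioning metadata (off by default)
    status_cmd: argv of the agent's status check, supplied by the caller
    """
    if not enabled:
        return "skipped"  # feature off: never touch the agent
    try:
        proc = subprocess.run(
            status_cmd, capture_output=True, text=True, timeout=timeout
        )
    except FileNotFoundError:
        raise ProxyAgentError("not-found", status_cmd[0]) from None
    except subprocess.TimeoutExpired:
        raise ProxyAgentError("timeout", f"no result in {timeout}s") from None
    if proc.returncode != 0:
        detail = f"exit {proc.returncode}: {proc.stderr.strip()}"
        raise ProxyAgentError("unhealthy", detail)
    return "ready"  # caller proceeds to IMDS / wireserver only after this


def classify(enabled, status_cmd, timeout=120.0):
    """Return the outcome as a string instead of raising (for reporting)."""
    try:
        return check_proxy_agent(enabled, status_cmd, timeout)
    except ProxyAgentError as err:
        return err.reason


# Constructed stand-ins for the agent binary, so the example runs offline.
HEALTHY = [sys.executable, "-c", "raise SystemExit(0)"]
BROKEN = [sys.executable, "-c", "import sys; sys.exit('constructed failure')"]
HUNG = [sys.executable, "-c", "import time; time.sleep(5)"]
MISSING = ["/nonexistent/azure-proxy-agent"]
```

Because the call blocks until the status command exits or the timeout fires, the caller cannot race ahead of the agent's own configuration.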
Targeting to milestone 24.2 if we are able to get any outstanding review comments done by Wed June 25th.
Thanks @blackboxsw! Do you know if the proxy agent will be available for 24.10 too or are you just referring to cloud-init?
For clarity, this old comment was only referring to cloud-init published to 24.10. I believe there may be separate efforts to get the proxy agent into a releasable state in various downstream images in Ubuntu, but I have no knowledge of whether those efforts are in earnest for 24.10.