feat: enable Artifact Streaming on Flatcar

This uses Flatcar's own systemd system extension for overlaybd and Azure
Linux's RPM for acr and the configuration scripts. It's not perfect, but
we cannot improve on this until acr changes its build process or goes
open source.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

Author: chewi

parts/linux/cloud-init/artifacts/cse_config.sh

@@ -418,6 +418,7 @@ ensureTeleportd() {
 }
 
 ensureArtifactStreaming() {
+  systemctl unmask overlaybd-{tcmu,snapshotter}.service # Flatcar masks these initially.
   retrycmd_if_failure 120 5 25 time systemctl --quiet enable --now  acr-mirror overlaybd-tcmu overlaybd-snapshotter
   time /opt/acr/bin/acr-config --enable-containerd 'azurecr.io'
 }

vhdbuilder/packer/flatcar-customdata.json

@@ -1 +1 @@
-{"ignition":{"version":"3.4.0"},"kernelArguments":{"shouldNotExist":["flatcar.autologin"]},"storage":{"files":[{"path":"/etc/extensions/aks-sysext/usr/lib/extension-release.d/extension-release.aks-sysext","contents":{"compression":"","source":"data:,ID%3Dflatcar%0ASYSEXT_LEVEL%3D1.0%0A"},"mode":420},{"overwrite":true,"path":"/etc/flatcar/update.conf","contents":{"compression":"","source":"data:,SERVER%3Ddisabled%0A"},"mode":420},{"path":"/etc/systemd/system/containerd.service.d/50-default-config.conf","contents":{"compression":"","source":"data:,%5BService%5D%0AEnvironment%3DCONTAINERD_CONFIG%3D%2Fetc%2Fcontainerd%2Fconfig.toml%0A"},"mode":420},{"path":"/etc/tmpfiles.d/protocols.conf","contents":{"compression":"","source":"data:,C%20%2Fetc%2Fprotocols%20-%20-%20-%20-%20%2Fusr%2Fshare%2Fbaselayout%2Fprotocols%0A"},"mode":420},{"overwrite":true,"path":"/etc/nsswitch.conf","contents":{"compression":"gzip","source":"data:;base64,H4sIAAAAAAAC/3yP0U7DMAxF3/0VkXhn7/sbk3o0ookjX4dof4+yFJgGXZ+qe46i45dwEo+nAvTkcX2NWi5nospAX87h9l3SJggNNn8ABFzhkhfCyov2Q4/eTVvd8bN3aFU4DsR8HbRwlrAUUBHvah/TflAHJ4h9pij/CVRNXaNuN/jArMbvgj+MxFcx3F86QjLjPmRMvyfP6U3VKxvn4c2Jm2vWVvwngnhLjD15n74CAAD//8ytimubAQAA"},"mode":420}],"links":[{"path":"/etc/extensions/aks-sysext/usr/local/bin","hard":false,"target":"/opt/bin"}]},"systemd":{"units":[{"dropins":[{"contents":"[Unit]\nConditionPathIsSymbolicLink=\nConditionPathIsSymbolicLink=/etc/ssl/certs/ca-certificates.crt\n","name":"10-ensure-ca-file.conf"}],"enabled":true,"name":"update-ca-certificates.service"}]}}
+{"ignition":{"version":"3.4.0"},"kernelArguments":{"shouldNotExist":["flatcar.autologin"]},"storage":{"files":[{"path":"/etc/extensions/aks-sysext/usr/lib/extension-release.d/extension-release.aks-sysext","contents":{"compression":"","source":"data:,ID%3Dflatcar%0ASYSEXT_LEVEL%3D1.0%0A"},"mode":420},{"path":"/etc/flatcar/enabled-sysext.conf","contents":{"compression":"","source":"data:,overlaybd%0A"}},{"overwrite":true,"path":"/etc/flatcar/update.conf","contents":{"compression":"","source":"data:,SERVER%3Ddisabled%0A"},"mode":420},{"path":"/etc/systemd/system/containerd.service.d/50-default-config.conf","contents":{"compression":"","source":"data:,%5BService%5D%0AEnvironment%3DCONTAINERD_CONFIG%3D%2Fetc%2Fcontainerd%2Fconfig.toml%0A"},"mode":420},{"path":"/etc/tmpfiles.d/protocols.conf","contents":{"compression":"","source":"data:,C%20%2Fetc%2Fprotocols%20-%20-%20-%20-%20%2Fusr%2Fshare%2Fbaselayout%2Fprotocols%0A"},"mode":420},{"overwrite":true,"path":"/etc/nsswitch.conf","contents":{"compression":"gzip","source":"data:;base64,H4sIAAAAAAAC/3yP0U7DMAxF3/0VkXhn7/sbk3o0ookjX4dof4+yFJgGXZ+qe46i45dwEo+nAvTkcX2NWi5nospAX87h9l3SJggNNn8ABFzhkhfCyov2Q4/eTVvd8bN3aFU4DsR8HbRwlrAUUBHvah/TflAHJ4h9pij/CVRNXaNuN/jArMbvgj+MxFcx3F86QjLjPmRMvyfP6U3VKxvn4c2Jm2vWVvwngnhLjD15n74CAAD//8ytimubAQAA"},"mode":420}],"links":[{"path":"/etc/extensions/aks-sysext/usr/local/bin","hard":false,"target":"/opt/bin"}]},"systemd":{"units":[{"mask":true,"name":"overlaybd-tcmu.service"},{"mask":true,"name":"overlaybd-snapshotter.service"},{"dropins":[{"contents":"[Unit]\nConditionPathIsSymbolicLink=\nConditionPathIsSymbolicLink=/etc/ssl/certs/ca-certificates.crt\n","name":"10-ensure-ca-file.conf"}],"enabled":true,"name":"update-ca-certificates.service"}]}}

vhdbuilder/packer/flatcar-customdata.yaml

@@ -11,6 +11,10 @@ storage:
       inline: |
         ID=flatcar
         SYSEXT_LEVEL=1.0
+  - path: /etc/flatcar/enabled-sysext.conf
+    contents:
+      inline: |
+        overlaybd
   - path: /etc/flatcar/update.conf
     mode: 0644
     overwrite: true
@@ -60,6 +64,10 @@ storage:
     hard: false
 systemd:
   units:
+  - name: overlaybd-tcmu.service
+    mask: true
+  - name: overlaybd-snapshotter.service
+    mask: true
   - name: update-ca-certificates.service
     enabled: true
     dropins:

vhdbuilder/packer/install-dependencies.sh

@@ -467,21 +467,35 @@ installAndConfigureArtifactStreaming() {
   MIRROR_DOWNLOAD_PATH="./$1.$2"
   MIRROR_PROXY_URL="https://acrstreamingpackage.z5.web.core.windows.net/${MIRROR_PROXY_VERSION}/${PACKAGE_NAME}.${PACKAGE_EXTENSION}"
   retrycmd_curl_file 10 5 60 $MIRROR_DOWNLOAD_PATH $MIRROR_PROXY_URL || exit ${ERR_ARTIFACT_STREAMING_DOWNLOAD}
-  if [ "$2" = "deb" ]; then
+
+  if isFlatcar "$OS"; then
+    bsdtar -C / -xf "${MIRROR_DOWNLOAD_PATH}" opt/ ||
+      exit $ERR_ARTIFACT_STREAMING_DOWNLOAD
+    bsdtar -Oxf "${MIRROR_DOWNLOAD_PATH}" usr/lib/systemd/system/acr-mirror.service | install -m0644 /dev/stdin /etc/systemd/system/acr-mirror.service ||
+      exit $ERR_ARTIFACT_STREAMING_DOWNLOAD
+    env -C /opt/acr/bin ./acr init --min-init
+  elif [ "$2" = "deb" ]; then
     apt_get_install 30 1 600 $MIRROR_DOWNLOAD_PATH || exit $ERR_ARTIFACT_STREAMING_DOWNLOAD
   elif [ "$2" = "rpm" ]; then
     dnf_install 30 1 600 $MIRROR_DOWNLOAD_PATH || exit $ERR_ARTIFACT_STREAMING_DOWNLOAD
   fi
   rm $MIRROR_DOWNLOAD_PATH
 
-  /opt/acr/tools/overlaybd/install.sh
+  if ! isFlatcar "$OS"; then
+    /opt/acr/tools/overlaybd/install.sh
+    systemctl link /opt/overlaybd/overlaybd-tcmu.service /opt/overlaybd/snapshotter/overlaybd-snapshotter.service
+  fi
+
   /opt/acr/tools/overlaybd/config-user-agent.sh azure
   /opt/acr/tools/overlaybd/enable-http-auth.sh
   /opt/acr/tools/overlaybd/config.sh download.enable false
   /opt/acr/tools/overlaybd/config.sh cacheConfig.cacheSizeGB 32
   /opt/acr/tools/overlaybd/config.sh exporterConfig.enable true
   /opt/acr/tools/overlaybd/config.sh exporterConfig.port 9863
-  systemctl link /opt/overlaybd/overlaybd-tcmu.service /opt/overlaybd/snapshotter/overlaybd-snapshotter.service
+
+  if isFlatcar "$OS"; then
+    rm -r /opt/acr/tools
+  fi
 }
 
 UBUNTU_MAJOR_VERSION=$(echo $UBUNTU_RELEASE | cut -d. -f1)
@@ -493,7 +507,7 @@ fi
 # Artifact Streaming enabled for Azure Linux 2.0 and 3.0
 if [ "$OS" = "$MARINER_OS_NAME" ] && [ "$OS_VERSION" = "2.0" ] && ! isARM64; then
   installAndConfigureArtifactStreaming acr-mirror-mariner rpm
-elif ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT" && [ "$OS" = "$AZURELINUX_OS_NAME" ] && [ "$OS_VERSION" = "3.0" ] && ! isARM64; then
+elif isFlatcar "$OS" || { ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT" && [ "$OS" = "$AZURELINUX_OS_NAME" ] && [ "$OS_VERSION" = "3.0" ]; } && ! isARM64; then
   installAndConfigureArtifactStreaming acr-mirror-azurelinux3 rpm
 fi