fix: dynamically resolve root device within disk_queue.service (#7527)

Author: cameronmeissner

e2e/validation.go

@@ -50,7 +50,8 @@ func ValidateCommonLinux(ctx context.Context, s *Scenario) {
 	ValidateTLSBootstrapping(ctx, s)
 	ValidateKubeletServingCertificateRotation(ctx, s)
 	ValidateSystemdWatchdogForKubernetes132Plus(ctx, s)
-	ValidateSystemdUnitIsNotFailed(ctx, s, "aks-log-collector")
+	ValidateAKSLogCollector(ctx, s)
+	ValidateDiskQueueService(ctx, s)
 	ValidateLeakedSecrets(ctx, s)
 	ValidateIPTablesCompatibleWithCiliumEBPF(ctx, s)
 

e2e/validators.go

@@ -180,6 +180,14 @@ func ValidateSystemdWatchdogForKubernetes132Plus(ctx context.Context, s *Scenari
 	}
 }
 
+func ValidateAKSLogCollector(ctx context.Context, s *Scenario) {
+	ValidateSystemdUnitIsNotFailed(ctx, s, "aks-log-collector")
+}
+
+func ValidateDiskQueueService(ctx context.Context, s *Scenario) {
+	ValidateSystemdUnitIsRunning(ctx, s, "disk_queue.service")
+}
+
 func ValidateLeakedSecrets(ctx context.Context, s *Scenario) {
 	secrets := map[string]string{
 		"client private key":       base64.StdEncoding.EncodeToString([]byte(s.GetClientPrivateKey())),

parts/linux/cloud-init/artifacts/disk_queue.service

@@ -3,7 +3,7 @@ Description=Set nr_requests and queue_depth based on experimental tuning
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/env bash -c 'echo 128 > /sys/block/sda/queue/nr_requests && echo 128 > /sys/block/sda/device/queue_depth'
+ExecStart=sudo /bin/bash /opt/azure/containers/disk_queue.sh
 RemainAfterExit=true
 StandardOutput=journal
 

parts/linux/cloud-init/artifacts/disk_queue.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# SCSI systems will always have a "root" device link.
+# NVMe systems will always have an "os" device link.
+# In cases where both a "root" and "os" device link exist, they should always point to the same device.
+# details: https://learn.microsoft.com/en-us/azure/virtual-machines/linux/azure-virtual-machine-utilities
+if [ -L "/dev/disk/azure/root" ]; then
+    LINK_PATH="/dev/disk/azure/root"
+elif [ -L "/dev/disk/azure/os" ]; then
+    LINK_PATH="/dev/disk/azure/os"
+else
+    echo "no root or os device link found within /dev/disk/azure, cannot apply disk tuning"
+    exit 1
+fi
+
+echo "found device link: $LINK_PATH"
+DEV_NAME=$(basename "$(readlink -f "$LINK_PATH")")
+echo "resolved root device: $DEV_NAME"
+
+# shellcheck disable=SC3010
+if [[ "${DEV_NAME,,}" == *"nvme"* ]]; then
+    # Disk tuning doesn't currently work as expected on NVMe devices - namely that the /device/queue_depth parameter
+    # doesn't seem to be a settable option, and that the default /queue/nr_requests can actually be higher than what we
+    # currently set on SCSI (128), which could end up hurting IO performance rather than optimize it.
+    # TODO: reach out to NVMe team to see how we can better tune queue settings on NVMe devices.
+    echo "$DEV_NAME is an NVMe device, will not apply disk tuning"
+    exit 0
+fi
+
+if [ ! -d "/sys/block/$DEV_NAME/queue" ]; then
+    echo "queue settings directory for device: $DEV_NAME does not exist, unable to apply desired settings"
+    exit 1
+fi
+
+if [ ! -d "/sys/block/$DEV_NAME/device" ]; then
+    echo "device settings directory for device: $DEV_NAME does not exist, unable to apply desired settings"
+    exit 1
+fi
+
+echo "will apply settings to /sys/block/$DEV_NAME/queue/nr_requests and /sys/block/$DEV_NAME/device/queue_depth"
+echo 128 > "/sys/block/$DEV_NAME/queue/nr_requests"
+echo 128 > "/sys/block/$DEV_NAME/device/queue_depth"

vhdbuilder/packer/imagecustomizer/azlosguard/azlosguard.yml

@@ -186,6 +186,9 @@ os:
       destination: /etc/profile.d/CIS.sh
       permissions: 755
     # disk queue perf tuning
+    - source: /AgentBaker/parts/linux/cloud-init/artifacts/disk_queue.sh
+      destination: /opt/azure/containers/disk_queue.sh
+      permissions: 755
     - source: /AgentBaker/parts/linux/cloud-init/artifacts/disk_queue.service
       destination: /etc/systemd/system/disk_queue.service
       permissions: 644

vhdbuilder/packer/packer_source.sh

@@ -57,6 +57,8 @@ copyPackerFiles() {
   NVIDIA_MODPROBE_SERVICE_DEST=/etc/systemd/system/nvidia-modprobe.service
   NVIDIA_DOCKER_DAEMON_SRC=/home/packer/nvidia-docker-daemon.json
   NVIDIA_DOCKER_DAEMON_DEST=/etc/systemd/system/nvidia-docker-daemon.json
+  DISK_QUEUE_SCRIPT_SRC=/home/packer/disk_queue.sh
+  DISK_QUEUE_SCRIPT_DEST=/opt/azure/containers/disk_queue.sh
   DISK_QUEUE_SERVICE_SRC=/home/packer/disk_queue.service
   DISK_QUEUE_SERVICE_DEST=/etc/systemd/system/disk_queue.service
   CGROUP_MEMORY_TELEMETRY_SERVICE_SRC=/home/packer/cgroup-memory-telemetry.service
@@ -342,6 +344,7 @@ copyPackerFiles() {
   cpAndMode $KMS_SERVICE_SRC $KMS_SERVICE_DEST 644
   cpAndMode $MIG_PARTITION_SRC $MIG_PARTITION_DEST 544
   cpAndMode $CONTAINERD_EXEC_START_SRC $CONTAINERD_EXEC_START_DEST 644
+  cpAndMode $DISK_QUEUE_SCRIPT_SRC $DISK_QUEUE_SCRIPT_DEST 755
   cpAndMode $DISK_QUEUE_SERVICE_SRC $DISK_QUEUE_SERVICE_DEST 644
   cpAndMode $CGROUP_MEMORY_TELEMETRY_SERVICE_SRC $CGROUP_MEMORY_TELEMETRY_SERVICE_DEST 644
   cpAndMode $CGROUP_MEMORY_TELEMETRY_SCRIPT_SRC $CGROUP_MEMORY_TELEMETRY_SCRIPT_DEST 755

vhdbuilder/packer/test/linux-vhd-content-test.sh

@@ -1705,6 +1705,8 @@ checkLocaldnsScriptsAndConfigs() {
   return 0
 }
 
+#------------------------ End of test code related to localdns ------------------------
+
 # Check that no files have a numeric UID or GID, which would indicate a file ownership issue.
 testFileOwnership() {
   local test="testFileOwnership"
@@ -1724,7 +1726,18 @@ testFileOwnership() {
   return 0
 }
 
-#------------------------ End of test code related to localdns ------------------------
+testDiskQueueServiceIsActive() {
+  local test="testDiskQueueServiceIsActive"
+  echo "$test: Start"
+
+  if systemctl is-active --quiet disk_queue.service; then
+    echo $test "disk_queue.service is active, as expected"
+  else
+    err $test "disk_queue.service is not active, status: $(systemctl show -p SubState --value disk_queue.service)"
+  fi
+
+  echo "$test:Finish"
+}
 
 # As we call these tests, we need to bear in mind how the test results are processed by the
 # the caller in run-tests.sh. That code uses az vm run-command invoke to run this script
@@ -1777,3 +1790,4 @@ testCorednsBinaryExtractedAndCached $OS_VERSION
 checkLocaldnsScriptsAndConfigs
 testPackageDownloadURLFallbackLogic
 testFileOwnership $OS_SKU
+testDiskQueueServiceIsActive

vhdbuilder/packer/vhd-image-builder-arm64-gen2.json

@@ -418,6 +418,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/disk_queue.sh",
+      "destination": "/home/packer/disk_queue.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",

vhdbuilder/packer/vhd-image-builder-base.json

@@ -426,6 +426,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/disk_queue.sh",
+      "destination": "/home/packer/disk_queue.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",

vhdbuilder/packer/vhd-image-builder-cvm.json

@@ -430,6 +430,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/disk_queue.sh",
+      "destination": "/home/packer/disk_queue.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",