feat: install some services to /opt/bin instead of /usr/local/bin

chewi · chewi · commit 1bf769aefd80 · 2025-10-07T14:26:52.000+01:00
Namely, logrotate.sh, ci-syslog-watcher.sh, teleportd, and
aks-secure-tls-bootstrap-client. These are referenced by absolute path
in their systemd units and should therefore be safe to move.

/usr/local/bin is generally read-only on immutable distributions.
diff --git a/parts/common/components.json b/parts/common/components.json
@@ -859,7 +859,7 @@
     },
     {
       "name": "aks-secure-tls-bootstrap-client",
-      "downloadLocation": "/usr/local/bin",
+      "downloadLocation": "/opt/bin",
       "windowsDownloadLocation": "c:\\akse-cache\\aks-secure-tls-bootstrap-client\\",
       "downloadURIs": {
         "default": {
diff --git a/parts/linux/cloud-init/artifacts/aks-logrotate.service b/parts/linux/cloud-init/artifacts/aks-logrotate.service
@@ -1,4 +1,4 @@
 [Unit]
 Description=runs the logrotate utility for log rotation with a custom configuration
 [Service]
-ExecStart=/usr/local/bin/logrotate.sh
+ExecStart=/opt/bin/logrotate.sh
diff --git a/parts/linux/cloud-init/artifacts/aks-logrotate.sh b/parts/linux/cloud-init/artifacts/aks-logrotate.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # This script was originally generated by logrotate automatically and placed in /etc/cron.daily/logrotate
-# This will be saved on the target VM within /usr/local/bin/logrotate.sh and invoked by logrotate.service
+# This will be saved on the target VM within /opt/bin/logrotate.sh and invoked by logrotate.service
 
 # Clean non existent log file entries from status file
 test -d /var/lib/logrotate || mkdir -p /var/lib/logrotate
diff --git a/parts/linux/cloud-init/artifacts/ci-syslog-watcher.service b/parts/linux/cloud-init/artifacts/ci-syslog-watcher.service
@@ -3,7 +3,7 @@ Description=Update syslog config based on ContainerInsights syslog status change
 
 [Service]
 Type=oneshot
-ExecStart=/usr/local/bin/ci-syslog-watcher.sh
+ExecStart=/opt/bin/ci-syslog-watcher.sh
 
 [Install]
 WantedBy=multi-user.target
diff --git a/parts/linux/cloud-init/artifacts/cse_install.sh b/parts/linux/cloud-init/artifacts/cse_install.sh
@@ -18,11 +18,11 @@ UBUNTU_RELEASE=$(lsb_release -r -s 2>/dev/null || echo "")
 OS=$(if ls /etc/*-release 1> /dev/null 2>&1; then sort -r /etc/*-release | gawk 'match($0, /^(ID=(.*))$/, a) { print toupper(a[2]); exit }'; fi)
 OS_VARIANT=$(if ls /etc/*-release 1> /dev/null 2>&1; then sort -r /etc/*-release | gawk 'match($0, /^(VARIANT_ID=(.*))$/, a) { print toupper(a[2]); exit }' | tr -d '"'; fi)
 SECURE_TLS_BOOTSTRAP_CLIENT_DOWNLOAD_DIR="/opt/aks-secure-tls-bootstrap-client/downloads"
-SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR="/usr/local/bin"
+SECURE_TLS_BOOTSTRAP_CLIENT_BIN_DIR="/opt/bin"
 TELEPORTD_PLUGIN_DOWNLOAD_DIR="/opt/teleportd/downloads"
 CREDENTIAL_PROVIDER_DOWNLOAD_DIR="/opt/credentialprovider/downloads"
 CREDENTIAL_PROVIDER_BIN_DIR="/var/lib/kubelet/credential-provider"
-TELEPORTD_PLUGIN_BIN_DIR="/usr/local/bin"
+TELEPORTD_PLUGIN_BIN_DIR="/opt/bin"
 MANIFEST_FILEPATH="/opt/azure/manifest.json"
 COMPONENTS_FILEPATH="/opt/azure/components.json"
 VHD_LOGS_FILEPATH="/opt/azure/vhd-install.complete"
diff --git a/parts/linux/cloud-init/artifacts/secure-tls-bootstrap.service b/parts/linux/cloud-init/artifacts/secure-tls-bootstrap.service
@@ -1,14 +1,14 @@
 [Unit]
 Description=AKS Secure TLS Bootstrap Client
-ConditionPathExists=/usr/local/bin/aks-secure-tls-bootstrap-client
+ConditionPathExists=/opt/bin/aks-secure-tls-bootstrap-client
 Wants=network-online.target
 After=network-online.target
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 
-ExecStart=/usr/local/bin/aks-secure-tls-bootstrap-client \
+ExecStart=/opt/bin/aks-secure-tls-bootstrap-client \
     --verbose \
     --ensure-authorized \
     --next-proto=aks-tls-bootstrap \
diff --git a/parts/linux/cloud-init/artifacts/teleportd.service b/parts/linux/cloud-init/artifacts/teleportd.service
@@ -2,7 +2,7 @@
 Description=teleportd teleport runtime
 After=network.target
 [Service]
-ExecStart=/usr/local/bin/teleportd --metrics --aksConfig /etc/kubernetes/azure.json
+ExecStart=/opt/bin/teleportd --metrics --aksConfig /etc/kubernetes/azure.json
 Delegate=yes
 KillMode=process
 Restart=always
diff --git a/pkg/agent/utils_test.go b/pkg/agent/utils_test.go
@@ -802,8 +802,8 @@ var _ = Describe("Assert datamodel.CSEStatus can be used to parse output JSON",
 var _ = Describe("Test removeComments", func() {
 
 	It("Should leave lines without comments unchanged", func() {
-		input := []byte("#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out")
-		expected := "#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out"
+		input := []byte("#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/opt/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out")
+		expected := "#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/opt/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out"
 		result := removeComments(input)
 		Expect(string(result)).To(Equal(expected))
 	})
diff --git a/vhdbuilder/packer/packer_source.sh b/vhdbuilder/packer/packer_source.sh
@@ -78,7 +78,7 @@ copyPackerFiles() {
   CI_SYSLOG_WATCHER_SERVICE_SRC=/home/packer/ci-syslog-watcher.service
   CI_SYSLOG_WATCHER_SERVICE_DEST=/etc/systemd/system/ci-syslog-watcher.service
   CI_SYSLOG_WATCHER_SCRIPT_SRC=/home/packer/ci-syslog-watcher.sh
-  CI_SYSLOG_WATCHER_SCRIPT_DEST=/usr/local/bin/ci-syslog-watcher.sh
+  CI_SYSLOG_WATCHER_SCRIPT_DEST=/opt/bin/ci-syslog-watcher.sh
   AKS_DIAGNOSTIC_SCRIPT_SRC=/home/packer/aks-diagnostic.py
   AKS_DIAGNOSTIC_SCRIPT_DEST=/opt/azure/containers/aks-diagnostic.py
   AKS_LOG_COLLECTOR_SCRIPT_SRC=/home/packer/aks-log-collector.sh
@@ -92,7 +92,7 @@ copyPackerFiles() {
   AKS_LOG_COLLECTOR_TIMER_SRC=/home/packer/aks-log-collector.timer
   AKS_LOG_COLLECTOR_TIMER_DEST=/etc/systemd/system/aks-log-collector.timer
   AKS_LOGROTATE_SCRIPT_SRC=/home/packer/logrotate.sh
-  AKS_LOGROTATE_SCRIPT_DEST=/usr/local/bin/logrotate.sh
+  AKS_LOGROTATE_SCRIPT_DEST=/opt/bin/logrotate.sh
   AKS_LOGROTATE_SERVICE_SRC=/home/packer/logrotate.service
   AKS_LOGROTATE_SERVICE_DEST=/etc/systemd/system/logrotate.service
   AKS_LOGROTATE_TIMER_SRC=/home/packer/logrotate.timer

Original file line number	Diff line number	Diff line change
`@@ -859,7 +859,7 @@`
`859`	`859`	`},`
`860`	`860`	`{`
`861`	`861`	`"name": "aks-secure-tls-bootstrap-client",`
`862`		`- "downloadLocation": "/usr/local/bin",`
	`862`	`+ "downloadLocation": "/opt/bin",`
`863`	`863`	`"windowsDownloadLocation": "c:\\akse-cache\\aks-secure-tls-bootstrap-client\\",`
`864`	`864`	`"downloadURIs": {`
`865`	`865`	`"default": {`