feat: install more components to /opt/bin instead of /usr/local/bin

chewi · chewi · commit 7342175f2eb2 · 2025-10-07T14:26:53.000+01:00
/usr/local/bin is generally read-only on immutable distributions. A
profile.d script has been added to ensure /opt/bin is in the PATH.
diff --git a/parts/common/components.json b/parts/common/components.json
@@ -842,7 +842,7 @@
     },
     {
       "name": "oras",
-      "downloadLocation": "/usr/local/bin",
+      "downloadLocation": "/opt/bin",
       "downloadURIs": {
         "default": {
           "current": {
diff --git a/parts/linux/cloud-init/artifacts/cse_helpers.sh b/parts/linux/cloud-init/artifacts/cse_helpers.sh
@@ -139,6 +139,9 @@ ERR_SECURE_TLS_BOOTSTRAP_START_FAILURE=220 # Error starting the secure TLS boots
 ERR_CLOUD_INIT_FAILED=223 # Error indicating that cloud-init returned exit code 1 in cse_cmd.sh
 ERR_NVIDIA_DRIVER_INSTALL=224 # Error determining if nvidia driver install should be skipped
 
+# This probably wasn't launched via a login shell, so ensure the PATH is correct.
+[ -f /etc/profile.d/path.sh ] && . /etc/profile.d/path.sh
+
 # For both Ubuntu and Mariner, /etc/*-release should exist.
 # For unit tests, the OS and OS_VERSION will be set in the unit test script.
 # So whether it's if or else actually doesn't matter to our unit test.
diff --git a/parts/linux/cloud-init/artifacts/cse_install.sh b/parts/linux/cloud-init/artifacts/cse_install.sh
@@ -7,7 +7,7 @@ CNI_BIN_DIR="/opt/cni/bin"
 #TODO pull this out of componetns.json too?
 CNI_DOWNLOADS_DIR="/opt/cni/downloads"
 CRICTL_DOWNLOAD_DIR="/opt/crictl/downloads"
-CRICTL_BIN_DIR="/usr/local/bin"
+CRICTL_BIN_DIR="/opt/bin"
 CONTAINERD_DOWNLOADS_DIR="/opt/containerd/downloads"
 RUNC_DOWNLOADS_DIR="/opt/runc/downloads"
 K8S_DOWNLOADS_DIR="/opt/kubernetes/downloads"
@@ -204,7 +204,7 @@ installCredentialProvider() {
 # TODO (alburgess) have oras version managed by dependant or Renovate
 installOras() {
     ORAS_DOWNLOAD_DIR="/opt/oras/downloads"
-    ORAS_EXTRACTED_DIR=${1} # Use components.json var for /usr/local/bin for linux-vhd-content-test.sh binary file checks.
+    ORAS_EXTRACTED_DIR=${1} # Use components.json var for /opt/bin for linux-vhd-content-test.sh binary file checks.
     ORAS_DOWNLOAD_URL=${2}
     ORAS_VERSION=${3}
 
diff --git a/parts/linux/cloud-init/artifacts/profile-d-path.sh b/parts/linux/cloud-init/artifacts/profile-d-path.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+case "${PATH}" in
+    /opt/bin:*) : ;;
+    *) PATH=/opt/bin:${PATH} ;;
+esac
diff --git a/pkg/agent/utils_test.go b/pkg/agent/utils_test.go
@@ -802,8 +802,8 @@ var _ = Describe("Assert datamodel.CSEStatus can be used to parse output JSON",
 var _ = Describe("Test removeComments", func() {
 
 	It("Should leave lines without comments unchanged", func() {
-		input := []byte("#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/opt/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out")
-		expected := "#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/usr/local/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/opt/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out"
+		input := []byte("#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/opt/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/opt/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out")
+		expected := "#!/bin/bash\n\nCC_SERVICE_IN_TMP=/opt/azure/containers/cc-proxy.service.in\nCC_SOCKET_IN_TMP=/opt/azure/containers/cc-proxy.socket.in\nCNI_CONFIG_DIR=\"/etc/cni/net.d\"\nCNI_BIN_DIR=\"/opt/cni/bin\"\nCNI_DOWNLOADS_DIR=\"/opt/cni/downloads\"\nCRICTL_DOWNLOAD_DIR=\"/opt/crictl/downloads\"\nCRICTL_BIN_DIR=\"/opt/bin\"\nCONTAINERD_DOWNLOADS_DIR=\"/opt/containerd/downloads\"\nRUNC_DOWNLOADS_DIR=\"/opt/runc/downloads\"\nK8S_DOWNLOADS_DIR=\"/opt/kubernetes/downloads\"\nUBUNTU_RELEASE=$(lsb_release -r -s)\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_DOWNLOAD_DIR=\"/opt/azure/tlsbootstrap\"\nSECURE_TLS_BOOTSTRAP_KUBELET_EXEC_PLUGIN_VERSION=\"v0.1.0-alpha.2\"\nTELEPORTD_PLUGIN_DOWNLOAD_DIR=\"/opt/teleportd/downloads\"\nTELEPORTD_PLUGIN_BIN_DIR=\"/opt/bin\"\nCONTAINERD_WASM_VERSIONS=\"v0.3.0 v0.5.1 v0.8.0\"\nMANIFEST_FILEPATH=\"/opt/azure/manifest.json\"\nMAN_DB_AUTO_UPDATE_FLAG_FILEPATH=\"/var/lib/man-db/auto-update\"\nCURL_OUTPUT=/tmp/curl_verbose.out"
 		result := removeComments(input)
 		Expect(string(result)).To(Equal(expected))
 	})
diff --git a/vhdbuilder/packer/packer_source.sh b/vhdbuilder/packer/packer_source.sh
@@ -29,6 +29,8 @@ copyPackerFiles() {
   PAM_D_SU_DEST=/etc/pam.d/su
   PROFILE_D_CIS_SH_SRC=/home/packer/profile-d-cis.sh
   PROFILE_D_CIS_SH_DEST=/etc/profile.d/CIS.sh
+  PROFILE_D_PATH_SH_SRC=/home/packer/profile-d-path.sh
+  PROFILE_D_PATH_SH_DEST=/etc/profile.d/path.sh
   CIS_SRC=/home/packer/cis.sh
   CIS_DEST=/opt/azure/containers/provision_cis.sh
   APT_PREFERENCES_SRC=/home/packer/apt-preferences
@@ -337,6 +339,7 @@ copyPackerFiles() {
   cpAndMode $MODPROBE_CIS_SRC $MODPROBE_CIS_DEST 644
   cpAndMode $PWQUALITY_CONF_SRC $PWQUALITY_CONF_DEST 600
   cpAndMode $PAM_D_SU_SRC $PAM_D_SU_DEST 644
+  cpAndMode $PROFILE_D_PATH_SH_SRC $PROFILE_D_PATH_SH_DEST 755
   cpAndMode $PROFILE_D_CIS_SH_SRC $PROFILE_D_CIS_SH_DEST 755
   cpAndMode $CIS_SRC $CIS_DEST 744
   cpAndMode $APT_PREFERENCES_SRC $APT_PREFERENCES_DEST 644
diff --git a/vhdbuilder/packer/test/linux-vhd-content-test.sh b/vhdbuilder/packer/test/linux-vhd-content-test.sh
@@ -279,8 +279,8 @@ testPackagesInstalled() {
         continue
       fi
 
-      # if the downloadLocation is /usr/local/bin verify that the package is installed
-      if [ "$downloadLocation" = "/usr/local/bin" ]; then
+      # if the downloadLocation is /opt/bin, verify the package is in the PATH
+      if [ "$downloadLocation" = /opt/bin ]; then
         if command -v "$name" >/dev/null 2>&1; then
           echo "$name is installed."
           continue
diff --git a/vhdbuilder/packer/vhd-image-builder-arm64-gen2.json b/vhdbuilder/packer/vhd-image-builder-arm64-gen2.json
@@ -407,6 +407,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",
diff --git a/vhdbuilder/packer/vhd-image-builder-base.json b/vhdbuilder/packer/vhd-image-builder-base.json
@@ -420,6 +420,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",
diff --git a/vhdbuilder/packer/vhd-image-builder-cvm.json b/vhdbuilder/packer/vhd-image-builder-cvm.json
@@ -424,6 +424,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",
@@ -729,4 +734,4 @@
       ]
     }
   ]
-}
+}
diff --git a/vhdbuilder/packer/vhd-image-builder-flatcar-arm64.json b/vhdbuilder/packer/vhd-image-builder-flatcar-arm64.json
@@ -408,6 +408,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",
diff --git a/vhdbuilder/packer/vhd-image-builder-flatcar.json b/vhdbuilder/packer/vhd-image-builder-flatcar.json
@@ -418,6 +418,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",
diff --git a/vhdbuilder/packer/vhd-image-builder-mariner-arm64.json b/vhdbuilder/packer/vhd-image-builder-mariner-arm64.json
@@ -391,6 +391,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",
diff --git a/vhdbuilder/packer/vhd-image-builder-mariner-cvm.json b/vhdbuilder/packer/vhd-image-builder-mariner-cvm.json
@@ -412,6 +412,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",
diff --git a/vhdbuilder/packer/vhd-image-builder-mariner.json b/vhdbuilder/packer/vhd-image-builder-mariner.json
@@ -408,6 +408,11 @@
       "source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",
       "destination": "/home/packer/profile-d-cis.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",
+      "destination": "/home/packer/profile-d-path.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/disk_queue.service",

Original file line number	Diff line number	Diff line change
`@@ -842,7 +842,7 @@`
`842`	`842`	`},`
`843`	`843`	`{`
`844`	`844`	`"name": "oras",`
`845`		`- "downloadLocation": "/usr/local/bin",`
	`845`	`+ "downloadLocation": "/opt/bin",`
`846`	`846`	`"downloadURIs": {`
`847`	`847`	`"default": {`
`848`	`848`	`"current": {`
Original file line number	Diff line number	Diff line change
`@@ -424,6 +424,11 @@`
`424`	`424`	`"source": "parts/linux/cloud-init/artifacts/profile-d-cis.sh",`
`425`	`425`	`"destination": "/home/packer/profile-d-cis.sh"`
`426`	`426`	`},`
	`427`	`+ {`
	`428`	`+ "type": "file",`
	`429`	`+ "source": "parts/linux/cloud-init/artifacts/profile-d-path.sh",`
	`430`	`+ "destination": "/home/packer/profile-d-path.sh"`
	`431`	`+ },`
`427`	`432`	`{`
`428`	`433`	`"type": "file",`
`429`	`434`	`"source": "parts/linux/cloud-init/artifacts/disk_queue.service",`
`@@ -729,4 +734,4 @@`
`729`	`734`	`]`
`730`	`735`	`}`
`731`	`736`	`]`
`732`		`-}`
	`737`	`+}`