feat: install most components to /opt/bin instead of /usr/local/bin#7125
Merged
cameronmeissner merged 7 commits intomainfrom Jan 20, 2026
Merged
feat: install most components to /opt/bin instead of /usr/local/bin#7125cameronmeissner merged 7 commits intomainfrom
cameronmeissner merged 7 commits intomainfrom
Conversation
github-actions
Bot
added
the
components
chewi
requested review from
AbelHu,
Devinwong,
anujmaheshwari1,
bravebeaver,
cameronmeissner,
djsly,
ganeshkumarashok,
juan-lee,
junjiezhang1997,
lilypan26,
phealy,
r2k1,
timmy-wright,
yewmsft and
zachary-bailey
as code owners
Contributor
Author
|
|
Contributor
Author
|
I hadn't realised you could grab the scenario logs from these runs. Having a closer look now. |
Contributor
Author
|
I've fixed the major issue I was having. I didn't understand that systemd units referencing the new path were being applied to the older image with binaries at the old path. I have worked around this with a cloud-config I haven't been able to get an entirely clean pass here or with RP, but the few failures I've seen are due to availability or other unrelated issues. |
djsly
reviewed
Jan 15, 2026
djsly
reviewed
Jan 15, 2026
djsly
reviewed
Jan 15, 2026
djsly
reviewed
Jan 15, 2026
djsly
reviewed
Jan 15, 2026
It was prefixing lines with the wrong function name, which had me stumped for hours.
It is installed using dnf, so drop downloadLocation to avoid confusion.
Ignition runs in the initrd, whereas cloud-init typically doesn't. As such, there is no specific Ignition feature to execute commands after switching root, but this can still be done by adding a systemd unit. This change collects the cloud-config bootcmds into a single shell script and executes them via a unit. Failure is ignored because that's what cloud-init does. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Namely, logrotate.sh, ci-syslog-watcher.sh, teleportd, and aks-secure-tls-bootstrap-client. These are referenced by absolute path in their systemd units and should therefore be safe to move. /usr/local/bin is generally read-only on immutable distributions. The bootcmd in nodecustomdata.yml provides compatibility with existing images by creating symlinks in /opt/bin if necessary.
/usr/local/bin is generally read-only on immutable distributions. A profile.d script has been added to ensure /opt/bin is in the PATH.
/usr/local/bin is generally read-only on immutable distributions, so these binaries cannot be installed there. The packages published to PMC and the system extensions built from those install their binaries to /usr/bin. These were previously moved to /usr/local/bin, but since this is no longer possible, symlinks are now created in /opt/bin instead. Symlinks are not used when installing from a tarball because the versioned binaries (e.g. kubelet-*) are removed, leading to dangling links. The `install` command has been used to write these binaries because it removes the existing file first (rather than following a symlink) and takes care of making the new file executable.
hbeberman
approved these changes
Jan 20, 2026
Contributor
hbeberman
left a comment
hbeberman
left a comment
There was a problem hiding this comment.
Changes look good to me from an AZL/OSGuard perspective.
cameronmeissner
approved these changes
Jan 20, 2026
YaoC
approved these changes
Jan 20, 2026
This was referenced Jan 21, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
/usr/local/bin is generally read-only on immutable distributions, so binaries cannot be installed there. This PR installs them to /opt/bin instead.
The packages published to PMC and the system extensions built from those install their binaries to /usr/bin. These were previously moved to /usr/local/bin, but since this is no longer possible, symlinks are now created in /opt/bin instead.
Symlinks are not used when installing from a tarball because the versioned binaries (e.g. kubelet-*) are removed, leading to dangling links.
The
installcommand has been used to write these binaries because it removes the existing file first (rather than following a symlink) and takes care of making the new file executable.As an aside, this also fixes a failing test that was introduced in #6995.Requirements:
Special notes for your reviewer:
This change is part of a wider effort to install binaries to Flatcar from systemd system extensions (sysexts) rather than binary tarballs, which are being phased out. There are too many changes to submit everything in this one PR, so another will follow this one.
I could not find any relevant documentation to update.
Regarding upgrades, I am not experienced enough with AKS to know how to test that. I don't believe the changes would cause any issue for upgrades because they only change how and where things are installed. There are practically no configuration changes besides some paths in the systemd units.
Release note:
Is one needed here? I don't know whether end users will see or care about these changes.