feat: run aks node controller at boot time faster by 15s

[awesomenix]

Summary

• move scriptless AKS node controller startup earlier by switching generated custom data to cloud-boothook
• Savings of 30s
• update the baked aks-node-controller.service ordering to match the earlier-start model while keeping the VHD enable path intact
• update the e2e hack path to mirror the same boothook-driven startup pattern

Details

• aks-node-controller/pkg/nodeconfigutils/utils.go now writes the config from boothook and starts aks-node-controller.service immediately
• parts/linux/cloud-init/artifacts/aks-node-controller.service now waits on network-online.target and stays active (exited) after the one-shot run
• e2e/vmss.go switches the hack flow from runcmd to a boothook-dropped service and wrapper
• generate-testdata was run to refresh generated snapshot data impacted by the pkg change

Timings

Latest rerun timings: 16CPU, 32GB RAM

   - boot → CSE start: 13.000s
   - CSE start: +0.000s
   - configureKubeletAndKubectl done: +1.627s
    - installKubeletKubectlFromURL: 5ms
   - ensureContainerd done: +2.137s
   - ensureKubelet done: +4.548s
   - ensureNoDupOnPromiscuBridge done: +7.934s
   - configureNodeExporter done: +8.768s
   - CSE finish: +10.874s
   - containerd started: +7.000s
   - kubelet started: +7.000s
   - first kubelet log: +7.000s
   - runtime initialized: +12.000s
   - main sync loop: +12.000s
   - node registered: +12.000s
   - NodeReady: +13.000s


   Latest rerun: 2CPU, 8GB RAM

   - boot → CSE start: 16.000s
   - CSE start: +0.000s
   - configureKubeletAndKubectl done: +2.910s
    - installKubeletKubectlFromURL: 7ms
   - ensureContainerd done: +3.677s
   - ensureKubelet done: +6.281s
   - ensureNoDupOnPromiscuBridge done: +12.761s
   - configureNodeExporter done: +14.115s
   - CSE finish: +17.789s
   - containerd started: +12.000s
   - kubelet started: +12.000s
   - runtime initialized: +20.000s
   - node registered: +20.000s
   - NodeReady: +21.000s

[Copilot]

Pull request overview

Adjusts the e2e VMSS provisioning flow to run the aks-node-controller hack in the foreground (synchronously) and alters how provisioning status is validated during scenario setup.

Changes:

• Run /opt/azure/bin/aks-node-controller-hack provision ... synchronously in cloud-init instead of backgrounding it.
• Stop setting the VMSS CustomScript commandToExecute when provisioning via AKSNodeConfig (commented out).
• Disable the post-create Custom Script Extension status check (commented out).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
e2e/vmss.go	Runs aks-node-controller-hack provision synchronously; comments out CSE command wiring when using AKSNodeConfig.
e2e/test_helpers.go	Comments out the VMSS Custom Script Extension status validation after VMSS creation.

Comments suppressed due to low confidence (1)

e2e/vmss.go:158

• cse is no longer set when s.Runtime.AKSNodeConfig != nil. In the DisableScriptLessCompilation path this results in generating CustomData that only writes the aks-node-controller config file, but does not execute aks-node-controller (the VMSS CustomScript extension is skipped because cseCmd is empty). This will prevent the node from being provisioned. Restore wiring so scriptless mode still executes /opt/azure/containers/aks-node-controller provision-wait (or alternatively ensure CustomDataWithHack runs the equivalent of provision-wait). Note: leaving cse empty can also lead to a nil dereference in getBaseVMSSModel for Windows, which assumes an ExtensionProfile exists.

	if s.Runtime.AKSNodeConfig != nil {
		//cse = nodeconfigutils.CSE
		customData = func() string {
			if config.Config.DisableScriptLessCompilation {
				data, err := nodeconfigutils.CustomData(s.Runtime.AKSNodeConfig)
				require.NoError(s.T, err, "failed to generate custom data from AKSNodeConfig")

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

The README states aks-node-controller.service remains enabled on the VHD as a fallback boot hook, but this PR’s unit file change removes the [Install] section (so systemctl enable aks-node-controller.service fails during VHD build). Either update this doc to match the new enable/start model, or restore an enable-able unit definition so the fallback claim is accurate.

Suggested change

	1. `aks-node-controller.service`: systemd unit that can be started directly by cloud-boothook as soon as the config file is written, while remaining enabled on the VHD as a fallback boot hook.
	1. `aks-node-controller.service`: systemd unit that is started directly by cloud-boothook as soon as the config file is written; it is started explicitly by the provisioning flow rather than being persistently enabled on the VHD as a fallback boot hook.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 84 changed files in this pull request and generated 7 comments.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 85 changed files in this pull request and generated 13 comments.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 27 out of 89 changed files in this pull request and generated 7 comments.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

[lilypan26]

wala lol

nit: SKIP_WAAGENT_HOLD? more clear what ur referring to

[lilypan26]

what does MIME stand for? can we had a comment explaining

[lilypan26]

nit: add a comment explaining why different for flatcar?

[Devinwong]

I understand the effort in this PR is somewhat remove the hard dependency with cloud-init status ready. However, the cloud-init-status-check.sh was added by a repair item for some intermittent sev2. Not meaning we can't remove it, just need to be aware that it could cause intermittent sev2.

[awesomenix]

we run the service before even cloud init is finished, so waiting for it doesnt make sense.

[awesomenix]

may be add this part of provision-wait?

[Devinwong]

aks-node-controller doesn't depend on it. The status check is more for the provisioning scripts cse_*.sh, which was what I saw from that sev2.

[Devinwong]

Sync'd offline. Nishchay checked with the original owner of cloud-init-status-check.sh and confirmed this is no longer needed.

[Devinwong]

Would this not cause the sev2 that @SriHarsha001 encountered with lower end VMs in early Feb?

[awesomenix]

we arent dependent on WAAGENT anymore since we run way early

[Devinwong]

aks-node-controller doesn't depends on waagent, but the scripts may still depend on it? Anyway, if we can use the lower end vm to do multiple runs, then we may have a better understanding of the impact.

[awesomenix]

Will test on A series VM. Also we are no dependent on WAagent like phase1 since cse scripts are not executed as part of waagent and there was a worry there might be a restart of waagent in middle of execution of cse, right now we only wait.

[Devinwong]

Question: what is the reason we need it to be multipart MIME?
IIUC, the first part is the cloud-boothook which tries to write the aks-node-config to the node asap. Is the second part only to print a message currently? Are we going to use this second part for other purpose in the future?

[awesomenix]

idea is to bundle our current nodecustomdata.yaml probably for hotfixing doesnt work since hotfixing needs to use boothook as well.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

[Copilot]

Switching the unit to WantedBy=basic.target while keeping ConditionPathExists=/opt/azure/containers/aks-node-controller-config.json can prevent the service from ever running on flows where the config is only written later by cloud-init (e.g., older/custom data that uses write_files). systemd will skip the unit when the condition fails at basic.target time and won’t automatically retry when the file appears. Consider keeping the enable/fallback path tied to cloud-init.target (as before) and rely on the boothook’s explicit systemctl start for early-start, or add a path/trigger that starts the service when the config file is created.

[Copilot]

The boothook creates and enables aks-node-controller-hack.service but never starts it. systemctl enable does not start the unit, and depending on when the boothook runs relative to basic.target, the unit may not run on the first boot at all. To mirror the main boothook flow and make this deterministic, start the unit explicitly (e.g., systemctl start --no-block ...) or use systemctl enable --now ....

Suggested change

	systemctl daemon-reload
	systemctl enable aks-node-controller-hack.service
	`
	systemctl daemon-reload
	systemctl enable --now aks-node-controller-hack.service
	`