From 9768283319bcdabad1f088302971668d9e48692c Mon Sep 17 00:00:00 2001 From: Nikola Bojanic Date: Tue, 2 Jun 2026 22:45:59 +0000 Subject: [PATCH 1/3] Merged PR 27634: fix: use 'az tag update' in SELinux toggle test azure-cli 2.87.0 wired zone-movement into 'az vm update' (Azure/ azure-cli#33242). The new PUT body trips a BadRequest from regions/ subs where zone movement isn't enabled, breaking our tag flip. Switch to 'az tag update', which hits the generic ARM tag endpoint and doesn't touch the Compute provider. Verified live on a westus2 Standard_D2s_v5 ACL VM with az 2.87.0. ---- #### AI description (iteration 1) #### PR Classification Bug fix to resolve Azure VM provisioning failures during SELinux toggle tests by switching from a VM-specific update command to a generic ARM tag update endpoint. #### PR Summary This PR fixes Azure VM provisioning failures caused by unsupported zone movement operations when setting IMDS tags during SELinux testing. The fix changes the tag update mechanism to avoid round-tripping the entire VM resource through the Compute RP, which was triggering the incompatibility error. - `run-selinux-toggle-test.sh`: Replaced `az vm update` commands with `az tag update` using the generic ARM tag endpoint to modify the `acl-node-security-profile` tag - `run-selinux-toggle-test.sh`: Added VM resource ID retrieval via `az vm show` to support the new tag update approach - `run-selinux-toggle-test.sh`: Changed tag deletion to use `--operation delete` and tag setting to use `--operation merge` for more targeted updates Related work items: #20481 --- acl/tests/run-selinux-toggle-test.sh | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/acl/tests/run-selinux-toggle-test.sh b/acl/tests/run-selinux-toggle-test.sh index 0abe1ef4910..5866409fd02 100755 --- a/acl/tests/run-selinux-toggle-test.sh +++ b/acl/tests/run-selinux-toggle-test.sh 
@@ -44,22 +44,28 @@ boot_id() { ssh_cmd 'cat /proc/sys/kernel/random/boot_id' 2>/dev/null } -# Set (or remove) the tag on the VM, then wait for in-guest IMDS to converge +# Set (or remove) the tag on the VM, then wait for in-guest IMDS to converge. +# +# Uses the generic ARM tag endpoint (`az tag update`) rather than +# `az vm update --set tags.…`. The latter round-trips the whole VM resource +# through the Compute RP, so it can fail on unrelated VM properties. set_selinux_tag() { local value="$1" + local vm_id + vm_id=$(az vm show --resource-group "$VM_RG" --name "$VM_NAME" --query id -o tsv) if [[ -z "$value" ]]; then info "Removing acl-node-security-profile tag..." - az vm update \ - --resource-group "$VM_RG" \ - --name "$VM_NAME" \ - --remove tags.acl-node-security-profile \ + az tag update \ + --resource-id "$vm_id" \ + --operation delete \ + --tags "acl-node-security-profile=" \ --output none else info "Setting acl-node-security-profile=${value}..." - az vm update \ - --resource-group "$VM_RG" \ - --name "$VM_NAME" \ - --set "tags.acl-node-security-profile=${value}" \ + az tag update \ + --resource-id "$vm_id" \ + --operation merge \ + --tags "acl-node-security-profile=${value}" \ --output none fi info "Waiting for in-guest IMDS to report tag='${value:-}'..." From 358c46e6cfcc0699ab4f2fe6fa34eb29d0c114f1 Mon Sep 17 00:00:00 2001 From: Nikola Bojanic Date: Wed, 3 Jun 2026 00:38:44 +0000 Subject: [PATCH 2/3] Merged PR 27637: enforcing: exempt discovery.etcd.io-dependent tests on Azure The etcd project has declared the public v2 discovery service no longer maintained (https://etcd.io/blog/2025/announcing-etcd-3.6/). Add platforms:[azure] exceptions for: - acl.etcd-member.discovery - acl.flannel.udp - acl.flannel.vxlan - cl.etcd-member.v2-backup-restore Related work items: #20438 --- acl/tests/kola_enforcing.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) 
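Review bot: The new `vm_id` lookup in `set_selinux_tag` is used without a check, so if `az vm show` prints nothing, both `az tag update` branches run with an empty `--resource-id`. Whether a failing lookup aborts the script depends on `set -e`, which is not visible in this hunk. A guard directly after the assignment keeps the failure at its cause instead of surfacing later as a tag-endpoint error or an IMDS wait timeout: `[[ -n "$vm_id" ]] || { echo "set_selinux_tag: could not resolve resource id for $VM_NAME" >&2; return 1; }`. The function body continues past the end of the hunk, so the wait logic that follows was not reviewed.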
diff --git a/acl/tests/kola_enforcing.yaml b/acl/tests/kola_enforcing.yaml index 6064941b0ad..532e14f7a30 100644 --- a/acl/tests/kola_enforcing.yaml +++ b/acl/tests/kola_enforcing.yaml @@ -26,16 +26,22 @@ tests: - platforms: [qemu] architectures: [aarch64] reason: 3-node etcd cluster on TCG-emulated arm64 races systemd's DefaultDeviceTimeoutSec for /dev/disk/by-label/OEM; tracked by the OEM fsck conditional dropin work + - platforms: [azure] + reason: Azure version depends on discovery.etcd.io, which is unmaintained. - name: acl.flannel.udp exceptions: - architectures: [aarch64] reason: Flannel UDP coverage is registered only for amd64 + - platforms: [azure] + reason: Azure version depends on discovery.etcd.io, which is unmaintained. - name: acl.flannel.vxlan exceptions: - platforms: [qemu] architectures: [aarch64] reason: Flakiness on TCG-emulated arm64 in aclmain, failures due to slow device enumeration. + - platforms: [azure] + reason: Azure version depends on discovery.etcd.io, which is unmaintained. - name: acl.internet exceptions: @@ -90,6 +96,9 @@ tests: - name: cl.etcd-member.etcdctlv3 - name: cl.etcd-member.v2-backup-restore + exceptions: + - platforms: [azure] + reason: Azure version depends on discovery.etcd.io, which is unmaintained. - name: cl.filesystem exceptions: From 01f99fdbb9a59084a3deaf9d5d34eb29a720844b Mon Sep 17 00:00:00 2001 From: Mayank Singh Date: Thu, 4 Jun 2026 04:58:45 +0000 Subject: [PATCH 3/3] Merged PR 27647: add irqbalance pkg in base image add irqbalance pkg in base image for ACL. Please check the https://dev.azure.com/mariner-org/ACL/_workitems/edit/20485/ for analysis. Signed-off-by: Mayank Singh Related work items: #20485 --- build_library/rpm/package_catalog.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/build_library/rpm/package_catalog.yaml b/build_library/rpm/package_catalog.yaml index 3cf80d22c67..9bddf920d7e 100644 --- a/build_library/rpm/package_catalog.yaml +++ b/build_library/rpm/package_catalog.yaml 
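Review bot: The four `platforms: [azure]` exceptions added in `acl/tests/kola_enforcing.yaml` carry no tracking reference, so nothing in the file says when enforcing-mode coverage for these etcd and flannel tests on Azure is meant to return. The existing qemu entry at the top of the first hunk names its follow-up work, and the new reasons could do the same, for example `reason: Azure variant depends on discovery.etcd.io, which is unmaintained; tracked by work item 20438`. The first new exception extends a list whose `- name:` line is above the hunk, so the test it applies to is taken from the commit message rather than from the visible lines.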
@@ -30,6 +30,7 @@ packages: - selinux-policy - policycoreutils - ca-certificates + - irqbalance sys-libs/systemd-libs: systemd-libs sys-apps/systemd-networkd: systemd-networkd net-misc/systemd-networkd: systemd-networkd
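Review bot: The `- irqbalance` entry in `build_library/rpm/package_catalog.yaml` is added without a comment, so the reason a new daemon ships in the base image is recorded only in the commit message's work-item link. A trailing comment would keep the rationale next to the entry, e.g. `- irqbalance  # IRQ balancing across CPUs; see work item 20485`. Because the same list carries `selinux-policy`, it is also worth confirming that the service starts without denials in enforcing mode. Nothing in this patch series adds a test for it. The list this entry joins begins above the hunk.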