azl4: rollback and servicing pipeline support

.pipelines/templates/e2e-template.yml

@@ -245,6 +245,7 @@ stages:
   # Test Runtime Updates and Rollback on VMs
   - template: stages/testing_rollback/vm-testing.yml
     parameters:
+      includeAzl4: true
       includeQemu: true
       includeUKI: true
       micBuildType: ${{ parameters.micBuildType }}
@@ -260,6 +261,7 @@ stages:
   # Test Servicing on VMs
   - template: stages/testing_servicing/vm-testing.yml
     parameters:
+      includeAzl4: true
       includeQemu: true
       includeUKI: true
       includeAzure: ${{ parameters.includeAzure }}

.pipelines/templates/stages/build_image/build-image-template.yml

@@ -19,6 +19,7 @@ parameters:
     values:
       - "2.0"
       - "3.0"
+      - "4.0-preview"
     default: "3.0"
 
   - name: micBuildType
@@ -101,57 +102,42 @@ steps:
 # Note: DHCP packages are not being installed in this image template.
 # If needed use template download-dhcp.yml on test-images.
 
-  - template: common/base-images-download-template.yaml@platform-pipelines
+  - ${{ if ne(parameters.azureLinuxVersion, '4.0-preview') }}:
+    - template: common/base-images-download-template.yaml@platform-pipelines
+      parameters:
+        buildType: ${{ parameters.baseimgBuildType }}
+        baseImageType: $(baseImageType)
+        imageVersion: ${{ parameters.baseimgVersion }}
+        azureLinuxVersion: ${{ parameters.azureLinuxVersion }}
+
+    # For dev builds, the RPMs are not necessarily published, so download them here. The
+    # parameter is set based on a runtime variable, so we cannot use ${{ if }}, so the
+    # template is always run and contains logic to skip if not needed.
+    - template: common/rpms-download-template.yaml@platform-pipelines
+      parameters:
+        rpmsVersion: ${{ parameters.rpmsVersion }}
+        azureLinuxVersion: ${{ parameters.azureLinuxVersion }}
+        runtimeBuildType: ${{ parameters.baseimgBuildType }}
+  - ${{ else }}:
+    # download-azl4-base-vhdx.yml only fetches the azl4_qemu_guest VHDX,
+    # so fail fast if the image resolves to a different base image type.
+    - bash: |
+        set -euxo pipefail
+        if [[ "$(baseImageType)" != "azl4_qemu_guest" ]]; then
+          echo "ERROR: AZL4 preview only supports base image type 'azl4_qemu_guest', but '$(baseImageType)' was resolved for image '${{ parameters.imageName }}'."
+          exit 1
+        fi
+      displayName: "Validate AZL4 base image type"
+      workingDirectory: ${{ parameters.tridentSourceDirectory }}
+    - template: ../common_tasks/download-azl4-base-vhdx.yml
+      parameters:
+        tridentSourceDirectory: ${{ parameters.tridentSourceDirectory }}
+
+  - template: ../common_tasks/prepare-testimage-requirements.yml
     parameters:
-      buildType: ${{ parameters.baseimgBuildType }}
-      baseImageType: $(baseImageType)
-      imageVersion: ${{ parameters.baseimgVersion }}
+      tridentSourceDirectory: ${{ parameters.tridentSourceDirectory }}
       azureLinuxVersion: ${{ parameters.azureLinuxVersion }}
-
-  # For dev builds, the RPMs are not necessarily published, so download them here. The
-  # parameter is set based on a runtime variable, so we cannot use ${{ if }}, so the
-  # template is always run and contains logic to skip if not needed.
-  - template: common/rpms-download-template.yaml@platform-pipelines
-    parameters:
-      rpmsVersion: ${{ parameters.rpmsVersion }}
-      azureLinuxVersion: ${{ parameters.azureLinuxVersion }}
-      runtimeBuildType: ${{ parameters.baseimgBuildType }}
-
-  - bash: |
-      set -ex
-
-      # Move base VHDX to artifacts/ (builder expects artifacts/*.vhdx)
-      mkdir -p artifacts
-      if ls "$(Build.ArtifactStagingDirectory)/images" | grep -q ".*\.vhdx$"; then
-        mv $(Build.ArtifactStagingDirectory)/images/*.vhdx artifacts/
-        rm -rf $(Build.ArtifactStagingDirectory)/images
-      else
-        echo "No base image found"
-        exit 1
-      fi
-
-      # Move dev RPM overrides to artifacts/rpm-overrides/
-      if ls "$(Build.ArtifactStagingDirectory)/rpms/" 2>/dev/null | grep -q "rpms.tar.gz"; then
-        mkdir -p artifacts/rpm-overrides
-        tar -xvf $(Build.ArtifactStagingDirectory)/rpms/rpms.tar.gz \
-          --strip-components=2 \
-          -C artifacts/rpm-overrides
-        rm $(Build.ArtifactStagingDirectory)/rpms/rpms.tar.gz
-      fi
-
-      DISTRO=azl3
-      if [[ "${{ parameters.azureLinuxVersion }}" == "4.0-preview" ]]; then
-        DISTRO=azl4
-      fi
-
-      # Move Trident RPMs to bin/RPMS/ (builder expects bin/RPMS/*.rpm)
-      if [ -d "$(Build.ArtifactStagingDirectory)/trident" ]; then
-        mkdir -p bin/RPMS
-        find "$(Build.ArtifactStagingDirectory)/trident" -name "*${DISTRO}*.rpm" -exec mv {} bin/RPMS/ \;
-        rm -rf "$(Build.ArtifactStagingDirectory)/trident"
-      fi
-    displayName: "Prepare and move requirements"
-    workingDirectory: ${{ parameters.tridentSourceDirectory }}
+      stageSshKeys: false
 
   - bash: |
       set -ex

.pipelines/templates/stages/build_image/build-image.yml

@@ -24,6 +24,15 @@ parameters:
     type: string
     default: "*.*.*"
 
+  - name: azureLinuxVersion
+    displayName: Version of AzureLinux for the Base Image
+    type: string
+    values:
+      - "2.0"
+      - "3.0"
+      - "4.0-preview"
+    default: "3.0"
+
   - name: clones
     displayName: "Number of clones to generate"
     type: number
@@ -59,7 +68,6 @@ stages:
         variables:
           ob_outputDirectory: /tmp/output
           ob_artifactBaseName: ${{ parameters.imageName }}
-          BASEIMG_AZURE_LINUX_VERSION: "3.0"
 
         steps:
           - template: ../common_tasks/checkout_trident.yml
@@ -84,7 +92,7 @@ stages:
               baseimgBuildType: $(BASEIMG_BUILD_TYPE)
               baseimgVersion: $(BASEIMG_VERSION)
               rpmsVersion: $(RPMS_VERSION)
-              azureLinuxVersion: ${{ variables.BASEIMG_AZURE_LINUX_VERSION }}
+              azureLinuxVersion: ${{ parameters.azureLinuxVersion }}
               micBuildType: ${{ parameters.micBuildType }}
               micVersion: ${{ parameters.micVersion }}
               clones: ${{ parameters.clones }}

.pipelines/templates/stages/common_tasks/download-azl4-base-vhdx.yml

@@ -0,0 +1,48 @@
+parameters:
+  - name: tridentSourceDirectory
+    type: string
+
+steps:
+  # Download a preview AZL4 base VHDX from storage account.
+  - task: AzureCLI@2
+    displayName: "Download AZL4 base VHDX from blob"
+    inputs:
+      azureSubscription: azlinuxbmpstaging-storage-account-read
+      scriptType: bash
+      scriptLocation: inlineScript
+      workingDirectory: ${{ parameters.tridentSourceDirectory }}
+      inlineScript: |
+        set -euxo pipefail
+
+        mkdir -p $(Build.ArtifactStagingDirectory)/images
+        az storage blob download \
+          --max-connections 10 \
+          --auth-mode login \
+          --account-name azlinuxbmpstaging \
+          --container-name azl4-qemu-guest \
+          --name azl4_qemu_guest.vhdx \
+          --file $(Build.ArtifactStagingDirectory)/images/azl4_qemu_guest.vhdx
+        ls -la $(Build.ArtifactStagingDirectory)/images/azl4_qemu_guest.vhdx
+
+  # AZL4 netplan (1.1.2) is incompatible with systemd (258.4). 1.1.2 is the current
+  # release of netplan in AZL4, but netplan 1.2.1 fixes the problem. Our
+  # tests depend on netplan, so workaround this for now with cached RPMs.
+  - task: AzureCLI@2
+    displayName: "Download override AZL4 RPMs from blob"
+    inputs:
+      azureSubscription: azlinuxbmpstaging-storage-account-read
+      scriptType: bash
+      scriptLocation: inlineScript
+      workingDirectory: ${{ parameters.tridentSourceDirectory }}
+      inlineScript: |
+        set -euxo pipefail
+
+        mkdir -p ${{ parameters.tridentSourceDirectory }}/artifacts/rpm-overrides
+        az storage blob download-batch \
+          --max-connections 10 \
+          --auth-mode login \
+          --account-name azlinuxbmpstaging \
+          --source azl4-override-rpms \
+          --pattern "*.rpm" \
+          --destination ${{ parameters.tridentSourceDirectory }}/artifacts/rpm-overrides
+        ls -la ${{ parameters.tridentSourceDirectory }}/artifacts/rpm-overrides

.pipelines/templates/stages/common_tasks/prepare-testimage-requirements.yml

@@ -0,0 +1,74 @@
+parameters:
+  - name: tridentSourceDirectory
+    type: string
+
+  - name: azureLinuxVersion
+    displayName: Version of AzureLinux for the Base Image
+    type: string
+    default: "3.0"
+
+  - name: stageSshKeys
+    type: boolean
+    default: false
+
+steps:
+  - ${{ if eq(parameters.stageSshKeys, true) }}:
+    # Stage SSH keys into the testimage tree so they get baked into the image
+    # and are available for tests to use.
+    - bash: |
+        set -euxo pipefail
+        SSH_DEST="${{ parameters.tridentSourceDirectory }}/tests/images/trident-vm-testimage/base/files"
+        SSH_SRC="${{ parameters.tridentSourceDirectory }}/artifacts"
+
+        if [ ! -f "$SSH_SRC/id_rsa.pub" ]; then
+          echo "ssh keys not found at $SSH_SRC"
+          echo "Available files:"
+          find "$SSH_SRC" -type f 2>/dev/null | head -20 || true
+          exit 1
+        fi
+
+        # Stage only the public key. The image configs reference only
+        # files/id_rsa.pub (injected as an authorized key); the private
+        # key is used host-side by the test runner and must not be baked
+        # into the image.
+        mkdir -p "$SSH_DEST"
+        cp "$SSH_SRC/id_rsa.pub" "$SSH_DEST/"
+        chmod 644 "$SSH_DEST/id_rsa.pub"
+      displayName: "Stage SSH keys into testimage tree"
+      workingDirectory: ${{ parameters.tridentSourceDirectory }}
+
+  - bash: |
+      set -euxo pipefail
+
+      # Move base VHDX to artifacts/ (builder expects artifacts/*.vhdx)
+      mkdir -p artifacts
+      if ls "$(Build.ArtifactStagingDirectory)/images" | grep -q ".*\.vhdx$"; then
+        mv $(Build.ArtifactStagingDirectory)/images/*.vhdx artifacts/
+        rm -rf $(Build.ArtifactStagingDirectory)/images
+      else
+        echo "No base image found"
+        exit 1
+      fi
+
+      # Move dev RPM overrides to artifacts/rpm-overrides/
+      if ls "$(Build.ArtifactStagingDirectory)/rpms/" 2>/dev/null | grep -q "rpms.tar.gz"; then
+        mkdir -p artifacts/rpm-overrides
+        tar -xvf $(Build.ArtifactStagingDirectory)/rpms/rpms.tar.gz \
+          --strip-components=2 \
+          -C artifacts/rpm-overrides
+        rm $(Build.ArtifactStagingDirectory)/rpms/rpms.tar.gz
+      fi
+
+      DISTRO=azl3
+      if [[ "${{ parameters.azureLinuxVersion }}" == "4.0-preview" ]]; then
+        DISTRO=azl4
+      fi
+
+      # Move Trident RPMs to bin/RPMS/ (builder expects bin/RPMS/*.rpm)
+      if [ -d "$(Build.ArtifactStagingDirectory)/trident" ]; then
+        mkdir -p bin/RPMS
+        find "$(Build.ArtifactStagingDirectory)/trident" -name "*${DISTRO}*.rpm" -exec mv {} bin/RPMS/ \;
+        rm -rf "$(Build.ArtifactStagingDirectory)/trident"
+      fi
+    displayName: "Prepare and move requirements"
+    workingDirectory: ${{ parameters.tridentSourceDirectory }}

.pipelines/templates/stages/testing_rollback/testing-template.yml

@@ -25,6 +25,7 @@ parameters:
     type: string
     values:
       - qemu-grub
+      - grubazl4
       - qemu
       - uki
 
@@ -160,7 +161,10 @@ jobs:
           fi
           if [ "${{ parameters.flavor }}" != "uki" ]; then
             if [[ "${{ parameters.testSecureBoot }}" == 'True' ]]; then
-              STORM_DYNAMIC_FLAGS="$STORM_DYNAMIC_FLAGS --secure-boot"
+              # grubazl4 is skipped: its base image does not support secure boot yet.
+              if [[ "${{ parameters.flavor }}" != 'grubazl4' ]]; then
+                STORM_DYNAMIC_FLAGS="$STORM_DYNAMIC_FLAGS --secure-boot"
+              fi
             fi
           fi
           if [ "${{ parameters.skipManualRollbackTesting }}" == "true" ]; then
@@ -195,7 +199,7 @@ jobs:
             --force-cleanup
         displayName: "Rollback test (${{ parameters.platform }})"
         workingDirectory: $(TRIDENT_SOURCE_DIR)
-        timeoutInMinutes: 5
+        timeoutInMinutes: 10
 
       - bash: |
           set -eux

.pipelines/templates/stages/testing_rollback/vm-testing.yml

@@ -32,6 +32,11 @@ parameters:
     type: boolean
     default: false
 
+  - name: includeAzl4
+    displayName: "Include qemu azl4 testing"
+    type: boolean
+    default: false
+
   - name: includeUKI
     displayName: "Include UKI testing"
     type: boolean
@@ -74,7 +79,7 @@ stages:
                   - ${{ parameters.dependsOnStage }}
 
             jobs:
-              - template: ../testing_servicing/build-image.yml
+              - template: ../trident_images/build-image.yml
                 parameters:
                   label: "qemu-grub-base"
                   makeTarget: "artifacts/trident-vm-grub-testimage.qcow2"
@@ -84,7 +89,7 @@ stages:
                   micVersion: ${{ parameters.micVersion }}
                   useStagedSshKeys: true
 
-              - template: ../testing_servicing/build-image.yml
+              - template: ../trident_images/build-image.yml
                 parameters:
                   label: "qemu-grub-update-a"
                   makeTarget: "artifacts/trident-vm-grub-testimage.cosi"
@@ -103,6 +108,8 @@ stages:
           - BuildingTools
           - ${{ if eq(parameters.includeQemuGrub, true) }}:
               - BuildImagesQemuGrub
+          - ${{ if eq(parameters.includeAzl4, true) }}:
+              - BuildImagesQemuGrubAzl4
           - ${{ if eq(parameters.includeQemu, true) }}:
               - BuildImagesQemu
           - ${{ if eq(parameters.includeUKI, true) }}:
@@ -128,6 +135,16 @@ stages:
               micBuildType: ${{ parameters.micBuildType }}
               micVersion: ${{ parameters.micVersion }}
               testSecureBoot: ${{ parameters.testSecureBoot }}
+      - ${{ if eq(parameters.includeAzl4, true) }}:
+          - template: testing-template.yml
+            parameters:
+              updateCheckTimeoutInMinutes: ${{ parameters.updateCheckTimeoutInMinutes }}
+              verboseLogging: ${{ parameters.verboseLogging }}
+              platform: qemu
+              flavor: grubazl4
+              micBuildType: ${{ parameters.micBuildType }}
+              micVersion: ${{ parameters.micVersion }}
+              testSecureBoot: ${{ parameters.testSecureBoot }}
       - ${{ if eq(parameters.includeQemu, true) }}:
           - template: testing-template.yml
             parameters:

.pipelines/templates/stages/testing_servicing/testing-template.yml

@@ -40,6 +40,7 @@ parameters:
     displayName: Image flavor
     type: string
     values:
+      - grubazl4
       - qemu
       - azure
       - uki
@@ -167,7 +168,10 @@ jobs:
           fi
           if [ "${{ parameters.flavor }}" != "uki" ]; then
             if [[ "${{ parameters.testSecureBoot }}" == 'True' ]]; then
-              FLAGS="$FLAGS --secure-boot"
+              # grubazl4 is skipped: its base image does not support secure boot yet.
+              if [[ "${{ parameters.flavor }}" != 'grubazl4' ]]; then
+                FLAGS="$FLAGS --secure-boot"
+              fi
             fi
           fi
           if [ "${{ parameters.rollbackTesting }}" == "True" ]; then