Change bootstrap to daemon mode (#26)

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: wenxuan0923

.github/workflows/pr-checks.yml

@@ -14,6 +14,7 @@ on:
 permissions:
   contents: read
   pull-requests: read
+  security-events: write
 
 jobs:
   build:

README.md

@@ -145,32 +145,27 @@ EOF
 
 | Command | Description | Usage |
 |---------|-------------|-------|
-| `bootstrap` | Transform VM into AKS node | `sudo aks-flex-node bootstrap` |
-| `unbootstrap` | Clean removal of all components | `sudo aks-flex-node unbootstrap` |
-| `version` | Show version information | `sudo aks-flex-node version` |
+| `agent` | Start agent daemon (bootstrap + monitoring) | `aks-flex-node agent --config /etc/aks-flex-node/config.json` |
+| `unbootstrap` | Clean removal of all components | `aks-flex-node unbootstrap --config /etc/aks-flex-node/config.json` |
+| `version` | Show version information | `aks-flex-node version` |
 
-#### Bootstrap
+#### Agent Command (Bootstrap + Daemon)
 ```bash
 # Option 1: Direct command execution
-aks-flex-node bootstrap
+aks-flex-node agent --config /etc/aks-flex-node/config.json
 cat /var/log/aks-flex-node/aks-flex-node.log
 
 # Option 2: Using systemd service
-sudo systemctl enable aks-flex-node@bootstrap.service; sudo systemctl start aks-flex-node@bootstrap
-journalctl -u aks-flex-node@bootstrap --since "1 minutes ago" -f
+sudo systemctl enable aks-flex-node-agent.service; sudo systemctl start aks-flex-node-agent
+journalctl -u aks-flex-node-agent --since "1 minutes ago" -f
 
 ```
 
 #### Unbootstrap
 ```bash
-# Option 1: Direct command execution
-aks-flex-node unbootstrap
+# Direct command execution
+aks-flex-node unbootstrap --config /etc/aks-flex-node/config.json
 cat /var/log/aks-flex-node/aks-flex-node.log
-
-# Option 2: Using systemd service
-sudo systemctl enable aks-flex-node@unbootstrap.service; sudo systemctl start aks-flex-node@unbootstrap
-journalctl -u aks-flex-node@unbootstrap --since "1 minutes ago" -f
-
 ```
 
 ## Authentication Flow:
@@ -206,14 +201,14 @@ The service principal must have the same permissions listed in the Prerequisites
 ### Complete Removal
 ```bash
 # First run unbootstrap to cleanly disconnect from Arc and AKS cluster
-aks-flex-node unbootstrap
+aks-flex-node unbootstrap --config /etc/aks-flex-node/config.json
 
 # Then run automated uninstall to remove all components
 curl -fsSL https://raw.githubusercontent.com/Azure/AKSFlexNode/main/scripts/uninstall.sh | sudo bash
 ```
 
 The uninstall script will:
-- Stop and disable aks-flex-node systemd services (bootstrap/unbootstrap)
+- Stop and disable aks-flex-node agent service
 - Remove the service user and permissions
 - Clean up all directories and configuration files
 - Remove the binary and systemd service files

aks-flex-node@.service aks-flex-node-agent.serviceaks-flex-node@.service renamed to aks-flex-node-agent.service

@@ -1,18 +1,26 @@
 [Unit]
-Description=AKS Flex Node Agent - %i
+Description=AKS Flex Node Agent
 After=network-online.target
 Wants=network-online.target
+# Restart on failure to enable auto-recovery
+StartLimitIntervalSec=300
+StartLimitBurst=5
 
 [Service]
 Type=simple
 RemainAfterExit=no
-ExecStart=/usr/local/bin/aks-flex-node %i --config /etc/aks-flex-node/config.json
-TimeoutStartSec=30
-TimeoutStopSec=3600
+ExecStart=/usr/local/bin/aks-flex-node agent --config /etc/aks-flex-node/config.json
+TimeoutStartSec=300
+TimeoutStopSec=60
+# Restart configuration for daemon resilience
+Restart=on-failure
+RestartSec=30
 User=aks-flex-node
 Group=aks-flex-node
 SupplementaryGroups=himds ubuntu
 Environment=AZURE_CONFIG_DIR=/home/ubuntu/.azure
+RuntimeDirectory=aks-flex-node
+RuntimeDirectoryMode=0755
 StandardOutput=journal
 StandardError=journal
 
@@ -38,7 +46,7 @@ RestrictSUIDSGID=false
 RemoveIPC=false
 
 # Allow access to specific paths that need modification (- prefix makes paths optional)
-ReadWritePaths=-/etc/kubernetes -/var/lib/kubelet -/var/lib/containerd -/etc/containerd -/opt/cni -/etc/cni -/etc/systemd/system -/etc/sysctl.d -/etc/modules-load.d -/var/log/aks-flex-node -/tmp
+ReadWritePaths=-/etc/kubernetes -/var/lib/kubelet -/var/lib/containerd -/etc/containerd -/opt/cni -/etc/cni -/etc/systemd/system -/etc/sysctl.d -/etc/modules-load.d -/var/log/aks-flex-node -/tmp -/etc/aks-flex-node -/run/aks-flex-node
 
 [Install]
 WantedBy=multi-user.target

aks-flex-node-sudoers

@@ -25,9 +25,30 @@ aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl restart kubelet
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl restart containerd
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl status kubelet
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl status containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl check kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl check containerd
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl is-active *
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl is-enabled *
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/systemctl list-unit-files *
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl daemon-reload
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl enable kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl enable containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl enable --now kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl enable --now containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl disable kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl disable containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl start kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl start containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl stop kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl stop containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl restart kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl restart containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl status kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl status containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl check kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl check containerd
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl is-active *
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl is-enabled *
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/systemctl list-unit-files *
 
 # Package management (for installing Kubernetes components)
@@ -47,16 +68,24 @@ aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/ln *, /usr/bin/ln *
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/install *, /bin/install *
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/curl *, /usr/bin/wget *
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/tar *, /usr/bin/unzip *
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/ls *, /usr/bin/ls *
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/test *, /bin/test *
 
 # System configuration for Kubernetes
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /sbin/sysctl --system
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /sbin/modprobe overlay
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /sbin/modprobe br_netfilter
 
-# Configuration file management
+# Configuration file management and reading
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/tee /etc/sysctl.d/k8s.conf
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/tee /etc/modules-load.d/k8s.conf
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/tee /etc/containerd/config.toml
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/cat /etc/default/kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/cat /etc/systemd/system/kubelet.service.d/*
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /usr/bin/cat /etc/kubernetes/*
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/cat /etc/default/kubelet
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/cat /etc/systemd/system/kubelet.service.d/*
+aks-flex-node ALL=(root) NOPASSWD:SETENV: /bin/cat /etc/kubernetes/*
 
 # Network operations for troubleshooting
 aks-flex-node ALL=(root) NOPASSWD:SETENV: /sbin/ip route

commands.go

@@ -2,14 +2,19 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"os"
+	"path/filepath"
+	"time"
 
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"go.goms.io/aks/AKSFlexNode/pkg/bootstrapper"
 	"go.goms.io/aks/AKSFlexNode/pkg/config"
 	"go.goms.io/aks/AKSFlexNode/pkg/logger"
+	"go.goms.io/aks/AKSFlexNode/pkg/status"
 )
 
 // Version information variables (set at build time)
@@ -19,14 +24,14 @@ var (
 	BuildTime = "unknown"
 )
 
-// NewBootstrapCommand creates a new bootstrap command
-func NewBootstrapCommand() *cobra.Command {
+// NewAgentCommand creates a new agent command
+func NewAgentCommand() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "bootstrap",
-		Short: "Bootstrap AKS node with Arc connection",
-		Long:  "Initialize and configure this machine as an AKS node connected through Azure Arc",
+		Use:   "agent",
+		Short: "Start AKS node agent with Arc connection",
+		Long:  "Initialize and run the AKS node agent daemon with automatic status tracking and self-recovery",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runBootstrap(cmd.Context())
+			return runAgent(cmd.Context())
 		},
 	}
 
@@ -61,8 +66,8 @@ func NewVersionCommand() *cobra.Command {
 	return cmd
 }
 
-// runBootstrap executes the bootstrap process
-func runBootstrap(ctx context.Context) error {
+// runAgent executes the bootstrap process and then runs as daemon
+func runAgent(ctx context.Context) error {
 	logger := logger.GetLoggerFromContext(ctx)
 
 	cfg, err := config.LoadConfig(configPath)
@@ -76,8 +81,14 @@ func runBootstrap(ctx context.Context) error {
 		return err
 	}
 
-	// Handle and log the result
-	return handleExecutionResult(result, "bootstrap", logger)
+	// Handle and log the bootstrap result
+	if err := handleExecutionResult(result, "bootstrap", logger); err != nil {
+		return err
+	}
+
+	// After successful bootstrap, transition to daemon mode
+	logger.Info("Bootstrap completed successfully, transitioning to daemon mode...")
+	return runDaemonLoop(ctx, cfg)
 }
 
 // runUnbootstrap executes the unbootstrap process
@@ -107,6 +118,142 @@ func runVersion() {
 	fmt.Printf("Build Time: %s\n", BuildTime)
 }
 
+// runDaemonLoop runs the periodic status collection and bootstrap monitoring daemon
+func runDaemonLoop(ctx context.Context, cfg *config.Config) error {
+	logger := logger.GetLoggerFromContext(ctx)
+	// Create status file directory - using runtime directory for service or temp for development
+	statusFilePath := status.GetStatusFilePath()
+	statusDir := filepath.Dir(statusFilePath)
+	if err := os.MkdirAll(statusDir, 0750); err != nil {
+		return fmt.Errorf("failed to create status directory %s: %w", statusDir, err)
+	}
+
+	// Clean up any stale status file on daemon startup
+	if _, err := os.Stat(statusFilePath); err == nil {
+		logger.Info("Removing stale status file from previous daemon session...")
+		if err := os.Remove(statusFilePath); err != nil {
+			logger.Warnf("Failed to remove stale status file: %v", err)
+		} else {
+			logger.Info("Stale status file removed successfully")
+		}
+	}
+
+	logger.Info("Starting periodic status collection daemon (status: 1 minutes, bootstrap check: 2 minute)")
+
+	// Create tickers for different intervals
+	statusTicker := time.NewTicker(1 * time.Minute)
+	bootstrapTicker := time.NewTicker(2 * time.Minute)
+	defer statusTicker.Stop()
+	defer bootstrapTicker.Stop()
+
+	// Collect status immediately on start
+	if err := collectAndWriteStatus(ctx, cfg, statusFilePath); err != nil {
+		logger.Errorf("Failed to collect initial status: %v", err)
+	}
+
+	// Run the periodic collection and monitoring loop
+	for {
+		select {
+		case <-ctx.Done():
+			logger.Info("Daemon shutting down due to context cancellation")
+			return ctx.Err()
+		case <-statusTicker.C:
+			logger.Infof("Starting periodic status collection at %s...", time.Now().Format("2006-01-02 15:04:05"))
+			if err := collectAndWriteStatus(ctx, cfg, statusFilePath); err != nil {
+				logger.Errorf("Failed to collect status at %s: %v", time.Now().Format("2006-01-02 15:04:05"), err)
+				// Continue running even if status collection fails
+			} else {
+				logger.Infof("Status collection completed successfully at %s", time.Now().Format("2006-01-02 15:04:05"))
+			}
+		case <-bootstrapTicker.C:
+			logger.Infof("Starting bootstrap health check at %s...", time.Now().Format("2006-01-02 15:04:05"))
+			if err := checkAndBootstrap(ctx, cfg); err != nil {
+				logger.Errorf("Auto-bootstrap check failed at %s: %v", time.Now().Format("2006-01-02 15:04:05"), err)
+				// Continue running even if bootstrap check fails
+			} else {
+				logger.Infof("Bootstrap health check completed at %s", time.Now().Format("2006-01-02 15:04:05"))
+			}
+		}
+	}
+}
+
+// checkAndBootstrap checks if the node needs re-bootstrapping and performs it if necessary
+func checkAndBootstrap(ctx context.Context, cfg *config.Config) error {
+	logger := logger.GetLoggerFromContext(ctx)
+	// Create status collector to check bootstrap requirements
+	collector := status.NewCollector(cfg, logger, Version)
+
+	// Check if bootstrap is needed
+	needsBootstrap := collector.NeedsBootstrap(ctx)
+	if !needsBootstrap {
+		return nil // All good, no action needed
+	}
+
+	logger.Info("Node requires re-bootstrapping, initiating auto-bootstrap...")
+
+	// Perform bootstrap
+	bootstrapExecutor := bootstrapper.New(cfg, logger)
+	result, err := bootstrapExecutor.Bootstrap(ctx)
+	if err != nil {
+		// Bootstrap failed - remove status file so next check will detect the problem
+		removeStatusFile(ctx)
+		return fmt.Errorf("auto-bootstrap failed: %s", err)
+	}
+
+	// Handle and log the bootstrap result
+	if err := handleExecutionResult(result, "auto-bootstrap", logger); err != nil {
+		// Bootstrap execution failed - remove status file so next check will detect the problem
+		removeStatusFile(ctx)
+		return fmt.Errorf("auto-bootstrap execution failed: %s", err)
+	}
+
+	logger.Info("Auto-bootstrap completed successfully")
+	return nil
+}
+
+func removeStatusFile(ctx context.Context) {
+	logger := logger.GetLoggerFromContext(ctx)
+	statusFilePath := status.GetStatusFilePath()
+	if removeErr := os.Remove(statusFilePath); removeErr != nil {
+		logger.Debugf("Failed to remove status file: %s", removeErr)
+	} else {
+		logger.Debug("Removed status file successfully")
+	}
+}
+
+// collectAndWriteStatus collects current node status and writes it to the status file
+func collectAndWriteStatus(ctx context.Context, cfg *config.Config, statusFilePath string) error {
+	logger := logger.GetLoggerFromContext(ctx)
+
+	// Create status collector
+	collector := status.NewCollector(cfg, logger, Version)
+
+	// Collect comprehensive status
+	nodeStatus, err := collector.CollectStatus(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to collect node status: %w", err)
+	}
+
+	// Write status to JSON file
+	statusData, err := json.MarshalIndent(nodeStatus, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal status to JSON: %w", err)
+	}
+
+	// Write to temporary file first, then rename (atomic operation)
+	tempFile := statusFilePath + ".tmp"
+	if err := os.WriteFile(tempFile, statusData, 0600); err != nil {
+		return fmt.Errorf("failed to write status to temp file: %w", err)
+	}
+
+	if err := os.Rename(tempFile, statusFilePath); err != nil {
+		return fmt.Errorf("failed to rename temp status file: %w", err)
+	}
+
+	logger.Debugf("Status written to %s", statusFilePath)
+	return nil
+}
+
 // handleExecutionResult processes and logs execution results
 func handleExecutionResult(result *bootstrapper.ExecutionResult, operation string, logger *logrus.Logger) error {
 	if result == nil {