fix: prewarm containerd in boothook (#8604)

Author: awesomenix

parts/linux/cloud-init/artifacts/cse_config.sh

@@ -868,7 +868,7 @@ EOF
 }
 
 ensureSnapshotUpdate() {
-    systemctlEnableAndStart snapshot-update.timer 30 || exit $ERR_SNAPSHOT_UPDATE_START_FAIL
+    systemctlEnableAndStartNoBlock snapshot-update.timer 30 || exit $ERR_SNAPSHOT_UPDATE_START_FAIL
 }
 
 ensureMigPartition(){

parts/linux/cloud-init/artifacts/cse_main.sh

@@ -199,9 +199,6 @@ function basePrep {
     fi
     setupCNIDirs
 
-    # pre-warm containerd by checking its version.
-    nohup /bin/sh -c '/usr/bin/containerd --version >/dev/null 2>&1' >/dev/null 2>&1 &
-
     # Network plugin already installed on Azure Linux OS Guard
     if ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT"; then
         logs_to_events "AKS.CSE.installNetworkPlugin" installNetworkPlugin
@@ -346,12 +343,6 @@ EOF
         disableVulnerableKernelModule "rxrpc" "DirtyFrag (RxRPC page-cache write, bypasses AppArmor userns)"
     fi
 
-    if ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT"; then
-        if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then
-            logs_to_events "AKS.CSE.ubuntuSnapshotUpdate" ensureSnapshotUpdate
-        fi
-    fi
-
     if [ "$FULL_INSTALL_REQUIRED" = "true" ]; then
         if [ "$OS" = "$UBUNTU_OS_NAME" ]; then
             # mitigation for bug https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1676635
@@ -587,10 +578,16 @@ function nodePrep {
     checkServiceHealth kubelet || exit $ERR_KUBELET_FAIL
 
     if systemctl cat aks-log-collector.timer &>/dev/null; then
-         systemctlEnableAndStartNoBlock aks-log-collector.timer 30 || echo "Warning: Could not start aks-log-collector.timer"
-     else
-         echo "aks-log-collector.timer not found on this VHD, skipping"
-     fi
+        systemctlEnableAndStartNoBlock aks-log-collector.timer 30 || echo "Warning: Could not start aks-log-collector.timer"
+    else
+        echo "aks-log-collector.timer not found on this VHD, skipping"
+    fi
+
+    if ! isAzureLinuxOSGuard "$OS" "$OS_VARIANT"; then
+        if [ "$OS" = "$UBUNTU_OS_NAME" ] || isMarinerOrAzureLinux "$OS"; then
+            logs_to_events "AKS.CSE.ubuntuSnapshotUpdate" ensureSnapshotUpdate
+        fi
+    fi
 
     if $REBOOTREQUIRED; then
         echo 'reboot required, rebooting node in 1 minute'

parts/linux/cloud-init/artifacts/cse_preload.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# cse_preload.sh warms binaries and containerd caches needed by CSE early in
+# boot so that node provisioning runs against an already-warm page cache.
+# This is best-effort: every command is backgrounded and its output and exit
+# status are intentionally ignored. It must never block or fail provisioning.
+
+/usr/bin/containerd --version >/dev/null 2>&1 &
+cat /var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db >/dev/null 2>&1 &
+find /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots -maxdepth 1 >/dev/null 2>&1 &
+/sbin/modprobe overlay >/dev/null 2>&1 &
+
+wait

pkg/agent/baker.go

@@ -52,6 +52,8 @@ logger -t aks-boothook "boothook start $(date -Ins)"
 
 mkdir -p /opt/azure/containers
 
+nohup /bin/bash /opt/azure/containers/provision_preload.sh >/dev/null 2>&1 &
+
 cat <<'EOF' | base64 -d | gzip -d >%[1]s
 %[2]s
 EOF

pkg/agent/baker_test.go

@@ -1486,6 +1486,7 @@ var _ = Describe("getLinuxNodeBootstrappingPayload", func() {
 		Expect(string(decodedPayload)).To(ContainSubstring(nodeCustomDataPath))
 		Expect(string(decodedPayload)).To(ContainSubstring(encodedNodeCustomData))
 		Expect(string(decodedPayload)).To(ContainSubstring(nbcCmdFilePath))
+		Expect(string(decodedPayload)).To(ContainSubstring("/opt/azure/containers/provision_preload.sh"))
 	})
 
 	It("should render initAKSCustomCloud file in scriptless custom data for default cloud with Ubuntu", func() {

vhdbuilder/packer/imagecustomizer/azlosguard/azlosguard.yml

@@ -82,6 +82,9 @@ os:
     - source: /AgentBaker/parts/linux/cloud-init/artifacts/cse_main.sh
       destination: /opt/azure/containers/provision.sh
       permissions: 744
+    - source: /AgentBaker/parts/linux/cloud-init/artifacts/cse_preload.sh
+      destination: /opt/azure/containers/provision_preload.sh
+      permissions: 744
     - source: /AgentBaker/parts/linux/cloud-init/artifacts/cse_start.sh
       destination: /opt/azure/containers/provision_start.sh
       permissions: 744

vhdbuilder/packer/packer_source.sh

@@ -241,6 +241,10 @@ copyPackerFiles() {
   CSE_MAIN_DEST=/opt/azure/containers/provision.sh
   cpAndMode $CSE_MAIN_SRC $CSE_MAIN_DEST 0744
 
+  CSE_PRELOAD_SRC=/home/packer/provision_preload.sh
+  CSE_PRELOAD_DEST=/opt/azure/containers/provision_preload.sh
+  cpAndMode $CSE_PRELOAD_SRC $CSE_PRELOAD_DEST 0744
+
   CSE_START_SRC=/home/packer/provision_start.sh
   CSE_START_DEST=/opt/azure/containers/provision_start.sh
   cpAndMode $CSE_START_SRC $CSE_START_DEST 0744

vhdbuilder/packer/vhd-image-builder-acl-arm64.json

@@ -162,6 +162,11 @@
       "source": "parts/linux/cloud-init/artifacts/cse_main.sh",
       "destination": "/home/packer/provision.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/cse_preload.sh",
+      "destination": "/home/packer/provision_preload.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/cse_start.sh",

vhdbuilder/packer/vhd-image-builder-acl.json

@@ -162,6 +162,11 @@
       "source": "parts/linux/cloud-init/artifacts/cse_main.sh",
       "destination": "/home/packer/provision.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/cse_preload.sh",
+      "destination": "/home/packer/provision_preload.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/cse_start.sh",

vhdbuilder/packer/vhd-image-builder-arm64-gb.json

@@ -187,6 +187,11 @@
       "source": "parts/linux/cloud-init/artifacts/cse_main.sh",
       "destination": "/home/packer/provision.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/cse_preload.sh",
+      "destination": "/home/packer/provision_preload.sh"
+    },
     {
       "type": "file",
       "source": "parts/linux/cloud-init/artifacts/cse_start.sh",