fix: prevent CSE hang when curl verbose output blocks on unstable disks

[pdamianov-dev]

What this PR does / why we need it:

• Redirect CURL_OUTPUT to /dev/shm (tmpfs) instead of /tmp to avoid blocking on unstable OS disks. /dev/shm is kernel-mounted tmpfs (CONFIG_TMPFS=y on all Azure images) across all VM SKUs including CVM and ARM64.
• Add --max-time to curl in _retry_file_curl_internal so curl enforces its own deadline even if shell timeout cannot deliver signals.
• Add -k 5 to timeout in _retrycmd_internal and _retry_file_curl_internal to escalate to SIGKILL if SIGTERM is ignored (e.g. process in D-state).

Which issue(s) this PR fixes:
Bug 36680094: [Repair Item] Improve CSE script to handle curl timeouts and prevent blocking by redirecting verbose output away from unstable disks and enforcing strict timeout with forced kill signals.
Fixes #

[Copilot]

Pull request overview

This PR hardens Linux CSE download/retry behavior to reduce the chance of CSE hangs when storage is unstable by moving curl verbose logging to tmpfs and making timeout enforcement more aggressive.

Changes:

• Redirects CURL_OUTPUT to /dev/shm (tmpfs) when available, falling back to /tmp.
• Updates retry helpers to use timeout -k 5 (SIGKILL escalation) and adds curl --max-time in _retry_file_curl_internal.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
parts/linux/cloud-init/artifacts/cse_install.sh	Sets CURL_OUTPUT to prefer /dev/shm (tmpfs) over /tmp for verbose curl logs.
parts/linux/cloud-init/artifacts/cse_helpers.sh	Applies the same CURL_OUTPUT change and strengthens retry timeout behavior (timeout -k 5, curl --max-time).

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[cameronmeissner]

can we log something out when /dev/shm is selected?

[aks-node-assistant]

🕵️ AgentBaker Linux Gate Detective — Build 168091952 FAILED at Setup Cue (cascading into Build VHD / Test, Scan, and Cleanup) — 2nd occurrence of go-toolchain-tls-handshake-timeout, infra-side, not caused by this PR.

TL;DR

• The pipeline's Setup Cue step needs Go 1.25.11 to go install cuelang.org/go/cmd/cue@latest. Build agent has Go 1.25.10 pre-installed, so Go auto-downloads the toolchain from storage.googleapis.com/proxy-golang-org-prod/... → TLS handshake timeout after ~10s.
• cue binary is therefore not on PATH; the next step cue export ./schemas/manifest.cue exits with cue: command not found (exit 127).
• Downstream Build VHD fails with SKU_NAME must be set for linux VHD builds because init-packer reads SKU_NAME from the Cue-generated manifest that was never produced — that's a cascading symptom, not the root cause.
• Matches existing wiki signature go-toolchain-tls-handshake-timeout (first seen on build 168010239 / PR chore(deps): bump github.com/onsi/gomega from 1.41.0 to 1.42.0 #8704).

3-level RCA

1. Surface symptom — Setup Cue log: go: download go1.25.11: golang.org/toolchain@v0.0.1-go1.25.11.linux-amd64: Get "https://storage.googleapis.com/proxy-golang-org-prod/...": net/http: TLS handshake timeout, then cue: command not found, exit 127. Build VHD log: SKU_NAME must be set for linux VHD builds from packer.mk:101: init-packer. Test, Scan, and Cleanup + Publish BCC Tools Installation Log fail downstream because no VHD was published.

2. Corroboration — Identical pattern to build 168010239 on PR #8704 (gomega dep bump) — same Go-toolchain auto-download to storage.googleapis.com/proxy-golang-org-prod/..., same net/http: TLS handshake timeout after ~10s. Hosted build agent egress to the Google module-proxy CDN is flaky; first occurrence was 2 days ago. This PR doesn't change cuelang.org/go version requirements (CUE module requires Go 1.25.0, and the toolchain selector picked 1.25.11 which is the newest minor available at module-resolution time).

3. Root-cause challenge — Strongest alternative: PR-caused regression via the curl/CSE change. Why less likely: the PR touches CSE bash scripts (cse_helpers.sh / cse_cmd.sh curl behavior to prevent hangs on unstable disks); it does not modify go.mod, Cue schemas, or anything Go-toolchain related. Failure occurs at Setup Cue — the very first task that requires Go — before any AgentBaker source code from the PR is even compiled. Cascading SKU_NAME must be set is a Make-time consequence, not a Packer/script bug.

Classification

• Test infrastructure / build-agent egress flakiness (Google module-proxy TLS handshake)
• Wiki signature: go-toolchain-tls-handshake-timeout (Count → 2)
• Confidence: High that the failure mechanism is network-side; High that PR is unrelated.

Recommended next action

• For this PR: rerun the gate — toolchain downloads usually succeed on retry.
• Owner of the underlying issue: AgentBaker E2E build infra — recurrence in <72h on a distinct pipeline path (Setup Cue, not just Run AgentBaker E2E) confirms this is worth pre-baking Go 1.25.11 + 1.26.4 into the agent image, or constraining GOTOOLCHAIN=local and bumping the host Go install separately.

Evidence

• Failed run: https://msazure.visualstudio.com/CloudNativeCompute/_build/results?buildId=168091952
• Failed tasks: Setup Cue (root), Build VHD (cascading), Test, Scan, and Cleanup (cascading), Publish BCC Tools Installation Log (cascading)
• Source commit: ac7ebd9ca01f1450652566cb4229ef261f417711
• Prior occurrence on PR chore(deps): bump github.com/onsi/gomega from 1.41.0 to 1.42.0 #8704 (gomega bump): build 168010239 comment

Posted by Clawpilot AgentBaker Linux Gate Detective Watcher.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[aks-node-assistant]

🕵️ AgentBaker Linux Gate Detective — Build 168131287 FAILED at Test, Scan, and Cleanup / build2004fipsgen2containerd — new signature trivy-db-mcr-unauthorized, infra-side, not caused by this PR.

TL;DR

The post-build VHD scan step runs trivy --scanners vuln rootfs -f json --db-repository mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,... on the built VHD. The Trivy DB download from mcr.microsoft.com consistently returns:

OCI repository error: GET https://mcrprod.azurecr.io/oauth2/token?scope=repository%3Amirror%2Fghcr%2Faquasecurity%2Ftrivy-db%3Apull&service=mcrprod.azurecr.io: UNAUTHORIZED: authentication required

Retried 10 times with 30s sleep, all 10 attempts fail identically. Downstream vhd-scanning.sh exited with code 1, blob ref not uploaded → "ERROR: The specified blob does not exist", Test, Scan, and Cleanup exits 2.

This PR fixes a CSE curl-hang bug — completely unrelated to MCR auth or Trivy.

3-level RCA

1. Surface symptom — Test, Scan, and Cleanup task for SKU build2004fipsgen2containerd fails. Failed step: trivy vulnerability DB download (10 retries). Each retry returns HTTP 401 UNAUTHORIZED from mcrprod.azurecr.io token endpoint. CorrelationIds visible in the log (e.g. 5d0d06a2-aa1f-4a1b-9a3b-b16c62071247) — surface this to ACR ops if needed. vhd-scanning.sh exits 1, build aborts.

2. Corroboration — Only one SKU job failed (build2004fipsgen2containerd); other parallel SKU builds appear to have completed without this issue, suggesting either an intermittent MCR auth glitch or per-job-agent identity propagation problem. No corresponding entry in the wiki source-of-truth — new signature.

3. Root-cause challenge — Strongest alternative: PR-caused CSE script regression. Why less likely: the PR (fix: prevent CSE hang when curl verbose output blocks on unstable disks) modifies cse_helpers.sh / cse_cmd.sh to redirect curl verbose output away from blocking IO. That code only runs on the booted VM during CSE, not during the VHD-builder agent's post-build Trivy scan. The agent's MCR call uses the agent's managed identity, which is unaffected by anything in the PR. Trivy's exit is at HTTP-auth time, not at runtime — clearly an infra-side auth/network failure.

Classification

• Test infrastructure / VHD-builder agent MCR auth flakiness (new signature, first observed occurrence)
• Wiki signature: trivy-db-mcr-unauthorized (Count → 1, new row)
• Confidence: High that trivy DB download is the root cause; Medium about whether this is transient (per-agent MSI token) or persistent (MCR mirror access policy changed). Will be confirmed by next build on this PR or any other PR's build2004fipsgen2containerd job.

Recommended next action

• For this PR: rerun the gate — 10 retries within one job aren't enough if the agent's managed-identity token to mcrprod.azurecr.io is genuinely cold. A fresh build should re-acquire the token.
• Owner: AgentBaker E2E build infra — if it recurs, check the agent pool's managed-identity ACR-pull role assignment on mcrprod.azurecr.io/mirror/ghcr/aquasecurity/trivy-db and whether MCR's mirror policy recently changed to require auth where it previously was anonymous.

Evidence

• Failed run: https://msazure.visualstudio.com/CloudNativeCompute/_build/results?buildId=168131287
• Failed task: Test, Scan, and Cleanup for SKU build2004fipsgen2containerd
• Source commit: cd266014804fcac9277bb2e87551187f2a4f4f51
• Earlier build on this PR (168091952) hit a different infra signature (go-toolchain-tls-handshake-timeout) at Setup Cue: comment

Posted by Clawpilot AgentBaker Linux Gate Detective Watcher.

[pdamianov-dev]

It was determined that this PR and the associated work item were not needed to address the issue and did not fully match the result of the linked ticket