I tested the pre-sru-cases against Azure VMS with and amd64 server
custom image with the package proposed to be SRUed built on my ppa, per
LTSs series.
I did a script that covers the pre-srus listed at [1] . That validation
script directly addresses requirements (3), (4), and (5). It first
confirms that the azure-proxy-agent service is running correctly and
that no errors are present in its logs. Next, it simulates calls to the
Azure system endpoints (IMDS and WireServer) using different types of
users:
- Authorized users (with the right permissions) — the script confirms
their requests are intercepted by the agent (seen in the logs) and that
the endpoint returns a successful HTTP response (2xx), meaning the
request was allowed.
- Unauthorized users (without the required permissions) — the script
confirms their requests are also intercepted but the endpoint responds
with a failure HTTP code (such as 403/401), showing the request was
blocked.
In short, the test ensures the proxy agent is healthy, actively
intercepts all traffic, and enforces the rules correctly by allowing
only legitimate requests and rejecting everything else.
All series went OK (it chan be checked per series in the attachment):
⇒ (3) Checking azure-proxy-agent service status…
● azure-proxy-agent.service - Microsoft Azure GuestProxyAgent
Loaded: loaded (/usr/lib/systemd/system/azure-proxy-agent.service;
enabled; preset: enabled)
Active: active (running) since Thu 2025-10-02 15:12:34 UTC; 3min 49s ago
Docs: man:azure-proxy-agent(8)
Main PID: 478 (azure-proxy-age)
Tasks: 5 (limit: 9507)
Memory: 32.5M (peak: 46.9M)
CPU: 2.595s
CGroup: /system.slice/azure-proxy-agent.service
└─478 /usr/sbin/azure-proxy-agent
⇒ Final summary:
Test 1: ✔ IMDS authorized allowed (200) + logged
Test 2: ✔ IMDS unauthorized blocked (400/403) + logged
Test 3: ✔ WireServer authorized allowed (200/304) + logged
Test 4: ✔ WireServer unauthorized blocked (400/403) + logged (:32526)
Test 5: ✔ IMDS MSI direct blocked (400/401/403) + logged
Totals: PASSED=5 FAILED=0
✔ All tests passed ✅
[1] https://documentation.ubuntu.com/sru/en/latest/reference/exception-
Azure-Proxy-Agent-Updates/#pre-sru-test-cases
** Attachment added: "Script and logs (pre-sru-tests)"
https://bugs.launchpad.net/ubuntu/+source/azure-proxy-agent/+bug/2125930/+attachment/5914220/+files/gpa_validation_pre_sru.tar.xz
** Summary changed:
- azure-proxy-agent: fix service file ordering to avoid cycle with cloud-init
+ [SRU] azure-proxy-agent: fix service file ordering to avoid cycle with
cloud-init
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2125930
Title:
[SRU] azure-proxy-agent: fix service file ordering to avoid cycle with
cloud-init
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/azure-proxy-agent/+bug/2125930/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
