Azure · Devinwong · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/parts/common/components.json b/parts/common/components.json
@@ -1148,23 +1148,58 @@
       }
     },
     {
-      "name": "cni-plugins",
+      "name": "containernetworking-plugins",
       "downloadLocation": "/opt/cni/downloads",
       "downloadURIs": {
         "windows": {
           "default": {
             "versionsV2": []
           }
         },
-        "default": {
-          "current": {
+        "ubuntu": {
+          "r2004": {
             "versionsV2": [
               {
-                "renovateTag": "<DO_NOT_UPDATE>",
-                "latestVersion": "1.6.2"
+                "renovateTag": "name=containernetworking-plugins, repository=production, os=ubuntu, release=20.04",
+                "latestVersion": "1.9.0-ubuntu20.04u1"
               }
-            ],
-            "downloadURL": "https://packages.aks.azure.com/cni-plugins/v${version}/binaries/cni-plugins-linux-${CPU_ARCH}-v${version}.tgz"
+            ]
+          },
+          "r2204": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=containernetworking-plugins, repository=production, os=ubuntu, release=22.04",
+                "latestVersion": "1.9.0-ubuntu22.04u1"
+              }
+            ]
+          },
+          "r2404": {
+            "versionsV2": [
+              {
+                "renovateTag": "name=containernetworking-plugins, repository=production, os=ubuntu, release=24.04",
+                "latestVersion": "1.9.0-ubuntu24.04u1"
+              }
+            ]
+          }
+        },
+        "azurelinux": {
+          "v3.0": {
+            "versionsV2": [
+              {
+                "renovateTag": "RPM_registry=https://packages.microsoft.com/azurelinux/3.0/prod/cloud-native/x86_64/repodata, name=containernetworking-plugins, os=azurelinux, release=3.0",
+                "latestVersion": "1.9.0-1.azl3"
+              }
+            ]
+          }
+        },
+        "azurelinuxkata": {
+          "v3.0": {
+            "versionsV2": [
+              {
+                "renovateTag": "RPM_registry=https://packages.microsoft.com/azurelinux/3.0/prod/cloud-native/x86_64/repodata, name=containernetworking-plugins, os=azurelinux, release=3.0",
+                "latestVersion": "1.9.0-1.azl3"
+              }
+            ]
           }
         }
       }

@@ -93,6 +93,12 @@ installCriCtlPackage() {
     stub
 }
 
+installCNI() {
+    retrycmd_get_tarball 120 5 "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "https://${PACKAGE_DOWNLOAD_BASE_URL}/cni-plugins/v1.6.2/binaries/cni-plugins-linux-amd64-v1.6.2.tgz" || exit $ERR_CNI_DOWNLOAD_TIMEOUT
+    extract_tarball "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "$CNI_BIN_DIR"
+}
+
+
 installStandaloneContainerd() {
     stub
 }

@@ -140,8 +140,6 @@ installNetworkPlugin() {
     if [ "${NETWORK_PLUGIN}" = "azure" ]; then
         installAzureCNI
     fi
-    installCNI #reference plugins. Mostly for kubenet but loopback plugin is used by containerd until containerd 2
-    rm -rf $CNI_DOWNLOADS_DIR &
 }
 
 # downloadCredentialProvider is always called during build time by install-dependencies.sh.
@@ -384,62 +382,6 @@ setupCNIDirs() {
 }
 
 
-# Reference CNI plugins is used by kubenet and the loopback plugin used by containerd 1.0 (dependency gone in 2.0)
-# The version used to be deteremined by RP/toggle but are now just hadcoded in vhd as they rarely change and require a node image upgrade anyways
-# Latest VHD should have the untar, older should have the tgz. And who knows will have neither.
-installCNI() {
-    # Old versions of VHDs will not have components.json. If it does not exist, we will fall back to the hardcoded download for CNI.
-    # Network Isolated Cluster / Bring Your Own ACR will not work with a vhd that requres a hardcoded CNI download.
-    if [ ! -f "$COMPONENTS_FILEPATH" ] || ! jq '.Packages[] | select(.name == "cni-plugins")' < $COMPONENTS_FILEPATH > /dev/null; then
-        echo "WARNING: no cni-plugins components present falling back to hard coded download of 1.4.1. This should error eventually"
-        # could we fail if not Ubuntu2204Gen2ContainerdPrivateKubePkg vhd? Are there others?
-        # definitely not handling arm here.
-        retrycmd_get_tarball 120 5 "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "https://${PACKAGE_DOWNLOAD_BASE_URL}/cni-plugins/v1.4.1/binaries/cni-plugins-linux-amd64-v1.4.1.tgz" || exit $ERR_CNI_DOWNLOAD_TIMEOUT
-        extract_tarball "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "$CNI_BIN_DIR"
-        return
-    fi
-
-    #always just use what is listed in components.json so we don't have to sync.
-    cniPackage=$(jq ".Packages" "$COMPONENTS_FILEPATH" | jq ".[] | select(.name == \"cni-plugins\")") || exit $ERR_CNI_VERSION_INVALID
-
-    #CNI doesn't really care about this but wanted to reuse updatePackageVersions which requires it.
-    os=${UBUNTU_OS_NAME}
-    if [ -z "$UBUNTU_RELEASE" ]; then
-        os=${OS}
-        os_version="current"
-    fi
-    os_version="${UBUNTU_RELEASE}"
-    if isMarinerOrAzureLinux "${OS}" && [ "${IS_KATA}" = "true" ]; then
-        os=${MARINER_KATA_OS_NAME}
-    fi
-    PACKAGE_VERSIONS=()
-    updatePackageVersions "${cniPackage}" "${os}" "${os_version}"
-
-    #should change to ne
-    # shellcheck disable=SC3010
-    if [[ ${#PACKAGE_VERSIONS[@]} -gt 1 ]]; then
-        echo "WARNING: containerd package versions array has more than one element. Installing the last element in the array."
-        exit $ERR_CONTAINERD_VERSION_INVALID
-    fi
-    packageVersion=${PACKAGE_VERSIONS[0]}
-
-    # Is there a ${arch} variable I can use instead of the iff
-    if [ "$(isARM64)" -eq 1 ]; then
-        CNI_DIR_TMP="cni-plugins-linux-arm64-v${packageVersion}"
-    else
-        CNI_DIR_TMP="cni-plugins-linux-amd64-v${packageVersion}"
-    fi
-
-    if [ -d "$CNI_DOWNLOADS_DIR/${CNI_DIR_TMP}" ]; then
-        #not clear to me when this would ever happen. assume its related to the line above Latest VHD should have the untar, older should have the tgz.
-        mv ${CNI_DOWNLOADS_DIR}/${CNI_DIR_TMP}/* $CNI_BIN_DIR
-    else
-        echo "CNI tarball should already be unzipped by components.json"
-        exit $ERR_CNI_VERSION_INVALID
-    fi
-
-    chown -R root:root $CNI_BIN_DIR
-}
 
 installAzureCNI() {
     CNI_TGZ_TMP=${VNET_CNI_PLUGINS_URL##*/} # Use bash builtin ## to remove all chars ("*") up to the final "/"

@@ -12,6 +12,14 @@ installCriCtlPackage() {
     stub
 }
 
+installCNI() {
+    #This is an old version because dalec needs to be updated for osguard/flatcar
+    # https://github.com/Azure/dalec-build-defs/blob/main/specs/containernetworking-plugins/containernetworking-plugins-1.9.0.yaml
+    retrycmd_get_tarball 120 5 "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "https://${PACKAGE_DOWNLOAD_BASE_URL}/cni-plugins/v1.6.2/binaries/cni-plugins-linux-amd64-v1.6.2.tgz" || exit $ERR_CNI_DOWNLOAD_TIMEOUT
+    extract_tarball "${CNI_DOWNLOADS_DIR}/refcni.tar.gz" "$CNI_BIN_DIR"
+}
+
+
 # CSE+VHD can dictate the containerd version, users don't care as long as it works
 installStandaloneContainerd() {
     local desiredVersion="${1:-}"

@@ -68,6 +68,48 @@ installDeps() {
     fi
 }
 
-
+
+# The version used to be determined by RP/toggle but is now just hardcoded in the VHD as it rarely changes and requires a node image upgrade anyway
+# Latest VHD should have the untar, older should have the tgz. And who knows will have neither.
-
+
+# The version used to be determined by RP/toggle but is now just hardcoded in the VHD as it rarely changes and requires a node image upgrade anyway
+# Latest VHD should have the untar, older should have the tgz. And who knows will have neither.
+# Reference CNI plugins is used by kubenet and the loopback plugin used by containerd 1.0 (dependency gone in 2.0)
+# The version used to be determined by RP/toggle but is now just hardcoded in the VHD as it rarely changes and requires a node image upgrade anyway
+# Latest VHD should have the untar, older should have the tgz. And who knows will have neither.
+installCNI() {
+    echo "installing mariner containernetworking-plugins"
+    # Old versions of VHDs will not have components.json. If it does not exist, we will fall back to the hardcoded download for CNI.
+    # Network Isolated Cluster / Bring Your Own ACR will not work with a vhd that requires a hardcoded CNI download.
+    if [ ! -f "$COMPONENTS_FILEPATH" ] || ! jq '.Packages[] | select(.name == "containernetworking-plugins")' < $COMPONENTS_FILEPATH > /dev/null; then
+        # For older VHDs which do not have containernetworking-plugins in components.json, it should have the older cni-plugins tgz extracted and installed at VHD build time.
+        # We will just use what is already installed on the VHD.
+        echo "components.json not found or containernetworking-plugins not found in components.json, assuming older VHD with cni-plugins already installed."
+        return
+    fi
+
+    #always just use what is listed in components.json so we don't have to sync.
+    cniPackage=$(jq ".Packages" "$COMPONENTS_FILEPATH" | jq ".[] | select(.name == \"containernetworking-plugins\")") || exit $ERR_CNI_VERSION_INVALID
+
+    os=${OS}
+    os_version="${OS_VERSION}"
+    PACKAGE_VERSIONS=()
+    updatePackageVersions "${cniPackage}" "${os}" "${os_version}"
+
+    if [ ${#PACKAGE_VERSIONS[@]} -eq 0 ]; then
+        echo "no containernetworking-plugins versions for ${os} ${os_version}"
+        return
+    fi
+    # shellcheck disable=SC3010
+    if [ ${#PACKAGE_VERSIONS[@]} -gt 1 ]; then
+        echo "WARNING: containernetworking-plugins package versions array has more than one element."
-        echo "WARNING: containernetworking-plugins package versions array has more than one element."
+        echo "ERROR: containernetworking-plugins package versions array has more than one element."
-        echo "WARNING: containernetworking-plugins package versions array has more than one element."
+        echo "ERROR: containernetworking-plugins package versions array has more than one element."
+        exit $ERR_CNI_VERSION_INVALID
+    fi
+    packageVersion=${PACKAGE_VERSIONS[0]}
+
+    # - between name and version unlike apt which uses =
+    packageName="containernetworking-plugins-${packageVersion}"
+    echo "Installing ${packageName} with dnf"
+    dnf_install 30 1 600 ${packageName} || exit $ERR_CNI_VERSION_INVALID
+
+    mv /usr/bin/containernetworking-plugins/* $CNI_BIN_DIR
+    chown -R root:root $CNI_BIN_DIR
+}
+
 installKataDeps() {
     if [ "$OS_VERSION" != "1.0" ]; then
       if ! dnf_install 30 1 600 kata-packages-host; then
@@ -152,7 +194,7 @@ downloadGPUDrivers() {
         echo "No CUDA package found for kernel ${KERNEL_VERSION} (vm_sku=${VM_SKU})"
         exit $ERR_MISSING_CUDA_PACKAGE
     fi
-    
+
     echo "Installing: ${CUDA_PACKAGE}"
     dnf_install 30 1 600 ${CUDA_PACKAGE} || exit $ERR_APT_INSTALL_TIMEOUT
 }

@@ -52,6 +52,49 @@ installDeps() {
     fi
 }
 
+# Reference CNI plugins is used by kubenet and the loopback plugin used by containerd 1.0 (dependency gone in 2.0)
+# The version used to be deteremined by RP/toggle but are now just hardcoded in vhd as they rarely change and require a node image upgrade anyways
+# Latest VHD should have the untar, older should have the tgz. And who knows will have neither.
+installCNI() {
+    echo "installing ubuntu containernetworking-plugins"
+    # Old versions of VHDs will not have components.json. If it does not exist, we will fall back to the hardcoded download for CNI.
+    # Network Isolated Cluster / Bring Your Own ACR will not work with a vhd that requires a hardcoded CNI download.
+    if [ ! -f "$COMPONENTS_FILEPATH" ] || ! jq '.Packages[] | select(.name == "containernetworking-plugins")' < $COMPONENTS_FILEPATH > /dev/null; then
+        # For older VHDs which do not have containernetworking-plugins in components.json, it should have the older cni-plugins tgz extracted and installed at VHD build time.
+        # We will just use what is already installed on the VHD.
+        echo "components.json not found or containernetworking-plugins not found in components.json, assuming older VHD with cni-plugins already installed."
+        return
+    fi
+
+    #always just use what is listed in components.json so we don't have to sync.
+    cniPackage=$(jq ".Packages" "$COMPONENTS_FILEPATH" | jq ".[] | select(.name == \"containernetworking-plugins\")") || exit $ERR_CNI_VERSION_INVALID
+
+    os=${OS}
+    os_version=${UBUNTU_RELEASE}
+    PACKAGE_VERSIONS=()
+    updatePackageVersions "${cniPackage}" "${os}" "${os_version}"
+    if [ ${#PACKAGE_VERSIONS[@]} -eq 0 ]; then
+        echo "no containernetworking-plugins versions for ${os} ${os_version}"
+        return
+    fi
+
+    # Ensure exactly one containernetworking-plugins package version is present; multiple versions are not supported.
+    # shellcheck disable=SC3010
+    if [ ${#PACKAGE_VERSIONS[@]} -gt 1 ]; then
+        echo "WARNING: containernetworking-plugins package versions array has more than one element."
-        echo "WARNING: containernetworking-plugins package versions array has more than one element."
+        echo "ERROR: containernetworking-plugins package versions array has more than one element."
-        echo "WARNING: containernetworking-plugins package versions array has more than one element."
+        echo "ERROR: containernetworking-plugins package versions array has more than one element."
+        exit $ERR_CNI_VERSION_INVALID
+    fi
+    packageVersion=${PACKAGE_VERSIONS[0]}
+
+    packageName="containernetworking-plugins=${packageVersion}"
+    echo "Installing ${packageName} with apt-get"
+    apt_get_install 20 30 120 ${packageName} || exit $ERR_CNI_VERSION_INVALID
+
+    mv /usr/bin/containernetworking-plugins/* $CNI_BIN_DIR
+
+    chown -R root:root $CNI_BIN_DIR
+}
+
 updateAptWithMicrosoftPkg() {
     retrycmd_silent 120 5 25 curl https://packages.microsoft.com/config/ubuntu/${UBUNTU_RELEASE}/prod.list > /tmp/microsoft-prod.list || exit $ERR_MOBY_APT_LIST_TIMEOUT
     retrycmd_if_failure 10 5 10 cp /tmp/microsoft-prod.list /etc/apt/sources.list.d/ || exit $ERR_MOBY_APT_LIST_TIMEOUT