From f05f3afc0014d966ff935d9c61a0d54f6142ec3b Mon Sep 17 00:00:00 2001
From: Dhia Gharsallaoui <gharsallaoui.dhia@gmail.com>
Date: Mon, 15 Jun 2026 10:27:17 +0200
Subject: [PATCH 01/16] fix(npd): point node-problem-detector at the real
 kubelet kubeconfig

NPD was configured with a doubled path segment,
"/var/lib/kubelet/kubelet/kubeconfig", so its in-cluster client paniced
on startup on every flex node and the systemd unit crash-looped forever:

  panic: stat /var/lib/kubelet/kubelet/kubeconfig: no such file or directory
  node-problem-detector.service: Main process exited, status=2/INVALIDARGUMENT
  node-problem-detector.service: Scheduled restart job, restart counter is at 46793.

The kubelet writes its kubeconfig to /var/lib/kubelet/kubeconfig. The
imported agent library already defines this as the canonical
goalstates.KubeletKubeconfigPath and wires the kubelet to it, so the npd
package's separate copy of the constant was both redundant and wrong.

Drop the local constant and reuse goalstates.KubeletKubeconfigPath to fix
the path and remove the duplicate source of truth. Add regression tests
covering the wired path and the rendered systemd unit's auth parameter.
---
 pkg/npd/start.go      |  6 ++---
 pkg/npd/start_test.go | 61 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 pkg/npd/start_test.go

diff --git a/pkg/npd/start.go b/pkg/npd/start.go
index 0b3958c1..2fe76d11 100644
--- a/pkg/npd/start.go
+++ b/pkg/npd/start.go
@@ -14,6 +14,7 @@ import (
 	"github.com/Azure/AKSFlexNode/pkg/config"
 	"github.com/Azure/AKSFlexNode/pkg/utils/utilexec"
 	"github.com/Azure/AKSFlexNode/pkg/utils/utilio"
+	"github.com/Azure/unbounded/pkg/agent/goalstates"
 	"github.com/Azure/unbounded/pkg/agent/phases"
 )
 
@@ -21,8 +22,7 @@ import (
 var serviceTemplate string
 
 const (
-	KubeletKubeconfigPath = "/var/lib/kubelet/kubelet/kubeconfig"
-	systemdUnitNPD        = "node-problem-detector.service"
+	systemdUnitNPD = "node-problem-detector.service"
 )
 
 var tmpl = template.Must(template.New("npd-service").Parse(serviceTemplate))
@@ -42,7 +42,7 @@ func Start(cfg *config.Config, log *slog.Logger, machineDir, machineName string)
 	return &startTask{
 		log:            log,
 		apiServer:      cfg.Node.Kubelet.ServerURL,
-		kubeconfigPath: KubeletKubeconfigPath,
+		kubeconfigPath: goalstates.KubeletKubeconfigPath,
 		machineDir:     machineDir,
 		machineName:    machineName,
 	}
diff --git a/pkg/npd/start_test.go b/pkg/npd/start_test.go
new file mode 100644
index 00000000..6301a8f9
--- /dev/null
+++ b/pkg/npd/start_test.go
@@ -0,0 +1,61 @@
+package npd
+
+import (
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/Azure/AKSFlexNode/pkg/config"
+	"github.com/Azure/unbounded/pkg/agent/goalstates"
+)
+
+// wantKubeconfigPath is the path the kubelet actually writes its kubeconfig to.
+// The historical bug used a doubled segment ("/var/lib/kubelet/kubelet/kubeconfig"),
+// which made node-problem-detector panic on startup and crash-loop forever:
+//
+//	panic: stat /var/lib/kubelet/kubelet/kubeconfig: no such file or directory
+const wantKubeconfigPath = "/var/lib/kubelet/kubeconfig"
+
+// TestCanonicalKubeletKubeconfigPath guards the value of the shared library
+// constant so the doubled-segment typo cannot reappear from a dependency bump.
+func TestCanonicalKubeletKubeconfigPath(t *testing.T) {
+	if goalstates.KubeletKubeconfigPath != wantKubeconfigPath {
+		t.Fatalf("goalstates.KubeletKubeconfigPath = %q, want %q",
+			goalstates.KubeletKubeconfigPath, wantKubeconfigPath)
+	}
+}
+
+// TestRenderedNPDUnitUsesCanonicalKubeconfig drives Start() through the real
+// service-file rendering and asserts on the kubeconfig path that ends up in the
+// node-problem-detector systemd unit's ExecStart. Asserting on the rendered unit
+// (the externally observable artifact) rather than internal fields keeps the
+// test stable across refactors while still exercising the Start() wiring.
+func TestRenderedNPDUnitUsesCanonicalKubeconfig(t *testing.T) {
+	cfg := &config.Config{}
+	cfg.Node.Kubelet.ServerURL = "https://example.hcp.westus.azmk8s.io:443"
+
+	machineDir := t.TempDir()
+	task, ok := Start(cfg, slog.Default(), machineDir, "kube1").(*startTask)
+	if !ok {
+		t.Fatalf("Start did not return *startTask")
+	}
+	if _, err := task.ensureServiceFile(); err != nil {
+		t.Fatalf("ensureServiceFile: %v", err)
+	}
+
+	unitPath := filepath.Join(machineDir, "etc/systemd/system", systemdUnitNPD)
+	data, err := os.ReadFile(unitPath) //nolint:gosec // path built from test TempDir
+	if err != nil {
+		t.Fatalf("read rendered unit: %v", err)
+	}
+	rendered := string(data)
+
+	if !strings.Contains(rendered, "auth="+wantKubeconfigPath) {
+		t.Fatalf("rendered unit missing auth=%s:\n%s", wantKubeconfigPath, rendered)
+	}
+	if strings.Contains(rendered, "kubelet/kubelet") {
+		t.Fatalf("rendered unit contains doubled 'kubelet' segment:\n%s", rendered)
+	}
+}

From 68265d61322d7d53910323455c01a8309e856335 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:03:37 +0000
Subject: [PATCH 02/16] Initial plan


From 3aad1705f8ba4ce7631097acd9a39910da48b759 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:08:20 +0000
Subject: [PATCH 03/16] Validate NPD in e2e flow

---
 hack/e2e/README.md       |  4 +--
 hack/e2e/lib/validate.sh | 65 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/hack/e2e/README.md b/hack/e2e/README.md
index c328a0cb..bbcfa15c 100644
--- a/hack/e2e/README.md
+++ b/hack/e2e/README.md
@@ -29,7 +29,7 @@ The default `all` command runs:
 1. Build the local `aks-flex-node` binary unless `--binary` or `--skip-build` is used.
 2. Deploy AKS and three VMs with Bicep.
 3. Join all three VMs.
-4. Validate node readiness and run smoke workloads.
+4. Validate node readiness, node-problem-detector status, and run smoke workloads.
 5. Unjoin all Flex Nodes and verify they are absent.
 6. Rejoin all Flex Nodes and validate again.
 7. Run local-machine-driven repave validation.
@@ -51,7 +51,7 @@ The default `all` command runs:
 | `unjoin-msi` | Unjoin only the managed-identity node. |
 | `unjoin-token` | Unjoin only the bootstrap-token node. |
 | `unjoin-kubeadm` | Unjoin only the kubeadm-style node. |
-| `validate` | Verify joined nodes and run smoke tests. |
+| `validate` | Verify joined nodes, node-problem-detector status, and run smoke tests. |
 | `validate-absent` | Verify Flex Node objects are absent after unjoin. |
 | `smoke` | Run smoke workloads only. |
 | `upgrade-drift` | Validate local-machine-driven repave to the alternate nspawn side. |
diff --git a/hack/e2e/lib/validate.sh b/hack/e2e/lib/validate.sh
index 3bf60097..c53ba2b8 100755
--- a/hack/e2e/lib/validate.sh
+++ b/hack/e2e/lib/validate.sh
@@ -5,6 +5,7 @@
 # Functions:
 #   validate_node_joined  <vm_name>  - Wait for a specific node to appear in kubectl
 #   validate_all_nodes                - Verify MSI, token, and kubeadm nodes joined
+#   validate_npd_status   <vm_name> <vm_ip> - Verify node-problem-detector is active
 #   validate_node_absent  <vm_name>  - Wait for a node to disappear from kubectl
 #   validate_all_nodes_absent         - Verify all flex nodes are gone after unjoin
 #   smoke_test            <vm_name> <label>  - Schedule an nginx pod on a node
@@ -73,6 +74,63 @@ validate_node_ip() {
   return 1
 }
 
+# ---------------------------------------------------------------------------
+# validate_npd_status - Ensure node-problem-detector is active and reporting
+# ---------------------------------------------------------------------------
+validate_npd_status() {
+  local vm_name="$1"
+  local vm_ip="$2"
+  local timeout="${E2E_NODE_JOIN_TIMEOUT}"
+  local elapsed=0
+
+  log_info "Validating node-problem-detector on '${vm_name}'..."
+
+  remote_exec "${vm_ip}" "VM_NAME=${vm_name} E2E_NODE_JOIN_TIMEOUT=${E2E_NODE_JOIN_TIMEOUT} bash -s" <<'REMOTE'
+set -euo pipefail
+
+deadline=$((SECONDS + E2E_NODE_JOIN_TIMEOUT))
+while true; do
+  active_machine="$(sudo sed -n 's/.*"activeMachine"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' /etc/aks-flex-node/daemon-state.json 2>/dev/null || true)"
+  if [[ -n "${active_machine}" ]] && machinectl show "${active_machine}" &>/dev/null; then
+    status="$(sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl is-active node-problem-detector.service 2>/dev/null || true)"
+    if [[ "${status}" == "active" ]]; then
+      echo "node-problem-detector.service is active in ${active_machine}"
+      exit 0
+    fi
+  fi
+
+  if (( SECONDS >= deadline )); then
+    echo "node-problem-detector.service did not become active on ${VM_NAME}"
+    machinectl list --no-pager || true
+    if [[ -n "${active_machine:-}" ]]; then
+      sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl status node-problem-detector.service --no-pager -l || true
+      sudo systemd-run --machine="${active_machine}" --quiet --pipe journalctl -u node-problem-detector.service -n 50 --no-pager || true
+    fi
+    exit 1
+  fi
+
+  sleep 5
+done
+REMOTE
+
+  while [[ "${elapsed}" -lt "${timeout}" ]]; do
+    local kernel_deadlock
+    kernel_deadlock="$(kubectl get node "${vm_name}" -o jsonpath='{.status.conditions[?(@.type=="KernelDeadlock")].status}' 2>/dev/null || true)"
+    if [[ "${kernel_deadlock}" == "False" ]]; then
+      log_success "node-problem-detector is active and reporting on '${vm_name}'"
+      return 0
+    fi
+
+    sleep 10
+    elapsed=$((elapsed + 10))
+    log_debug "Waiting for node-problem-detector condition on ${vm_name}... (${elapsed}/${timeout}s)"
+  done
+
+  log_error "node-problem-detector did not report KernelDeadlock=False on '${vm_name}' within ${timeout}s"
+  kubectl describe node "${vm_name}" 2>&1 || true
+  return 1
+}
+
 # ---------------------------------------------------------------------------
 # validate_all_nodes - Check all MSI, token, and kubeadm VMs joined
 # ---------------------------------------------------------------------------
@@ -91,10 +149,14 @@ validate_all_nodes() {
     --admin
 
   local msi_vm_name token_vm_name kubeadm_vm_name
+  local msi_vm_ip token_vm_ip kubeadm_vm_ip
   local token_vm_private_ip
   msi_vm_name="$(state_get msi_vm_name)"
   token_vm_name="$(state_get token_vm_name)"
   kubeadm_vm_name="$(state_get kubeadm_vm_name)"
+  msi_vm_ip="$(state_get msi_vm_ip)"
+  token_vm_ip="$(state_get token_vm_ip)"
+  kubeadm_vm_ip="$(state_get kubeadm_vm_ip)"
   token_vm_private_ip="$(state_get token_vm_private_ip)"
 
   local failed=0
@@ -102,6 +164,9 @@ validate_all_nodes() {
   validate_node_joined "${token_vm_name}" || failed=1
   validate_node_joined "${kubeadm_vm_name}" || failed=1
   validate_node_ip "${token_vm_name}" "${token_vm_private_ip}" || failed=1
+  validate_npd_status "${msi_vm_name}" "${msi_vm_ip}" || failed=1
+  validate_npd_status "${token_vm_name}" "${token_vm_ip}" || failed=1
+  validate_npd_status "${kubeadm_vm_name}" "${kubeadm_vm_ip}" || failed=1
 
   if [[ "${failed}" -eq 1 ]]; then
     log_error "One or more nodes failed to join"

From 58bfa492c689f962ad5c8c4b18a0ab3ea422c73c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:09:04 +0000
Subject: [PATCH 04/16] Address NPD validation review feedback

---
 hack/e2e/lib/validate.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hack/e2e/lib/validate.sh b/hack/e2e/lib/validate.sh
index c53ba2b8..82d1fdff 100755
--- a/hack/e2e/lib/validate.sh
+++ b/hack/e2e/lib/validate.sh
@@ -85,12 +85,17 @@ validate_npd_status() {
 
   log_info "Validating node-problem-detector on '${vm_name}'..."
 
-  remote_exec "${vm_ip}" "VM_NAME=${vm_name} E2E_NODE_JOIN_TIMEOUT=${E2E_NODE_JOIN_TIMEOUT} bash -s" <<'REMOTE'
+  remote_exec "${vm_ip}" "E2E_NODE_JOIN_TIMEOUT=${E2E_NODE_JOIN_TIMEOUT} bash -s" <<'REMOTE'
 set -euo pipefail
 
 deadline=$((SECONDS + E2E_NODE_JOIN_TIMEOUT))
 while true; do
-  active_machine="$(sudo sed -n 's/.*"activeMachine"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' /etc/aks-flex-node/daemon-state.json 2>/dev/null || true)"
+  active_machine="$(sudo python3 - <<'PY' 2>/dev/null || true
+import json
+with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
+    print(json.load(state).get("activeMachine", ""))
+PY
+)"
   if [[ -n "${active_machine}" ]] && machinectl show "${active_machine}" &>/dev/null; then
     status="$(sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl is-active node-problem-detector.service 2>/dev/null || true)"
     if [[ "${status}" == "active" ]]; then
@@ -100,7 +105,7 @@ while true; do
   fi
 
   if (( SECONDS >= deadline )); then
-    echo "node-problem-detector.service did not become active on ${VM_NAME}"
+    echo "node-problem-detector.service did not become active"
     machinectl list --no-pager || true
     if [[ -n "${active_machine:-}" ]]; then
       sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl status node-problem-detector.service --no-pager -l || true
@@ -113,8 +118,8 @@ while true; do
 done
 REMOTE
 
+  local kernel_deadlock
   while [[ "${elapsed}" -lt "${timeout}" ]]; do
-    local kernel_deadlock
     kernel_deadlock="$(kubectl get node "${vm_name}" -o jsonpath='{.status.conditions[?(@.type=="KernelDeadlock")].status}' 2>/dev/null || true)"
     if [[ "${kernel_deadlock}" == "False" ]]; then
       log_success "node-problem-detector is active and reporting on '${vm_name}'"

From c4ef0d41c53a5c73691df5f3a585d47978e13f79 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:09:55 +0000
Subject: [PATCH 05/16] Refine NPD validation checks

---
 hack/e2e/lib/validate.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hack/e2e/lib/validate.sh b/hack/e2e/lib/validate.sh
index 82d1fdff..8785a9fd 100755
--- a/hack/e2e/lib/validate.sh
+++ b/hack/e2e/lib/validate.sh
@@ -82,10 +82,16 @@ validate_npd_status() {
   local vm_ip="$2"
   local timeout="${E2E_NODE_JOIN_TIMEOUT}"
   local elapsed=0
+  local npd_condition_jsonpath='{.status.conditions[?(@.type=="KernelDeadlock")].status}'
 
   log_info "Validating node-problem-detector on '${vm_name}'..."
 
-  remote_exec "${vm_ip}" "E2E_NODE_JOIN_TIMEOUT=${E2E_NODE_JOIN_TIMEOUT} bash -s" <<'REMOTE'
+  if ! [[ "${timeout}" =~ ^[0-9]+$ ]]; then
+    log_error "E2E_NODE_JOIN_TIMEOUT must be numeric, got '${timeout}'"
+    return 1
+  fi
+
+  remote_exec "${vm_ip}" "E2E_NODE_JOIN_TIMEOUT=${timeout} bash -s" <<'REMOTE'
 set -euo pipefail
 
 deadline=$((SECONDS + E2E_NODE_JOIN_TIMEOUT))
@@ -120,7 +126,7 @@ REMOTE
 
   local kernel_deadlock
   while [[ "${elapsed}" -lt "${timeout}" ]]; do
-    kernel_deadlock="$(kubectl get node "${vm_name}" -o jsonpath='{.status.conditions[?(@.type=="KernelDeadlock")].status}' 2>/dev/null || true)"
+    kernel_deadlock="$(kubectl get node "${vm_name}" -o jsonpath="${npd_condition_jsonpath}" 2>/dev/null || true)"
     if [[ "${kernel_deadlock}" == "False" ]]; then
       log_success "node-problem-detector is active and reporting on '${vm_name}'"
       return 0

From 92f521c2a2f634faf37b8a58f4cb7e50b1c5048c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:10:54 +0000
Subject: [PATCH 06/16] Harden NPD validation script

---
 hack/e2e/lib/validate.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hack/e2e/lib/validate.sh b/hack/e2e/lib/validate.sh
index 8785a9fd..bb46072e 100755
--- a/hack/e2e/lib/validate.sh
+++ b/hack/e2e/lib/validate.sh
@@ -83,6 +83,7 @@ validate_npd_status() {
   local timeout="${E2E_NODE_JOIN_TIMEOUT}"
   local elapsed=0
   local npd_condition_jsonpath='{.status.conditions[?(@.type=="KernelDeadlock")].status}'
+  local quoted_timeout
 
   log_info "Validating node-problem-detector on '${vm_name}'..."
 
@@ -90,13 +91,15 @@ validate_npd_status() {
     log_error "E2E_NODE_JOIN_TIMEOUT must be numeric, got '${timeout}'"
     return 1
   fi
+  printf -v quoted_timeout "%q" "${timeout}"
 
-  remote_exec "${vm_ip}" "E2E_NODE_JOIN_TIMEOUT=${timeout} bash -s" <<'REMOTE'
+  remote_exec "${vm_ip}" "E2E_NODE_JOIN_TIMEOUT=${quoted_timeout} bash -s" <<'REMOTE'
 set -euo pipefail
 
 deadline=$((SECONDS + E2E_NODE_JOIN_TIMEOUT))
+active_machine_error="/tmp/aks-flex-node-e2e-active-machine.err"
 while true; do
-  active_machine="$(sudo python3 - <<'PY' 2>/dev/null || true
+  active_machine="$(sudo python3 - <<'PY' 2>"${active_machine_error}" || true
 import json
 with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
     print(json.load(state).get("activeMachine", ""))
@@ -112,6 +115,9 @@ PY
 
   if (( SECONDS >= deadline )); then
     echo "node-problem-detector.service did not become active"
+    if [[ -s "${active_machine_error}" ]]; then
+      cat "${active_machine_error}"
+    fi
     machinectl list --no-pager || true
     if [[ -n "${active_machine:-}" ]]; then
       sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl status node-problem-detector.service --no-pager -l || true

From 0af12f89e6797d301ed7fef8d375c3930558d1f9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 23:16:47 +0000
Subject: [PATCH 07/16] Improve NPD validation diagnostics

---
 hack/e2e/lib/validate.sh | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/hack/e2e/lib/validate.sh b/hack/e2e/lib/validate.sh
index bb46072e..12bd8868 100755
--- a/hack/e2e/lib/validate.sh
+++ b/hack/e2e/lib/validate.sh
@@ -83,6 +83,7 @@ validate_npd_status() {
   local timeout="${E2E_NODE_JOIN_TIMEOUT}"
   local elapsed=0
   local npd_condition_jsonpath='{.status.conditions[?(@.type=="KernelDeadlock")].status}'
+  local condition_error="${E2E_WORK_DIR}/npd-condition-${vm_name}.err"
   local quoted_timeout
 
   log_info "Validating node-problem-detector on '${vm_name}'..."
@@ -97,16 +98,22 @@ validate_npd_status() {
 set -euo pipefail
 
 deadline=$((SECONDS + E2E_NODE_JOIN_TIMEOUT))
-active_machine_error="/tmp/aks-flex-node-e2e-active-machine.err"
+active_machine_error="/tmp/aks-flex-node-e2e-active-machine-$$.err"
+status_error="/tmp/aks-flex-node-e2e-npd-status-$$.err"
 while true; do
-  active_machine="$(sudo python3 - <<'PY' 2>"${active_machine_error}" || true
+  if [[ ! -f /etc/aks-flex-node/daemon-state.json ]]; then
+    active_machine=""
+    echo "/etc/aks-flex-node/daemon-state.json is missing" > "${active_machine_error}"
+  else
+    active_machine="$(sudo python3 - <<'PY' 2>"${active_machine_error}" || true
 import json
 with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
     print(json.load(state).get("activeMachine", ""))
 PY
 )"
+  fi
   if [[ -n "${active_machine}" ]] && machinectl show "${active_machine}" &>/dev/null; then
-    status="$(sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl is-active node-problem-detector.service 2>/dev/null || true)"
+    status="$(sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl is-active node-problem-detector.service 2>"${status_error}" || true)"
     if [[ "${status}" == "active" ]]; then
       echo "node-problem-detector.service is active in ${active_machine}"
       exit 0
@@ -118,6 +125,9 @@ PY
     if [[ -s "${active_machine_error}" ]]; then
       cat "${active_machine_error}"
     fi
+    if [[ -s "${status_error}" ]]; then
+      cat "${status_error}"
+    fi
     machinectl list --no-pager || true
     if [[ -n "${active_machine:-}" ]]; then
       sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl status node-problem-detector.service --no-pager -l || true
@@ -132,7 +142,7 @@ REMOTE
 
   local kernel_deadlock
   while [[ "${elapsed}" -lt "${timeout}" ]]; do
-    kernel_deadlock="$(kubectl get node "${vm_name}" -o jsonpath="${npd_condition_jsonpath}" 2>/dev/null || true)"
+    kernel_deadlock="$(kubectl get node "${vm_name}" -o jsonpath="${npd_condition_jsonpath}" 2>"${condition_error}" || true)"
     if [[ "${kernel_deadlock}" == "False" ]]; then
       log_success "node-problem-detector is active and reporting on '${vm_name}'"
       return 0
@@ -144,6 +154,9 @@ REMOTE
   done
 
   log_error "node-problem-detector did not report KernelDeadlock=False on '${vm_name}' within ${timeout}s"
+  if [[ -s "${condition_error}" ]]; then
+    cat "${condition_error}" >&2
+  fi
   kubectl describe node "${vm_name}" 2>&1 || true
   return 1
 }

From 6831aead32ef038f4a438f8a54516759c1be9a90 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 00:18:24 +0000
Subject: [PATCH 08/16] Collect NPD logs in E2E

---
 hack/e2e/README.md      |  2 +-
 hack/e2e/lib/cleanup.sh | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/hack/e2e/README.md b/hack/e2e/README.md
index bbcfa15c..b7e7725b 100644
--- a/hack/e2e/README.md
+++ b/hack/e2e/README.md
@@ -197,6 +197,6 @@ Logs are collected under `$E2E_WORK_DIR/logs/`.
 - **Missing prerequisites:** run `./hack/e2e/run.sh --help` and confirm `az`, `jq`, `kubectl`, `ssh`, `scp`, and `openssl` are available.
 - **Azure auth failures:** run `az account show` and `az login` if needed.
 - **SSH failures:** inspect `state.json` for VM public IPs and confirm the SSH key configured by `E2E_SSH_KEY_FILE` is available.
-- **Node join failures:** run `./hack/e2e/run.sh logs` and inspect agent, bootstrap unit, kubelet, and containerd logs.
+- **Node join failures:** run `./hack/e2e/run.sh logs` and inspect agent, bootstrap unit, kubelet, containerd, and node-problem-detector logs.
 - **Repave failures:** check `aks-flex-node-agent` logs, `machinectl list`, and kubelet versions inside `kube1` and `kube2`.
 - **Leftover resources:** run `E2E_RESOURCE_GROUP=<rg> ./hack/e2e/run.sh cleanup`.
diff --git a/hack/e2e/lib/cleanup.sh b/hack/e2e/lib/cleanup.sh
index fcc98f9a..835be7da 100755
--- a/hack/e2e/lib/cleanup.sh
+++ b/hack/e2e/lib/cleanup.sh
@@ -52,6 +52,20 @@ _collect_vm_logs() {
      fi" \
     > "${E2E_LOG_DIR}/${prefix}-containerd.log" 2>/dev/null || true
 
+  remote_exec "${vm_ip}" "bash -s" <<'REMOTE' > "${E2E_LOG_DIR}/${prefix}-npd.log" 2>/dev/null || true
+machine="$(sudo python3 - <<'PY' 2>/dev/null || true
+import json
+with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
+    print(json.load(state).get("activeMachine", ""))
+PY
+)"
+if [ -n "${machine}" ]; then
+  sudo systemd-run --machine="${machine}" --quiet --pipe journalctl -u node-problem-detector.service -n 500 --no-pager 2>/dev/null
+else
+  sudo journalctl -u node-problem-detector.service -n 500 --no-pager 2>/dev/null
+fi
+REMOTE
+
   # Collect CNI config and nspawn machine state for networking diagnostics.
   # Read directly from the nspawn rootfs at /var/lib/machines/kube1/.
   local kube1_root="/var/lib/machines/kube1"

From be31c15b37cef242d52a9ee3af902fd775a009f1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 00:19:16 +0000
Subject: [PATCH 09/16] Surface NPD log collection errors

---
 hack/e2e/lib/cleanup.sh | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/hack/e2e/lib/cleanup.sh b/hack/e2e/lib/cleanup.sh
index 835be7da..52d687fe 100755
--- a/hack/e2e/lib/cleanup.sh
+++ b/hack/e2e/lib/cleanup.sh
@@ -52,17 +52,27 @@ _collect_vm_logs() {
      fi" \
     > "${E2E_LOG_DIR}/${prefix}-containerd.log" 2>/dev/null || true
 
-  remote_exec "${vm_ip}" "bash -s" <<'REMOTE' > "${E2E_LOG_DIR}/${prefix}-npd.log" 2>/dev/null || true
-machine="$(sudo python3 - <<'PY' 2>/dev/null || true
+  remote_exec "${vm_ip}" "bash -s" <<'REMOTE' > "${E2E_LOG_DIR}/${prefix}-npd.log" 2>&1 || true
+machine_error="$(mktemp)"
+machine="$(sudo python3 - <<'PY' 2>"${machine_error}" || true
 import json
 with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
     print(json.load(state).get("activeMachine", ""))
 PY
 )"
+if [ -s "${machine_error}" ]; then
+  echo "warning: unable to read active machine from daemon state"
+  cat "${machine_error}"
+fi
+rm -f "${machine_error}"
 if [ -n "${machine}" ]; then
-  sudo systemd-run --machine="${machine}" --quiet --pipe journalctl -u node-problem-detector.service -n 500 --no-pager 2>/dev/null
+  echo "=== node-problem-detector.service logs (${machine}) ==="
+  sudo systemd-run --machine="${machine}" --quiet --pipe journalctl -u node-problem-detector.service -n 500 --no-pager || \
+    echo "warning: failed to collect node-problem-detector logs from ${machine}"
 else
-  sudo journalctl -u node-problem-detector.service -n 500 --no-pager 2>/dev/null
+  echo "warning: active machine unknown; falling back to host journal"
+  sudo journalctl -u node-problem-detector.service -n 500 --no-pager || \
+    echo "warning: failed to collect host node-problem-detector logs"
 fi
 REMOTE
 

From cf2a5add0b625653c4dbc30e1e4e52ab05e42235 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 00:20:12 +0000
Subject: [PATCH 10/16] Harden NPD log diagnostics

---
 hack/e2e/lib/cleanup.sh | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/hack/e2e/lib/cleanup.sh b/hack/e2e/lib/cleanup.sh
index 52d687fe..a5fe73dd 100755
--- a/hack/e2e/lib/cleanup.sh
+++ b/hack/e2e/lib/cleanup.sh
@@ -54,19 +54,29 @@ _collect_vm_logs() {
 
   remote_exec "${vm_ip}" "bash -s" <<'REMOTE' > "${E2E_LOG_DIR}/${prefix}-npd.log" 2>&1 || true
 machine_error="$(mktemp)"
-machine="$(sudo python3 - <<'PY' 2>"${machine_error}" || true
+trap 'rm -f "${machine_error}"' EXIT
+machine="$(sudo python3 - <<'PY' 2>"${machine_error}"
 import json
-with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
-    print(json.load(state).get("activeMachine", ""))
+import sys
+
+try:
+    with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
+        print(json.load(state).get("activeMachine", ""))
+except FileNotFoundError as exc:
+    print(f"daemon state not found: {exc}", file=sys.stderr)
+except json.JSONDecodeError as exc:
+    print(f"daemon state is not valid JSON: {exc}", file=sys.stderr)
+except PermissionError as exc:
+    print(f"daemon state permission denied: {exc}", file=sys.stderr)
 PY
 )"
 if [ -s "${machine_error}" ]; then
   echo "warning: unable to read active machine from daemon state"
   cat "${machine_error}"
 fi
-rm -f "${machine_error}"
 if [ -n "${machine}" ]; then
   echo "=== node-problem-detector.service logs (${machine}) ==="
+  # Match the agent and kubelet log depth; NPD entries are sparse but useful across node lifecycle phases.
   sudo systemd-run --machine="${machine}" --quiet --pipe journalctl -u node-problem-detector.service -n 500 --no-pager || \
     echo "warning: failed to collect node-problem-detector logs from ${machine}"
 else

From 4db154d3255b1a3e603aada31c82189b16639855 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 00:20:52 +0000
Subject: [PATCH 11/16] Tighten NPD log cleanup

---
 hack/e2e/lib/cleanup.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hack/e2e/lib/cleanup.sh b/hack/e2e/lib/cleanup.sh
index a5fe73dd..b19d6679 100755
--- a/hack/e2e/lib/cleanup.sh
+++ b/hack/e2e/lib/cleanup.sh
@@ -74,6 +74,8 @@ if [ -s "${machine_error}" ]; then
   echo "warning: unable to read active machine from daemon state"
   cat "${machine_error}"
 fi
+rm -f "${machine_error}"
+trap - EXIT
 if [ -n "${machine}" ]; then
   echo "=== node-problem-detector.service logs (${machine}) ==="
   # Match the agent and kubelet log depth; NPD entries are sparse but useful across node lifecycle phases.
@@ -82,7 +84,7 @@ if [ -n "${machine}" ]; then
 else
   echo "warning: active machine unknown; falling back to host journal"
   sudo journalctl -u node-problem-detector.service -n 500 --no-pager || \
-    echo "warning: failed to collect host node-problem-detector logs"
+    echo "warning: failed to collect node-problem-detector logs from host"
 fi
 REMOTE
 

From aed10a0be3b04c72ff926cb052aa05c6fd35451f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 00:21:40 +0000
Subject: [PATCH 12/16] Simplify NPD log diagnostics

---
 hack/e2e/lib/cleanup.sh | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/hack/e2e/lib/cleanup.sh b/hack/e2e/lib/cleanup.sh
index b19d6679..2de190cf 100755
--- a/hack/e2e/lib/cleanup.sh
+++ b/hack/e2e/lib/cleanup.sh
@@ -53,15 +53,18 @@ _collect_vm_logs() {
     > "${E2E_LOG_DIR}/${prefix}-containerd.log" 2>/dev/null || true
 
   remote_exec "${vm_ip}" "bash -s" <<'REMOTE' > "${E2E_LOG_DIR}/${prefix}-npd.log" 2>&1 || true
-machine_error="$(mktemp)"
-trap 'rm -f "${machine_error}"' EXIT
-machine="$(sudo python3 - <<'PY' 2>"${machine_error}"
+service="node-problem-detector.service"
+machine="$(sudo python3 - <<'PY'
 import json
 import sys
 
 try:
     with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
-        print(json.load(state).get("activeMachine", ""))
+        active_machine = json.load(state).get("activeMachine", "")
+    if active_machine:
+        print(active_machine)
+    else:
+        print("daemon state does not include activeMachine", file=sys.stderr)
 except FileNotFoundError as exc:
     print(f"daemon state not found: {exc}", file=sys.stderr)
 except json.JSONDecodeError as exc:
@@ -70,21 +73,15 @@ except PermissionError as exc:
     print(f"daemon state permission denied: {exc}", file=sys.stderr)
 PY
 )"
-if [ -s "${machine_error}" ]; then
-  echo "warning: unable to read active machine from daemon state"
-  cat "${machine_error}"
-fi
-rm -f "${machine_error}"
-trap - EXIT
 if [ -n "${machine}" ]; then
-  echo "=== node-problem-detector.service logs (${machine}) ==="
+  echo "=== ${service} logs (${machine}) ==="
   # Match the agent and kubelet log depth; NPD entries are sparse but useful across node lifecycle phases.
-  sudo systemd-run --machine="${machine}" --quiet --pipe journalctl -u node-problem-detector.service -n 500 --no-pager || \
-    echo "warning: failed to collect node-problem-detector logs from ${machine}"
+  sudo systemd-run --machine="${machine}" --quiet --pipe journalctl -u "${service}" -n 500 --no-pager || \
+    echo "warning: failed to collect ${service} logs from ${machine}"
 else
   echo "warning: active machine unknown; falling back to host journal"
-  sudo journalctl -u node-problem-detector.service -n 500 --no-pager || \
-    echo "warning: failed to collect node-problem-detector logs from host"
+  sudo journalctl -u "${service}" -n 500 --no-pager || \
+    echo "warning: failed to collect ${service} logs from host"
 fi
 REMOTE
 

From d89a6317d2f3500615f4c8e5f9139c826bece1d0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 00:22:18 +0000
Subject: [PATCH 13/16] Clarify NPD log variables

---
 hack/e2e/lib/cleanup.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/hack/e2e/lib/cleanup.sh b/hack/e2e/lib/cleanup.sh
index 2de190cf..f4957e60 100755
--- a/hack/e2e/lib/cleanup.sh
+++ b/hack/e2e/lib/cleanup.sh
@@ -53,8 +53,8 @@ _collect_vm_logs() {
     > "${E2E_LOG_DIR}/${prefix}-containerd.log" 2>/dev/null || true
 
   remote_exec "${vm_ip}" "bash -s" <<'REMOTE' > "${E2E_LOG_DIR}/${prefix}-npd.log" 2>&1 || true
-service="node-problem-detector.service"
-machine="$(sudo python3 - <<'PY'
+npd_service="node-problem-detector.service"
+active_machine="$(sudo python3 - <<'PY'
 import json
 import sys
 
@@ -73,15 +73,15 @@ except PermissionError as exc:
     print(f"daemon state permission denied: {exc}", file=sys.stderr)
 PY
 )"
-if [ -n "${machine}" ]; then
-  echo "=== ${service} logs (${machine}) ==="
+if [ -n "${active_machine}" ]; then
+  echo "=== ${npd_service} logs (${active_machine}) ==="
   # Match the agent and kubelet log depth; NPD entries are sparse but useful across node lifecycle phases.
-  sudo systemd-run --machine="${machine}" --quiet --pipe journalctl -u "${service}" -n 500 --no-pager || \
-    echo "warning: failed to collect ${service} logs from ${machine}"
+  sudo systemd-run --machine="${active_machine}" --quiet --pipe journalctl -u "${npd_service}" -n 500 --no-pager || \
+    echo "warning: failed to collect ${npd_service} logs from ${active_machine}"
 else
   echo "warning: active machine unknown; falling back to host journal"
-  sudo journalctl -u "${service}" -n 500 --no-pager || \
-    echo "warning: failed to collect ${service} logs from host"
+  sudo journalctl -u "${npd_service}" -n 500 --no-pager || \
+    echo "warning: failed to collect ${npd_service} logs from host"
 fi
 REMOTE
 

From b66d2dfcb47dbbcf0e906338af259162feed42b2 Mon Sep 17 00:00:00 2001
From: Baichao He <bahe@microsoft.com>
Date: Wed, 17 Jun 2026 01:52:03 +0000
Subject: [PATCH 14/16] fix(npd): override hostname with node name

---
 pkg/npd/assets/node-problem-detector.service | 2 +-
 pkg/npd/start.go                             | 3 +++
 pkg/npd/start_test.go                        | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/npd/assets/node-problem-detector.service b/pkg/npd/assets/node-problem-detector.service
index cc17ac99..beb414d2 100644
--- a/pkg/npd/assets/node-problem-detector.service
+++ b/pkg/npd/assets/node-problem-detector.service
@@ -3,7 +3,7 @@ Description=Node Problem Detector
 After=network.target
 
 [Service]
-ExecStart={{.NPDBinaryPath}} --apiserver-override="{{.APIServerURL}}?inClusterConfig=false&auth={{.KubeconfigPath}}" --config.system-log-monitor={{.NPDConfigPath}}
+ExecStart={{.NPDBinaryPath}} --hostname-override={{.NodeName}} --apiserver-override="{{.APIServerURL}}?inClusterConfig=false&auth={{.KubeconfigPath}}" --config.system-log-monitor={{.NPDConfigPath}}
 Restart=on-failure
 RestartSec=5s
 
diff --git a/pkg/npd/start.go b/pkg/npd/start.go
index 2fe76d11..ac9fd11e 100644
--- a/pkg/npd/start.go
+++ b/pkg/npd/start.go
@@ -33,6 +33,7 @@ type startTask struct {
 	kubeconfigPath string
 	machineDir     string
 	machineName    string
+	nodeName       string
 }
 
 // Start returns a task that renders the NPD systemd unit file into the
@@ -45,6 +46,7 @@ func Start(cfg *config.Config, log *slog.Logger, machineDir, machineName string)
 		kubeconfigPath: goalstates.KubeletKubeconfigPath,
 		machineDir:     machineDir,
 		machineName:    machineName,
+		nodeName:       cfg.Agent.NodeName,
 	}
 }
 
@@ -66,6 +68,7 @@ func (t *startTask) ensureServiceFile() (updated bool, err error) {
 		"APIServerURL":   t.apiServer,
 		"KubeconfigPath": t.kubeconfigPath,
 		"NPDConfigPath":  npdConfigPath,
+		"NodeName":       t.nodeName,
 	}); err != nil {
 		return false, fmt.Errorf("render npd service template: %w", err)
 	}
diff --git a/pkg/npd/start_test.go b/pkg/npd/start_test.go
index 6301a8f9..10b9a698 100644
--- a/pkg/npd/start_test.go
+++ b/pkg/npd/start_test.go
@@ -34,6 +34,7 @@ func TestCanonicalKubeletKubeconfigPath(t *testing.T) {
 // test stable across refactors while still exercising the Start() wiring.
 func TestRenderedNPDUnitUsesCanonicalKubeconfig(t *testing.T) {
 	cfg := &config.Config{}
+	cfg.Agent.NodeName = "vm-e2e-token-1781659839"
 	cfg.Node.Kubelet.ServerURL = "https://example.hcp.westus.azmk8s.io:443"
 
 	machineDir := t.TempDir()
@@ -58,4 +59,7 @@ func TestRenderedNPDUnitUsesCanonicalKubeconfig(t *testing.T) {
 	if strings.Contains(rendered, "kubelet/kubelet") {
 		t.Fatalf("rendered unit contains doubled 'kubelet' segment:\n%s", rendered)
 	}
+	if !strings.Contains(rendered, "--hostname-override=vm-e2e-token-1781659839") {
+		t.Fatalf("rendered unit missing hostname override:\n%s", rendered)
+	}
 }

From 599fab525cada6d34f14c66e6397e42067680555 Mon Sep 17 00:00:00 2001
From: Baichao He <bahe@microsoft.com>
Date: Wed, 17 Jun 2026 03:28:22 +0000
Subject: [PATCH 15/16] refactor(npd): use resolved node goal state

---
 pkg/daemon/nodeoperator.go |  2 +-
 pkg/daemon/start.go        |  2 +-
 pkg/npd/start.go           | 11 +++++------
 pkg/npd/start_test.go      | 15 +++++++++------
 4 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/pkg/daemon/nodeoperator.go b/pkg/daemon/nodeoperator.go
index b7a35a3f..4b8aba0e 100644
--- a/pkg/daemon/nodeoperator.go
+++ b/pkg/daemon/nodeoperator.go
@@ -52,7 +52,7 @@ func (o *nspawnNodeOperator) RestartNode(ctx context.Context, log *slog.Logger)
 		nodestop.StopNode(log, active.Name),
 		nodestart.StartNode(log, gs.NodeStart),
 		nodestart.WaitForKubelet(log, active.Name),
-		npd.Start(cfg, log, gs.RootFS.MachineDir, active.Name),
+		npd.Start(log, gs.NodeStart),
 	).Do(ctx)
 }
 
diff --git a/pkg/daemon/start.go b/pkg/daemon/start.go
index 6d202e43..916fb12a 100644
--- a/pkg/daemon/start.go
+++ b/pkg/daemon/start.go
@@ -47,7 +47,7 @@ func StartNode(
 		),
 		nodestart.StartNode(log, gs.NodeStart),
 		nodestart.WaitForKubelet(log, machineName),
-		npd.Start(cfg, log, gs.RootFS.MachineDir, machineName),
+		npd.Start(log, gs.NodeStart),
 		saveState(store, state),
 	)
 }
diff --git a/pkg/npd/start.go b/pkg/npd/start.go
index ac9fd11e..8c093708 100644
--- a/pkg/npd/start.go
+++ b/pkg/npd/start.go
@@ -11,7 +11,6 @@ import (
 	"path/filepath"
 	"text/template"
 
-	"github.com/Azure/AKSFlexNode/pkg/config"
 	"github.com/Azure/AKSFlexNode/pkg/utils/utilexec"
 	"github.com/Azure/AKSFlexNode/pkg/utils/utilio"
 	"github.com/Azure/unbounded/pkg/agent/goalstates"
@@ -39,14 +38,14 @@ type startTask struct {
 // Start returns a task that renders the NPD systemd unit file into the
 // nspawn machine rootfs and ensures the service is running inside the
 // container via systemd-run --machine.
-func Start(cfg *config.Config, log *slog.Logger, machineDir, machineName string) phases.Task {
+func Start(log *slog.Logger, nodeStart *goalstates.NodeStart) phases.Task {
 	return &startTask{
 		log:            log,
-		apiServer:      cfg.Node.Kubelet.ServerURL,
+		apiServer:      nodeStart.Kubelet.APIServer,
 		kubeconfigPath: goalstates.KubeletKubeconfigPath,
-		machineDir:     machineDir,
-		machineName:    machineName,
-		nodeName:       cfg.Agent.NodeName,
+		machineDir:     nodeStart.MachineDir,
+		machineName:    nodeStart.MachineName,
+		nodeName:       nodeStart.NodeName,
 	}
 }
 
diff --git a/pkg/npd/start_test.go b/pkg/npd/start_test.go
index 10b9a698..af742951 100644
--- a/pkg/npd/start_test.go
+++ b/pkg/npd/start_test.go
@@ -7,7 +7,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/Azure/AKSFlexNode/pkg/config"
 	"github.com/Azure/unbounded/pkg/agent/goalstates"
 )
 
@@ -33,12 +32,16 @@ func TestCanonicalKubeletKubeconfigPath(t *testing.T) {
 // (the externally observable artifact) rather than internal fields keeps the
 // test stable across refactors while still exercising the Start() wiring.
 func TestRenderedNPDUnitUsesCanonicalKubeconfig(t *testing.T) {
-	cfg := &config.Config{}
-	cfg.Agent.NodeName = "vm-e2e-token-1781659839"
-	cfg.Node.Kubelet.ServerURL = "https://example.hcp.westus.azmk8s.io:443"
-
 	machineDir := t.TempDir()
-	task, ok := Start(cfg, slog.Default(), machineDir, "kube1").(*startTask)
+	nodeStart := &goalstates.NodeStart{
+		MachineDir:  machineDir,
+		MachineName: "kube1",
+		NodeName:    "vm-e2e-token-1781659839",
+		Kubelet: goalstates.Kubelet{
+			APIServer: "https://example.hcp.westus.azmk8s.io:443",
+		},
+	}
+	task, ok := Start(slog.Default(), nodeStart).(*startTask)
 	if !ok {
 		t.Fatalf("Start did not return *startTask")
 	}

From 0b3d5766276bf7beadb216e38571d60385c3ff68 Mon Sep 17 00:00:00 2001
From: hbc <bahe@microsoft.com>
Date: Wed, 17 Jun 2026 10:18:40 -0700
Subject: [PATCH 16/16] Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 hack/e2e/lib/validate.sh | 4 ++--
 pkg/npd/start_test.go    | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/hack/e2e/lib/validate.sh b/hack/e2e/lib/validate.sh
index 12bd8868..4b24edda 100755
--- a/hack/e2e/lib/validate.sh
+++ b/hack/e2e/lib/validate.sh
@@ -112,7 +112,7 @@ with open("/etc/aks-flex-node/daemon-state.json", encoding="utf-8") as state:
 PY
 )"
   fi
-  if [[ -n "${active_machine}" ]] && machinectl show "${active_machine}" &>/dev/null; then
+  if [[ -n "${active_machine}" ]] && sudo machinectl show "${active_machine}" &>/dev/null; then
     status="$(sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl is-active node-problem-detector.service 2>"${status_error}" || true)"
     if [[ "${status}" == "active" ]]; then
       echo "node-problem-detector.service is active in ${active_machine}"
@@ -128,7 +128,7 @@ PY
     if [[ -s "${status_error}" ]]; then
       cat "${status_error}"
     fi
-    machinectl list --no-pager || true
+    sudo machinectl list --no-pager || true
     if [[ -n "${active_machine:-}" ]]; then
       sudo systemd-run --machine="${active_machine}" --quiet --pipe systemctl status node-problem-detector.service --no-pager -l || true
       sudo systemd-run --machine="${active_machine}" --quiet --pipe journalctl -u node-problem-detector.service -n 50 --no-pager || true
diff --git a/pkg/npd/start_test.go b/pkg/npd/start_test.go
index af742951..ae1be511 100644
--- a/pkg/npd/start_test.go
+++ b/pkg/npd/start_test.go
@@ -20,6 +20,7 @@ const wantKubeconfigPath = "/var/lib/kubelet/kubeconfig"
 // TestCanonicalKubeletKubeconfigPath guards the value of the shared library
 // constant so the doubled-segment typo cannot reappear from a dependency bump.
 func TestCanonicalKubeletKubeconfigPath(t *testing.T) {
+	t.Parallel()
 	if goalstates.KubeletKubeconfigPath != wantKubeconfigPath {
 		t.Fatalf("goalstates.KubeletKubeconfigPath = %q, want %q",
 			goalstates.KubeletKubeconfigPath, wantKubeconfigPath)
@@ -32,6 +33,7 @@ func TestCanonicalKubeletKubeconfigPath(t *testing.T) {
 // (the externally observable artifact) rather than internal fields keeps the
 // test stable across refactors while still exercising the Start() wiring.
 func TestRenderedNPDUnitUsesCanonicalKubeconfig(t *testing.T) {
+	t.Parallel()
 	machineDir := t.TempDir()
 	nodeStart := &goalstates.NodeStart{
 		MachineDir:  machineDir,