Skip to content
This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

Support configuration to inject unattended-upgrades into CSE. #4156

Closed
msjelly opened this issue Jan 12, 2021 · 7 comments · Fixed by #4217
Closed

Support configuration to inject unattended-upgrades into CSE. #4156

msjelly opened this issue Jan 12, 2021 · 7 comments · Fixed by #4217
Labels
enhancement New feature or request

Comments

@msjelly
Copy link

msjelly commented Jan 12, 2021

Describe the request
Support ability to optionally inject unattended-upgrades into CSE.
Explain why AKS Engine needs it
Aks-engine does not release patches of previous versions of AKS Engine images for patch releases of the OS. It is desirable to have the OS patches as early as possible after the nodes are provisioned.
Describe the solution you'd like
Add optional configuration in cluster definition to inject unattended-upgrades in CSE. Reboot sentinel e.g. /var/run/reboot-required would trigger CSE to reboot the node. https://github.com/Azure/aks-engine/blob/master/parts/k8s/cloud-init/artifacts/cse_main.sh#L272
Describe alternatives you've considered
https://github.com/jackfrancis/kamino
Additional context
Ideally, we need this to be configurable at the granularity of agentpool rather than as a cluster wide setting.
@msjelly msjelly added the enhancement New feature or request label Jan 12, 2021
@welcome
Copy link

welcome bot commented Jan 12, 2021

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it.

@dmeytin
Copy link

dmeytin commented Jan 13, 2021

Janet, there is another alternative to keep cluster with the latest security patches:

  1. Boot a new VM using the cluster's SKU (VHD used to during the cluster's creation)
  2. Run unattended-upgrades
  3. Generalize the VM (az vm generalize --resource-group [ResourceGroup] --name [VmName])
  4. Upload the VM's image into Shared Image Gallery
  5. Upgrade VMSS with the image

This solution is similar to kamino, except the fact that the image is created once and then propagated to all environments

@msjelly
Copy link
Author

msjelly commented Jan 13, 2021

@dmeytin We dynamically add/delete agentpools with different configurations (e.g. CPU/GPU VM types/sizes) and prefer not to have to maintain pre-baked VM image for each configuration that we have to support.

@dmeytin
Copy link

dmeytin commented Jan 13, 2021

This is absolutely legit approach, with the only drawback of long scaling times that could be omitted by using pre-baked VM image.
Running CSE for each VM boot that end ups with reboot could take up to 5min

@msjelly
Copy link
Author

msjelly commented Jan 13, 2021
edited
Loading

I've seen agentpool creation take between 3min-40min depending on size of our agentpool. If the latency goes up to something like 8 minutes minimum, that's not desirable but may be tolerable... With the approach you propose (and kamino), is it the case that we'll need to create separate VM image for each VM size that we want to support and that we have to create such VM image for each cluster?

@dmeytin
Copy link

dmeytin commented Jan 13, 2021

VHD is for OS disk only.
The VM size is independent from OS image.

@msjelly
Copy link
Author

msjelly commented Jan 13, 2021

Same OS image can be used for upgrading CPU and GPU VMs?

@jackfrancis jackfrancis mentioned this issue Feb 2, 2021
Merged
8 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: run accelerated unattended-upgrade at node creation time jackfrancis/aks-engine
2 participants
@dmeytin @msjelly