Azure · jackfrancis · Feb 3, 2021 · Feb 2, 2021 · Feb 2, 2021 · Feb 3, 2021
diff --git a/docs/topics/clusterdefinitions.md b/docs/topics/clusterdefinitions.md
@@ -857,6 +857,7 @@ A cluster can have 0 to 12 agent pool profiles. Agent Pool Profiles are used for
 | adminUsername                    | yes      | Describes the username to be used on all linux clusters                                  |
 | ssh.publicKeys[].keyData         | yes      | The public SSH key used for authenticating access to all Linux nodes in the cluster      |
 | secrets                          | no       | Specifies an array of key vaults to pull secrets from and what secrets to pull from each |
+| runUnattendedUpgradesOnBootstrap | no       | Invoke an unattended-upgrade when each Linux node VM comes online for the first time. In practice this is accomplished by performing an `apt-get update`, followed by a manual invocation of `/usr/bin/unattended-upgrade`, to fetch updated apt configuration, and install all package updates provided by the unattended-upgrade facility, respectively. |
 | customSearchDomain.name          | no       | describes the search domain to be used on all linux clusters                             |
 | customSearchDomain.realmUser     | no       | describes the realm user with permissions to update dns registries on Windows Server DNS |
 | customSearchDomain.realmPassword | no       | describes the realm user password to update dns registries on Windows Server DNS         |

diff --git a/parts/k8s/cloud-init/artifacts/cse_helpers.sh b/parts/k8s/cloud-init/artifacts/cse_helpers.sh
@@ -193,6 +193,18 @@ apt_get_dist_upgrade() {
   done
   echo Executed apt-get dist-upgrade $i times
 }
+unattended_upgrade() {
+  retries=10
+  for i in $(seq 1 $retries); do
+    wait_for_apt_locks
+    /usr/bin/unattended-upgrade && break ||
+    if [ $i -eq $retries ]; then
+      return 1
+    else sleep 5
+    fi
+  done
+  echo Executed unattended-upgrade $i times
+}
 systemctl_restart() {
   retries=$1; wait_sleep=$2; timeout=$3 svcname=$4
   for i in $(seq 1 $retries); do

diff --git a/parts/k8s/cloud-init/artifacts/cse_main.sh b/parts/k8s/cloud-init/artifacts/cse_main.sh
@@ -276,6 +276,10 @@ if [[ $OS == $UBUNTU_OS_NAME ]]; then
 fi
 {{end}}
 
+{{- if RunUnattendedUpgrades}}
+apt_get_update && unattended_upgrade
+{{- end}}
+
 if [ -f /var/run/reboot-required ]; then
   trace_info "RebootRequired" "reboot=true"
   /bin/bash -c "shutdown -r 1 &"

diff --git a/pkg/api/converterfromapi.go b/pkg/api/converterfromapi.go
@@ -174,6 +174,7 @@ func convertLinuxProfileToVLabs(obj *LinuxProfile, vlabsProfile *vlabs.LinuxProf
 		vlabsProfile.CustomNodesDNS = &vlabs.CustomNodesDNS{}
 		vlabsProfile.CustomNodesDNS.DNSServer = obj.CustomNodesDNS.DNSServer
 	}
+	vlabsProfile.RunUnattendedUpgradesOnBootstrap = obj.RunUnattendedUpgradesOnBootstrap
 }
 
 func convertWindowsProfileToVLabs(api *WindowsProfile, vlabsProfile *vlabs.WindowsProfile) {

diff --git a/pkg/api/convertertoapi.go b/pkg/api/convertertoapi.go
@@ -169,6 +169,7 @@ func convertVLabsLinuxProfile(vlabs *vlabs.LinuxProfile, api *LinuxProfile) {
 		api.CustomNodesDNS = &CustomNodesDNS{}
 		api.CustomNodesDNS.DNSServer = vlabs.CustomNodesDNS.DNSServer
 	}
+	api.RunUnattendedUpgradesOnBootstrap = vlabs.RunUnattendedUpgradesOnBootstrap
 }
 
 func convertVLabsWindowsProfile(vlabs *vlabs.WindowsProfile, api *WindowsProfile) {

diff --git a/pkg/api/types.go b/pkg/api/types.go
@@ -133,12 +133,13 @@ type LinuxProfile struct {
 	SSH           struct {
 		PublicKeys []PublicKey `json:"publicKeys"`
 	} `json:"ssh"`
-	Secrets               []KeyVaultSecrets   `json:"secrets,omitempty"`
-	Distro                Distro              `json:"distro,omitempty"`
-	ScriptRootURL         string              `json:"scriptroot,omitempty"`
-	CustomSearchDomain    *CustomSearchDomain `json:"customSearchDomain,omitempty"`
-	CustomNodesDNS        *CustomNodesDNS     `json:"CustomNodesDNS,omitempty"`
-	IsSSHKeyAutoGenerated *bool               `json:"isSSHKeyAutoGenerated,omitempty"`
+	Secrets                          []KeyVaultSecrets   `json:"secrets,omitempty"`
+	Distro                           Distro              `json:"distro,omitempty"`
+	ScriptRootURL                    string              `json:"scriptroot,omitempty"`
+	CustomSearchDomain               *CustomSearchDomain `json:"customSearchDomain,omitempty"`
+	CustomNodesDNS                   *CustomNodesDNS     `json:"CustomNodesDNS,omitempty"`
+	IsSSHKeyAutoGenerated            *bool               `json:"isSSHKeyAutoGenerated,omitempty"`
+	RunUnattendedUpgradesOnBootstrap *bool               `json:"runUnattendedUpgradesOnBootstrap,omitempty"`
 }
 
 // PublicKey represents an SSH key for LinuxProfile

diff --git a/pkg/api/vlabs/types.go b/pkg/api/vlabs/types.go
@@ -136,10 +136,11 @@ type LinuxProfile struct {
 	SSH           struct {
 		PublicKeys []PublicKey `json:"publicKeys" validate:"required,min=1"`
 	} `json:"ssh" validate:"required"`
-	Secrets            []KeyVaultSecrets   `json:"secrets,omitempty"`
-	ScriptRootURL      string              `json:"scriptroot,omitempty"`
-	CustomSearchDomain *CustomSearchDomain `json:"customSearchDomain,omitempty"`
-	CustomNodesDNS     *CustomNodesDNS     `json:"customNodesDNS,omitempty"`
+	Secrets                          []KeyVaultSecrets   `json:"secrets,omitempty"`
+	ScriptRootURL                    string              `json:"scriptroot,omitempty"`
+	CustomSearchDomain               *CustomSearchDomain `json:"customSearchDomain,omitempty"`
+	CustomNodesDNS                   *CustomNodesDNS     `json:"customNodesDNS,omitempty"`
+	RunUnattendedUpgradesOnBootstrap *bool               `json:"runUnattendedUpgradesOnBootstrap,omitempty"`
 }
 
 // PublicKey represents an SSH key for LinuxProfile

diff --git a/pkg/engine/template_generator.go b/pkg/engine/template_generator.go
@@ -775,6 +775,12 @@ func getContainerServiceFuncMap(cs *api.ContainerService) template.FuncMap {
 		"GetLinuxCSELogPath": func() string {
 			return linuxCSELogPath
 		},
+		"RunUnattendedUpgrades": func() bool {
+			if cs.Properties.LinuxProfile != nil {
+				return to.Bool(cs.Properties.LinuxProfile.RunUnattendedUpgradesOnBootstrap)
+			}
+			return false
+		},
 		"OpenBraces": func() string {
 			return "{{"
 		},

diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
diff --git a/test/e2e/test_cluster_configs/everything.json b/test/e2e/test_cluster_configs/everything.json
@@ -146,6 +146,7 @@
 				}
 			],
 			"linuxProfile": {
+				"runUnattendedUpgradesOnBootstrap": true,
 				"adminUsername": "azureuser",
 				"ssh": {
 					"publicKeys": [