Add security updates to provisioning (#745)

parts/configure-swarm-cluster.sh

@@ -94,6 +94,9 @@ ensureAzureNetwork()
 ensureAzureNetwork
 HOSTADDR=`hostname -i`
 
+# apply all Canonical security updates during provisioning
+/usr/lib/apt/apt.systemd.daily
+
 ismaster ()
 {
   if [ "$MASTERPREFIX" == "$VMPREFIX" ]

parts/configure-swarmmode-cluster.sh

@@ -103,6 +103,9 @@ ensureAzureNetwork()
 ensureAzureNetwork
 HOSTADDR=`hostname -i`
 
+# apply all Canonical security updates during provisioning
+/usr/lib/apt/apt.systemd.daily
+
 ismaster ()
 {
   if [ "$MASTERPREFIX" == "$VMPREFIX" ]

parts/dcoscustomdata173.t

@@ -21,6 +21,7 @@ mounts:
 - - ephemeral0.2
   - /var/lib/docker
 runcmd:
+- /usr/lib/apt/apt.systemd.daily
 - - ln
   - -s
   - /bin/rm

parts/dcoscustomdata184.t

@@ -21,6 +21,7 @@ mounts:
 - - ephemeral0.2
   - /var/lib/docker
 runcmd:
+- /usr/lib/apt/apt.systemd.daily
 - - ln
   - -s
   - /bin/rm

parts/dcoscustomdata187.t

@@ -21,6 +21,7 @@ mounts:
 - - ephemeral0.2
   - /var/lib/docker
 runcmd:
+- /usr/lib/apt/apt.systemd.daily
 - - ln
   - -s
   - /bin/rm

parts/dcoscustomdata188.t

@@ -21,6 +21,7 @@ mounts:
 - - ephemeral0.2
   - /var/lib/docker
 runcmd:
+- /usr/lib/apt/apt.systemd.daily
 - - ln
   - -s
   - /bin/rm

parts/dcoscustomdata190.t

@@ -27,6 +27,7 @@ mounts:
 - - ephemeral0.3
   - /var/tmp
 runcmd:
+- /usr/lib/apt/apt.systemd.daily
 - - ln
   - -s
   - /bin/rm

parts/dcosmastervars.t

@@ -72,7 +72,7 @@
     "osImageOffer": "UbuntuServer", 
     "osImagePublisher": "Canonical", 
     "osImageSKU": "16.04-LTS", 
-    "osImageVersion": "16.04.201705080",
+    "osImageVersion": "16.04.201705160",
     "sshKeyPath": "[concat('/home/', variables('adminUsername'), '/.ssh/authorized_keys')]", 
     "sshRSAPublicKey": "[parameters('sshRSAPublicKey')]",
     "locations": [

parts/kubernetesagentcustomdata.yml

@@ -138,6 +138,7 @@ write_files:
     {{WrapAsVariable "provisionScript"}}
 
 runcmd:
+- /usr/lib/apt/apt.systemd.daily
 - apt-get update
 - apt-get install -y apt-transport-https ca-certificates nfs-common
 - systemctl enable rpcbind

parts/kubernetesmastercustomdata.yml

@@ -298,6 +298,7 @@ write_files:
     mount $MOUNTPOINT
 
 runcmd:
+- /usr/lib/apt/apt.systemd.daily
 - /bin/echo DAEMON_ARGS=--name "{{WrapAsVerbatim "variables('masterVMNames')[copyIndex(variables('masterOffset'))]"}}" --initial-advertise-peer-urls "{{WrapAsVerbatim "variables('masterEtcdPeerURLs')[copyIndex(variables('masterOffset'))]"}}" --listen-peer-urls "{{WrapAsVerbatim "variables('masterEtcdPeerURLs')[copyIndex(variables('masterOffset'))]"}}" --advertise-client-urls "{{WrapAsVerbatim "variables('masterEtcdClientURLs')[copyIndex(variables('masterOffset'))]"}}" --listen-client-urls "{{WrapAsVerbatim "concat(variables('masterEtcdClientURLs')[copyIndex(variables('masterOffset'))], ',http://127.0.0.1:', variables('masterEtcdClientPort'))"}}" --initial-cluster-token "k8s-etcd-cluster" --initial-cluster "{{WrapAsVerbatim "variables('masterEtcdClusterStates')[div(variables('masterCount'), 2)]"}} --data-dir "/var/lib/etcddisk"" --initial-cluster-state "new" | tee -a /etc/default/etcd
 - sudo /bin/chown -R etcd:etcd /var/lib/etcd/default
 - /opt/azure/containers/mountetcd.sh

parts/kubernetesmastercustomscript.sh

@@ -323,3 +323,13 @@ fi
 # If APISERVER_PRIVATE_KEY is empty, then we are not on the master
 echo "Install complete successfully"
 
+if [ -f /var/run/reboot-required ]; then
+  if [[ ! -z "${APISERVER_PRIVATE_KEY}" ]]; then
+    # wait 1 minute to restart master
+    echo 'reboot required, rebooting master in 1 minute'
+    /bin/bash -c "shutdown -r 1 &"
+  else
+    echo 'reboot required, rebooting agent in 1 minute'
+    shutdown -r now
+  fi
+fi

parts/kubernetesmastervars.t

@@ -49,7 +49,7 @@
     "osImageOffer": "UbuntuServer", 
     "osImagePublisher": "Canonical", 
     "osImageSKU": "16.04-LTS", 
-    "osImageVersion": "16.04.201705080",
+    "osImageVersion": "16.04.201705160",
     "resourceGroup": "[resourceGroup().name]", 
     "routeTableName": "[concat(variables('masterVMNamePrefix'),'routetable')]",
     "routeTableID": "[resourceId('Microsoft.Network/routeTables', variables('routeTableName'))]",
@@ -184,7 +184,7 @@
     "agentWindowsPublisher": "MicrosoftWindowsServer",
     "agentWindowsOffer": "WindowsServer",
     "agentWindowsSku": "2016-Datacenter-with-Containers",
-    "agentWindowsVersion": "2016.127.20170510",
+    "agentWindowsVersion": "latest",
     "singleQuote": "'",
     "windowsCustomScriptSuffix": " $inputFile = '%SYSTEMDRIVE%\\AzureData\\CustomData.bin' ; $outputFile = '%SYSTEMDRIVE%\\AzureData\\CustomDataSetupScript.ps1' ; Copy-Item $inputFile $outputFile ; Invoke-Expression('{0} {1}' -f $outputFile, $arguments) ; "
 {{end}}

parts/swarmmastervars.t

@@ -107,11 +107,11 @@
 {{if .OrchestratorProfile.IsSwarmMode}}
     "orchestratorName": "swarmm", 
     "osImageSKU": "16.04-LTS", 
-    "osImageVersion": "16.04.201705080",
+    "osImageVersion": "16.04.201705160",
 {{else}}
     "orchestratorName": "swarm", 
-    "osImageSKU": "14.04.4-LTS",
-    "osImageVersion": "14.04.201607140",  
+    "osImageSKU": "14.04.5-LTS",
+    "osImageVersion": "14.04.201705170",  
 {{end}}
     "locations": [
          "[resourceGroup().location]",