Azure · keith-ms · Mar 18, 2026 · Feb 20, 2026 · Feb 23, 2026 · Feb 23, 2026
@@ -0,0 +1,3 @@
+[Unit]
+Requires=format-mount-nvme-root.service
+After=format-mount-nvme-root.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Format NVMe local disk and mount Kubelet there
+Requires=mnt.mount
+After=mnt.mount
+
+[Service]
+Restart=on-failure
+RemainAfterExit=yes
+Type=oneshot
+ExecStart=/bin/bash /opt/azure/containers/format-mount-nvme-root.sh
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+set -x
+
+# Bind mount kubelet to local NVMe storage specifically on startup.
+MOUNT_POINT="/mnt/aks"
+
+
+KUBELET_MOUNT_POINT="${MOUNT_POINT}/kubelet"
+KUBELET_DIR="/var/lib/kubelet"
+
+mkdir -p "${MOUNT_POINT}"
+
+SENTINEL_FILE="/opt/azure/containers/bind-sentinel"
+if [ ! -e "${SENTINEL_FILE}" ]; then
+    # Bond (via software RAID) and format the NVMe disks if that's not already done.
+    if [ -e /dev/disk/azure/local/by-index/1 ] && [ ! -e /dev/md0 ]; then
+        mdadm --create --verbose /dev/md0 --level=0 --raid-devices=4 /dev/disk/azure/local/by-index/1 /dev/disk/azure/local/by-index/2 /dev/disk/azure/local/by-index/3 /dev/disk/azure/local/by-index/4
+        mkfs.ext4 -F /dev/md0
+    fi
+    mount /dev/md0 "${MOUNT_POINT}"
+    mv "${KUBELET_DIR}" "${KUBELET_MOUNT_POINT}"
+    touch "${SENTINEL_FILE}"
+else
+    # On subsequent boots, the disk should already be partitioned and formatted, so just mount it.
+    mount /dev/md0 "${MOUNT_POINT}"
+fi
+
+# on every boot, bind mount the kubelet directory back to the expected
+# location before kubelet itself may start.
+mkdir -p "${KUBELET_DIR}"
+mount --bind "${KUBELET_MOUNT_POINT}" "${KUBELET_DIR}"
+chmod a+w "${KUBELET_DIR}"
@@ -278,6 +278,18 @@ copyPackerFiles() {
   CLOUD_INIT_STATUS_CHECK_DEST=/opt/azure/containers/cloud-init-status-check.sh
   cpAndMode $CLOUD_INIT_STATUS_CHECK_SRC $CLOUD_INIT_STATUS_CHECK_DEST 0744
 
+  if grep -q "GB200" <<< "$FEATURE_FLAGS"; then
+    FMT_SH_SRC=/home/packer/format-mount-nvme-root.sh
+    FMT_SH_DEST=/opt/azure/containers/format-mount-nvme-root.sh
+    cpAndMode $FMT_SH_SRC $FMT_SH_DEST 0544
+    FMT_SVC_SRC=/home/packer/format-mount-nvme-root.service
+    FMT_SVC_DEST=/etc/systemd/system/format-mount-nvme-root.service
+    cpAndMode $FMT_SVC_SRC $FMT_SVC_DEST 600
+    FMT_SVC_SRC=/home/packer/format-mount-kubelet.conf
+    FMT_SVC_DEST=/etc/systemd/system/kubelet.service.d/11-fmtmount.conf
+    cpAndMode $FMT_SVC_SRC $FMT_SVC_DEST 600
+  fi
+
   NOTICE_SRC=/home/packer/NOTICE.txt
   NOTICE_DEST=/NOTICE.txt
 

@@ -8,7 +8,7 @@ CVE_DIFF_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-diff.txt
 CVE_LIST_QUERY_OUTPUT_PATH=${TRIVY_REPORT_DIRNAME}/cve-list.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 
-TRIVY_VERSION="0.57.0"
+TRIVY_VERSION="0.69.2"
 TRIVY_ARCH=""
 
 MODULE_NAME="vuln-to-kusto-vhd"

@@ -108,6 +108,21 @@
       "source": "parts/linux/cloud-init/artifacts/cloud-init-status-check.sh",
       "destination": "/home/packer/cloud-init-status-check.sh"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/ubuntu/format-mount-nvme-root.sh",
+      "destination": "/home/packer/format-mount-nvme-root.sh"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/ubuntu/format-mount-nvme-root.service",
+      "destination": "/home/packer/format-mount-nvme-root.service"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/ubuntu/format-mount-kubelet.conf",
+      "destination": "/home/packer/format-mount-kubelet.conf"
+    },
     {
       "type": "file",
       "source": "vhdbuilder/packer/prefetch.sh",