Merge pull request #255965 from MicrosoftDocs/main

10/24 11:00 AM IST Publishing

Author: Saisang

articles/ai-services/document-intelligence/concept-add-on-capabilities.md

@@ -22,11 +22,13 @@ monikerRange: 'doc-intel-3.1.0'
 
 > [!NOTE]
 >
-> Add-on capabilities for Document Intelligence Studio are available with the Read and Layout models starting with the `2023-02-28-preview` and later releases.
+> Add-on capabilities for Document Intelligence Studio are available with the Read and Layout models starting with the `2023-07-31 (GA)` and later releases.
 >
 > Add-on capabilities are available within all models except for the [Business card model](concept-business-card.md).
 
-Document Intelligence now supports more sophisticated analysis capabilities. These optional capabilities can be enabled and disabled depending on the scenario of the document extraction. The following add-on capabilities are available for`2023-02-28-preview` and later releases:
+Document Intelligence supports more sophisticated analysis capabilities. These optional features can be enabled and disabled depending on the scenario of the document extraction. The following add-on capabilities are available for `2023-07-31 (GA)` and later releases:
+
+Document Intelligence now supports more sophisticated analysis capabilities. These optional capabilities can be enabled and disabled depending on the scenario of the document extraction. The following add-on capabilities are available for `2023-07-31 (GA)` and later releases:
 
 * [`ocr.highResolution`](#high-resolution-extraction)
 

articles/ai-services/document-intelligence/overview.md

@@ -38,7 +38,7 @@ Azure AI Document Intelligence is a cloud-based [Azure AI service](../../ai-serv
 
 | ✔️ [**Document analysis models**](#document-analysis-models) | ✔️ [**Prebuilt models**](#prebuilt-models) | ✔️ [**Custom models**](#custom-model-overview) |
 
-### Document analysis models
+## Document analysis models
 
 Document analysis models enable text extraction from forms and documents and return structured business-ready content ready for your organization's action, use, or progress.
 
@@ -57,7 +57,7 @@ Document analysis models enable text extraction from forms and documents and ret
    :::column-end:::
 :::row-end:::
 
-### Prebuilt models
+## Prebuilt models
 
 Prebuilt models enable you to add intelligent document processing to your apps and flows without having to train and build your own models.
 
@@ -110,7 +110,7 @@ Prebuilt models enable you to add intelligent document processing to your apps a
    :::column-end:::
 :::row-end:::
 
-### Custom models
+## Custom models
 
 Custom models are trained using your labeled datasets to extract distinct data from forms and documents, specific to your use cases. Standalone custom models can be combined to create composed models.
 
@@ -363,7 +363,17 @@ You can use Document Intelligence to automate document processing in application
 > [!div class="nextstepaction"]
 > [Return to custom model types](#custom-models)
 
-### Add-on capabilities
+## Add-on capabilities
+
+Document Intelligence supports optional features that can be enabled and disabled depending on the document extraction scenario. The following add-on capabilities are available for`2023-07-31 (GA)` and later releases:
+
+* [`ocr.highResolution`](concept-add-on-capabilities.md#high-resolution-extraction)
+
+* [`ocr.formula`](concept-add-on-capabilities.md#formula-extraction)
+
+* [`ocr.font`](concept-add-on-capabilities.md#font-property-extraction)
+
+* [`ocr.barcode`](concept-add-on-capabilities.md#barcode-property-extraction)
 
 :::moniker-end
 

articles/aks/image-cleaner.md

@@ -5,12 +5,12 @@ ms.author: nickoman
 author: nickomang
 ms.topic: article
 ms.custom: devx-track-azurecli
-ms.date: 06/02/2023
+ms.date: 10/22/2023
 ---
 
 # Use Image Cleaner to clean up stale images on your Azure Kubernetes Service (AKS) cluster
 
-It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images may contain vulnerabilities, which may create security issues. To remove security risks in your clusters, you can clean these unreferenced images. Manually cleaning images can be time intensive. Image Cleaner performs automatic image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up.
+It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images might contain vulnerabilities, which might create security issues. To remove security risks in your clusters, you can clean these unreferenced images. Manually cleaning images can be time intensive. Image Cleaner performs automatic image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up.
 
 > [!NOTE]
 > Image Cleaner is a feature based on [Eraser](https://eraser-dev.github.io/eraser).
@@ -27,20 +27,38 @@ Image Cleaner doesn't yet support Windows node pools or AKS virtual nodes.
 
 ## How Image Cleaner works
 
-When you enable Image Cleaner, it deploys an `eraser-controller-manager` pod, which generates an `ImageList` CRD. The eraser pods running on each node clean up any unreferenced and vulnerable images according to the `ImageList`. A [trivy][trivy] scan helps determine vulnerability and flags images with a classification of `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL`. Image Cleaner automatically generates an updated `ImageList` based on a set time interval and can also be supplied manually. Once Image Cleaner generates an `ImageList`, it removes all images in the list from node VMs.
+After you enable Image Cleaner, there will be a controller manager pod named `eraser-controller-manager` deployed to your cluster.
 
-:::image type="content" source="./media/image-cleaner/image-cleaner.jpg" alt-text="Screenshot of a diagram showing ImageCleaner's workflow. The ImageCleaner pods running on the cluster can generate an ImageList, or manual input can be provided.":::
-
-## Configuration options
+:::image type="content" source="./media/image-cleaner/Image-cleaner-1015.png" alt-text="Screenshot of a diagram showing ImageCleaner's workflow. The ImageCleaner pods running on the cluster can generate an ImageList, or manual input can be provided.":::
 
 With Image Cleaner, you can choose between manual and automatic mode and the following configuration options:
 
+## Configuration options
+
 |Name|Description|Required|
 |----|-----------|--------|
 |`--enable-image-cleaner`|Enable the Image Cleaner feature for an AKS cluster|Yes, unless disable is specified|
 |`--disable-image-cleaner`|Disable the Image Cleaner feature for an AKS cluster|Yes, unless enable is specified|
 |`--image-cleaner-interval-hours`|This parameter determines the interval time (in hours) Image Cleaner uses to run. The default value for Azure CLI is one week, the minimum value is 24 hours and the maximum is three months.|Not required for Azure CLI, required for ARM template or other clients|
 
+### Automatic mode
+Once `eraser-controller-manager` is deployed,
+
+  - it will start first time's clean up immediately and create worker pods per node named like `eraser-aks-xxxxx`
+  - inside each worker pod, there are 3 containers:
+    - collector: collect unused images
+    - trivy-scanner: leverage [trivy](https://github.com/aquasecurity/trivy) to scan image vulnerabilities
+    - remover: remove used images with vulnerabilities 
+  - after clean up, worker pod will be deleted and its next schedule up is after the `--image-cleaner-interval-hours` you have set
+
+### Manual mode
+
+You can also manually trigger the clean up by defining a CRD object `ImageList`. Then `eraser-contoller-manager` will create worker pod per node as well to finish manual removal.
+
+:::image type="content" source="./media/image-cleaner/Image-cleaner-1015.png" alt-text="Screenshot of a diagram showing ImageCleaner's workflow. The ImageCleaner pods running on the cluster can generate an ImageList, or manual input can be provided.":::
+
+
+
 > [!NOTE]
 > After disabling Image Cleaner, the old configuration still exists. This means if you enable the feature again without explicitly passing configuration, the existing value is used instead of the default.
 
@@ -51,7 +69,9 @@ With Image Cleaner, you can choose between manual and automatic mode and the fol
 * Enable Image Cleaner on a new AKS cluster using the [`az aks create`][az-aks-create] command with the `--enable-image-cleaner` parameter.
 
     ```azurecli-interactive
-    az aks create -g myResourceGroup -n myManagedCluster \
+    az aks create \
+      --resource-group myResourceGroup \
+      --name myManagedCluster \
       --enable-image-cleaner
     ```
 
@@ -60,7 +80,9 @@ With Image Cleaner, you can choose between manual and automatic mode and the fol
 * Enable Image Cleaner on an existing AKS cluster using the [`az aks update`][az-aks-update] command.
 
     ```azurecli-interactive
-    az aks update -g myResourceGroup -n myManagedCluster \
+    az aks update \
+      --resource-group myResourceGroup \
+      --name myManagedCluster \
       --enable-image-cleaner
     ```
 
@@ -69,46 +91,37 @@ With Image Cleaner, you can choose between manual and automatic mode and the fol
 * Update the Image Cleaner interval on a new or existing AKS cluster using the  `--image-cleaner-interval-hours` parameter.
 
     ```azurecli-interactive
-    # Update the interval on a new cluster
-    az aks create -g myResourceGroup -n myManagedCluster \
+    # Create a new cluster with specifying the interval
+    az aks create \
+      --resource-group myResourceGroup \
+      --name myManagedCluster \
       --enable-image-cleaner \
       --image-cleaner-interval-hours 48
+
     # Update the interval on an existing cluster
-    az aks update -g myResourceGroup -n myManagedCluster \
+    az aks update \
+      --resource-group myResourceGroup \
+      --name myManagedCluster \
+      --enable-image-cleaner \
       --image-cleaner-interval-hours 48
     ```
 
-After you enable the feature, the `eraser-controller-manager-xxx` pod and `collector-aks-xxx` pod are deployed. The `eraser-aks-xxx` pod contains *three* containers:
-
-  - **Scanner container**: Performs vulnerability image scans
-  - **Collector container**: Collects nonrunning and unused images
-  - **Remover container**: Removes these images from cluster nodes
-
-Image Cleaner generates an `ImageList` containing nonrunning and vulnerable images at the desired interval based on your configuration. Image Cleaner automatically removes these images from cluster nodes.
-
 ## Manually remove images using Image Cleaner
 
-1. Create an `ImageList` using the following example YAML named `image-list.yml`.
+* Example to manually remove image `docker.io/library/alpine:3.7.3` if it is unused.
 
-    ```yml
-    apiVersion: eraser.sh/v1alpha1
+    ```bash
+    cat <<EOF | kubectl apply -f -
+    apiVersion: eraser.sh/v1
     kind: ImageList
     metadata:
       name: imagelist
     spec:
       images:
         - docker.io/library/alpine:3.7.3
-    // You can also use "*" to specify all non-running images
-    ```
-
-2. Apply the `ImageList` to your cluster using the `kubectl apply` command.
-
-    ```bash
-    kubectl apply -f image-list.yml
+    EOF
     ```
 
-    Applying the `ImageList` triggers a job named `eraser-aks-xxx`, which causes Image Cleaner to remove the desired images from all nodes. Unlike the `eraser-aks-xxx` pod under autoclean with *three* containers, the eraser-pod here has only *one* container.
-
 ## Image exclusion list
 
 Images specified in the exclusion list aren't removed from the cluster. Image Cleaner supports system and user-defined exclusion lists. It's not supported to edit the system exclusion list.
@@ -118,7 +131,7 @@ Images specified in the exclusion list aren't removed from the cluster. Image Cl
 * Check the system exclusion list using the following `kubectl get` command.
 
      ```bash
-    kubectl get -n kube-system cm eraser-system-exclusion -o yaml
+    kubectl get -n kube-system configmap eraser-system-exclusion -o yaml
     ```
 
 ### Create a user-defined exclusion list
@@ -138,76 +151,97 @@ Images specified in the exclusion list aren't removed from the cluster. Image Cl
     kubectl label configmap excluded eraser.sh/exclude.list=true -n kube-system
     ```
 
-3. Verify the images are in the exclusion list using the following `kubectl logs` command.
-
-    ```bash
-    kubectl logs -n kube-system <eraser-pod-name>
-    ```
-
-## Image Cleaner image logs
-
-Deletion image logs are stored in `eraser-aks-nodepool-xxx` pods for manually deleted images and in `collector-aks-nodes-xxx` pods for automatically deleted images.
-
-You can view these logs using the `kubectl logs <pod name> -n kubesystem` command. However, this command may return only the most recent logs, since older logs are routinely deleted. To view all logs, follow these steps to enable the [Azure Monitor add-on](./monitor-aks.md) and use the Container Insights pod log table.
-
-1. Ensure Azure Monitoring is enabled on your cluster. For detailed steps, see [Enable Container Insights on AKS clusters](../azure-monitor/containers/container-insights-enable-aks.md#existing-aks-cluster).
-
-2. Get the Log Analytics resource ID using the [`az aks show`][az-aks-show] command.
-
-   ```azurecli
-   az aks show -g myResourceGroup -n myManagedCluster
-   ```
-
-   After a few minutes, the command returns JSON-formatted information about the solution, including the workspace resource ID.
-
-    ```json
-   "addonProfiles": {
-    "omsagent": {
-      "config": {
-        "logAnalyticsWorkspaceResourceID": "/subscriptions/<WorkspaceSubscription>/resourceGroups/<DefaultWorkspaceRG>/providers/Microsoft.OperationalInsights/workspaces/<defaultWorkspaceName>"
-      },
-      "enabled": true
-    }
-   }
-    ```
-
-3. In the Azure portal, search for the workspace resource ID, then select **Logs**.
-
-4. Copy this query into the table, replacing `name` with either `eraser-aks-nodepool-xxx` (for manual mode) or `collector-aks-nodes-xxx` (for automatic mode).
-
-   ```kusto
-      let startTimestamp = ago(1h);
-   KubePodInventory
-   | where TimeGenerated > startTimestamp
-   | project ContainerID, PodName=Name, Namespace
-   | where PodName contains "name" and Namespace startswith "kube-system"
-   | distinct ContainerID, PodName
-   | join
-   (
-       ContainerLog
-       | where TimeGenerated > startTimestamp
-   )
-   on ContainerID
-   // at this point before the next pipe, columns from both tables are available to be "projected". Due to both
-   // tables having a "Name" column, we assign an alias as PodName to one column which we actually want
-   | project TimeGenerated, PodName, LogEntry, LogEntrySource
-   | summarize by TimeGenerated, LogEntry
-   | order by TimeGenerated desc
-   ```
-
-5. Select **Run**. Any deleted image logs appear in the **Results** area.
-
-   :::image type="content" source="media/image-cleaner/eraser-log-analytics.png" alt-text="Screenshot showing deleted image logs in the Azure portal." lightbox="media/image-cleaner/eraser-log-analytics.png":::
-
 ## Disable Image Cleaner
 
 * Disable Image Cleaner on your cluster using the [`az aks update`][az-aks-update] command with the `--disable-image-cleaner` parameter.
 
     ```azurecli-interactive
-    az aks update -g myResourceGroup -n myManagedCluster \
+    az aks update \
+      --resource-group myResourceGroup \
+      --name myManagedCluster \
       --disable-image-cleaner
     ```
 
+## FAQ
+
+### How to check eraser version is using?
+```
+kubectl get configmap -n kube-system eraser-manager-config | grep tag -C 3
+```
+
+### Does Image Cleaner support other vulnerability scanners besides trivy-scanner?
+No.
+
+### Can I specify vulnerability levels for images to clean?
+Currently no. The default settings for vulnerablity levels are:
+- `LOW`
+- `MEDIUM`
+- `HIGH`
+- `CRITICAL`
+
+And they cannot be customized.
+
+### How to review images were cleaned up by Image Cleaner?
+
+Image logs are stored in worker pod - `eraser-aks-xxxxx` and
+
+- when `eraser-aks-xxxxx` is alive, you can run below commands to view deletion logs.
+```bash
+kubectl logs -n kube-system <worker-pod-name> -c collector
+kubectl logs -n kube-system <worker-pod-name> -c trivy-scanner
+kubectl logs -n kube-system <worker-pod-name> -c remover
+```
+
+- when `eraser-aks-xxxxx` was deleted, you can follow these steps to enable the [Azure Monitor add-on](./monitor-aks.md) and use the Container Insights pod log table to view historical pod logs.
+  1. Ensure Azure Monitoring is enabled on your cluster. For detailed steps, see [Enable Container Insights on AKS clusters](../azure-monitor/containers/container-insights-enable-aks.md#existing-aks-cluster).
+
+  2. Get the Log Analytics resource ID using the [`az aks show`][az-aks-show] command.
+
+     ```azurecli
+     az aks show -g myResourceGroup -n myManagedCluster
+     ```
+
+     After a few minutes, the command returns JSON-formatted information about the solution, including the workspace resource ID.
+
+     ```json
+     "addonProfiles": {
+       "omsagent": {
+         "config": {
+           "logAnalyticsWorkspaceResourceID": "/subscriptions/<WorkspaceSubscription>/resourceGroups/<DefaultWorkspaceRG>/providers/Microsoft.OperationalInsights/workspaces/<defaultWorkspaceName>"
+         },
+         "enabled": true
+       }
+     }
+     ```
+
+  3. In the Azure portal, search for the workspace resource ID, then select **Logs**.
+
+  4. Copy this query into the table, replacing `name` with `eraser-aks-xxxxx` (worker pod name).
+
+     ```kusto
+     let startTimestamp = ago(1h);
+     KubePodInventory
+     | where TimeGenerated > startTimestamp
+     | project ContainerID, PodName=Name, Namespace
+     | where PodName contains "name" and Namespace startswith "kube-system"
+     | distinct ContainerID, PodName
+     | join
+     (
+         ContainerLog
+         | where TimeGenerated > startTimestamp
+     )
+     on ContainerID
+     // at this point before the next pipe, columns from both tables are available to be "projected". Due to both
+     // tables having a "Name" column, we assign an alias as PodName to one column which we actually want
+     | project TimeGenerated, PodName, LogEntry, LogEntrySource
+     | summarize by TimeGenerated, LogEntry
+     | order by TimeGenerated desc
+     ```
+
+  5. Select **Run**. Any deleted image logs appear in the **Results** area.
+
+     :::image type="content" source="media/image-cleaner/eraser-log-analytics.png" alt-text="Screenshot showing deleted image logs in the Azure portal." lightbox="media/image-cleaner/eraser-log-analytics.png":::
+
 <!-- LINKS -->
 
 [azure-cli-install]: /cli/azure/install-azure-cli

articles/azure-arc/servers/api-extended-security-updates.md

@@ -1,7 +1,7 @@
 ---
 title: Programmatically deploy and manage Azure Arc Extended Security Updates licenses
 description: Learn how to programmatically deploy and manage Azure Arc Extended Security Updates licenses for Windows Server 2012.
-ms.date: 10/02/2023
+ms.date: 10/23/2023
 ms.topic: conceptual
 ---
 
@@ -64,7 +64,6 @@ https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOUR
   "location": "SAME_REGION_AS_MACHINE",
   "properties": {
     "esuProfile": {
-      "assignedLicense": ""
     }
   }
 }