Merge pull request #18213 from MicrosoftDocs/main

sethmanheim · web-flow · commit 9531bff56b35 · 2025-06-16T10:17:18.000-07:00
Sync release-local-2506 with main
diff --git a/AKS-Arc/concepts-storage.md b/AKS-Arc/concepts-storage.md
@@ -3,7 +3,7 @@ title: Concepts - Storage options for applications in AKS enabled by Azure Arc
 description: Storage options for applications in AKS enabled by Azure Arc.
 author: sethmanheim
 ms.topic: conceptual
-ms.date: 06/24/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: abha
@@ -112,6 +112,23 @@ volumeMounts:
           name: k-dir 
 ```
 
+## Secure pod access to mounted volumes
+
+For your applications to run correctly, pods should run as a defined user or group and not as *root*. The `securityContext` for a pod or container lets you define settings such as *fsGroup* to assume the appropriate permissions on the mounted volumes.
+
+**fsGroup** is a field within the `securityContext` of a Kubernetes pod specification. It defines a supplemental group ID that Kubernetes assigns to all processes in the pod, and recursively to the files in mounted volumes. This ensures that the pod has the correct group-level access to shared storage volumes.
+
+When a volume is mounted, Kubernetes changes the ownership of the volume's contents to match the **fsGroup** value. This is particularly useful when containers run as non-root users and need write access to shared volumes.
+
+The following example YAML shows the **fsgroup** value:
+
+```yaml
+securityContext:
+  fsGroup: 2000
+```
+
+In this example, all files in mounted volumes are accessible by GID 2000.
+
 ## Next steps
 
 - [Use the AKS on Azure Local disk Container Storage Interface (CSI) drivers](./container-storage-interface-disks.md).
diff --git a/AKS-Arc/container-storage-interface-files.md b/AKS-Arc/container-storage-interface-files.md
@@ -3,7 +3,7 @@ title: Use Container Storage Interface (CSI) file drivers in AKS enabled by Azur
 description: Learn how to use Container Storage Interface (CSI) drivers to manage files in AKS Arc.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 08/20/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 01/14/2022
 ms.reviewer: abha
@@ -31,7 +31,7 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the Azure portal or the `az aksarc create` command. If you create a Kubernetes cluster by using `--disable-smb-driver`, you must enable the SMB driver on this cluster using the `az aksarc update` command:
+1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal, Azure Resource Manager (ARM) template, or Terraform, or by using the `az aksarc create` command with `--disable-smb-driver`, you must enable the SMB driver on this cluster using the `az aksarc update` command:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-smb-driver
@@ -78,7 +78,7 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the NFS driver is deployed. The NFS CSI driver is installed by default when you create a Kubernetes cluster using the Azure portal or the `az aksarc create` command. If you create a Kubernetes cluster by using `--disable-nfs-driver`, you must enable the the NFS driver on this cluster using the `az aksarc update` command:
+1. Make sure the NFS driver is deployed. The NFS CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal, Azure Resource Manager (ARM) template, or Terraform, or by using the `az aksarc create` command with `--disable-nfs-driver`, you must enable the the NFS driver on this cluster using the `az aksarc update` command:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-nfs-driver
diff --git a/azure-local/known-issues.md b/azure-local/known-issues.md
diff --git a/azure-local/manage/manage-secrets-rotation.md b/azure-local/manage/manage-secrets-rotation.md
@@ -4,7 +4,7 @@ description: This article describes how to manage internal secret rotation on Az
 author:  alkohli
 ms.author:  alkohli
 ms.topic: how-to
-ms.date: 04/09/2025
+ms.date: 06/16/2025
 ms.service: azure-local
 ---
 
@@ -190,14 +190,14 @@ The exact steps for secret rotation are different depending on the software vers
     Start-SecretRotation
     ```
 
-### Azure Local instance running 2408.2 to 2405.3
+### Azure Local instance running 2408.2 or earlier
 
 1. Sign in to one of the Azure Local nodes using deployment user credentials.
 1. Update the CA Certificate password in ECE store. Run the following PowerShell command:
 
     ```PowerShell
     $SecureSecretText = ConvertTo-SecureString -String "<Replace with a strong password>" -AsPlainText -Force
-    $CACertCred = New-Object -Type PSCredential -ArgumentList "CACertificateCred,$SecureSecretText"
+    $CACertCred = New-Object -Type PSCredential -ArgumentList (CACertificateCred),$SecureSecretText
     Set-ECEServiceSecret -ContainerName CACertificateCred -Credential $CACertCred
     ```
 
diff --git a/azure-local/media/release-information-23h2/release-trains-supported-update-paths.png b/azure-local/media/release-information-23h2/release-trains-supported-update-paths.png
diff --git a/azure-local/overview.md b/azure-local/overview.md
@@ -77,7 +77,6 @@ Customers often choose Azure Local in the following scenarios.
 | Highly performant SQL Server | Azure Local provides an additional layer of resiliency to highly available, mission-critical Always On availability groups-based deployments of SQL Server. This approach also offers extra benefits associated with the single-vendor approach, including simplified support and performance optimizations built into the underlying platform. To learn more, see [Deploy SQL Server on Azure Local](./deploy/sql-server-23h2.md). |
 | Trusted enterprise virtualization | Azure Local satisfies the trusted enterprise virtualization requirements through its built-in support for Virtualization-based Security (VBS). VBS relies on Hyper-V to implement the mechanism referred to as virtual secure mode, which forms a dedicated, isolated memory region within its guest VMs. By using programming techniques, it's possible to perform designated, security-sensitive operations in this dedicated memory region while blocking access to it from the host OS. This considerably limits potential vulnerability to kernel-based exploits. To learn more, see [About Trusted Launch for Azure Local VMs enabled by Arc](./manage/trusted-launch-vm-overview.md). |
 | Scale-out storage | Storage Spaces Direct is a core technology of Azure Local that uses industry-standard servers with locally attached drives to offer high availability, performance, and scalability. Using Storage Spaces Direct results in significant cost reductions compared with competing offers based on storage area network (SAN) or network-attached storage (NAS) technologies. These benefits result from an innovative design and a wide range of enhancements, such as persistent read/write cache drives, mirror-accelerated parity, nested resiliency, and deduplication. |
-| Disaster recovery for virtualized workloads | A stretched cluster of Azure Local (functionality only available in Azure Stack HCI OS, version 22H2) provides automatic failover of virtualized workloads to a secondary site following a primary site failure. Synchronous replication ensures crash consistency of VM disks. |
 | Data center consolidation and modernization | Refreshing and consolidating aging virtualization hosts with Azure Local can improve scalability and make your environment easier to manage and secure. It's also an opportunity to retire legacy SAN storage to reduce footprint and total cost of ownership. Operations and systems administration are simplified with unified tools and interfaces and a single point of support. |
 | Branch office and edge | For branch office and edge workloads, you can minimize infrastructure costs by deploying two-node clusters with inexpensive witness options, such as a cloud witness. Another factor that contributes to the lower cost of two-node clusters is support for switchless networking, which relies on crossover cable between cluster nodes instead of more expensive high-speed switches. Customers can also centrally view remote Azure Local deployments in the Azure portal. To learn more, see [Deploy branch office and edge on Azure Local](deploy/branch-office-edge.md). |
 
diff --git a/azure-local/upgrade/install-solution-upgrade.md b/azure-local/upgrade/install-solution-upgrade.md
@@ -3,7 +3,7 @@ title: Install solution upgrade on Azure Local
 description: Learn how to install the solution upgrade on your Azure Local instance.
 author: alkohli
 ms.topic: how-to
-ms.date: 06/11/2025
+ms.date: 06/13/2025
 ms.author: alkohli
 ms.reviewer: alkohli
 ms.service: azure-local
@@ -28,9 +28,6 @@ Throughout this article, we refer to OS version 23H2 as the *new* version and ve
 Before you install the solution upgrade, make sure that you:
 
 - Validate the system using the Environment Checker as per the instructions in [Assess solution upgrade readiness](./validate-solution-upgrade-readiness.md#run-the-validation).
-- Verify that latest `AzureEdgeLifecycleManager` extension on each machine is installed as per the instructions in [Check the Azure Arc extension](./validate-solution-upgrade-readiness.md#remediation-9-check-the-azure-arc-lifecycle-extension).
-
-    :::image type="content" source="media/install-solution-upgrade/verify-lcmextension-installed.png" alt-text="Screenshot of Extensions page showing AzureEdgeLifeCycleManager extension install on an Azure Local machine." lightbox="./media/install-solution-upgrade/verify-lcmextension-installed.png":::
 - Have failover cluster name between 3 to 15 characters.
 - Create an Active Directory Lifecycle Manager (LCM) user account that's a member of the local Administrator group. For instructions, see [Prepare Active Directory for Azure Local deployment](../deploy/deployment-prep-active-directory.md).
 - Have IPv4 network range that matches your host IP address subnet with six, contiguous IP addresses available for new Azure Arc services. Work with your network administrator to ensure that the IP addresses aren't in use and meet the outbound connectivity requirement.
diff --git a/azure-local/upgrade/media/install-solution-upgrade/verify-lcmextension-installed.png b/azure-local/upgrade/media/install-solution-upgrade/verify-lcmextension-installed.png
diff --git a/azure-local/upgrade/validate-solution-upgrade-readiness.md b/azure-local/upgrade/validate-solution-upgrade-readiness.md
@@ -150,9 +150,9 @@ Use the following commands for each machine to install the required features. If
 $windowsFeature =  @( 
 
                 "Failover-Clustering",
-                "FileServerVSSAgent", 
-                "FSRM-Infrastructure", 
-                "Microsoft-Windows-GroupPolicy-ServerAdminTools-Update", 
+                "FS-VSS-Agent", 
+                "FS-Resource-Manager", 
+                "GPMC", 
                 "NetworkATC", 
                 "NetworkController",
                 "RSAT-AD-Powershell", 
