Describe the problem you are trying to solve:
Currently, Dataproc clusters are frequently flagged by Security Command Center (SCC) for OS-level vulnerabilities (e.g., CVE-2025-48384) due to the natural lag between upstream OS patches and the Dataproc base image build cycle.
Customers are forced to manually apply upgrades during cluster creation. However, many enterprise clusters are launched in private networks without internet access, making it difficult or impossible to reliably run `apt-get upgrade` or install `unattended-upgrades` at boot without failing. This limitation actively blocks enterprise deployments and Proof-of-Concepts (PoCs) that require strict security compliance and clean SCC scans.
Describe the solution you'd like:
We need a new `harden` initialization action that can apply standard OS hardening and remediation steps. Since Dataproc doesn't use a central configuration management system (like a Puppetmaster) to push updates to nodes, we need to ensure each node is capable of updating itself.
The init action should implement functions like `refresh_package_list` and `install_latest_packages`. Specifically, it needs to install and configure `unattended-upgrades` (for Debian/Ubuntu) and `dnf-automatic` (for Rocky Linux) on all nodes in the cluster.
A draft implementation for the initialization action could look like this:

```bash
#!/bin/bash
# Draft init action: patch the node once, then enable unattended updates.
set -euo pipefail

function configure_unattended_upgrades() {
  if [[ -f /etc/debian_version ]]; then
    # Debian/Ubuntu
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
    # Pre-seed debconf so the package enables automatic updates without prompting
    echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades
    dpkg-reconfigure -f noninteractive unattended-upgrades
  elif [[ -f /etc/redhat-release ]]; then
    # Rocky Linux / RHEL
    dnf upgrade -y
    dnf install -y dnf-automatic
    # Switch dnf-automatic from download-only to applying updates
    sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
    systemctl enable --now dnf-automatic.timer
  else
    echo "Unsupported OS" >&2
    exit 1
  fi
}

configure_unattended_upgrades
```
Ultimately, these hardening steps should be baked directly into the Dataproc base image during the `build-image.sh` phase (e.g., by expanding the set of hardening functions around line 214). This ensures that clusters boot secure-by-default, even in air-gapped environments where fetching packages at boot time would fail.
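As an added sketch (not code from this repository), here is how the proposed `refresh_package_list` / `install_latest_packages` functions could be structured so that a node in a private network without egress skips the online steps instead of failing cluster creation. It assumes the action runs as root on Debian/Ubuntu or Rocky/RHEL; the helper names and the `harden_node` entry point are this example's own.

```bash
#!/bin/bash
# Added example, not the project's code: the refresh_package_list /
# install_latest_packages functions the issue proposes, gated on repository
# reachability so a private-network node degrades instead of failing. Assumes root.
set -eu
# Classify the OS from an os-release file ($1 defaults to /etc/os-release).
detect_os_family() {
  local ids
  ids=$(. "${1:-/etc/os-release}" && printf ' %s %s ' "${ID:-}" "${ID_LIKE:-}")
  case "$ids" in
    *" debian "*|*" ubuntu "*)           echo debian ;;
    *" rhel "*|*" rocky "*|*" fedora "*) echo rhel ;;
    *)                                   echo unknown ;;
  esac
}
# Refresh metadata with a bounded timeout; non-zero status means no reachable repo.
refresh_package_list() {
  case "$(detect_os_family)" in
    debian) timeout 120 apt-get update -qq ;;
    rhel)   timeout 120 dnf makecache -q ;;
    *)      return 1 ;;
  esac
}
install_latest_packages() {
  case "$(detect_os_family)" in
    debian) DEBIAN_FRONTEND=noninteractive apt-get upgrade -y -qq ;;
    rhel)   dnf upgrade -y -q ;;
  esac
}
# Idempotent config writers, parameterised on the target file so they can be tested.
write_apt_periodic() {
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$1"
}
enable_dnf_apply_updates() {
  sed -i -E 's/^apply_updates[[:space:]]*=.*/apply_updates = yes/' "$1"
}
# Entry point the init action calls: patch now, then enable self-updating.
harden_node() {
  if ! refresh_package_list; then
    echo "harden: package repository unreachable; skipping online steps" >&2; return 0
  fi
  install_latest_packages
  case "$(detect_os_family)" in
    debian) DEBIAN_FRONTEND=noninteractive apt-get install -y -qq unattended-upgrades
            write_apt_periodic /etc/apt/apt.conf.d/20auto-upgrades ;;
    rhel)   dnf install -y -q dnf-automatic
            enable_dnf_apply_updates /etc/dnf/automatic.conf
            systemctl enable --now dnf-automatic.timer ;;
  esac
}
```

The detection and config-writing helpers take a file path so they can be exercised against constructed files before the action is run on a real node; an image-build step can call the same functions against the image root.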
Additional context:
This issue was highlighted by an escalated enterprise case where a customer was attempting to use SCC mute rules to hide vulnerabilities because stopping the cluster did not remediate the persistent boot disk. We must provide a robust, automated way for customers to deploy hardened clusters that pass security scans out-of-the-box.