Azure · saewoni · Jan 8, 2026 · Jan 8, 2026 · Jan 9, 2026 · Jan 9, 2026
@@ -1171,6 +1171,17 @@ EOF
     echo "Enable localdns succeeded."
 }
 
+# This function enables and starts the mcr-hosts-setup timer.
+# The timer periodically resolves mcr.microsoft.com DNS records and populates /etc/hosts.testing.
+shouldEnableMCRHostsSetup() {
+    # Enable periodic resolution and caching of MCR (Microsoft Container Registry) DNS addresses
+    # Writes resolved IPs to /etc/hosts.testing which is read by LocalDNS corefile
+    # This reduces external DNS queries and improves reliability for container image pulls
+    echo "mcr-hosts-setup timer should be enabled."
+    systemctlEnableAndStart mcr-hosts-setup.timer 30 || exit $ERR_SYSTEMCTL_START_FAIL
+    echo "Enable mcr-hosts-setup timer succeeded."
+}
+
 configureManagedGPUExperience() {
     if [ "${GPU_NODE}" = "true" ] && [ "${skip_nvidia_driver_install}" != "true" ] && [ "${ENABLE_MANAGED_GPU_EXPERIENCE}" = "true" ]; then
         logs_to_events "AKS.CSE.installNvidiaManagedExpPkgFromCache" "installNvidiaManagedExpPkgFromCache" || exit $ERR_NVIDIA_DCGM_INSTALL

@@ -296,6 +296,10 @@ EOF
     # This is to enable localdns using scriptless.
     if [ "${SHOULD_ENABLE_LOCALDNS}" = "true" ]; then
         logs_to_events "AKS.CSE.shouldEnableLocalDns" shouldEnableLocalDns || exit $ERR_LOCALDNS_FAIL
+
+        # Enable mcr-hosts-setup timer to periodically resolve and cache MCR DNS addresses
+        # This only runs when LocalDNS is enabled since LocalDNS reads from /etc/hosts.testing
+        logs_to_events "AKS.CSE.shouldEnableMCRHostsSetup" shouldEnableMCRHostsSetup || exit $ERR_SYSTEMCTL_START_FAIL
     fi
 
     if [ "${ID}" != "mariner" ] && [ "${ID}" != "azurelinux" ]; then

@@ -0,0 +1,11 @@
+[Unit]
+Description=Populate /etc/hosts.testing with mcr.microsoft.com addresses
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/azure/containers/mcr-hosts-setup.sh
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,60 @@
+#!/bin/bash
+set -euo pipefail
+
+# mcr-hosts-setup.sh
+# Resolves A and AAAA records for mcr.microsoft.com and populates /etc/hosts.testing
+
+HOSTS_FILE="/etc/hosts.testing"
+DOMAIN="mcr.microsoft.com"
+
+echo "Starting MCR hosts resolution at $(date)"
+
+# Get IPv4 addresses (A records)
+echo "Resolving IPv4 addresses for ${DOMAIN}..."
+IPV4_ADDRS=$(dig +short A "${DOMAIN}" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true)
+
+# Get IPv6 addresses (AAAA records)
+echo "Resolving IPv6 addresses for ${DOMAIN}..."
+IPV6_ADDRS=$(dig +short AAAA "${DOMAIN}" | grep -E '^[0-9a-f:]+$' || true)
+
+# Check if we got any results
+if [[ -z "${IPV4_ADDRS}" ]] && [[ -z "${IPV6_ADDRS}" ]]; then
+    echo "WARNING: No IP addresses resolved for ${DOMAIN} at $(date)"
+    echo "This is likely a temporary DNS issue. Timer will retry later."
+    # Keep existing hosts file intact and exit successfully so systemd doesn't mark unit as failed
+    exit 0
+fi
+
+# Populate hosts file
+echo "Writing addresses to ${HOSTS_FILE}..."
+{
+    echo "# MCR addresses resolved at $(date)"
+    echo "# This file is automatically generated by mcr-hosts-setup.service"
+    echo ""
+
+    if [[ -n "${IPV4_ADDRS}" ]]; then
+        echo "# IPv4 addresses"
+        for addr in ${IPV4_ADDRS}; do
+            echo "${addr} ${DOMAIN}"
+        done
+    fi
+
+    if [[ -n "${IPV6_ADDRS}" ]]; then
+        echo ""
+        echo "# IPv6 addresses"
+        for addr in ${IPV6_ADDRS}; do
+            echo "${addr} ${DOMAIN}"
+        done
+    fi
+} > "${HOSTS_FILE}"
+
+# Log summary
+IPV4_COUNT=$(echo "${IPV4_ADDRS}" | wc -w)
+IPV6_COUNT=$(echo "${IPV6_ADDRS}" | wc -w)
+echo "Successfully updated ${HOSTS_FILE} with ${IPV4_COUNT} IPv4 and ${IPV6_COUNT} IPv6 addresses"
+
+# Optional: Log the actual addresses for debugging
+echo "IPv4 addresses: ${IPV4_ADDRS:-none}"
+echo "IPv6 addresses: ${IPV6_ADDRS:-none}"
+
+echo "MCR hosts resolution completed at $(date)"
@@ -0,0 +1,16 @@
+[Unit]
+Description=Run MCR hosts setup periodically
+Before=localdns.service
+
+[Timer]
+# Run immediately on boot
+OnBootSec=0
+# Run 5 minutes after the last activation (MCR IPs don't change frequently)
+OnUnitActiveSec=5min
+# Timer accuracy (how much systemd can delay)
+AccuracySec=1s
+# Add randomization to avoid thundering herd if multiple nodes boot simultaneously
+RandomizedDelaySec=60s
+
+[Install]
+WantedBy=timers.target
@@ -1824,6 +1824,10 @@ health-check.localdns.local:53 {
     log
     {{- end }}
     bind {{$.NodeListenerIP}}
+    # Check /etc/hosts.testing first for mcr.microsoft.com and other cached entries
+    hosts /etc/hosts.testing {
+        fallthrough
+    }
     {{- if $isRootDomain}}
     forward . {{$.AzureDNSIP}} {
     {{- else}}

@@ -589,6 +589,31 @@ Describe 'cse_config.sh'
         End
     End
 
+    Describe 'shouldEnableMCRHostsSetup'
+        setup() {
+            systemctlEnableAndStart() {
+                echo "systemctlEnableAndStart $@"
+                return 0
+            }
+        }
+
+        BeforeEach 'setup'
+
+        It 'should enable mcr-hosts-setup timer successfully'
+            When call shouldEnableMCRHostsSetup
+            The status should be success
+            The output should include "mcr-hosts-setup timer should be enabled."
+            The output should include "systemctlEnableAndStart mcr-hosts-setup.timer 30"
+            The output should include "Enable mcr-hosts-setup timer succeeded."
+        End
+
+        It 'should call systemctlEnableAndStart with correct parameters'
+            When call shouldEnableMCRHostsSetup
+            The status should be success
+            The output should include "systemctlEnableAndStart mcr-hosts-setup.timer 30"
+        End
+    End
+
     Describe 'configureAndStartSecureTLSBootstrapping'
         SECURE_TLS_BOOTSTRAPPING_DROP_IN="secure-tls-bootstrap.service.d/10-securetlsbootstrap.conf"
         API_SERVER_NAME="fqdn"

@@ -0,0 +1,101 @@
+#shellcheck shell=bash
+#shellcheck disable=SC2148
+
+Describe 'mcr-hosts-setup.sh'
+
+    Describe 'DNS resolution and hosts file creation'
+        # Mock dig command to return test IPs
+        dig() {
+            case "$3" in
+                A)
+                    echo "1.2.3.4"
+                    echo "5.6.7.8"
+                    ;;
+                AAAA)
+                    echo "2001:db8::1"
+                    echo "2001:db8::2"
+                    ;;
+            esac
+        }
+
+        setup() {
+            TEST_DIR="/tmp/mcrhostssetuptest"
+            mkdir -p "$TEST_DIR"
+
+            HOSTS_FILE="${TEST_DIR}/etc/hosts.testing"
+            mkdir -p "$(dirname "$HOSTS_FILE")"
+        }
+
+        cleanup() {
+            rm -rf "$TEST_DIR"
+        }
+
+        BeforeEach 'setup'
+        AfterEach 'cleanup'
+
+        It 'creates hosts file with resolved addresses'
+            DOMAIN="mcr.microsoft.com"
+
+            # Simulate script logic
+            IPV4_ADDRS=$(dig +short A "${DOMAIN}" | grep -E '^[0-9]+\.' || true)
+            IPV6_ADDRS=$(dig +short AAAA "${DOMAIN}" | grep -E '^[0-9a-f:]+' || true)
+
+            {
+                echo "# MCR addresses resolved at $(date)"
+                echo "# This file is automatically generated by mcr-hosts-setup.service"
+                echo ""
+
+                if [ -n "${IPV4_ADDRS}" ]; then
+                    echo "# IPv4 addresses"
+                    for addr in ${IPV4_ADDRS}; do
+                        echo "${addr} ${DOMAIN}"
+                    done
+                fi
+
+                if [ -n "${IPV6_ADDRS}" ]; then
+                    echo ""
+                    echo "# IPv6 addresses"
+                    for addr in ${IPV6_ADDRS}; do
+                        echo "${addr} ${DOMAIN}"
+                    done
+                fi
+            } > "${HOSTS_FILE}"
+
+            When call test -f "$HOSTS_FILE"
+            The status should be success
+            The file "$HOSTS_FILE" should be exist
+        End
+
+        It 'includes IPv4 addresses in hosts file'
+            Skip if "not implemented yet" test -z "$SKIP_THIS_TEST"
+
+            DOMAIN="mcr.microsoft.com"
+            IPV4_ADDRS=$(dig +short A "${DOMAIN}" | grep -E '^[0-9]+\.' || true)
+
+            {
+                for addr in ${IPV4_ADDRS}; do
+                    echo "${addr} ${DOMAIN}"
+                done
+            } > "${HOSTS_FILE}"
+
+            The contents of file "$HOSTS_FILE" should include "1.2.3.4 mcr.microsoft.com"
+            The contents of file "$HOSTS_FILE" should include "5.6.7.8 mcr.microsoft.com"
+        End
+
+        It 'includes IPv6 addresses in hosts file'
+            Skip if "not implemented yet" test -z "$SKIP_THIS_TEST"
+
+            DOMAIN="mcr.microsoft.com"
+            IPV6_ADDRS=$(dig +short AAAA "${DOMAIN}" | grep -E '^[0-9a-f:]+' || true)
+
+            {
+                for addr in ${IPV6_ADDRS}; do
+                    echo "${addr} ${DOMAIN}"
+                done
+            } > "${HOSTS_FILE}"
+
+            The contents of file "$HOSTS_FILE" should include "2001:db8::1 mcr.microsoft.com"
+            The contents of file "$HOSTS_FILE" should include "2001:db8::2 mcr.microsoft.com"
+        End
+    End
+End
@@ -294,6 +294,20 @@ copyPackerFiles() {
   cpAndMode $LOCALDNS_SERVICE_DELEGATE_SRC $LOCALDNS_SERVICE_DELEGATE_DEST 0644
 # ---------------------------------------------------------------------------------------
 
+# ------------------------- Files related to mcr-hosts-setup ----------------------------
+  MCR_HOSTS_SETUP_SCRIPT_SRC=/home/packer/mcr-hosts-setup.sh
+  MCR_HOSTS_SETUP_SCRIPT_DEST=/opt/azure/containers/mcr-hosts-setup.sh
+  cpAndMode $MCR_HOSTS_SETUP_SCRIPT_SRC $MCR_HOSTS_SETUP_SCRIPT_DEST 0755
+
+  MCR_HOSTS_SETUP_SERVICE_SRC=/home/packer/mcr-hosts-setup.service
+  MCR_HOSTS_SETUP_SERVICE_DEST=/etc/systemd/system/mcr-hosts-setup.service
+  cpAndMode $MCR_HOSTS_SETUP_SERVICE_SRC $MCR_HOSTS_SETUP_SERVICE_DEST 0644
+
+  MCR_HOSTS_SETUP_TIMER_SRC=/home/packer/mcr-hosts-setup.timer
+  MCR_HOSTS_SETUP_TIMER_DEST=/etc/systemd/system/mcr-hosts-setup.timer
+  cpAndMode $MCR_HOSTS_SETUP_TIMER_SRC $MCR_HOSTS_SETUP_TIMER_DEST 0644
+# ---------------------------------------------------------------------------------------
+
   # Install AKS diagnostic
   cpAndMode $AKS_DIAGNOSTIC_SCRIPT_SRC $AKS_DIAGNOSTIC_SCRIPT_DEST 755
 

@@ -633,8 +633,21 @@
       "source": "parts/linux/cloud-init/artifacts/localdns-delegate.conf",
       "destination": "/home/packer/localdns-delegate.conf"
     },
+    {      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.sh",
+      "destination": "/home/packer/mcr-hosts-setup.sh"
+    },
     {
       "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.service",
+      "destination": "/home/packer/mcr-hosts-setup.service"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.timer",
+      "destination": "/home/packer/mcr-hosts-setup.timer"
+    },
+    {      "type": "file",
       "source": "parts/linux/cloud-init/artifacts/10_azure_nvidia",
       "destination": "/home/packer/10_azure_nvidia"
     },

@@ -641,6 +641,21 @@
       "source": "parts/linux/cloud-init/artifacts/localdns-delegate.conf",
       "destination": "/home/packer/localdns-delegate.conf"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.sh",
+      "destination": "/home/packer/mcr-hosts-setup.sh"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.service",
+      "destination": "/home/packer/mcr-hosts-setup.service"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.timer",
+      "destination": "/home/packer/mcr-hosts-setup.timer"
+    },
     {
       "type": "shell",
       "inline": [

@@ -645,6 +645,21 @@
       "source": "parts/linux/cloud-init/artifacts/localdns-delegate.conf",
       "destination": "/home/packer/localdns-delegate.conf"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.sh",
+      "destination": "/home/packer/mcr-hosts-setup.sh"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.service",
+      "destination": "/home/packer/mcr-hosts-setup.service"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.timer",
+      "destination": "/home/packer/mcr-hosts-setup.timer"
+    },
     {
       "type": "shell",
       "inline": [

@@ -639,6 +639,21 @@
       "source": "parts/linux/cloud-init/artifacts/localdns-delegate.conf",
       "destination": "/home/packer/localdns-delegate.conf"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.sh",
+      "destination": "/home/packer/mcr-hosts-setup.sh"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.service",
+      "destination": "/home/packer/mcr-hosts-setup.service"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.timer",
+      "destination": "/home/packer/mcr-hosts-setup.timer"
+    },
     {
       "type": "shell",
       "inline": [

@@ -644,6 +644,21 @@
       "source": "parts/linux/cloud-init/artifacts/localdns-delegate.conf",
       "destination": "/home/packer/localdns-delegate.conf"
     },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.sh",
+      "destination": "/home/packer/mcr-hosts-setup.sh"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.service",
+      "destination": "/home/packer/mcr-hosts-setup.service"
+    },
+    {
+      "type": "file",
+      "source": "parts/linux/cloud-init/artifacts/mcr-hosts-setup.timer",
+      "destination": "/home/packer/mcr-hosts-setup.timer"
+    },
     {
       "type": "shell",
       "inline": [