แก้ไข

แชร์ผ่าน


Harden a Linux image to remove Azure guest agent

Applies to: ✔️ Linux Images

Azure supports two provisioning agents cloud-init, and the Azure Linux Agent (WALA), which forms the prerequisites for creating the generalized images (Azure Compute Gallery or Managed Image). The Azure Linux Agent contains Provisioning Agent code and Extension Handling code in one package.

It's crucial to comprehend what functionalities the VM loses before deciding to remove the Azure Linux Agent. Removal of the guest agent removes the functionality enumerated at Azure Linux Agent.

This "how to" shows you steps to remove guest agent from the Linux image.

Prerequisites

Remove Azure Linux Agent and prepare a generalized Linux image

Steps to create an image that removes the Azure Linux Agent are as follows:

  1. Download an Ubuntu image.

    How to download a Linux VHD from Azure

  2. Mount the image.

    Follow the instructions in step 2 of remove sudo users from the Linux Image to mount the image.

  3. Remove the Azure Linux agent

    Run as root to remove the Azure Linux Agent

    For Ubuntu 18.04+

    sudo chroot /mnt/dev/$imagedevice/ apt -y remove walinuxagent
    

Note

If you know you will not reinstall the Linux Agent again remove the Azure Linux Agent artifacts, you can run the following steps.

  1. (Optional) Remove the Azure Linux Agent artifacts.

    If you know you will not reinstall the Linux Agent again, then you can run the following else skip this step:

    For Ubuntu 18.04+

    sudo chroot /mnt/dev/$imagedevice/ rm -rf /var/lib/walinuxagent
    sudo chroot /mnt/dev/$imagedevice/ rm -rf /etc/ walinuxagent.conf
    sudo chroot /mnt/dev/$imagedevice/ rm -rf /var/log/ walinuxagent.log
    
  2. Create a systemd service to provision the VM.

    Since we are removing the Azure Linux Agent, we need to provide a mechanism to report ready. Copy the contents of the bash script or python script located here to the mounted image and make the file executable (i.e, grant execute permission on the file - chmod).

    sudo chmod +x /mnt/dev/$imagedevice/usr/local/azure-provisioning.sh
    

    To ensure report ready mechanism, create a systemd service unit and add the following to the /etc/systemd/system (this example names the unit file azure-provisioning.service)

    sudo chroot /mnt/dev/$imagedevice/ systemctl enable azure-provisioning.service
    

    Now the image is generalized and can be used to create a VM.

  3. Unmount the image.

    umount /mnt/dev/$imagedevice
    

    The image prepared does not include Azure Linux Agent anymore.

  4. Use the prepared image to deploy a confidential VM.

    Follow the steps starting from 4 in the Create a custom image for Azure confidential VM document to deploy the agent-less confidential VM.

Note

If you are looking to deploy cvm scaled scale using the custom image, please note that some features related to auto scaling will be restricted. Will manual scaling rules continue to work as expected, the autoscaling ability will be limited due to the agentless custom image. More details on the restrictions can be found here for the provisioning agent. Alternatively, you can navigate to the metrics tab on the azure portal and confirm the same.

Next Steps

Create a custom image for Azure confidential VM