你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
使用 az networkcloud baremetalmachine run-data-extract
命令排查裸机计算机问题
在某些情况下,用户可能需要调查和解决本地裸机计算机的问题。 Azure 运营商关系通过 az networkcloud baremetalmachine run-data-extract
提供一组指定的数据提取命令。 用户可以通过这些命令从裸机计算机获取诊断数据。
该命令生成包含数据提取结果的输出文件。 默认情况下,数据将发送到群集管理器存储帐户。 还有一种预览方法,用户可以使用有权访问存储帐户的存储帐户和标识来配置群集资源来接收输出。
先决条件
- 本文假定已安装 Azure 命令行接口和
networkcloud
命令行接口扩展。 有关详细信息,请参阅如何安装 CLI 扩展。 - 目标裸机已启动并准备就绪。
- 这些命令的语法基于
az networkcloud
CLI 的 0.3.0+ 版本。 - 获取为群集资源创建的群集受管理资源组名称 (cluster_MRG)。
验证是否有权访问群集管理器的存储帐户
注意
在群集载入到受信任的服务完成,并且完全支持用户托管存储选项后,群集管理器存储帐户输出方法将来将弃用。
如果使用群集管理器存储方法,请验证你是否有权访问群集管理器的存储帐户:
- 在 Azure 门户中,导航到群集管理器的存储帐户。
- 在存储帐户详细信息中,从左侧的导航菜单中选择“存储浏览器”。
- 在存储浏览器详细信息中,选择“blob 容器”。
- 如果在访问存储帐户时遇到问题
403 This request is not authorized to perform this operation.
,则需要更新存储帐户的防火墙设置以包含公共 IP 地址。 - 通过群集管理器资源上的门户创建支持票证来请求访问权限。 提供需要访问的公共 IP 地址。
预览版:将命令输出发送到用户指定的存储帐户
重要
请注意,为命令输出指定用户帐户的此方法处于预览状态。 此方法应仅用于未启用防火墙的用户存储帐户。 如果环境需要启用存储帐户防火墙,请使用现有的群集管理器输出方法。
创建和配置存储资源
- 创建存储帐户,或标识要使用的现有存储帐户。 请参阅创建 Azure 存储帐户。
- 在存储帐户中创建 Blob 存储容器。 请参阅创建容器。
- 将“存储 Blob 数据参与者”角色分配给需要访问 run-data-extract 输出的用户和托管标识。
- 请参阅分配 Azure 角色以访问 blob 数据。 该角色还必须分配给用户分配的托管标识或群集自己的系统分配托管标识。
- 有关托管标识的详细信息,请参阅 Azure 资源的托管标识。
- 如果使用群集的系统分配标识,则需要将系统分配的标识添加到群集,然后才能授予其访问权限。
- 将角色分配给群集的系统分配标识时,请确保选择类型为“Cluster (Operator Nexus)”的资源。
将群集配置为使用用户分配的托管标识进行存储访问
使用此命令创建具有用户托管存储帐户和用户分配标识的群集。 请注意,此示例是一个缩写命令,它仅突出显示与添加用户托管存储相关的字段。 这不是完整的群集创建命令。
az networkcloud cluster create --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
...
--mi-user-assigned "<user-assigned-identity-resource-id>" \
--command-output-settings identity-type="UserAssignedIdentity" \
identity-resource-id="<user-assigned-identity-resource-id>" \
container-url="<container-url>" \
...
--subscription "<subscription>"
使用此命令为用户提供的存储帐户和用户分配的标识配置现有群集。 更新命令还可用于根据需要更改存储帐户位置和标识。
az networkcloud cluster update --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
--mi-user-assigned "<user-assigned-identity-resource-id>" \
--command-output-settings identity-type="UserAssignedIdentity" \
identity-resource-id="<user-assigned-identity-resource-id>" \
container-url="<container-url>" \
--subscription "<subscription>"
将群集配置为使用系统分配的托管标识进行存储访问
使用此命令创建具有用户托管存储帐户和系统分配标识的群集。 请注意,此示例是一个缩写命令,它仅突出显示与添加用户托管存储相关的字段。 这不是完整的群集创建命令。
az networkcloud cluster create --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
...
--mi-system-assigned true \
--command-output-settings identity-type="SystemAssignedIdentity" \
container-url="<container-url>" \
...
--subscription "<subscription>"
使用此命令为用户提供的存储帐户配置现有群集,并使用其自己的系统分配标识。 更新命令还可用于更改存储帐户位置和标识。
az networkcloud cluster update --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
--mi-system-assigned true \
--command-output-settings identity-type="SystemAssignedIdentity" \
container-url="<container-url>" \
--subscription "<subscription>"
若要将群集从用户分配的标识更改为系统分配的标识,必须先使用下一部分中的命令清除 CommandOutputSettings,然后使用此命令进行设置。
清除群集的 CommandOutputSettings
可以清除 CommandOutputSettings,将 run-data-extract 输出定向回群集管理器的存储。 但是,不建议这样做,因为不太安全,并且该选项将在将来的版本中删除。
但是,如果从用户分配的标识切换到系统分配的标识,则需要清除 CommandOutputSettings。
使用此命令清除 CommandOutputSettings:
az rest --method patch \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<cluster-resource-group>/providers/Microsoft.NetworkCloud/clusters/<cluster-name>?api-version=2024-08-01-preview" \
--body '{"properties": {"commandOutputSettings":null}}'
查看托管标识的主体 ID
可以通过在标识资源上选择“JSON 视图”来找到标识资源 ID;ID 位于显示的面板顶部。 可以在容器资源的“设置 - > 属性”选项卡上找到容器 URL。
CLI 还可用于查看群集中的标识和关联的主体 ID 数据。
示例:
az networkcloud cluster show --ids /subscriptions/<Subscription ID>/resourceGroups/<Cluster Resource Group Name>/providers/Microsoft.NetworkCloud/clusters/<Cluster Name>
系统分配的标识示例:
"identity": {
"principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
"tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
"type": "SystemAssigned"
},
用户分配的标识示例:
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/<subscriptionID>/resourcegroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>": {
"clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
"principalId": "bbbbbbbb-cccc-dddd-2222-333333333333"
}
}
},
执行 run-data-extract 命令
运行数据提取命令执行一个或多个预定义脚本,以便从裸机计算机中提取数据。
警告
Microsoft 不提供或支持任何需要提供纯文本用户名和密码的 Operator Nexus API 调用。 请注意,将会记录发送的任何值,并将其视为应当轮换和撤销的公开机密。 安全使用机密的 Microsoft 记录方法是将它们存储在 Azure 密钥保管库中,如有具体问题或疑问,请通过 Azure 门户提交请求。
以下是受支持命令的当前列表
用于 Dell 故障排除的 SupportAssist/TSR 集合
命令名称:hardware-support-data-collection
参数:请求的日志类型SysInfo
- 系统信息TTYLog
- 存储 TTYLog 数据Debug
- 调试日志
收集 Microsoft Defender for Endpoints (MDE) 代理信息
命令名称:mde-agent-information
参数:无收集 MDE 诊断支持日志
命令名称:mde-support-diagnostics
参数:无收集 Dell 硬件汇总状态
命令名称:hardware-rollup-status
参数:无生成群集 CVE 报表
命令名称:cluster-cve-report
参数:无收集 Helm 版本
命令名称:collect-helm-releases
参数:无收集
systemctl status
输出
命令名称:platform-services-status
参数:无
命令语法为:
az networkcloud baremetalmachine run-data-extract --name "<machine-name>" \
--resource-group "<cluster_MRG>" \
--subscription "<subscription>" \
--commands '[{"arguments":["<arg1>","<arg2>"],"command":"<command1>"}]' \
--limit-time-seconds "<timeout>"
在 --commands
选项中使用 json 格式指定多个命令。 每个 command
指定命令和参数。 对于具有多个参数的命令,请以列表的形式提供给 arguments
参数。 有关构造 --commands
结构的说明,请参阅 Azure CLI 简写。
这些命令可以长时间运行,因此建议将 --limit-time-seconds
设置为至少 600 秒(10 分钟)。 Debug
选项或运行多个提取可能需要 10 分钟以上。
在响应中,该操作以异步方式执行,并返回 HTTP 状态代码 202。 有关如何跟踪命令完成和查看输出文件的详细信息,请参阅查看输出部分。
硬件支持数据收集
以下示例执行 hardware-support-data-collection
命令,并从 Dell 服务器获取 SysInfo
和 TTYLog
日志。 该脚本在指定的裸机计算机上执行 racadm supportassist collect
命令。 生成的 tar.gz 文件包含 hardware-support-data-<timestamp>.zip
中压缩的提取命令文件输出。
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"arguments":["SysInfo", "TTYLog"],"command":"hardware-support-data-collection"}]' \
--limit-time-seconds 600
hardware-support-data-collection
输出
====Action Command Output====
Executing hardware-support-data-collection command
Getting following hardware support logs: SysInfo,TTYLog
Job JID_814372800396 is running, waiting for it to complete ...
Job JID_814372800396 Completed.
---------------------------- JOB -------------------------
[Job ID=JID_814372800396]
Job Name=SupportAssist Collection
Status=Completed
Scheduled Start Time=[Not Applicable]
Expiration Time=[Not Applicable]
Actual Start Time=[Thu, 13 Apr 2023 20:54:40]
Actual Completion Time=[Thu, 13 Apr 2023 20:59:51]
Message=[SRV088: The SupportAssist Collection Operation is completed successfully.]
Percent Complete=[100]
----------------------------------------------------------
Deleting Job JID_814372800396
Collection successfully exported to /hostfs/tmp/runcommand/hardware-support-data-2023-04-13T21:00:01.zip
================================
Script execution result can be found in storage account:
https://cm2p9bctvhxnst.blob.core.windows.net/bmm-run-command-output/dd84df50-7b02-4d10-a2be-46782cbf4eef-action-bmmdataextcmd.tar.gz?se=2023-04-14T01%3A00%3A15Zandsig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%2BM6rmxDFqXE%3Dandsp=randspr=httpsandsr=bandst=2023-04-13T21%3A00%3A15Zandsv=2019-12-12
收集的硬件支持文件的示例列表
Archive: TSR20240227164024_FM56PK3.pl.zip
creating: tsr/hardware/
creating: tsr/hardware/spd/
creating: tsr/hardware/sysinfo/
creating: tsr/hardware/sysinfo/inventory/
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_BIOSAttribute.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Sensor.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_View.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_SoftwareIdentity.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Capabilities.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_StatisticalData.xml
creating: tsr/hardware/sysinfo/lcfiles/
inflating: tsr/hardware/sysinfo/lcfiles/lclog_0.xml.gz
inflating: tsr/hardware/sysinfo/lcfiles/curr_lclog.xml
creating: tsr/hardware/psu/
creating: tsr/hardware/idracstateinfo/
inflating: tsr/hardware/idracstateinfo/avc.log
extracting: tsr/hardware/idracstateinfo/avc.log.persistent.1
[..snip..]
收集 MDE 代理信息
使用 mde-agent-information
命令收集数据,并将其格式化为 JSON 到 /hostfs/tmp/runcommand/mde-agent-information.json
。 JSON 文件位于存储帐户中的数据提取 zip 文件中。 该脚本在指定的裸机计算机上执行一系列 mdatp
命令。
以下示例在没有参数的情况下执行 mde-agent-information
命令。
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"mde-agent-information"}]' \
--limit-time-seconds 600
mde-agent-information
输出
====Action Command Output====
Executing mde-agent-information command
MDE agent is running, proceeding with data extract
Getting MDE agent information for bareMetalMachine
Writing to /hostfs/tmp/runcommand
================================
Script execution result can be found in storage account:
https://cmzhnh6bdsfsdwpbst.blob.core.windows.net/bmm-run-command-output/f5962f18-2228-450b-8cf7-cb8344fdss63b0-action-bmmdataextcmd.tar.gz?se=2023-07-26T19%3A07%3A22Z&sig=X9K3VoNWRFP78OKqFjvYoxubp65BbNTq%2BGnlHclI9Og%3D&sp=r&spr=https&sr=b&st=2023-07-26T15%3A07%3A22Z&sv=2019-12-12
收集示例 JSON 对象
{
"diagnosticInformation": {
"realTimeProtectionStats": $real_time_protection_stats,
"eventProviderStats": $event_provider_stats
},
"mdeDefinitions": $mde_definitions,
"generalHealth": $general_health,
"mdeConfiguration": $mde_config,
"scanList": $scan_list,
"threatInformation": {
"list": $threat_info_list,
"quarantineList": $threat_info_quarantine_list
}
}
收集 MDE 支持诊断
从 mde-support-diagnostics
命令收集的数据使用 MDE 客户端分析器工具捆绑来自 mdatp
命令和相关日志文件的信息。 存储帐户 tgz
文件将包含名为 mde-support-diagnostics-<hostname>.zip
的 zip
文件。 zip
应与任何支持请求一起发送,以确保支持团队可以根据需要使用日志进行故障排除和根本原因分析。
以下示例在没有参数的情况下执行 mde-support-diagnostics
命令。
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"mde-support-diagnostics"}]' \
--limit-time-seconds 600
mde-support-diagnostics
输出
====Action Command Output====
Executing mde-support-diagnostics command
[2024-01-23 16:07:37.588][INFO] XMDEClientAnalyzer Version: 1.3.2
[2024-01-23 16:07:38.367][INFO] Top Command output: [/tmp/top_output_2024_01_23_16_07_37mel0nue0.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Summary: [/tmp/top_summary_2024_01_23_16_07_370zh7dkqn.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Outliers: [/tmp/top_outlier_2024_01_23_16_07_37aypcfidh.txt]
[2024-01-23 16:07:38.368][INFO] [MDE Diagnostic]
[2024-01-23 16:07:38.368][INFO] Collecting MDE Diagnostic
[2024-01-23 16:07:38.613][WARNING] mde is not running
[2024-01-23 16:07:41.343][INFO] [SLEEP] [3sec] waiting for agent to create diagnostic package
[2024-01-23 16:07:44.347][INFO] diagnostic package path: /var/opt/microsoft/mdatp/wdavdiag/5b1edef9-3b2a-45c1-a45d-9e7e4b6b869e.zip
[2024-01-23 16:07:44.347][INFO] Successfully created MDE diagnostic zip
[2024-01-23 16:07:44.348][INFO] Adding mde_diagnostic.zip to report directory
[2024-01-23 16:07:44.348][INFO] Collecting MDE Health
[...snip...]
================================
Script execution result can be found in storage account:
https://cmmj627vvrzkst.blob.core.windows.net/bmm-run-command-output/7c5557b9-b6b6-a4a4-97ea-752c38918ded-action-bmmdataextcmd.tar.gz?se=2024-01-23T20%3A11%3A32Z&sig=9h20XlZO87J7fCr0S1234xcyu%2Fl%2BVuaDh1BE0J6Yfl8%3D&sp=r&spr=https&sr=b&st=2024-01-23T16%3A11%3A32Z&sv=2019-12-12
下载执行结果文件后,可以解压缩支持文件进行分析。
MDE 客户端分析器收集的信息示例列表
Archive: mde-support-diagnostics-rack1compute02.zip
inflating: mde_diagnostic.zip
inflating: process_information.txt
inflating: auditd_info.txt
inflating: auditd_log_analysis.txt
inflating: auditd_logs.zip
inflating: ebpf_kernel_config.txt
inflating: ebpf_enabled_func.txt
inflating: ebpf_syscalls.zip
inflating: ebpf_raw_syscalls.zip
inflating: messagess.zip
inflating: conflicting_processes_information.txt
[...snip...]
硬件汇总状态
使用 hardware-rollup-status
命令收集数据,并将其格式化为 JSON 到 /hostfs/tmp/runcommand/rollupStatus.json
。 JSON 文件位于存储帐户中的数据提取 zip 文件中。 收集的数据会显示计算机子系统的健康状况。
以下示例在没有参数的情况下执行 hardware-rollup-status
命令。
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "clusete_MRG" \
--subscription "subscription" \
--commands '[{"command":"hardware-rollup-status"}]' \
--limit-time-seconds 600
hardware-rollup-status
输出
====Action Command Output====
Executing hardware-rollup-status command
Getting rollup status logs for b37dev03a1c002
Writing to /hostfs/tmp/runcommand
================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12
收集的 JSON 示例
{
"@odata.context" : "/redfish/v1/$metadata#DellRollupStatusCollection.DellRollupStatusCollection",
"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus",
"@odata.type" : "#DellRollupStatusCollection.DellRollupStatusCollection",
"Description" : "A collection of DellRollupStatus resource",
"Members" :
[
{
"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
"CollectionName" : "CurrentRollupStatus",
"Description" : "Represents the subcomponent roll-up statuses.",
"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Current",
"Name" : "DellRollupStatus",
"RollupStatus" : "Ok",
"SubSystem" : "Current"
},
{
"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
"CollectionName" : "VoltageRollupStatus",
"Description" : "Represents the subcomponent roll-up statuses.",
"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Voltage",
"Name" : "DellRollupStatus",
"RollupStatus" : "Ok",
"SubSystem" : "Voltage"
},
[..snip..]
生成群集 CVE 报表
漏洞数据是使用 cluster-cve-report
命令收集的,并格式化为 {year}-{month}-{day}-nexus-cluster-vulnerability-report.json
的 JSON 格式。 JSON 文件位于存储帐户中的数据提取 zip 文件中。 收集的数据包括群集中每个容器映像的漏洞数据。
以下示例在没有参数的情况下执行 cluster-cve-report
命令。
注意
目标计算机必须是控制平面节点,否则不会执行该操作。
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"cluster-cve-report"}]' \
--limit-time-seconds 600
cluster-cve-report
输出
====Action Command Output====
Nexus cluster vulnerability report saved.
================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12
CVE 报表架构
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Vulnerability Report",
"type": "object",
"properties": {
"metadata": {
"type": "object",
"properties": {
"dateRetrieved": {
"type": "string",
"format": "date-time",
"description": "The date and time when the data was retrieved."
},
"platform": {
"type": "string",
"description": "The name of the platform."
},
"resource": {
"type": "string",
"description": "The name of the resource."
},
"runtimeVersion": {
"type": "string",
"description": "The version of the runtime."
},
"managementVersion": {
"type": "string",
"description": "The version of the management software."
},
"vulnerabilitySummary": {
"type": "object",
"properties": {
"criticalCount": {
"type": "integer",
"description": "Number of critical vulnerabilities."
},
"highCount": {
"type": "integer",
"description": "Number of high severity vulnerabilities."
},
"mediumCount": {
"type": "integer",
"description": "Number of medium severity vulnerabilities."
},
"lowCount": {
"type": "integer",
"description": "Number of low severity vulnerabilities."
},
"noneCount": {
"type": "integer",
"description": "Number of vulnerabilities with no severity."
},
"unknownCount": {
"type": "integer",
"description": "Number of vulnerabilities with unknown severity."
}
},
"required": ["criticalCount", "highCount", "mediumCount", "lowCount", "noneCount", "unknownCount"]
}
},
"required": ["dateRetrieved", "platform", "resource", "runtimeVersion", "managementVersion", "vulnerabilitySummary"]
},
"containers": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "object",
"properties": {
"namespace": {
"type": "string",
"description": "The namespace of the container."
},
"digest": {
"type": "string",
"description": "The digest of the container image."
},
"os": {
"type": "object",
"properties": {
"family": {
"type": "string",
"description": "The family of the operating system."
}
},
"required": ["family"]
},
"summary": {
"type": "object",
"properties": {
"criticalCount": {
"type": "integer",
"description": "Number of critical vulnerabilities in this container."
},
"highCount": {
"type": "integer",
"description": "Number of high severity vulnerabilities in this container."
},
"lowCount": {
"type": "integer",
"description": "Number of low severity vulnerabilities in this container."
},
"mediumCount": {
"type": "integer",
"description": "Number of medium severity vulnerabilities in this container."
},
"noneCount": {
"type": "integer",
"description": "Number of vulnerabilities with no severity in this container."
},
"unknownCount": {
"type": "integer",
"description": "Number of vulnerabilities with unknown severity in this container."
}
},
"required": ["criticalCount", "highCount", "lowCount", "mediumCount", "noneCount", "unknownCount"]
},
"vulnerabilities": {
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"description": "Title of the vulnerability."
},
"vulnerabilityID": {
"type": "string",
"description": "Identifier of the vulnerability."
},
"fixedVersion": {
"type": "string",
"description": "The version in which the vulnerability is fixed."
},
"installedVersion": {
"type": "string",
"description": "The currently installed version."
},
"referenceLink": {
"type": "string",
"format": "uri",
"description": "Link to the vulnerability details."
},
"publishedDate": {
"type": "string",
"format": "date-time",
"description": "The date when the vulnerability was published."
},
"score": {
"type": "number",
"description": "The CVSS score of the vulnerability."
},
"severity": {
"type": "string",
"description": "The severity level of the vulnerability."
},
"resource": {
"type": "string",
"description": "The resource affected by the vulnerability."
},
"target": {
"type": "string",
"description": "The target of the vulnerability."
},
"packageType": {
"type": "string",
"description": "The type of the package."
},
"exploitAvailable": {
"type": "boolean",
"description": "Indicates if an exploit is available for the vulnerability."
}
},
"required": ["title", "vulnerabilityID", "fixedVersion", "installedVersion", "referenceLink", "publishedDate", "score", "severity", "resource", "target", "packageType", "exploitAvailable"]
}
}
},
"required": ["namespace", "digest", "os", "summary", "vulnerabilities"]
}
}
}
},
"required": ["metadata", "containers"]
}
CVE 数据详细信息
CVE 数据每 24 小时刷新一次,或者在引用映像的 Kubernetes 资源发生更改时刷新每个容器映像。
收集 Helm 版本
Helm 版本数据是使用 collect-helm-releases
命令收集的,并作为 json 格式化为 {year}-{month}-{day}-helm-releases.json
。 JSON 文件位于存储帐户中的数据提取 zip 文件中。 收集的数据包括群集中的所有 helm 版本信息,其中包括运行命令 helm list
时返回的标准数据。
以下示例在没有参数的情况下执行 collect-helm-releases
命令。
注意
目标计算机必须是控制平面节点,否则不会执行该操作。
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"collect-helm-releases"}]' \
--limit-time-seconds 600
collect-helm-releases
输出
====Action Command Output====
Helm releases report saved.
================================
Script execution result can be found in storage account:
https://cmcr5xp3mbn7st.blob.core.windows.net/bmm-run-command-output/a29dcbdb-5524-4172-8b55-88e0e5ec93ff-action-bmmdataextcmd.tar.gz?se=2024-10-30T02%3A09%3A54Z&sig=v6cjiIDBP9viEijs%2B%2BwJDrHIAbLEmuiVmCEEDHEi%2FEc%3D&sp=r&spr=https&sr=b&st=2024-10-29T22%3A09%3A54Z&sv=2023-11-03
Helm 版本架构
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"properties": {
"metadata": {
"type": "object",
"properties": {
"dateRetrieved": {
"type": "string"
},
"platform": {
"type": "string"
},
"resource": {
"type": "string"
},
"clusterId": {
"type": "string"
},
"runtimeVersion": {
"type": "string"
},
"managementVersion": {
"type": "string"
}
},
"required": [
"clusterId",
"dateRetrieved",
"managementVersion",
"platform",
"resource",
"runtimeVersion"
]
},
"helmReleases": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"revision": {
"type": "string"
},
"updated": {
"type": "string"
},
"status": {
"type": "string"
},
"chart": {
"type": "string"
},
"app_version": {
"type": "string"
}
},
"required": [
"app_version",
"chart",
"name",
"namespace",
"revision",
"status",
"updated"
]
}
}
},
"required": [
"helmReleases",
"metadata"
]
}
收集 Systemctl 状态输出
服务状态使用 platform-services-status
命令收集。 输出采用纯文本格式,它会返回主机上服务的状态概览以及每个找到的服务的 systemctl status
。
以下示例在没有参数的情况下执行 platform-services-status
命令。
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "clusete_MRG" \
--subscription "subscription" \
--commands '[{"command":"platform-services-status"}]' \
--limit-time-seconds 600
--output-directory "/path/to/local/directory"
platform-services-status
输出
====Action Command Output====
UNIT LOAD ACTIVE SUB DESCRIPTION
aods-infra-vf-config.service not-found inactive dead aods-infra-vf-config.service
aods-pnic-config-infra.service not-found inactive dead aods-pnic-config-infra.service
aods-pnic-config-workload.service not-found inactive dead aods-pnic-config-workload.service
arc-unenroll-file-semaphore.service loaded active exited Arc-unenrollment upon shutdown service
atop-rotate.service loaded inactive dead Restart atop daemon to rotate logs
atop.service loaded active running Atop advanced performance monitor
atopacct.service loaded active running Atop process accounting daemon
audit.service loaded inactive dead Audit service
auditd.service loaded active running Security Auditing Service
azurelinux-sysinfo.service loaded inactive dead Azure Linux Sysinfo Service
blk-availability.service loaded inactive dead Availability of block devices
[..snip..]
-------
● arc-unenroll-file-semaphore.service - Arc-unenrollment upon shutdown service
Loaded: loaded (/etc/systemd/system/arc-unenroll-file-semaphore.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2024-11-12 06:33:40 UTC; 11h ago
Main PID: 11663 (code=exited, status=0/SUCCESS)
CPU: 5ms
Nov 12 06:33:39 rack1compute01 systemd[1]: Starting Arc-unenrollment upon shutdown service...
Nov 12 06:33:40 rack1compute01 systemd[1]: Finished Arc-unenrollment upon shutdown service.
-------
○ atop-rotate.service - Restart atop daemon to rotate logs
Loaded: loaded (/usr/lib/systemd/system/atop-rotate.service; static)
Active: inactive (dead)
TriggeredBy: ● atop-rotate.timer
[..snip..]
查看输出
此命令提供链接(如果使用群集管理器存储)或其他命令(如果使用用户提供的存储)来下载完整输出。 tar.gz 文件还包含压缩的提取命令文件输出。 通过在可选参数 --output-directory
中指定目录路径,将输出文件从存储 blob 下载到本地目录。
警告
使用 --output-directory
参数将覆盖与所创建新文件同名的本地目录中的任何文件。