
Troubleshoot bare metal machine issues using the az networkcloud baremetalmachine run-data-extract command

There are occasions when a user needs to investigate and resolve issues with an on-premises bare metal machine. Azure Operator Nexus provides a prescribed set of data extract commands through az networkcloud baremetalmachine run-data-extract. These commands let users obtain diagnostic data from a bare metal machine.

The command produces an output file containing the results of the data extract. By default, the data is sent to the Cluster Manager storage account. There is also a preview method in which users can configure the Cluster resource to receive the output in a storage account of their own, using an identity that has access to that storage account.

Prerequisites

  • This article assumes that the Azure command-line interface and the networkcloud command-line interface extension are installed. For more information, see How to install CLI extensions.
  • The target bare metal machine is powered on and ready.
  • The syntax for these commands is based on version 0.3.0+ of the az networkcloud CLI.
  • Get the name of the Cluster managed resource group (cluster_MRG) that was created for the Cluster resource.

Verify access to the Cluster Manager storage account

Note

The Cluster Manager storage account output method will be deprecated in the future, once Cluster onboarding to trusted services is complete and the user-managed storage option is fully supported.

If you are using the Cluster Manager storage method, verify that you have access to the Cluster Manager's storage account:

  1. In the Azure portal, navigate to the Cluster Manager's storage account.
  2. In the storage account details, select Storage browser from the navigation menu on the left.
  3. In the Storage browser details, select Blob containers.
  4. If you encounter a 403 This request is not authorized to perform this operation. error when accessing the storage account, the storage account's firewall settings need to be updated to include your public IP address.
  5. Request access by creating a support ticket via the portal on the Cluster Manager resource. Provide the public IP address that requires access.

Preview: send command output to a user-specified storage account

Important

Note that this method of specifying a user account for command output is in preview. This method should only be used with user storage accounts that do not have a firewall enabled. If your environment requires the storage account firewall to be enabled, use the existing Cluster Manager output method.

Create and configure storage resources

  1. Create a storage account, or identify an existing storage account that you want to use. See Create an Azure storage account.
  2. Create a blob storage container in the storage account. See Create a container.
  3. Assign the "Storage Blob Data Contributor" role to the users and managed identities that need access to the run-data-extract output.
    1. See Assign an Azure role for access to blob data. The role must also be assigned to either a user-assigned managed identity or the Cluster's own system-assigned managed identity.
    2. For more information about managed identities, see Managed identities for Azure resources.
    3. If you are using the Cluster's system-assigned identity, the system-assigned identity needs to be added to the Cluster before it can be granted access.
    4. When assigning the role to the Cluster's system-assigned identity, make sure you select the resource of type "Cluster (Operator Nexus)".

Configure the Cluster to use a user-assigned managed identity for storage access

Use this command to create a Cluster with a user-managed storage account and a user-assigned identity. Note that this example is an abbreviated command that highlights only the fields relevant to adding user-managed storage. It is not the full cluster create command.

az networkcloud cluster create --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  ...
  --mi-user-assigned "<user-assigned-identity-resource-id>" \
  --command-output-settings identity-type="UserAssignedIdentity" \
  identity-resource-id="<user-assigned-identity-resource-id>" \
  container-url="<container-url>" \
  ...
  --subscription "<subscription>"

Use this command to configure an existing Cluster for a user-provided storage account and a user-assigned identity. The update command can also be used to change the storage account location and identity as needed.

az networkcloud cluster update --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  --mi-user-assigned "<user-assigned-identity-resource-id>" \
  --command-output-settings identity-type="UserAssignedIdentity" \
  identity-resource-id="<user-assigned-identity-resource-id>" \
  container-url="<container-url>" \
  --subscription "<subscription>"

Configure the Cluster to use a system-assigned managed identity for storage access

Use this command to create a Cluster with a user-managed storage account and a system-assigned identity. Note that this example is an abbreviated command that highlights only the fields relevant to adding user-managed storage. It is not the full cluster create command.

az networkcloud cluster create --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  ...
  --mi-system-assigned true \
  --command-output-settings identity-type="SystemAssignedIdentity" \
  container-url="<container-url>" \
  ...
  --subscription "<subscription>"

Use this command to configure an existing Cluster for a user-provided storage account using the Cluster's own system-assigned identity. The update command can also be used to change the storage account location and identity.

az networkcloud cluster update --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  --mi-system-assigned true \
  --command-output-settings identity-type="SystemAssignedIdentity" \
  container-url="<container-url>" \
  --subscription "<subscription>"

To change a Cluster from a user-assigned identity to a system-assigned identity, the CommandOutputSettings must first be cleared using the command in the next section, and then set using this command.

Clear the Cluster's CommandOutputSettings

The CommandOutputSettings can be cleared, which directs run-data-extract output back to the Cluster Manager's storage. However, this is not recommended, since it is less secure and the option will be removed in a future release.

The CommandOutputSettings do need to be cleared, however, when switching from a user-assigned identity to a system-assigned identity.

Use this command to clear the CommandOutputSettings:

az rest --method patch \
  --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<cluster-resource-group>/providers/Microsoft.NetworkCloud/clusters/<cluster-name>?api-version=2024-08-01-preview" \
  --body '{"properties": {"commandOutputSettings":null}}'

View the principal ID for a managed identity

The identity resource ID can be found by selecting "JSON view" on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.

The CLI can also be used to view the identity and the associated principal ID data within the Cluster.

Example:

az networkcloud cluster show --ids /subscriptions/<Subscription ID>/resourceGroups/<Cluster Resource Group Name>/providers/Microsoft.NetworkCloud/clusters/<Cluster Name>

System-assigned identity example:

    "identity": {
        "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
        "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
        "type": "SystemAssigned"
    },

User-assigned identity example:

    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "/subscriptions/<subscriptionID>/resourcegroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>": {
                "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
                "principalId": "bbbbbbbb-cccc-dddd-2222-333333333333"
            }
        }
    },

Execute a run-data-extract command

The run data extract command executes one or more predefined scripts to extract data from a bare metal machine.

Warning

Microsoft does not provide or support any Operator Nexus API calls that require a plaintext username and password to be supplied. Please note that any values sent will be logged and are considered exposed secrets, which should be rotated and revoked. The Microsoft documented method for securely using secrets is to store them in an Azure Key Vault. If you have specific questions or concerns, please submit a request via the Azure portal.

The current list of supported commands, each described in its own section below:

  • hardware-support-data-collection
  • mde-agent-information
  • mde-support-diagnostics
  • hardware-rollup-status
  • cluster-cve-report
  • collect-helm-releases
  • platform-services-status

The command syntax is:

az networkcloud baremetalmachine run-data-extract --name "<machine-name>" \
  --resource-group "<cluster_MRG>" \
  --subscription "<subscription>" \
  --commands '[{"arguments":["<arg1>","<arg2>"],"command":"<command1>"}]' \
  --limit-time-seconds "<timeout>"

Multiple commands are specified in JSON format in the --commands option. Each command entry specifies the command and its arguments. For a command with multiple arguments, provide them as a list to the arguments parameter. See Azure CLI Shorthand for instructions on constructing the --commands structure.

These commands can take a long time to run, so the recommendation is to set --limit-time-seconds to at least 600 seconds (10 minutes). The Debug option, or running multiple extracts in one call, may take longer than 10 minutes.

The operation executes asynchronously and the response returns an HTTP status code of 202. See the View the output section for details on how to track command completion and view the output file.
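The --commands payload is easy to get wrong by hand (quoting inside the shell, argument lists for multi-argument commands, a timeout too short for a long extract). The helper below, an added example that is not part of the Azure documentation or the networkcloud CLI extension, builds the JSON string and the full argv for run-data-extract without executing anything. The list of command names is taken from the sections of this page, the control-plane restriction from the notes on cluster-cve-report and collect-helm-releases, and the 600-second floor from the recommendation above; rejecting a smaller timeout is this helper's own policy, not CLI behaviour.

```python
"""Build the --commands payload and argv for
`az networkcloud baremetalmachine run-data-extract`.

Added example, not part of the Azure documentation or the networkcloud CLI
extension. Command names come from this page; the timeout floor mirrors the
page's recommendation of 600 seconds.
"""
import json
import shlex

# Commands documented on this page (this local table is an assumption and may
# lag behind newer CLI releases; the service validates names as well).
SUPPORTED_COMMANDS = {
    "hardware-support-data-collection",
    "mde-agent-information",
    "mde-support-diagnostics",
    "hardware-rollup-status",
    "cluster-cve-report",
    "collect-helm-releases",
    "platform-services-status",
}

# Commands the page says only execute on a control-plane node.
CONTROL_PLANE_ONLY = {"cluster-cve-report", "collect-helm-releases"}

RECOMMENDED_MIN_TIMEOUT = 600  # seconds, per the page's guidance


def build_commands_arg(specs):
    """Serialize [(command, [args...]), ...] into the JSON string --commands
    expects. Unknown names raise here instead of after a long round trip."""
    payload = []
    for command, arguments in specs:
        if command not in SUPPORTED_COMMANDS:
            raise ValueError(f"unsupported run-data-extract command: {command!r}")
        entry = {"command": command}
        if arguments:
            entry["arguments"] = list(arguments)
        payload.append(entry)
    # sort_keys keeps "arguments" before "command", matching the page's examples
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def build_argv(machine, cluster_mrg, subscription, specs,
               limit_time_seconds=RECOMMENDED_MIN_TIMEOUT, output_directory=None):
    """Return the argv list for the run-data-extract call (not executed here)."""
    if limit_time_seconds < RECOMMENDED_MIN_TIMEOUT:
        raise ValueError(
            f"--limit-time-seconds {limit_time_seconds} is below the recommended "
            f"minimum of {RECOMMENDED_MIN_TIMEOUT}; a long extract would be cut off")
    argv = [
        "az", "networkcloud", "baremetalmachine", "run-data-extract",
        "--name", machine,
        "--resource-group", cluster_mrg,
        "--subscription", subscription,
        "--commands", build_commands_arg(specs),
        "--limit-time-seconds", str(limit_time_seconds),
    ]
    if output_directory:
        argv += ["--output-directory", output_directory]
    return argv


def needs_control_plane(specs):
    """True if any requested command must target a control-plane node."""
    return any(command in CONTROL_PLANE_ONLY for command, _ in specs)


if __name__ == "__main__":
    # Constructed request: two commands in one call, one of them with arguments.
    specs = [("hardware-support-data-collection", ["SysInfo", "TTYLog"]),
             ("mde-agent-information", [])]
    argv = build_argv("bareMetalMachineName", "cluster_MRG", "subscription", specs)
    print(shlex.join(argv))  # shell-quoted, paste-able command line
    print("control-plane node required:", needs_control_plane(specs))
```

shlex.join quotes the JSON argument so the same string survives the shell; running the printed line is equivalent to the hand-written examples later on this page.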

Hardware support data collection

The following example executes the hardware-support-data-collection command and gets the SysInfo and TTYLog logs from the Dell server. The script executes a racadm supportassist collect command on the specified bare metal machine. The resulting tar.gz file contains the zipped extract command file outputs in hardware-support-data-<timestamp>.zip.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"arguments":["SysInfo", "TTYLog"],"command":"hardware-support-data-collection"}]' \
  --limit-time-seconds 600

hardware-support-data-collection output

====Action Command Output====
Executing hardware-support-data-collection command
Getting following hardware support logs: SysInfo,TTYLog
Job JID_814372800396 is running, waiting for it to complete ...
Job JID_814372800396 Completed.
---------------------------- JOB -------------------------
[Job ID=JID_814372800396]
Job Name=SupportAssist Collection
Status=Completed
Scheduled Start Time=[Not Applicable]
Expiration Time=[Not Applicable]
Actual Start Time=[Thu, 13 Apr 2023 20:54:40]
Actual Completion Time=[Thu, 13 Apr 2023 20:59:51]
Message=[SRV088: The SupportAssist Collection Operation is completed successfully.]
Percent Complete=[100]
----------------------------------------------------------
Deleting Job JID_814372800396
Collection successfully exported to /hostfs/tmp/runcommand/hardware-support-data-2023-04-13T21:00:01.zip

================================
Script execution result can be found in storage account:
https://cm2p9bctvhxnst.blob.core.windows.net/bmm-run-command-output/dd84df50-7b02-4d10-a2be-46782cbf4eef-action-bmmdataextcmd.tar.gz?se=2023-04-14T01%3A00%3A15Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%2BM6rmxDFqXE%3D&sp=r&spr=https&sr=b&st=2023-04-13T21%3A00%3A15Z&sv=2019-12-12

Example list of hardware support files collected

Archive:  TSR20240227164024_FM56PK3.pl.zip
   creating: tsr/hardware/
   creating: tsr/hardware/spd/
   creating: tsr/hardware/sysinfo/
   creating: tsr/hardware/sysinfo/inventory/
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_BIOSAttribute.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Sensor.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_View.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_SoftwareIdentity.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Capabilities.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_StatisticalData.xml
   creating: tsr/hardware/sysinfo/lcfiles/
  inflating: tsr/hardware/sysinfo/lcfiles/lclog_0.xml.gz
  inflating: tsr/hardware/sysinfo/lcfiles/curr_lclog.xml
   creating: tsr/hardware/psu/
   creating: tsr/hardware/idracstateinfo/
  inflating: tsr/hardware/idracstateinfo/avc.log
 extracting: tsr/hardware/idracstateinfo/avc.log.persistent.1
[..snip..]

Collect MDE agent information

Data is collected with the mde-agent-information command and formatted as JSON to /hostfs/tmp/runcommand/mde-agent-information.json. The JSON file is found in the data extract zip file located in the storage account. The script executes a sequence of mdatp commands on the specified bare metal machine.

The following example executes the mde-agent-information command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"mde-agent-information"}]' \
  --limit-time-seconds 600

mde-agent-information output

====Action Command Output====
Executing mde-agent-information command
MDE agent is running, proceeding with data extract
Getting MDE agent information for bareMetalMachine
Writing to /hostfs/tmp/runcommand

================================
Script execution result can be found in storage account:
 https://cmzhnh6bdsfsdwpbst.blob.core.windows.net/bmm-run-command-output/f5962f18-2228-450b-8cf7-cb8344fdss63b0-action-bmmdataextcmd.tar.gz?se=2023-07-26T19%3A07%3A22Z&sig=X9K3VoNWRFP78OKqFjvYoxubp65BbNTq%2BGnlHclI9Og%3D&sp=r&spr=https&sr=b&st=2023-07-26T15%3A07%3A22Z&sv=2019-12-12

Sample JSON object collected

{
  "diagnosticInformation": {
      "realTimeProtectionStats": $real_time_protection_stats,
      "eventProviderStats": $event_provider_stats
      },
  "mdeDefinitions": $mde_definitions,
  "generalHealth": $general_health,
  "mdeConfiguration": $mde_config,
  "scanList": $scan_list,
  "threatInformation": {
      "list": $threat_info_list,
      "quarantineList": $threat_info_quarantine_list
    }
}

Collect MDE support diagnostics

Data collected with the mde-support-diagnostics command uses the MDE Client Analyzer tool to bundle information from mdatp commands and the associated log files. The storage account tgz file contains a zip file named mde-support-diagnostics-<hostname>.zip. The zip should be sent along with any support request to ensure the support team can use the logs for troubleshooting and root-cause analysis, if needed.

The following example executes the mde-support-diagnostics command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"mde-support-diagnostics"}]' \
  --limit-time-seconds 600

mde-support-diagnostics output

====Action Command Output====
Executing mde-support-diagnostics command
[2024-01-23 16:07:37.588][INFO] XMDEClientAnalyzer Version: 1.3.2
[2024-01-23 16:07:38.367][INFO] Top Command output: [/tmp/top_output_2024_01_23_16_07_37mel0nue0.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Summary: [/tmp/top_summary_2024_01_23_16_07_370zh7dkqn.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Outliers: [/tmp/top_outlier_2024_01_23_16_07_37aypcfidh.txt]
[2024-01-23 16:07:38.368][INFO] [MDE Diagnostic]
[2024-01-23 16:07:38.368][INFO]   Collecting MDE Diagnostic
[2024-01-23 16:07:38.613][WARNING] mde is not running
[2024-01-23 16:07:41.343][INFO] [SLEEP] [3sec] waiting for agent to create diagnostic package
[2024-01-23 16:07:44.347][INFO] diagnostic package path: /var/opt/microsoft/mdatp/wdavdiag/5b1edef9-3b2a-45c1-a45d-9e7e4b6b869e.zip
[2024-01-23 16:07:44.347][INFO] Successfully created MDE diagnostic zip
[2024-01-23 16:07:44.348][INFO]   Adding mde_diagnostic.zip to report directory
[2024-01-23 16:07:44.348][INFO]   Collecting MDE Health
[...snip...]
================================
Script execution result can be found in storage account:
 https://cmmj627vvrzkst.blob.core.windows.net/bmm-run-command-output/7c5557b9-b6b6-a4a4-97ea-752c38918ded-action-bmmdataextcmd.tar.gz?se=2024-01-23T20%3A11%3A32Z&sig=9h20XlZO87J7fCr0S1234xcyu%2Fl%2BVuaDh1BE0J6Yfl8%3D&sp=r&spr=https&sr=b&st=2024-01-23T16%3A11%3A32Z&sv=2019-12-12

After the execution result file is downloaded, the support files can be unzipped for analysis.

Example list of information collected by the MDE Client Analyzer

Archive:  mde-support-diagnostics-rack1compute02.zip
  inflating: mde_diagnostic.zip
  inflating: process_information.txt
  inflating: auditd_info.txt
  inflating: auditd_log_analysis.txt
  inflating: auditd_logs.zip
  inflating: ebpf_kernel_config.txt
  inflating: ebpf_enabled_func.txt
  inflating: ebpf_syscalls.zip
  inflating: ebpf_raw_syscalls.zip
  inflating: messagess.zip
  inflating: conflicting_processes_information.txt
[...snip...]

Hardware rollup status

Data is collected with the hardware-rollup-status command and formatted as JSON to /hostfs/tmp/runcommand/rollupStatus.json. The JSON file is found in the data extract zip file located in the storage account. The data collected shows the health of the machine subsystems.

The following example executes the hardware-rollup-status command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"hardware-rollup-status"}]' \
  --limit-time-seconds 600

hardware-rollup-status output

====Action Command Output====
Executing hardware-rollup-status command
Getting rollup status logs for b37dev03a1c002
Writing to /hostfs/tmp/runcommand

================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12

Example JSON collected

{
	"@odata.context" : "/redfish/v1/$metadata#DellRollupStatusCollection.DellRollupStatusCollection",
	"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus",
	"@odata.type" : "#DellRollupStatusCollection.DellRollupStatusCollection",
	"Description" : "A collection of DellRollupStatus resource",
	"Members" :
	[
		{
			"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
			"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
			"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
			"CollectionName" : "CurrentRollupStatus",
			"Description" : "Represents the subcomponent roll-up statuses.",
			"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
			"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Current",
			"Name" : "DellRollupStatus",
			"RollupStatus" : "Ok",
			"SubSystem" : "Current"
		},
		{
			"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
			"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
			"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
			"CollectionName" : "VoltageRollupStatus",
			"Description" : "Represents the subcomponent roll-up statuses.",
			"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
			"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Voltage",
			"Name" : "DellRollupStatus",
			"RollupStatus" : "Ok",
			"SubSystem" : "Voltage"
		},
[..snip..]
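The rollupStatus.json file is a Redfish collection, and on a healthy machine every member reports "Ok". Two things a practitioner wants from it are the subsystems that are not Ok (worst first) and, after a repair or reboot, what changed relative to the previous extract. The following is an added example, not part of the Azure documentation or of Dell's Redfish API: the ranking of RollupStatus values is an assumption (only "Ok" appears on this page), and the two collections are constructed, with the per-member @odata fields omitted for brevity.

```python
"""Summarize rollupStatus.json (a Redfish DellRollupStatus collection) and
compare two extracts taken at different times.

Added example, not part of the Azure documentation or of Dell's Redfish API.
STATUS_RANK is an assumed ordering; SAMPLE_BEFORE and SAMPLE_AFTER are
constructed in the shape of the page's example.
"""

# Assumed ranking of RollupStatus values, worst last.
STATUS_RANK = {"Ok": 0, "Unknown": 1, "Warning": 2, "Critical": 3}


def _member(subsystem, status):
    # Constructed collection member following the page's example layout.
    return {"Id": f"iDRAC.Embedded.1_0x23_SubSystem.1_0x23_{subsystem}",
            "InstanceID": f"iDRAC.Embedded.1#SubSystem.1#{subsystem}",
            "Name": "DellRollupStatus", "CollectionName": f"{subsystem}RollupStatus",
            "Description": "Represents the subcomponent roll-up statuses.",
            "RollupStatus": status, "SubSystem": subsystem}


SAMPLE_BEFORE = {"Members": [_member("Current", "Ok"), _member("Voltage", "Ok"),
                             _member("Storage", "Warning"), _member("Memory", "Critical")]}
SAMPLE_AFTER = {"Members": [_member("Current", "Ok"), _member("Voltage", "Warning"),
                            _member("Storage", "Ok"), _member("Memory", "Ok")]}


def subsystem_status(rollup):
    """Map SubSystem -> RollupStatus for every member of the collection."""
    return {m["SubSystem"]: m["RollupStatus"] for m in rollup["Members"]}


def degraded_subsystems(rollup):
    """(subsystem, status) for every subsystem not reporting Ok, worst first."""
    rows = [(s, st) for s, st in subsystem_status(rollup).items() if st != "Ok"]
    rows.sort(key=lambda r: (-STATUS_RANK.get(r[1], 1), r[0]))
    return rows


def overall_status(rollup):
    """Worst status across all subsystems ("Ok" when everything is healthy)."""
    statuses = list(subsystem_status(rollup).values())
    return max(statuses, key=lambda s: STATUS_RANK.get(s, 1)) if statuses else "Unknown"


def diff_rollups(before, after):
    """Subsystems whose status changed between two extracts, as
    (regressed, recovered) lists of (subsystem, old, new)."""
    b, a = subsystem_status(before), subsystem_status(after)
    regressed, recovered = [], []
    for subsystem in sorted(set(b) | set(a)):
        old, new = b.get(subsystem, "Unknown"), a.get(subsystem, "Unknown")
        if old == new:
            continue
        target = regressed if STATUS_RANK.get(new, 1) > STATUS_RANK.get(old, 1) else recovered
        target.append((subsystem, old, new))
    return regressed, recovered


if __name__ == "__main__":
    print("before:", overall_status(SAMPLE_BEFORE), degraded_subsystems(SAMPLE_BEFORE))
    print("after: ", overall_status(SAMPLE_AFTER), degraded_subsystems(SAMPLE_AFTER))
    print("regressed/recovered:", diff_rollups(SAMPLE_BEFORE, SAMPLE_AFTER))
```

To use it on real extracts, json.load the rollupStatus.json from two downloaded archives and pass them to diff_rollups; a subsystem that moves into the regressed list after maintenance is the one to open a hardware ticket on.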

Generate a cluster CVE report

Vulnerability data is collected with the cluster-cve-report command and formatted as JSON to {year}-{month}-{day}-nexus-cluster-vulnerability-report.json. The JSON file is found in the data extract zip file located in the storage account. The data collected includes vulnerability data for each container image in the cluster.

The following example executes the cluster-cve-report command without arguments.

Note

The target machine must be a control-plane node, or the action doesn't execute.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"cluster-cve-report"}]' \
  --limit-time-seconds 600

cluster-cve-report output

====Action Command Output====
Nexus cluster vulnerability report saved.


================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12

CVE report schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Vulnerability Report",
  "type": "object",
  "properties": {
    "metadata": {
      "type": "object",
      "properties": {
        "dateRetrieved": {
          "type": "string",
          "format": "date-time",
          "description": "The date and time when the data was retrieved."
        },
        "platform": {
          "type": "string",
          "description": "The name of the platform."
        },
        "resource": {
          "type": "string",
          "description": "The name of the resource."
        },
        "runtimeVersion": {
          "type": "string",
          "description": "The version of the runtime."
        },
        "managementVersion": {
          "type": "string",
          "description": "The version of the management software."
        },
        "vulnerabilitySummary": {
          "type": "object",
          "properties": {
            "criticalCount": {
              "type": "integer",
              "description": "Number of critical vulnerabilities."
            },
            "highCount": {
              "type": "integer",
              "description": "Number of high severity vulnerabilities."
            },
            "mediumCount": {
              "type": "integer",
              "description": "Number of medium severity vulnerabilities."
            },
            "lowCount": {
              "type": "integer",
              "description": "Number of low severity vulnerabilities."
            },
            "noneCount": {
              "type": "integer",
              "description": "Number of vulnerabilities with no severity."
            },
            "unknownCount": {
              "type": "integer",
              "description": "Number of vulnerabilities with unknown severity."
            }
          },
          "required": ["criticalCount", "highCount", "mediumCount", "lowCount", "noneCount", "unknownCount"]
        }
      },
      "required": ["dateRetrieved", "platform", "resource", "runtimeVersion", "managementVersion", "vulnerabilitySummary"]
    },
    "containers": {
      "type": "object",
      "additionalProperties": {
        "type": "array",
        "items": {
          "type": "object",
          "properties": {
            "namespace": {
              "type": "string",
              "description": "The namespace of the container."
            },
            "digest": {
              "type": "string",
              "description": "The digest of the container image."
            },
            "os": {
              "type": "object",
              "properties": {
                "family": {
                  "type": "string",
                  "description": "The family of the operating system."
                }
              },
              "required": ["family"]
            },
            "summary": {
              "type": "object",
              "properties": {
                "criticalCount": {
                  "type": "integer",
                  "description": "Number of critical vulnerabilities in this container."
                },
                "highCount": {
                  "type": "integer",
                  "description": "Number of high severity vulnerabilities in this container."
                },
                "lowCount": {
                  "type": "integer",
                  "description": "Number of low severity vulnerabilities in this container."
                },
                "mediumCount": {
                  "type": "integer",
                  "description": "Number of medium severity vulnerabilities in this container."
                },
                "noneCount": {
                  "type": "integer",
                  "description": "Number of vulnerabilities with no severity in this container."
                },
                "unknownCount": {
                  "type": "integer",
                  "description": "Number of vulnerabilities with unknown severity in this container."
                }
              },
              "required": ["criticalCount", "highCount", "lowCount", "mediumCount", "noneCount", "unknownCount"]
            },
            "vulnerabilities": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "title": {
                    "type": "string",
                    "description": "Title of the vulnerability."
                  },
                  "vulnerabilityID": {
                    "type": "string",
                    "description": "Identifier of the vulnerability."
                  },
                  "fixedVersion": {
                    "type": "string",
                    "description": "The version in which the vulnerability is fixed."
                  },
                  "installedVersion": {
                    "type": "string",
                    "description": "The currently installed version."
                  },
                  "referenceLink": {
                    "type": "string",
                    "format": "uri",
                    "description": "Link to the vulnerability details."
                  },
                  "publishedDate": {
                    "type": "string",
                    "format": "date-time",
                    "description": "The date when the vulnerability was published."
                  },
                  "score": {
                    "type": "number",
                    "description": "The CVSS score of the vulnerability."
                  },
                  "severity": {
                    "type": "string",
                    "description": "The severity level of the vulnerability."
                  },
                  "resource": {
                    "type": "string",
                    "description": "The resource affected by the vulnerability."
                  },
                  "target": {
                    "type": "string",
                    "description": "The target of the vulnerability."
                  },
                  "packageType": {
                    "type": "string",
                    "description": "The type of the package."
                  },
                  "exploitAvailable": {
                    "type": "boolean",
                    "description": "Indicates if an exploit is available for the vulnerability."
                  }
                },
                "required": ["title", "vulnerabilityID", "fixedVersion", "installedVersion", "referenceLink", "publishedDate", "score", "severity", "resource", "target", "packageType", "exploitAvailable"]
              }
            }
          },
          "required": ["namespace", "digest", "os", "summary", "vulnerabilities"]
        }
      }
    }
  },
  "required": ["metadata", "containers"]
}

CVE data details

The CVE data is refreshed per container image every 24 hours, or when there is a change to the Kubernetes resource that references the image.
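A report in the schema above can contain thousands of findings, and the two questions a defender asks first are "which of these are exploitable today?" and "which can we remove by simply rebuilding an image with the fixed package?". The following is an added example, not part of the Azure documentation or of Operator Nexus, that reads a report of that shape, cross-checks the declared counts against the actual lists (a cheap way to notice a truncated or hand-edited report), and orders findings with exploitAvailable first, then severity, then CVSS score. SAMPLE_REPORT is constructed data with obviously placeholder CVE identifiers.

```python
"""Triage a cluster-cve-report JSON file (shape defined by the schema above).

Added example, not part of the Azure documentation or of Operator Nexus.
SAMPLE_REPORT is constructed data; the CVE-0000-* identifiers are placeholders.
"""
import json
from collections import Counter

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "NONE": 4, "UNKNOWN": 5}
COUNT_KEYS = ["criticalCount", "highCount", "mediumCount", "lowCount", "noneCount", "unknownCount"]


def _finding(vid, severity, score, installed, fixed, exploit):
    # Constructed finding with every field the schema requires.
    return {"title": f"sample {severity.lower()} issue", "vulnerabilityID": vid,
            "fixedVersion": fixed, "installedVersion": installed,
            "referenceLink": f"https://example.invalid/{vid}",
            "publishedDate": "2024-01-01T00:00:00Z", "score": score,
            "severity": severity, "resource": "libexample", "target": "image (os)",
            "packageType": "debian", "exploitAvailable": exploit}


def _summary(**counts):
    return {k: counts.get(k, 0) for k in COUNT_KEYS}


SAMPLE_REPORT = {
    "metadata": {
        "dateRetrieved": "2024-03-01T00:00:00Z", "platform": "Operator Nexus",
        "resource": "example-cluster", "runtimeVersion": "x.y.z", "managementVersion": "x.y.z",
        "vulnerabilitySummary": _summary(criticalCount=1, highCount=1, lowCount=1),
    },
    "containers": {
        "example.azurecr.io/app:1.0": [{
            "namespace": "default", "digest": "sha256:0000", "os": {"family": "debian"},
            "summary": _summary(criticalCount=1, highCount=1),
            "vulnerabilities": [
                _finding("CVE-0000-00001", "CRITICAL", 9.8, "1.2.2", "1.2.3", False),
                _finding("CVE-0000-00002", "HIGH", 7.5, "2.0.0", "", True),
            ]}],
        "example.azurecr.io/sidecar:2.0": [{
            "namespace": "kube-system", "digest": "sha256:1111", "os": {"family": "alpine"},
            "summary": _summary(lowCount=1),
            "vulnerabilities": [_finding("CVE-0000-00003", "LOW", 3.1, "3.0.0", "3.1.0", False)],
        }],
    },
}


def consistency_problems(report):
    """Cross-check counts: each container summary against its own list, and the
    cluster-level vulnerabilitySummary against the sum of container summaries.
    Returns mismatch descriptions; an empty list means the report is consistent."""
    problems, total = [], Counter()
    for image, entries in report["containers"].items():
        for entry in entries:
            observed = Counter(v["severity"].lower() + "Count" for v in entry["vulnerabilities"])
            for key in COUNT_KEYS:
                if entry["summary"].get(key, 0) != observed.get(key, 0):
                    problems.append(f"{image}: {key} summary={entry['summary'].get(key, 0)} "
                                    f"list={observed.get(key, 0)}")
            total.update({k: entry["summary"].get(k, 0) for k in COUNT_KEYS})
    for key in COUNT_KEYS:
        declared = report["metadata"]["vulnerabilitySummary"].get(key, 0)
        if declared != total.get(key, 0):
            problems.append(f"cluster: {key} summary={declared} containers={total.get(key, 0)}")
    return problems


def prioritized_findings(report):
    """Flatten all findings, worst first: exploitable, then severity, then score."""
    rows = []
    for image, entries in report["containers"].items():
        for entry in entries:
            for v in entry["vulnerabilities"]:
                rows.append({"image": image, "namespace": entry["namespace"],
                             "id": v["vulnerabilityID"], "severity": v["severity"].upper(),
                             "score": v["score"], "exploitAvailable": v["exploitAvailable"],
                             "package": v["resource"], "installed": v["installedVersion"],
                             "fixed": v["fixedVersion"] or None})
    rows.sort(key=lambda r: (not r["exploitAvailable"],
                             SEVERITY_ORDER.get(r["severity"], 99), -r["score"]))
    return rows


def fixable(report, min_severity="HIGH"):
    """Findings at or above min_severity that already have a fixedVersion."""
    limit = SEVERITY_ORDER[min_severity]
    return [r for r in prioritized_findings(report)
            if r["fixed"] and SEVERITY_ORDER.get(r["severity"], 99) <= limit]


if __name__ == "__main__":
    import sys
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for p in consistency_problems(report):
        print("INCONSISTENT:", p)
    for r in prioritized_findings(report):
        print(f"{r['severity']:<8} exploit={str(r['exploitAvailable']):<5} "
              f"fixed={r['fixed'] or '-':<8} {r['id']} {r['package']} {r['installed']} "
              f"in {r['namespace']} {r['image']}")
```

Run it with the path of the downloaded {year}-{month}-{day}-nexus-cluster-vulnerability-report.json as the only argument; with no argument it prints the triage of the constructed sample.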

Collect Helm releases

Helm release data is collected with the collect-helm-releases command and formatted as JSON to {year}-{month}-{day}-helm-releases.json. The JSON file is found in the data extract zip file located in the storage account. The data collected includes all Helm release information in the cluster, which is the standard data returned when running the command helm list.

The following example executes the collect-helm-releases command without arguments.

Note

The target machine must be a control-plane node, or the action doesn't execute.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"collect-helm-releases"}]' \
  --limit-time-seconds 600

collect-helm-releases output

====Action Command Output====
Helm releases report saved.


================================
Script execution result can be found in storage account:
https://cmcr5xp3mbn7st.blob.core.windows.net/bmm-run-command-output/a29dcbdb-5524-4172-8b55-88e0e5ec93ff-action-bmmdataextcmd.tar.gz?se=2024-10-30T02%3A09%3A54Z&sig=v6cjiIDBP9viEijs%2B%2BwJDrHIAbLEmuiVmCEEDHEi%2FEc%3D&sp=r&spr=https&sr=b&st=2024-10-29T22%3A09%3A54Z&sv=2023-11-03

Helm release schema

{
  "$schema": "http://json-schema.org/schema#",
  "type": "object",
  "properties": {
    "metadata": {
      "type": "object",
      "properties": {
        "dateRetrieved": {
          "type": "string"
        },
        "platform": {
          "type": "string"
        },
        "resource": {
          "type": "string"
        },
        "clusterId": {
          "type": "string"
        },
        "runtimeVersion": {
          "type": "string"
        },
        "managementVersion": {
          "type": "string"
        }
      },
      "required": [
        "clusterId",
        "dateRetrieved",
        "managementVersion",
        "platform",
        "resource",
        "runtimeVersion"
      ]
    },
    "helmReleases": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "namespace": {
            "type": "string"
          },
          "revision": {
            "type": "string"
          },
          "updated": {
            "type": "string"
          },
          "status": {
            "type": "string"
          },
          "chart": {
            "type": "string"
          },
          "app_version": {
            "type": "string"
          }
        },
        "required": [
          "app_version",
          "chart",
          "name",
          "namespace",
          "revision",
          "status",
          "updated"
        ]
      }
    }
  },
  "required": [
    "helmReleases",
    "metadata"
  ]
}
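Before a downloaded report is fed into anything else (a ticket, a diff against last week's extract), it is worth confirming it actually matches the schema above and then pulling out the releases that are not in the "deployed" state. The following is an added example, not part of the Azure documentation or of Operator Nexus: a small validator that covers only the JSON Schema keywords these reports use (type, properties, required, items, additionalProperties) so it needs no third-party package, a condensed transcription of the page's Helm release schema, and a constructed sample report.

```python
"""Validate a collect-helm-releases report against its schema and flag
releases that are not in the "deployed" state.

Added example, not part of the Azure documentation or of Operator Nexus.
HELM_SCHEMA condenses the schema shown on this page; SAMPLE_REPORT is
constructed data.
"""

JSON_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
              "number": (int, float), "boolean": bool}


def validate(instance, schema, path="$"):
    """Return a list of violations; an empty list means the instance conforms.
    Supports type, properties, required, items and additionalProperties only."""
    expected = schema.get("type")
    if expected:
        ok = isinstance(instance, JSON_TYPES[expected])
        if expected in ("integer", "number") and isinstance(instance, bool):
            ok = False  # bool is a subclass of int in Python; keep numbers strict
        if not ok:
            return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    errors = []
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required property {key!r}")
        props = schema.get("properties", {})
        extra = schema.get("additionalProperties")
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key], f"{path}.{key}")
            elif isinstance(extra, dict):  # schema applied to every other key
                errors += validate(value, extra, f"{path}.{key}")
    elif isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors


def _strings(names):
    return {name: {"type": "string"} for name in names}


META_FIELDS = ["dateRetrieved", "platform", "resource", "clusterId",
               "runtimeVersion", "managementVersion"]
RELEASE_FIELDS = ["name", "namespace", "revision", "updated", "status", "chart", "app_version"]

# Condensed transcription of the page's Helm release schema.
HELM_SCHEMA = {
    "type": "object",
    "properties": {
        "metadata": {"type": "object", "properties": _strings(META_FIELDS),
                     "required": sorted(META_FIELDS)},
        "helmReleases": {"type": "array", "items": {
            "type": "object", "properties": _strings(RELEASE_FIELDS),
            "required": sorted(RELEASE_FIELDS)}},
    },
    "required": ["helmReleases", "metadata"],
}

# Constructed report: one healthy release and one failed upgrade.
SAMPLE_REPORT = {
    "metadata": {"dateRetrieved": "2024-10-29T22:09:00Z", "platform": "Operator Nexus",
                 "resource": "example-cluster", "clusterId": "example-cluster-id",
                 "runtimeVersion": "x.y.z", "managementVersion": "x.y.z"},
    "helmReleases": [
        {"name": "example-app", "namespace": "default", "revision": "3",
         "updated": "2024-10-20 10:00:00.000 +0000 UTC", "status": "deployed",
         "chart": "example-app-1.4.0", "app_version": "1.4.0"},
        {"name": "example-agent", "namespace": "kube-system", "revision": "7",
         "updated": "2024-10-28 09:30:00.000 +0000 UTC", "status": "failed",
         "chart": "example-agent-0.9.2", "app_version": "0.9.2"},
    ],
}


def unhealthy_releases(report):
    """(namespace, name, status) for releases whose Helm status is not deployed."""
    return [(r["namespace"], r["name"], r["status"])
            for r in report["helmReleases"] if r["status"] != "deployed"]


def chart_inventory(report):
    """namespace/name -> chart, convenient for diffing two reports over time."""
    return {f"{r['namespace']}/{r['name']}": r["chart"] for r in report["helmReleases"]}


if __name__ == "__main__":
    import json, sys
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("schema violations:", validate(report, HELM_SCHEMA) or "none")
    print("non-deployed releases:", unhealthy_releases(report) or "none")
```

The validator reports every violation with a JSON path, so a report that has drifted from the documented schema (a renamed field, a revision emitted as a number) is caught before it silently breaks a downstream script.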

Collect systemctl status output

Service status is collected with the platform-services-status command. The output is in plain text format; it returns a general overview of the status of the services on the host, followed by the systemctl status of each service found.

The following example executes the platform-services-status command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"platform-services-status"}]' \
  --limit-time-seconds 600 \
  --output-directory "/path/to/local/directory"

platform-services-status output

====Action Command Output====
UNIT                                                                                          LOAD      ACTIVE   SUB     DESCRIPTION
aods-infra-vf-config.service                                                                  not-found inactive dead    aods-infra-vf-config.service
aods-pnic-config-infra.service                                                                not-found inactive dead    aods-pnic-config-infra.service
aods-pnic-config-workload.service                                                             not-found inactive dead    aods-pnic-config-workload.service
arc-unenroll-file-semaphore.service                                                           loaded    active   exited  Arc-unenrollment upon shutdown service
atop-rotate.service                                                                           loaded    inactive dead    Restart atop daemon to rotate logs
atop.service                                                                                  loaded    active   running Atop advanced performance monitor
atopacct.service                                                                              loaded    active   running Atop process accounting daemon
audit.service                                                                                 loaded    inactive dead    Audit service
auditd.service                                                                                loaded    active   running Security Auditing Service
azurelinux-sysinfo.service                                                                    loaded    inactive dead    Azure Linux Sysinfo Service
blk-availability.service                                                                      loaded    inactive dead    Availability of block devices
[..snip..]


-------
● arc-unenroll-file-semaphore.service - Arc-unenrollment upon shutdown service
     Loaded: loaded (/etc/systemd/system/arc-unenroll-file-semaphore.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2024-11-12 06:33:40 UTC; 11h ago
   Main PID: 11663 (code=exited, status=0/SUCCESS)
        CPU: 5ms

Nov 12 06:33:39 rack1compute01 systemd[1]: Starting Arc-unenrollment upon shutdown service...
Nov 12 06:33:40 rack1compute01 systemd[1]: Finished Arc-unenrollment upon shutdown service.


-------
○ atop-rotate.service - Restart atop daemon to rotate logs
     Loaded: loaded (/usr/lib/systemd/system/atop-rotate.service; static)
     Active: inactive (dead)
TriggeredBy: ● atop-rotate.timer
[..snip..]

View the output

The command provides a link (if using Cluster Manager storage) or another command (if using user-provided storage) to download the full output. The tar.gz file also contains the zipped extract command file outputs. Download the output file from the storage blob to a local directory by specifying the directory path in the optional argument --output-directory.

Warning

Using the --output-directory argument overwrites any files in the local directory that have the same name as the new files being created.

Note

The storage account could be locked due to network or firewall restrictions, resulting in 403 This request is not authorized to perform this operation. See the Cluster Manager storage or user-managed storage sections for the procedures to verify access.
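The link printed at the end of each command's output (visible in every output sample on this page) is a Shared Access Signature URL: the sig parameter is the credential, sp=r grants read, and st/se bound the window in which it works. Anyone who obtains the full URL can download the archive until se passes, so it should not be pasted into tickets, chat or logs as-is, and a download that fails after the window closed needs a fresh run rather than a firewall change. The following is an added example, not part of the Azure documentation or CLI, that pulls the URL out of saved command output, reports the expiry, checks whether the link is still inside its window, and produces a redacted form safe to share. The output text, storage account name, GUID and signature value are constructed.

```python
"""Handle the result link printed at the end of run-data-extract output.

Added example, not part of the Azure documentation or CLI. SAMPLE_OUTPUT is
constructed in the format shown on this page; the account name, blob GUID and
signature are placeholders.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SAMPLE_OUTPUT = """\
====Action Command Output====
Executing hardware-rollup-status command
Writing to /hostfs/tmp/runcommand

================================
Script execution result can be found in storage account:
 https://examplecmst.blob.core.windows.net/bmm-run-command-output/00000000-0000-0000-0000-000000000000-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=PLACEHOLDERSIGNATURE%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12
"""

RESULT_MARKER = "Script execution result can be found in storage account:"


def extract_result_url(output):
    """Return the https link that follows the result marker, or None."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == RESULT_MARKER:
            for candidate in lines[i + 1:]:
                if candidate.strip().startswith("https://"):
                    return candidate.strip()
    return None


def _parse_utc(value):
    # SAS timestamps use the form 2023-09-19T18:47:17Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sas_window(url):
    """(start, expiry) as aware datetimes; start is None if st is absent."""
    params = dict(parse_qsl(urlsplit(url).query))
    if "se" not in params:
        raise ValueError("not a SAS URL: no se (expiry) parameter")
    start = _parse_utc(params["st"]) if "st" in params else None
    return start, _parse_utc(params["se"])


def expiry_iso(url):
    """Expiry of the link as an ISO-8601 string."""
    return sas_window(url)[1].isoformat()


def is_usable(url, now_iso=None):
    """True while the SAS window is open. now_iso is a UTC timestamp in the
    same form as the se value; defaults to the current time."""
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    start, expiry = sas_window(url)
    return (start is None or start <= now) and now < expiry


def redact_sas(url):
    """Same URL with the sig parameter removed: still identifies the account,
    container, blob and expiry, but no longer grants access."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != "sig"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    url = extract_result_url(SAMPLE_OUTPUT)
    print("expires:", expiry_iso(url))
    print("usable now:", is_usable(url))
    print("shareable form:", redact_sas(url))
```

When a download returns 403, compare the current time with expiry_iso before changing firewall rules: an expired link and a blocked IP produce the same status code, but only the second is fixed by the access procedure above.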