Troubleshoot bare metal machine issues using the az networkcloud baremetalmachine run-data-extract command
In some situations, users may need to investigate and resolve issues with an on-premises bare metal machine. Azure Operator Nexus provides a prescribed set of data extract commands via az networkcloud baremetalmachine run-data-extract. These commands let users get diagnostic data from a bare metal machine.
The command produces an output file containing the data extract results. By default, the data is sent to the Cluster Manager storage account. There is also a preview method in which the user can configure the Cluster resource with a storage account and an identity that has access to that storage account, so that the output is delivered there instead.
Prerequisites
- This article assumes that the Azure command line interface and the networkcloud command line interface extension are installed. For more information, see How to install CLI extensions.
- The target bare metal machine is powered on and ready.
- The syntax of these commands is based on version 0.3.0+ of the az networkcloud CLI.
- Get the Cluster managed resource group name (cluster_MRG) that was created for the Cluster resource.
Verify access to the Cluster Manager storage account
Note
The Cluster Manager storage account output method will be deprecated in the future, once cluster onboarding to trusted services is complete and the user-managed storage option is fully supported.
If using the Cluster Manager storage method, verify that you have access to the Cluster Manager's storage account:
- From the Azure portal, navigate to the Cluster Manager's storage account.
- In the storage account details, select Storage browser from the navigation menu on the left side.
- In the storage browser details, select Blob containers.
- If you encounter 403 This request is not authorized to perform this operation. when accessing the storage account, the storage account's firewall settings need to be updated to include the public IP address.
- Request access by creating a support ticket via the portal on the Cluster Manager resource. Provide the public IP address that requires access.
Preview: Send command output to a user-specified storage account
Important
Note that this method of specifying a user storage account for command output is in preview. This method should only be used with user accounts that do not have a firewall enabled. If your environment requires the storage account firewall to be enabled, use the existing Cluster Manager output method.
Create and configure storage resources
- Create a storage account, or identify an existing storage account that you want to use. See Create an Azure storage account.
- Create a blob storage container in the storage account. See Create a container.
- Assign the "Storage Blob Data Contributor" role to the users and managed identities that need access to the run-data-extract output.
  - See Assign an Azure role for access to blob data. The role must also be assigned to either a user-assigned managed identity or the Cluster's own system-assigned managed identity.
  - For more information on managed identities, see Managed identities for Azure resources.
  - If using the Cluster's system-assigned identity, the system-assigned identity must be added to the cluster before it can be granted access.
  - When assigning the role to the Cluster's system-assigned identity, make sure you select the resource with the type "Cluster (Operator Nexus)".
Configure the Cluster to use a user-assigned managed identity for storage access
Use this command to create a Cluster with a user-managed storage account and a user-assigned identity. Note that this example is an abbreviated command that only highlights the fields relevant to adding user-managed storage. It is not the full cluster create command.
az networkcloud cluster create --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
...
--mi-user-assigned "<user-assigned-identity-resource-id>" \
--command-output-settings identity-type="UserAssignedIdentity" \
identity-resource-id="<user-assigned-identity-resource-id>" \
container-url="<container-url>" \
...
--subscription "<subscription>"
Use this command to configure an existing Cluster for the user-provided storage account and user-assigned identity. The update command can also be used to change the storage account location and identity if needed.
az networkcloud cluster update --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
--mi-user-assigned "<user-assigned-identity-resource-id>" \
--command-output-settings identity-type="UserAssignedIdentity" \
identity-resource-id="<user-assigned-identity-resource-id>" \
container-url="<container-url>" \
--subscription "<subscription>"
Configure the Cluster to use a system-assigned managed identity for storage access
Use this command to create a Cluster with a user-managed storage account and a system-assigned identity. Note that this example is an abbreviated command that only highlights the fields relevant to adding user-managed storage. It is not the full cluster create command.
az networkcloud cluster create --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
...
--mi-system-assigned true \
--command-output-settings identity-type="SystemAssignedIdentity" \
container-url="<container-url>" \
...
--subscription "<subscription>"
Use this command to configure an existing Cluster for the user-provided storage account, using the Cluster's own system-assigned identity. The update command can also be used to change the storage account location.
az networkcloud cluster update --name "<cluster-name>" \
--resource-group "<cluster-resource-group>" \
--mi-system-assigned true \
--command-output-settings identity-type="SystemAssignedIdentity" \
container-url="<container-url>" \
--subscription "<subscription>"
To change the Cluster from a user-assigned identity to a system-assigned identity, the CommandOutputSettings must first be cleared using the command in the next section, and then set using this command.
Clear the Cluster's CommandOutputSettings
The CommandOutputSettings can be cleared, which directs run-data-extract output back to the Cluster Manager's storage. However, this is not recommended because it is less secure, and the option will be removed in a future release.
The CommandOutputSettings do, however, need to be cleared when switching from a user-assigned identity to a system-assigned identity.
Use this command to clear the CommandOutputSettings:
az rest --method patch \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<cluster-resource-group>/providers/Microsoft.NetworkCloud/clusters/<cluster-name>?api-version=2024-08-01-preview" \
--body '{"properties": {"commandOutputSettings":null}}'
View the principal ID for the managed identity
The identity resource ID can be found by selecting "JSON view" on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.
The CLI can also be used to view the identity and the associated principal ID data within the cluster.
Example:
az networkcloud cluster show --ids /subscriptions/<Subscription ID>/resourceGroups/<Cluster Resource Group Name>/providers/Microsoft.NetworkCloud/clusters/<Cluster Name>
System-assigned identity example:
"identity": {
"principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
"tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
"type": "SystemAssigned"
},
User-assigned identity example:
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/<subscriptionID>/resourcegroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>": {
"clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
"principalId": "bbbbbbbb-cccc-dddd-2222-333333333333"
}
}
},
Execute a run-data-extract command
The run data extract command executes one or more predefined scripts to extract data from a bare metal machine.
Warning
Microsoft does not provide or support any Operator Nexus API calls that expect a plaintext username and/or password to be supplied. Note that any values sent are logged and are considered exposed secrets, which should be rotated and revoked. The Microsoft documented method for securely using secrets is to store them in an Azure Key Vault. If you have specific questions or concerns, submit a request via the Azure portal.
The current list of supported commands is:
- SupportAssist/TSR collection for Dell troubleshooting
  Command name: hardware-support-data-collection
  Arguments: requested log type
    - SysInfo: system information
    - TTYLog: storage TTYLog data
    - Debug: debug logs
- Collect Microsoft Defender for Endpoint (MDE) agent information
  Command name: mde-agent-information
  Arguments: none
- Collect MDE diagnostics support logs
  Command name: mde-support-diagnostics
  Arguments: none
- Collect Dell hardware rollup status
  Command name: hardware-rollup-status
  Arguments: none
- Generate cluster CVE report
  Command name: cluster-cve-report
  Arguments: none
- Collect Helm releases
  Command name: collect-helm-releases
  Arguments: none
- Collect systemctl status output
  Command name: platform-services-status
  Arguments: none
The command syntax is:
az networkcloud baremetalmachine run-data-extract --name "<machine-name>" \
--resource-group "<cluster_MRG>" \
--subscription "<subscription>" \
--commands '[{"arguments":["<arg1>","<arg2>"],"command":"<command1>"}]' \
--limit-time-seconds "<timeout>"
Specify multiple commands using JSON format in the --commands option. Each command specifies the command and its arguments. For a command with multiple arguments, provide them as a list to the arguments parameter. See Azure CLI Shorthand for instructions on constructing the --commands structure.
These commands can take a long time to run, so it is recommended to set --limit-time-seconds to at least 600 seconds (10 minutes). The Debug option, or running multiple extracts, may take longer than 10 minutes.
In the response, the operation runs asynchronously and returns an HTTP status code of 202. See the Viewing the output section for details on how to track command completion and view the output file.
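The --commands value is easy to get wrong by hand (a misspelled command name or an argument passed to a command that takes none), and because the run is asynchronous the mistake only surfaces after the timeout budget has been spent. The following added example, which is not part of this article or of the Azure CLI, builds the JSON for --commands from the command list above, rejects unknown commands and arguments before anything is sent, and assembles the full az invocation as an argv list. SUPPORTED_COMMANDS is transcribed from this page; the control-plane-only set comes from the notes in the cluster-cve-report and collect-helm-releases sections below; the 600-second minimum is the page's recommendation. The example does not call az itself.

```python
import json
import shlex

# Supported commands and the argument values each accepts, as listed on this
# page. Commands mapped to an empty set take no arguments.
SUPPORTED_COMMANDS = {
    "hardware-support-data-collection": {"SysInfo", "TTYLog", "Debug"},
    "mde-agent-information": set(),
    "mde-support-diagnostics": set(),
    "hardware-rollup-status": set(),
    "cluster-cve-report": set(),
    "collect-helm-releases": set(),
    "platform-services-status": set(),
}

# Commands whose sections on this page note that the target must be a
# control plane node, otherwise the action does not execute.
CONTROL_PLANE_ONLY = {"cluster-cve-report", "collect-helm-releases"}

# The page recommends at least 600 seconds for --limit-time-seconds.
MIN_LIMIT_SECONDS = 600


def validation_errors(specs):
    """Return a list of problems with the (command, arguments) pairs; empty means valid."""
    errors = []
    for name, args in specs:
        if name not in SUPPORTED_COMMANDS:
            errors.append(f"unsupported command: {name}")
            continue
        rejected = [a for a in args if a not in SUPPORTED_COMMANDS[name]]
        if rejected:
            errors.append(f"{name} does not accept arguments {rejected}")
    return errors


def build_commands(specs):
    """Return the compact JSON array expected by --commands, or raise on invalid input."""
    errors = validation_errors(specs)
    if errors:
        raise ValueError("; ".join(errors))
    entries = []
    for name, args in specs:
        entry = {"command": name}
        if args:  # the arguments key is only emitted for commands that take arguments
            entry["arguments"] = list(args)
        entries.append(entry)
    return json.dumps(entries, separators=(",", ":"))


def needs_control_plane_node(specs):
    """True if any requested command only runs on a control plane node."""
    return any(name in CONTROL_PLANE_ONLY for name, _ in specs)


def build_cli(machine, cluster_mrg, subscription, specs,
              limit_time_seconds=MIN_LIMIT_SECONDS, output_directory=None):
    """Assemble the az invocation as an argv list suitable for subprocess.run.

    The --commands JSON is one argv element, so no shell quoting is needed;
    the single quotes in the page's examples only protect the JSON from the
    shell. A timeout below the recommended minimum is rejected outright.
    """
    if limit_time_seconds < MIN_LIMIT_SECONDS:
        raise ValueError(f"--limit-time-seconds {limit_time_seconds} is below "
                         f"the recommended minimum of {MIN_LIMIT_SECONDS}")
    argv = [
        "az", "networkcloud", "baremetalmachine", "run-data-extract",
        "--name", machine,
        "--resource-group", cluster_mrg,
        "--subscription", subscription,
        "--commands", build_commands(specs),
        "--limit-time-seconds", str(limit_time_seconds),
    ]
    if output_directory:
        # Files of the same name already in this directory are overwritten.
        argv += ["--output-directory", output_directory]
    return argv


if __name__ == "__main__":
    # Placeholder resource names, not real ones.
    specs = [("hardware-support-data-collection", ["SysInfo", "TTYLog"]),
             ("hardware-rollup-status", [])]
    print(shlex.join(build_cli("<machine-name>", "<cluster_MRG>", "<subscription>", specs)))
```

Running the module prints a shell-quoted command line equivalent to the examples on this page; the validation functions can also be called from an automation wrapper before the run is submitted.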
Hardware support data collection
This example executes the hardware-support-data-collection command and gets the SysInfo and TTYLog logs from the Dell server. The script executes a racadm supportassist collect command on the specified bare metal machine. The resulting tar.gz file contains the zipped extract command file outputs in hardware-support-data-<timestamp>.zip.
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"arguments":["SysInfo", "TTYLog"],"command":"hardware-support-data-collection"}]' \
--limit-time-seconds 600
hardware-support-data-collection output
====Action Command Output====
Executing hardware-support-data-collection command
Getting following hardware support logs: SysInfo,TTYLog
Job JID_814372800396 is running, waiting for it to complete ...
Job JID_814372800396 Completed.
---------------------------- JOB -------------------------
[Job ID=JID_814372800396]
Job Name=SupportAssist Collection
Status=Completed
Scheduled Start Time=[Not Applicable]
Expiration Time=[Not Applicable]
Actual Start Time=[Thu, 13 Apr 2023 20:54:40]
Actual Completion Time=[Thu, 13 Apr 2023 20:59:51]
Message=[SRV088: The SupportAssist Collection Operation is completed successfully.]
Percent Complete=[100]
----------------------------------------------------------
Deleting Job JID_814372800396
Collection successfully exported to /hostfs/tmp/runcommand/hardware-support-data-2023-04-13T21:00:01.zip
================================
Script execution result can be found in storage account:
https://cm2p9bctvhxnst.blob.core.windows.net/bmm-run-command-output/dd84df50-7b02-4d10-a2be-46782cbf4eef-action-bmmdataextcmd.tar.gz?se=2023-04-14T01%3A00%3A15Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%2BM6rmxDFqXE%3D&sp=r&spr=https&sr=b&st=2023-04-13T21%3A00%3A15Z&sv=2019-12-12
Example list of hardware support files collected
Archive: TSR20240227164024_FM56PK3.pl.zip
creating: tsr/hardware/
creating: tsr/hardware/spd/
creating: tsr/hardware/sysinfo/
creating: tsr/hardware/sysinfo/inventory/
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_BIOSAttribute.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Sensor.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_View.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_SoftwareIdentity.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Capabilities.xml
inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_StatisticalData.xml
creating: tsr/hardware/sysinfo/lcfiles/
inflating: tsr/hardware/sysinfo/lcfiles/lclog_0.xml.gz
inflating: tsr/hardware/sysinfo/lcfiles/curr_lclog.xml
creating: tsr/hardware/psu/
creating: tsr/hardware/idracstateinfo/
inflating: tsr/hardware/idracstateinfo/avc.log
extracting: tsr/hardware/idracstateinfo/avc.log.persistent.1
[..snip..]
Collect MDE agent information
Data is collected with the mde-agent-information command and formatted as JSON to /hostfs/tmp/runcommand/mde-agent-information.json. The JSON file is found in the data extract zip file located in the storage account. The script executes a sequence of mdatp commands on the specified bare metal machine.
This example executes the mde-agent-information command without arguments.
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"mde-agent-information"}]' \
--limit-time-seconds 600
mde-agent-information output
====Action Command Output====
Executing mde-agent-information command
MDE agent is running, proceeding with data extract
Getting MDE agent information for bareMetalMachine
Writing to /hostfs/tmp/runcommand
================================
Script execution result can be found in storage account:
https://cmzhnh6bdsfsdwpbst.blob.core.windows.net/bmm-run-command-output/f5962f18-2228-450b-8cf7-cb8344fdss63b0-action-bmmdataextcmd.tar.gz?se=2023-07-26T19%3A07%3A22Z&sig=X9K3VoNWRFP78OKqFjvYoxubp65BbNTq%2BGnlHclI9Og%3D&sp=r&spr=https&sr=b&st=2023-07-26T15%3A07%3A22Z&sv=2019-12-12
Sample JSON object collected
{
"diagnosticInformation": {
"realTimeProtectionStats": $real_time_protection_stats,
"eventProviderStats": $event_provider_stats
},
"mdeDefinitions": $mde_definitions,
"generalHealth": $general_health,
"mdeConfiguration": $mde_config,
"scanList": $scan_list,
"threatInformation": {
"list": $threat_info_list,
"quarantineList": $threat_info_quarantine_list
}
}
Collect MDE support diagnostics
The data collected by the mde-support-diagnostics command uses the MDE Client Analyzer tool to bundle the output of mdatp commands together with the relevant log files. The tgz file in the storage account contains a zip file named mde-support-diagnostics-<hostname>.zip. The zip should be sent along with any support request so that the support team can use the logs for troubleshooting and root cause analysis as needed.
This example executes the mde-support-diagnostics command without arguments.
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"mde-support-diagnostics"}]' \
--limit-time-seconds 600
mde-support-diagnostics output
====Action Command Output====
Executing mde-support-diagnostics command
[2024-01-23 16:07:37.588][INFO] XMDEClientAnalyzer Version: 1.3.2
[2024-01-23 16:07:38.367][INFO] Top Command output: [/tmp/top_output_2024_01_23_16_07_37mel0nue0.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Summary: [/tmp/top_summary_2024_01_23_16_07_370zh7dkqn.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Outliers: [/tmp/top_outlier_2024_01_23_16_07_37aypcfidh.txt]
[2024-01-23 16:07:38.368][INFO] [MDE Diagnostic]
[2024-01-23 16:07:38.368][INFO] Collecting MDE Diagnostic
[2024-01-23 16:07:38.613][WARNING] mde is not running
[2024-01-23 16:07:41.343][INFO] [SLEEP] [3sec] waiting for agent to create diagnostic package
[2024-01-23 16:07:44.347][INFO] diagnostic package path: /var/opt/microsoft/mdatp/wdavdiag/5b1edef9-3b2a-45c1-a45d-9e7e4b6b869e.zip
[2024-01-23 16:07:44.347][INFO] Successfully created MDE diagnostic zip
[2024-01-23 16:07:44.348][INFO] Adding mde_diagnostic.zip to report directory
[2024-01-23 16:07:44.348][INFO] Collecting MDE Health
[...snip...]
================================
Script execution result can be found in storage account:
https://cmmj627vvrzkst.blob.core.windows.net/bmm-run-command-output/7c5557b9-b6b6-a4a4-97ea-752c38918ded-action-bmmdataextcmd.tar.gz?se=2024-01-23T20%3A11%3A32Z&sig=9h20XlZO87J7fCr0S1234xcyu%2Fl%2BVuaDh1BE0J6Yfl8%3D&sp=r&spr=https&sr=b&st=2024-01-23T16%3A11%3A32Z&sv=2019-12-12
After downloading the execution result file, the support files can be unzipped for analysis.
Example list of information collected by the MDE Client Analyzer
Archive: mde-support-diagnostics-rack1compute02.zip
inflating: mde_diagnostic.zip
inflating: process_information.txt
inflating: auditd_info.txt
inflating: auditd_log_analysis.txt
inflating: auditd_logs.zip
inflating: ebpf_kernel_config.txt
inflating: ebpf_enabled_func.txt
inflating: ebpf_syscalls.zip
inflating: ebpf_raw_syscalls.zip
inflating: messagess.zip
inflating: conflicting_processes_information.txt
[...snip...]
Hardware rollup status
Data is collected with the hardware-rollup-status command and formatted as JSON to /hostfs/tmp/runcommand/rollupStatus.json. The JSON file is found in the data extract zip file located in the storage account. The data collected shows the health of the machine's subsystems.
This example executes the hardware-rollup-status command without arguments.
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"hardware-rollup-status"}]' \
--limit-time-seconds 600
hardware-rollup-status output
====Action Command Output====
Executing hardware-rollup-status command
Getting rollup status logs for b37dev03a1c002
Writing to /hostfs/tmp/runcommand
================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12
Sample JSON collected
{
"@odata.context" : "/redfish/v1/$metadata#DellRollupStatusCollection.DellRollupStatusCollection",
"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus",
"@odata.type" : "#DellRollupStatusCollection.DellRollupStatusCollection",
"Description" : "A collection of DellRollupStatus resource",
"Members" :
[
{
"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
"CollectionName" : "CurrentRollupStatus",
"Description" : "Represents the subcomponent roll-up statuses.",
"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Current",
"Name" : "DellRollupStatus",
"RollupStatus" : "Ok",
"SubSystem" : "Current"
},
{
"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
"CollectionName" : "VoltageRollupStatus",
"Description" : "Represents the subcomponent roll-up statuses.",
"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Voltage",
"Name" : "DellRollupStatus",
"RollupStatus" : "Ok",
"SubSystem" : "Voltage"
},
[..snip..]
Generate cluster CVE report
Vulnerability data is collected with the cluster-cve-report command and formatted as JSON to {year}-{month}-{day}-nexus-cluster-vulnerability-report.json. The JSON file is found in the data extract zip file located in the storage account. The data collected includes vulnerability data for each container image in the cluster.
This example executes the cluster-cve-report command without arguments.
Note
The target machine must be a control plane node, otherwise the action does not execute.
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"cluster-cve-report"}]' \
--limit-time-seconds 600
cluster-cve-report output
====Action Command Output====
Nexus cluster vulnerability report saved.
================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12
CVE report schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Vulnerability Report",
"type": "object",
"properties": {
"metadata": {
"type": "object",
"properties": {
"dateRetrieved": {
"type": "string",
"format": "date-time",
"description": "The date and time when the data was retrieved."
},
"platform": {
"type": "string",
"description": "The name of the platform."
},
"resource": {
"type": "string",
"description": "The name of the resource."
},
"runtimeVersion": {
"type": "string",
"description": "The version of the runtime."
},
"managementVersion": {
"type": "string",
"description": "The version of the management software."
},
"vulnerabilitySummary": {
"type": "object",
"properties": {
"criticalCount": {
"type": "integer",
"description": "Number of critical vulnerabilities."
},
"highCount": {
"type": "integer",
"description": "Number of high severity vulnerabilities."
},
"mediumCount": {
"type": "integer",
"description": "Number of medium severity vulnerabilities."
},
"lowCount": {
"type": "integer",
"description": "Number of low severity vulnerabilities."
},
"noneCount": {
"type": "integer",
"description": "Number of vulnerabilities with no severity."
},
"unknownCount": {
"type": "integer",
"description": "Number of vulnerabilities with unknown severity."
}
},
"required": ["criticalCount", "highCount", "mediumCount", "lowCount", "noneCount", "unknownCount"]
}
},
"required": ["dateRetrieved", "platform", "resource", "runtimeVersion", "managementVersion", "vulnerabilitySummary"]
},
"containers": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "object",
"properties": {
"namespace": {
"type": "string",
"description": "The namespace of the container."
},
"digest": {
"type": "string",
"description": "The digest of the container image."
},
"os": {
"type": "object",
"properties": {
"family": {
"type": "string",
"description": "The family of the operating system."
}
},
"required": ["family"]
},
"summary": {
"type": "object",
"properties": {
"criticalCount": {
"type": "integer",
"description": "Number of critical vulnerabilities in this container."
},
"highCount": {
"type": "integer",
"description": "Number of high severity vulnerabilities in this container."
},
"lowCount": {
"type": "integer",
"description": "Number of low severity vulnerabilities in this container."
},
"mediumCount": {
"type": "integer",
"description": "Number of medium severity vulnerabilities in this container."
},
"noneCount": {
"type": "integer",
"description": "Number of vulnerabilities with no severity in this container."
},
"unknownCount": {
"type": "integer",
"description": "Number of vulnerabilities with unknown severity in this container."
}
},
"required": ["criticalCount", "highCount", "lowCount", "mediumCount", "noneCount", "unknownCount"]
},
"vulnerabilities": {
"type": "array",
"items": {
"type": "object",
"properties": {
"title": {
"type": "string",
"description": "Title of the vulnerability."
},
"vulnerabilityID": {
"type": "string",
"description": "Identifier of the vulnerability."
},
"fixedVersion": {
"type": "string",
"description": "The version in which the vulnerability is fixed."
},
"installedVersion": {
"type": "string",
"description": "The currently installed version."
},
"referenceLink": {
"type": "string",
"format": "uri",
"description": "Link to the vulnerability details."
},
"publishedDate": {
"type": "string",
"format": "date-time",
"description": "The date when the vulnerability was published."
},
"score": {
"type": "number",
"description": "The CVSS score of the vulnerability."
},
"severity": {
"type": "string",
"description": "The severity level of the vulnerability."
},
"resource": {
"type": "string",
"description": "The resource affected by the vulnerability."
},
"target": {
"type": "string",
"description": "The target of the vulnerability."
},
"packageType": {
"type": "string",
"description": "The type of the package."
},
"exploitAvailable": {
"type": "boolean",
"description": "Indicates if an exploit is available for the vulnerability."
}
},
"required": ["title", "vulnerabilityID", "fixedVersion", "installedVersion", "referenceLink", "publishedDate", "score", "severity", "resource", "target", "packageType", "exploitAvailable"]
}
}
},
"required": ["namespace", "digest", "os", "summary", "vulnerabilities"]
}
}
}
},
"required": ["metadata", "containers"]
}
CVE data details
The CVE data is refreshed every 24 hours, or whenever a Kubernetes resource that references the image changes.
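The report above is a per-image dump, and the first thing an operator wants from it is a ranked worklist plus some assurance that the summary counts agree with the findings they summarise. The following added example (this is not code from the article or from Operator Nexus) builds a small report that conforms to the schema above from constructed values, flattens it into findings ordered by exploit availability, severity and whether a fixedVersion exists, and recounts every summary block against the vulnerability entries. The severity ranking and the case-insensitive comparison are this example's assumptions; the schema only types severity as a string. The CVE identifiers, image names and digests are placeholders.

```python
import json
from collections import Counter

# Assumption: severity strings are compared case-insensitively with this
# ranking; the schema above only declares the field as a string.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0, "UNKNOWN": 0}
COUNT_FIELD = {"CRITICAL": "criticalCount", "HIGH": "highCount", "MEDIUM": "mediumCount",
               "LOW": "lowCount", "NONE": "noneCount", "UNKNOWN": "unknownCount"}


def _vuln(vuln_id, severity, score, installed, fixed, exploit):
    """One vulnerability entry with every field the schema requires (constructed values)."""
    return {"title": f"constructed finding {vuln_id}", "vulnerabilityID": vuln_id,
            "fixedVersion": fixed, "installedVersion": installed,
            "referenceLink": f"https://example.invalid/{vuln_id}",
            "publishedDate": "2024-01-01T00:00:00Z", "score": score, "severity": severity,
            "resource": "libexample", "target": "example image (debian 12)",
            "packageType": "debian", "exploitAvailable": exploit}


def _counts(vulns):
    """Severity counts in the shape of the schema's summary objects."""
    c = Counter(v["severity"].upper() for v in vulns)
    return {field: c.get(sev, 0) for sev, field in COUNT_FIELD.items()}


def _container(namespace, digest, vulns):
    return {"namespace": namespace, "digest": digest, "os": {"family": "debian"},
            "summary": _counts(vulns), "vulnerabilities": vulns}


# Constructed sample report following the schema above; not real scan output.
_APP_A = [_vuln("CVE-0000-0001", "CRITICAL", 9.8, "1.2.3", "1.2.4", True),
          _vuln("CVE-0000-0002", "MEDIUM", 5.3, "4.0.0", "", False)]
_APP_B = [_vuln("CVE-0000-0003", "HIGH", 7.5, "2.0.0", "2.0.1", False)]
SAMPLE_REPORT = json.dumps({
    "metadata": {"dateRetrieved": "2024-10-29T22:00:00Z", "platform": "nexus",
                 "resource": "example-cluster", "runtimeVersion": "0.0.0-example",
                 "managementVersion": "0.0.0-example",
                 "vulnerabilitySummary": _counts(_APP_A + _APP_B)},
    "containers": {"example.azurecr.io/app-a:1.0": [_container("app-a", "sha256:aaaa", _APP_A)],
                   "example.azurecr.io/app-b:2.0": [_container("app-b", "sha256:bbbb", _APP_B)]},
})


def load_report(text):
    """Parse the report and check the top-level keys the schema marks as required."""
    report = json.loads(text)
    missing = [k for k in ("metadata", "containers") if k not in report]
    if missing:
        raise ValueError(f"report is missing required keys: {missing}")
    return report


def prioritized_findings(report, min_severity="HIGH"):
    """Flatten findings at or above min_severity into a worklist, worst first.

    Order: exploit available first, then severity, then entries that have a
    fixedVersion (i.e. an upgrade exists) ahead of those without, then by ID.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    rows = []
    for image, entries in report["containers"].items():
        for entry in entries:
            for v in entry["vulnerabilities"]:
                sev = v["severity"].upper()
                if SEVERITY_RANK.get(sev, 0) < threshold:
                    continue
                rows.append({"image": image, "namespace": entry["namespace"],
                             "id": v["vulnerabilityID"], "severity": sev,
                             "exploitAvailable": v["exploitAvailable"],
                             "fixedVersion": v["fixedVersion"],
                             "installedVersion": v["installedVersion"]})
    rows.sort(key=lambda r: (not r["exploitAvailable"], -SEVERITY_RANK[r["severity"]],
                             not r["fixedVersion"], r["id"]))
    return rows


def summary_mismatches(report):
    """Recount severities per container and cluster-wide and compare them with
    the report's own summary fields. Returns (scope, field, reported, recounted)."""
    mismatches, all_vulns = [], []
    for image, entries in report["containers"].items():
        for entry in entries:
            all_vulns.extend(entry["vulnerabilities"])
            for field, recounted in _counts(entry["vulnerabilities"]).items():
                if entry["summary"][field] != recounted:
                    mismatches.append((image, field, entry["summary"][field], recounted))
    cluster = report["metadata"]["vulnerabilitySummary"]
    for field, recounted in _counts(all_vulns).items():
        if cluster[field] != recounted:
            mismatches.append(("cluster", field, cluster[field], recounted))
    return mismatches


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    for row in prioritized_findings(report):
        print(row["severity"], row["id"], row["image"], "fix:", row["fixedVersion"] or "none")
    print("summary mismatches:", summary_mismatches(report))
```

To use it on a real extract, replace SAMPLE_REPORT with the contents of the {year}-{month}-{day}-nexus-cluster-vulnerability-report.json file from the downloaded archive; the functions only depend on the fields the schema marks as required.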
Collect Helm releases
Helm release data is collected using the collect-helm-releases command and formatted as JSON to {year}-{month}-{day}-helm-releases.json. The JSON file is found in the data extract zip file located in the storage account. The data collected includes all Helm release information in the cluster, which contains the standard data returned when running helm list.
This example executes the collect-helm-releases command without arguments.
Note
The target machine must be a control plane node, otherwise the action does not execute.
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"collect-helm-releases"}]' \
--limit-time-seconds 600
collect-helm-releases output
====Action Command Output====
Helm releases report saved.
================================
Script execution result can be found in storage account:
https://cmcr5xp3mbn7st.blob.core.windows.net/bmm-run-command-output/a29dcbdb-5524-4172-8b55-88e0e5ec93ff-action-bmmdataextcmd.tar.gz?se=2024-10-30T02%3A09%3A54Z&sig=v6cjiIDBP9viEijs%2B%2BwJDrHIAbLEmuiVmCEEDHEi%2FEc%3D&sp=r&spr=https&sr=b&st=2024-10-29T22%3A09%3A54Z&sv=2023-11-03
Helm release schema
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"properties": {
"metadata": {
"type": "object",
"properties": {
"dateRetrieved": {
"type": "string"
},
"platform": {
"type": "string"
},
"resource": {
"type": "string"
},
"clusterId": {
"type": "string"
},
"runtimeVersion": {
"type": "string"
},
"managementVersion": {
"type": "string"
}
},
"required": [
"clusterId",
"dateRetrieved",
"managementVersion",
"platform",
"resource",
"runtimeVersion"
]
},
"helmReleases": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"namespace": {
"type": "string"
},
"revision": {
"type": "string"
},
"updated": {
"type": "string"
},
"status": {
"type": "string"
},
"chart": {
"type": "string"
},
"app_version": {
"type": "string"
}
},
"required": [
"app_version",
"chart",
"name",
"namespace",
"revision",
"status",
"updated"
]
}
}
},
"required": [
"helmReleases",
"metadata"
]
}
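A single Helm release listing is mostly useful for support; two listings taken at different times are what an operator needs to spot drift: a release that appeared without a change record, one that disappeared, a chart or app_version that moved, or a release left in a non-deployed state. The following added example, which is not part of this article or of Operator Nexus, builds two constructed reports in the shape of the schema above and diffs them by (namespace, name). The release names, chart names and cluster ID are placeholders, and treating any status other than "deployed" as unhealthy is this example's assumption about the strings helm list returns.

```python
import json

TRACKED_FIELDS = ("chart", "app_version", "status")


def _release(name, namespace, revision, chart, app_version, status="deployed"):
    """One helmReleases entry with every field the schema requires (constructed values)."""
    return {"name": name, "namespace": namespace, "revision": revision,
            "updated": "2024-10-29 22:00:00.000000000 +0000 UTC", "status": status,
            "chart": chart, "app_version": app_version}


def _report(releases):
    return json.dumps({
        "metadata": {"dateRetrieved": "2024-10-29T22:00:00Z", "platform": "nexus",
                     "resource": "example-cluster", "clusterId": "example-cluster-id",
                     "runtimeVersion": "0.0.0-example", "managementVersion": "0.0.0-example"},
        "helmReleases": releases})


# Constructed baseline and later snapshot; not real cluster data.
BASELINE_REPORT = _report([
    _release("ingress", "kube-system", "3", "ingress-1.2.0", "1.2.0"),
    _release("metrics", "monitoring", "1", "metrics-0.9.0", "0.9.0"),
    _release("legacy-tool", "default", "2", "legacy-tool-0.1.0", "0.1.0"),
])
CURRENT_REPORT = _report([
    _release("ingress", "kube-system", "4", "ingress-1.3.0", "1.3.0"),
    _release("metrics", "monitoring", "2", "metrics-0.9.0", "0.9.0", status="failed"),
    _release("unexpected-agent", "default", "1", "unexpected-agent-0.0.1", "0.0.1"),
])


def load_releases(text):
    """Parse a report, check the required top-level keys, and index releases by (namespace, name)."""
    doc = json.loads(text)
    missing = [k for k in ("metadata", "helmReleases") if k not in doc]
    if missing:
        raise ValueError(f"report is missing required keys: {missing}")
    return {(rel["namespace"], rel["name"]): rel for rel in doc["helmReleases"]}


def diff_releases(baseline_text, current_text):
    """Return added and removed release keys and, for releases present in both
    snapshots, the tracked fields whose values changed (old, new)."""
    base = load_releases(baseline_text)
    cur = load_releases(current_text)
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    changed = []
    for key in sorted(set(base) & set(cur)):
        deltas = {f: (base[key][f], cur[key][f])
                  for f in TRACKED_FIELDS if base[key][f] != cur[key][f]}
        if deltas:
            changed.append((key, deltas))
    return {"added": added, "removed": removed, "changed": changed}


def unhealthy_releases(text):
    """Releases whose status is anything other than 'deployed' (assumed healthy state)."""
    return sorted(k for k, rel in load_releases(text).items() if rel["status"] != "deployed")


if __name__ == "__main__":
    for kind, items in diff_releases(BASELINE_REPORT, CURRENT_REPORT).items():
        print(kind, items)
    print("unhealthy:", unhealthy_releases(CURRENT_REPORT))
```

Keeping the {year}-{month}-{day}-helm-releases.json file from a known-good extract as the baseline turns each later collect-helm-releases run into a drift check that can be reviewed alongside the change record for the cluster.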
Collect systemctl status output
Service status is collected using the platform-services-status command. The output is plain text and returns an overview of the status of the services on the host, followed by the systemctl status of each service found.
This example executes the platform-services-status command without arguments.
az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
--resource-group "cluster_MRG" \
--subscription "subscription" \
--commands '[{"command":"platform-services-status"}]' \
--limit-time-seconds 600
--output-directory "/path/to/local/directory"
platform-services-status output
====Action Command Output====
UNIT LOAD ACTIVE SUB DESCRIPTION
aods-infra-vf-config.service not-found inactive dead aods-infra-vf-config.service
aods-pnic-config-infra.service not-found inactive dead aods-pnic-config-infra.service
aods-pnic-config-workload.service not-found inactive dead aods-pnic-config-workload.service
arc-unenroll-file-semaphore.service loaded active exited Arc-unenrollment upon shutdown service
atop-rotate.service loaded inactive dead Restart atop daemon to rotate logs
atop.service loaded active running Atop advanced performance monitor
atopacct.service loaded active running Atop process accounting daemon
audit.service loaded inactive dead Audit service
auditd.service loaded active running Security Auditing Service
azurelinux-sysinfo.service loaded inactive dead Azure Linux Sysinfo Service
blk-availability.service loaded inactive dead Availability of block devices
[..snip..]
-------
● arc-unenroll-file-semaphore.service - Arc-unenrollment upon shutdown service
Loaded: loaded (/etc/systemd/system/arc-unenroll-file-semaphore.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2024-11-12 06:33:40 UTC; 11h ago
Main PID: 11663 (code=exited, status=0/SUCCESS)
CPU: 5ms
Nov 12 06:33:39 rack1compute01 systemd[1]: Starting Arc-unenrollment upon shutdown service...
Nov 12 06:33:40 rack1compute01 systemd[1]: Finished Arc-unenrollment upon shutdown service.
-------
○ atop-rotate.service - Restart atop daemon to rotate logs
Loaded: loaded (/usr/lib/systemd/system/atop-rotate.service; static)
Active: inactive (dead)
TriggeredBy: ● atop-rotate.timer
[..snip..]
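The unit table at the top of the platform-services-status output is the part worth checking mechanically: it tells you at a glance whether the services a hardened host is expected to run (the audit daemon, for example) are loaded and active, and whether anything is in the failed state. The following added example, which is not part of this article or of Operator Nexus, parses that table from a constructed sample in the layout shown above (a few of the page's units plus one failed unit added to exercise the check), tolerates the leading status marker systemctl prints on some lines and the [..snip..] line, and stops at the first ------- separator where the per-unit status blocks begin. The list of required units passed to the check is the caller's choice, not a list taken from the page.

```python
# Constructed sample in the layout of the platform-services-status output above.
# Columns are whitespace-separated; only DESCRIPTION may contain spaces.
SAMPLE_OUTPUT = """\
====Action Command Output====
UNIT                                LOAD      ACTIVE   SUB     DESCRIPTION
aods-infra-vf-config.service        not-found inactive dead    aods-infra-vf-config.service
arc-unenroll-file-semaphore.service loaded    active   exited  Arc-unenrollment upon shutdown service
atop.service                        loaded    active   running Atop advanced performance monitor
audit.service                       loaded    inactive dead    Audit service
auditd.service                      loaded    active   running Security Auditing Service
● example-failed.service            loaded    failed   failed  Constructed failed unit
[..snip..]
-------
● arc-unenroll-file-semaphore.service - Arc-unenrollment upon shutdown service
   Loaded: loaded (/etc/systemd/system/arc-unenroll-file-semaphore.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2024-11-12 06:33:40 UTC; 11h ago
-------
"""

# Status markers systemctl prefixes on some table lines.
BULLETS = "●○* "


def parse_unit_table(text):
    """Parse the UNIT/LOAD/ACTIVE/SUB/DESCRIPTION table into dicts.

    Parsing starts at the header line and stops at the first ------- separator
    (or blank line). Lines with fewer than four columns, such as [..snip..],
    are skipped rather than misread as units.
    """
    units = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("UNIT"):
            in_table = True
            continue
        if not in_table:
            continue
        if not line or line.startswith("-------"):
            break
        parts = line.lstrip(BULLETS).split(None, 4)
        if len(parts) < 4:
            continue
        unit, load, active, sub = parts[:4]
        units.append({"unit": unit, "load": load, "active": active, "sub": sub,
                      "description": parts[4] if len(parts) == 5 else ""})
    return units


def failed_units(units):
    """Units systemd reports in the failed state."""
    return [u["unit"] for u in units if u["active"] == "failed"]


def required_unit_problems(units, required):
    """For each required unit name, report if it is absent from the listing,
    not loaded, or not active. Returns (unit, reason) pairs in the order given."""
    by_name = {u["unit"]: u for u in units}
    problems = []
    for name in required:
        u = by_name.get(name)
        if u is None:
            problems.append((name, "missing from listing"))
        elif u["load"] != "loaded":
            problems.append((name, f"load={u['load']}"))
        elif u["active"] != "active":
            problems.append((name, f"active={u['active']} sub={u['sub']}"))
    return problems


if __name__ == "__main__":
    parsed = parse_unit_table(SAMPLE_OUTPUT)
    print("failed:", failed_units(parsed))
    # The required list here is an example choice for illustration only.
    print("problems:", required_unit_problems(parsed, ["auditd.service", "audit.service"]))
```

On a real extract, feed the function the text of the platform-services-status output file from the downloaded archive; the per-unit status blocks after the separator are left for manual reading, which is where the journal lines in them are most useful.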
Viewing the output
The command provides a link (if using Cluster Manager storage) or another command (if using user-provided storage) to download the full output. The tar.gz file also contains the zipped extract command file outputs. Download the output file from the storage blob to a local directory by specifying the directory path in the optional --output-directory argument.
Warning
Using the --output-directory argument overwrites any files in the local directory that have the same name as the new files being created.
Note
The storage account could be locked, resulting in 403 This request is not authorized to perform this operation. due to networking or firewall restrictions. See the Cluster Manager storage or user-managed storage sections for the procedures to verify access.