

Troubleshoot bare metal machine issues using the az networkcloud baremetalmachine run-data-extract command

There are situations where a user needs to investigate and resolve issues with an on-premises bare metal machine. Azure Operator Nexus provides a prescribed set of data extract commands via az networkcloud baremetalmachine run-data-extract. These commands let users get diagnostic data from a bare metal machine.

The command produces an output file containing the results of the data extract. By default, the data is sent to the Cluster Manager storage account. There's also a preview method where the user can configure the Cluster resource with a storage account and an identity that has access to that storage account, so that the output is written there instead.

Prerequisites

  • This article assumes that the Azure command line interface and the networkcloud command line interface extension are installed. For more information, see How to install CLI extensions.
  • The target bare metal machine is powered on and ready.
  • The syntax for these commands is based on the 0.3.0+ version of the az networkcloud CLI.
  • Get the Cluster's managed resource group name (cluster_MRG) that you created for the Cluster resource.

Verify access to the Cluster Manager storage account

Note

The Cluster Manager storage account output method will be deprecated in the future, once the Cluster's onboarding to Trusted Services is complete and the user-managed storage option is fully supported.

If you're using the Cluster Manager storage method, verify that you have access to the Cluster Manager's storage account:

  1. From the Azure portal, navigate to the Cluster Manager's storage account.
  2. In the storage account details, select Storage browser from the left navigation menu.
  3. In the Storage browser details, select Blob containers.
  4. If you get a 403 This request is not authorized to perform this operation. error while accessing the storage account, the storage account's firewall settings must be updated to include your public IP address.
  5. Request access by creating a support ticket via the portal on the Cluster Manager resource. Provide the public IP address that requires access.

Preview: Send command output to a user specified storage account

Important

Note that this method of specifying a user storage account for command output is in preview. This method should only be used with user storage accounts that don't have a firewall enabled. If your environment requires a storage account firewall to be enabled, use the existing Cluster Manager output method.

Create and configure storage resources

  1. Create a storage account, or identify an existing storage account that you want to use. See Create an Azure storage account.
  2. Create a blob storage container in the storage account. See Create a container.
  3. Assign the "Storage Blob Data Contributor" role to the users and managed identities that need access to the run-data-extract output.
    1. See Assign an Azure role for access to blob data. The role must also be assigned to either a user-assigned managed identity or the cluster's own system-assigned managed identity.
    2. For more information on managed identities, see Managed identities for Azure resources.
    3. If using the cluster's system-assigned identity, the system-assigned identity must be added to the cluster before it can be granted access.
    4. When assigning the role to the cluster's system-assigned identity, make sure you select the resource with the type "Cluster (Operator Nexus)".

Configure the Cluster to use a user-assigned managed identity for storage access

Use this command to create a cluster with a user managed storage account and a user-assigned identity. Note that this example is an abbreviated command that only highlights the fields pertinent to adding the user managed storage. It isn't the full cluster create command.

az networkcloud cluster create --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  ...
  --mi-user-assigned "<user-assigned-identity-resource-id>" \
  --command-output-settings identity-type="UserAssignedIdentity" \
  identity-resource-id="<user-assigned-identity-resource-id>" \
  container-url="<container-url>" \
  ...
  --subscription "<subscription>"

Use this command to configure an existing cluster for the user provided storage account and user-assigned identity. The update command can also be used to change the storage account location and identity if needed.

az networkcloud cluster update --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  --mi-user-assigned "<user-assigned-identity-resource-id>" \
  --command-output-settings identity-type="UserAssignedIdentity" \
  identity-resource-id="<user-assigned-identity-resource-id>" \
  container-url="<container-url>" \
  --subscription "<subscription>"

Configure the Cluster to use a system-assigned managed identity for storage access

Use this command to create a cluster with a user managed storage account and a system-assigned identity. Note that this example is an abbreviated command that only highlights the fields pertinent to adding the user managed storage. It isn't the full cluster create command.

az networkcloud cluster create --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  ...
  --mi-system-assigned true \
  --command-output-settings identity-type="SystemAssignedIdentity" \
  container-url="<container-url>" \
  ...
  --subscription "<subscription>"

Use this command to configure an existing cluster for the user provided storage account and to use its own system-assigned identity. The update command can also be used to change the storage account location.

az networkcloud cluster update --name "<cluster-name>" \
  --resource-group "<cluster-resource-group>" \
  --mi-system-assigned true \
  --command-output-settings identity-type="SystemAssignedIdentity" \
  container-url="<container-url>" \
  --subscription "<subscription>"

To change the cluster from a user-assigned identity to a system-assigned identity, the CommandOutputSettings must first be cleared using the command in the next section, and then set using this command.

Clear the cluster's CommandOutputSettings

The CommandOutputSettings can be cleared, directing run-data-extract output back to the Cluster Manager's storage. However, this option isn't recommended, since it's less secure and will be removed in a future release.

However, the CommandOutputSettings must be cleared when switching from a user-assigned identity to a system-assigned identity.

Use this command to clear the CommandOutputSettings:

az rest --method patch \
  --url  "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<cluster-resource-group>/providers/Microsoft.NetworkCloud/clusters/<cluster-name>?api-version=2024-08-01-preview" \
  --body '{"properties": {"commandOutputSettings":null}}'

View the principal ID for the managed identity

The identity resource ID can be found by selecting JSON view on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.

The CLI can also be used to view the identity and the associated principal ID data within the cluster.

Example:

az networkcloud cluster show --ids /subscriptions/<Subscription ID>/resourceGroups/<Cluster Resource Group Name>/providers/Microsoft.NetworkCloud/clusters/<Cluster Name>

System-assigned identity example:

    "identity": {
        "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
        "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
        "type": "SystemAssigned"
    },

User-assigned identity example:

    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "/subscriptions/<subscriptionID>/resourcegroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>": {
                "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
                "principalId": "bbbbbbbb-cccc-dddd-2222-333333333333"
            }
        }
    },

Execute a run-data-extract command

The run data extract command executes one or more predefined scripts to extract data from a bare metal machine.

Warning

Microsoft doesn't provide or support any Operator Nexus API calls that expect a plaintext username and/or password to be supplied. Please note that any values sent are logged and are considered exposed secrets, which should be rotated and revoked. The Microsoft documented method for securely using secrets is to store them in an Azure Key Vault; if you have specific questions or concerns, submit a request via the Azure portal.

The current list of supported commands is

The command syntax is:

az networkcloud baremetalmachine run-data-extract --name "<machine-name>"  \
  --resource-group "<cluster_MRG>" \
  --subscription "<subscription>" \
  --commands '[{"arguments":["<arg1>","<arg2>"],"command":"<command1>"}]'  \
  --limit-time-seconds "<timeout>"

Specify multiple commands using JSON format in the --commands option. Each command specifies the command and its arguments. For a command with multiple arguments, provide them as a list to the arguments parameter. See Azure CLI Shorthand for instructions on constructing the --commands structure.

These commands can take a long time to run, so it's recommended that --limit-time-seconds is set to at least 600 seconds (10 minutes). The Debug option, or running multiple extracts, might take longer than 10 minutes.

The operation runs asynchronously and returns an HTTP status code of 202 in the response. See the Viewing the output section for details on how to track command completion and view the output file.
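The --commands payload shape, the control-plane-only commands and the time-limit recommendation described above, as an added example in Python (not code from the Azure CLI or from this documentation): a small builder that serializes the command list, rejects command names not documented on this page, and assembles the argv for the call. The helper names are mine, and it assumes the caller hands the argv to subprocess.

```python
"""Build the argv for az networkcloud baremetalmachine run-data-extract.

Added example; not code from the Azure CLI or Operator Nexus. It assumes the
command names documented on this page, the page's note that cluster-cve-report
and collect-helm-releases only run on a control plane node, and its advice of
a time limit of at least 600 seconds. All helper names are hypothetical.
"""
import json
import shlex

# command name -> True when the page says it only runs on a control plane node
SUPPORTED_COMMANDS = {
    "hardware-support-data-collection": False,
    "mde-agent-information": False,
    "mde-support-diagnostics": False,
    "hardware-rollup-status": False,
    "cluster-cve-report": True,
    "collect-helm-releases": True,
    "platform-services-status": False,
}

MIN_TIMEOUT_SECONDS = 600  # the page recommends at least 10 minutes


def build_commands_payload(commands):
    """Serialize [(name, [arg, ...]), ...] into the JSON list --commands expects.

    Commands with arguments get an 'arguments' list; commands without arguments
    omit the key, matching the shapes shown on this page.
    """
    payload = []
    for name, args in commands:
        if name not in SUPPORTED_COMMANDS:
            raise ValueError(f"unsupported run-data-extract command: {name}")
        entry = {"command": name}
        if args:
            entry["arguments"] = [str(a) for a in args]
        payload.append(entry)
    return json.dumps(payload, separators=(",", ":"))


def needs_control_plane(commands):
    """True if any command in the batch can only run on a control plane node."""
    return any(SUPPORTED_COMMANDS.get(name, False) for name, _ in commands)


def build_argv(machine, cluster_mrg, subscription, commands,
               timeout=MIN_TIMEOUT_SECONDS, output_directory=None):
    """Return the argv list for subprocess.run; --output-directory is optional."""
    if timeout < MIN_TIMEOUT_SECONDS:
        raise ValueError(f"--limit-time-seconds should be >= {MIN_TIMEOUT_SECONDS}")
    argv = [
        "az", "networkcloud", "baremetalmachine", "run-data-extract",
        "--name", machine,
        "--resource-group", cluster_mrg,
        "--subscription", subscription,
        "--commands", build_commands_payload(commands),
        "--limit-time-seconds", str(timeout),
    ]
    if output_directory:
        argv += ["--output-directory", output_directory]
    return argv


if __name__ == "__main__":
    batch = [("hardware-support-data-collection", ["SysInfo", "TTYLog"]),
             ("hardware-rollup-status", [])]
    # shlex.join quotes the JSON payload so the line can be pasted into a shell
    print(shlex.join(build_argv("bareMetalMachineName", "cluster_MRG", "subscription", batch)))
```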

Hardware support data collection

This example executes the hardware-support-data-collection command and gets the SysInfo and TTYLog logs from the Dell server. The script executes a racadm supportassist collect command on the designated bare metal machine. The resulting tar.gz file contains the zipped extract command file outputs in hardware-support-data-<timestamp>.zip.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"arguments":["SysInfo", "TTYLog"],"command":"hardware-support-data-collection"}]' \
  --limit-time-seconds 600

hardware-support-data-collection output

====Action Command Output====
Executing hardware-support-data-collection command
Getting following hardware support logs: SysInfo,TTYLog
Job JID_814372800396 is running, waiting for it to complete ...
Job JID_814372800396 Completed.
---------------------------- JOB -------------------------
[Job ID=JID_814372800396]
Job Name=SupportAssist Collection
Status=Completed
Scheduled Start Time=[Not Applicable]
Expiration Time=[Not Applicable]
Actual Start Time=[Thu, 13 Apr 2023 20:54:40]
Actual Completion Time=[Thu, 13 Apr 2023 20:59:51]
Message=[SRV088: The SupportAssist Collection Operation is completed successfully.]
Percent Complete=[100]
----------------------------------------------------------
Deleting Job JID_814372800396
Collection successfully exported to /hostfs/tmp/runcommand/hardware-support-data-2023-04-13T21:00:01.zip

================================
Script execution result can be found in storage account:
https://cm2p9bctvhxnst.blob.core.windows.net/bmm-run-command-output/dd84df50-7b02-4d10-a2be-46782cbf4eef-action-bmmdataextcmd.tar.gz?se=2023-04-14T01%3A00%3A15Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%2BM6rmxDFqXE%3D&sp=r&spr=https&sr=b&st=2023-04-13T21%3A00%3A15Z&sv=2019-12-12

Example list of hardware support files collected

Archive:  TSR20240227164024_FM56PK3.pl.zip
   creating: tsr/hardware/
   creating: tsr/hardware/spd/
   creating: tsr/hardware/sysinfo/
   creating: tsr/hardware/sysinfo/inventory/
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_BIOSAttribute.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Sensor.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_View.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_SoftwareIdentity.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Capabilities.xml
  inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_StatisticalData.xml
   creating: tsr/hardware/sysinfo/lcfiles/
  inflating: tsr/hardware/sysinfo/lcfiles/lclog_0.xml.gz
  inflating: tsr/hardware/sysinfo/lcfiles/curr_lclog.xml
   creating: tsr/hardware/psu/
   creating: tsr/hardware/idracstateinfo/
  inflating: tsr/hardware/idracstateinfo/avc.log
 extracting: tsr/hardware/idracstateinfo/avc.log.persistent.1
[..snip..]

Collect MDE agent information

The data is collected with the mde-agent-information command and formatted as JSON to /hostfs/tmp/runcommand/mde-agent-information.json. The JSON file is found in the data extract zip file located in the storage account. The script executes a sequence of mdatp commands on the designated bare metal machine.

This example executes the mde-agent-information command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"mde-agent-information"}]' \
  --limit-time-seconds 600

mde-agent-information output

====Action Command Output====
Executing mde-agent-information command
MDE agent is running, proceeding with data extract
Getting MDE agent information for bareMetalMachine
Writing to /hostfs/tmp/runcommand

================================
Script execution result can be found in storage account:
 https://cmzhnh6bdsfsdwpbst.blob.core.windows.net/bmm-run-command-output/f5962f18-2228-450b-8cf7-cb8344fdss63b0-action-bmmdataextcmd.tar.gz?se=2023-07-26T19%3A07%3A22Z&sig=X9K3VoNWRFP78OKqFjvYoxubp65BbNTq%2BGnlHclI9Og%3D&sp=r&spr=https&sr=b&st=2023-07-26T15%3A07%3A22Z&sv=2019-12-12

Example JSON object collected

{
  "diagnosticInformation": {
      "realTimeProtectionStats": $real_time_protection_stats,
      "eventProviderStats": $event_provider_stats
      },
  "mdeDefinitions": $mde_definitions,
  "generalHealth": $general_health,
  "mdeConfiguration": $mde_config,
  "scanList": $scan_list,
  "threatInformation": {
      "list": $threat_info_list,
      "quarantineList": $threat_info_quarantine_list
    }
}

Collect MDE support diagnostics

The data collected with the mde-support-diagnostics command uses the MDE Client Analyzer tool to bundle information from mdatp commands and relevant log files. The storage account tgz file contains a zip file named mde-support-diagnostics-<hostname>.zip. The zip should be sent along with any support request to ensure the support team can use the logs for troubleshooting and root cause analysis as needed.

This example executes the mde-support-diagnostics command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"mde-support-diagnostics"}]' \
  --limit-time-seconds 600

mde-support-diagnostics output

====Action Command Output====
Executing mde-support-diagnostics command
[2024-01-23 16:07:37.588][INFO] XMDEClientAnalyzer Version: 1.3.2
[2024-01-23 16:07:38.367][INFO] Top Command output: [/tmp/top_output_2024_01_23_16_07_37mel0nue0.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Summary: [/tmp/top_summary_2024_01_23_16_07_370zh7dkqn.txt]
[2024-01-23 16:07:38.367][INFO] Top Command Outliers: [/tmp/top_outlier_2024_01_23_16_07_37aypcfidh.txt]
[2024-01-23 16:07:38.368][INFO] [MDE Diagnostic]
[2024-01-23 16:07:38.368][INFO]   Collecting MDE Diagnostic
[2024-01-23 16:07:38.613][WARNING] mde is not running
[2024-01-23 16:07:41.343][INFO] [SLEEP] [3sec] waiting for agent to create diagnostic package
[2024-01-23 16:07:44.347][INFO] diagnostic package path: /var/opt/microsoft/mdatp/wdavdiag/5b1edef9-3b2a-45c1-a45d-9e7e4b6b869e.zip
[2024-01-23 16:07:44.347][INFO] Successfully created MDE diagnostic zip
[2024-01-23 16:07:44.348][INFO]   Adding mde_diagnostic.zip to report directory
[2024-01-23 16:07:44.348][INFO]   Collecting MDE Health
[...snip...]
================================
Script execution result can be found in storage account:
 https://cmmj627vvrzkst.blob.core.windows.net/bmm-run-command-output/7c5557b9-b6b6-a4a4-97ea-752c38918ded-action-bmmdataextcmd.tar.gz?se=2024-01-23T20%3A11%3A32Z&sig=9h20XlZO87J7fCr0S1234xcyu%2Fl%2BVuaDh1BE0J6Yfl8%3D&sp=r&spr=https&sr=b&st=2024-01-23T16%3A11%3A32Z&sv=2019-12-12

After downloading the execution result file, the support files can be unzipped for analysis.

Example list of information collected by the MDE Client Analyzer

Archive:  mde-support-diagnostics-rack1compute02.zip
  inflating: mde_diagnostic.zip
  inflating: process_information.txt
  inflating: auditd_info.txt
  inflating: auditd_log_analysis.txt
  inflating: auditd_logs.zip
  inflating: ebpf_kernel_config.txt
  inflating: ebpf_enabled_func.txt
  inflating: ebpf_syscalls.zip
  inflating: ebpf_raw_syscalls.zip
  inflating: messagess.zip
  inflating: conflicting_processes_information.txt
[...snip...]

Hardware rollup status

The data is collected with the hardware-rollup-status command and formatted as JSON to /hostfs/tmp/runcommand/rollupStatus.json. The JSON file is found in the data extract zip file located in the storage account. The data collected shows the health of the machine subsystems.

This example executes the hardware-rollup-status command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"hardware-rollup-status"}]' \
  --limit-time-seconds 600

hardware-rollup-status output

====Action Command Output====
Executing hardware-rollup-status command
Getting rollup status logs for b37dev03a1c002
Writing to /hostfs/tmp/runcommand

================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12

Example JSON collected

{
	"@odata.context" : "/redfish/v1/$metadata#DellRollupStatusCollection.DellRollupStatusCollection",
	"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus",
	"@odata.type" : "#DellRollupStatusCollection.DellRollupStatusCollection",
	"Description" : "A collection of DellRollupStatus resource",
	"Members" :
	[
		{
			"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
			"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
			"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
			"CollectionName" : "CurrentRollupStatus",
			"Description" : "Represents the subcomponent roll-up statuses.",
			"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Current",
			"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Current",
			"Name" : "DellRollupStatus",
			"RollupStatus" : "Ok",
			"SubSystem" : "Current"
		},
		{
			"@odata.context" : "/redfish/v1/$metadata#DellRollupStatus.DellRollupStatus",
			"@odata.id" : "/redfish/v1/Systems/System.Embedded.1/Oem/Dell/DellRollupStatus/iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
			"@odata.type" : "#DellRollupStatus.v1_0_0.DellRollupStatus",
			"CollectionName" : "VoltageRollupStatus",
			"Description" : "Represents the subcomponent roll-up statuses.",
			"Id" : "iDRAC.Embedded.1_0x23_SubSystem.1_0x23_Voltage",
			"InstanceID" : "iDRAC.Embedded.1#SubSystem.1#Voltage",
			"Name" : "DellRollupStatus",
			"RollupStatus" : "Ok",
			"SubSystem" : "Voltage"
		},
[..snip..]

Generate cluster CVE report

Vulnerability data is collected with the cluster-cve-report command and formatted as JSON to {year}-{month}-{day}-nexus-cluster-vulnerability-report.json. The JSON file is found in the data extract zip file located in the storage account. The data collected includes vulnerability data per container image in the cluster.

This example executes the cluster-cve-report command without arguments.

Note

The target machine must be a control plane node, otherwise the action doesn't execute.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"cluster-cve-report"}]' \
  --limit-time-seconds 600

cluster-cve-report output

====Action Command Output====
Nexus cluster vulnerability report saved.


================================
Script execution result can be found in storage account:
https://cmkfjft8twwpst.blob.core.windows.net/bmm-run-command-output/20b217b5-ea38-4394-9db1-21a0d392eff0-action-bmmdataextcmd.tar.gz?se=2023-09-19T18%3A47%3A17Z&sig=ZJcsNoBzvOkUNL0IQ3XGtbJSaZxYqmtd%3D&sp=r&spr=https&sr=b&st=2023-09-19T14%3A47%3A17Z&sv=2019-12-12

CVE report schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Vulnerability Report",
  "type": "object",
  "properties": {
    "metadata": {
      "type": "object",
      "properties": {
        "dateRetrieved": {
          "type": "string",
          "format": "date-time",
          "description": "The date and time when the data was retrieved."
        },
        "platform": {
          "type": "string",
          "description": "The name of the platform."
        },
        "resource": {
          "type": "string",
          "description": "The name of the resource."
        },
        "runtimeVersion": {
          "type": "string",
          "description": "The version of the runtime."
        },
        "managementVersion": {
          "type": "string",
          "description": "The version of the management software."
        },
        "vulnerabilitySummary": {
          "type": "object",
          "properties": {
            "criticalCount": {
              "type": "integer",
              "description": "Number of critical vulnerabilities."
            },
            "highCount": {
              "type": "integer",
              "description": "Number of high severity vulnerabilities."
            },
            "mediumCount": {
              "type": "integer",
              "description": "Number of medium severity vulnerabilities."
            },
            "lowCount": {
              "type": "integer",
              "description": "Number of low severity vulnerabilities."
            },
            "noneCount": {
              "type": "integer",
              "description": "Number of vulnerabilities with no severity."
            },
            "unknownCount": {
              "type": "integer",
              "description": "Number of vulnerabilities with unknown severity."
            }
          },
          "required": ["criticalCount", "highCount", "mediumCount", "lowCount", "noneCount", "unknownCount"]
        }
      },
      "required": ["dateRetrieved", "platform", "resource", "runtimeVersion", "managementVersion", "vulnerabilitySummary"]
    },
    "containers": {
      "type": "object",
      "additionalProperties": {
        "type": "array",
        "items": {
          "type": "object",
          "properties": {
            "namespace": {
              "type": "string",
              "description": "The namespace of the container."
            },
            "digest": {
              "type": "string",
              "description": "The digest of the container image."
            },
            "os": {
              "type": "object",
              "properties": {
                "family": {
                  "type": "string",
                  "description": "The family of the operating system."
                }
              },
              "required": ["family"]
            },
            "summary": {
              "type": "object",
              "properties": {
                "criticalCount": {
                  "type": "integer",
                  "description": "Number of critical vulnerabilities in this container."
                },
                "highCount": {
                  "type": "integer",
                  "description": "Number of high severity vulnerabilities in this container."
                },
                "lowCount": {
                  "type": "integer",
                  "description": "Number of low severity vulnerabilities in this container."
                },
                "mediumCount": {
                  "type": "integer",
                  "description": "Number of medium severity vulnerabilities in this container."
                },
                "noneCount": {
                  "type": "integer",
                  "description": "Number of vulnerabilities with no severity in this container."
                },
                "unknownCount": {
                  "type": "integer",
                  "description": "Number of vulnerabilities with unknown severity in this container."
                }
              },
              "required": ["criticalCount", "highCount", "lowCount", "mediumCount", "noneCount", "unknownCount"]
            },
            "vulnerabilities": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "title": {
                    "type": "string",
                    "description": "Title of the vulnerability."
                  },
                  "vulnerabilityID": {
                    "type": "string",
                    "description": "Identifier of the vulnerability."
                  },
                  "fixedVersion": {
                    "type": "string",
                    "description": "The version in which the vulnerability is fixed."
                  },
                  "installedVersion": {
                    "type": "string",
                    "description": "The currently installed version."
                  },
                  "referenceLink": {
                    "type": "string",
                    "format": "uri",
                    "description": "Link to the vulnerability details."
                  },
                  "publishedDate": {
                    "type": "string",
                    "format": "date-time",
                    "description": "The date when the vulnerability was published."
                  },
                  "score": {
                    "type": "number",
                    "description": "The CVSS score of the vulnerability."
                  },
                  "severity": {
                    "type": "string",
                    "description": "The severity level of the vulnerability."
                  },
                  "resource": {
                    "type": "string",
                    "description": "The resource affected by the vulnerability."
                  },
                  "target": {
                    "type": "string",
                    "description": "The target of the vulnerability."
                  },
                  "packageType": {
                    "type": "string",
                    "description": "The type of the package."
                  },
                  "exploitAvailable": {
                    "type": "boolean",
                    "description": "Indicates if an exploit is available for the vulnerability."
                  }
                },
                "required": ["title", "vulnerabilityID", "fixedVersion", "installedVersion", "referenceLink", "publishedDate", "score", "severity", "resource", "target", "packageType", "exploitAvailable"]
              }
            }
          },
          "required": ["namespace", "digest", "os", "summary", "vulnerabilities"]
        }
      }
    }
  },
  "required": ["metadata", "containers"]
}
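An added example (not part of the Operator Nexus tooling) that reads a report in the schema above and flags two things a reviewer checks first: per-container summaries that disagree with the findings actually listed, and findings with exploitAvailable set at or above a chosen severity. The sample report, its image names and its CVE-PLACEHOLDER identifiers are constructed; apply the same functions to json.load() of the real file.

```python
"""Triage a cluster-cve-report JSON file collected with run-data-extract.

Added example, not part of the Operator Nexus tooling. It assumes a report that
follows the schema on this page; SAMPLE_REPORT is constructed, with placeholder
CVE identifiers and image names, not real scan output.
"""

# severity string in a vulnerability entry -> count field name in the summary objects
SEVERITY_FIELDS = {"CRITICAL": "criticalCount", "HIGH": "highCount", "MEDIUM": "mediumCount",
                   "LOW": "lowCount", "NONE": "noneCount", "UNKNOWN": "unknownCount"}
SEVERITY_ORDER = ["UNKNOWN", "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _rank(severity):
    sev = str(severity).upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def _vuln(vid, severity, score, fixed, exploit):  # one schema-shaped entry for the sample
    return {"title": "placeholder", "vulnerabilityID": vid, "fixedVersion": fixed,
            "installedVersion": "1.0.0", "referenceLink": "https://example.invalid/" + vid,
            "publishedDate": "2024-01-01T00:00:00Z", "score": score, "severity": severity,
            "resource": "libplaceholder", "target": "placeholder", "packageType": "rpm",
            "exploitAvailable": exploit}


def _summary(**counts):  # all six schema count fields, zero unless given
    base = {field: 0 for field in SEVERITY_FIELDS.values()}
    base.update(counts)
    return base


SAMPLE_REPORT = {  # constructed sample
    "metadata": {
        "dateRetrieved": "2024-10-29T22:09:54Z", "platform": "placeholder",
        "resource": "placeholder", "runtimeVersion": "0.0", "managementVersion": "0.0",
        "vulnerabilitySummary": _summary(criticalCount=1, highCount=1, lowCount=1),
    },
    "containers": {
        "registry.example.invalid/app:1.0": [{
            "namespace": "default", "digest": "sha256:<placeholder>",
            "os": {"family": "placeholder"},
            "summary": _summary(criticalCount=1, highCount=1),
            "vulnerabilities": [_vuln("CVE-PLACEHOLDER-1", "CRITICAL", 9.8, "1.0.1", True),
                                _vuln("CVE-PLACEHOLDER-2", "HIGH", 7.5, "", False)],
        }],
        "registry.example.invalid/sidecar:2.0": [{
            "namespace": "kube-system", "digest": "sha256:<placeholder>",
            "os": {"family": "placeholder"},
            "summary": _summary(lowCount=2),  # deliberately wrong: only one LOW is listed
            "vulnerabilities": [_vuln("CVE-PLACEHOLDER-3", "LOW", 3.1, "2.0.1", False)],
        }],
    },
}


def recount(vulns):
    """Tally a vulnerability list by severity using the schema's count field names."""
    counts = {field: 0 for field in SEVERITY_FIELDS.values()}
    for v in vulns:
        counts[SEVERITY_FIELDS.get(str(v["severity"]).upper(), "unknownCount")] += 1
    return counts


def inconsistent_images(report):
    """Images whose per-container summary disagrees with the vulnerabilities listed."""
    return [image for image, entries in report["containers"].items()
            for e in entries if recount(e["vulnerabilities"]) != e["summary"]]


def cluster_summary_matches(report):
    """True if metadata.vulnerabilitySummary equals a recount over every container."""
    all_vulns = [v for entries in report["containers"].values()
                 for e in entries for v in e["vulnerabilities"]]
    return recount(all_vulns) == report["metadata"]["vulnerabilitySummary"]


def exploitable(report, min_severity="HIGH"):
    """(image, CVE id, fixedVersion) for findings with a known exploit at/above min_severity."""
    return [(image, v["vulnerabilityID"], v["fixedVersion"] or "no fix yet")
            for image, entries in report["containers"].items()
            for e in entries for v in e["vulnerabilities"]
            if v["exploitAvailable"] and _rank(v["severity"]) >= _rank(min_severity)]
```

An empty fixedVersion is reported as "no fix yet", which is the case that needs a compensating control rather than an upgrade.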

CVE data details

The CVE data is refreshed every 24 hours, or whenever a Kubernetes resource that references an image changes.

Collect Helm releases

Helm release data is collected with the collect-helm-releases command and formatted as JSON to {year}-{month}-{day}-helm-releases.json. The JSON file is found in the data extract zip file located in the storage account. The data collected includes all helm release information in the cluster, which consists of the standard data returned when running the helm list command.

This example executes the collect-helm-releases command without arguments.

Note

The target machine must be a control plane node, otherwise the action doesn't execute.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"collect-helm-releases"}]' \
  --limit-time-seconds 600

collect-helm-releases output

====Action Command Output====
Helm releases report saved.


================================
Script execution result can be found in storage account:
https://cmcr5xp3mbn7st.blob.core.windows.net/bmm-run-command-output/a29dcbdb-5524-4172-8b55-88e0e5ec93ff-action-bmmdataextcmd.tar.gz?se=2024-10-30T02%3A09%3A54Z&sig=v6cjiIDBP9viEijs%2B%2BwJDrHIAbLEmuiVmCEEDHEi%2FEc%3D&sp=r&spr=https&sr=b&st=2024-10-29T22%3A09%3A54Z&sv=2023-11-03

Helm release schema

{
  "$schema": "http://json-schema.org/schema#",
  "type": "object",
  "properties": {
    "metadata": {
      "type": "object",
      "properties": {
        "dateRetrieved": {
          "type": "string"
        },
        "platform": {
          "type": "string"
        },
        "resource": {
          "type": "string"
        },
        "clusterId": {
          "type": "string"
        },
        "runtimeVersion": {
          "type": "string"
        },
        "managementVersion": {
          "type": "string"
        }
      },
      "required": [
        "clusterId",
        "dateRetrieved",
        "managementVersion",
        "platform",
        "resource",
        "runtimeVersion"
      ]
    },
    "helmReleases": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "namespace": {
            "type": "string"
          },
          "revision": {
            "type": "string"
          },
          "updated": {
            "type": "string"
          },
          "status": {
            "type": "string"
          },
          "chart": {
            "type": "string"
          },
          "app_version": {
            "type": "string"
          }
        },
        "required": [
          "app_version",
          "chart",
          "name",
          "namespace",
          "revision",
          "status",
          "updated"
        ]
      }
    }
  },
  "required": [
    "helmReleases",
    "metadata"
  ]
}

Collect systemctl status output

The service status is collected with the platform-services-status command. The output is in plain text format and returns an overview of the status of the services on the host, along with the systemctl status for each service found.

This example executes the platform-services-status command without arguments.

az networkcloud baremetalmachine run-data-extract --name "bareMetalMachineName" \
  --resource-group "cluster_MRG" \
  --subscription "subscription" \
  --commands '[{"command":"platform-services-status"}]' \
  --limit-time-seconds 600 \
  --output-directory "/path/to/local/directory"

platform-services-status output

====Action Command Output====
UNIT                                                                                          LOAD      ACTIVE   SUB     DESCRIPTION
aods-infra-vf-config.service                                                                  not-found inactive dead    aods-infra-vf-config.service
aods-pnic-config-infra.service                                                                not-found inactive dead    aods-pnic-config-infra.service
aods-pnic-config-workload.service                                                             not-found inactive dead    aods-pnic-config-workload.service
arc-unenroll-file-semaphore.service                                                           loaded    active   exited  Arc-unenrollment upon shutdown service
atop-rotate.service                                                                           loaded    inactive dead    Restart atop daemon to rotate logs
atop.service                                                                                  loaded    active   running Atop advanced performance monitor
atopacct.service                                                                              loaded    active   running Atop process accounting daemon
audit.service                                                                                 loaded    inactive dead    Audit service
auditd.service                                                                                loaded    active   running Security Auditing Service
azurelinux-sysinfo.service                                                                    loaded    inactive dead    Azure Linux Sysinfo Service
blk-availability.service                                                                      loaded    inactive dead    Availability of block devices
[..snip..]


-------
● arc-unenroll-file-semaphore.service - Arc-unenrollment upon shutdown service
     Loaded: loaded (/etc/systemd/system/arc-unenroll-file-semaphore.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2024-11-12 06:33:40 UTC; 11h ago
   Main PID: 11663 (code=exited, status=0/SUCCESS)
        CPU: 5ms

Nov 12 06:33:39 rack1compute01 systemd[1]: Starting Arc-unenrollment upon shutdown service...
Nov 12 06:33:40 rack1compute01 systemd[1]: Finished Arc-unenrollment upon shutdown service.


-------
○ atop-rotate.service - Restart atop daemon to rotate logs
     Loaded: loaded (/usr/lib/systemd/system/atop-rotate.service; static)
     Active: inactive (dead)
TriggeredBy: ● atop-rotate.timer
[..snip..]
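An added example (not part of the Operator Nexus tooling) that parses the two parts of the output above, the unit table and the per-unit status sections, and flags units whose unit file is missing, units that failed, and a required service that isn't running; treating auditd.service as required is my assumption, not a page requirement. The sample is constructed from lines shown above.

```python
"""Triage the plain-text output of the platform-services-status command.

Added example, not part of the Operator Nexus tooling. It assumes the two shapes
shown on this page: a systemctl unit table (UNIT LOAD ACTIVE SUB DESCRIPTION)
followed by per-unit systemctl status sections separated by '-------'.
SAMPLE_OUTPUT is constructed from lines shown on this page.
"""

SAMPLE_OUTPUT = """\
====Action Command Output====
UNIT                                LOAD      ACTIVE   SUB     DESCRIPTION
aods-infra-vf-config.service        not-found inactive dead    aods-infra-vf-config.service
arc-unenroll-file-semaphore.service loaded    active   exited  Arc-unenrollment upon shutdown service
atop-rotate.service                 loaded    inactive dead    Restart atop daemon to rotate logs
audit.service                       loaded    inactive dead    Audit service
auditd.service                      loaded    active   running Security Auditing Service
[..snip..]

-------
● arc-unenroll-file-semaphore.service - Arc-unenrollment upon shutdown service
     Loaded: loaded (/etc/systemd/system/arc-unenroll-file-semaphore.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2024-11-12 06:33:40 UTC; 11h ago
   Main PID: 11663 (code=exited, status=0/SUCCESS)

-------
○ atop-rotate.service - Restart atop daemon to rotate logs
     Loaded: loaded (/usr/lib/systemd/system/atop-rotate.service; static)
     Active: inactive (dead)
TriggeredBy: ● atop-rotate.timer
[..snip..]
"""


def parse_unit_table(text):
    """Rows of the unit table as dicts; the table ends at a blank or '[..snip..]' line."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("UNIT"):
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip() or line.startswith("["):
            break
        parts = line.split(None, 4)  # DESCRIPTION may contain spaces, so split at most 4 times
        if len(parts) >= 4:
            rows.append({"unit": parts[0], "load": parts[1], "active": parts[2], "sub": parts[3],
                         "description": parts[4] if len(parts) == 5 else ""})
    return rows


def parse_status_blocks(text):
    """Map unit name -> {'loaded': ..., 'active': ...} from the per-unit status sections."""
    blocks = {}
    for chunk in text.split("-------")[1:]:
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        unit = lines[0].lstrip("●○ ").split(" - ", 1)[0]  # drop the status glyph
        info = {"loaded": "", "active": ""}
        for raw in lines[1:]:
            key, _, value = raw.strip().partition(":")
            if key.lower() in info:
                info[key.lower()] = value.strip()
        blocks[unit] = info
    return blocks


def triage(rows, must_run=("auditd.service",)):
    """Units worth a look: missing unit files, failed units, and required services
    (auditd by default, an assumption rather than a page requirement) not running."""
    findings = []
    for r in rows:
        if r["load"] == "not-found":
            findings.append((r["unit"], "unit file not found"))
        elif r["active"] == "failed":
            findings.append((r["unit"], "unit failed"))
    by_name = {r["unit"]: r for r in rows}
    for name in must_run:
        r = by_name.get(name)
        if r is None:
            findings.append((name, "not in listing"))
        elif (r["active"], r["sub"]) != ("active", "running"):
            findings.append((name, f"expected active/running, got {r['active']}/{r['sub']}"))
    return findings
```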

Viewing the output

The command provides a link (if using Cluster Manager storage) or another command (if using user provided storage) to download the full output. The tar.gz file also contains the zipped extract command file outputs. Download the output file from the storage blob to a local directory by specifying the directory path in the optional argument --output-directory.

Warning

Using the --output-directory variable overwrites any files in the local directory that have the same name as the new files being created.

Note

The storage account might be locked, resulting in 403 This request is not authorized to perform this operation., due to networking or firewall restrictions. Refer to the Cluster Manager storage or user managed storage sections for procedures to verify access.