
Customise the extension allowlist for Azure Arc-enabled Linux Servers – Wim Matthyssen

March 28, 2025


In this blog post, I’ll guide you through the steps to customise the extension allowlist for the Azure Connected Machine agent on Azure Arc-enabled Linux servers.

This step-by-step guide will help you enhance security and streamline management in your Azure Arc environment.

💡 In a previous blog post, I showed you how to customise the extension allowlist for Azure Arc-enabled Windows Servers. You can find it here.


Customise the extension allowlist on a Linux server

First, connect to the Arc-enabled Linux Server via SSH (Secure Shell), preferably through a Jump Server.

I typically use a secured and hardened Windows Management Server with an SSH client like PuTTY installed, but you can also use alternatives such as Windows Terminal, depending on your preference.

To connect, you’ll need the server’s IP address or hostname, as well as a username and password, or of course, the SSH key.

💡 If you don’t already have PuTTY installed, you can download it from here.

In this example, I’ll be using PuTTY, so go ahead and open PuTTY on your system.

In the “Host Name (or IP address)” field, enter the server’s IP address or hostname. Ensure the “Port” is set to 22 (the default for SSH). Under “Connection type,” select SSH.

💡 If you want to easily connect to the same server later and save time in the future, enter a name in the “Saved Sessions” field and click Save. Then, simply select the saved session and click Open to connect.

Then, authenticate by entering your username and pressing Enter. Next, provide your password or load your SSH key if required.

Next, log in as the root user. You can do this by using the sudo command (superuser do), followed by su or -i to simulate a root login shell.

Then, enter the following command to list all Azure Connected Machine agent configuration properties, such as the extensions.allowlist, along with their current values:

You can then check whether an allowlist or blocklist is already applied or if the server is still using the default setting, which allows all extensions ([ ]).

Then, as I prefer to do, you can configure an allowlist on this server. To enable only specific extensions, such as the Azure Key Vault virtual machine extension for Linux, use the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux"

💡 You can find a full list of available extensions for Linux via this link.

Add or take away an extension from a configured allowlist

If you later need to add another extension to the configured allowlist, you can do so using the “--add” flag.

For example, to allow the Azure Monitor agent extension in addition to the existing ones, run the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorLinuxAgent" --add

If, on the other hand, you need to remove an extension from the allowlist later, you can use the “--remove” flag.

For example, to remove the Azure Key Vault virtual machine extension for Linux, run the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux" --remove

💡 When troubleshooting issues while running a command, adding more detailed logging information can be helpful. To do so, simply append the “--verbose” flag at the end of the command.

Allow multiple extensions at once

Of course, it’s more efficient to allow multiple extensions at once instead of configuring each one individually.

For example, to allow the Azure Key Vault virtual machine extension for Linux, the Azure Monitor Agent, the Azure Automation Hybrid Runbook Worker extension, the Linux OS Update Extension, and the Linux Patch Extension on your Linux server, you can use the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux,Microsoft.Azure.Monitor/AzureMonitorLinuxAgent,Microsoft.Compute/HybridWorkerForLinux,Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension,Microsoft.CPlat.Core/LinuxPatchExtension"

Customizing the Arc Onboarding script with an allowlist

For automated deployments at scale, the allowlist can be seamlessly integrated into the Azure Arc onboarding Bash script (OnboardingScript.sh), which can be manually generated from the Azure Arc menu.

This integration allows you to streamline and automate the onboarding process across multiple machines or environments, ensuring that the allowlist is consistently applied to all machines during deployment.

Below is an example of how this can be done by adding a line of code to include an allowlist in the OnboardingScript.sh:

# Set the allowlist

sudo azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux,Microsoft.Azure.Monitor/AzureMonitorLinuxAgent,Microsoft.Compute/HybridWorkerForLinux,Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension,Microsoft.CPlat.Core/LinuxPatchExtension"

I prefer to run the customized bash script locally, and to do so, I usually copy (upload) the script from my Windows workstation or management server to a folder (like Temp) on the Linux server using a tool like WinSCP.

💡 If required you can download WinSCP from here.

Once uploaded, grant execute permissions to the script for the current user by reopening PuTTY, connecting to the Linux server, and running the following command as root:

chmod +x OnboardingScript.sh

Then run the script as the root user.

./Temp/OnboardingScript.sh
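
When the allowlist is applied by a script across many servers, it helps to validate the entries first and to read the value back afterwards, because an empty list ([ ]) means every extension is allowed. The following is an added example, not part of the original post or of the generated onboarding script: the function names are hypothetical, and the parsing assumes `azcmagent config get extensions.allowlist` prints the value as a bracketed, comma-separated list.

```sh
#!/bin/sh
# Desired entries, taken from the commands shown in the post.
DESIRED="Microsoft.Azure.Key.Vault/KeyVaultForLinux,Microsoft.Azure.Monitor/AzureMonitorLinuxAgent"

# One entry per line, sorted; brackets, quotes and spaces stripped.
# Assumption: the agent prints the value as a bracketed, comma-separated list.
normalize_list() {
  printf '%s' "$1" | tr -d '[]" ' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Accept only Publisher/Type names (the character set is an assumption),
# so a typo or stray space never reaches the agent configuration.
valid_entry() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$'
}

# An empty list is the default and allows ALL extensions, so report it explicitly.
allowlist_state() {
  if [ -z "$(normalize_list "$1")" ]; then echo allow-all; else echo restricted; fi
}

# Print "+entry" for entries missing from current, "-entry" for unexpected ones.
allowlist_drift() {
  want=$(normalize_list "$1"); have=$(normalize_list "$2")
  printf '%s\n' "$want" | while IFS= read -r e; do
    [ -n "$e" ] || continue
    printf '%s\n' "$have" | grep -Fxq -- "$e" || printf '%s%s\n' + "$e"
  done
  printf '%s\n' "$have" | while IFS= read -r e; do
    [ -n "$e" ] || continue
    printf '%s\n' "$want" | grep -Fxq -- "$e" || printf '%s%s\n' - "$e"
  done
}

# Validate, compare, and rewrite the allowlist only when it differs (run as root).
enforce_allowlist() {
  for e in $(normalize_list "$DESIRED"); do
    valid_entry "$e" || { echo "invalid entry: $e" >&2; return 2; }
  done
  current=$(azcmagent config get extensions.allowlist)
  echo "current state: $(allowlist_state "$current")"
  [ -z "$(allowlist_drift "$DESIRED" "$current")" ] && return 0
  azcmagent config set extensions.allowlist "$DESIRED"
  # Read the value back; fail if the agent did not store what was requested.
  [ -z "$(allowlist_drift "$DESIRED" "$(azcmagent config get extensions.allowlist)")" ]
}

# Only touch the agent where it is installed.
if command -v azcmagent >/dev/null 2>&1; then enforce_allowlist; fi
```

Running the same check from a scheduled job reports "-" lines whenever someone has added an extension outside the agreed list.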

Reset an extension allowlist to its default setting

If you’ve configured an allowlist but no longer need it for any reason, you can clear the extension allowlist and revert to the default setting, which allows all extensions, by running the following command:

azcmagent config clear "extensions.allowlist"

Disable the Extension Manager

If you don’t need to use extensions with Azure Arc, you can completely disable the extension manager by running the following command as root:

azcmagent config set extensions.enabled false

This will disable the extension manager, preventing any extensions from being used on the Azure Arc-connected machine.

💡 Keep in mind that disabling the extension manager won’t remove any extensions already installed on your server, so you’ll still need to remove them.

Conclusion

From a security and management perspective, it’s recommended to configure an allowlist for the Azure Connected Machine agent on your Arc-enabled Linux servers.

This approach improves security by controlling which extensions are allowed, minimizing the risk of unauthorized or unintended deployments or tasks executed by either authorized users or potential malicious actors.

I hope the steps and various allowlist configurations explained in this blog post help you maintain secure and well-managed Arc deployments.

If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or leave a comment. I’ll be happy to assist!
