Azure Marketplace Virtual Machine Image Certification
This guide introduces the virtual machine image certification tools, certification processes, and certification failure solutions for Azure Marketplace ISVs (independent software vendors).
In this document, the scope of Azure Marketplace is China, and “mirror image” or “image” mean the same thing.
1. Download, installation, and use of the certification tool
The Azure image certification tool can be used for Windows and Linux VMs. It connects to Windows-based virtual machines via PowerShell and Linux-based virtual machines via SSH.net, after which it detects and certifies the VM’s operating system. It ensures the VM image is compatible with Microsoft Azure, verifies whether the VHD image meets the requirements in the guide, and outputs a compatibility report.
The certification tool package must be installed on a Windows operating system. The Windows system can be on a local machine or the Azure platform. For Linux VMs, connection and validation is through TCP port 22, which is open by default and does not need to be configured. For Windows VMs, connection for the certification tool is via TCP port 5986.
The full validation process is as follows:
- First, download the certification tool to a Windows platform from the Microsoft Download Center.
- Prepare the Linux or Windows VM to be certified. The Linux VM does not require special settings. The Windows VM requires special settings to meet validation requirements; please see below for Windows VM special settings.
- Open the certification tool and click on the “start a new test” button.
- In the “test information” page, input a name for the test run.
- Select whether the VM is Linux or Windows. The following choices will depend on which version you chose.
- After the basic Linux or Windows VM image is selected, select “test connection” and make sure that SSH.Net or PowerShell is properly connected for the test. After the connection is established, select “Next” to start the test.
- After the test is successfully completed, you will receive results for each element tested (Pass/Fail/Warning). If any test fails, the image is not certified. If this occurs, review the requirements and make any necessary changes. After the automatic testing, the questionnaire screen will prompt the user to input additional information about the VM image. Answer these questions and select “Next”.
- Finally, in addition to downloading the questionnaire answers, you can also download previously-run test results and logs. Save the results in the same container as the VHD.
Windows VM special settings:
Set TCP port 5986. In the Azure Portal, browse to Resource Group -> {Virtual Machine Resource Group} -> {NSG name} -> Inbound Security Rules as shown below:
Download the following three files to the VM directory C:\winRM
a. https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-vm-winrm-windows/ConfigureWinRM.ps1 b. https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-vm-winrm-windows/makecert.exe c. https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-vm-winrm-windows/winrmconf.cmdOpen PowerShell as Administrator and execute the following commands:
ConfigureWinRM.ps1 testvm.chinaeast.cloudapp.chinacloudapi.cnSome Windows Servers are unable to run the above commands. Please refer to the Windows PowerShell Execution Policy and run the following commands:
Powershell -ExecutionPolicy Unrestricted -file ConfigureWinRM.ps1 40.73.115.226
2. Issues identified during certification and solutions
The VM image can only be released onto the Azure Marketplace following authentication by the certification tool. Certification for the image will also be reviewed during its release onto the Marketplace.
Certification consists of two main parts: “Execute Tests” and “Questionnaire.” “Execute Tests” is primarily an automatic inspection of the program; “Questionnaire” is primarily a manual check of the publisher. The “Execute Tests” section is explained first, followed by “Questionnaire.”
2.1 Centos-based certification
2.1.1 “Execute Tests” issues and solutions
| Name | Description | Resolution |
|---|---|---|
| Bash History | Bash history files should be cleared before creating the VM image | Execute the bash command "$ history -c" to clear the command line history |
| Linux Agent Version | Azure Linux Agent 2.2.10 and above should be installed | $ sudo yum install python-pyasn1 WALinuxAgent; sudo systemctl enable waagent(For 7.0 and above), or see "Preparing a CentOS-based virtual machine for Azure" |
| Required Kernel Parameters | Verifiles the following kernel parameters are set console=ttyS0,earlyprintk=ttyS0,rootdelay=300 | For CentOS7 and above, go to /etc/default/grub and edit the GRUB_CMDLINE_LINUX parameters, for example: "rootdelay=300 console=ttyS0 earlyprintk=ttyS0". Then run the following command to regenerate the grub configuration and reboot: $ sudo grub2-mkconfig -o /boot/grub2/grub.cfg; reboot. For CentOS7 and above, go to /etc/grub.conf and edit the rd_NO_MD SYSFONT parameters, for example: "rootdelay=300 console=ttyS0 earlyprintk=ttyS0". Then reboot. Alternatively, refer to the CentOS-based virtual machine for Azure. |
| Swap Partition on OS Disk | Verifies that no Swap partitions are created on the OS disk | Please delete the swap partition that comes with the system. If the system requires a swap partition, it can be created by modifying the /etc/waagent.conf file configuration, for example: "ResourceDisk.EnableSwap=y" and "ResourceDisk.SwapSizeMB=2048". Alternatively, refer to the CentOS-based virtual machine for Azure. |
| Root Partition on OS Disk | It is recommended that a single root partition is created for the OS disk | The root directory should be on the same disk as the operating system, please confirm. |
| OpenSSL Version | OpenSSL Version should be >=0.9.8 | Please go to the following website to download a newer version of OpenSSL and install it: OpenSSL |
| Python Version | Python version 2.6+ is highly recommended | Please go to the following website to download a newer version of Python and install it: Python |
| Client Alive Interval | It is recommended to set ClientAliveInterval to 180. Depending on the application requirements, it can be set between 30 and 235. If you are enabling the SSH for your end users, this value must be set as explained | Go to the /etc/ssh/sshd_config file and modify parameters such as "ClientAliveInterval 180." |
| OS Architecture | Only 64-bit operating system should be supported | Please switch to a 64-bit operating system. |
| Security threats | Identifies OS with recent high-profile vulnerability that may need patching. Ignore warning if system was patched as appropriate | Security patches can be updated using sudo yum --security update. Alternatively, refer to how to install security patches in Centos. |
2.2 Ubuntu-based certification
2.2.1 “Execute Tests” issues and solutions
| Name | Description | Resolution |
|---|---|---|
| Bash History | Bash history files should be cleared before creating the VM image | Execute the bash command "$ history -c" to clear the command line history |
| Linux Agent Version | Azure Linux Agent 2.0.8 and above should be installed | $ sudo apt-get update; sudo apt-get install walinuxagent or refer to Ubuntu virtual machine for Azure. |
| Required Kernel Parameters | Verifies the following kernel parameters are set console=ttyS0,earlyprintk=ttyS0,rootdelay=300 | Go to /etc/default/grub and edit the GRUB_CMDLINE_LINUX parameters, for example: "rootdelay=300 console=ttyS0 earlyprintk=ttyS0 rootdelay=300". Then run the following command to regenerate the grub configuration and reboot: “**$ sudo update-grub **”. Alternatively, refer to Ubuntu Virtual Machine for Azure. |
| Swap Partition on OS Disk | Verifies that no swap partitions are created on the OS disk | Please delete the swap partition that comes with the system. If the system requires a swap partition, it can be created by modifying the /etc/waagent.conf file configuration, for example: "ResourceDisk.EnableSwap=y" and "ResourceDisk.SwapSizeMB=2048." |
| Root Partition on OS Disk | It is recommended that a single root partition is created for the OS disk | The root directory should be on the same disk as the operating system, please confirm. |
| OpenSSL Version | OpenSSL Version should be >=0.9.8 | Please go to the following website to download a newer version of OpenSSL and install it: OpenSSL |
| Python Version | Python version 2.6+ is highly recommended | Please go to the following website to download a newer version of Python and install it: Python. |
| Client Alive Interval | It is recommended to set ClientAliveInterval to 180. Depending on the application requirements, it can be set between 30 and 235. If you are enabling the SSH for your end users, this value must be set as explained | Go to the /etc/ssh/sshd_config file and modify parameters such as "ClientAliveInterval 180." |
| OS Architecture | Only 64-bit operating system should be supported | Please switch to a 64-bit operating system. |
| Security threats | Identifies OS with recent high-profile vulnerability that may need patching. Ignore warning if system was patched as appropriate | Update using sudo apt-get update && sudo apt-get dist-upgrade. |
| Please refer to Ubuntu security notices. |
2.3 Windows-based certification
Some Windows software or services are not supported in the Microsoft Azure virtual machine environment (service architecture). Please refer to Microsoft Server Software Support for Microsoft Azure Virtual Machines.
2.3.1 “Execute Tests” issues and solutions
| Name | Description | Resolution |
|---|---|---|
| OS Architecture | Azure only supports 64-bit operating systems | Only 64-bit systems are currently supported. Please refer to the Remarks for preparing to upload a Windows VHD or VHDX to Azure. |
| User account dependency | Application execution should not have dependency on the administrator account. | Please do not rely on the administrator account to run your system. |
| Failover Cluster | The Windows Server Failover Clustering feature is not yet supported, Application should not have dependency on this feature. | Please refer to Failover Cluster PowerShell Cmdlets in Windows Server Failover Clusters, and use the Get-Cluster command to confirm whether the Failover system is installed on the virtual machine. |
| IPV6 | IPV6 is not yet supported in the Azure environment, Application should not have dependency on this feature. | IP address type and allocation methods in Azure |
| DHCP | Dynamic Host Configuration Protocal Server role is not yet supported. Application should not have dependency on this feature. | Azure has its own set of virtual network management modes. DHCP is not available in Azure. Please refer to Virtual Networks |
| Hyper-V | Hyper-V Server role is not yet supported. Application should not have dependency on this feature. | Hyper-V can no longer be installed in virtual machines. You can use the Get-WindowsFeature in PowerShell to check whether Hyper-V is installed. For details, please refer to Install the Hyper-V role on Windows Server 2016. |
| Remote Access | Remote Access (Direct Access) Server role is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |
| Rights Management Services | Rights Management Services Server role is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |
| Windows Deployment Services | Windows Deployment Services Server role is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |
| BitLocker Drive Encryption | BitLocker Drive Encryption not supported on the operating system hard disk, may be used on data disks. | Please check in Control Panel -> System and Security -> BitLocker Drive Encryption. |
| Internet Storage Name Server | Internet Storage Name Server feature is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if iSNS is installed. |
| Multipath I/O | Multipath I/O Server feature is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |
| Network Load Balancing | Network Load Balancing Server feature is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |
| Peer Name Resolution Protocol | Peer Name Resolution Protocol Server feature is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |
| SNMP Services | SNMP Services feature is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |
| Storage Manager for SANs | Storage Manager for SANs Server feature is not yet supported. Application should not have dependency on this feature. | “Storage Manager for SANs” is not currently supported. |
| Windows Internet Name Service | Windows Internet Name Service Server feature is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if WINS is installed. |
| Wireless LAN Service | Wireless LAN Service Server feature is not yet supported. Application should not have dependency on this feature. | Use the Get-WindowsFeature in PowerShell to check if this is installed. |