Operating system functionality on Azure App Service

This article describes the common baseline operating system functionality that is available to all Windows apps running on Azure App Service. This functionality includes file, network, and registry access, and diagnostics logs and events.

App Service plan tiers

App Service runs customer apps in a multi-tenant hosting environment. Apps deployed in the Free and Shared tiers run in worker processes on shared virtual machines, while apps deployed in the Standard and Premium tiers run on virtual machines dedicated specifically to the apps associated with a single customer.

Note

App Service Free and Shared (preview) hosting plans are base tiers that run on the same Azure virtual machines as other App Service apps. Some apps might belong to other customers. These tiers are intended to be used only for development and testing purposes.

Because App Service supports a seamless scaling experience between different tiers, the security configuration enforced for App Service apps remains the same. This ensures that apps don't suddenly behave differently, failing in unexpected ways, when an App Service plan switches from one tier to another.

Development frameworks

App Service pricing tiers control the amount of compute resources (CPU, disk storage, memory, and network egress) available to apps. However, the breadth of framework functionality available to apps remains the same regardless of the scaling tier.

App Service supports a variety of development frameworks, including ASP.NET, classic ASP, node.js, PHP, and Python, all of which run as extensions within IIS. In order to simplify and normalize security configuration, App Service apps typically run the various development frameworks with their default settings. One approach to configuring apps could have been to customize the API surface area and functionality for each individual development framework. App Service instead takes a more generic approach by enabling a common baseline of operating system functionality regardless of an app's development framework.

The following sections summarize the general kinds of operating system functionality available to App Service apps.

File access

Various drives exist within App Service, including local drives and network drives.

Local drives

At its core, App Service is a service running on top of the Azure PaaS (platform as a service) infrastructure. As a result, the local drives that are "attached" to a virtual machine are the same drive types available to any worker role running in Azure. This includes:

  • An operating system drive (the D:\ drive)
  • An application drive that contains Azure Package cspkg files used exclusively by App Service (and inaccessible to customers)
  • A "user" drive (the C:\ drive), whose size varies depending on the size of the VM.

It is important to monitor your disk utilization as your application grows. If the disk quota is reached, it can have adverse effects on your application. For example:

  • The app may throw an error indicating not enough space on the disk.
  • You may see disk errors when browsing to the Kudu console.
  • Deployment from Azure DevOps or Visual Studio may fail with ERROR_NOT_ENOUGH_DISK_SPACE: Web deployment task failed. (Web Deploy detected insufficient space on disk).
  • Your app may suffer slow performance.

Network drives (aka UNC shares)

One of the unique aspects of App Service that makes app deployment and maintenance straightforward is that all user content is stored on a set of UNC shares. This model maps well to the common pattern of content storage used by on-premises web hosting environments that have multiple load-balanced servers.

Within App Service, there are a number of UNC shares created in each data center. A percentage of the user content for all customers in each data center is allocated to each UNC share. Furthermore, all of the file content for a single customer's subscription is always placed on the same UNC share.

Due to how Azure services work, the specific virtual machine responsible for hosting a UNC share will change over time. It is guaranteed that UNC shares will be mounted by different virtual machines as they are brought up and down during the normal course of Azure operations. For this reason, apps should never make hard-coded assumptions that the machine information in a UNC file path will remain stable over time. Instead, they should use the convenient faux absolute path D:\home\site that App Service provides. This faux absolute path provides a portable, app-and-user-agnostic method for referring to one's own app. By using D:\home\site, one can transfer shared files from app to app without having to configure a new absolute path for each transfer.

Types of file access granted to an app

Each customer's subscription has a reserved directory structure on a specific UNC share within a data center. A customer may have multiple apps created within a specific data center, so all of the directories belonging to a single customer subscription are created on the same UNC share. The share may include directories such as those for content, error and diagnostic logs, and earlier versions of the app created by source control. As expected, a customer's app directories are available for read and write access at runtime by the app's application code.

On the local drives attached to the virtual machine that runs an app, App Service reserves a chunk of space on the C:\ drive for app-specific temporary local storage. Although an app has full read/write access to its own temporary local storage, that storage really isn't intended to be used directly by the application code. Rather, the intent is to provide temporary file storage for IIS and web application frameworks. App Service also limits the amount of temporary local storage available to each app to prevent individual apps from consuming excessive amounts of local file storage.

Two examples of how App Service uses temporary local storage are the directory for temporary ASP.NET files and the directory for IIS compressed files. The ASP.NET compilation system uses the "Temporary ASP.NET Files" directory as a temporary compilation cache location. IIS uses the "IIS Temporary Compressed Files" directory to store compressed response output. Both of these types of file usage (as well as others) are remapped in App Service to per-app temporary local storage. This remapping ensures that functionality continues as expected.

Each app in App Service runs as a random unique low-privileged worker process identity called the "application pool identity", described further here: https://www.iis.net/learn/manage/configuring-security/application-pool-identities. Application code uses this identity for basic read-only access to the operating system drive (the D:\ drive). This means application code can list common directory structures and read common files on the operating system drive. Although this might appear to be a somewhat broad level of access, the same directories and files are accessible when you provision a worker role in an Azure hosted service and read the drive contents.

File access across multiple instances

The home directory contains an app's content, and application code can write to it. If an app runs on multiple instances, the home directory is shared among all instances so that all instances see the same directory. So, for example, if an app saves uploaded files to the home directory, those files are immediately available to all instances.
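The three points above (use the portable D:\home\site path rather than machine-specific UNC paths, keep per-app temporary local storage for scratch data only, and put anything every instance must see under the shared home directory) can be enforced in app code. The following Python helper is an added example, not code from the page or from the App Service team; the HOME_ROOT constant, the TEMP fallback value, and the decision to resolve relative paths under D:\home\site are assumptions made for the example.

```python
import ntpath
import os

# Assumptions (constructed for this example): the persistent share-backed home is D:\home,
# the app's content lives under D:\home\site (the page's faux absolute path), and per-app
# temporary local storage is reached through the TEMP environment variable.
HOME_ROOT = r"D:\home"
SITE_ROOT = ntpath.join(HOME_ROOT, "site")
TEMP_ROOT = os.environ.get("TEMP", r"C:\local\Temp")  # constructed fallback value

def _under(path: str, root: str) -> bool:
    """Case-insensitive containment check on normalized Windows paths."""
    low, r = path.lower(), root.lower()
    return low == r or low.startswith(r + "\\")

def portable_site_path(configured: str) -> str:
    r"""Normalize a configured content path to the portable D:\home\site form.

    UNC paths (\\machine\share\...) are rejected because the VM hosting a share
    changes over time; absolute paths must stay inside the home share; relative
    paths resolve under the site directory; '..' escapes are rejected.
    ntpath is used so the check behaves the same on any OS.
    """
    p = configured.strip()
    if p.startswith("\\\\") or p.startswith("//"):
        raise ValueError(f"UNC path is machine-specific, use {SITE_ROOT} instead: {p}")
    if ntpath.splitdrive(p)[0] or p[:1] in ("\\", "/"):
        full, root = ntpath.normpath(p), HOME_ROOT
    else:
        full, root = ntpath.normpath(ntpath.join(SITE_ROOT, p)), SITE_ROOT
    if not _under(full, root):
        raise ValueError(f"path escapes {root}: {configured}")
    return full

def is_portable(configured: str) -> bool:
    """True if portable_site_path() accepts the configured path."""
    try:
        portable_site_path(configured)
        return True
    except ValueError:
        return False

def storage_root(shared_across_instances: bool) -> str:
    """Data every instance must see (uploads, state) belongs under the home share;
    scratch data belongs in per-app temporary local storage, which is per-VM."""
    return SITE_ROOT if shared_across_instances else TEMP_ROOT
```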

Network access

Application code can use TCP/IP and UDP-based protocols to make outbound network connections to Internet-accessible endpoints that expose external services. Apps can use these same protocols to connect to services within Azure, for example, by establishing HTTPS connections to SQL Database.

There is also a limited capability for apps to establish one local loopback connection and have the app listen on that local loopback socket. This feature exists primarily to enable apps that listen on local loopback sockets as part of their functionality. Each app sees a "private" loopback connection. App "A" cannot listen to a local loopback socket established by app "B".

Named pipes are also supported as an inter-process communication (IPC) mechanism between different processes that collectively run an app. For example, the IIS FastCGI module relies on named pipes to coordinate the individual processes that run PHP pages.

Code execution, processes, and memory

As noted earlier, apps run inside of low-privileged worker processes using a random application pool identity. Application code has access to the memory space associated with the worker process, as well as any child processes that may be spawned by CGI processes or other applications. However, one app cannot access the memory or data of another app even if it is on the same virtual machine.

Apps can run scripts or pages written with supported web development frameworks. App Service doesn't configure any web framework settings to more restricted modes. For example, ASP.NET apps running on App Service run in "full" trust as opposed to a more restricted trust mode. Web frameworks, including both classic ASP and ASP.NET, can call in-process COM components (but not out-of-process COM components) like ADO (ActiveX Data Objects) that are registered by default on the Windows operating system.

Apps can spawn and run arbitrary code. It is allowable for an app to do things like spawn a command shell or run a PowerShell script. However, even though arbitrary code and processes can be spawned from an app, executable programs and scripts are still restricted to the privileges granted to the parent application pool. For example, an app can spawn an executable that makes an outbound HTTP call, but that same executable cannot attempt to unbind the IP address of a virtual machine from its NIC. Making an outbound network call is allowed to low-privileged code, but attempting to reconfigure network settings on a virtual machine requires administrative privileges.

Diagnostics logs and events

Log information is another set of data that some apps attempt to access. The types of log information available to code running in App Service include diagnostic and log information generated by an app, which is also easily accessible to the app.

For example, W3C HTTP logs generated by an active app are available either in a log directory in the network share location created for the app, or in blob storage if a customer has set up W3C logging to storage. The latter option enables large quantities of logs to be gathered without the risk of exceeding the file storage limits associated with a network share.

In a similar vein, real-time diagnostics information from .NET apps can also be logged using the .NET tracing and diagnostics infrastructure, with options to write the trace information to either the app's network share, or alternatively to a blob storage location.

Areas of diagnostics logging and tracing that aren't available to apps are Windows ETW events and common Windows event logs (for example, the System, Application, and Security event logs). Since ETW trace information can potentially be viewable machine-wide (with the right ACLs), read and write access to ETW events is blocked. Developers might notice that API calls to read and write ETW events and common Windows event logs appear to work, but that is because App Service is "faking" the calls so that they appear to succeed. In reality, the application code has no access to this event data.

Registry access

Apps have read-only access to much (though not all) of the registry of the virtual machine they are running on. In practice, this means registry keys that allow read-only access to the local Users group are accessible by apps. One area of the registry that is currently not supported for either read or write access is the HKEY_CURRENT_USER hive.

Write access to the registry is blocked, including access to any per-user registry keys. From the app's perspective, write access to the registry should never be relied upon in the Azure environment, since apps can (and do) get migrated across different virtual machines. The only persistent writeable storage that can be depended on by an app is the per-app content directory structure stored on the App Service UNC shares.

Remote desktop access

App Service doesn't provide remote desktop access to the VM instances.

More information

Azure App Service sandbox - The most up-to-date information about the execution environment of App Service. This page is maintained directly by the App Service development team.