OS and runtime patching in Azure App Service

This article shows you how to get certain version information regarding the OS or software in App Service.

App Service is a Platform-as-a-Service, which means that the OS and application stack are managed for you by Azure; you only manage your application and its data. More control over the OS and application stack is available to you in Azure Virtual Machines. With that in mind, it is nevertheless helpful for you as an App Service user to know more information, such as:

  • How and when are OS updates applied?
  • How is App Service patched against significant vulnerabilities (such as zero-day)?
  • Which OS and runtime versions are running your apps?

For security reasons, certain specifics of security information are not published. However, the article aims to alleviate concerns by maximizing transparency on the process, and how you can stay up-to-date on security-related announcements or runtime updates.

How and when are OS updates applied?

Azure manages OS patching on two levels, the physical servers and the guest virtual machines (VMs) that run the App Service resources. Both are updated monthly, which aligns to the monthly Patch Tuesday schedule. These updates are applied automatically, in a way that guarantees the high-availability SLA of Azure services.

For detailed information on how updates are applied, see Demystifying the magic behind App Service OS updates.

How does Azure deal with significant vulnerabilities?

When severe vulnerabilities require immediate patching, such as zero-day vulnerabilities, the high-priority updates are handled on a case-by-case basis.

Stay current with critical security announcements in Azure by visiting Azure Security Blog.

When are supported language runtimes updated, added, or deprecated?

New stable versions of supported language runtimes (major, minor, or patch) are periodically added to App Service instances. Some updates overwrite the existing installation, while others are installed side by side with existing versions. An overwrite installation means that your app automatically runs on the updated runtime. A side-by-side installation means you must manually migrate your app to take advantage of a new runtime version. For more information, see one of the subsections.

Runtime updates and deprecations are announced here:

Note

Information here applies to language runtimes that are built into an App Service app. A custom runtime you upload to App Service, for example, remains unchanged unless you manually upgrade it.

New patch updates

Patch updates to .NET, PHP, Java SDK, or Tomcat/Jetty version are applied automatically by overwriting the existing installation with the new version. Node.js patch updates are installed side by side with the existing versions (similar to major and minor versions in the next section). New Python patch versions can be installed manually through site extensions, side by side with the built-in Python installations.

New major and minor versions

When a new major or minor version is added, it is installed side by side with the existing versions. You can manually upgrade your app to the new version. If you configured the runtime version in a configuration file (such as web.config and package.json), you need to upgrade with the same method. If you used an App Service setting to configure your runtime version, you can change it in the Azure portal or by running an Azure CLI command, as shown in the following examples:

az webapp config set --net-framework-version v4.7 --resource-group <groupname> --name <appname>
az webapp config set --php-version 7.0 --resource-group <groupname> --name <appname>
az webapp config appsettings set --settings WEBSITE_NODE_DEFAULT_VERSION=8.9.3 --resource-group <groupname> --name <appname>
az webapp config set --python-version 3.4 --resource-group <groupname> --name <appname>
az webapp config set --java-version 1.8 --java-container Tomcat --java-container-version 9.0 --resource-group <groupname> --name <appname>
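
Added example (not part of the original article or of Azure's tooling): Python that reads the JSON printed by `az webapp config show` and `az webapp config appsettings list` and lists the configured runtimes whose patch updates are installed side by side, so the app stays on its pinned version until you change it. The JSON field names and the sample documents are assumptions constructed for illustration.

```python
import json

# Patch behaviour per built-in runtime, as stated on this page:
# "overwrite" = patched automatically in place; "side-by-side" = the new patch
# is installed next to the old one and the app must be moved manually.
PATCH_MODE = {
    ".NET Framework": "overwrite",
    "PHP": "overwrite",
    "Java SDK": "overwrite",
    "Tomcat/Jetty": "overwrite",
    "Node.js": "side-by-side",
    "Python": "side-by-side",  # new patch versions arrive via site extensions
}

def configured_runtimes(site_config, app_settings):
    """Return {runtime: version} for every runtime the app has configured."""
    settings = {s["name"]: s.get("value") for s in app_settings}
    found = {
        ".NET Framework": site_config.get("netFrameworkVersion"),
        "PHP": site_config.get("phpVersion"),
        "Python": site_config.get("pythonVersion"),
        "Java SDK": site_config.get("javaVersion"),
        "Tomcat/Jetty": site_config.get("javaContainerVersion"),
        "Node.js": settings.get("WEBSITE_NODE_DEFAULT_VERSION"),
    }
    # Unset runtimes come back as null or an empty string; drop them.
    return {k: v for k, v in found.items() if v}

def manual_patch_report(site_config_json, app_settings_json):
    """List (runtime, version) pairs that will not be patched automatically."""
    runtimes = configured_runtimes(json.loads(site_config_json),
                                   json.loads(app_settings_json))
    return sorted((name, ver) for name, ver in runtimes.items()
                  if PATCH_MODE[name] == "side-by-side")

# Constructed sample input, shaped like the CLI's JSON output (assumed fields).
SAMPLE_CONFIG = json.dumps({"netFrameworkVersion": "v4.7", "phpVersion": "7.0",
                            "pythonVersion": "", "javaVersion": None,
                            "javaContainer": None, "javaContainerVersion": None})
SAMPLE_SETTINGS = json.dumps([
    {"name": "WEBSITE_NODE_DEFAULT_VERSION", "slotSetting": False, "value": "8.9.3"},
    {"name": "APP_MODE", "slotSetting": False, "value": "prod"},
])

if __name__ == "__main__":
    for name, ver in manual_patch_report(SAMPLE_CONFIG, SAMPLE_SETTINGS):
        print(f"{name} {ver}: pinned, patch updates need a manual upgrade")
```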

Deprecated versions

When an older version is deprecated, the removal date is announced so that you can plan your runtime version upgrade accordingly.

How can I query OS and runtime update status on my instances?

While critical OS information is locked down from access (see Operating system functionality on Azure App Service), the Kudu console enables you to query your App Service instance regarding the OS version and runtime versions.

The following table shows how to find the versions of Windows and of the language runtime that are running your apps:

Information | Where to find it
Windows version | See https://<appname>.scm.chinacloudsites.cn/Env.cshtml (under System info)
.NET version | At https://<appname>.scm.chinacloudsites.cn/DebugConsole, run the following command in the command prompt:
powershell -command "gci 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF'"
.NET Core version | At https://<appname>.scm.chinacloudsites.cn/DebugConsole, run the following command in the command prompt:
dotnet --version
PHP version | At https://<appname>.scm.chinacloudsites.cn/DebugConsole, run the following command in the command prompt:
php --version
Default Node.js version | In the Azure CLI, run the following command:
az webapp config appsettings list --resource-group <groupname> --name <appname> --query "[?name=='WEBSITE_NODE_DEFAULT_VERSION']"
Python version | At https://<appname>.scm.chinacloudsites.cn/DebugConsole, run the following command in the command prompt:
python --version
Java version | At https://<appname>.scm.chinacloudsites.cn/DebugConsole, run the following command in the command prompt:
java -version

Note

Access to registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages, where information on "KB" patches is stored, is locked down.

More resources

Trust Center: Security
64 bit ASP.NET Core on Azure App Service