Hybrid Runbook Worker overview

Runbooks in Azure Automation might not have access to resources in other clouds or in your on-premises environment because they run on the Azure cloud platform. You can use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the computer that hosts the role and against resources in that environment, so that you can manage those local resources. Runbooks are stored and managed in Azure Automation and then delivered to one or more assigned computers.

The following image illustrates this functionality:

(Diagram: Hybrid Runbook Worker overview)

A Hybrid Runbook Worker can run either the Windows or the Linux operating system. For monitoring, it requires Azure Monitor and a Log Analytics agent for the supported operating system. For more information, see Azure Monitor.

Each Hybrid Runbook Worker is a member of a Hybrid Runbook Worker group that you specify when you install the agent. A group can include a single agent, but you can install multiple agents in a group for high availability. Each machine can host one hybrid worker reporting to one Automation account.

When you start a runbook on a Hybrid Runbook Worker, you specify the group that it runs on. Each worker in the group polls Azure Automation to see if any jobs are available. If a job is available, the first worker to get the job takes it. The processing time of the job queue depends on the hybrid worker's hardware profile and load. You can't specify a particular worker.

Use a Hybrid Runbook Worker instead of an Azure sandbox when you need to avoid the sandbox limits on disk space, memory, or network sockets. The limits on a hybrid worker are only those of the worker's own resources.

Note

Hybrid Runbook Workers aren't constrained by the fair share time limit that Azure sandboxes have.

Hybrid Runbook Worker installation

The process to install a Hybrid Runbook Worker depends on the operating system. The following table defines the deployment types.

Operating System    Deployment Types
Windows             Automated
                    Manual
Linux               Python

The recommended installation method is to use an Azure Automation runbook to completely automate the process of configuring a Windows computer. The second method is to follow a step-by-step procedure to manually install and configure the role. For Linux machines, you run a Python script to install the agent on the machine.

Network planning

For the Hybrid Runbook Worker to connect to and register with Azure Automation, it must have access to the port number and URLs described in this section. The worker must also have access to the ports and URLs that the Log Analytics agent requires to connect to the Azure Monitor Log Analytics workspace.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

The following port and URLs are required for the Hybrid Runbook Worker:

  • Port: Only TCP 443 is required, for outbound internet access
  • Global URL: *.azure-automation.cn
  • Agent service: https://<workspaceId>.agentsvc.azure-automation.cn

We recommend that you use the addresses listed above when defining exceptions. For IP addresses, you can download the Azure Datacenter IP Ranges. This file is updated weekly and contains the currently deployed ranges and any upcoming changes to the IP ranges.

Proxy server use

If you use a proxy server for communication between Azure Automation and the Log Analytics agent, ensure that the appropriate resources are accessible through it. The timeout for requests from the Hybrid Runbook Worker and Automation services is 30 seconds. After three attempts, a request fails.

Firewall use

If you use a firewall to restrict access to the internet, you must configure the firewall to permit access to the addresses and port listed above. If you use the Log Analytics gateway as a proxy, ensure that it is configured for Hybrid Runbook Workers. See Configure the Log Analytics gateway for Automation Hybrid Workers.

Update Management on Hybrid Runbook Worker

When Azure Automation Update Management is enabled, any computer connected to your Log Analytics workspace is automatically configured as a Hybrid Runbook Worker. Each such worker can support runbooks targeted at Update Management.

A computer configured this way is not registered with any Hybrid Runbook Worker groups already defined in your Automation account. You can add the computer to a Hybrid Runbook Worker group, but you must use the same account for both Update Management and the Hybrid Runbook Worker group membership. This functionality was added in version 7.2.12024.0 of the Hybrid Runbook Worker.

Update Management addresses for Hybrid Runbook Worker

In addition to the standard addresses and port that the Hybrid Runbook Worker requires, Update Management needs the addresses in the following table. Communication to these addresses uses port 443.

Azure China Cloud
  • *.ods.opinsights.azure.cn
  • *.oms.opinsights.azure.cn
  • *.blob.core.chinacloudapi.cn
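As an added example (not part of the original article), the following PowerShell function, run on the worker itself, checks the outbound TCP 443 paths described in the Network planning section and the Update Management addresses above, honouring an optional proxy and the article's 30-second request timeout. It assumes that the workspace-scoped host names follow the `<workspaceId>.<service>` pattern shown for the agent service; the proxy URL is a placeholder.

```powershell
# Added example (not from the original article): verifies outbound TCP 443 reachability
# for a Hybrid Runbook Worker and Update Management from the worker machine.
# Assumptions: workspace-scoped host names follow <workspaceId>.<service> (as the
# agent-service URL in the article does); the proxy URL in the usage line is a placeholder.
function Test-HybridWorkerEndpoints {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [string] $Proxy,                  # optional, e.g. http://proxy.corp.example:8080 (placeholder)
        [int]    $TimeoutSec = 30         # matches the 30-second timeout stated in the article
    )

    # Concrete names derived from the article's wildcards; a wildcard itself cannot be
    # probed. *.blob.core.chinacloudapi.cn is omitted because the storage account name
    # is not derivable from the workspace ID.
    $endpoints = @(
        "$WorkspaceId.agentsvc.azure-automation.cn",   # agent service: worker registration
        "$WorkspaceId.ods.opinsights.azure.cn",        # Update Management: log ingestion
        "$WorkspaceId.oms.opinsights.azure.cn"         # Update Management: agent service
    )

    foreach ($hostName in $endpoints) {
        $result = [ordered]@{ Host = $hostName; Tcp443 = $false; Https = 'not tested' }

        # Step 1: direct TCP reachability on 443 (firewall rule check). When a proxy is
        # mandatory this is expected to fail, so step 2 still runs in that case.
        $result.Tcp443 = Test-NetConnection -ComputerName $hostName -Port 443 `
            -InformationLevel Quiet -WarningAction SilentlyContinue

        # Step 2: full TLS/HTTP round trip, via the proxy if one is configured. Any HTTP
        # status, even an error, proves the path is open; no response means the worker
        # would not be able to register or report.
        if ($result.Tcp443 -or $Proxy) {
            $params = @{ Uri = "https://$hostName/"; TimeoutSec = $TimeoutSec; UseBasicParsing = $true }
            if ($Proxy) { $params.Proxy = $Proxy }
            try {
                $resp = Invoke-WebRequest @params
                $result.Https = "HTTP $($resp.StatusCode)"
            } catch {
                if ($_.Exception.Response) { $result.Https = "HTTP $([int]$_.Exception.Response.StatusCode)" }
                else { $result.Https = "FAILED: $($_.Exception.Message)" }
            }
        }
        [pscustomobject]$result
    }
}

# Usage (placeholders): Test-HybridWorkerEndpoints -WorkspaceId '<workspaceId>' -Proxy 'http://proxy.corp.example:8080'
```

A row showing `Tcp443 = False` together with a `FAILED` HTTPS result points at a firewall or proxy rule rather than a service problem.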

State Configuration (DSC) on Hybrid Runbook Worker

You can run the State Configuration (DSC) feature on a Hybrid Runbook Worker. To manage the configuration of servers that support the Hybrid Runbook Worker, you must add those servers as DSC nodes. For more information about onboarding, see Onboard machines for management by State Configuration (DSC).

Runbooks on a Hybrid Runbook Worker

You might have runbooks that manage resources on the local computer or run against resources in the local environment where a Hybrid Runbook Worker is deployed. In this case, you can choose to run your runbooks on the hybrid worker instead of in an Automation account. Runbooks that run on a Hybrid Runbook Worker are identical in structure to those that you run in the Automation account. See Run runbooks on a Hybrid Runbook Worker.

Hybrid Runbook Worker jobs

Hybrid Runbook Worker jobs run under the local System account on Windows or the nxautomation account on Linux. Azure Automation handles jobs on Hybrid Runbook Workers somewhat differently from jobs run in Azure sandboxes. See Runbook execution environment.

If the Hybrid Runbook Worker host machine reboots, any running runbook job restarts from the beginning, or from the last checkpoint for PowerShell Workflow runbooks. After a runbook job has been restarted more than three times, it is suspended.

Runbook permissions for a Hybrid Runbook Worker

Because they access non-Azure resources, runbooks running on a Hybrid Runbook Worker can't use the authentication mechanism that runbooks typically use to authenticate to Azure resources. A runbook either provides its own authentication to local resources or configures authentication using managed identities for Azure resources. You can also specify a Run As account to provide a user context for all runbooks.
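As an added example (not from the original article), the following PowerShell runbook illustrates the permission model just described on a Windows hybrid worker: the job itself runs as the local System account, which has no standing on other machines, so the runbook supplies its own identity from a credential asset. The asset names `OnPremFileServerAdmin` and `OnPremFileServer` are hypothetical.

```powershell
# Added example (not from the original article): a PowerShell runbook intended to run on a
# Windows Hybrid Runbook Worker. The job runs as NT AUTHORITY\SYSTEM, so it must bring its
# own, scoped identity for on-premises resources instead of relying on the job context.
# Assumptions: a credential asset 'OnPremFileServerAdmin' and a variable asset
# 'OnPremFileServer' exist in the Automation account (both hypothetical names).
param(
    [string] $CredentialAssetName = 'OnPremFileServerAdmin',
    [string] $TargetVariableName  = 'OnPremFileServer'
)

# Record the identity the job runs under so the job log shows the System context.
$jobIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Hybrid worker job identity: $jobIdentity"

# Retrieve the scoped credential and the target host from Automation assets; the
# secret never appears in the runbook body and is scoped to this one task.
$cred   = Get-AutomationPSCredential -Name $CredentialAssetName
$target = Get-AutomationVariable -Name $TargetVariableName
if (-not $cred)   { throw "Credential asset '$CredentialAssetName' was not found." }
if (-not $target) { throw "Variable asset '$TargetVariableName' was not found." }

# Authenticate to the local resource explicitly. The remote machine sees the
# least-privileged account from the asset, not the worker's System account.
$remote = Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    [pscustomobject]@{
        RanAs      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Host       = $env:COMPUTERNAME
        FreeSpaceC = (Get-PSDrive -Name C).Free
    }
}

Write-Output "Remote command ran as $($remote.RanAs) on $($remote.Host); free space on C: $($remote.FreeSpaceC) bytes"
```

Comparing the two identities in the job output confirms that the on-premises action was performed with the credential asset rather than with the worker's System context.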

Next steps