Hybrid Runbook Worker overview

Runbooks in Azure Automation might not have access to resources in other clouds or in your on-premises environment because they run on the Azure cloud platform. You can use the Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on the machine that hosts the role and against resources in that environment, and so manage those local resources. Runbooks are stored and managed in Azure Automation and then delivered to one or more assigned machines.

Runbook Worker types

There are two types of Runbook Workers, system and user. The following list describes the difference between them.

  • System: Supports a set of hidden runbooks used by the Update Management feature that are designed to install user-specified updates on Windows and Linux machines. This type of Hybrid Runbook Worker is not a member of a Hybrid Runbook Worker group, and therefore does not run runbooks that target a Runbook Worker group.
  • User: Supports user-defined runbooks intended to run directly on Windows and Linux machines that are members of one or more Runbook Worker groups.

A Hybrid Runbook Worker can run on either the Windows or the Linux operating system, and the role relies on the Log Analytics agent reporting to an Azure Monitor Log Analytics workspace. The workspace is used not only to verify that the machine runs a supported operating system, but also to download the components required to install the Hybrid Runbook Worker.

When Azure Automation Update Management is enabled, any machine connected to your Log Analytics workspace is automatically configured as a system Hybrid Runbook Worker. To configure it as a user Hybrid Runbook Worker, see Deploy a Windows Hybrid Runbook Worker for Windows and Deploy a Linux Hybrid Runbook Worker for Linux.

How does it work?

[Diagram: Hybrid Runbook Worker overview]

Each user Hybrid Runbook Worker is a member of a Hybrid Runbook Worker group that you specify when you install the worker. A group can contain a single worker, but you can add multiple workers to a group for high availability. Each machine can host one Hybrid Runbook Worker reporting to one Automation account; you cannot register the hybrid worker across multiple Automation accounts, and a hybrid worker only listens for jobs from a single Automation account. Machines hosting the system Hybrid Runbook Worker managed by Update Management can also be added to a Hybrid Runbook Worker group, but you must use the same Automation account for both Update Management and the Hybrid Runbook Worker group membership.

When you start a runbook on a user Hybrid Runbook Worker, you specify the group that it runs on; you can't target a particular worker. Each worker in the group polls Azure Automation every 30 seconds to see if any jobs are available, and the first worker to poll after a job is queued takes it (first come, first served). Which worker that is depends only on when the job was pushed relative to each worker's poll. A single hybrid worker can generally pick up four jobs per poll (that is, every 30 seconds), so if you push jobs faster than four per 30 seconds, another hybrid worker in the group is very likely to pick up the additional jobs. The processing time of the job queue depends on the hybrid worker's hardware profile and load.

A Hybrid Runbook Worker doesn't have many of the Azure sandbox resource limits on disk space, memory, or network sockets. The limits on a hybrid worker are only those of the worker's own resources, and its jobs aren't constrained by the fair-share time limit that Azure sandboxes have.

To control how runbooks are distributed across Hybrid Runbook Workers and when or how jobs are triggered, you can register hybrid workers against different Hybrid Runbook Worker groups within your Automation account and then target jobs at the specific group or groups that fit your execution arrangement.
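The following is an added example (not code from this page) of the flow described above: it lists the workers currently registered in a group, starts a runbook targeted at that group with -RunOn, polls the job until it leaves the queued/running states, and then pulls the job streams. The resource group, account, group, runbook and parameter names in angle brackets are placeholders; the TargetServer parameter is assumed to be one your runbook declares.

```powershell
# Added example: target a Hybrid Runbook Worker group and follow the job.
# Values in <...> are placeholders you must replace.
$rg      = "<resourceGroupName>"
$account = "<automationAccountName>"
$group   = "<hybridWorkerGroupName>"   # the group is the unit you target; a single worker cannot be chosen

# Confirm the group exists and see which workers are registered in it (and when they last polled)
$grp = Get-AzAutomationHybridWorkerGroup -ResourceGroupName $rg -AutomationAccountName $account -Name $group
$grp.RunbookWorker | Select-Object Name, IpAddress, LastSeenDateTime | Format-Table -AutoSize

# -RunOn routes the job to the hybrid worker group instead of an Azure sandbox.
# 'TargetServer' is an assumed runbook parameter for this example.
$job = Start-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account `
        -Name "<runbookName>" -RunOn $group -Parameters @{ TargetServer = "<localServerName>" }

# Workers poll every 30 seconds, so a short stay in 'Queued' before a worker claims the job is normal.
do {
    Start-Sleep -Seconds 15
    $job = Get-AzAutomationJob -ResourceGroupName $rg -AutomationAccountName $account -Id $job.JobId
    Write-Host ("{0}  status={1}  worker={2}" -f (Get-Date -Format s), $job.Status, $job.HybridWorker)
} while ($job.Status -in @('New', 'Activating', 'Queued', 'Running', 'Resuming', 'Stopping', 'Suspending'))

# Review every stream (Output, Error, Warning, Verbose) the job produced on the worker
Get-AzAutomationJobOutput -ResourceGroupName $rg -AutomationAccountName $account -Id $job.JobId -Stream Any |
    Select-Object Time, Type, Summary | Format-Table -AutoSize
```

The HybridWorker property on the returned job tells you which machine in the group actually claimed it, which is the only way to find out after the fact, since the service does not let you choose a worker up front.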

Hybrid Runbook Worker installation

The process to install a user Hybrid Runbook Worker depends on the operating system. The list below defines the deployment types.

  • Windows: Automated or Manual
  • Linux: Manual

The recommended installation method for a Windows machine is to use an Azure Automation runbook to fully automate the process of configuring it. If that isn't feasible, you can follow a step-by-step procedure to manually install and configure the role. For Linux machines, you run a Python script to install the agent on the machine.

Network planning

For both a system and a user Hybrid Runbook Worker to connect to and register with Azure Automation, it must have access to the port and URLs described in this section. The worker must also have access to the ports and URLs required by the Log Analytics agent to connect to the Azure Monitor Log Analytics workspace.

The following port and URLs are required for the Hybrid Runbook Worker:

  • Port: Only TCP 443 is required, for outbound internet access
  • Global URL: *.azure-automation.cn
  • Agent service: https://<workspaceId>.agentsvc.azure-automation.cn

Proxy server use

If you use a proxy server for communication between Azure Automation and machines running the Log Analytics agent, ensure that the appropriate resources are reachable through it. Requests between the Hybrid Runbook Worker and the Automation service time out after 30 seconds, and a request fails after three attempts.

Firewall use

If you use a firewall to restrict access to the Internet, you must configure the firewall to permit that access. If you use the Log Analytics gateway as a proxy, ensure that it is configured for Hybrid Runbook Workers. See Configure the Log Analytics gateway for Automation Hybrid Runbook Workers.
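Before registering a worker, it is worth checking the paths listed above from the machine itself. The script below is an added example for a Windows worker, not part of this page: it tests raw TCP 443 reachability (which ignores any proxy and so reflects the firewall) and then an HTTPS request the way the agent would make it, honouring an optional proxy or Log Analytics gateway and the 30-second timeout the service uses. The workspace ID and proxy address are placeholders; add the specific hosts under *.azure-automation.cn that your region uses to the list.

```powershell
# Added example: verify outbound TCP 443 paths from a prospective Hybrid Runbook Worker.
$workspaceId = "<workspaceId>"
$proxy       = $null   # e.g. "http://loggateway.contoso.local:8080" when traffic must go via a proxy/gateway

$hosts = @(
    "$workspaceId.agentsvc.azure-automation.cn"   # agent service endpoint from the list above
    # add the region-specific hosts under *.azure-automation.cn that your account uses
)

foreach ($h in $hosts) {
    # 1. Plain TCP test: bypasses any proxy, so a failure here points at the firewall path
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue

    # 2. HTTPS test through the configured proxy with the service's 30 s timeout.
    #    Any HTTP status (401/403/404 included) proves the path is open; only a missing
    #    response (DNS failure, connect timeout, TLS interception failure) means it is blocked.
    $https = 'unreachable'
    try {
        $params = @{ Uri = "https://$h/"; Method = 'Head'; TimeoutSec = 30; UseBasicParsing = $true }
        if ($proxy) { $params.Proxy = $proxy }
        $resp  = Invoke-WebRequest @params
        $https = "HTTP $([int]$resp.StatusCode)"
    }
    catch {
        if ($_.Exception.Response) { $https = "HTTP $([int]$_.Exception.Response.StatusCode)" }
        else                        { $https = "blocked: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Host     = $h
        Tcp443   = $tcp.TcpTestSucceeded
        Https    = $https
        ViaProxy = [bool]$proxy
    }
}
```

A host that passes the TCP test but fails the HTTPS test through the proxy usually means the proxy itself is not allowing the destination or is terminating TLS with a certificate the worker does not trust; fix that on the proxy, not the firewall.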

Service tags

Azure Automation supports Azure virtual network service tags, starting with the service tag GuestAndHybridManagement. You can use service tags to define network access controls on network security groups or Azure Firewall. Service tags can be used in place of specific IP addresses when you create security rules. By specifying the service tag name GuestAndHybridManagement in the appropriate source or destination field of a rule, you can allow or deny traffic for the Automation service. This service tag does not support more granular control by restricting its IP ranges to a specific region.

The service tag for the Azure Automation service only provides the IPs used for the following scenarios:

  • Triggering webhooks from within your virtual network
  • Allowing Hybrid Runbook Workers or State Configuration agents on your VNet to communicate with the Automation service

Note

The service tag GuestAndHybridManagement currently doesn't support runbook job execution in an Azure sandbox, only directly on a Hybrid Runbook Worker.
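As an added example of the service-tag approach (not code from this page), the script below first expands GuestAndHybridManagement to its current prefixes so you can see what the tag covers, then adds an outbound NSG rule that permits only TCP 443 to the tag from the worker's subnet. The resource group, NSG name and region are placeholders. Note that this rule covers the Automation service only; the Log Analytics agent's own endpoints, which the worker also needs, are not part of this tag and must be allowed separately.

```powershell
# Added example: allow Hybrid Runbook Worker egress to Azure Automation via a service tag.
$rg       = "<resourceGroupName>"
$nsgName  = "<nsgName>"
$location = "<region>"   # e.g. the Azure China region that hosts the VNet

# Inspect what the tag resolves to today (the tag is global; it cannot be narrowed to one region)
$ghm = (Get-AzNetworkServiceTag -Location $location).Values |
       Where-Object Name -eq 'GuestAndHybridManagement'
"GuestAndHybridManagement currently spans {0} prefixes, e.g. {1}" -f `
    $ghm.Properties.AddressPrefixes.Count, ($ghm.Properties.AddressPrefixes | Select-Object -First 3) -join ', '

# Outbound rule: the tag as destination, TCP 443 only, nothing else opened.
# Priority 200 leaves room for narrower deny rules in front of it; the NSG's default
# DenyAllOutBound still blocks everything this rule does not name.
$ruleParams = @{
    Name                     = 'Allow-HybridWorker-Automation-443'
    Description              = 'Hybrid Runbook Worker to Azure Automation (service tag)'
    Direction                = 'Outbound'
    Access                   = 'Allow'
    Priority                 = 200
    Protocol                 = 'Tcp'
    SourceAddressPrefix      = 'VirtualNetwork'
    SourcePortRange          = '*'
    DestinationAddressPrefix = 'GuestAndHybridManagement'
    DestinationPortRange     = '443'
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName |
       Add-AzNetworkSecurityRuleConfig @ruleParams |
       Set-AzNetworkSecurityGroup

# Confirm the rule landed as intended
$nsg.SecurityRules | Where-Object Name -eq $ruleParams.Name |
    Format-List Name, Direction, Access, Priority, DestinationAddressPrefix, DestinationPortRange
```

Using the tag rather than the expanded prefixes is the point: the prefix list changes over time and Azure updates the tag for you, whereas a copied IP list silently goes stale and either breaks registration or, worse, leaves old ranges open.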

Update Management addresses for Hybrid Runbook Worker

In addition to the standard addresses and ports required for the Hybrid Runbook Worker, Update Management has other network configuration requirements, described in its own network planning section.

Azure Automation State Configuration on a Hybrid Runbook Worker

You can run Azure Automation State Configuration on a Hybrid Runbook Worker. To manage the configuration of the servers that host the Hybrid Runbook Worker, you must add those servers as DSC nodes. See Enable machines for management by Azure Automation State Configuration.

Runbook Worker limits

The maximum number of Hybrid Worker groups per Automation account is 4,000, and this applies to both system and user hybrid workers. If you have more than 4,000 machines to manage, we recommend creating another Automation account.

Runbooks on a Hybrid Runbook Worker

You might have runbooks that manage resources on the local machine, or that run against resources in the local environment where a user Hybrid Runbook Worker is deployed. In this case, you can choose to run those runbooks on the hybrid worker instead of in an Azure sandbox. Runbooks that run on a Hybrid Runbook Worker are identical in structure to those you run in the Automation account. See Run runbooks on a Hybrid Runbook Worker.

Hybrid Runbook Worker jobs

Hybrid Runbook Worker jobs run under the local System account on Windows or the nxautomation account on Linux. On Windows that is the most privileged local account, so anyone permitted to start runbooks against a group effectively gets SYSTEM on every worker in it; scope who can start jobs on a group accordingly. Azure Automation handles jobs on Hybrid Runbook Workers differently from jobs run in Azure sandboxes. See Runbook execution environment.

If the Hybrid Runbook Worker host machine reboots, any running runbook job restarts from the beginning, or from the last checkpoint for PowerShell Workflow runbooks. A runbook job that has been restarted more than three times is suspended.
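The checkpoint behaviour above is what makes PowerShell Workflow the right choice for long-running jobs on a hybrid worker. The workflow below is an added example, not from this page: it processes a list of servers and calls Checkpoint-Workflow after each one, so a host reboot mid-run resumes at the next server rather than from the top. The server and service names are placeholders; the step is written to be idempotent because a job that restarts more than three times is suspended, and the unit of work in progress at reboot time will be replayed.

```powershell
# Added example: a checkpointed PowerShell Workflow runbook for a Hybrid Runbook Worker.
workflow Restart-ServiceOnServers
{
    param(
        [string[]] $Servers     = @('<server1>', '<server2>', '<server3>'),   # placeholders
        [string]   $ServiceName = 'Spooler'                                   # placeholder
    )

    foreach ($server in $Servers)
    {
        # Real work runs in InlineScript. Keep it idempotent: on resume the server that was in
        # progress at reboot time is processed again, and starting an already-running service is harmless.
        InlineScript {
            $svc = Get-Service -ComputerName $Using:server -Name $Using:ServiceName
            if ($svc.Status -ne 'Running') {
                $svc | Start-Service
            }
            $after = (Get-Service -ComputerName $Using:server -Name $Using:ServiceName).Status
            "$($Using:server): $($Using:ServiceName) is $after"
        }

        # Persist workflow state now. If the worker reboots after this point, the resumed job
        # continues with the next server instead of restarting from the beginning.
        Checkpoint-Workflow
    }
}
```

Place the checkpoint after each unit of work, not before it; a checkpoint taken before the work would resume the job just in time to repeat the step that was interrupted, with no record that it had started.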

Runbook permissions for a Hybrid Runbook Worker

Because runbooks running on a user Hybrid Runbook Worker access non-Azure resources, they can't use the authentication mechanism that runbooks normally use to authenticate to Azure resources. A runbook either supplies its own authentication to local resources, or authenticates to Azure resources using a managed identity. You can also specify a Run As account for the group to provide a user context for all runbooks that run on it.
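The following runbook is an added example (not from this page) of the three contexts described above in one place: it reports which Windows account the job actually executes as, reaches a local server with an explicit least-privilege credential held as an Automation credential asset, and reaches Azure with the worker VM's managed identity. The credential asset name LocalOpsCred, the TargetServer parameter and the assumption that the worker is an Azure VM with a managed identity assigned (required for step 3) are all assumptions of the example.

```powershell
# Added example runbook (PowerShell, not Workflow) to run on a user Hybrid Runbook Worker group.
param(
    [Parameter(Mandatory = $true)]
    [string] $TargetServer        # placeholder: an on-premises server reachable from the worker
)

# 1. Which identity is this job running as?
#    On a Windows hybrid worker this is NT AUTHORITY\SYSTEM unless a Run As account is configured
#    for the group. Log it so the job stream records the context every run.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Job running on $env:COMPUTERNAME as $me"

# 2. Local resources: SYSTEM can only reach other hosts as the worker's computer account (if
#    domain-joined), so use an explicit credential stored as an Automation credential asset.
#    'LocalOpsCred' is an assumed asset name; give that account only the rights this task needs.
$cred = Get-AutomationPSCredential -Name 'LocalOpsCred'
if (-not $cred) { throw "Credential asset 'LocalOpsCred' not found in the Automation account" }

$result = Invoke-Command -ComputerName $TargetServer -Credential $cred -ScriptBlock {
    Get-Service -Name 'Spooler' | Select-Object MachineName, Name, Status
}
Write-Output $result

# 3. Azure resources: no embedded secrets; authenticate with the worker VM's managed identity.
#    -Environment is set for the Azure China cloud this page's endpoints belong to (assumption).
Connect-AzAccount -Identity -Environment AzureChinaCloud | Out-Null
$ctx = Get-AzContext
Write-Output "Azure context: $($ctx.Account.Id) in subscription $($ctx.Subscription.Id)"
```

Keeping the local credential in a credential asset rather than in the runbook body means it never appears in the runbook source, job history or Git, and it can be rotated in one place; the managed identity step removes the secret entirely for the Azure side.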

View system Hybrid Runbook Workers

After the Update Management feature is enabled on Windows or Linux machines, you can inventory the system Hybrid Runbook Worker group in the Azure portal. The portal shows up to 2,000 workers: in the left pane of the selected Automation account, open Hybrid workers group and select the System hybrid workers group tab.

[Screenshot: Automation account, System hybrid workers group page]

If you have more than 2,000 hybrid workers, run the following PowerShell script to get a list of all of them:

```powershell
# Select the subscription that contains the Automation account
Get-AzSubscription -SubscriptionName "<subscriptionName>" | Set-AzContext

# RunbookWorker holds every worker registered in the account's hybrid worker groups,
# without the portal's 2,000-item cap
$workersList = (Get-AzAutomationHybridWorkerGroup -ResourceGroupName "<resourceGroupName>" -AutomationAccountName "<automationAccountName>").RunbookWorker

# Write the full list to CSV; -NoClobber refuses to overwrite an existing file
$workersList | Export-Csv -Path "<Path>\output.csv" -NoClobber -NoTypeInformation
```

Next steps