Run a Linux virtual machine on Azure Stack Hub

Provisioning a virtual machine (VM) in Azure Stack Hub, like Azure, requires some additional components besides the VM itself, including networking and storage resources. This article shows best practices for running a Linux VM on Azure Stack Hub.

Linux VM architecture on Azure Stack Hub

Resource group

A resource group is a logical container that holds related Azure Stack Hub resources. In general, group resources based on their lifetime and who will manage them.

Put closely associated resources that share the same lifecycle into the same resource group. Resource groups let you deploy and monitor resources as a group and track billing costs by resource group. You can also delete resources as a set, which is useful for test deployments. Assign meaningful resource names to simplify locating a specific resource and understanding its role. For more information, see Recommended Naming Conventions for Azure Resources.

Virtual machine

You can provision a VM from a list of published images, or from a custom managed image or virtual hard disk (VHD) file uploaded to Azure Stack Hub Blob storage. Azure Stack Hub supports running various popular Linux distributions, including CentOS, Debian, Red Hat Enterprise Linux, Ubuntu, and SUSE. For more information, see Linux on Azure Stack Hub. You may also choose to syndicate one of the published Linux images that are available on the Azure Stack Hub Marketplace.

Azure Stack Hub offers different virtual machine sizes from Azure. For more information, see Sizes for virtual machines in Azure Stack Hub. If you are moving an existing workload to Azure Stack Hub, start with the VM size that is the closest match to your on-premises servers or Azure VMs. Then measure the performance of your actual workload in terms of CPU, memory, and disk input/output operations per second (IOPS), and adjust the size as needed.

Disks

Cost is based on the capacity of the provisioned disk. IOPS and throughput (that is, data transfer rate) depend on VM size, so when you provision a disk, consider all three factors (capacity, IOPS, and throughput).

Disk IOPS (input/output operations per second) on Azure Stack Hub is a function of VM size rather than disk type. This means that for a Standard_Fs series VM, regardless of whether you choose SSD or HDD for the disk type, the IOPS limit for a single additional data disk is 2300 IOPS. The IOPS limit imposed is a cap (maximum possible) to prevent noisy neighbors. It is not an assurance of the IOPS that you will get on a specific VM size.

We also recommend using Managed Disks. Managed disks simplify disk management by handling the storage for you. Managed disks do not require a storage account. You simply specify the size and type of disk and it is deployed as a highly available resource.

The OS disk is a VHD stored in Azure Stack Hub Storage, so it persists even when the host machine is down. For Linux VMs, the OS disk is /dev/sda, with the root file system typically on the /dev/sda1 partition. We also recommend creating one or more data disks, which are persistent VHDs used for application data.

When you create a VHD, it is unformatted. Log in to the VM to format the disk. In the Linux shell, data disks appear as /dev/sdc, /dev/sdd, and so on. You can run lsblk to list the block devices, including the disks. To use a data disk, create a partition and file system, and then mount the disk. Device names such as /dev/sdc are not guaranteed to stay the same across reboots, so if you add the mount to /etc/fstab, identify the file system by its UUID (from blkid) rather than by device name. For example:

# Create a partition.
sudo fdisk /dev/sdc   # Enter 'n' to partition, 'w' to write the change.

# Create a file system.
sudo mkfs -t ext3 /dev/sdc1

# Mount the drive.
sudo mkdir /data1
sudo mount /dev/sdc1 /data1

When you add a data disk, a logical unit number (LUN) ID is assigned to the disk. Optionally, you can specify the LUN ID; for example, if you are replacing a disk and want to retain the same LUN ID, or you have an application that looks for a specific LUN ID. However, remember that LUN IDs must be unique for each disk.

The VM is created with a temporary disk. This disk is stored on a temporary volume on the Azure Stack Hub storage infrastructure. It may be deleted during reboots and other VM lifecycle events. Use this disk only for temporary data, such as page or swap files, and never for data you cannot regenerate. For Linux VMs, the temporary disk is /dev/sdb (partition /dev/sdb1) and is mounted at /mnt/resource or /mnt.
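The partition-format-mount procedure above, together with the caveat about the temporary disk, is easy to get wrong on a VM with several disks: reformatting /dev/sdb loses nothing, but reformatting a data disk that already carries a file system does. The following Python script is an added example (not code from the original article or from Azure Stack Hub): it reads the JSON output of lsblk, picks out only whole disks that are neither the OS disk (/dev/sda) nor the temporary disk (/dev/sdb) and carry no partition table or file system, and produces the initialisation commands plus a UUID-keyed /etc/fstab entry. The lsblk document embedded in the script is constructed for illustration; the mount point names (/data1, ...) and the choice of ext4 and parted are assumptions, not requirements of the article.

```python
"""Plan safe initialisation of unused data disks on a Linux VM.

Added example; not part of the original article. Assumes the /dev/sda (OS)
and /dev/sdb (temporary) layout described in the text and that the JSON
comes from:  lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,SIZE
"""
from __future__ import annotations

import json

# Constructed sample (not captured from a real VM): OS disk, temporary disk
# mounted at /mnt/resource, one fresh data disk (sdc) and one data disk that
# already holds a file system (sdd).
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "size": "30G",
         "children": [
             {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/", "size": "29.9G"},
             {"name": "sda15", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi", "size": "106M"}]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "size": "8G",
         "children": [
             {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/mnt/resource", "size": "8G"}]},
        {"name": "sdc", "type": "disk", "fstype": None, "mountpoint": None, "size": "256G"},
        {"name": "sdd", "type": "disk", "fstype": None, "mountpoint": None, "size": "512G",
         "children": [
             {"name": "sdd1", "type": "part", "fstype": "xfs", "mountpoint": "/data2", "size": "512G"}]},
        {"name": "sr0", "type": "rom", "fstype": "udf", "mountpoint": None, "size": "628K"},
    ]
})

OS_DISK = "sda"
TEMP_DISK = "sdb"   # ephemeral: contents may vanish on reboot or redeploy


def unused_data_disks(lsblk_json: str) -> list[str]:
    """Names of whole disks that are safe to initialise.

    Safe means: type 'disk', not the OS or temporary disk, and no partition
    table or file system present (no children, no fstype). Everything else
    is skipped so an existing data disk is never reformatted by mistake.
    """
    devices = json.loads(lsblk_json)["blockdevices"]
    candidates = []
    for dev in devices:
        if dev.get("type") != "disk":
            continue
        if dev["name"] in (OS_DISK, TEMP_DISK):
            continue
        if dev.get("children") or dev.get("fstype"):
            continue
        candidates.append(dev["name"])
    return candidates


def init_plan(disk: str, mountpoint: str, fstype: str = "ext4") -> list[list[str]]:
    """Commands (argv lists, so they can run via subprocess without a shell)
    that create one partition spanning the disk, a file system, and the mount.
    parted/mkfs options used here are standard GNU/util-linux flags."""
    dev = f"/dev/{disk}"
    part = f"{dev}1"
    return [
        ["parted", "--script", dev, "mklabel", "gpt", "mkpart", "primary", fstype, "0%", "100%"],
        ["mkfs", "-t", fstype, part],
        ["mkdir", "-p", mountpoint],
        ["mount", part, mountpoint],
    ]


def fstab_entry(uuid: str, mountpoint: str, fstype: str = "ext4") -> str:
    """Persistent mount keyed by file-system UUID rather than /dev/sdX, which
    can be renumbered across reboots. 'nofail' keeps the VM bootable if the
    disk is detached later; 'nosuid,nodev' is a sensible hardening default
    for an application-data volume."""
    return f"UUID={uuid}\t{mountpoint}\t{fstype}\tdefaults,nofail,nosuid,nodev\t0\t2"


if __name__ == "__main__":
    # On a real VM replace SAMPLE_LSBLK with the live lsblk -J output.
    for i, disk in enumerate(unused_data_disks(SAMPLE_LSBLK), start=1):
        for cmd in init_plan(disk, f"/data{i}"):
            print(" ".join(cmd))
        # The UUID comes from:  blkid -s UUID -o value /dev/<disk>1
        print(fstab_entry("<uuid-from-blkid>", f"/data{i}"))
```

Running it against the sample selects only sdc: sdd is skipped because it already carries an XFS file system, and sdb is skipped by name even though its partition is mounted, which is the point of the temporary-disk caveat.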

Network

The networking components include the following resources:

  • Virtual network. Every VM is deployed into a virtual network that can be segmented into multiple subnets.

  • Network interface (NIC). The NIC enables the VM to communicate with the virtual network. If you need multiple NICs for your VM, be aware that a maximum number of NICs is defined for each VM size.

  • Public IP address/VIP. A public IP address is needed to reach the VM from outside the virtual network; for a Linux VM that usually means SSH (remote desktop, RDP, is the Windows equivalent). The public IP address can be dynamic or static. The default is dynamic.

  • You can also create a fully qualified domain name (FQDN) for the IP address. You can then register a CNAME record in DNS that points to the FQDN. For more information, see Create a fully qualified domain name in the Azure portal.

  • Network security group (NSG). Network security groups are used to allow or deny network traffic to VMs. NSGs can be associated either with subnets or with individual VM instances (through the NIC).

All NSGs contain a set of default rules, including a rule that denies all inbound traffic that no other rule has allowed. The default rules cannot be deleted, but rules you add with a lower priority number are evaluated first and therefore override them. To enable Internet traffic, create rules that allow inbound traffic to specific ports; for example, port 80 for HTTP. To enable SSH, add an NSG rule that allows inbound traffic to TCP port 22, and restrict its source to the address ranges that actually need administrative access rather than leaving it open to any source.
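The evaluation order is what makes "the default rules cannot be deleted, but other rules can override them" work: rules are tried in ascending priority number and the first match decides. The following Python evaluator is an added example (not code from the original article and not Azure's implementation) that models that behaviour for inbound flows. The three default inbound rules and their priorities (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) are Azure's standard defaults; the virtual network address space, the admin range, the custom rules and the sample flows are constructed for illustration.

```python
"""First-match NSG inbound evaluation, simplified.

Added example; not part of the original article and not Azure's own
implementation. Service-tag ranges and custom rules are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # user rules 100..4096; Azure defaults sit at 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", or a service tag
    dest_port: str     # "22", "80-443" or "*"


# Azure's standard default inbound rules (cannot be removed from an NSG).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound",              65000, "Allow", "*", "VirtualNetwork",    "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound",                65500, "Deny",  "*", "*",                 "*"),
]

# Constructed: what the service tags resolve to for this particular VNet.
SERVICE_TAGS = {
    "VirtualNetwork":    [ipaddress.ip_network("10.0.0.0/16")],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
}

# Constructed custom rules: SSH only from an admin range, HTTP from anywhere.
CUSTOM_INBOUND = [
    Rule("AllowSSHFromAdmin", 1000, "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("AllowHTTP",         1100, "Allow", "Tcp", "*",              "80"),
]


def _src_matches(rule_src: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "Internet":   # everything outside the VNet
        return not any(ip in net for net in SERVICE_TAGS["VirtualNetwork"])
    if rule_src in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[rule_src])
    return ip in ipaddress.ip_network(rule_src, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: list[Rule], src_ip: str, protocol: str, dest_port: int) -> tuple[str, str]:
    """Return (decision, rule name) from the first rule, in priority order,
    that matches the flow. DenyAllInBound guarantees a match exists."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        if not _src_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    raise RuntimeError("no rule matched; the default Deny rule should always match")


if __name__ == "__main__":
    rules = DEFAULT_INBOUND + CUSTOM_INBOUND
    for src, proto, port in [("203.0.113.5", "Tcp", 22), ("198.51.100.7", "Tcp", 22),
                             ("198.51.100.7", "Tcp", 80), ("10.0.1.4", "Tcp", 3389)]:
        print(f"{src} {proto}/{port} -> {evaluate(rules, src, proto, port)}")
```

With only the default rules present, TCP/80 from the Internet hits DenyAllInBound; adding AllowHTTP at priority 1100 flips that decision without touching the default rule, and SSH from outside the admin range still falls through to the deny.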

Operations

SSH. Before you create a Linux VM, generate a 2048-bit (or larger) RSA public-private key pair, for example with ssh-keygen -t rsa -b 2048, and protect the private key with a passphrase. Use the public key file when you create the VM; the private key stays on your workstation. For more information, see How to Use SSH with Linux on Azure.
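Because the public key is the only credential the VM will accept for the admin user, it is worth checking that the key you pass to provisioning actually meets the 2048-bit RSA requirement rather than discovering a weak or wrong-type key afterwards. The following script is an added example (not code from the original article): it parses the OpenSSH public-key line format (RFC 4253 "ssh-rsa" blob: key type, then exponent and modulus as mpints) and reports the modulus size. The two keys it builds are constructed with synthetic moduli of the stated size, not real RSA key pairs, so it runs offline; on a real system you would pass the contents of ~/.ssh/id_rsa.pub.

```python
"""Check an OpenSSH ssh-rsa public key meets a minimum modulus size.

Added example; not part of the original article. Sample keys are synthetic.
"""
from __future__ import annotations

import base64
import struct

MIN_RSA_BITS = 2048


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Decode one RFC 4251 'string': 4-byte big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 'mpint'
    (a leading 0x00 is added when the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def make_ssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys-style line from a public exponent and modulus."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line


def rsa_bits(pubkey_line: str) -> int:
    """Modulus size in bits of an 'ssh-rsa AAAA...' line.
    Raises ValueError for other key types or a malformed blob."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match the prefix")
    _e, off = _read_string(blob, off)        # public exponent, not needed here
    n_bytes, off = _read_string(blob, off)   # modulus
    if off != len(blob):
        raise ValueError("trailing data in key blob")
    return int.from_bytes(n_bytes, "big").bit_length()


def acceptable_for_vm(pubkey_line: str) -> bool:
    """True if the key satisfies the 2048-bit RSA guidance; malformed or
    non-RSA keys are rejected rather than raising."""
    try:
        return rsa_bits(pubkey_line) >= MIN_RSA_BITS
    except ValueError:
        return False


# Constructed sample keys: synthetic odd moduli of the stated size, not real RSA.
WEAK_KEY = make_ssh_rsa_line(65537, (1 << 1023) | 0x1234567 | 1, "weak@example")
OK_KEY = make_ssh_rsa_line(65537, (1 << 2047) | 0x89ABCDEF | 1, "admin@example")

if __name__ == "__main__":
    for label, key in (("weak", WEAK_KEY), ("ok", OK_KEY)):
        print(f"{label}: {rsa_bits(key)} bits, acceptable={acceptable_for_vm(key)}")
```

The check deliberately rejects anything that is not an ssh-rsa key instead of guessing, so a key of another type is surfaced before provisioning rather than failing silently at VM creation.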

Diagnostics. Enable monitoring and diagnostics, including basic health metrics, diagnostics infrastructure logs, and boot diagnostics. Boot diagnostics can help you diagnose a boot failure if your VM gets into a non-bootable state. Create an Azure Storage account to store the logs. A standard locally redundant storage (LRS) account is sufficient for diagnostic logs. For more information, see Enable monitoring and diagnostics.

Availability. Your VM may be subject to a reboot due to planned maintenance as scheduled by the Azure Stack Hub operator. For higher availability, deploy multiple VMs in an availability set.

Backups. For recommendations on protecting your Azure Stack Hub IaaS VMs, see this article.

Stopping a VM. Azure makes a distinction between "stopped" and "deallocated" states. You are charged when the VM status is stopped, but not when the VM is deallocated. In the Azure Stack Hub portal, the Stop button deallocates the VM. If you shut down through the OS while logged in, the VM is stopped but not deallocated, so you will still be charged.

Deleting a VM. If you delete a VM, the VM disks are not deleted. That means you can safely delete the VM without losing data. However, you will still be charged for storage. To delete the VM disk, delete the managed disk object. To prevent accidental deletion, use a resource lock to lock the entire resource group or lock individual resources, such as a VM.

Security considerations

Onboard your VMs to Azure Security Center to get a central view of the security state of your Azure resources. Security Center monitors potential security issues and provides a comprehensive picture of the security health of your deployment. Security Center is configured per Azure subscription. Enable security data collection as described in Onboard your Azure subscription to Security Center Standard. When data collection is enabled, Security Center automatically scans any VMs created under that subscription.

Patch management. To configure patch management on your VM, see this article. If enabled, Security Center checks whether any security and critical updates are missing. On Linux guests, enable automatic updates with the distribution's own mechanism (for example, unattended-upgrades on Debian and Ubuntu, or dnf-automatic/yum-cron on Red Hat-based distributions); Group Policy settings apply only to Windows guests.

Antimalware. If enabled, Security Center checks whether antimalware software is installed. You can also use Security Center to install antimalware software from inside the Azure portal.

Access control. Use role-based access control (RBAC) to control access to Azure resources. RBAC lets you assign authorization roles to members of your DevOps team. For example, the Reader role can view Azure resources but not create, manage, or delete them. Some permissions are specific to an Azure resource type. For example, the Virtual Machine Contributor role can restart or deallocate a VM, reset the administrator password, create a new VM, and so on. Other built-in RBAC roles that may be useful for this architecture include DevTest Labs User and Network Contributor.

Note

RBAC does not limit the actions that a user logged in to a VM can perform. Those permissions are determined by the account type on the guest OS.

Audit logs. Use activity logs to see provisioning actions and other VM events.

Data encryption. Azure Stack Hub protects user and infrastructure data at the storage subsystem level using encryption at rest. Azure Stack Hub's storage subsystem is encrypted using BitLocker with 128-bit AES encryption. See this article for more details.

Next steps