Custom data and Cloud-Init on Azure Virtual Machines

You may need to inject a script or other metadata into an Azure virtual machine at provisioning time. In other clouds, this concept is often referred to as user data. In Azure, we have a similar feature called custom data.

Custom data is only made available to the VM during first boot/initial setup; we call this 'provisioning'. Provisioning is the process where VM Create parameters (for example, hostname, username, password, certificates, custom data, keys, etc.) are made available to the VM and a provisioning agent, such as the Linux Agent or cloud-init, processes them.

Passing custom data to the VM

To use custom data, you must base64 encode the contents before passing them to the API, unless you are using a CLI tool that does the conversion for you, such as AZ CLI. The size cannot exceed 64 KB.

In CLI, you can pass your custom data as a file, and it will be converted to base64.

az vm create \
  --resource-group myResourceGroup \
  --name centos74 \
  --image OpenLogic:CentOS-CI:7-CI:latest \
  --custom-data cloud-init.txt \
  --generate-ssh-keys
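As an added example (not from the original page and not Azure's own tooling), the Python script below does by hand what az CLI and the ARM base64() function do for you: it takes a constructed cloud-config, enforces the 64 KB limit, base64-encodes it for the API, and decodes it back the way the Linux Agent exposes it under /var/lib/waagent/CustomData, so you can verify that what landed on the VM is exactly what you submitted. The webhook URL, applying the 64 KB limit to the raw bytes, and the simplified first-line format detection are this example's assumptions.

```python
import base64
import hashlib

# Upper bound for custom data as documented for Azure (64 KB). Applying it to
# the raw contents before base64 encoding is this example's assumption.
MAX_CUSTOM_DATA_BYTES = 64 * 1024

# Constructed sample custom data in cloud-config format. The webhook URL is a
# placeholder. The runcmd step reports the bootstrap script's exit status
# itself, because a failing custom-data script is not a fatal provisioning
# failure and neither agent will alert you about it.
SAMPLE_CLOUD_CONFIG = """#cloud-config
write_files:
  - path: /usr/local/sbin/bootstrap.sh
    permissions: '0750'
    content: |
      #!/bin/sh
      set -eu
      echo "bootstrap work goes here"
runcmd:
  - |
    if /usr/local/sbin/bootstrap.sh >/var/log/bootstrap.log 2>&1; then status=success; else status=failure; fi
    curl -fsS -X POST -d "host=$(hostname)&status=$status" https://example.invalid/provisioning-hook
"""


def fits_size_limit(raw: bytes) -> bool:
    """True when the raw contents are within the 64 KB custom data limit."""
    return len(raw) <= MAX_CUSTOM_DATA_BYTES


def prepare_custom_data(raw: bytes) -> str:
    """Return the base64 string the API expects (what az CLI and ARM base64() produce for you)."""
    if not fits_size_limit(raw):
        raise ValueError(f"custom data is {len(raw)} bytes; limit is {MAX_CUSTOM_DATA_BYTES}")
    return base64.b64encode(raw).decode("ascii")


def decode_custom_data(encoded: str) -> bytes:
    """Reverse the encoding, as an agent does with the copy in /var/lib/waagent/CustomData."""
    return base64.b64decode(encoded, validate=True)


def custom_data_kind(raw: bytes) -> str:
    """Classify by the first line; a simplified stand-in for cloud-init's format detection (assumption)."""
    first_line = raw.split(b"\n", 1)[0].strip()
    if first_line == b"#cloud-config":
        return "cloud-config"
    if first_line.startswith(b"#!"):
        return "script"
    return "unknown"


def matches_submitted(encoded_on_vm: str, submitted: bytes) -> bool:
    """Compare what landed on the VM with what was submitted, via SHA-256 of the decoded bytes."""
    landed = hashlib.sha256(decode_custom_data(encoded_on_vm)).hexdigest()
    return landed == hashlib.sha256(submitted).hexdigest()


if __name__ == "__main__":
    raw = SAMPLE_CLOUD_CONFIG.encode("utf-8")
    encoded = prepare_custom_data(raw)
    print(f"format: {custom_data_kind(raw)}, {len(raw)} raw bytes -> {len(encoded)} base64 chars")
    print("round trip ok:", matches_submitted(encoded, raw))
    try:
        # Constructed oversize input: well past 64 KB, so it must be rejected before any API call.
        prepare_custom_data(b"#!/bin/sh\n" + b"# padding\n" * 7000)
    except ValueError as err:
        print("rejected:", err)
```

On a provisioned Linux VM you can feed the contents of /var/lib/waagent/CustomData to matches_submitted together with the bytes you originally passed to az vm create; a mismatch means the data was altered or truncated somewhere between your deployment pipeline and the agent.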

In Azure Resource Manager (ARM), there is a base64 function.

"name": "[parameters('virtualMachineName')]",
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2019-07-01",
"location": "[parameters('location')]",
"dependsOn": [
    ..
],
"variables": {
    "customDataBase64": "[base64(parameters('stringData'))]"
},
"properties": {
    ..
    "osProfile": {
        "computerName": "[parameters('virtualMachineName')]",
        "adminUsername": "[parameters('adminUsername')]",
        "adminPassword": "[parameters('adminPassword')]",
        "customData": "[variables('customDataBase64')]"
    },

Processing custom data

The provisioning agents installed on the VMs handle interfacing with the platform and placing the custom data on the file system.

Windows

Custom data is placed in %SYSTEMDRIVE%\AzureData\CustomData.bin as a binary file, but it is not processed. If you wish to process this file, you will need to build a custom image and write code to process CustomData.bin.

Linux

On Linux OS's, custom data is passed to the VM via the ovf-env.xml file, which is copied to the /var/lib/waagent directory during provisioning. Newer versions of the Microsoft Azure Linux Agent will also copy the base64-encoded data to /var/lib/waagent/CustomData for convenience.

Azure currently supports two provisioning agents:

  • Linux Agent - By default the agent will not process custom data; you will need to build a custom image with it enabled. The relevant settings, as per the documentation, are:
    • Provisioning.DecodeCustomData
    • Provisioning.ExecuteCustomData

When you enable custom data and execute a script, the VM will delay reporting that it is ready or that provisioning has succeeded until the script has completed. If the script exceeds the total VM provisioning time allowance of 40 minutes, the VM Create will fail. Note that if the script fails to execute, or errors during execution, it is not deemed a fatal provisioning failure; you will need to create a notification path to alert you of the completion state of the script.

To troubleshoot custom data execution, review /var/log/waagent.log.

  • cloud-init - Processes custom data by default. cloud-init accepts multiple formats of custom data, such as cloud-init configuration, scripts, etc. As with the Linux Agent, if there are errors during execution of the configuration processing or scripts when cloud-init processes the custom data, it is not deemed a fatal provisioning failure, and you will need to create a notification path to alert you of the completion state of the script. However, unlike the Linux Agent, cloud-init does not wait for user custom data configurations to complete before reporting to the platform that the VM is ready. For more information on cloud-init on Azure, review the documentation.

To troubleshoot custom data execution, review the troubleshooting documentation.

FAQ

Can I update custom data after the VM has been created?

For single VMs, custom data in the VM model cannot be updated, but for VMSS you can update VMSS custom data via the REST API (not applicable to PowerShell or AZ CLI clients). When you update custom data in the VMSS model:

  • Existing instances in the VMSS will not get the updated custom data until they are reimaged.
  • Existing instances in the VMSS that are upgraded will not get the updated custom data.
  • New instances will receive the new custom data.

Can I place sensitive values in custom data?

We advise not to store sensitive data in custom data. For more information, see Azure Security and encryption best practices.

Is custom data made available in IMDS?

No, this feature is not currently available.