Disable or remove the Linux Agent from VMs and images

Before removing the Linux Agent, you must understand what the VM will not be able to do after the Linux Agent is removed.

Azure virtual machine (VM) extensions are small applications that provide post-deployment configuration and automation tasks on Azure VMs. Extensions are installed and managed by the Azure control plane. It is the job of the Azure Linux Agent to process the platform extension commands and ensure the correct state of the extension inside the VM.

The Azure platform hosts many extensions, ranging from VM configuration and monitoring to security and utility applications. There is a large choice of first-party and third-party extensions. Examples of key scenarios that extensions are used for:

  • Supporting first-party Azure services, such as Azure Backup, Monitoring, Disk Encryption, Security, Site Replication and others.
  • SSH / password resets.
  • VM configuration - running custom scripts, installing Chef or Puppet agents, and so on.
  • Third-party products, such as AV products, VM vulnerability tools, and VM and app monitoring tooling.
  • Extensions can be bundled with a new VM deployment. For example, they can be part of a larger deployment, configuring applications on VM provision, or run against any supported extension operating systems post deployment.

Disabling extension processing

There are several ways to disable extension processing, depending on your needs. Before you continue, you MUST remove all extensions deployed to the VM. For example, using the Azure CLI, you can list and delete them:

az vm extension list -g MyResourceGroup --vm-name MyVm
az vm extension delete -g MyResourceGroup --vm-name MyVm -n extension_name

Note

If you do not do the above, the platform will try to send the extension configuration and time out after 40 minutes.

Disable at the control plane

If you are not sure whether you will need extensions in the future, you can leave the Linux Agent installed on the VM and disable the extension processing capability from the platform. This option is available in Microsoft.Compute API version 2018-06-01 or higher, and does not depend on the Linux Agent version installed.

az vm update -g <resourceGroup> -n <vmName> --set osProfile.allowExtensionOperations=false

You can easily re-enable extension processing from the platform with the above command, setting the value to 'true'.

Remove the Linux Agent from a running VM

Ensure you have first removed all existing extensions from the VM, as described above.

Step 1: Remove the Azure Linux Agent

If you remove only the Linux Agent, and not the associated configuration artifacts, you can reinstall it at a later date. Run one of the following, as root, to remove the Azure Linux Agent:

For Ubuntu >= 18.04

apt -y remove walinuxagent

For CentOS >= 7.7

yum -y remove WALinuxAgent

For SUSE

zypper --non-interactive remove python-azure-agent

Step 2: (Optional) Remove the Azure Linux Agent artifacts

Important

You can remove all associated artifacts of the Linux Agent, but this means you cannot reinstall it at a later date. Therefore, it is strongly recommended that you consider disabling the Linux Agent first, and removing the Linux Agent using only the step above.

If you know you will never reinstall the Linux Agent, you can run the following:

For Ubuntu >= 18.04

apt -y purge walinuxagent
rm -rf /var/lib/waagent
rm -f /var/log/waagent.log

For CentOS >= 7.7

yum -y remove WALinuxAgent
rm -f /etc/waagent.conf.rpmsave
rm -rf /var/lib/waagent
rm -f /var/log/waagent.log

For SUSE

zypper --non-interactive remove python-azure-agent
rm -f /etc/waagent.conf.rpmsave
rm -rf /var/lib/waagent
rm -f /var/log/waagent.log

Preparing an image without the Linux Agent

If you have an image that already contains cloud-init, and you want to remove the Linux Agent but still provision using cloud-init, run the steps in Step 2 (and optionally Step 3) as root to remove the Azure Linux Agent. The following command then removes the cloud-init configuration and cached data, and prepares the VM for creating a custom image.

cloud-init clean --logs --seed 

Deprovision and create an image

The Linux Agent can clean up some of the existing image metadata with the step "waagent -deprovision+user". However, after the agent has been removed, you need to perform actions such as those below yourself, and remove any other sensitive data from the image.

  • Remove all existing ssh host keys

    rm /etc/ssh/ssh_host_*key*
    
  • Delete the admin account

    touch /var/run/utmp
    userdel -f -r <admin_user_account>
    
  • Delete the root password

    passwd -d root
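
A pre-capture audit for the clean-up steps above, as an added example that is not part of the original article: it checks a filesystem root for leftover SSH host keys, Linux Agent artifacts, the admin account, and a root password hash. The function name `audit_image_root` and its two arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article. audit_image_root and its
# arguments are hypothetical names chosen for this illustration.
# Usage: audit_image_root <root_dir> <admin_user>
# Prints one line per finding; the return status is the number of findings.
audit_image_root() {
    root=${1%/}   # "/" becomes "", so the paths below stay absolute
    admin=$2
    findings=0

    # SSH host keys (same glob as the rm step): cloned keys would be shared
    # by every VM created from the image.
    for f in "$root"/etc/ssh/ssh_host_*key*; do
        [ -e "$f" ] || continue
        echo "FINDING: ssh host key present: $f"
        findings=$((findings + 1))
    done

    # Linux Agent artifacts listed in Step 2.
    for p in /var/lib/waagent /var/log/waagent.log /etc/waagent.conf.rpmsave; do
        if [ -e "$root$p" ]; then
            echo "FINDING: agent artifact present: $root$p"
            findings=$((findings + 1))
        fi
    done

    # The admin account should be gone after userdel -f -r.
    if awk -F: -v u="$admin" '$1 == u { hit = 1 } END { exit !hit }' \
        "$root/etc/passwd" 2>/dev/null; then
        echo "FINDING: account still exists: $admin"
        findings=$((findings + 1))
    fi

    # After 'passwd -d root' the second shadow field is empty; a value that
    # starts with '$' is a password hash that would ship in the image.
    root_pw=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow" 2>/dev/null || true)
    case $root_pw in
        '$'*)
            echo "FINDING: root password hash present in shadow"
            findings=$((findings + 1))
            ;;
    esac

    return "$findings"
}
```

Run it as root on the VM being prepared, for example `audit_image_root / <admin_user_account>`, and capture the image only when it returns 0.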
    

Once you have completed the above, you can create the custom image using the Azure CLI.

Create a regular managed image

az vm deallocate -g <resource_group> -n <vm_name>
az vm generalize -g <resource_group> -n <vm_name>
az image create -g <resource_group> -n <image_name> --source <vm_name>

Create an image version in a Shared Image Gallery

az sig image-version create \
    -g $sigResourceGroup \
    --gallery-name $sigName \
    --gallery-image-definition $imageDefName \
    --gallery-image-version 1.0.0 \
    --managed-image /subscriptions/00000000-0000-0000-0000-00000000xxxx/resourceGroups/imageGroups/providers/Microsoft.Compute/images/MyManagedImage

Creating a VM from an image that does not contain a Linux Agent

When you create a VM from an image with no Linux Agent, you need to ensure that the VM deployment configuration indicates extensions are not supported on this VM.

Note

If you do not do the above, the platform will try to send the extension configuration and time out after 40 minutes.

To deploy the VM with extensions disabled, you can use the Azure CLI with --enable-agent false.

az vm create \
    --resource-group $resourceGroup \
    --name $prodVmName \
    --image OpenLogic:CentOS:7.7:latest \
    --admin-username azadmin \
    --ssh-key-value "$sshPubkeyPath" \
    --enable-agent false

Alternatively, you can do this using Azure Resource Manager (ARM) templates, by setting "provisionVMAgent": false.

"osProfile": {
    "computerName": "[parameters('virtualMachineName')]",
    "adminUsername": "[parameters('adminUsername')]",
    "linuxConfiguration": {
        "disablePasswordAuthentication": "true",
        "provisionVMAgent": false,
        "ssh": {
            "publicKeys": [
                {
                    "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
                    "keyData": "[parameters('adminPublicKey')]"
                }
            ]
        }
    }
}

Next steps

For more information, see Provisioning Linux.