Azure Disk Encryption for Linux VMs troubleshooting guide

This guide is for IT professionals, information security analysts, and cloud administrators whose organizations use Azure Disk Encryption. This article is to help with troubleshooting disk-encryption-related problems.

Before taking any of the steps below, first ensure that the VMs you are attempting to encrypt are among the supported VM sizes and operating systems, and that you have met all the prerequisites:

Troubleshooting Linux OS disk encryption

Linux operating system (OS) disk encryption must unmount the OS drive before running it through the full disk encryption process. If it can't unmount the drive, an error message of "failed to unmount after …" is likely to occur.

This error can occur when OS disk encryption is attempted on a VM with an environment that has been changed from the supported stock gallery image. Deviations from the supported image can interfere with the extension's ability to unmount the OS drive. Examples of deviations include the following:

  • Customized images no longer match a supported file system or partitioning scheme.
  • Large applications such as SAP, MongoDB, Apache Cassandra, and Docker aren't supported when they're installed and running in the OS before encryption. Azure Disk Encryption is unable to shut down these processes safely, as is required when preparing the OS drive for disk encryption. If active processes still hold open file handles on the OS drive, the OS drive can't be unmounted, and encryption of the OS drive fails.
  • Custom scripts that run in close time proximity to encryption being enabled, or any other changes made on the VM during the encryption process. This conflict can happen when an Azure Resource Manager template defines multiple extensions to execute simultaneously, or when a custom script extension or other action runs at the same time as disk encryption. Serializing and isolating such steps might resolve the issue.
  • Security Enhanced Linux (SELinux) hasn't been disabled before enabling encryption, so the unmount step fails. SELinux can be re-enabled after encryption is complete.
  • The OS disk uses a Logical Volume Manager (LVM) scheme. Although limited LVM data disk support is available, an LVM OS disk isn't supported.
  • Minimum memory requirements aren't met (7 GB is suggested for OS disk encryption).
  • Data drives are recursively mounted under the /mnt/ directory, or under each other (for example, /mnt/data1, /mnt/data2, /data3 + /data3/data4).

Update the default kernel for Ubuntu 14.04 LTS

The Ubuntu 14.04 LTS image ships with a default kernel version of 4.4. This kernel version has a known issue in which the Out of Memory Killer improperly terminates the dd command during the OS encryption process. This bug has been fixed in the most recent Azure tuned Linux kernel. To avoid this error, update to the Azure tuned kernel 4.15 or later using the following commands before enabling encryption on the image:

sudo apt-get update
sudo apt-get install linux-azure
sudo reboot

After the VM has restarted into the new kernel, confirm the new kernel version using:

uname -a
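The deviation list above and the kernel note are both things an operator can check before enabling encryption rather than discover from a "failed to unmount" error hours later. The script below is an added example, not part of the Azure Disk Encryption extension or of the Azure documentation: each deviation (kernel older than 4.15, less than 7 GB of memory, an LVM root volume, SELinux not disabled, nested data mounts) becomes a small pure function that takes its input as an argument or on stdin, so it can be exercised with constructed data, and a live run at the bottom feeds it real output from `uname`, `/proc/meminfo`, `findmnt` and `getenforce` only when `ADE_PRECHECK=live` is set. The 4.15 kernel floor and the 7 GB figure are taken from this guide; applying the kernel check to distributions other than Ubuntu 14.04 is this example's generalization.

```shell
#!/usr/bin/env bash
# Added example (not the Azure Disk Encryption extension's own code):
# pre-encryption readiness checks for a Linux VM, one per deviation this guide
# lists. Pure functions take constructed input; the live run is opt-in.

# kernel_at_least "<uname -r>" MAJOR MINOR -> exit 0 when the kernel is >= MAJOR.MINOR
# (the guide asks for the Azure tuned kernel 4.15 or later on Ubuntu 14.04 LTS).
kernel_at_least() {
    local rel=$1 want_major=$2 want_minor=$3 major minor
    major=${rel%%.*}                            # "4.15.0-1045-azure" -> "4"
    minor=${rel#*.}; minor=${minor%%[!0-9]*}    # -> "15"
    if [ "$major" -gt "$want_major" ]; then return 0; fi
    if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# memtotal_gb "<contents of /proc/meminfo>" -> prints MemTotal in whole GiB
memtotal_gb() {
    printf '%s\n' "$1" | awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 }'
}

# mem_ok "<contents of /proc/meminfo>" -> exit 0 when at least the suggested 7 GB is present
mem_ok() {
    [ "$(memtotal_gb "$1")" -ge 7 ]
}

# nested_mounts reads mount points (one per line, e.g. `findmnt -rn -o TARGET`) on
# stdin and prints each one that sits underneath another non-root mount: the
# "/mnt/data1, /data3 + /data3/data4" pattern the guide warns about.
nested_mounts() {
    awk '{ mp[NR] = $0 }
         END {
             for (i = 1; i <= NR; i++)
                 for (j = 1; j <= NR; j++) {
                     if (i == j || mp[j] == "/") continue
                     if (index(mp[i], mp[j] "/") == 1) { print mp[i]; break }
                 }
         }'
}

# os_disk_is_lvm "<findmnt -no SOURCE />" -> exit 0 when the root file system is on a
# device-mapper volume (how LVM logical volumes appear); LVM OS disks are unsupported.
os_disk_is_lvm() {
    case $1 in
        /dev/mapper/*|/dev/dm-*) return 0 ;;
    esac
    return 1
}

# selinux_blocks_unmount "<getenforce output>" -> exit 0 unless SELinux is Disabled
selinux_blocks_unmount() {
    [ "$1" != "Disabled" ]
}

# Live run: gather real inputs, print every problem, and return the problem count
# so the script can gate an automation pipeline (0 = ready to encrypt).
run_live_checks() {
    local problems=0 rel meminfo root_src enforce nested
    rel=$(uname -r)
    kernel_at_least "$rel" 4 15 ||
        { echo "WARN kernel $rel is older than 4.15 (Ubuntu 14.04: apt-get install linux-azure)"; problems=$((problems + 1)); }
    meminfo=$(cat /proc/meminfo)
    mem_ok "$meminfo" ||
        { echo "WARN MemTotal $(memtotal_gb "$meminfo") GB is below the suggested 7 GB"; problems=$((problems + 1)); }
    root_src=$(findmnt -no SOURCE / 2>/dev/null)
    os_disk_is_lvm "$root_src" &&
        { echo "FAIL OS disk is on LVM ($root_src); LVM OS disks are not supported"; problems=$((problems + 1)); }
    enforce=$(getenforce 2>/dev/null || echo Disabled)   # no getenforce binary -> no SELinux
    selinux_blocks_unmount "$enforce" &&
        { echo "WARN SELinux is $enforce; disable it before enabling encryption"; problems=$((problems + 1)); }
    nested=$(findmnt -rn -o TARGET 2>/dev/null | nested_mounts)
    [ -z "$nested" ] ||
        { echo "FAIL nested data mounts:"; echo "$nested"; problems=$((problems + 1)); }
    return "$problems"
}

if [ "${ADE_PRECHECK:-}" = live ]; then
    run_live_checks
fi
```

Run it on the VM with `ADE_PRECHECK=live bash ade-precheck.sh` before enabling the extension; a non-zero exit means at least one listed deviation is present. The application-related deviation (SAP, MongoDB, Cassandra, Docker holding file handles) is deliberately not automated here, since which processes are "large applications" is a judgement call; `lsof /` on the VM shows what currently holds the root file system open.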

Update the Azure Virtual Machine Agent and extension versions

Azure Disk Encryption operations may fail on virtual machine images using unsupported versions of the Azure Virtual Machine Agent. Linux images with agent versions earlier than 2.2.38 should be updated prior to enabling encryption. For more information, see How to update the Azure Linux Agent on a VM and Minimum version support for virtual machine agents in Azure.

The correct version of the Microsoft.Azure.Security.AzureDiskEncryption or Microsoft.Azure.Security.AzureDiskEncryptionForLinux guest agent extension is also required. Extension versions are maintained and updated automatically by the platform when the Azure Virtual Machine agent prerequisites are satisfied and a supported version of the virtual machine agent is used.

The Microsoft.OSTCExtensions.AzureDiskEncryptionForLinux extension has been deprecated and is no longer supported.

Unable to encrypt Linux disks

In some cases, Linux disk encryption appears to be stuck at "OS disk encryption started" and SSH is disabled. The encryption process can take between 3 and 16 hours to finish on a stock gallery image. If multi-terabyte data disks are added, the process might take days.

The Linux OS disk encryption sequence unmounts the OS drive temporarily. It then performs block-by-block encryption of the entire OS disk before remounting it in its encrypted state. Linux Disk Encryption doesn't allow concurrent use of the VM while encryption is in progress. The performance characteristics of the VM can make a significant difference in the time required to complete encryption. These characteristics include the size of the disk and whether the storage account is standard or premium (SSD) storage.

While the OS drive is being encrypted, the VM enters a servicing state and disables SSH to prevent any disruption to the ongoing process. To check the encryption status, use the Azure PowerShell Get-AzVMDiskEncryptionStatus command and check the ProgressMessage field. ProgressMessage reports a series of statuses as the data and OS disks are encrypted:

PS > Get-AzVMDiskEncryptionStatus -ResourceGroupName "MyResourceGroup" -VMName "myVM"

OsVolumeEncrypted          : EncryptionInProgress
DataVolumesEncrypted       : EncryptionInProgress
OsVolumeEncryptionSettings :
ProgressMessage            : Transitioning

PS > Get-AzVMDiskEncryptionStatus -ResourceGroupName "MyResourceGroup" -VMName "myVM"

OsVolumeEncrypted          : EncryptionInProgress
DataVolumesEncrypted       : EncryptionInProgress
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : Encryption succeeded for data volumes

PS > Get-AzVMDiskEncryptionStatus -ResourceGroupName "MyResourceGroup" -VMName "myVM"

OsVolumeEncrypted          : EncryptionInProgress
DataVolumesEncrypted       : EncryptionInProgress
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : Provisioning succeeded

PS > Get-AzVMDiskEncryptionStatus -ResourceGroupName "MyResourceGroup" -VMName "myVM"

OsVolumeEncrypted          : EncryptionInProgress
DataVolumesEncrypted       : EncryptionInProgress
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : OS disk encryption started

ProgressMessage remains at "OS disk encryption started" for most of the encryption process. When encryption completes successfully, ProgressMessage returns:

PS > Get-AzVMDiskEncryptionStatus -ResourceGroupName "MyResourceGroup" -VMName "myVM"

OsVolumeEncrypted          : Encrypted
DataVolumesEncrypted       : NotMounted
OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings
ProgressMessage            : Encryption succeeded for all volumes

After this message is available, the encrypted OS drive is expected to be ready for use and the VM is ready to be used again.

If the boot information, the progress message, or an error reports that OS encryption has failed in the middle of this process, restore the VM to the snapshot or backup taken immediately before encryption. One example of such a message is the "failed to unmount" error described in this guide.

Before reattempting encryption, re-evaluate the characteristics of the VM and make sure that all of the prerequisites are satisfied.

Troubleshooting Azure Disk Encryption behind a firewall

See Disk Encryption on an isolated network

Troubleshooting encryption status

The portal may display a disk as encrypted even after it has been decrypted within the VM. This can occur when low-level commands are used to decrypt the disk directly from within the VM, instead of using the higher-level Azure Disk Encryption management commands. The higher-level commands not only decrypt the disk from within the VM; outside of the VM they also update important platform-level encryption settings and extension settings associated with the VM. If these are not kept in alignment, the platform will not be able to report encryption status or provision the VM properly.

To disable Azure Disk Encryption with PowerShell, use Disable-AzVMDiskEncryption followed by Remove-AzVMDiskEncryptionExtension. Running Remove-AzVMDiskEncryptionExtension before encryption is disabled will fail.

To disable Azure Disk Encryption with the CLI, use az vm encryption disable.

Next steps

In this document, you learned about some common problems in Azure Disk Encryption and how to troubleshoot them. For more information about this service and its capabilities, see the following articles:
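Because SSH is disabled for the whole OS-encryption window, the platform status above is the only signal an operator has, and the status sequence shown (Transitioning, Encryption succeeded for data volumes, Provisioning succeeded, OS disk encryption started, then Encryption succeeded for all volumes) is worth encoding rather than eyeballing for 3 to 16 hours. The script below is an added example, not Azure tooling: `status_field` pulls a field out of text in the exact `Name : value` shape printed above (pasted from Azure PowerShell), `ade_phase` turns the OsVolumeEncrypted/ProgressMessage pair into running, done or attention, and `wait_for_encryption` polls the live status with a 16-hour deadline drawn from this guide. The polling loop assumes the Azure CLI command `az vm encryption show` and that its `osDisk` and `progressMessage` output fields carry the same values as the PowerShell OsVolumeEncrypted and ProgressMessage fields; it only runs when the `ADE_RG` and `ADE_VM` environment variables (names chosen for this example) are set.

```shell
#!/usr/bin/env bash
# Added example (not Azure's own tooling): classify the ProgressMessage /
# OsVolumeEncrypted pair this guide documents and poll it to completion.

# status_field "<Get-AzVMDiskEncryptionStatus text>" Name -> prints the value after
# "Name :" (empty when the field is blank, as OsVolumeEncryptionSettings is at first)
status_field() {
    printf '%s\n' "$1" |
        awk -v key="$2" -F' *: *' '$1 == key { v = $0; sub(/^[^:]*: */, "", v); print v; exit }'
}

# ade_phase OsVolumeEncrypted ProgressMessage -> running | done | attention
# "done" is keyed on the final message the guide shows; "running" covers every
# intermediate message while the OS volume reports EncryptionInProgress; anything
# else (for example a "failed to unmount after ..." message) needs a human, who
# should restore the pre-encryption snapshot and re-check the prerequisites.
ade_phase() {
    case $2 in
        "Encryption succeeded for all volumes") echo done; return 0 ;;
    esac
    case $1 in
        EncryptionInProgress) echo running ;;
        *)                    echo attention ;;
    esac
}

# wait_for_encryption RG VM [interval_seconds] -> 0 done, 1 attention, 2 deadline, 3 CLI error
wait_for_encryption() {
    local rg=$1 vm=$2 interval=${3:-300} line os msg phase deadline
    deadline=$(( $(date +%s) + 16 * 3600 ))   # upper end of the guide's 3-16 hour window
    while :; do
        # Assumed CLI output shape: one line "osDisk<TAB>progressMessage"
        line=$(az vm encryption show -g "$rg" -n "$vm" \
                   --query '[osDisk, progressMessage]' -o tsv) || return 3
        os=${line%%[[:space:]]*}     # first token: the OS volume state
        msg=${line#*[[:space:]]}     # remainder: the progress message
        phase=$(ade_phase "$os" "$msg")
        printf '%s %-22s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$os" "$msg"
        case $phase in
            done)      return 0 ;;
            attention) return 1 ;;
        esac
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "deadline passed while still '$msg'; restore the pre-encryption snapshot and re-check prerequisites"
            return 2
        fi
        sleep "$interval"
    done
}

if [ -n "${ADE_RG:-}" ] && [ -n "${ADE_VM:-}" ]; then
    wait_for_encryption "$ADE_RG" "$ADE_VM"
fi
```

The default five-minute interval is deliberately coarse: the status only changes a handful of times over the whole run, and the log line per poll gives a timestamped record of when each transition happened, which is the evidence you want when a run has to be compared against the 3 to 16 hour expectation or escalated.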