Update Linux templates for disk encryption GA #2526
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
| # Deployment of RHEL 7.2 with full disk encryption | ||
|
|
||
| <a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.luolix.top%2Fkrkhan%2Fazure-quickstart-templates%2Fcnedemo%2F101-vm-full-disk-encrypted-rhel%2Fazuredeploy.json" target="_blank"> | ||
| <img src="http://azuredeploy.net/deploybutton.png"/> | ||
| </a> | ||
| <a href="http://armviz.io/#/?load=https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.luolix.top%2Fkrkhan%2Fazure-quickstart-templates%2Fcnedemo%2F101-vm-full-disk-encrypted-rhel%2Fazuredeploy.json" target="_blank"> | ||
| <img src="http://armviz.io/visualizebutton.png"/> | ||
| </a> | ||
|
|
||
| This template creates a fully-encrypted RHEL 7.2 VM in Azure. The VM consists of: | ||
|
|
||
| - 30 GB encrypted OS drive. | ||
| - A 200 GB RAID-0 array mounted at `/mnt/raidencrypted`. | ||
|
|
||
| ## Prerequisites: | ||
|
|
||
| Azure Disk Encryption securely stores the encryption secrets in a specified Azure Key Vault. You will need client ID and client secret of an AAD application to enable key vault authentication. | ||
|
|
||
| The [AzureDiskEncryptionPreRequisiteSetup.ps1](https://github.com/Azure/azure-powershell/blob/dev/src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/Scripts/AzureDiskEncryptionPreRequisiteSetup.ps1) script can be used to create the Key Vault and assign appropriate access policies. | ||
|
|
||
| ## Monitoring progress | ||
|
|
||
| It will take roughly one hour to encrypt the OS drive. You can monitor the encryption progress by calling `Get-AzureRmVmDiskEncryptionStatus` PowerShell cmdlet as shown below. | ||
|
|
||
| C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName | ||
| -ExtensionName $ExtensionName | ||
|
|
||
| OsVolumeEncrypted : EncryptionInProgress | ||
| DataVolumesEncrypted : EncryptionInProgress | ||
| OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings | ||
| ProgressMessage : OS disk encryption started | ||
|
|
||
| Once the cmdlet shows the message `VMRestartPending`, like the one show below, reboot the VM. | ||
|
|
||
| C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName | ||
| -ExtensionName $ExtensionName | ||
|
|
||
| OsVolumeEncrypted : VMRestartPending | ||
| DataVolumesEncrypted : Encrypted | ||
| OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings | ||
| ProgressMessage : OS disk successfully encrypted, please reboot the VM | ||
|
|
||
| After you reboot the VM, this will be the final layout: | ||
|
|
||
| # lsblk | ||
| NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | ||
| fd0 2:0 1 4K 0 disk | ||
| sda 8:0 0 30G 0 disk | ||
| ├─sda1 8:1 0 500M 0 part | ||
| └─sda2 8:2 0 29.5G 0 part | ||
| └─osencrypt 253:0 0 29.5G 0 crypt / | ||
| sdb 8:16 0 14G 0 disk | ||
| └─sdb1 8:17 0 14G 0 part /mnt/resource | ||
| sdc 8:32 0 48M 0 disk | ||
| └─sdc1 8:33 0 47M 0 part | ||
| sdd 8:48 0 100G 0 disk | ||
| └─md0 9:0 0 199.9G 0 raid0 | ||
| └─a717a295-61e2-4de9-9b27-689f3f6d5831 253:1 0 199.9G 0 crypt /mnt/encryptedraid | ||
| sde 8:64 0 100G 0 disk | ||
| └─md0 9:0 0 199.9G 0 raid0 | ||
| └─a717a295-61e2-4de9-9b27-689f3f6d5831 253:1 0 199.9G 0 crypt /mnt/encryptedraid | ||
|
|
||
| `/` will be mounted mounted from a AES-256 bit encrypted drive: | ||
|
|
||
| # cryptsetup status osencrypt | ||
| /dev/mapper/osencrypt is active and is in use. | ||
| type: n/a | ||
| cipher: aes-xts-plain64 | ||
| keysize: 256 bits | ||
| device: /dev/sda2 | ||
| offset: 0 sectors | ||
| size: 61888512 sectors | ||
| mode: read/write | ||
|
|
||
| While `/mnt/encryptedraid` will point to the 200 GB RAID array: | ||
|
|
||
| # df -h | ||
| Filesystem Size Used Avail Use% Mounted on | ||
| /dev/mapper/osencrypt 30G 1.8G 28G 6% / | ||
| devtmpfs 3.4G 0 3.4G 0% /dev | ||
| tmpfs 3.5G 0 3.5G 0% /dev/shm | ||
| tmpfs 3.5G 8.3M 3.4G 1% /run | ||
| tmpfs 3.5G 0 3.5G 0% /sys/fs/cgroup | ||
| /dev/sdb1 14G 2.1G 11G 16% /mnt/resource | ||
| tmpfs 697M 0 697M 0% /run/user/1000 | ||
| /dev/dm-1 197G 61M 187G 1% /mnt/encryptedraid | ||
|
|
||
| If you run the `Get-AzureRmVmDiskEncryptionStatus` cmdlet again, you will see updated encryption status: | ||
|
|
||
| C:\> Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName | ||
| -ExtensionName $ExtensionName | ||
|
|
||
| OsVolumeEncrypted : Encrypted | ||
| DataVolumesEncrypted : Encrypted | ||
| OsVolumeEncryptionSettings : Microsoft.Azure.Management.Compute.Models.DiskEncryptionSettings | ||
| ProgressMessage : [KeyVault URL of LUKS passphrase secret] | ||
|
|
||
| ## References: | ||
|
|
||
| - [White paper](https://azure.microsoft.com/en-us/documentation/articles/azure-security-disk-encryption/) | ||
| - [Explore Azure Disk Encryption with Azure Powershell](https://blogs.msdn.microsoft.com/azuresecurity/2015/11/16/explore-azure-disk-encryption-with-azure-powershell/) | ||
| - [Explore Azure Disk Encryption with Azure PowerShell – Part 2](http://blogs.msdn.com/b/azuresecurity/archive/2015/11/21/explore-azure-disk-encryption-with-azure-powershell-part-2.aspx) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,162 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "parameters": { | ||
| "adminUsername": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "User name for the Virtual Machine." | ||
| } | ||
| }, | ||
| "adminPassword": { | ||
| "type": "securestring", | ||
| "metadata": { | ||
| "description": "Password for the Virtual Machine." | ||
| } | ||
| }, | ||
| "aadClientID": { | ||
| "metadata": { | ||
| "description": "Client ID of AAD app which has permissions to KeyVault" | ||
| }, | ||
| "type": "string" | ||
| }, | ||
| "aadClientSecret": { | ||
| "metadata": { | ||
| "description": "Client Secret of AAD app which has permissions to KeyVault" | ||
| }, | ||
| "type": "securestring" | ||
| }, | ||
| "keyVaultName": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "Name of the KeyVault to place the volume encryption key" | ||
| } | ||
| }, | ||
| "keyVaultResourceGroup": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "Resource group of the KeyVault" | ||
| } | ||
| }, | ||
| "vmName": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "Name of the VM that will be created" | ||
| } | ||
| }, | ||
| "_artifactsLocation": { | ||
| "type": "string", | ||
| "defaultValue": "https://raw.githubusercontent.com/krkhan/azure-quickstart-templates/cnedemo", | ||
| "metadata": { | ||
| "description": "The base URI where artifacts required by this template are located. When the template is deployed using the accompanying scripts, a private location in the subscription will be used and this value will be automatically generated." | ||
| } | ||
| }, | ||
| "_artifactsLocationSasToken": { | ||
| "type": "string", | ||
| "defaultValue": "", | ||
| "metadata": { | ||
| "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated." | ||
| } | ||
| } | ||
| }, | ||
| "variables": { | ||
| "templateName": "101-vm-full-disk-encrypted-rhel", | ||
| "createVmUrl": "[concat(parameters('_artifactsLocation'), '/', '101-vm-simple-rhel', '/', 'azuredeploy.json', parameters('_artifactsLocationSasToken'))]", | ||
| "createVmDeploymentName": "[concat(uniquestring(parameters('vmName')), 'createVm')]", | ||
| "encryptVmUrl": "[concat(parameters('_artifactsLocation'), '/', '201-encrypt-running-linux-vm', '/', 'azuredeploy.json', parameters('_artifactsLocationSasToken'))]", | ||
| "encryptVmDeploymentName": "[concat(uniquestring(parameters('vmName')), 'encryptVm')]", | ||
| "scriptsFolder": "scripts", | ||
| "scriptFileName": "setup_raid.sh", | ||
| "setupRaidUrl": "[concat(parameters('_artifactsLocation'), '/', variables('templateName'), '/', variables('scriptsFolder'), '/', variables('scriptFileName'), parameters('_artifactsLocationSasToken'))]", | ||
| "setupRaidExtensionName": "setupRaidCustomScript", | ||
| "diskFormatQuery": "{\"dev_path\":\"/dev/md0\",\"name\":\"encryptedraid\",\"file_system\":\"ext4\"}" | ||
| }, | ||
| "resources": [ | ||
| { | ||
| "apiVersion": "2016-02-01", | ||
| "name": "[variables('createVmDeploymentName')]", | ||
| "type": "Microsoft.Resources/deployments", | ||
| "properties": { | ||
| "mode": "Incremental", | ||
| "parameters": { | ||
| "adminUsername": { | ||
| "value": "[parameters('adminUsername')]" | ||
| }, | ||
| "adminPassword": { | ||
| "value": "[parameters('adminPassword')]" | ||
| }, | ||
| "vmName": { | ||
| "value": "[parameters('vmName')]" | ||
| } | ||
| }, | ||
| "templateLink": { | ||
| "contentVersion": "1.0.0.0", | ||
| "uri": "[variables('createVmUrl')]" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Microsoft.Compute/virtualMachines/extensions", | ||
| "name": "[concat(parameters('vmName'), '/', variables('setupRaidExtensionName'))]", | ||
| "apiVersion": "2015-06-15", | ||
| "location": "[resourceGroup().location]", | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Resources/deployments', variables('createVmDeploymentName'))]" | ||
| ], | ||
| "properties": { | ||
| "publisher": "Microsoft.OSTCExtensions", | ||
| "type": "CustomScriptForLinux", | ||
| "typeHandlerVersion": "1.5", | ||
| "autoUpgradeMinorVersion": true, | ||
| "settings": { | ||
| "fileUris": [ | ||
| "[variables('setupRaidUrl')]" | ||
| ], | ||
| "commandToExecute": "./setup_raid.sh" | ||
| }, | ||
| "protectedSettings": {} | ||
| } | ||
| }, | ||
| { | ||
| "apiVersion": "2016-02-01", | ||
| "dependsOn": [ | ||
| "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), variables('setupRaidExtensionName'))]" | ||
| ], | ||
| "name": "[variables('encryptVmDeploymentName')]", | ||
| "type": "Microsoft.Resources/deployments", | ||
| "properties": { | ||
| "mode": "Incremental", | ||
| "parameters": { | ||
| "encryptionOperation": { | ||
| "value": "EnableEncryptionFormat" | ||
| }, | ||
| "volumeType": { | ||
| "value": "All" | ||
| }, | ||
| "diskFormatQuery": { | ||
| "value": "[variables('diskFormatQuery')]" | ||
| }, | ||
| "aadClientID": { | ||
| "value": "[parameters('aadClientID')]" | ||
| }, | ||
| "aadClientSecret": { | ||
| "value": "[parameters('aadClientSecret')]" | ||
| }, | ||
| "keyVaultName": { | ||
| "value": "[parameters('keyVaultName')]" | ||
| }, | ||
| "keyVaultResourceGroup": { | ||
| "value": "[parameters('keyVaultResourceGroup')]" | ||
| }, | ||
| "vmName": { | ||
| "value": "[parameters('vmName')]" | ||
| } | ||
| }, | ||
| "templateLink": { | ||
| "contentVersion": "1.0.0.0", | ||
| "uri": "[variables('encryptVmUrl')]" | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| { | ||
| "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "parameters": { | ||
| "adminUsername": { | ||
| "value": "" | ||
| }, | ||
| "adminPassword": { | ||
| "value": "" | ||
| }, | ||
| "aadClientID": { | ||
|
There was a problem hiding this comment. null the param values since CI won't handle this and user must supply something specific |
||
| "value": "" | ||
| }, | ||
| "aadClientSecret": { | ||
| "value": "" | ||
| }, | ||
| "keyVaultResourceGroup": { | ||
| "value": "" | ||
| }, | ||
| "keyVaultName": { | ||
| "value": "" | ||
| }, | ||
| "vmName": { | ||
| "value": "" | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| { | ||
| "itemDisplayName": "Red Hat Enterprise Linux 7.2 VM (Fully Encrypted)", | ||
| "description": "This template will deploy a Red Hat Enterprise Linux 7.2 VM and encrypt both OS and data drives.", | ||
| "githubUsername": "krkhan", | ||
| "dateUpdated": "2016-09-19" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #!/bin/sh | ||
|
|
||
| set -e | ||
|
|
||
| yum install -y mdadm | ||
| mdadm --create --verbose /dev/md0 --level=0 --raid-devices=2 /dev/sdc /dev/sdd | ||
| mkdir -p /etc/mdadm | ||
| mdadm --detail --scan > /etc/mdadm/mdadm.conf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is a "vmName" parameter really necessary? It should be fine to inline "[concat('rhelVM', uniqueString(resourceGroup().id))]" in the nested deployment resource below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
vmName is necessary because we want the user to be able to create multiple VMs with the same template. Otherwise subsequent invocations will fail.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes sense.