CLI - Gen2+TLVM As Default - New VM with image parameter

Related command

Resource Provider

Microsoft.Compute/virtualMachines

Description of Feature or Work Requested

Gen2+TLVM as default (Preferred)

As part of making the compute layer secure for customers to deploy workloads, the request is to make Trusted Launch (GA date: November 2021) the default deployment option in the CLI. The following changes will be needed for this:

Scenario 1 - User runs query using az vm image list minimal parameters

Aliases.json will need to be updated to support Generation 2 VM images.

Alias               Current URN                                                      Requested URN update
CentOS              OpenLogic:CentOS:7.5:latest                                      OpenLogic:CentOS:7_5-gen2:latest
Debian              Debian:debian-10:10:latest                                       Debian:debian-10:10-gen2:latest
Flatcar             kinvolk:flatcar-container-linux-free:stable:latest               kinvolk:flatcar-container-linux-free:stable-gen2:latest
RHEL                Redhat:RHEL:7-LVM:latest                                         RedHat:RHEL:7lvm-gen2:latest
UbuntuLTS           Canonical:UbuntuServer:18.04-LTS:latest                          Canonical:UbuntuServer:18_04-lts-gen2:latest
Win2019Datacenter   MicrosoftWindowsServer:WindowsServer:2019-Datacenter:latest      MicrosoftWindowsServer:WindowsServer:2019-datacenter-gen2:latest
Win2016Datacenter   MicrosoftWindowsServer:WindowsServer:2016-Datacenter:latest      MicrosoftWindowsServer:WindowsServer:2016-datacenter-gen2:latest
Win2012R2Datacenter MicrosoftWindowsServer:WindowsServer:2012-R2-Datacenter:latest   MicrosoftWindowsServer:WindowsServer:2012-r2-datacenter-gen2:latest
Win2022Datacenter   MicrosoftWindowsServer:WindowsServer:2022-Datacenter:latest      MicrosoftWindowsServer:WindowsServer:2022-datacenter-g2:latest

Notification message to be shown to end users before the change, if needed: Starting xx/xx/xxxx the az vm image list command will return Generation 2 VM images. To know more about Azure Generation 2, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2

The following images do NOT require a change in the Aliases.json file:

Alias                     Current URN (no change)
Win2012Datacenter         MicrosoftWindowsServer:WindowsServer:2012-Datacenter:latest
Win2008R2SP1              MicrosoftWindowsServer:WindowsServer:2008-R2-SP1:latest
Win2022AzureEditionCore   MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition-core:latest
openSUSE-Leap             SUSE:opensuse-leap-15-3:gen2:latest
SLES                      SUSE:sles-15-sp3:gen2:latest

Scenario 2 - User creates VM with command az vm create

Present behavior (new VM with image parameter):
  1. User runs the command az vm create --name vmname --resource-group rgname --image imagealias --size vmsize.
  2. If the --size parameter is not specified, the CLI creates the VM with the Standard_DS1_v2 VM size.

Updated behavior post change (updated default parameters):
  1. User runs the command az vm create --name vmname --resource-group rgname --image imagealias --size vmsize.
  2. The CLI should check the capabilities of the VM size using the Resource SKU List API and of the specified image using the Virtual Machine Images GET API. If no size is specified, the default VM size Standard_DS1_v2 is used.
  3. Conditions:
    • If the VM size and image both support Generation 2 and Trusted Launch, the following parameters are set by default:
      • --enable-secure-boot with value true
      • --enable-vtpm with value true
      • --security-type with value TrustedLaunch
    • If the VM size and image passed by the user both support Generation 2 but one or both do not support Trusted Launch, the VM is deployed as a Generation 2 VM without turning on the Trusted Launch related parameters mentioned above.
    • If the VM size passed by the user does not support Generation 2 but the URN alias post update references a Gen2 image, the API will throw an error. If a check can be added in the CLI, that would be ideal.
    • If the VM size or image passed by the user does not support Trusted Launch but the user explicitly passes any of the parameters below:
      • --enable-secure-boot with value true
      • --enable-vtpm with value true
      • --security-type with value TrustedLaunch
      the API will throw an error; if a check can be added in the CLI, that would be ideal.
    • Catch-all: the VM will get deployed as a Generation 1 VM. Deploy the VM with the user-passed configuration and print a notification message for the user: Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Notification message to be shown to end users before the change, if needed: Starting xx/xx/xxxx the az vm create command will deploy a Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Scenario 3 - User creates VMSS with command az vmss create

Present behavior (new VMSS with image parameter):
  1. User runs the command az vmss create --name vmssname --resource-group rgname --image imagealias --size vmsize.
  2. If the --size parameter is not specified, the CLI creates the VMSS with the Standard_DS1_v2 VM size.

Updated behavior post change (updated default parameters):
  1. User runs the command az vmss create --name vmssname --resource-group rgname --image imagealias --size vmsize.
  2. The CLI should check the capabilities of the VM size using the Resource SKU List API and of the specified image using the Virtual Machine Images GET API. If no size is specified, the default VM size Standard_DS1_v2 is used.
  3. Conditions:
    • If the VM size and image both support Generation 2 and Trusted Launch, the following parameters are set by default:
      • --enable-secure-boot with value true
      • --enable-vtpm with value true
      • --security-type with value TrustedLaunch
    • If the VM size and image passed by the user both support Generation 2 but one or both do not support Trusted Launch, the VMSS is deployed as Generation 2 without turning on the Trusted Launch related parameters mentioned above.
    • If the VM size passed by the user does not support Generation 2 but the URN alias post update references a Gen2 image, the API will throw an error. If a check can be added in the CLI, that would be ideal.
    • If the VM size or image passed by the user does not support Trusted Launch but the user explicitly passes any of the parameters below:
      • --enable-secure-boot with value true
      • --enable-vtpm with value true
      • --security-type with value TrustedLaunch
      the API will throw an error; if a check can be added in the CLI, that would be ideal.
    • Catch-all: the VMSS will get deployed as Generation 1. Deploy it with the user-passed configuration and print a notification message for the user: Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Notification message to be shown to end users before the change, if needed: Starting xx/xx/xxxx the az vmss create command will deploy Trusted Launch VMs by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

VM size and image capability API checks:

  • VM size / SKU capability to support Gen2 or Trusted Launch VMs can be queried using the Resource SKU List API:
    • For Gen2, refer to the property HyperVGeneration with supported value v2.
    • For Trusted Launch, refer to the property TrustedLaunchSupportDisabled set to true for sizes that support Gen2 but not Trusted Launch.
  • Image capability to support Gen2 or Trusted Launch VMs can be queried using the Virtual Machine Images GET API:
    • For Gen2, use the property hyperVGeneration with value V2.
    • For Trusted Launch, use features -> SecurityType with value TrustedLaunchSupported.

NOTE: Please review the Trusted Launch VM limitations to assess any impact on CLI users.

Gen2 as default (Fallback alternative)

If Gen2+TLVM-as-default cannot be implemented, we request making Generation 2 VMs (GA date: 2019) the fallback default deployment option in the CLI. The following changes will be needed for this:

  • Scenario 1 remains the same for both the Gen2+TLVM-as-default and the Gen2-as-default options.
  • Scenarios 2 and 3 remain similar except for the first condition: if the VM size passed by the user with --size supports Generation 2 and Trusted Launch, OR the user does not specify a VM size (i.e. the default size Standard_DS1_v2 is used), the VM is deployed as a Generation 2 VM without turning on the Trusted Launch related parameters mentioned above.

Notification message to be shown to end users before the change, if needed: Starting xx/xx/xxxx the az vm create command will deploy a Generation 2 VM by default. To know more about Azure Generation 2 VMs, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2

NOTE: Generation 2 VMs have full feature parity with the existing Generation 1 VMs used by the majority of customers.

Minimum API Version Required

2021-11-01

Swagger PR link

Compute Swagger 2021-11-01

Request Example

Target Date

2022-10-10

Additional context

  • The target date for implementing the user notification is chosen to match the Ignite event scheduled for 2022-10-12.
  • My understanding is that before the change is implemented, users will need to be given a notification; hence the target date for implementing the changes is the Build event 2023 (May 2023).
  • Multiple Trusted Launch VM limitations will tentatively be addressed before the actual implementation date of May 2023.
  • VM size / SKU capability to support Gen2 or Trusted Launch VMs can be queried using the Resource SKU List API:
    • For Gen2, refer to the property HyperVGeneration with supported value v2.
    • For Trusted Launch, refer to the property TrustedLaunchSupportDisabled set to true for sizes that support Gen2 but not Trusted Launch.
  • Image capability to support Gen2 or Trusted Launch VMs can be queried using the Virtual Machine Images GET API:
    • For Gen2, use the property hyperVGeneration with value V2.
    • For Trusted Launch, use features -> SecurityType with value TrustedLaunchSupported.
  • TLVM-as-default implementation in the Azure Portal is planned for December 2022.
  • VM Managed Images do not support Trusted Launch VMs. In the scenario where a user is deploying a VM from a Managed Image, the Trusted Launch parameters should be set to false and the VM should be deployed as Hyper-V Generation V2.
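The decision logic requested in Scenarios 2 and 3, together with the SKU and image capability checks listed above, written out as an added example. This is illustration code, not Azure CLI code or anything from the issue: it takes records shaped like the output of az vm list-skus (Resource SKU List) and az vm image show (Virtual Machine Images GET), applies the conditions in the order the issue gives them, and returns what the CLI should send (or the error it should raise before calling the API). The sample SKU and image records at the bottom are constructed, the size names Standard_Example_NoTL and Standard_Example_Gen1 are hypothetical, and the capability names HyperVGenerations and TrustedLaunchDisabled are the spellings I assume the live SKU listing uses alongside the ones the issue quotes.

```python
"""Gen2 + Trusted Launch default decision for `az vm create` / `az vmss create`.

Added illustration, not Azure CLI code. Inputs mimic the shape of
`az vm list-skus` and `az vm image show` output; the sample records at the
bottom are constructed, not real API responses.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_SIZE = "Standard_DS1_v2"

# Capability names as they appear in Resource SKU List output. The issue writes
# the Trusted Launch opt-out as "TrustedLaunchSupportDisabled"; the live API
# spells it "TrustedLaunchDisabled" (assumption), so both are accepted.
HYPERV_GEN_CAPS = ("HyperVGenerations", "HyperVGeneration")
TL_DISABLED_CAPS = ("TrustedLaunchDisabled", "TrustedLaunchSupportDisabled")

NOTICE_GEN1 = ("Consider upgrading security for your workloads using Azure Trusted "
               "Launch VMs. To know more about Trusted Launch, please visit "
               "https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch")


@dataclass
class Decision:
    hyperv_generation: str                # "V1" or "V2"
    security_type: Optional[str] = None   # "TrustedLaunch" or None
    secure_boot: Optional[bool] = None
    vtpm: Optional[bool] = None
    notice: Optional[str] = None
    error: Optional[str] = None           # set when the CLI should fail before calling the API


def sku_capabilities(sku: dict) -> Tuple[bool, bool]:
    """(supports_gen2, supports_trusted_launch) for one Resource SKU record."""
    caps = {c["name"]: str(c["value"]) for c in sku.get("capabilities", [])}
    gen_value = next((caps[n] for n in HYPERV_GEN_CAPS if n in caps), "V1")
    gen2 = "V2" in {g.strip().upper() for g in gen_value.split(",")}
    tl_disabled = any(caps.get(n, "False").lower() == "true" for n in TL_DISABLED_CAPS)
    return gen2, gen2 and not tl_disabled


def image_capabilities(image: dict) -> Tuple[bool, bool]:
    """(supports_gen2, supports_trusted_launch) for one VM Images GET record."""
    gen2 = str(image.get("hyperVGeneration", "V1")).upper() == "V2"
    tl = any(f.get("name") == "SecurityType" and f.get("value") == "TrustedLaunchSupported"
             for f in image.get("features") or [])
    return gen2, gen2 and tl


def decide(size_sku: dict, image: dict, *, managed_image: bool = False,
           security_type: Optional[str] = None,
           enable_secure_boot: Optional[bool] = None,
           enable_vtpm: Optional[bool] = None) -> Decision:
    """Apply the Scenario 2/3 conditions in order and return what the CLI should send."""
    sku_gen2, sku_tl = sku_capabilities(size_sku)
    if managed_image:
        # Managed images do not support Trusted Launch: deploy as Gen2 with TL off.
        img_gen2, img_tl = True, False
    else:
        img_gen2, img_tl = image_capabilities(image)

    asked_for_tl = (security_type == "TrustedLaunch" or enable_secure_boot is True
                    or enable_vtpm is True)

    # Size is Gen1-only but the (updated) alias/URN points at a Gen2 image:
    # the API would reject this, so fail in the CLI with a clear message.
    if img_gen2 and not sku_gen2:
        return Decision("V2", error=f"Image is Generation 2 but size {size_sku['name']} "
                                     "only supports Generation 1; choose a Gen2-capable size.")

    # Explicit Trusted Launch flags on a size or image that cannot do Trusted Launch.
    if asked_for_tl and not (sku_tl and img_tl):
        return Decision("V2" if img_gen2 else "V1",
                        error="--security-type TrustedLaunch, --enable-secure-boot and "
                              "--enable-vtpm require a Trusted Launch capable size and image.")

    if sku_gen2 and img_gen2 and sku_tl and img_tl:
        # Both capable: Trusted Launch on by default; an explicit false is still honoured.
        return Decision("V2", "TrustedLaunch",
                        secure_boot=True if enable_secure_boot is None else enable_secure_boot,
                        vtpm=True if enable_vtpm is None else enable_vtpm)

    if sku_gen2 and img_gen2:
        # Gen2 is possible but Trusted Launch is not: plain Gen2, no security profile.
        return Decision("V2")

    # Catch-all: Gen1 with whatever the user passed, plus the upgrade notice.
    return Decision("V1", security_type, enable_secure_boot, enable_vtpm, notice=NOTICE_GEN1)


# Constructed sample records (shape only, not real API output).
SKU_GEN2_TL = {"name": DEFAULT_SIZE,
               "capabilities": [{"name": "HyperVGenerations", "value": "V1,V2"}]}
SKU_GEN2_NO_TL = {"name": "Standard_Example_NoTL",   # hypothetical size name
                  "capabilities": [{"name": "HyperVGenerations", "value": "V1,V2"},
                                   {"name": "TrustedLaunchDisabled", "value": "True"}]}
SKU_GEN1_ONLY = {"name": "Standard_Example_Gen1",    # hypothetical size name
                 "capabilities": [{"name": "HyperVGenerations", "value": "V1"}]}
IMG_GEN2_TL = {"hyperVGeneration": "V2",
               "features": [{"name": "SecurityType", "value": "TrustedLaunchSupported"}]}
IMG_GEN2_NO_TL = {"hyperVGeneration": "V2", "features": []}
IMG_GEN1 = {"hyperVGeneration": "V1", "features": []}

if __name__ == "__main__":
    for label, d in [("TL default", decide(SKU_GEN2_TL, IMG_GEN2_TL)),
                     ("Gen2 only", decide(SKU_GEN2_NO_TL, IMG_GEN2_TL)),
                     ("Gen1 size + Gen2 image", decide(SKU_GEN1_ONLY, IMG_GEN2_TL)),
                     ("Gen1 image", decide(SKU_GEN2_TL, IMG_GEN1))]:
        print(f"{label}: {d}")
```

The same image_capabilities check also serves Scenario 1: before switching an alias in Aliases.json to its -gen2 URN, run the Virtual Machine Images GET for that URN and confirm hyperVGeneration is V2, rather than trusting the SKU name suffix. The two error paths return a Decision with error set instead of raising so the caller can turn it into whatever CLI error type it uses; the point is that both failures are decided locally from the SKU and image metadata, before any PUT reaches the API.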

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 1
  • Comments: 39 (19 by maintainers)

Top GitHub Comments

1 reaction
AjKundnani commented, Nov 29, 2022

@AjKundnani Could you please take a look at this comment? https://github.com/Azure/azure-cli/pull/24674/files#r1034524150

@zhoxing-ms - Thanks, responded.

1 reaction
AjKundnani commented, Nov 22, 2022

@AjKundnani In the existing logic of the CLI, if users pass in a complete and valid resource ID to the --image parameter, then we treat this value as a managed image ID. If we reuse this logic, does it meet your expectations?

code link:

https://github.com/Azure/azure-cli/blob/62492854bd972efa06f4ba64952592afcb3fcf25/src/azure-cli/azure/cli/command_modules/vm/_validators.py#L245-L247

https://github.com/Azure/azure-cli/blob/62492854bd972efa06f4ba64952592afcb3fcf25/src/azure-cli/azure/cli/command_modules/vm/_validators.py#L398-L400

As discussed, kindly use existing logic of CLI to differentiate between Platform, Managed, Gallery and Community image.
