Trusted Launch CLI Change Request - VM Disk Snapshot & Config


Related command

  • az snapshot show
  • az disk create
  • az disk grant-access

Resource Provider

  • Microsoft.Compute/disks
  • Microsoft.Compute/snapshots

Description of Feature or Work Requested

Feature request to add an output value, a new parameter, and new values for existing parameters in the following commands, so that they support Trusted Launch VM disks:

The feature request is to provide customers with complete disk management for Trusted Launch VMs (already GA):

  • Validate whether the snapshot a customer has taken is enabled for TrustedLaunch.
  • Import a managed OS disk for Trusted Launch VMs, optionally along with the VMGuestState disk if required.
  • Upload a managed OS disk together with VM Guest State using the new string parameter --upload-type, which will replace the existing parameter --for-upload.

Additional Output Value

az snapshot show

When a customer uses the az snapshot show command, the output should return the securityProfile of the snapshot. securityProfile output is already supported in the az disk show command; the same needs to be extended to snapshots as well.

    "securityProfile": {
      "securityType": "TrustedLaunch"
    },

New Parameter

--security-data-uri (az disk create)

New string parameter --security-data-uri for the command az disk create:

  • Allows the customer to pass a Blob URI for the VM Guest State VHD. If the customer does not use this parameter, DiskRP will create a new VM Guest State (i.e., it is an optional parameter).
  • When specified, the command should interpret that the disk will be imported from an unmanaged VHD in a storage account or from another managed disk, with the TrustedLaunch VM OS disk security type.
  • The --security-type parameter is mandatory when a --security-data-uri value is passed.
  • The --hyper-v-generation parameter value should be V2.
  • This is the URI of a blob to be imported into VM guest state.

--upload-type (az disk create)

New string parameter --upload-type to replace the --for-upload parameter in az disk create:

Accepted value: Upload
Description: For the standard disk-only upload scenario.
  • If used with --security-type TrustedLaunch, DiskRP will create a new VM Guest State blob.
  • Sets the disk CreateOption to Upload in the DiskRP API.

Accepted value: UploadWithSecurityData
Description: For OS disk upload along with VM Guest State.
  • The --security-type parameter is mandatory.
  • Sets the disk CreateOption to UploadPreparedSecure in the DiskRP API.
  • The --hyper-v-generation parameter value should be V2.
  • The parameter --secure-vm-guest-state-sas is switched to true (ON) for az disk grant-access.
  • Not valid for data disk upload; only to be used for OS disk upload at present.

--secure-vm-guest-state-sas (az disk grant-access)

New switch parameter --secure-vm-guest-state-sas for az disk grant-access:

  • Allows the customer to query the VM Guest State SAS.
  • Required when the new parameter --upload-type is set to UploadWithSecurityData in the az disk create command, which will set CreateOption to UploadPreparedSecure.
  • The output would show both accessSas and securityDataAccessSas in the response. If the parameter is not used, the output would return only accessSas.
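The parameter rules above (mandatory --security-type, Generation V2, OS disk only, and which --upload-type value maps to which DiskRP CreateOption) are easy to get wrong on the client side. The following is an added example, not azure-cli code and not from the issue author: a pre-flight validator that builds the az disk create argument list only when the combination is allowed, and tells you whether the resulting disk will need the VM Guest State SAS at grant-access time. Function names (plan_disk_create, create_option_for, needs_guest_state_sas, is_rejected) are hypothetical; the check that --security-data-uri needs a --source is inferred from the "imported from ... VHD or another managed disk" wording and is labelled as an assumption in the code.

```python
# Added example (not azure-cli code): pre-flight validation of the az disk create
# parameter combinations proposed in this issue. Function names are hypothetical.
from typing import List, Optional

# Proposed --upload-type value -> DiskRP CreateOption it sets (from the request text).
UPLOAD_TYPES = {"Upload": "Upload", "UploadWithSecurityData": "UploadPreparedSecure"}


class DiskCreateError(ValueError):
    """A parameter combination the request says must be rejected."""


def create_option_for(upload_type: str) -> str:
    """Map --upload-type to the DiskRP CreateOption, rejecting unknown values."""
    if upload_type not in UPLOAD_TYPES:
        raise DiskCreateError(f"--upload-type must be one of {sorted(UPLOAD_TYPES)}, got {upload_type!r}")
    return UPLOAD_TYPES[upload_type]


def needs_guest_state_sas(create_option: str) -> bool:
    """VMGS is mandatory for UploadPreparedSecure and not needed for plain Upload,
    so only the former requires --secure-vm-guest-state-sas on az disk grant-access."""
    return create_option == "UploadPreparedSecure"


def plan_disk_create(name: str, resource_group: str, location: str, *,
                     os_type: Optional[str] = None, hyper_v_generation: Optional[str] = None,
                     security_type: Optional[str] = None, source: Optional[str] = None,
                     security_data_uri: Optional[str] = None, upload_type: Optional[str] = None,
                     upload_size_bytes: Optional[int] = None, sku: str = "standard_lrs") -> List[str]:
    """Return the argv for az disk create, or raise DiskCreateError on a rule violation."""
    if security_data_uri is not None:
        # Assumption: --security-data-uri describes an import, so a --source is expected.
        if source is None:
            raise DiskCreateError("--security-data-uri is an import option and needs --source")
        if security_type is None:
            raise DiskCreateError("--security-type is mandatory when --security-data-uri is passed")
        if hyper_v_generation != "V2":
            raise DiskCreateError("--hyper-v-generation must be V2 when --security-data-uri is passed")
    if upload_type is not None:
        option = create_option_for(upload_type)  # also validates the value
        if option == "UploadPreparedSecure":
            if security_type is None:
                raise DiskCreateError("--security-type is mandatory for UploadWithSecurityData")
            if hyper_v_generation != "V2":
                raise DiskCreateError("--hyper-v-generation must be V2 for UploadWithSecurityData")
            if os_type is None:
                # Data disk upload with security data is not supported at present.
                raise DiskCreateError("UploadWithSecurityData is for OS disks only; pass --os-type")
    argv = ["az", "disk", "create", "-n", name, "-g", resource_group, "-l", location, "--sku", sku]
    for flag, value in (("--os-type", os_type), ("--hyper-v-generation", hyper_v_generation),
                        ("--security-type", security_type), ("--source", source),
                        ("--security-data-uri", security_data_uri), ("--upload-type", upload_type),
                        ("--upload-size-bytes", upload_size_bytes)):
        if value is not None:
            argv += [flag, str(value)]
    return argv


def is_rejected(**kwargs) -> bool:
    """True when plan_disk_create refuses the combination (handy for tests and CI gates)."""
    try:
        plan_disk_create(**kwargs)
    except DiskCreateError:
        return True
    return False


if __name__ == "__main__":
    # Scenario 3 step 1 from the issue, expressed through the validator.
    print(" ".join(plan_disk_create("tvm-os", "tvm-rg", "southeastasia", os_type="Windows",
                                    hyper_v_generation="V2", security_type="TrustedLaunch",
                                    upload_type="UploadWithSecurityData",
                                    upload_size_bytes=34359738880)))
```

The validator mirrors the issue's rules rather than the service's: DiskRP performs the same verification for UploadPreparedSecure as for Upload (per the comments), so this is a client-side fast-fail, not a substitute for the service response.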

End to End Usage

Scenario 1 - Get Trusted Launch VM Disk Snapshot
  1. Get Virtual Machine Disk snapshot.

    az snapshot show --id $snapshotResourceId

    {
      "completionPercent": null,
      "creationData": {
        "createOption": "Copy",
        "galleryImageReference": null,
        "imageReference": null,
        "logicalSectorSize": null,
        "sourceResourceId": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/disks/tvm-cli-change-vm_OsDisk_1_78358962d0b645a0a3899f18c98b099a",
        "sourceUniqueId": "78358962-d0b6-45a0-a389-9f18c98b099a",
        "sourceUri": null,
        "storageAccountId": null,
        "uploadSizeBytes": null
      },
      "diskAccessId": null,
      "diskSizeBytes": 32213303296,
      "diskSizeGb": 30,
      "diskState": "Unattached",
      "encryption": {
        "diskEncryptionSetId": null,
        "type": "EncryptionAtRestWithPlatformKey"
      },
      "encryptionSettingsCollection": null,
      "extendedLocation": null,
      "hyperVGeneration": "V2",
      "id": "/subscriptions/390a3e32-6963-47d8-bcef-ee8db1c22720/resourceGroups/tvm-cli-change-rg/providers/Microsoft.Compute/snapshots/test01",
      "incremental": false,
      "location": "southeastasia",
      "managedBy": null,
      "name": "test01",
      "networkAccessPolicy": "AllowAll",
      "osType": "Linux",
      "provisioningState": "Succeeded",
      "publicNetworkAccess": "Enabled",
      "purchasePlan": null,
      "resourceGroup": "tvm-cli-change-rg",
      "securityProfile": {
        "securityType": "TrustedLaunch"
      },
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "supportedCapabilities": {
        "acceleratedNetwork": true,
        "architecture": "x64"
      },
      "supportsHibernation": null,
      "tags": {},
      "timeCreated": "2022-04-29T12:48:54.475669+00:00",
      "type": "Microsoft.Compute/snapshots",
      "uniqueId": "8e845670-5c0f-4153-a178-9a544ba4b7e1"
    }
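The first bullet of the request is to validate that a snapshot is Trusted Launch enabled. As an added example (not azure-cli code and not from the issue author), here is that check applied to the JSON shape shown above: it distinguishes a snapshot whose securityProfile says TrustedLaunch from one that is plain, and from output that lacks the securityProfile field entirely (an older CLI or API version, where the answer is unknown rather than "no"). SAMPLE_SNAPSHOT is a constructed, trimmed copy of the output above; classify_snapshot and is_trusted_launch_snapshot are hypothetical names.

```python
# Added example (not azure-cli code): interpret the securityProfile this request asks
# az snapshot show to return. SAMPLE_SNAPSHOT is constructed from the output shape above.
import json
from typing import Dict

SAMPLE_SNAPSHOT = """{
  "name": "test01",
  "hyperVGeneration": "V2",
  "osType": "Linux",
  "securityProfile": {"securityType": "TrustedLaunch"},
  "type": "Microsoft.Compute/snapshots"
}"""


def classify_snapshot(snapshot_json: str) -> Dict[str, object]:
    """Return {'security_type', 'hyper_v_generation', 'trusted_launch', 'reason'} for one snapshot."""
    snap = json.loads(snapshot_json)
    profile = snap.get("securityProfile") or {}   # null securityProfile == standard snapshot
    sec_type = profile.get("securityType")
    gen = snap.get("hyperVGeneration")
    verdict = {"security_type": sec_type, "hyper_v_generation": gen,
               "trusted_launch": False, "reason": ""}
    if "securityProfile" not in snap:
        # Field absent: CLI/API predates this request, so do not treat it as "not Trusted Launch".
        verdict["reason"] = "securityProfile not returned; use API version 2021-08-01 or later"
    elif sec_type != "TrustedLaunch":
        verdict["reason"] = f"securityType is {sec_type!r}, not TrustedLaunch"
    elif gen != "V2":
        # Trusted Launch VMs are Generation 2, so a TrustedLaunch profile on a V1 snapshot is inconsistent.
        verdict["reason"] = f"hyperVGeneration is {gen!r}; Trusted Launch requires V2"
    else:
        verdict["trusted_launch"] = True
        verdict["reason"] = "snapshot is Trusted Launch enabled"
    return verdict


def is_trusted_launch_snapshot(snapshot_json: str) -> bool:
    """Convenience wrapper for scripts that only need a yes/no."""
    return bool(classify_snapshot(snapshot_json)["trusted_launch"])


if __name__ == "__main__":
    # Typical use: pipe `az snapshot show --id $snapshotResourceId -o json` into this script.
    print(classify_snapshot(SAMPLE_SNAPSHOT))
```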
    
Scenario 2 - Secure Import of Trusted Launch VM OS Disk
  1. Create the disk with the --security-data-uri parameter:

    az disk create -n $diskName -g $resourceGroup \
        -l $location --os-type Windows --hyper-v-generation V2 \
        --security-type "TrustedLaunch" \
        --source $sourceDiskVhdUri --security-data-uri $guestStateDiskVhdUri \
        --sku standard_lrs
    
Scenario 3 - Secure Upload of Trusted Launch VM OS Disk
  1. Create an empty disk with the --upload-type parameter (PowerShell, since steps 3 and 4 use AzCopy.exe):

    az disk create -n $diskName -g $resourceGroup `
        -l $location --os-type Windows --hyper-v-generation V2 `
        --security-type "TrustedLaunch" --upload-type "UploadWithSecurityData" `
        --upload-size-bytes 34359738880 --sku standard_lrs
    
  2. Grant access to generate accessSas and securityDataAccessSas using the --secure-vm-guest-state-sas parameter (PowerShell; the CLI's JSON response is parsed with ConvertFrom-Json so the two SAS URLs can be referenced in steps 3 and 4):

    $diskSas = az disk grant-access -n $diskName -g $resourceGroup `
        --access-level Write --duration-in-seconds 86400 `
        --secure-vm-guest-state-sas | ConvertFrom-Json

    Returned value schema:

    {
      "accessSas": "https://md-impexp-t0rdsfgsdfg4.blob.core.windows.net/w2c3mj0ksfgl/abcd?sv=2017-04-17&sr=b&si=600a9281-d39e-4cc3-91d2-923c4a696537&sig=xXaT6mFgf139ycT87CADyFxb%2BnPXBElYirYRlbnJZbs%3D",
      "securityDataAccessSas": "<VM Guest State Sas URI>"
    }

  3. Copy disk content from a local VHD:

    AzCopy.exe copy "c:\somewhere\mydisk.vhd" $diskSas.accessSas --blob-type PageBlob

  4. Copy VM Guest State content from a local VHD:

    AzCopy.exe copy "c:\somewhere\myvmgs.vhd" $diskSas.securityDataAccessSas --blob-type PageBlob
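Steps 2 to 4 hinge on the grant-access response: for an UploadPreparedSecure disk the VMGS copy is mandatory, so a response without securityDataAccessSas (for example, because --secure-vm-guest-state-sas was omitted) should stop the procedure rather than leave a half-prepared disk. Both SAS values are also bearer credentials that must not end up in logs. The following is an added example, not azure-cli or AzCopy code and not from the issue author: it turns a grant-access response into the AzCopy commands of steps 3 and 4, fails closed when the guest-state SAS is missing, and redacts the sig= value for logging. SAMPLE_GRANT_ACCESS is constructed (example hostnames and signatures); plan_azcopy, redact_sas, describe and can_proceed are hypothetical names, and the "azcopy" executable name is an assumption where the page uses AzCopy.exe.

```python
# Added example (not azure-cli/AzCopy code): consume `az disk grant-access` JSON safely.
# SAMPLE_GRANT_ACCESS is a constructed response with fake hostnames and signatures.
import json
from typing import List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAMPLE_GRANT_ACCESS = json.dumps({
    "accessSas": "https://md-example.blob.core.windows.net/container/osdisk"
                 "?sv=2017-04-17&sr=b&si=example-policy&sig=abc123example%3D",
    "securityDataAccessSas": "https://md-example.blob.core.windows.net/container/vmgs"
                             "?sv=2017-04-17&sr=b&sig=def456example%3D",
})


def redact_sas(url: str) -> str:
    """Replace the sig= query value so a SAS URL can be logged without leaking the credential."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "sig" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def plan_azcopy(grant_access_json: str, os_vhd: str, vmgs_vhd: Optional[str],
                create_option: str) -> List[List[str]]:
    """Build the AzCopy argv for steps 3 and 4. create_option is the disk's DiskRP
    CreateOption ('Upload' or 'UploadPreparedSecure'); only the latter needs the VMGS copy."""
    resp = json.loads(grant_access_json)
    access_sas = resp.get("accessSas")
    if not access_sas:
        raise ValueError("grant-access response has no accessSas")
    commands = [["azcopy", "copy", os_vhd, access_sas, "--blob-type", "PageBlob"]]
    if create_option == "UploadPreparedSecure":
        vmgs_sas = resp.get("securityDataAccessSas")
        if not vmgs_sas:
            # Fail closed: an UploadPreparedSecure disk without its VMGS blob is unusable.
            raise ValueError("no securityDataAccessSas returned; re-run az disk grant-access "
                             "with --secure-vm-guest-state-sas")
        if vmgs_vhd is None:
            raise ValueError("UploadPreparedSecure disk needs a VM Guest State VHD to upload")
        commands.append(["azcopy", "copy", vmgs_vhd, vmgs_sas, "--blob-type", "PageBlob"])
    return commands


def can_proceed(grant_access_json: str, os_vhd: str, vmgs_vhd: Optional[str],
                create_option: str) -> bool:
    """True when the response is sufficient for the requested create option."""
    try:
        plan_azcopy(grant_access_json, os_vhd, vmgs_vhd, create_option)
    except ValueError:
        return False
    return True


def describe(commands: List[List[str]]) -> List[str]:
    """Log-safe rendering of the planned commands: every SAS signature is redacted."""
    return [" ".join(redact_sas(a) if a.startswith("https://") else a for a in cmd)
            for cmd in commands]


if __name__ == "__main__":
    for line in describe(plan_azcopy(SAMPLE_GRANT_ACCESS, r"c:\somewhere\mydisk.vhd",
                                     r"c:\somewhere\myvmgs.vhd", "UploadPreparedSecure")):
        print(line)
```

Keep the unredacted argv only in memory for the process that launches AzCopy; anything written to a ticket, CI log or chat should go through describe().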

Minimum API Version Required

2021-08-01

Swagger PR link

https://github.com/Azure/azure-rest-api-specs/pull/17118

Request Example

Target Date

2022-07-05

Additional context

Request for Trusted Launch VM feature.

Contacts

  • Main developer contacts (emails + GitHub aliases): Abhishek Verma (AZURE) Abhishek.Verma@microsoft.com, Anshul Solanki Anshul.Solanki@microsoft.com
  • PM contact (email + GitHub alias): Ajay Kundnani ajay.kundnani@microsoft.com
  • Other people who should attend a design review (email): Run Cai run.cai@microsoft.com, Deepak J V J.Deepak@microsoft.com

Issue Analytics

  • State: closed
  • Created: a year ago
  • Reactions: 3
  • Comments: 29 (16 by maintainers)

Top GitHub Comments

1 reaction
AjKundnani commented, Jun 27, 2022

As per Disk RP team “uploadpreparedsecure has same verifications which are applicable to upload create option”

@AjKundnani I see. Thanks for your confirmation!

I can check but currently there’s no plan that am aware of to add this restriction. If its not reasonable as per CLI best practices, we can skip this check. Will need to ensure this restriction is published in docs such that end user is aware of this restriction.

We’d better not only add this verification on the CLI side, otherwise it may be inconsistent with the experience of other sides. We may consider adding this restriction information to the help message to let users aware of this restriction. (it will be automatically synchronized to our public doc)

For seamless user experience, if we can auto-turn flag --secure-vm-guest-state-sas on based on Disk CreateOption of UploadPreparedSecure, that will be ideal and will not need to expose this parameter to end user. Because VMGS is mandatory when CreateOption is UploadPreparedSecure and not required when CreateOption is Upload.

I see. It sounds like a good solution not to expose the parameter --secure-vm-guest-state-sas to users

Thanks @zhoxing-ms - Adding help message about restriction of OS disk only for VMGS should be helpful.

For parameter --secure-vm-guest-state-sas, if we can publish example in docs on how to use the returned VM Guest State SAS URL for uploading disk with security data, that’ll be helpful.

1 reaction
zhoxing-ms commented, Jun 27, 2022

As per Disk RP team “uploadpreparedsecure has same verifications which are applicable to upload create option”

@AjKundnani I see. Thanks for your confirmation!

I can check but currently there’s no plan that am aware of to add this restriction. If its not reasonable as per CLI best practices, we can skip this check. Will need to ensure this restriction is published in docs such that end user is aware of this restriction.

We’d better not only add this verification on the CLI side, otherwise it may be inconsistent with the experience of other sides. We may consider adding this restriction information to the help message to let users aware of this restriction. (it will be automatically synchronized to our public doc)

For seamless user experience, if we can auto-turn flag --secure-vm-guest-state-sas on based on Disk CreateOption of UploadPreparedSecure, that will be ideal and will not need to expose this parameter to end user. Because VMGS is mandatory when CreateOption is UploadPreparedSecure and not required when CreateOption is Upload.

I see. It sounds like a good solution not to expose the parameter --secure-vm-guest-state-sas to users
