azure-cli icon indicating copy to clipboard operation
azure-cli copied to clipboard
verified publisher icon Azure

CLI - Gen2+TLVM As Default - New Az VM OS Disk

Open AjKundnani opened this issue 3 years ago • 6 comments

Related command

Resource Provider

Microsoft.Compute/disks

Description of Feature or Work Requested

Gen2+TLVM as default (Preferred)

As part of making compute layer secure for customers to deploy workloads, request is to make Trusted Launch (GA Date: November 2021) as default deployment option in CLI. Following changes will need to be made for same:

NOTE: Below scenarios are applicable only for OS Disks, i.e., if command is used to create Data Disk, below scenarios and change requests do not apply.

Scenario 1 - User creates empty OS disk using az disk create --size-gb 10 --os-type

Present Behavior Updated Behavior post change
New disk with create option empty:
  1. User runs command az disk create -n diskname -g diskrgname --size-gb 120 --os-type Linux
  2. Empty OS Disk with Premium_LRS SKU is created.
 Updated default parameters and sequence:
  1. User runs command az disk create -n diskname -g diskrgname --size-gb 120 --os-type Linux
  2. Following parameters should be set by default:
    • --hyper-v-generation with value V2
    • --security-type with value TrustedLaunch

Scenario 2 - User creates OS disk from PIR image using az disk create --image-reference

Present Behavior Updated Behavior post change
New disk with create option FromImage:
  1. User runs command az disk create -n diskname -g diskrgname --image-reference 'urnofPIRimage'
  2. OS Disk with image reference and Premium_LRS SKU is created.
 Updated default parameters and sequence:
  1. User runs command az disk create -n diskname -g diskrgname --image-reference 'urnofPIRimage'
  2. CLI queries image capabilities using API Virtual Machines Images GET API
    • For Gen2, use property hyperVGeneration with value of V2
    • For Trusted Launch, use features -> SecurityType with value TrustedLaunchSupported
  3. Conditions:
    • If PIR image supports hyperVGeneration = v2 and SecurityType = TrustedLaunchSupported, enable following parameters by default:
      • --hyper-v-generation with value V2
      • --security-type with value TrustedLaunch
    • If PIR image supports hyperVGeneration = v2 and not TrustedLaunch, enable following parameters by default:
      • --hyper-v-generation with value V2
    • Catch All Disk will get deployed as Generation 1 OS Disk along with Notification message should be printed for user. Notification Message: Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Scenario 3 - User creates OS disk from PIR image using az disk create --gallery-image-reference

Similar to Scenario 2 described above, image capabilities can be queried using az sig image-version show.

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

NOTE: Please review limitations Trusted Launch VM Limitations to assess any impact for CLI users.

Minimum API Version Required

2021-12-01

Swagger PR link

Disk RP Swagger 2021-12-01

Request Example

Create disk with Trusted Launch Security Type

Target Date

2022-10-10

Additional context

  • Target date for implementing notification for user is to match ignite event scheduled for 2022-10-12
  • My understanding is before change is implemented, user will need to be provided with notification, hence target date for implementation of the changes is Build event 2023 (May 2023)
  • Multiple Trusted Launch VM limitations will be tentatively addressed before actual implementation date of May 2023.
  • Image capability to support Gen2 or Trusted Launch VM can be queried using API Virtual Machines Images GET API
    • For Gen2, use property hyperVGeneration with value of V2
    • For Trusted Launch, use features -> SecurityType with value TrustedLaunchSupported
  • TLVM-as-default implementation in Azure Portal is planned for December 2022.

AjKundnani avatar Aug 22 '22 06:08 AjKundnani

Compute

yonzhan avatar Aug 22 '22 07:08 yonzhan

Hello @AjKundnani, could you please help to confirm below details in this issue?

  • what is the difference between creating OS disk and data disk in terms of user passing parameters?
  • in the scenario 1, is the condition of setting the default value met when the value of DiskCreateOption is passed as empty?
  • in the scenario 3, it seems that az sig image-version show does not contain the information of hyperVGeneration and Trusted Launch, since the command az sig image-version show use the api of Gallery Image Versions GET.

Thanks

yanzhudd avatar Sep 09 '22 02:09 yanzhudd

Hello @AjKundnani, could you please help to confirm below details in this issue?

  • what is the difference between creating OS disk and data disk in terms of user passing parameters?
  • in the scenario 1, is the condition of setting the default value met when the value of DiskCreateOption is passed as empty?
  • in the scenario 3, it seems that az sig image-version show does not contain the information of hyperVGeneration and Trusted Launch, since the command az sig image-version show use the api of Gallery Image Versions GET.

Thanks

@yanzhudd

  1. Disk will be OS disk if:
    • If the CreateOption is set to FromImage
    • If the CreateOption is Import, Upload or Empty and --os-type parameter is provided.
  2. Correct, when CreateOption is set to Empty
  3. It should be az sig image-definition show

AjKundnani avatar Sep 12 '22 09:09 AjKundnani

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Hello @AjKundnani, since the time of next build conference has not been determined, can the notification be modified to look like this? Starting next breaking window (sprint for 2023 Build Event) az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

yanzhudd avatar Sep 20 '22 02:09 yanzhudd

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Hello @AjKundnani, since the time of next build conference has not been determined, can the notification be modified to look like this? Starting next breaking window (sprint for 2023 Build Event) az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

@yanzhudd - Is it ok from CLI perspective to call-out breaking change window for end users? Or if we can simplify perhaps, like Starting Build 2023 event, az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch, thoughts?

AjKundnani avatar Sep 20 '22 17:09 AjKundnani

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Hello @AjKundnani, since the time of next build conference has not been determined, can the notification be modified to look like this? Starting next breaking window (sprint for 2023 Build Event) az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

@yanzhudd - Is it ok from CLI perspective to call-out breaking change window for end users? Or if we can simplify perhaps, like Starting Build 2023 event, az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch, thoughts?

It looks great. We will show this notification message to end users.

yanzhudd avatar Sep 21 '22 02:09 yanzhudd

@yanzhudd @zhoxing-ms - If we can remove the below block of message please, goal is to keep message consistent and avoid confusion for end user (this request is based on one of the team member)

image

AjKundnani avatar Nov 29 '22 10:11 AjKundnani

@yanzhudd - Per discussion with Disk resource provider team, removed the scenario for CreateOption = Empty. Scope if for OS disks created from image i.e., CreateOption = FromImage

AjKundnani avatar Jul 18 '23 11:07 AjKundnani

Hi @AjKundnani, let me check with you some details:

  • Is the following filter still needed before setting --security-type default value with TrustedLaunch in Scenario 1? https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L428-L431

  • In the present version, creating OS disk using --gallery-image-reference param has a similar logic with using --image-reference https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L467-L480 Will the logic of Scenario 2 be similar with Scenario 1, i.e., setting default values --hyper-v-generation with V2 and --security-type with TrustedLaunch?

yanzhudd avatar Oct 16 '23 08:10 yanzhudd

@yanzhudd

  • Is the following filter still needed before setting --security-type default value with TrustedLaunch in Scenario 1? https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L428-L431

No, checking features and securityType of platform image is not required. Only the hyperVGeneration of image should be v2.

  • In the present version, creating OS disk using --gallery-image-reference param has a similar logic with using --image-reference https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L467-L480 Will the logic of Scenario 2 be similar with Scenario 1, i.e., setting default values --hyper-v-generation with V2 and --security-type with TrustedLaunch?

No, for Scenario 2 where OS disk is created from Azure Compute Gallery image, defaults do not apply. Only change is if --security-type is not TrustedLaunch then print notification message to end user Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://aka.ms/TrustedLaunch

AjKundnani avatar Oct 16 '23 12:10 AjKundnani

@yanzhudd

  • Is the following filter still needed before setting --security-type default value with TrustedLaunch in Scenario 1? https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L428-L431

No, checking features and securityType of platform image is not required. Only the hyperVGeneration of image should be v2.

  • In the present version, creating OS disk using --gallery-image-reference param has a similar logic with using --image-reference https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L467-L480 Will the logic of Scenario 2 be similar with Scenario 1, i.e., setting default values --hyper-v-generation with V2 and --security-type with TrustedLaunch?

No, for Scenario 2 where OS disk is created from Azure Compute Gallery image, defaults do not apply. Only change is if --security-type is not TrustedLaunch then print notification message to end user Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://aka.ms/TrustedLaunch

@AjKundnani

  • For Scenario 1, should the warning messages other than mentioned above be removed? https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L421-L434
  • For Scenario 2, should the warning messages other than mentioned above be removed? If so, since the Get API once added was to check whether the gallery images support hyperVGeneration V2 and then print warning logs, should the the Get logic be removed as well? https://github.com/Azure/azure-cli/blob/bbdf30570f44fa5f1ea41ef072a78cfaeb633198/src/azure-cli/azure/cli/command_modules/vm/custom.py#L467-L480
  • In Scenario 2, do setting securityType to Standard by default and print warning log apply for all gallery images? i.e., ignore the type of gallery image like community or shared or something and all filters mentioned above?

yanzhudd avatar Oct 17 '23 03:10 yanzhudd

@yanzhudd, For Scenario 1, based on current code:

  1. If source OS image is Gen1 - Then print notification to consider upgrading security of deployment. (Correct).
  2. If source OS image is Gen2 AND input --hyper-v-generation is V1 then instead of printing notification message, apply Trusted Launch defaults - --hyper-v-generation = V2, --security-type = TrustedLaunch OR print error message because Gen1 OS disk cannot be created using Gen2 OS image.
  3. L428 to 432 not required, if OS image is Gen2, then deployment should default to Trusted Launch.

For Scenario 2

  1. Yes, the logic can be simplified if --security-type is not set to TrustedLaunch then print warning message for end user.
  2. Yes, printing warning log applies to all Azure Compute gallery images - Shared, Community.

AjKundnani avatar Oct 17 '23 04:10 AjKundnani

  1. If source OS image is Gen2 AND input --hyper-v-generation is V1 then instead of printing notification message, apply Trusted Launch defaults - --hyper-v-generation = V2, --security-type = TrustedLaunch OR print error message because Gen1 OS disk cannot be created using Gen2 OS image.
  2. L428 to 432 not required, if OS image is Gen2, then deployment should default to Trusted Launch.

If source OS image is Gen2 AND input --hyper-v-generation is V1, would --security-type = TrustedLaunch be set directly or when --security-type is not input by end users?

yanzhudd avatar Oct 17 '23 06:10 yanzhudd

If source OS image is Gen2 AND input --hyper-v-generation is V1, would --security-type = TrustedLaunch be set directly or when --security-type is not input by end users?

In this scenario --hyper-v-generation should be V2. --security-type should be set to TrustedLaunch if no input by end user. If value for --security-type provided by end user then no change or defaults do not apply.

AjKundnani avatar Oct 17 '23 09:10 AjKundnani

Got it! Thanks @AjKundnani :) BTW, the PR has been opened, could you please help review this PR?

yanzhudd avatar Oct 18 '23 06:10 yanzhudd

Got it! Thanks @AjKundnani :) BTW, the PR has been opened, could you please help review this PR?

@yanzhudd - Reviewed PR, looks good to me, will validate further during bug bash, thanks.

AjKundnani avatar Oct 18 '23 14:10 AjKundnani