Merge pull request #268703 from rpsqrd/azcmagent-1-39

American-Dipper · web-flow · commit 9478d75a57e6 · 2024-03-19T14:31:14.000-07:00
azcmagent 1.39 relnotes
diff --git a/articles/azure-arc/servers/agent-overview.md b/articles/azure-arc/servers/agent-overview.md
@@ -151,8 +151,8 @@ Installing the Connected Machine agent for Linux applies the following system-wi
 
 The Azure Connected Machine agent is designed to manage agent and system resource consumption. The agent approaches resource governance under the following conditions:
 
-* The Guest Configuration agent can use up to 5% of the CPU to evaluate policies.
-* The Extension Service agent can use up to 5% of the CPU on Windows machines and 30% of the CPU on Linux machines to install, upgrade, run, and delete extensions. Some extensions might apply more restrictive CPU limits once installed. The following exceptions apply:
+* The Machine Configuration (formerly Guest Configuration) service can use up to 5% of the CPU to evaluate policies.
+* The Extension service can use up to 5% of the CPU on Windows machines and 30% of the CPU on Linux machines to install, upgrade, run, and delete extensions. Some extensions might apply more restrictive CPU limits once installed. The following exceptions apply:
 
   | Extension type | Operating system | CPU limit |
   | -------------- | ---------------- | --------- |
@@ -173,6 +173,24 @@ During normal operations, defined as the Azure Connected Machine agent being con
 
 The performance data above was gathered in April 2023 on virtual machines running Windows Server 2022 and Ubuntu 20.04. Actual agent performance and resource consumption will vary based on the hardware and software configuration of your servers.
 
+### Custom resource limits
+
+The default resource governance limits are the best choice for most servers. However, small virtual machines and servers with limited CPU resources might encounter timeouts when managing extensions or evaluating policies because there aren't enough CPU resources to complete the tasks. Starting with agent version 1.39, you can customize the CPU limits applied to the extension manager and Machine Configuration services to help the agent complete these tasks faster.
+
+To see the current resource limits for the extension manager and Machine Configuration services, run the following command.
+
+```bash
+azcmagent config list
+```
+
+In the output, you'll see two fields, `guestconfiguration.agent.cpulimit` and `extensions.agent.cpulimit` with the current resource limit specified as a percentage. On a fresh install of the agent, both will show `5` because the default limit is 5% of the CPU.
+
+To change the resource limit for the extension manager to 80%, run the following command:
+
+```bash
+azcmagent config set extensions.agent.cpulimit 80
+```
+
 ## Instance metadata
 
 Metadata information about a connected machine is collected after the Connected Machine agent registers with Azure Arc-enabled servers. Specifically:
diff --git a/articles/azure-arc/servers/agent-release-notes-archive.md b/articles/azure-arc/servers/agent-release-notes-archive.md
@@ -19,6 +19,24 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. Thi
 - Known issues
 - Bug fixes
 
+## Version 1.34 - September 2023
+
+Download for [Windows](https://download.microsoft.com/download/b/3/2/b3220316-13db-4f1f-babf-b1aab33b364f/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
+
+### New features
+
+- [Extended Security Updates for Windows Server 2012 and 2012 R2](prepare-extended-security-updates.md) can be purchased and enabled through Azure Arc. If your server is already running the Azure Connected Machine agent, [upgrade to agent version 1.34](manage-agent.md#upgrade-the-agent) or later to take advantage of this new capability.
+- New system metadata is collected to enhance your device inventory in Azure:
+  - Total physical memory
+  - More processor information
+  - Serial number
+  - SMBIOS asset tag
+- Network requests to Microsoft Entra ID (formerly Azure Active Directory) now use `login.microsoftonline.com` instead of `login.windows.net`
+
+### Fixed
+
+- Better handling of disconnected agent scenarios in the extension manager and policy engine.
+
 ## Version 1.33 - August 2023
 
 Download for [Windows](https://download.microsoft.com/download/0/c/7/0c7a484b-e29e-42f9-b3e9-db431df2e904/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
diff --git a/articles/azure-arc/servers/agent-release-notes.md b/articles/azure-arc/servers/agent-release-notes.md
@@ -16,6 +16,22 @@ The Azure Connected Machine agent receives improvements on an ongoing basis. To
 
 This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [archive for What's new with Azure Connected Machine agent](agent-release-notes-archive.md).
 
+## Version 1.39 - March 2024
+
+Download for [Windows](https://download.microsoft.com/download/1/9/f/19f44dde-2c34-4676-80d7-9fa5fc44d2a8/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
+
+### New features
+
+- Check which extensions are installed and manually remove them with the new [azcmagent extension](azcmagent-extension.md) command group. These commands run locally on the machine and work even if a machine has lost its connection to Azure.
+- You can now [customize the CPU limit](agent-overview.md#custom-resource-limits) applied to the extension manager and machine configuration policy evaluation engine. This might be helpful on small or under-powered VMs where the [default resource governance limits](agent-overview.md#agent-resource-governance) can cause extension operations to time out.
+
+### Fixed
+
+- Improved reliability of the run command feature with long-running commands
+- Removed an unnecessary endpoint from the network connectivity check when onboarding machines via an Azure Arc resource bridge
+- Improved heartbeat reliability
+- Removed unnecessary dependencies
+
 ## Version 1.38 - February 2024
 
 Download for [Windows](https://download.microsoft.com/download/4/8/f/48f69eb1-f7ce-499f-b9d3-5087f330ae79/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
@@ -102,24 +118,6 @@ The Windows Admin Center in Azure feature is incompatible with Azure Connected M
 - Fixed a bug where clearing the `incomingconnections.enabled` [configuration setting](azcmagent-config.md) would show `<nil>` as the previous value
 - Security fix for the extension allowlist and blocklist feature to address an issue where an invalid extension name could impact enforcement of the lists.
 
-## Version 1.34 - September 2023
-
-Download for [Windows](https://download.microsoft.com/download/b/3/2/b3220316-13db-4f1f-babf-b1aab33b364f/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)
-
-### New features
-
-- [Extended Security Updates for Windows Server 2012 and 2012 R2](prepare-extended-security-updates.md) can be purchased and enabled through Azure Arc. If your server is already running the Azure Connected Machine agent, [upgrade to agent version 1.34](manage-agent.md#upgrade-the-agent) or later to take advantage of this new capability.
-- New system metadata is collected to enhance your device inventory in Azure:
-  - Total physical memory
-  - More processor information
-  - Serial number
-  - SMBIOS asset tag
-- Network requests to Microsoft Entra ID (formerly Azure Active Directory) now use `login.microsoftonline.com` instead of `login.windows.net`
-
-### Fixed
-
-- Better handling of disconnected agent scenarios in the extension manager and policy engine.
-
 ## Next steps
 
 - Before evaluating or enabling Azure Arc-enabled servers across multiple hybrid machines, review [Connected Machine agent overview](agent-overview.md) to understand requirements, technical details about the agent, and deployment methods.
diff --git a/articles/azure-arc/servers/azcmagent-extension.md b/articles/azure-arc/servers/azcmagent-extension.md
@@ -0,0 +1,77 @@
+---
+title: azcmagent extension CLI reference
+description: Syntax for the azcmagent extension command line tool
+ms.topic: reference
+ms.date: 03/11/2024
+---
+
+# azcmagent extension
+
+Local management of Azure Arc extensions installed on the machine. These commands can be run even when a machine is in a disconnected state.
+
+The extension manager must be stopped before running any of these commands. Stopping the extension manager interrupts any in-progress extension installs, upgrades, and removals. To disable the extension manager, run `Stop-Service ExtensionService` on Windows or `systemctl stop extd`. When you're done managing extensions locally, start the extension manager again with `Start-Service ExtensionService` on Windows or `systemctl start extd` on Linux.
+
+## Commands
+
+| Command | Purpose |
+| ------- | ------- |
+| [azcmagent extension list](#azcmagent-extension-list) | Lists extensions installed on the machine |
+| [azcmagent extension remove](#azcmagent-extension-remove) | Uninstalls extensions on the machine |
+
+## azcmagent extension list
+
+Lists extensions installed on the machine.
+
+### Usage
+
+```
+azcmagent extension list [flags]
+```
+
+### Examples
+
+See which extensions are installed on your machine.
+
+```
+azcmagent extension list
+```
+
+### Flags
+
+[!INCLUDE [common-flags](includes/azcmagent-common-flags.md)]
+
+## azcmagent extension remove
+
+Uninstalls extensions on the machine.
+
+### Usage
+
+```
+azcmagent extension remove [flags]
+```
+
+### Examples
+
+Remove the "AzureMonitorWindowsAgent" extension from the local machine.
+
+```
+azcmagent extension remove --name AzureMonitorWindowsAgent
+```
+
+Remove all extensions from the local machine.
+
+```
+azcmagent extension remove --all
+```
+
+### Flags
+
+`--all`, `-a`
+
+Removes all extensions from the machine.
+
+`--name`, `-n`
+
+Removes the specified extension from the machine. Use [azcmagent extension list](#azcmagent-extension-list) to get the name of the extension.
+
+[!INCLUDE [common-flags](includes/azcmagent-common-flags.md)]
diff --git a/articles/azure-arc/servers/plan-evaluate-on-azure-virtual-machine.md b/articles/azure-arc/servers/plan-evaluate-on-azure-virtual-machine.md
@@ -1,5 +1,5 @@
 ---
-title: How to evaluate Azure Arc-enabled servers with an Azure VM
+title: How to evaluate Azure Arc-enabled servers with an Azure virtual machine
 description: Learn how to evaluate Azure Arc-enabled servers using an Azure virtual machine.
 ms.date: 10/01/2021
 ms.topic: conceptual
@@ -10,9 +10,9 @@ ms.topic: conceptual
 > [!CAUTION]
 > This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).
 
-Azure Arc-enabled servers is designed to help you connect servers running on-premises or in other clouds to Azure. Normally, you would not use Azure Arc-enabled servers on an Azure virtual machine because all the same capabilities are natively available for these VMs, including a representation of the VM in Azure Resource Manager, VM extensions, managed identities, and Azure Policy. If you attempt to install Azure Arc-enabled servers on an Azure VM, you'll receive an error message stating that it is unsupported and the agent installation will be canceled.
+Azure Arc-enabled servers is designed to help you connect servers running on-premises or in other clouds to Azure. Normally, you wouldn't connect an Azure virtual machine to Azure Arc because all the same capabilities are natively available for these VMs. Azure VMs already have a representation in Azure Resource Manager, VM extensions, managed identities, and Azure Policy. If you attempt to install Azure Arc-enabled servers on an Azure VM, you'll receive an error message stating that it is unsupported.
 
-While you cannot install Azure Arc-enabled servers on an Azure VM for production scenarios, it is possible to configure Azure Arc-enabled servers to run on an Azure VM for *evaluation and testing purposes only*. This article will help you set up an Azure VM before you can enable Azure Arc-enabled servers on it.
+While you cannot install Azure Arc-enabled servers on an Azure VM for production scenarios, it's possible to configure Azure Arc-enabled servers to run on an Azure VM for *evaluation and testing purposes only*. This article walks you through how to prepare an Azure VM to look like an on-premises server for testing purposes.
 
 > [!NOTE]
 > The steps in this article are intended for virtual machines hosted in the Azure cloud. Azure Arc-enabled servers is not supported on virtual machines running on Azure Stack Hub or Azure Stack Edge.
@@ -21,7 +21,7 @@ While you cannot install Azure Arc-enabled servers on an Azure VM for production
 
 * Your account is assigned to the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role.
 * The Azure virtual machine is running an [operating system supported by Azure Arc-enabled servers](prerequisites.md#supported-operating-systems). If you don't have an Azure VM, you can deploy a [simple Windows VM](https://portal.azure.com/#create/Microsoft.Template/uri/https%3a%2f%2fraw.githubusercontent.com%2fAzure%2fazure-quickstart-templates%2fmaster%2fquickstarts%2fmicrosoft.compute%2fvm-simple-windows%2fazuredeploy.json) or a [simple Ubuntu Linux 18.04 LTS VM](https://portal.azure.com/#create/Microsoft.Template/uri/https%3a%2f%2fraw.githubusercontent.com%2fAzure%2fazure-quickstart-templates%2fmaster%2fquickstarts%2fmicrosoft.compute%2fvm-simple-windows%2fazuredeploy.json).
-* Your Azure VM can communicate outbound to download the Azure Connected Machine agent package for Windows from the [Microsoft Download Center](https://aka.ms/AzureConnectedMachineAgent), and Linux from the Microsoft [package repository](https://packages.microsoft.com/). If outbound connectivity to the Internet is restricted following your IT security policy, you will need to download the agent package manually and copy it to a folder on the Azure VM.
+* Your Azure VM can communicate outbound to download the Azure Connected Machine agent package for Windows from the [Microsoft Download Center](https://aka.ms/AzureConnectedMachineAgent), and Linux from the Microsoft [package repository](https://packages.microsoft.com/). If outbound connectivity to the Internet is restricted following your IT security policy, you can download the agent package manually and copy it to a folder on the Azure VM.
 * An account with elevated (that is, an administrator or as root) privileges on the VM, and RDP or SSH access to the VM.
 * To register and manage the Azure VM with Azure Arc-enabled servers, you are a member of the [Azure Connected Machine Resource Administrator](../../role-based-access-control/built-in-roles.md#azure-connected-machine-resource-administrator) or [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
 
@@ -35,14 +35,15 @@ To start managing your Azure VM as an Azure Arc-enabled server, you need to make
 
 3. Create a security rule to deny access to the Azure Instance Metadata Service (IMDS). IMDS is a REST API that applications can call to get information about the VM's representation in Azure, including its resource ID and location. IMDS also provides access to any managed identities assigned to the machine. Azure Arc-enabled servers provides its own IMDS implementation and returns information about the Azure Arc representation of the VM. To avoid situations where both IMDS endpoints are available and apps have to choose between the two, you block access to the Azure VM IMDS so that the Azure Arc-enabled server IMDS implementation is the only one available.
 
-After you've made these changes, your Azure VM behaves like any machine or server outside of Azure and is at the necessary starting point to install and evaluate Azure Arc-enabled servers.
+After you make these changes, your Azure VM behaves like any machine or server outside of Azure and is at the necessary starting point to install and evaluate Azure Arc-enabled servers.
 
 When Azure Arc-enabled servers is configured on the VM, you see two representations of it in Azure. One is the Azure VM resource, with a `Microsoft.Compute/virtualMachines` resource type, and the other is an Azure Arc resource, with a `Microsoft.HybridCompute/machines` resource type. As a result of preventing management of the guest operating system from the shared physical host server, the best way to think about the two resources is the Azure VM resource is the virtual hardware for your VM, and let's you control the power state and view information about its SKU, network, and storage configurations. The Azure Arc resource manages the guest operating system in that VM, and can be used to install extensions, view compliance data for Azure Policy, and complete any other supported task by Azure Arc-enabled servers.
 
 ## Reconfigure Azure VM
 
 > [!NOTE]
 > For windows, set the environment variable to override the ARC on an Azure VM installation.
+>
 > ```powershell
 > [System.Environment]::SetEnvironmentVariable("MSFT_ARC_TEST",'true', [System.EnvironmentVariableTarget]::Machine)
 > ```
@@ -53,7 +54,7 @@ When Azure Arc-enabled servers is configured on the VM, you see two representati
 
 2. Disable the Azure VM Guest Agent.
 
-   To disable the Azure VM Guest Agent, you'll need to connect to your VM using Remote Desktop Connection (Windows) or SSH (Linux). Once connected, run the following commands to disable the guest agent.
+   To disable the Azure VM Guest Agent, connect to your VM using Remote Desktop Connection (Windows) or SSH (Linux) and run the following commands to disable the guest agent.
 
    For Windows, run the following PowerShell commands:
 
@@ -65,11 +66,8 @@ When Azure Arc-enabled servers is configured on the VM, you see two representati
    For Linux, run the following commands:
 
    ```bash
-   CURRENT_HOSTNAME=$(hostname)
-   sudo service walinuxagent stop
-   sudo waagent -deprovision -force
-   sudo rm -rf /var/lib/waagent
-   sudo hostnamectl set-hostname $CURRENT_HOSTNAME
+   sudo systemctl stop walinuxagent
+   sudo systemctl disable walinuxagent
    ```
 
 3. Block access to the Azure IMDS endpoint.
@@ -80,7 +78,7 @@ When Azure Arc-enabled servers is configured on the VM, you see two representati
    New-NetFirewallRule -Name BlockAzureIMDS -DisplayName "Block access to Azure IMDS" -Enabled True -Profile Any -Direction Outbound -Action Block -RemoteAddress 169.254.169.254
    ```
 
-   For Linux, consult your distribution's documentation for the best way to block outbound access to `169.254.169.254/32` over TCP port 80. Normally you'll block outbound access with the built-in firewall, but you can also temporarily block it with **iptables** or **nftables**.
+   For Linux, consult your distribution's documentation for the best way to block outbound access to `169.254.169.254/32` over TCP port 80. Normally you'd block outbound access with the built-in firewall, but you can also temporarily block it with **iptables** or **nftables**.
 
    If your Azure VM is running Ubuntu, perform the following steps to configure its uncomplicated firewall (UFW):
 
@@ -100,7 +98,7 @@ When Azure Arc-enabled servers is configured on the VM, you see two representati
    For other distributions, consult your firewall docs or configure a generic iptables rule with the following command:
 
    ```bash
-   sudo iptables -A OUTPUT -d 169.254.169.254 -j REJECT
+   sudo iptables -I OUTPUT 1 -d 169.254.169.254 -j REJECT
    ```
 
    > [!NOTE]
@@ -112,7 +110,7 @@ When Azure Arc-enabled servers is configured on the VM, you see two representati
    The VM is now ready for you to begin evaluating Azure Arc-enabled servers. To install and configure the Azure Connected Machine agent, see [Connect hybrid machines using the Azure portal](onboard-portal.md) and follow the steps to generate an installation script and install using the scripted method.
 
    > [!NOTE]
-   > If outbound connectivity to the internet is restricted from your Azure VM, you'll need to download the agent package manually. Copy the agent package to the Azure VM, and modify the Azure Arc-enabled servers installation script to reference the source folder.
+   > If outbound connectivity to the internet is restricted from your Azure VM, you can download the agent package manually. Copy the agent package to the Azure VM, and modify the Azure Arc-enabled servers installation script to reference the source folder.
 
 If you missed one of the steps, the installation script detects it is running on an Azure VM and terminates with an error. Verify you've completed steps 1-3, and then rerun the script.
 
diff --git a/articles/azure-arc/servers/toc.yml b/articles/azure-arc/servers/toc.yml
