| 1 | +--- |
| 2 | +title: Harden a Linux image to remove Azure guest agent |
| 3 | +description: Learn how to use the Azure CLI to harden a linux image to remove Azure guest agent. |
| 4 | +author: vvenug |
| 5 | +ms.service: virtual-machines |
| 6 | +mms.subservice: confidential-computing |
| 7 | +ms.topic: how-to |
| 8 | +ms.workload: infrastructure |
| 9 | +ms.date: 8/03/2023 |
| 10 | +ms.author: vvenugopal |
| 11 | +ms.custom: devx-track-azurecli |
| 12 | +--- |
| 13 | + |
| 14 | +# Harden a Linux image to remove Azure guest agent |
| 15 | + |
| 16 | +**Applies to:** :heavy_check_mark: Linux Images |
| 17 | + |
| 18 | +Azure supports two provisioning agents [cloud-init](https://github.com/canonical/cloud-init), and the [Azure Linux Agent](https://github.com/Azure/WALinuxAgent) (WALA), which forms the prerequisites for creating the [generalized images](/azure/virtual-machines/generalize#linux) (Azure Compute Gallery or Managed Image). The Azure Linux Agent contains Provisioning Agent code and Extension Handling code in one package. |
| 19 | + |
| 20 | +It's crucial to comprehend what functionalities the VM loses before deciding to remove the Azure Linux Agent. Removal of the guest agent removes the functionality enumerated at [Azure Linux Agent](/azure/virtual-machines/extensions/agent-linux?branch=pr-en-us-247336). |
| 21 | + |
| 22 | +This "how to" shows you steps to remove guest agent from the Linux image. |
| 23 | +## Prerequisites |
| 24 | + |
| 25 | +- If you don't have an Azure subscription, [create a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
| 26 | +- An Ubuntu image - you can choose one from the [Azure Marketplace](/azure/virtual-machines/linux/cli-ps-findimage). |
| 27 | + |
| 28 | +### Remove Azure Linux Agent and prepare a generalized Linux image |
| 29 | + |
| 30 | +Steps to create an image that removes the Azure Linux Agent are as follows: |
| 31 | + |
| 32 | +1. Download an Ubuntu image. |
| 33 | + |
| 34 | + [How to download a Linux VHD from Azure](/azure/virtual-machines/linux/download-vhd?tabs=azure-portal) |
| 35 | + |
| 36 | +2. Mount the image. |
| 37 | + |
| 38 | + Follow the instructions in step 2 of [remove sudo users from the Linux Image](/azure/confidential-computing/harden-the-linux-image-to-remove-sudo-users) to mount the image. |
| 39 | + |
| 40 | +3. Remove the Azure Linux agent |
| 41 | + |
| 42 | + Run as root to [remove the Azure Linux Agent](/azure/virtual-machines/linux/disable-provisioning) |
| 43 | + |
| 44 | + For Ubuntu 18.04+ |
| 45 | + ``` |
| 46 | + sudo chroot /mnt/dev/$imagedevice/ apt -y remove walinuxagent |
| 47 | + ``` |
| 48 | +
|
| 49 | +
|
| 50 | +> [!NOTE] |
| 51 | +> If you know you will not reinstall the Linux Agent again [remove the Azure Linux Agent artifacts](/azure/virtual-machines/linux/disable-provisioning#:~:text=Step%202%3A%20(Optional)%20Remove%20the%20Azure%20Linux%20Agent%20artifacts), you can run the following steps. |
| 52 | +
|
| 53 | +
|
| 54 | +4. (Optional) Remove the Azure Linux Agent artifacts. |
| 55 | +
|
| 56 | + If you know you will not reinstall the Linux Agent again, then you can run the following else skip this step: |
| 57 | +
|
| 58 | + For Ubuntu 18.04+ |
| 59 | + ``` |
| 60 | + sudo chroot /mnt/dev/$imagedevice/ rm -rf /var/lib/walinuxagent |
| 61 | + sudo chroot /mnt/dev/$imagedevice/ rm -rf /etc/ walinuxagent.conf |
| 62 | + sudo chroot /mnt/dev/$imagedevice/ rm -rf /var/log/ walinuxagent.log |
| 63 | + ``` |
| 64 | +
|
| 65 | +5. Create a systemd service to provision the VM. |
| 66 | +
|
| 67 | + Since we are removing the Azure Linux Agent, we need to provide a mechanism to report ready. Copy the contents of the bash script or python script located [here](/azure/virtual-machines/linux/no-agent?branch=pr-en-us-247336#add-required-code-to-the-vm) to the mounted image and make the file executable (i.e, grant execute permission on the file - chmod). |
| 68 | + ``` |
| 69 | + sudo chmod +x /mnt/dev/$imagedevice/usr/local/azure-provisioning.sh |
| 70 | + ``` |
| 71 | +
|
| 72 | + To ensure report ready mechanism, create a [systemd service unit](/azure/virtual-machines/linux/no-agent#:~:text=Automating%20running%20the%20code%20at%20first%20boot) |
| 73 | + and add the following to the /etc/systemd/system (this example names the unit file azure-provisioning.service) |
| 74 | + ``` |
| 75 | + sudo chroot /mnt/dev/$imagedevice/ systemctl enable azure-provisioning.service |
| 76 | + ``` |
| 77 | + Now the image is generalized and can be used to create a VM. |
| 78 | +
|
| 79 | +6. Unmount the image. |
| 80 | + ``` |
| 81 | + umount /mnt/dev/$imagedevice |
| 82 | + ``` |
| 83 | +
|
| 84 | + The image prepared does not include Azure Linux Agent anymore. |
| 85 | +
|
| 86 | +7. Use the prepared image to deploy a confidential VM. |
| 87 | +
|
| 88 | + Follow the steps starting from 4 in the [Create a custom image for Azure confidential VM](/azure/confidential-computing/how-to-create-custom-image-confidential-vm) document to deploy the agent-less confidential VM. |
| 89 | +
|
| 90 | +> [!NOTE] |
| 91 | +> If you are looking to deploy cvm scaled scale using the custom image, please note that some features related to auto scaling will be restricted. Will manual scaling rules continue to work as expected, the autoscaling ability will be limited due to the agentless custom image. More details on the restrictions can be found here for the [provisioning agent](/azure/virtual-machines/linux/disable-provisioning). Alternatively, you can navigate to the metrics tab on the azure portal and confirm the same. |
| 92 | +
|
| 93 | +## Next Steps |
| 94 | +
|
| 95 | +[Create a custom image for Azure confidential VM](/azure/confidential-computing/how-to-create-custom-image-confidential-vm) |
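Review bot: the artifact-removal commands in step 4 (hunk lines 61 and 62) have a space between the directory and the file name, `sudo chroot /mnt/dev/$imagedevice/ rm -rf /etc/ walinuxagent.conf` and `sudo chroot /mnt/dev/$imagedevice/ rm -rf /var/log/ walinuxagent.log`, so `rm -rf` receives `/etc/` and `/var/log/` as whole-directory arguments and would wipe the mounted image's entire /etc and /var/log rather than one file each; join the path and name (`/etc/walinuxagent.conf`), drop `-r` for single files, and verify the exact config, state and log paths against the linked disable-provisioning article before merging, since a reader running this step as written on a mounted disk gets an unbootable image. Smaller points in the same hunk: line 6 reads `mms.subservice`, which should be `ms.subservice` or the metadata key is ignored; line 22 runs straight into the `## Prerequisites` heading with no blank line; step 5 says to "add the following to the /etc/systemd/system" but the fenced block that follows only runs `systemctl enable azure-provisioning.service`, so the unit file contents (or at least the file name and an explicit pointer to where the unit text comes from) are missing, and the `chmod +x` on line 69 runs on the host path while the enable runs inside the chroot, which is worth a sentence so readers understand why the two differ; step 6 uses bare `umount` where every other command uses `sudo`; the links on lines 20 and 67 carry a `?branch=pr-en-us-247336` preview query string that should be stripped before publishing; and the closing note on line 91 reads "deploy cvm scaled scale" and "Will manual scaling rules continue to work as expected, the autoscaling ability will be limited", which should be "deploy a CVM scale set" and "While manual scaling rules continue to work as expected, ...".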