I am trying to achieve serial communication from the docker while using azure edge python module, it seems pyserial does not work. it's unable to find the physical device port from the docker.
{
"TestPythonModule": {
"version": "1.0",
"type": "docker",
"status": "running",
"restartPolicy": "always",
"settings": {
"image": "${MODULES.TestPythonModule}",
"createOptions": {
"HostConfig": {
"Devices": [
{
"PathOnHost": "/dev/ttyS0",
"PathInContainer": "/dev/ttyS0",
"CgroupPermissions": "rwm"
}
]
}
}
}
}
}
}
}
have you mapped the serial port into the container via it's create options in your module configuration... something like this:
{
"HostConfig": {
"Devices": [
{
"PathOnHost": "<device name on host machine>",
"PathInContainer": "<device name in container>",
"CgroupPermissions": "rwm"
}
]
}
}
where device name on host machine is something like /dev/ttys0 or whatever the serial port maps to on your machine? (I'm assuming Linux)
Related
I have a VMSS which I deployed using ARM templates. This is the networkProfile block under VMSS resource section.
"networkProfile": {
"networkInterfaceConfigurations": [
{
"name": "[variables('nicName')]",
"properties": {
"primary": true,
"ipConfigurations": [
{
"name": "[concat(variables('VMSSName'), '-ipconfig')]",
"properties": {
"subnet": {
"id": "[variables('subnetRef')]"
},
"applicationGatewayBackendAddressPools": "[variables('AppGatewayBackendAddressPool')]"
}
}
]
}
}
]
},
In Variable section, if I use resourceId() function and provide values from parameters then it does not apply the configuration in VMSS. for example:
"AppGatewayBackendAddressPool": "[resourceId(parameters('VirtualNetworkResourceGroup'),'Microsoft.Network/applicationGateways/backendAddressPools', parameters('ApplicationGatewayName'), parameters('BackendAddressPool'))]",
I've also tried adding parameters('SubscriptionName') but the result is same.
"AppGatewayBackendAddressPool": "[resourceId(parameters('SubscriptionName') ,parameters('VirtualNetworkResourceGroup'),'Microsoft.Network/applicationGateways/backendAddressPools', parameters('ApplicationGatewayName'), parameters('BackendAddressPool'))]",
When I declare variable like below then it applies backendAddressPool configuration in Networking -> Load Balancing.
"AppGatewayBackendAddressPool": [
{ "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/applicationGateways/<applicationGatewayName>/backendAddressPools/<backendAddressPool>" }
],
Similar I'm doing with subnetRef like below and that is working fine.
"subnetRef": "[resourceId(parameters('VirtualNetworkResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('VirtualNetworkName'), parameters('SubnetName'))]",
I want to parametrize the deployment by defining separate parameters.json file so I can attach applicationGatewayBackendAddressPools with different virtual machine scale sets.
This is how I achieved it by following Ked Mardemootoo answer.
IP configuration section under networkProfile of VMSS resource.
"ipConfigurations": [
{
"name": "[concat(variables('VMSSName'), '-ipconfig')]",
"properties": {
"subnet": {
"id": "[variables('subnetRef')]"
},
"applicationGatewayBackendAddressPools": [
{ "id": "[concat(parameters('AapplicationGatewayExternalid'), '/backendAddressPools/', parameters('BackendAddressPool'))]" }
]
}
}
]
Template file parameters:
"BackendAddressPool": {
"type": "string",
"metadata": {
"description": "Backend pool to host blue/green vmss."
}
},
"AapplicationGatewayExternalid": {
"type": "string",
"metadata": {
"description": "Application Gateway Id."
}
}
Now, ARM template is calling and referencing applicationGatewayBackendAddressPools attribute dynamically under VMSS' resource section.
I have these two parameters in parameters.json file where I can define values according to environment.
"BackendAddressPool": {
"value": "<backendPoolName>"
},
"AapplicationGatewayExternalid": {
"value": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/applicationGateways/<ApplicationGatewayName>"
}
Overriding template variables in release pipeline vars:
overriding template vars
Defining in pipeline vars
pipeline var
You seem to be missing the concat in the variables. Looking at the raw json on my end, this is how it's configured. See if you can do something similar, and convert the subnet name and backend address pool to variables.
"ipConfigurations": [
{
"name": "ip-vmss-name",
"properties": {
"primary": true,
"subnet": {
"id": "[concat(parameters('virtualNetworks_vnet_externalid'), '/subnets/snet-vm')]"
},
"privateIPAddressVersion": "IPv4",
"applicationGatewayBackendAddressPools": [
{
"id": "[concat(parameters('applicationGateways_agw_1_externalid'), '/backendAddressPools/be-addr-pool-vmss-1')]"
}
]
}
}
]
Nothing seems wrong with your variables/parameters call but applicationGatewayBackendAddressPools is not a valid attribute for neither VMSS nor Application Gateway.
You can do it check AKS and Application Gateway documentations. I achieve the same goal by setting backendAddressPools, which is in Application Gateway section, in different parameters.json files.
I'm trying to deploy a Windows-based Container from a private repository within an Azure Container Instance using the Azure Portal and I'm not sure whether I use the "Command override" at the "Advanced" section properly (probably I do not). The thing is I've to pass an argument during runtime, which sets the value of a License Server, so that a specific application, which needs to establish a connection to the License Server, can start up.
In general, the run command for the container would look like:
docker run IMAGE:TAG -LicenseServer Port#Host
My entrypoint within the Dockerfile is a Powershell Script "Start.ps1", which requests the corresponding value of the mentioned License Server.
I've read the manual and therefore I've inserted following string to override and to pass the argument:
[ "cmd", "Start.ps1", "-LicenseServer", "<Port>#<Hostname>"]
After deploying the ACI, the Container gets the state "running" for a few seconds, after that, it's terminated again. According to logs, it didn't work anyway.
So I wonder, what would be the proper way to deploy the container to get it running?
Thank you a lot in advance!
In addition to my question, to get more context:
ACI was created within Azure Portal:
I've used following settings see JSON view:
{
"properties": {
"sku": "Standard",
"provisioningState": "Succeeded",
"containers": [
{
"name": "<name>",
"properties": {
"image": "<image name>",
"command": [
"powershell",
"Start.ps1",
"-LicenseServer",
"<port>#<host>"
],
"ports": [
{
"protocol": "TCP",
"port": 80
}
],
"environmentVariables": [],
"instanceView": {
"restartCount": 1,
"currentState": {
"state": "Terminated",
"finishTime": "2021-04-28T06:06:22.2263538Z",
"detailStatus": "Container stopped per client request"
},
"previousState": {
"state": "Waiting",
"detailStatus": "CrashLoopBackOff: Back-off restarting failed"
}
},
"resources": {
"requests": {
"memoryInGB": 8,
"cpu": 1
}
}
}
}
],
"initContainers": [],
"imageRegistryCredentials": [
{
"server": "<login server>",
"username": "<user>"
}
],
"restartPolicy": "OnFailure",
"ipAddress": {
"ports": [
{
"protocol": "TCP",
"port": 80
}
],
"type": "Public",
"dnsNameLabel": "mycontainerdns",
"fqdn": "mycontainerdns.westeurope.azurecontainer.io"
},
"osType": "Windows",
"instanceView": {
"events": [],
"state": "Stopped"
}
},
"id": "/subscriptions/<subscription id>",
"name": "<aci name>",
"type": "Microsoft.ContainerInstance/containerGroups",
"location": "westeurope",
"tags": {}
}
Actually, the cmd just tell you when you need to connect to the windows container instance, you need to use the command:
az container exec -g resource_group_name -n container_group_name --container-name container_name --exec-command "cmd"
But when you want to overwrite the CMD command, you need to pass the arguments like this:
["powershell", "Start.ps1", "-LicenseServer", "<Port>#<Hostname>"]
It means you need to execute the Powershell script in the cmd terminal.
I finally found the solution. The command string, provided within "Command override" was wrong.
I've tried several versions, but it now worked with following:
[ "powershell", "C:/Windows/Scripts/Start.ps1", "-LicenseServer", "<port>#<host>" ]
Now I get logs and the running state of the container within the ACI deployment.
Before, I've tried as suggested in the first answer: (among others)
["powershell", "Start.ps1", "-LicenseServer", "<Port>#<Hostname>"]
But that seems not to work within ACI, as "Start.ps1" script couldn't be found ALTHOUGH I've set the working directory within the Dockerfile and of course it works within my Rancher deployment (by just providing "-LicenseServer PortatHost").
So, as conclusion you've to provide the full path to your file when it serves as Entrypoint within the Container.
Thank you a lot anyway for your help!
I have the following policy that I wish to implement in my IaC code scan using tfsec:
Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)
The below is my custom check in .json format:
{
"checks":
[
{
"code": "CUS003",
"description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
"requiredTypes":
[
"resource"
],
"requiredLabels":
[
"google_compute_firewall"
],
"severity": "WARNING",
"matchSpec":
{
"name": "CUS003_matchSpec_name",
"action": "and",
"predicateMatchSpec":
[
{
"name": "source_ranges",
"action": "contains",
"value": "0.0.0.0/0"
},
{
"name": "ports",
"action": "contains",
"value": "23"
}
]
},
"errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
"relatedLinks":
[
"https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
]
}
]
}
I have tried using "not", "notContains", "equals", a combination of "subMatch" and/or "predicateMatchSpec" but nothing worked.
To test it out I have purposefully created firewall rules that should fail and others that should pass the checks. When I get check failures, it's for all rules, not just a few ones. Similarly when I get check passes, it's for all rules, not just a few ones.
Docs that might be useful: tfsec custom checks
Any help is appreciated. Unfortunately "tfsec" isn't a tag so I am hoping it's a terraform issue that I am facing.
I think now looking at it formatted its clear that source_ranges is a child of the google_compute_firewall resource. The ports attribute is a child of the allow. Your check is assuming that ports is a sibling of source_ranges.
I think this check is achievable with the following - it does a predicate check that there is source_range as required AND there is a block called allow, with an attribute ports containing 23
{
"checks": [
{
"code": "CUS003",
"description": "Custom Check: GCP Firewall rule allows all traffic on Telnet port (23)",
"requiredTypes": [
"resource"
],
"requiredLabels": [
"google_compute_firewall"
],
"severity": "WARNING",
"matchSpec": {
"action": "and",
"predicateMatchSpec": [
{
"name": "source_ranges",
"action": "contains",
"value": "0.0.0.0/0"
},
{
"name": "allow",
"action": "isPresent",
"subMatch": {
"name": "ports",
"action": "contains",
"value": "23",
"ignoreUndefined": true
}
}
]
},
"errorMessage": "[WARNING] GCP Firewall rule allows all traffic on Telnet port (23)",
"relatedLinks": [
"https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall"
]
}
]
}
I've tested it against the following body
resource "google_compute_firewall" "default" {
name = "test-firewall"
network = google_compute_network.default.name
allow {
protocol = "tcp"
ports = ["23", "8080", "1000-2000"]
}
source_ranges = ["0.0.0.0/0"]
source_tags = ["web"]
}
resource "google_compute_network" "default" {
name = "test-network"
}
I am considering the use of Microsoft monitoring agent to collect some log records from log files on the system and send them to a log analytics workspace.
Is there a way specifying target files(custom log files) the agent would listen to and stream the logs directly to azure workspace.
I know this is possible to do through azure portal by adding an additional data source in the workspace(as specified by this link https://learn.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs).
I am looking for a way to configure these data sources from c# code/powershell script.(possibily api or sdk that i am not aware of ).
To add custom logs Use New-AzOperationalInsightsCustomLogDataSource.
Here are theother powershell commandlets which can be handy to query and create LogAnalytics Datasource.
get-azoperationalinsightsdatasource
New-AzOperationalInsightsApplicationInsightsDataSource
New-AzOperationalInsightsAzureActivityLogDataSource
New-AzOperationalInsightsComputerGroup
New-AzOperationalInsightsCustomLogDataSource
New-AzOperationalInsightsLinuxPerformanceObjectDataSource
New-AzOperationalInsightsLinuxSyslogDataSource
New-AzOperationalInsightsSavedSearch
New-AzOperationalInsightsStorageInsight
New-AzOperationalInsightsWindowsEventDataSource
New-AzOperationalInsightsWindowsPerformanceCounterDataSource
https://learn.microsoft.com/en-us/powershell/module/az.operationalinsights/get-azoperationalinsightsdatasource?view=azps-2.7.0
Also find the link for the Log analytics Rest API's which can be used easily with C# code.
https://learn.microsoft.com/en-us/rest/api/loganalytics/
https://learn.microsoft.com/en-us/rest/api/loganalytics/datasources/createorupdate
Powershell
Custom Log to collect
Link : https://learn.microsoft.com/en-us/azure/azure-monitor/platform/powershell-workspace-configuration
$CustomLog = #"
{
"customLogName": "sampleCustomLog1",
"description": "Example custom log datasource",
"inputs": [
{
"location": {
"fileSystemLocations": {
"windowsFileTypeLogPaths": [ "e:\\iis5\\*.log" ],
"linuxFileTypeLogPaths": [ "/var/logs" ]
}
},
"recordDelimiter": {
"regexDelimiter": {
"pattern": "\\n",
"matchIndex": 0,
"matchIndexSpecified": true,
"numberedGroup": null
}
}
}
],
"extractions": [
{
"extractionName": "TimeGenerated",
"extractionType": "DateTime",
"extractionProperties": {
"dateTimeExtraction": {
"regex": null,
"joinStringRegex": null
}
}
}
]
}
"#
# Custom Logs
New-AzOperationalInsightsCustomLogDataSource -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -CustomLogRawJson "$CustomLog" -Name "Example Custom Log Collection"
ARM Template
For the Arm template format for the custom logs will be as below. See the detailed link https://learn.microsoft.com/en-us/azure/azure-monitor/platform/template-workspace-configuration
{
"apiVersion": "2015-11-01-preview",
"type": "dataSources",
"name": "[concat(parameters('workspaceName'), parameters('customlogName'))]",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
"kind": "CustomLog",
"properties": {
"customLogName": "[parameters('customlogName')]",
"description": "this is a description",
"extractions": [
{
"extractionName": "TimeGenerated",
"extractionProperties": {
"dateTimeExtraction": {
"regex": [
{
"matchIndex": 0,
"numberdGroup": null,
"pattern": "((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9]"
}
]
}
},
"extractionType": "DateTime"
}
],
"inputs": [
{
"location": {
"fileSystemLocations": {
"linuxFileTypeLogPaths": null,
"windowsFileTypeLogPaths": [
"[concat('c:\\Windows\\Logs\\',parameters('customlogName'))]"
]
}
},
"recordDelimiter": {
"regexDelimiter": {
"matchIndex": 0,
"numberdGroup": null,
"pattern": "(^.*((\\d{2})|(\\d{4}))-([0-1]\\d)-(([0-3]\\d)|(\\d))\\s((\\d)|([0-1]\\d)|(2[0-4])):[0-5][0-9]:[0-5][0-9].*$)"
}
}
}
]
}
}
I want to create a virtual machine that anyone can launch using the ARM REST API.
How do I do that? I cannot find instructions.
Apparently it is possible to create public virtual machine images here: https://vmdepot.msopentech.com/help/contribute/vhd.html/
There are a couple of ways you could do this. Presuming you have got a website / application etc at the frontend, and it is simply the backend communication you're looking for.
Prerequisites
The option here presumes that you have an active Microsoft Azure account, and are able to create a VM there via the portal. Once you are at a stage that you can do that, you can use the REST API to create a machine instead.
Option 1
You can either use the REST API to directly create a VM by PUTing a request to this URI -
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Compute/virtualMachines/{vm-name}?validating={true|false}&api-version={api-version}
You would need to attach a JSON document to that request that would define the machine you are creating.
{
"id":"/subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Compute/virtualMachines/myvm1",
"name":"myvm1",
"type":"Microsoft.Compute/virtualMachines",
"location":"westus",
"tags": {
"department":"finance"
},
"properties": {
"availabilitySet": {
"id":"/subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Compute/availabilitySets/myav1"
},
"hardwareProfile": {
"vmSize":"Standard_A0"
},
"storageProfile": {
"imageReference": {
"publisher":"MicrosoftWindowsServerEssentials",
"offer":"WindowsServerEssentials",
"sku":"WindowsServerEssentials",
"version":"latest"
},
"osDisk": {
"name":"myosdisk1",
"vhd": {
"uri":"http://mystorage1.blob.core.windows.net/vhds/myosdisk1.vhd"
},
"caching":"ReadWrite",
"createOption":"FromImage"
},
"dataDisks": [ {
"name":"mydatadisk1",
"diskSizeGB":"1",
"lun": 0,
"vhd": {
"uri" : "http://mystorage1.blob.core.windows.net/vhds/mydatadisk1.vhd"
},
"createOption":"Empty"
} ]
},
"osProfile": {
"computerName":"myvm1",
"adminUsername":"username",
"adminPassword":"password",
"customData":"",
"windowsConfiguration": {
"provisionVMAgent":true,
"winRM": {
"listeners": [ {
"protocol": "https",
"certificateUrl": "url-to-certificate"
} ]
},
"additionalUnattendContent": {
"pass":"oobesystem",
"component":"Microsoft-Windows-Shell-Setup",
"settingName":"FirstLogonCommands|AutoLogon",
"content":"<XML unattend content>"
}
"enableAutomaticUpdates":true
},
"secrets":[ {
"sourceVault": {
"id": "/subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.KeyVault/vaults/myvault1"
},
"vaultCertificates": [ {
"certificateUrl": "https://myvault1.vault.azure.net/secrets/{secretName}/{secretVersion}"
"certificateStore": "{certificateStoreName}"
} ]
} ]
},
"networkProfile": {
"networkInterfaces": [ {
"id":"/subscriptions/{subscription-id}/resourceGroups/myresourceGroup1/providers /Microsoft.Network/networkInterfaces/mynic1"
} ]
}
}
}
More details about the authentication and parameters can be found at the Azure Virtual Machine Rest documentation - Create or update a virtual machine
Option 2
Alternatively you can create an Azure Resource Manager Template, such as 101-vm-simple-linux on Azure's Github template repository
Once you have a template defined for the VM you want to deploy you can PUT another request to this URI
https://management.azure.com/subscriptions/{subscription-id}/resourcegroups/{resource-group-name}/providers/microsoft.resources/deployments/{deployment-name}?api-version={api-version}
If you copy that template file to an Azure blob, along with another file specifying any parameters it needs, and send this JSON document with the PUT request
{
"properties": {
"templateLink": {
"uri": "http://mystorageaccount.blob.core.windows.net/templates/template.json",
"contentVersion": "1.0.0.0",
},
"mode": "Incremental",
"parametersLink": {
"uri": "http://mystorageaccount.blob.core.windows.net/templates/parameters.json",
"contentVersion": "1.0.0.0",
}
}
}
You can find the documentation for this at - Create a template deployment
This is to elaborate on #Michael B's answer: To discover what images are available, you can use the VMDepot -- of course -- or you can query for all the marketplace images. Look at the publishers list first, and then from there you can decide which images you would like.
The URN value you discover will be the one you want to use in your REST call. Hope this helps...