Switch to Azure CVMs

Otto Bittner 2022-07-27 09:46:32 +02:00 committed by Malte Poll
parent 29a1b5de42
commit 0892525915
7 changed files with 22 additions and 47 deletions


@ -2,46 +2,8 @@ package azure
// InstanceTypes are valid Azure instance types. // InstanceTypes are valid Azure instance types.
var InstanceTypes = []string{ var InstanceTypes = []string{
// Trusted Launch (2nd Generation AMD EPYC 7452 or 3rd Generation EPYC 7763v processors) // CVMs (3rd Generation EPYC 7763v processors)
// Dav4-series // DCasv5-series
"Standard_D2a_v4",
"Standard_D4a_v4",
"Standard_D8a_v4",
"Standard_D16a_v4",
"Standard_D32a_v4",
"Standard_D48a_v4",
"Standard_D64a_v4",
"Standard_D96a_v4",
// Dasv4-series
"Standard_D2as_v4",
"Standard_D4as_v4",
"Standard_D8as_v4",
"Standard_D16as_v4",
"Standard_D32as_v4",
"Standard_D48as_v4",
"Standard_D64as_v4",
"Standard_D96as_v4",
// Eav4-series
"Standard_E2a_v4",
"Standard_E4a_v4",
"Standard_E8a_v4",
"Standard_E16a_v4",
"Standard_E32a_v4",
"Standard_E48a_v4",
"Standard_E64a_v4",
"Standard_E96a_v4",
// Easv4-series
"Standard_E2as_v4",
"Standard_E4as_v4",
"Standard_E8as_v4",
"Standard_E16as_v4",
"Standard_E20as_v4",
"Standard_E32as_v4",
"Standard_E48as_v4",
"Standard_E64as_v4",
"Standard_E96as_v4",
// CVMs (not supported yet, 3rd Generation EPYC 7763v processors)
/* // DCasv5-series
"Standard_DC2as_v5", "Standard_DC2as_v5",
"Standard_DC4as_v5", "Standard_DC4as_v5",
"Standard_DC8as_v5", "Standard_DC8as_v5",
@ -78,5 +40,5 @@ var InstanceTypes = []string{
"Standard_EC32ads_v5", "Standard_EC32ads_v5",
"Standard_EC48ads_v5", "Standard_EC48ads_v5",
"Standard_EC64ads_v5", "Standard_EC64ads_v5",
"Standard_EC96ads_v5", */ "Standard_EC96ads_v5",
} }
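Review bot: The doc comment on `InstanceTypes` still says only "valid Azure instance types", but after this change the slice is a deliberate allowlist of Confidential VM sizes, and if it gates what may be deployed together with `SecurityTypesConfidentialVM`, a non-CVM size added here later would either fail at deployment or, if Azure falls back, yield a node without SEV-SNP isolation. Suggest `// InstanceTypes are the Azure VM sizes that support Confidential VMs (AMD SEV-SNP, 3rd Gen EPYC). Only CVM-capable sizes belong here; Trusted Launch-only sizes are no longer accepted.` in place of the current one-liner. The family comment for the `Standard_EC*ads_v5` entries lies in the unshown part of the hunk, so I can only infer that it carries the same note.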


@ -68,6 +68,14 @@ func (s ScaleSet) Azure() armcomputev2.VirtualMachineScaleSet {
}, },
}, },
}, },
OSDisk: &armcomputev2.VirtualMachineScaleSetOSDisk{
ManagedDisk: &armcomputev2.VirtualMachineScaleSetManagedDiskParameters{
SecurityProfile: &armcomputev2.VMDiskSecurityProfile{
SecurityEncryptionType: to.Ptr(armcomputev2.SecurityEncryptionTypesVMGuestStateOnly),
},
},
CreateOption: to.Ptr(armcomputev2.DiskCreateOptionTypesFromImage),
},
}, },
NetworkProfile: &armcomputev2.VirtualMachineScaleSetNetworkProfile{ NetworkProfile: &armcomputev2.VirtualMachineScaleSetNetworkProfile{
NetworkInterfaceConfigurations: []*armcomputev2.VirtualMachineScaleSetNetworkConfiguration{ NetworkInterfaceConfigurations: []*armcomputev2.VirtualMachineScaleSetNetworkConfiguration{
@ -103,8 +111,8 @@ func (s ScaleSet) Azure() armcomputev2.VirtualMachineScaleSet {
}, },
}, },
SecurityProfile: &armcomputev2.SecurityProfile{ SecurityProfile: &armcomputev2.SecurityProfile{
SecurityType: to.Ptr(armcomputev2.SecurityTypesTrustedLaunch), SecurityType: to.Ptr(armcomputev2.SecurityTypesConfidentialVM),
UefiSettings: &armcomputev2.UefiSettings{VTpmEnabled: to.Ptr(true)}, UefiSettings: &armcomputev2.UefiSettings{VTpmEnabled: to.Ptr(true), SecureBootEnabled: to.Ptr(false)},
}, },
DiagnosticsProfile: &armcomputev2.DiagnosticsProfile{ DiagnosticsProfile: &armcomputev2.DiagnosticsProfile{
BootDiagnostics: &armcomputev2.BootDiagnostics{ BootDiagnostics: &armcomputev2.BootDiagnostics{
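Review bot: `SecureBootEnabled: to.Ptr(false)` on the new UefiSettings line switches Secure Boot off on a Confidential VM without a comment saying why, and the pairing with `SecurityEncryptionTypesVMGuestStateOnly` in the new OSDisk block is equally undocumented. As I read the SDK enum names, VMGuestStateOnly encrypts only the VM guest state (vTPM state, UEFI variables) under the CVM's key and leaves the OS disk itself under ordinary platform encryption, and with Secure Boot off the trust in the boot chain rests entirely on someone verifying the vTPM measurements; both are defensible for a custom, unsigned image but should be stated where the next reader will look. Suggest above the OSDisk block `// VMGuestStateOnly: only the VMGS (vTPM state, UEFI vars) is CVM-encrypted; the OS disk is not — boot integrity comes from measured boot + remote attestation, not disk encryption.` and on the UefiSettings line `// Secure Boot stays off (custom image is unsigned — TODO confirm); boot integrity is attested via vTPM PCRs instead.` The Azure() method starts and ends outside this hunk.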


@ -88,7 +88,7 @@ func TestFirewallPermissions(t *testing.T) {
// Verify vTPM // Verify vTPM
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile) require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile)
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType) require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType)
assert.Equal(armcomputev2.SecurityTypesTrustedLaunch, *scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType) assert.Equal(armcomputev2.SecurityTypesConfidentialVM, *scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.SecurityType)
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings) require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings)
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled) require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled)
assert.True(*scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled) assert.True(*scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled)
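Review bot: The updated test pins `SecurityTypesConfidentialVM` and `VTpmEnabled` but not the two other security-relevant settings this commit introduces, so a later change that flips `SecureBootEnabled` or drops the OS-disk `SecurityEncryptionType` would pass unnoticed. The `// Verify vTPM` comment is also narrower than what follows it now; `// Verify CVM security profile` fits better. Add assertions for both settings after the existing ones; the OSDisk path below assumes it hangs off `StorageProfile` as in the armcompute SDK — adjust if the struct is nested differently. TestFirewallPermissions starts and ends outside this hunk.
```go
// … unchanged: existing SecurityType / VTpmEnabled assertions …
require.NotNil(scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled)
assert.False(*scaleSetAzure.Properties.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled)
osDisk := scaleSetAzure.Properties.VirtualMachineProfile.StorageProfile.OSDisk
require.NotNil(osDisk)
require.NotNil(osDisk.ManagedDisk)
require.NotNil(osDisk.ManagedDisk.SecurityProfile)
require.NotNil(osDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType)
assert.Equal(armcomputev2.SecurityEncryptionTypesVMGuestStateOnly, *osDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType)
```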


@ -101,7 +101,7 @@ az image create -g ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} -n ${AZURE_IM
echo "Creating Azure Shared Image Gallery." echo "Creating Azure Shared Image Gallery."
az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME} az sig create -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --resource-group ${AZURE_RESOURCE_GROUP_NAME}
echo "Creating Image Definition." echo "Creating Image Definition."
az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=TrustedLaunch az sig image-definition create --resource-group ${AZURE_RESOURCE_GROUP_NAME} -l ${AZURE_REGION} --gallery-name ${AZURE_GALLERY_NAME} --gallery-image-definition ${AZURE_IMAGE_DEFINITION} --publisher ${AZURE_PUBLISHER} --offer ${AZURE_IMAGE_OFFER} --sku ${AZURE_SKU} --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported
echo "Retrieving image ID." echo "Retrieving image ID."
AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r) AZURE_IMAGE_ID=$(az image list --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output json | jq -r)
echo "Image ID is ${AZURE_IMAGE_ID}" echo "Image ID is ${AZURE_IMAGE_ID}"
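Review bot: `--features SecurityType=ConfidentialVmSupported` has to agree with the encryption type the scale set requests, and nothing in the script records that coupling. As far as I can tell from Azure's documentation, ConfidentialVmSupported is the value for images deployed with VMGuestStateOnly disk encryption, whereas an OS disk that is itself CVM-encrypted needs a ConfidentialVM image definition, so a future switch on the scale-set side would silently require a change here too. A comment before the command such as `# ConfidentialVmSupported must match SecurityEncryptionType=VMGuestStateOnly in the scale-set template; a CVM-encrypted OS disk needs SecurityType=ConfidentialVM instead` would keep the two from drifting apart. I also believe features of an existing image definition cannot be changed in place, so a gallery that already holds a TrustedLaunch definition under `${AZURE_IMAGE_DEFINITION}` needs a new definition name before this script publishes a CVM-capable image — worth a note in the script, and verify the create call fails loudly in that case.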


@ -150,7 +150,7 @@ upload-azure: $(AZURE_IMAGE_PATH)
@echo "Create shared image gallery (if it does not exist yet)" @echo "Create shared image gallery (if it does not exist yet)"
-az sig create -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --resource-group $(AZURE_RESOURCE_GROUP_NAME) -az sig create -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --resource-group $(AZURE_RESOURCE_GROUP_NAME)
@echo "Create image definition (if it does not exist yet)" @echo "Create image definition (if it does not exist yet)"
-az sig image-definition create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --publisher $(AZURE_PUBLISHER) --offer $(AZURE_IMAGE_OFFER) --sku $(AZURE_SKU) --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=TrustedLaunch -az sig image-definition create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --publisher $(AZURE_PUBLISHER) --offer $(AZURE_IMAGE_OFFER) --sku $(AZURE_SKU) --os-type Linux --os-state generalized --hyper-v-generation V2 --features SecurityType=ConfidentialVmSupported
az sig image-version create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --gallery-image-version $(AZURE_IMAGE_VERSION) --target-regions $(AZURE_REGION) --replica-count 1 --tags bootstrapper-sha512=$$(sha512sum $(BOOTSTRAPPER_OVERRIDE_PATH) | cut -d " " -f 1) --managed-image "$$(az image list --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)'] | [0].id" --output json | jq -r)" az sig image-version create --resource-group $(AZURE_RESOURCE_GROUP_NAME) -l $(AZURE_REGION) --gallery-name $(AZURE_GALLERY_NAME) --gallery-image-definition $(AZURE_IMAGE_DEFINITION) --gallery-image-version $(AZURE_IMAGE_VERSION) --target-regions $(AZURE_REGION) --replica-count 1 --tags bootstrapper-sha512=$$(sha512sum $(BOOTSTRAPPER_OVERRIDE_PATH) | cut -d " " -f 1) --managed-image "$$(az image list --query "[?name == '$(AZURE_IMAGE_NAME)' && resourceGroup == '$(AZURE_RESOURCE_GROUP_NAME)'] | [0].id" --output json | jq -r)"
@echo "Cleaning up resources" @echo "Cleaning up resources"
az image delete --resource-group $(AZURE_RESOURCE_GROUP_NAME) -n $(AZURE_IMAGE_NAME) az image delete --resource-group $(AZURE_RESOURCE_GROUP_NAME) -n $(AZURE_IMAGE_NAME)
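Review bot: The leading `-` on the `az sig image-definition create` line makes make ignore its failure, which was fine when the only expected failure was "already exists", but after this commit an existing definition created with the old `SecurityType=TrustedLaunch` features is left untouched as well, and the following `az sig image-version create` then publishes the CVM image into a TrustedLaunch-only definition without any error. Either bump `AZURE_IMAGE_DEFINITION` so a fresh definition is created, or drop the `-` and precede the create with an `az sig image-definition show --query "features[?name=='SecurityType'].value" -o tsv | grep -q ConfidentialVmSupported` check so that a stale definition fails the target instead of being reused. I am inferring the in-place update restriction from Azure's behaviour for gallery image definition features, so confirm it before relying on it.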


@ -170,7 +170,7 @@ func (s *Server) IssueRejoinTicket(ctx context.Context, req *joinproto.IssueRejo
// getK8sVersion reads the k8s version from a VolumeMount that is backed by the k8s-version ConfigMap. // getK8sVersion reads the k8s version from a VolumeMount that is backed by the k8s-version ConfigMap.
func (s *Server) getK8sVersion() (string, error) { func (s *Server) getK8sVersion() (string, error) {
fileContent, err := s.file.Read(filepath.Join(constants.ServiceBasePath, "k8s-version")) fileContent, err := s.file.Read(filepath.Join(constants.ServiceBasePath, constants.K8sVersion))
if err != nil { if err != nil {
return "", fmt.Errorf("could not read k8s version file: %v", err) return "", fmt.Errorf("could not read k8s version file: %v", err)
} }


@ -114,3 +114,8 @@ Ubuntu currently ships swtpm 0.6.3 so you need to install swtpm [from launchpad]
```shell-session ```shell-session
sudo chown -R swtpm:root /var/lib/swtpm-localca sudo chown -R swtpm:root /var/lib/swtpm-localca
``` ```
## Misc
- List all domains: `virsh list --all`
- Destroy domain with nvram: `virsh undefine --nvram <name>`