
Discussion on Automated Deployment and Operations in Azure

2025-01-20 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This time, let's talk about how to meet some simple automated operations requirements in Azure. Automated operations are usually implemented with third-party tool platforms. Popular ones include the long-established Chef and Puppet and the newer PowerShell DSC and Ansible. Most readers will have heard of these.

So how to achieve automated deployment and operation and maintenance on the Azure platform?

There are in fact many methods. The first is the more traditional one: keep using Chef, Ansible and similar tool platforms for automated operations, which preserves existing experience without learning any new technology.

Azure offers a lot of technical support for this approach, and images for these tools can be found in the marketplace.

Many related extensions can also be found among the VM's extensions.

This should be the easiest way for those who are already familiar with these tools.

Beyond that, there are other methods that can handle simple automated operations and deployment, and for simple requirements they are worth considering. For example, several Windows VM servers need to join the same domain, or several web servers need the same software or roles installed. For relatively simple requirements like these, you can use the Custom Script Extension that comes with Azure.

For example, joining multiple VMs to a domain is usually done by pushing scripts in batches or by hand. In Azure we do not need to log in to any VM. The join can be done from outside, as long as there is network connectivity between the VM being joined and the DC, and DNS can resolve the domain name normally.

For example, we now have a DC and two web servers, web01 and web02, and two requirements:

1. Join two servers to the domain

2. Install the IIS role on two servers

For the first requirement, we can use the JsonADDomainExtension that comes with Azure. We only need to provide a domain credential and a domain name to join the server to the domain. The command is also very simple.

Run the following command directly in PowerShell, replacing the placeholders with the actual values:

Set-AzureRmVMADDomainExtension -DomainName <domain name> -Credential <credential> -Restart -ResourceGroupName <resource group name> -VMName <VM name> -Name <extension name> -TypeHandlerVersion "1.3" -JoinOption 3

This raises another problem: if the credential is written in the script, it will most likely be in clear text, which is unacceptable. How can we keep the credential secure? One way is to use Get-Credential, which stores the account password in a variable in encrypted form. But that requires some human involvement during the domain join. Alternatively, with Azure's Key Vault service, the account name and password can be saved in Key Vault and retrieved through PowerShell.

Azure Key Vault is a tool for securely storing and accessing secrets. Critical information such as API keys, passwords, or certificates can be saved in Azure Key Vault. For example, we can save the account name and password of a domain account that has permission to join machines to the domain in Key Vault, retrieve this information through PowerShell, and use it as the credential for the domain join.

Creating a key vault is very simple. First, select the Key Vault service in Azure and click Add.

Enter some basic information here, such as the vault name, location, etc.

After the vault is created, since we want to protect some plaintext information, we only need to select Secrets. If you want to store a certificate, you can also select Certificates and generate a secret.

After that, enter the domain username and the domain password as two separate secrets.

You can see that this information is encrypted in Key Vault. You can then get these values through the PowerShell command Get-AzureKeyVaultSecret.

Run Get-AzureKeyVaultSecret -VaultName mxytestvault -Name domainuser to see information about this secret.

If you read the SecretValue property of this secret, you will see that it is an encrypted string (a SecureString).

If you want the plaintext, read the SecretValueText property.

In this way, unattended deployment can be achieved while ensuring the security of information.

Let's take a look at how to combine key vault and vm extension to automate deployment operations.

Assuming that the VMs to be joined to the domain are all in one resource group, the following script joins every VM in that resource group to the domain directly.

The script reads as follows:

Param (
    [parameter(Mandatory = $true)]
    [string]$RGName,                       # resource group name

    [parameter(Mandatory = $false)]
    [string]$vaultname = "mxytestvault",   # Azure Key Vault name

    [parameter(Mandatory = $false)]
    [string]$Domain = "mxyo365.com"        # domain name to join
)

function Join-Domain {
    param (
        [Parameter(Mandatory = $true)]
        $RGName,
        [Parameter(Mandatory = $true)]
        $VMName,
        [Parameter(Mandatory = $true)]
        $Cred
    )

    # filter dc vms
    if ($VMName -notlike "*DC*") {
        # Get Azure vm
        $vm = Get-AzureRmVM -ResourceGroupName $RGName -Name $VMName -ErrorAction SilentlyContinue
        if ($vm -ne $null) {
            $ExtensionName = $VMName + (Get-Random -Minimum 1 -Maximum 100)
            try {
                # join domain with Azure domain extension
                # ($Domain is read from the script-level parameter)
                $Error.Clear()
                Write-Output "Setting domain join extension for vm $VMName Extension name:$ExtensionName"
                Set-AzureRmVMADDomainExtension -DomainName $Domain -Credential $Cred -Restart -ResourceGroupName $RGName -VMName $VMName -Name $ExtensionName -TypeHandlerVersion "1.3" -JoinOption 3
            }
            catch {
                Write-Output $Error[0].Exception.Message
            }
        }
        else {
            Write-Output "VM $VMName does not exist."
        }
    }
}

# Get secret with PowerShell
# The user name is read as plain text; the password stays a SecureString (SecretValue)
$domainuname = (Get-AzureKeyVaultSecret -VaultName $vaultname -Name domainuser).SecretValueText
Write-Output "Get username from vault $vaultname"
$domainfulluname = "$domainuname@$Domain"
$domainpwd = (Get-AzureKeyVaultSecret -VaultName $vaultname -Name domainpassword).SecretValue
Write-Output "Get password from vault $vaultname"

# Create credential with secret
$DomainCred = New-Object System.Management.Automation.PSCredential ($domainfulluname, $domainpwd)

# Get VMs
$VMS = Get-AzureRmVM -ResourceGroupName $RGName
foreach ($VM in $VMS) {
    Join-Domain -RGName $RGName -VMName $VM.Name -Cred $DomainCred
}

When the script runs, you only need to specify the resource group name, vault name, and the domain name to join.

.\RGJoinDomain.ps1 -RGName test -vaultname mxytestvault -Domain mxyo365.com

You can see from the output that the extension was installed successfully on web01 and web02.

After logging in to VM, you can see that WEB01 and WEB02 have been joined to the domain

After joining the domain, if you want to install roles such as IIS, or software, you can do it through an Azure VM extension. The method is very simple. Here is the script that installs the IIS role through an extension.

Param (
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [Alias('VMName')]
    [string]$Name,

    [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [string]$ResourceGroupName
)

begin {
    Write-Output "Start to install IIS for vms"
}

process {
    try {
        $ExtensionName = $Name + "-IIS-" + (Get-Random -Minimum 1 -Maximum 100)
        Write-Output "Trying to install iis for vm $Name Extension name:$ExtensionName"
        $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $Name -ErrorAction Stop
        # The single-quoted JSON is passed as-is; $($env:computername) is evaluated on the VM
        Set-AzureRmVMExtension `
            -ResourceGroupName $ResourceGroupName `
            -ExtensionName $ExtensionName `
            -VMName $Name `
            -Publisher Microsoft.Compute `
            -ExtensionType CustomScriptExtension `
            -TypeHandlerVersion 1.4 `
            -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}' `
            -Location $vm.Location
    }
    catch {
        Write-Warning $_
    }
}

end {}

This script supports pipeline input and is very convenient to run. For example, to install IIS on servers whose names contain "web", filter out these servers first, then pass them through the pipeline to the install-iis script, which installs IIS through the extension.

Get-AzureRmVM -ResourceGroupName test | ? {$_.Name -like "*web*"} | .\install-iis.ps1

After installing IIS, the script adds the computer name to the default page. When you access the computer's public network IP, you can see that the computer's name can already be displayed.
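An added example, not from the original article: the JSON passed to -SettingString is public extension configuration, so a command line that carries a secret belongs in -ProtectedSettingString, which is encrypted and only decrypted on the VM. The helper name Set-SecretBearingScriptExtension, the script path C:\setup\configure.ps1, its -ApiKey parameter and the sample secret are hypothetical, and it is assumed that the Custom Script Extension handler version in use accepts commandToExecute in protected settings.

```powershell
# Added example, not part of the original article.
# Constructed value: in practice the secret would be read from Key Vault with
# Get-AzureKeyVaultSecret (SecretValueText), as in the domain-join script.
$secret  = 'constructed-sample-value'
$command = "powershell -File C:\setup\configure.ps1 -ApiKey $secret"   # hypothetical script

# Weak: the whole command line, secret included, becomes public extension settings.
$weakSettings = @{ commandToExecute = $command } | ConvertTo-Json -Compress

# Corrected: nothing sensitive in public settings; the command travels in protected settings.
# ConvertTo-Json also takes care of escaping backslashes and quotes.
$publicSettings    = '{}'
$protectedSettings = @{ commandToExecute = $command } | ConvertTo-Json -Compress

function Set-SecretBearingScriptExtension {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$ResourceGroupName,
        [Parameter(Mandatory = $true)][string]$VMName,
        [Parameter(Mandatory = $true)][string]$ExtensionName,
        [Parameter(Mandatory = $true)][string]$ProtectedSettingString
    )
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName -ErrorAction Stop
    Set-AzureRmVMExtension `
        -ResourceGroupName $ResourceGroupName `
        -VMName $VMName `
        -ExtensionName $ExtensionName `
        -Publisher Microsoft.Compute `
        -ExtensionType CustomScriptExtension `
        -TypeHandlerVersion 1.4 `
        -SettingString '{}' `
        -ProtectedSettingString $ProtectedSettingString `
        -Location $vm.Location
}

# Usage against the article's resource group (requires a logged-in AzureRM session):
# Set-SecretBearingScriptExtension -ResourceGroupName test -VMName web01 `
#     -ExtensionName web01-configure -ProtectedSettingString $protectedSettings
```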

In fact, when a VM extension runs, it downloads the contents of the command and runs it inside the VM, and you can see the directories of these extensions in C:\Packages\Plugins.

You can see the running status of the extension directly in that folder.

You can also find the corresponding log and other information at C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\1.9.3
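An added example, not from the original article: the same extension status can be checked from outside the VM through the instance view returned by Get-AzureRmVM -Status, which helps when many VMs were processed in one run. Get-FailedExtension is a hypothetical helper name, and the sample objects are constructed to mirror the Name, Extensions, Statuses, Code and Message properties of that instance view.

```powershell
# Added example, not part of the original article.
# Get-FailedExtension is a hypothetical helper; it expects the object returned by
#   Get-AzureRmVM -ResourceGroupName <rg> -Name <vm> -Status
function Get-FailedExtension {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$InstanceView)
    process {
        foreach ($ext in $InstanceView.Extensions) {
            # Report every provisioning status entry that is not "succeeded"
            $bad = $ext.Statuses | Where-Object {
                $_.Code -like 'ProvisioningState/*' -and
                $_.Code -notlike 'ProvisioningState/succeeded*'
            }
            foreach ($status in $bad) {
                [pscustomobject]@{
                    VM        = $InstanceView.Name
                    Extension = $ext.Name
                    Code      = $status.Code
                    Message   = $status.Message
                }
            }
        }
    }
}

# Constructed sample with the same property names as the instance view,
# so the filter can be tried without an Azure session.
$sample = @(
    [pscustomobject]@{ Name = 'web01'; Extensions = @(
        [pscustomobject]@{ Name = 'web01-IIS-42'; Statuses = @(
            [pscustomobject]@{ Code = 'ProvisioningState/succeeded'; Message = 'constructed success text' }) }) },
    [pscustomobject]@{ Name = 'web02'; Extensions = @(
        [pscustomobject]@{ Name = 'web02-IIS-17'; Statuses = @(
            [pscustomobject]@{ Code = 'ProvisioningState/failed/1'; Message = 'constructed failure text' }) }) }
)
$sample | Get-FailedExtension | Format-Table -AutoSize

# Against the article's resource group "test" (requires a logged-in AzureRM session):
# Get-AzureRmVM -ResourceGroupName test |
#     ForEach-Object { Get-AzureRmVM -ResourceGroupName test -Name $_.Name -Status } |
#     Get-FailedExtension
```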

Basically, that's it. Of course, this is only a starting point meant to prompt further ideas. Azure VM extensions are very easy to use, so they are worth exploring further.
