[Trusted launch VMSS] Roll-back support from TrustedLaunch to Standard #28991

Closed
1 task done
AjKundnani opened this issue May 20, 2024 · 5 comments · Fixed by #29066
Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team Compute az vm/vmss/image/disk/snapshot feature-request


AjKundnani commented May 20, 2024

Preconditions

  • No need to upgrade Python SDK or the Python SDK is ready.

Related command

az vmss update

Resource Provider

Microsoft.Compute/virtualMachineScaleSets

Description of Feature or Work Requested

Roll-back support with 'Standard' security type

Request to support roll-back of VMSS model from Trusted launch to non-Trusted launch using parameter --security-type with new value Standard.

VMSS already supports forward upgrade from Standard (Gen1/Gen2) to TrustedLaunch.

--security-type

| Current supported values | New supported values |
| --- | --- |
| TrustedLaunch | TrustedLaunch |
| | Standard |

When --security-type is set as Standard, request to send following API body to VMSS Compute API for initiating roll-back from Trusted launch to Non-Trusted launch (Gen2/Gen1 OS image):

"securityProfile": { 
    "securityType": "Standard",
    "uefiSettings": "[null()]"
} 

Example

az vmss update -g cli-vmss-rg -n clivmss01 --security-type Standard

Minimum API Version Required

2020-06-01

Swagger PR link / SDK link

NA

Request Example

Available on Microsoft internal, please reach out to PM contact on teams for link to same.

Target Date

2024-06-30

PM Contact

ajkundna

Engineer Contact

shankarma

Additional context

VMSS already supports upgrading from Non-Trusted launch (Gen1/Gen2 OS image) to Trusted launch. This request is to enable roll-back support for seamless end user experience in event of any error or failure.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Compute az vm/vmss/image/disk/snapshot label May 20, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels May 20, 2024
@yonzhan
Collaborator

yonzhan commented May 20, 2024

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label May 20, 2024
@yonzhan yonzhan added this to the Backlog milestone May 20, 2024
@yanzhudd
Contributor

Hi @AjKundnani
could you please help to use this private package to verify if the changes meet your expectation?

@AjKundnani
Author

> Hi @AjKundnani could you please help to use this private package to verify if the changes meet your expectation?

@yanzhudd, request to add following warning message when user is rolling back from TrustedLaunch to Standard security type.
Turning off Trusted launch disables foundational security for your VMs. For more information, visit https://aka.ms/TrustedLaunch

Also, following command did not work while going from Gen1 OS image to Gen2 OS image with Trusted launch.

az vmss update -g cli-vmss-rg -n clivmss01 --security-type TrustedLaunch --set virtualMachineProfile.storageProfile.imageReference.sku=2022-datacenter-azure-edition
Trusted Launch security type is supported on Hyper-V Generation 2 OS Images. To know more please visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch
(InvalidParameter) Disk Controller Type is only supported for VMs that are created from a Generation 2 Image or OS disk and VM Size that supports the same, refer to https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2#creating-a-generation-2-vm for more details about creating Generation 2 VM.
Code: InvalidParameter
Message: Disk Controller Type is only supported for VMs that are created from a Generation 2 Image or OS disk and VM Size that supports the same, refer to https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2#creating-a-generation-2-vm for more details about creating Generation 2 VM.
Target: storageProfile.diskControllerType

Validated following commands successfully:

  • az vmss update -g cli-vmss-rg -n clivmss01 --security-type Standard --set virtualMachineProfile.storageProfile.imageReference.sku=2019-datacenter
  • az vmss update -g cli-vmss-rg -n clivmss01 --security-type Standard
  • az vmss update -g cli-vmss-rg -n clivmss01 --security-type TrustedLaunch

@yanzhudd
Contributor

yanzhudd commented Jun 4, 2024

Hi @AjKundnani
Thanks for your confirmation! Sure, I'll add the warning message when rolling back to the Standard.

However, I cannot reproduce the second issue you mentioned:

> Also, following command did not work while going from Gen1 OS image to Gen2 OS image with Trusted launch.

Could you please help to provide the az vmss create command you used to create the resource clivmss01?
BTW, I think this issue may not be related to this feature. I'll merge the PR firstly and then open another PR to fix this issue.

@AjKundnani
Author

> Hi @AjKundnani Thanks for your confirmation! Sure, I'll add the warning message when rolling back to the Standard.
>
> However, I cannot reproduce the second issue you mentioned:
>
> > Also, following command did not work while going from Gen1 OS image to Gen2 OS image with Trusted launch.
>
> Could you please help to provide the az vmss create command you used to create the resource clivmss01? BTW, I think this issue may not be related to this feature. I'll merge the PR firstly and then open another PR to fix this issue.

Created VMSS through portal. But did multiple roll backs and roll forwards which could've caused this issue.
Attempted with new Gen1 VMSS and upgraded to Trusted launch successfully using same command.

az vmss update -g cli-vmss-rg -n clivmss02 --security-type TrustedLaunch --set virtualMachineProfile.storageProfile.imageReference.sku=2022-datacenter-azure-edition
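
An added example, not part of this thread and not Azure CLI code: because the roll-back requested above sets securityType to Standard and nulls uefiSettings, comparing two snapshots of the scale set models is one way to notice when it has happened. The snapshots are constructed, the function names are hypothetical, and treating a missing securityProfile as Standard is an assumption.

```python
import json

# Constructed snapshots shaped like trimmed `az vmss list -o json` output;
# names reuse the ones in this thread, the values are made up.
BEFORE = json.loads("""[
 {"name": "clivmss01", "virtualMachineProfile": {"securityProfile":
   {"securityType": "TrustedLaunch",
    "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}}},
 {"name": "clivmss02", "virtualMachineProfile": {"securityProfile":
   {"securityType": "TrustedLaunch",
    "uefiSettings": {"secureBootEnabled": true, "vTpmEnabled": true}}}}
]""")
AFTER = json.loads("""[
 {"name": "clivmss01", "virtualMachineProfile": {"securityProfile":
   {"securityType": "Standard", "uefiSettings": null}}},
 {"name": "clivmss02", "virtualMachineProfile": {"securityProfile":
   {"securityType": "TrustedLaunch",
    "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}}}}
]""")


def posture(vmss):
    """Return (securityType, secureBoot, vTpm) for one scale set model."""
    prof = (vmss.get("virtualMachineProfile") or {}).get("securityProfile") or {}
    uefi = prof.get("uefiSettings") or {}
    # Assumption: a missing securityProfile or securityType means Standard.
    return (prof.get("securityType") or "Standard",
            bool(uefi.get("secureBootEnabled")),
            bool(uefi.get("vTpmEnabled")))


def detect_downgrades(before, after):
    """Compare two snapshots and list scale sets that lost protections."""
    old = {v["name"]: posture(v) for v in before}
    findings = []
    for v in after:
        name, now = v["name"], posture(v)
        was = old.get(name, now)  # no baseline: compares equal, no finding
        if was[0] == "TrustedLaunch" and now[0] != "TrustedLaunch":
            findings.append((name, "rolled back to " + now[0]))
            continue
        for idx, label in ((1, "secure boot"), (2, "vTPM")):
            if was[idx] and not now[idx]:
                findings.append((name, label + " disabled"))
    return findings


if __name__ == "__main__":
    print(detect_downgrades(BEFORE, AFTER))
```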
