anjuna-azure-cli instance
Create and manage Azure Confidential VMs.
| You must be logged in to a valid Azure account permitted to create and manage Azure Confidential VMs. |
DESCRIPTION
The anjuna-azure-cli instance tool supports the following options to manage
Azure Confidential VMs:
-
create: Create a new instance -
describe: Get status information for confidential VMs -
log: Read the boot log for confidential VMs -
log-enable: Enable boot diagnostic logging for confidential VMs -
log-disable: Disable boot diagnostic logging for confidential VMs
Creating an Azure Confidential VM requires an Azure-compatible disk image. See anjuna-azure-cli disk for a description of the tools needed to create and upload disk images.
Use the az account show command to confirm that you are logged in.
If you are not logged in, consider using the az login command to initialize your az session.
anjuna-azure-cli instance create
The anjuna-azure-cli instance create tool creates AMD SEV instances on Microsoft Azure.
anjuna-azure-cli instance create --name <INSTANCE_NAME> --location <INSTANCE_LOCATION> [OPTIONS]
The instance create command allows you to optionally specify a storage account to record the boot diagnostics logs.
These logs are used to provide the serial console logs functionality in Azure.
You can also enable the logs after the CVM has been started by using the az vm boot-diagnostics enable command.
If a network interface, virtual network, subnet, or network security group is not provided to anjuna-azure-cli instance create,
Azure automatically creates the necessary resources in the resource group associated with the CVM.
Alternately, you can create the associated network resources in advance using the az commands or by using Terraform and attach them to the CVM with anjuna-azure-cli instance create.
When the --nics option is used to attach one or more network interfaces,
then the other network related options cannot be used, or Azure will report an error.
The NSG, vnet, and subnet need to be configured in the NIC(s).
|
|
These following Azure CLI commands may be helpful:
|
OPTIONS
--image-definition the Azure Image Definition to use --image-gallery the Azure Image Definition's parent shared image gallery --image-version string the image version to use --location string (Optional) the location to associate with your resources --name name of the VM instance to use --resource-group the Azure resource group to be used for the artifacts needed for this operation --instance-type Type of the VM instance to create (default: Standard_DC2as_v5) --nics <nic> | "nic0< nic1< nic2...>" names (<nic> | "nic0< nic1< nic2...>") of the network interfaces to attach (default: automatically created) --nsg_association name of Network Security Group (default: automatically created). Use "" for none --storage-account storage account for the boot-diagnostic logs --subnet name of the subnet (default: automatically created) --vnet name of the virtual network (default: automatically created)
When the --storage-account flag is specified,
the Anjuna CLI will enable the Azure boot diagnostics mechanism,
which writes VM system boot logs to the given storage account.
The boot diagnostics can also be enabled after an instance is created,
using the anjuna-azure-cli instance log-enable command described below.
|
EXAMPLES
The example below creates an Azure Confidential VM called my-cvm-instance in westus using the image hello-world-boot-disk version 1.0.0.
The CVM is attached to the network interface (NIC) called example-nic, which has been previously created using the terraform script below.
The NIC is attached to the example-subnet and has been configured with a public IP address (using example-pip).
By virtue of being attached to example-subnet, it also uses example-vnet and example-nsg.
$ anjuna-azure-cli instance create \
--name my-cvm-instance \
--location westus \
--image-gallery myimagegallery \
--image-definition hello-world-boot-disk \
--image-version 1.0.0 \
--resource-group myresourcegroup \
--storage-account mystorageaccount \
--nics example-nic$ cat network.tf
# Terraform script for creating a permissive network configuration
# Network Security Group
resource "azurerm_network_security_group" "nsg" {
name = "example-nsg"
location = example.location
resource_group_name = example.resource_group
security_rule {
name = "SSH"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "HTTP"
priority = 1020
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "HTTPS"
priority = 1021
direction = "Outbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "ping"
priority = 1050
direction = "Inbound"
access = "Allow"
protocol = "Icmp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
# Virtual Network
resource "azurerm_virtual_network" "vnet" {
name = "example-network"
address_space = ["10.0.0.0/16"]
location = example.location
resource_group_name = example.resource_group
}
# Subnet
resource "azurerm_subnet" "subnet" {
name = "example-subnet"
resource_group_name = example.resource_group
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.1.0/24"]
}
# Associate Network Security Group with Subnet
resource "azurerm_subnet_network_security_group_association" "nsg_association" {
subnet_id = azurerm_subnet.subnet.id
network_security_group_id = azurerm_network_security_group.nsg.id
}
resource "azurerm_public_ip" "public_ip" {
name = "example-pip"
location = example.location
resource_group_name = example.resource_group
allocation_method = "Dynamic"
}
resource "azurerm_network_interface" "nic" {
name = "example-nic"
location = example.location
resource_group_name = example.resource_group
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.public_ip.id
}
}anjuna-azure-cli instance describe
Use the anjuna-azure-cli instance describe tool to display information about existing VMs.
anjuna-azure-cli instance describe --resource-group <RESOURCE_GROUP> --name <INSTANCE_NAME> [OPTIONS]
OPTIONS
--json Get instance details formatted as JSON data (verbose) --name string Name of the VM instance to use, required --query string JSON query string. See http://jmespath.org/ for more information and examples. --resource-group Azure resource group to use, required
EXAMPLES
$ anjuna-azure-cli instance describe \
--name my-cvm-instance \
--resource-group myresourcegroup
Name ResourceGroup PowerState PublicIps Fqdns Location Zones
--------------- ------------------ -------------- ----------- ------- ---------- -------
my-cvm-instance myresourcegroup VM deallocated 192.168.1.1 eastus$ anjuna-azure-cli instance describe \
--json \
--name my-cvm-instance \
--resource-group myresourcegroup
{
"additionalCapabilities": null,
"applicationProfile": null,
"availabilitySet": null,
"billingProfile": null,
"capacityReservation": null,
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": null
}
},
"evictionPolicy": null,
"extendedLocation": null,
"extensionsTimeBudget": null,
"fqdns": "",
"hardwareProfile": {
"vmSize": "Standard_D2s_v3",
"vmSizeProperties": null
},
...
}anjuna-azure-cli instance log
Use the anjuna-azure-cli instance log tool to read a VM’s boot log.
anjuna-azure-cli instance log --resource-group <RESOURCE_GROUP> --name <INSTANCE_NAME> [OPTIONS]
OPTIONS
--name string Name of the VM instance to use, required --resource-group Azure resource group to use, required --tail Continuously poll for new boot log messages (press CTRL-C to exit)
EXAMPLES
$ anjuna-azure-cli instance log \
--name my-cvm-instance \
--resource-group myresourcegroup
GRUB_FORCE_PARTUUID set, attempting initrdless boot.
[ 0.000000] Linux version 5.15.0-1039-azure (buildd@lcy02-amd64-067) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #46~20.04.1-Ubuntu SMP Mon May 22 19:42:46 UTC 2023 (Ubuntu 5.15.0-1039.46~20.04.1-azure 5.15.98)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.15.0-1039-azure root=PARTUUID=009f94b8-8128-45cc-90af-ef644b24e646 ro console=tty1 console=ttyS0 earlyprintk=ttyS0 panic=-1
...
$$ anjuna-azure-cli instance log \
--tail \
--name my-cvm-instance \
--resource-group myresourcegroup
Tailing boot log, press CTRL-C to exit..
GRUB_FORCE_PARTUUID set, attempting initrdless boot.
[ 0.000000] Linux version 5.15.0-1039-azure (buildd@lcy02-amd64-067) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #46~20.04.1-Ubuntu SMP Mon May 22 19:42:46 UTC 2023 (Ubuntu 5.15.0-1039.46~20.04.1-azure 5.15.98)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.15.0-1039-azure root=PARTUUID=009f94b8-8128-45cc-90af-ef644b24e646 ro console=tty1 console=ttyS0 earlyprintk=ttyS0 panic=-1
...anjuna-azure-cli instance log-enable
Use the anjuna-azure-cli instance log-enable command to enable boot diagnostics for VMs.
By default, the Anjuna CLI enables boot diagnostics for newly-created instances when the --storage-account flag is specified.
|
anjuna-azure-cli instance log-enable --resource-group <RESOURCE_GROUP> --name <INSTANCE_NAME>