Introduction to Linux on Azure
This topic provides an overview of some aspects of using Linux virtual machines in the Azure cloud. Deploying a Linux virtual machine is a straightforward process using an image from the gallery.
Authentication: Usernames, Passwords and SSH Keys
When creating a Linux virtual machine using the Azure Management Portal, you are asked to provide a username, password and (optionally) an SSH public key. The choice of a username for deploying a Linux virtual machine on Azure is subject to the following constraint: names of system accounts (UID <100) already present in the virtual machine are not allowed, 'root' for example.
SSH Key Generation
The current version of the Management Portal only accepts SSH public keys that are encapsulated in an X509 certificate. Please follow the steps below to generate and use SSH keys with Azure.
Use openssl to generate an X509 certificate with a 2048-bit RSA keypair.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout myPrivateKey.key -out myCert.pem
Answer the few questions that openssl prompts for (you may leave them blank). The content of these fields is not used by the platform.
Change the permissions on the private key to secure it.
chmod 600 myPrivateKey.key
Convert myCert.pem to myCert.cer (a DER-encoded X509 certificate).
openssl x509 -outform der -in myCert.pem -out myCert.cer
Upload the myCert.cer while creating the Linux virtual machine. The provisioning process will automatically install the public key in this certificate into the ~/.ssh/authorized_keys file for the specified user in the virtual machine.
Connect to the Linux virtual machine using ssh.
ssh -i myPrivateKey.key -p port username@servicename.cloudapp.net
You will be prompted to accept the fingerprint of the host's public key the first time you log in.
You may optionally copy myPrivateKey.key to ~/.ssh/id_rsa so that your OpenSSH client picks it up automatically without the -i option. Alternatively, you can modify ~/.ssh/config to include a section for your virtual machine:
Host servicename.cloudapp.net
    IdentityFile %d/.ssh/myPrivateKey.key
Generate a Key from an Existing OpenSSH Compatible Key
The previous example describes how to create a new key for use with Windows Azure. In some cases users may already have an existing OpenSSH-compatible public/private key pair and wish to use the same keys with Windows Azure.
OpenSSH private keys in PEM format are directly readable by the openssl utility. The following command takes an existing SSH private key (id_rsa in the example below) and wraps its public key in the .pem certificate that Windows Azure needs; because -key supplies the key, no new key is generated:
# openssl req -x509 -key ~/.ssh/id_rsa -nodes -days 365 -out myCert.pem
The myCert.pem file contains the public key and may then be used to provision a Linux virtual machine on Windows Azure. During provisioning the .pem file is translated into an OpenSSH-compatible public key and placed in ~/.ssh/authorized_keys.
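The two workflows above (a fresh key pair wrapped in a certificate, and a certificate built from an existing OpenSSH key) are easy to get subtly wrong: a certificate whose public key does not belong to the private key you keep, a key file with loose permissions, or a newer-format OpenSSH key that openssl cannot read. The script below is an added example, not part of the Azure documentation or the Azure Linux Agent; it assumes openssl (and optionally ssh-keygen) on PATH, uses the file names from the page, and the certificate subject is a placeholder the platform ignores. It also shows locally what the provisioning step does when it turns the certificate into an authorized_keys line.

```shell
#!/bin/sh
# Added example (not from the Azure documentation). Wraps both key workflows
# in functions and verifies the result before anything is uploaded.
# Assumptions: openssl on PATH; ssh-keygen optional; file names follow the
# page; the -subj value is a placeholder (the platform ignores it).
set -eu

SUBJ="/CN=azure-linux-vm-placeholder"   # placeholder subject, not used by Azure

# Workflow 1: new 2048-bit RSA key pair inside a self-signed X509 certificate.
# -subj replaces the interactive prompts; the private key is written
# unencrypted (-nodes), so its file mode matters.
make_new_cert() {
    dir=$1
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "$SUBJ" \
        -keyout "$dir/myPrivateKey.key" -out "$dir/myCert.pem" 2>/dev/null
    chmod 600 "$dir/myPrivateKey.key"
    # DER-encoded copy is what the Management Portal upload expects.
    openssl x509 -outform der -in "$dir/myCert.pem" -out "$dir/myCert.cer"
}

# Workflow 2: wrap an existing PEM-format RSA private key (e.g. ~/.ssh/id_rsa)
# in a certificate without generating a new key. openssl only reads keys in
# PEM ("-----BEGIN RSA PRIVATE KEY-----" / "BEGIN PRIVATE KEY") format; a key
# written by newer ssh-keygen as "BEGIN OPENSSH PRIVATE KEY" must first be
# converted in place with: ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
cert_from_existing_key() {
    key=$1; out=$2
    openssl req -x509 -nodes -days 365 -key "$key" -subj "$SUBJ" \
        -out "$out" 2>/dev/null
}

# Verify that the public key inside the certificate belongs to the private
# key you will log in with, by comparing RSA moduli. Prints match/MISMATCH.
check_pair() {
    key=$1; cert=$2
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$cert")
    if [ "$kmod" = "$cmod" ]; then echo match; else echo MISMATCH; fi
}

# ssh refuses a private key readable by others; this returns the octal mode.
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# SHA-256 fingerprint of the DER certificate, to compare with what the
# portal displays after upload.
cert_sha256() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# What provisioning will place in ~/.ssh/authorized_keys: the certificate's
# public key converted to OpenSSH format (needs ssh-keygen).
authorized_key_line() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen missing" >&2; return 1; }
    pub=$(mktemp)
    openssl x509 -in "$1" -pubkey -noout > "$pub"
    ssh-keygen -i -m PKCS8 -f "$pub"
    rm -f "$pub"
}

# Typical run:
#   d=$(mktemp -d); make_new_cert "$d"
#   check_pair "$d/myPrivateKey.key" "$d/myCert.pem"   # expect: match
#   cert_sha256 "$d/myCert.cer"
#   authorized_key_line "$d/myCert.pem"
```

Run `check_pair` against the key you intend to use with `ssh -i` before uploading the .cer; a MISMATCH means you would be locked out of the new virtual machine, since only the public key in the certificate is installed.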
Obtaining Superuser Privileges Using sudo
The user account that is specified during virtual machine instance deployment on Azure is a privileged account. This account is configured by the Azure Linux Agent to be able to elevate privileges to root (superuser account) using the sudo utility. Once logged in using this user account, you will be able to run commands as root using the command syntax
# sudo <COMMAND>
You can optionally obtain a root shell using sudo -s.
Firewall Configuration
Azure provides an inbound packet filter that restricts connectivity to ports specified in the Management Portal. By default, the only allowed port is SSH. You may open up access to additional ports on your Linux virtual machine by configuring endpoints in the Management Portal.
The Linux images in the Azure Gallery do not enable the iptables firewall by default. If desired, the firewall may be configured to provide additional filtering.
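A guest-side iptables policy that mirrors the endpoint list is the usual "additional filtering": if an endpoint is opened in the portal by mistake, the guest still drops the traffic. The script below is an added example, not part of the Azure images or the Azure Linux Agent; it assumes iptables and iptables-restore exist in the image and that the port numbers you pass are the endpoints you opened. It generates an iptables-restore ruleset with a default-DROP INPUT chain that always keeps SSH (port 22) reachable, so applying it cannot lock you out of the only port Azure opens by default.

```shell
#!/bin/sh
# Added example (not Azure's own code): emit an iptables-restore ruleset that
# allows SSH plus the TCP endpoints you opened in the portal and drops all
# other inbound traffic. Assumptions: iptables/iptables-restore installed in
# the image; arguments are the endpoint port numbers.
set -eu

SSH_PORT=22   # the one port Azure opens by default; always kept reachable

# Validate a port number: digits only, 1..65535. Returns 1 on bad input.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset. Usage: endpoint_rules 80 443
# Loopback, established/related traffic and ICMP are accepted, SSH and each
# listed TCP port accept NEW connections, everything else inbound is dropped.
# Outbound is left open; FORWARD is dropped since the VM is not a router.
endpoint_rules() {
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -p icmp -j ACCEPT\n'
    printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$SSH_PORT"
    for p in "$@"; do
        if [ "$p" = "$SSH_PORT" ]; then continue; fi   # already allowed
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    printf 'COMMIT\n'
}

# Apply (as root):  endpoint_rules 80 443 | sudo iptables-restore
# Review first:     endpoint_rules 80 443
# Persisting the rules across reboots is distribution specific
# (iptables-persistent on Ubuntu/Debian, the iptables service on RHEL-family).
```

Keep the guest list and the portal endpoint list in step: the portal filter decides what reaches the virtual machine, and this ruleset decides what the kernel accepts, so a port must appear in both before a service is reachable.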
Hostname Changes
When you initially deploy an instance of a Linux image, you are required to provide a host name for the virtual machine. Once the virtual machine is running, this hostname is published to the platform DNS servers so that multiple virtual machines connected to each other can perform IP address lookups using hostnames.
If hostname changes are desired after a virtual machine has been deployed, please use the command
# sudo hostname <newname>
The Azure Linux Agent includes functionality to automatically detect this name change and appropriately configure the virtual machine to persist this change and publish this change to the platform DNS servers.
Ubuntu Images
Ubuntu images utilize cloud-init, which provides additional capabilities for bootstrapping a virtual machine.
Virtual Machine Image Capture
Azure provides the ability to capture the state of an existing virtual machine into an image that can subsequently be used to deploy additional virtual machine instances. The Azure Linux Agent may be used to roll back some of the customization that was performed during the provisioning process. You may follow the steps below to capture a virtual machine as an image:
Run waagent -deprovision to undo the provisioning customization, or waagent -deprovision+user to additionally delete the user account specified during provisioning along with all of its associated data.
Shut down/power off the virtual machine.
Click Capture in the Management Portal or use the Powershell or CLI tools to capture the virtual machine as an image.
Attaching Disks
Each virtual machine has a temporary, local resource disk attached. Because data on a resource disk may not be durable across reboots, it is often used by applications and processes running in the virtual machine for transient and temporary storage of data. It is also used to store the page or swap files for the operating system.
On Linux, the resource disk is typically managed by the Azure Linux Agent and automatically mounted to /mnt/resource (or /mnt on Ubuntu images).
>[AZURE.NOTE] Note that the resource disk is a **temporary** disk, and might be deleted and reformatted when the VM is rebooted.
On Linux an attached data disk might be named by the kernel as /dev/sdc, and users will need to partition, format and mount that disk. This is covered step-by-step in the tutorial: How to Attach a Data Disk to a Virtual Machine.