Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Gen2 VM] Send null uefiSettings along with 'Standard' securityType #30728

Closed
1 task done
AjKundnani opened this issue Jan 28, 2025 · 10 comments · Fixed by #31002
Closed
1 task done

[Gen2 VM] Send null uefiSettings along with 'Standard' securityType #30728

AjKundnani opened this issue Jan 28, 2025 · 10 comments · Fixed by #31002
Assignees
@zhoxing-ms @yanzhudd
Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team Compute az vm/vmss/image/disk/snapshot feature-request Possible-Solution Similar-Issue
Milestone
Backlog

Comments

@AjKundnani
Copy link

AjKundnani commented Jan 28, 2025
edited
Loading

Preconditions

  • No need to upgrade Python SDK or the Python SDK is ready.

Related command

az vm create --security-type Standard
az vm update --security-type Standard
az vmss create --security-type Standard
az vmss update --security-type Standard

Resource Provider

Microsoft.Compute/virtualMachines

Description of Feature or Work Requested

Cmdlets az vm create and az vm update support securityType value Standard which allows end users to bypass or roll-back Trusted launch VM to Gen2 VM.

However, currently:

  • az vm create is sending securityProfile as null which is causing Trusted launch VM to be created. Request to send following API request instead, securityType should be set to Standard and uefiSettings set to null:
securityProfile = @{
            securityType = "Standard"
        }
  • az vm update command is passing blank or empty uefiSettings as well which is causing below error from API.
    ErrorMessage: Use of UEFI settings is not supported when security type is 'Standard'.

uefiSettings should be sent as null along with securityType Standard.

securityProfile = @{
            securityType = "Standard"
        }

Minimum API Version Required

2020-12-01

Swagger PR link / SDK link

Virtual machine create with uefiSettings

Request Example

No response

Target Date

2025-03-01

PM Contact

ajkundna

Engineer Contact

psurad

Additional context

  • We are implementing "Trusted launch as default" in REST API (currently in private preview). i.e., sending null securityType will be interpreted as TrustedLaunch by API instead of Gen2. Hence need to send Standard securityType.
  • This feature requires AFEC registration Microsoft.Compute\UseStandardSecurityType
  • uefiSettings in az cli version 2.62.0 are sent as empty or blank. uefiSettings block should be sent as null when securityType parameter is set to Standard
@yonzhan
Copy link
Collaborator

yonzhan commented Jan 28, 2025

Thank you for opening this issue, we will look into it.

@github-actions GitHub Actions
Copy link

Here are some similar issues that might help you. Please check if they can solve your problem.

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

This worked for me on EL8:

dnf list --showduplicates azure-cli
dnf install azure-cli-2.56.0-1.el8

https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=dnf#install-specific-version

Reference:

@microsoft-github-policy-service microsoft-github-policy-service bot added the Compute az vm/vmss/image/disk/snapshot label Jan 28, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 28, 2025
@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Jan 28, 2025
@yonzhan yonzhan added this to the Backlog milestone Jan 28, 2025
@zhoxing-ms
Copy link
Contributor

zhoxing-ms commented Feb 5, 2025
edited
Loading

Target Date
2025-03-01

@AjKundnani Sorry, as this sprint is already fully scheduled, can we postpone it to the next sprint (probably before mid April)?

@AjKundnani
Copy link
Author

@zhoxing-ms, before mid-April 2025 works, thanks in advance.

@AjKundnani
Copy link
Author

This issue was potentially solved with #28397 but most likely the output of the fix would be Trusted launch VM.

@yanzhudd
Copy link
Contributor

Hi @AjKundnani

when I create a VM with setting the securityType to "Standard", an error is reported:
Image

The properties are

{
  "hardwareProfile": {
    "vmSize": "Standard_DS1_v2"
  },
  "networkProfile": {
    "networkInterfaces": [
      {
        "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/zytest/providers/Microsoft.Network/networkInterfaces/1vm1VMNic",
        "properties": {
          "deleteOption": null
        }
      }
    ]
  },
  "storageProfile": {
    "osDisk": {
      "createOption": "fromImage",
      "name": null,
      "caching": "ReadWrite",
      "managedDisk": {
        "storageAccountType": null
      }
    },
    "imageReference": {
      "publisher": "OpenLogic",
      "offer": "CentOS",
      "sku": "7_6-gen2",
      "version": "latest"
    }
  },
  "osProfile": {
    "computerName": "1vm1",
    "adminUsername": "azureuser",
    "adminPassword": "[parameters('adminPassword')]"
  },
  "securityProfile": {
    "securityType": "Standard"
  }
}

Could you please take a look at this error?

@AjKundnani
Copy link
Author

Hi @AjKundnani

when I create a VM with setting the securityType to "Standard", an error is reported: Image

@yanzhudd - Is the required AFEC Microsoft.Compute\UseStandardSecurityType registered on subscription?

@yanzhudd yanzhudd mentioned this issue Mar 11, 2025
Merged
3 tasks
@yanzhudd
Copy link
Contributor

Hi @AjKundnani
could you please help to confirm if this private package could meet your expectations?

@AjKundnani
Copy link
Author

Hi @AjKundnani could you please help to confirm if this private package could meet your expectations?

@yanzhudd - Will share the results tentatively today or early next week.

@AjKundnani
Copy link
Author

@yanzhudd - All test results passed, the build / package is meeting the requirements / expectations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zhoxing-ms zhoxing-ms

@yanzhudd yanzhudd

Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team Compute az vm/vmss/image/disk/snapshot feature-request Possible-Solution Similar-Issue
Projects
None yet
Milestone
Backlog
4 participants
@zhoxing-ms @AjKundnani @yonzhan @yanzhudd