Azure Image Builder (Part 2): Automated builds of a custom managed CentOS 7.7 image, integrated with Azure Shared Image Gallery for global distribution

1. Introduction

In the previous post we tested building a custom CentOS 7.7 image automatically with AIB, and you will have seen how much automation a cloud-native service brings. AIB can do far more than that: it can also integrate with a VNet and with RHEL licensing, and, most notably, with Azure Shared Image Gallery (SIG below). This post does not cover SIG in depth; readers unfamiliar with it can start from the official documentation. In short, it is an Azure service for managing and distributing virtual machine images globally; its components are shown in the figure below:

In this post we test the integration of AIB with SIG and verify that a VM image can be built and distributed globally in an automated way.


2. Prerequisites

As in the first post, you need a Global Azure account with the Azure CLI configured. This test was run on Windows Subsystem for Linux 2 with Ubuntu 18.04. Note that, as before, the whole procedure must be run in a single shell session, because later steps rely on the custom variables set in earlier steps.


3.1 Registering the AIB / VM / Storage features

# Feature Registration
az feature register --namespace Microsoft.VirtualMachineImages --name VirtualMachineTemplatePreview
az provider register -n Microsoft.VirtualMachineImages

az feature show --namespace Microsoft.VirtualMachineImages --name VirtualMachineTemplatePreview | grep state

# register and enable for shared image gallery
az feature register --namespace Microsoft.Compute --name GalleryPreview
az provider register -n Microsoft.Compute

az feature show --namespace Microsoft.Compute --name GalleryPreview | grep state

# wait until it says registered

# check you are registered for the providers

az provider show -n Microsoft.VirtualMachineImages | grep registrationState
az provider show -n Microsoft.Storage | grep registrationState
az provider show -n Microsoft.Compute | grep registrationState
az provider show -n Microsoft.KeyVault | grep registrationState

If the output shows that a provider is not registered, run the following commands:

az provider register -n Microsoft.VirtualMachineImages
az provider register -n Microsoft.Storage
az provider register -n Microsoft.Compute
az provider register -n Microsoft.KeyVault

Create the resource group and set the related environment variables:

# Create SIG resource group
sigResourceGroup=aibsigrg

# location of SIG (see possible locations in main docs)
location=southeastasia

# additional region to replication image to
additionalregion=eastus

# your subscription
# read the current subscription id directly (a plain 'grep id' would also match the tenantId lines)
subscriptionID=$(az account show --query id -o tsv)

# name of the shared image gallery, e.g. myCorpGallery
sigName=aibsig01

# name of the image definition to be created, e.g. ProdImages
imageDefName=aib01sig01centos77image01def01

# image distribution metadata reference name
runOutputName=aib01sig01centos77image01ro01

# create resource group
az group create -n $sigResourceGroup -l $location

3.2 Creating a user-assigned managed identity and granting it permissions

# create the user-assigned identity that image builder uses to access the storage account where the script is located
identityName=aibsig01uami01
az identity create -g $sigResourceGroup -n $identityName

# get the identity's client id (used as the assignee of the role assignment below)
aibsig01uami01id=$(az identity show -g $sigResourceGroup -n $identityName --query clientId -o tsv)

# get the user identity URI, needed for the template
aibsig01uami01uri=/subscriptions/$subscriptionID/resourcegroups/$sigResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$identityName

# download preconfigured role definition example
curl https://raw.githubusercontent.com/TheoDoreW/wxsblog.github.io/master/2021/07/26/2021-07-26-AzureImageBuilderCLSIGI/template/AIBRoleImageCreation.json -o AIBRoleImageCreation.json

imageRoleDefName="Azure Image Builder Image Def01"

# update the definition (the resource group placeholder is filled with the SIG resource group defined above)
sed -i -e "s/<subscriptionID>/$subscriptionID/g" AIBRoleImageCreation.json
sed -i -e "s/<rgName>/$sigResourceGroup/g" AIBRoleImageCreation.json
sed -i -e "s/Azure Image Builder Service Image Creation Role/$imageRoleDefName/g" AIBRoleImageCreation.json

# create the custom role definition
az role definition create --role-definition ./AIBRoleImageCreation.json

# grant the custom role to the user-assigned identity, scoped to the SIG resource group only
az role assignment create \
--assignee $aibsig01uami01id \
--role "$imageRoleDefName" \
--scope /subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup

Create the Azure Shared Image Gallery and its image definition:

# create SIG
az sig create \
-g $sigResourceGroup \
--gallery-name $sigName

# create SIG image definition
az sig image-definition create \
-g $sigResourceGroup \
--gallery-name $sigName \
--gallery-image-definition $imageDefName \
--publisher aibpublisher \
--offer aiboffer \
--sku 7.7 \
--os-type Linux

3.3 Editing the AIB SIG CentOS 7.7 template file

# download the example and configure it with your vars
curl https://raw.githubusercontent.com/TheoDoreW/wxsblog.github.io/master/2021/07/26/2021-07-26-AzureImageBuilderCLSIGI/template/SIGCentOS77AIBTemplate.json -o SIGCentOS77AIBTemplate.json

sed -i -e "s/<subscriptionID>/$subscriptionID/g" SIGCentOS77AIBTemplate.json
sed -i -e "s/<rgName>/$sigResourceGroup/g" SIGCentOS77AIBTemplate.json
sed -i -e "s/<imageDefName>/$imageDefName/g" SIGCentOS77AIBTemplate.json
sed -i -e "s/<sharedImageGalName>/$sigName/g" SIGCentOS77AIBTemplate.json

sed -i -e "s/<region1>/$location/g" SIGCentOS77AIBTemplate.json
sed -i -e "s/<region2>/$additionalregion/g" SIGCentOS77AIBTemplate.json
sed -i -e "s/<runOutputName>/$runOutputName/g" SIGCentOS77AIBTemplate.json

# the identity URI contains slashes, so use % as the sed delimiter here
sed -i -e "s%<aibsig01uami01uri>%$aibsig01uami01uri%g" SIGCentOS77AIBTemplate.json
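The sed substitutions above fail silently: an unset variable replaces its placeholder with an empty string, and a placeholder that no pattern matches is left in the file, so the broken template is only rejected (or, worse, accepted with the wrong subscription, resource group or gallery) when it reaches `az resource create`. The following script is an added example, not code from the original post: it checks the variables before substituting, writes the filled template to a new file, and refuses to continue if any `<...>` token survives. The JSON stub it writes is a constructed stand-in with the same placeholders as the post's SIGCentOS77AIBTemplate.json; run the real file through `build_template` in the same way.

```shell
#!/usr/bin/env bash
# Added example: fill the AIB template placeholders safely.
# Assumes the variable names from this post (subscriptionID, sigResourceGroup, ...).

# require_vars NAME... : fail if any named variable is unset or empty, so sed never
# replaces a placeholder with nothing.
require_vars() {
  local missing=0 name value
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "variable $name is unset or empty" >&2
      missing=1
    fi
  done
  return "$missing"
}

# fill_template IN OUT : substitute every placeholder the post uses (same patterns as
# the post's sed lines; % is the delimiter for the identity URI because it has slashes).
fill_template() {
  sed -e "s/<subscriptionID>/$subscriptionID/g" \
      -e "s/<rgName>/$sigResourceGroup/g" \
      -e "s/<imageDefName>/$imageDefName/g" \
      -e "s/<sharedImageGalName>/$sigName/g" \
      -e "s/<region1>/$location/g" \
      -e "s/<region2>/$additionalregion/g" \
      -e "s/<runOutputName>/$runOutputName/g" \
      -e "s%<aibsig01uami01uri>%$aibsig01uami01uri%g" "$1" > "$2"
}

# remaining_placeholders FILE : print the distinct <...> tokens still present (empty if none).
remaining_placeholders() {
  grep -o '<[A-Za-z0-9]*>' "$1" | sort -u || true
}

# check_template FILE : 0 if no placeholder is left, 1 (with the offending tokens on stderr) otherwise.
check_template() {
  local left
  left=$(remaining_placeholders "$1")
  if [ -n "$left" ]; then
    echo "unfilled placeholders in $1:" $left >&2
    return 1
  fi
  return 0
}

# build_template IN OUT : the whole gate; only submit OUT to az resource create if this returns 0.
build_template() {
  require_vars subscriptionID sigResourceGroup imageDefName sigName \
               location additionalregion runOutputName aibsig01uami01uri || return 1
  fill_template "$1" "$2" && check_template "$2"
}

# write_sample_template FILE : constructed stub carrying the same placeholders as the real template.
write_sample_template() {
  cat > "$1" <<'EOF'
{
  "location": "<region1>",
  "identity": { "userAssignedIdentities": { "<aibsig01uami01uri>": {} } },
  "properties": { "distribute": [ {
    "type": "SharedImage",
    "galleryImageId": "/subscriptions/<subscriptionID>/resourceGroups/<rgName>/providers/Microsoft.Compute/galleries/<sharedImageGalName>/images/<imageDefName>",
    "runOutputName": "<runOutputName>",
    "replicationRegions": [ "<region1>", "<region2>" ] } ] }
}
EOF
}

# Usage with the real file, after the variables from 3.1 and 3.2 are set:
#   build_template SIGCentOS77AIBTemplate.json SIGCentOS77AIBTemplate.filled.json || exit 1
```

Writing to a new file instead of `sed -i` keeps the downloaded template intact, so a failed run can simply be repeated once the missing variable is set.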

3.4 Creating the AIB SIG CentOS 7.7 image

# submit the image configuration to the VM Image Builder Service

az resource create \
--resource-group $sigResourceGroup \
--properties @SIGCentOS77AIBTemplate.json \
--is-full-object \
--resource-type Microsoft.VirtualMachineImages/imageTemplates \
-n SIG01CentOS77AIB01

# wait approx 1-3mins, depending on external links

# start the image build

az resource invoke-action \
--resource-group $sigResourceGroup \
--resource-type Microsoft.VirtualMachineImages/imageTemplates \
-n SIG01CentOS77AIB01 \
--action Run

# wait approx 15mins
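Both "wait until it says registered" in 3.1 and "wait approx 15mins" here are fixed sleeps that either waste time or, if too short, let the next command run against a resource that is not ready. The helper below is an added example, not code from the original post: it polls a state-printing command until the target state appears, and stops early when the state becomes `Failed`. The two `az` probes assume a logged-in Azure CLI session and the resource names used in this post; the offline test drives the helper with a fake probe instead.

```shell
#!/usr/bin/env bash
# Added example: poll an Azure state instead of sleeping a fixed time.

# wait_for_state TARGET MAX_TRIES DELAY_SECONDS PROBE [ARGS...]
# Runs PROBE until its stdout equals TARGET.
# Exit status: 0 target reached, 1 timed out, 2 the state became "Failed"
# (further waiting is pointless; inspect the build log instead).
wait_for_state() {
  local target=$1 max_tries=$2 delay=$3
  shift 3
  local i=0 state
  while [ "$i" -lt "$max_tries" ]; do
    i=$((i + 1))
    state=$("$@" 2>/dev/null) || state=""   # a transient probe error just counts as "not yet"
    if [ "$state" = "$target" ]; then
      return 0
    elif [ "$state" = "Failed" ]; then
      return 2
    fi
    sleep "$delay"
  done
  return 1
}

# Probe for 3.1: prints the registration state of a feature flag
# (Registered / Registering / NotRegistered).
feature_state() {
  az feature show --namespace "$1" --name "$2" --query properties.state -o tsv
}

# Probe for 3.4: prints the run state of the image template's last build
# (Running / Succeeded / Failed / ...).
build_state() {
  az resource show --resource-group "$1" -n "$2" \
    --resource-type Microsoft.VirtualMachineImages/imageTemplates \
    --query properties.lastRunStatus.runState -o tsv
}

# Usage mirroring the post's steps (10 s between registration checks, 30 s between build checks):
#   wait_for_state Registered 30 10 feature_state Microsoft.VirtualMachineImages VirtualMachineTemplatePreview
#   wait_for_state Registered 30 10 feature_state Microsoft.Compute GalleryPreview
#   az resource invoke-action --resource-group $sigResourceGroup \
#     --resource-type Microsoft.VirtualMachineImages/imageTemplates -n SIG01CentOS77AIB01 --action Run
#   wait_for_state Succeeded 120 30 build_state "$sigResourceGroup" SIG01CentOS77AIB01 || echo "build did not succeed"
```

Because the probe is passed as arguments rather than hard-coded, the same helper can gate any later step on the state of the resource it depends on, and a `Failed` build is reported within one polling interval instead of after the full wait.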

3.5 Creating a CentOS 7.7 VM and logging in to verify

az vm create \
--resource-group $sigResourceGroup \
--name centos01 \
--admin-username centos \
--location $location \
--image "/subscriptions/$subscriptionID/resourceGroups/$sigResourceGroup/providers/Microsoft.Compute/galleries/$sigName/images/$imageDefName/versions/latest" \
--ssh-key-value @id_rsa.pub

# and login...

ssh centos@<pubIp>

You should see the image was customized with a Message of the Day as soon as your SSH connection is established!

******************************************************************
** This VM was built from the: **
** !! AZURE VM IMAGE BUILDER Custom CentOS 7.7 Image !! **
** You have just been Customized :-) **
******************************************************************

4. Summary

This completes the second example: an automated build of a custom managed CentOS 7.7 image, integrated with Azure Shared Image Gallery for global distribution. I hope it serves as a useful reference.