Running the PowerShell AzureRM module in a Linux Docker container

Introduction

Given my affinity towards containers & Azure, it will not come as a surprise when I say I published a small container from which you can launch AzureRM commands!


Repositories

  • Docker Hub (build) : https://hub.docker.com/r/kvaes/docker-powershell-azure/
  • GitHub (source) : https://github.com/kvaes/docker-powershell-azure

 

Getting Started

First of all, we’ll launch the container ;

docker run -ti kvaes/docker-powershell-azure


Next up you do the device login ;

Login-AzureRmAccount


And check out which commands are available…

Get-Command *azure*

As you can see, the current preview release is quite limited in the commands it offers. Expect more to be added over time, of course!

 

TL;DR

  • PowerShell on Linux works
  • The AzureRM module is in preview, and limited in commands
  • It all works inside a container too!😀

Enforcing your DSC config on Linux

Introduction

In the previous post we talked about configuring a Linux host with DSC via Azure Automation. When using the default settings, as we did in that post, the node’s configuration mode will be “ApplyAndMonitor”. Today we’ll take a look at how you can enforce compliance with a given configuration.


Register.py

When we take a look at the help output of Register.py, we notice that there is an option to change the “ConfigurationMode”.

root@docker02:/opt/microsoft/dsc# /opt/microsoft/dsc/Scripts/Register.py --help
Usage: Register.py [OPTIONS]
OPTIONS (case insensitive):
--RegistrationKey KEY
--ServerURL URL
--ConfigurationName NAME
--RefreshFrequencyMins NUM default=30
--ConfigurationModeFrequencyMins NUM default=15
--ConfigurationMode (ApplyAndMonitor,ApplyAndAutoCorrect,ApplyOnly) default=ApplyAndMonitor
--RefreshMode (Pull|Push) default=Pull
--Help

 

The default

By default it is set to “ApplyAndMonitor”. So if I manually mess with the system, for example by removing a required package, the node becomes “Non Compliant”.

So the reporting will indicate that something is off, but no remediation will take place.


Enforce!

By using the “ApplyAndAutoCorrect” option, we can ensure that DSC takes action when a system is non-compliant: at every consistency check the LCM not only tests the configuration but re-applies it when drift is detected. To set this mode, use the following command ;

root@docker02:~# /opt/microsoft/dsc/Scripts/Register.py --RegistrationKey my-secret-key --ServerURL https://we-agentservice-prod-1.azure-automation.net/accounts/accountid --ConfigurationMode ApplyAndAutoCorrect

Note that the registration key is passed as a plain command-line argument, so it ends up in the shell history and is visible in the process list while Register.py runs. Treat it like any other credential, and regenerate it in the Automation account if it leaks.


“The Test”

Let’s take a look at what the node will do when we remove one of the packages that has been included in the node configuration. To speed up my process, I reduced the refresh frequency so I don’t have to wait endlessly…😉

--RefreshFrequencyMins 5
--ConfigurationModeFrequencyMins 5

Anyhow, all looks good!


So now let’s screw up this node…

root@docker02:/opt/microsoft/dsc# date && htop --help
Die Sep 20 20:16:38 CEST 2016
htop 2.0.1 - (C) 2004-2016 Hisham Muhammad
...
root@docker02:/opt/microsoft/dsc# date && apt-get remove htop -y
Die Sep 20 20:17:01 CEST 2016
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
htop
...

And the testing took a bit longer, as I noticed that the ConfigurationModeFrequencyMins option did not get set…

root@docker02:/opt/microsoft/dsc# Scripts/GetDscLocalConfigurationManager.py
instance of GetMetaConfiguration
{
ReturnValue=0
MetaConfiguration= instance of MSFT_DSCMetaConfiguration
{
ConfigurationModeFrequencyMins=30
RebootNodeIfNeeded=false
ConfigurationMode=ApplyAndAutoCorrect
Credential=NULL
RefreshMode=Pull
CertificateID=NULL
ConfigurationID=NULL
DownloadManagerName=NULL
DownloadManagerCustomData=NULL
RefreshFrequencyMins=1
AllowModuleOverwrite=false
LocalConfigurationManagerState=NULL
ConfigurationDownloadManagers=
{
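As an added example (not code from the original post), here is a small bash check for exactly the problem above: after running Register.py, read the meta-configuration dump and confirm that both the mode and the consistency-check interval really took, instead of finding out when the remediation never comes. It assumes the Key=Value layout printed by /opt/microsoft/dsc/Scripts/GetDscLocalConfigurationManager.py; the sample dump embedded in the script is constructed from the output shown above, and the expected interval of 5 minutes is the value passed earlier in this post.

```bash
#!/usr/bin/env bash
# Added example: verify that the Linux DSC Local Configuration Manager (LCM) ended up in
# the mode and interval that were requested via Register.py. Assumes the "Key=Value"
# layout printed by /opt/microsoft/dsc/Scripts/GetDscLocalConfigurationManager.py.

# lcm_value FILE KEY -> prints the value of KEY from a meta-configuration dump
# (first match only; "ConfigurationMode=" does not match "ConfigurationModeFrequencyMins=")
lcm_value() {
    local file="$1" key="$2"
    sed -n "s/^[[:space:]]*${key}=\(.*\)$/\1/p" "$file" | head -n 1
}

# check_lcm FILE EXPECTED_MODE EXPECTED_FREQ_MINS
# Returns 0 when the LCM runs in EXPECTED_MODE every EXPECTED_FREQ_MINS minutes,
# 1 otherwise (each mismatch is reported on stderr).
check_lcm() {
    local file="$1" want_mode="$2" want_freq="$3" rc=0 mode freq
    mode=$(lcm_value "$file" ConfigurationMode)
    freq=$(lcm_value "$file" ConfigurationModeFrequencyMins)
    if [ "$mode" != "$want_mode" ]; then
        echo "ConfigurationMode is '${mode:-unset}', expected '$want_mode'" >&2
        rc=1
    fi
    if [ "$freq" != "$want_freq" ]; then
        echo "ConfigurationModeFrequencyMins is '${freq:-unset}', expected '$want_freq'" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample dump, modelled on the output in the post: the mode was applied
# but the consistency-check interval stayed at 30 instead of the requested 5.
SAMPLE_DUMP=$(mktemp)
trap 'rm -f "$SAMPLE_DUMP"' EXIT
cat >"$SAMPLE_DUMP" <<'EOF'
instance of GetMetaConfiguration
{
ReturnValue=0
MetaConfiguration= instance of MSFT_DSCMetaConfiguration
{
ConfigurationModeFrequencyMins=30
RebootNodeIfNeeded=false
ConfigurationMode=ApplyAndAutoCorrect
RefreshMode=Pull
RefreshFrequencyMins=1
EOF

# On a real node, after registering it in enforcing mode:
#   /opt/microsoft/dsc/Scripts/Register.py --RegistrationKey "$KEY" --ServerURL "$URL" \
#       --ConfigurationMode ApplyAndAutoCorrect --ConfigurationModeFrequencyMins 5
#   /opt/microsoft/dsc/Scripts/GetDscLocalConfigurationManager.py > /tmp/lcm.txt
#   check_lcm /tmp/lcm.txt ApplyAndAutoCorrect 5
if check_lcm "$SAMPLE_DUMP" ApplyAndAutoCorrect 5; then
    echo "LCM is enforcing as requested"
else
    echo "LCM differs from what was requested: fix the meta-configuration before relying on auto-correct"
fi
```

The check deliberately compares the interval as well as the mode: an LCM in ApplyAndAutoCorrect mode that only runs its consistency check every 30 minutes still leaves a window in which a removed package (or a tampered config file) goes unremediated, so a script that assumes the 5-minute value would draw the wrong conclusion from a test like the one above.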

 

… *waiting* …

Wait for it… and it’s back!

root@docker02:/opt/microsoft/dsc# date && htop --help
Die Sep 20 20:45:30 CEST 2016
htop 2.0.1 - (C) 2004-2016 Hisham Muhammad
Released under the GNU GPL.
...


TL;DR

  • By default a non-compliant node will be reported, though no remediation will be done.
  • It is possible to configure the node to run in a mode (“ApplyAndAutoCorrect”) where compliance is enforced.

Managing Linux hosts with Desired State Configuration via Azure Automation

Introduction

For this post I’ll be assuming you know the basics of Desired State Configuration (DSC for short). The objective of today is to test what Azure Automation brings to the table for managing Linux hosts. We all know about Puppet, Chef, Ansible, … but is Azure Automation a viable alternative?


First things first… Azure Automation Account

When getting started with DSC on Linux, check out this documentation page as a reference. First up, we’ll create an Azure Automation account.

Copy one of the keys and the URL, as we’ll need them to manually register our “OnPremise” host.

Continue reading “Managing Linux hosts with Desired State Configuration via Azure Automation”

Deploying OMS for Docker via Rancher

Introduction
Today we’ll be deploying Microsoft Operations Management Suite (OMS) for Docker via Rancher… Sound cool? It is! Basically we’re going to follow the guide below and add Rancher to the mix.

For those unfamiliar with the Microsoft offering and more at home in the OSS community: imagine OMS as the Microsoft counterpart of a typical ELK stack. The advantage is that it is managed, and that a lot of integrations are already available.

Continue reading “Deploying OMS for Docker via Rancher”

Azure : Billing Automation / Integration via the REST

Introduction
If you are an internal service provider that needs to do chargebacks or wants insight into its spending, or a cloud service provider that needs to bill customers for their Azure usage, you will find yourself needing the raw usage data of your subscription(s). So today we’ll delve into getting your usage data from Azure via the REST API.


Environment Setup
For today’s post we’ll be using “Postman”, a very nice tool suggested by a co-worker of mine (Robin); it is really user-friendly to work with! What does the tool do? Basically it lets you craft REST calls without the need for custom scripts or coding effort. Why do we need it? Because we will need to authenticate with each call, and let’s say… that isn’t all that straightforward if you aren’t accustomed to it (like me at this time).🙂

In order to set up your environment, I would suggest that you go through the following guide. So basically set up your environment …
and your header preset ; Continue reading “Azure : Billing Automation / Integration via the REST”

Azure : What does the Direct Server Return option do for a Load Balancer?

Introduction

When setting up a load balancing rule in Azure, you’ll be given the opportunity to enable/disable “Direct Server Return”.

[Screenshot: Add load balancing rule - Microsoft Azure]


So what does it do?

Apart from disabling the “backend port” input field, what does it do? Clicking on the “?” gives us a start…

[Screenshot: Add load balancing rule - Microsoft Azure]

Basically, DSR (Direct Server Return) disables the NAT the load balancer would otherwise perform, which is also why the “backend port” field is greyed out: packets reach the backend VM with the load balancer’s frontend IP and port as their destination, untranslated. So the targeted VM must be configured to accept traffic for the load balancer IP, or the network flow will break.

So it is useful when the frontend IP acts as a cluster IP that the nodes themselves know about and answer to (a failover cluster listener, for example), but do NOT use it for typical load balancing scenarios where the nodes aren’t aware of the cluster address.
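As an added example that is not part of the original post, here is a bash check for the failure mode just described, to be run on a Linux backend VM: it confirms that the load balancer’s frontend IP is among the VM’s configured addresses, which is what DSR requires since the packets arrive with that IP as their destination. The function assumes the line layout of `ip -o -4 addr show`; the address listing embedded below is constructed, and 10.0.0.100 / 10.0.0.4 are made-up addresses for the frontend and for the VM’s NIC.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check that a Linux backend VM behind a
# Direct Server Return rule will actually accept the load balancer's frontend IP.
# With DSR nothing is NATted, so the frontend IP must be configured on the VM itself
# (typically on the loopback interface); otherwise the kernel drops the traffic.
# Assumes the line layout of `ip -o -4 addr show`.

# has_frontend_ip FRONTEND_IP "ADDR_OUTPUT"
# Returns 0 when FRONTEND_IP is one of the configured IPv4 addresses, 1 otherwise.
has_frontend_ip() {
    local want="$1" addrs="$2"
    # Each `ip -o -4 addr` line looks like:  "1: lo    inet 127.0.0.1/8 scope host lo ..."
    printf '%s\n' "$addrs" | awk -v want="$want" '
        $3 == "inet" { split($4, cidr, "/"); if (cidr[1] == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of `ip -o -4 addr show` on a VM that has the (made-up) frontend
# IP 10.0.0.100 configured on lo next to its own NIC address 10.0.0.4.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 10.0.0.100/32 scope global lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.4/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever'

# On a real VM:  has_frontend_ip 10.0.0.100 "$(ip -o -4 addr show)"
if has_frontend_ip 10.0.0.100 "$SAMPLE_ADDRS"; then
    echo "frontend IP present: DSR traffic will be accepted"
else
    echo "frontend IP missing: add it (e.g. ip addr add 10.0.0.100/32 dev lo) or disable DSR on the rule"
fi
```

Run it as part of the VM’s provisioning or health check: a node that passes the load balancer probe on its NIC address but lacks the frontend IP locally will look healthy in the portal while silently dropping every client connection that the DSR rule hands it.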

 

Azure : Enumeration and reconnaissance activities for Security Officers

Introduction

A while back I saw a very interesting session on penetration testing on Azure at the HOPE conference by Apostolos Mastoris.

A Penetration Tester’s Guide to the Azure Cloud
(45 mins) Apostolos Mastoris — The wide adoption and the benefits of cloud computing has led many users and enterprises to move their applications and infrastructure towards the Cloud. However, the nature of the Cloud introduces new security challenges, therefore organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing cloud services has become an essential task and, in order to carry out such assessments, familiarization with certain components of the target environments is required. This talk will provide insight into the Microsoft Azure Cloud service and present practical advice on performing security assessments on Azure-hosted deployments. More specifically, it will demystify the main components of a cloud service and dive further into Azure-specific features. The main security controls and configurations associated with each of the mainstream Azure components will also be explored. Areas that will be covered include role-based security, secure networking features, perimeter security, encryption capability, auditing, and monitoring of activities within the Azure Cloud environment. Additionally, the talk will include the demonstration of a new tool that uses the Azure PowerShell cmdlets to collect verbose information about the main components within a deployment. The tool also provides functionality to visualize the components within a network infrastructure using an interactive representation of the topology and the associations between the deployment’s components.

And yesterday I saw that Azurite (the tool) was released! So let’s take a look at what it looks like when run against one of my lab environments.


Prerequisites

Before engaging, be sure to have the following prerequisites on your system ;


Let’s get into the action!

The summary of commands we’ll be running ;

# PS> Import-Module AzureRM
# PS> Import-Module ./AzuriteExplorer.ps1
# PS> Review-AzureRmSubscription
# CMD> C:\python27\python.exe AzuriteVisualizer.py azure-subscription__.json

Basically, ensure that the Resource Manager module is loaded and import the custom Azurite module. Afterwards start the cmdlet “Review-AzureRmSubscription”, where you’ll enter your credentials and select the targeted subscription.

Once done, use Python to parse the extracted JSON file. That will generate an “AzuriteVisualizer.html” document. Open the latter with Firefox to see a nice visualization! Bear in mind that the exported JSON and the generated HTML contain a verbose inventory of your subscription’s topology; treat them as sensitive and don’t leave them lying around on a shared machine.

 

The screenshots of the action

Starting “Azurite Explorer”

Parsing the JSON file to generate the HTML

Taking a look at the output in Firefox

[Screenshot: Azurite Visualizer - Azure Subscription Topology Overview]