
I'm currently trying to deploy through an ARM template the Linux Extension LAD. Following the documentation, the extension needs a SasToken and a storage account with table capacity in order to work. I deploy the Storage Account before I call a method similar to this one in order to create a SasToken and then use that token to deploy the extension.

This works fine as the extension is installed. However, an error appears if I go check it out in the portal. It tells me I need container and object permissions, which I previously did not have, but now I have modified the SasToken parameter to include them in the deployment.

I've tried looking for the main keywords from the message but I couldn't figure it out.

Here is the error (it's long):

Problem(s) detected in generated mdsd configuration. Can't enable, although this install/enable operation is reported as successful so the VM can complete successful startup. Linux Diagnostic Extension will exit. Config validation message: 2020-11-25T17:07:57.9564180Z: Not all GCS env vars are defined. Missing 6: MONITORING_GCS_ENVIRONMENT MONITORING_GCS_ACCOUNT MONITORING_GCS_REGION MONITORING_GCS_CERT_CERTFILE MONITORING_GCS_CERT_KEYFILE MONITORING_GCS_STORAGE_RESOURCE_TAG_TYPE. GCS won't be used. Parse reported these messages: /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(3) Error: Invalid SAS token given. Reason: Account SAS must enable container and object access (srt='co' or better) /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(18) Fatal: AddMonikerEventInfo() failed: No default credential is found. /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(25) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(31) Fatal: AddMonikerEventInfo() failed: No default credential is found. /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(45) Fatal: AddMonikerEventInfo() failed: No default credential is found. /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(60) Fatal: AddMonikerEventInfo() failed: No default credential is found. /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(71) Fatal: AddMonikerEventInfo() failed: No default credential is found. /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(84) Fatal: AddMonikerEventInfo() failed: No default credential is found. 
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement 
/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: No default credentials were defined /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-3.0.131/xmlCfg.xml(97) Error: does not define subelement

Here is my template without ladcfg as it is very long:

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
  "vmName": {
    "type": "string",
    "metadata": {
      "description": "The VM Name."
    }
  },
  "location": {
    "type": "string",
    "metadata": {
      "description": "The location."
    }
  },
  "storageAccountName": {
    "type": "string",
    "metadata": {
      "description": "Storage Account Name."
    }
  },
  "storageAccountEndpoint": {
    "type": "string",
    "metadata": {
      "description": "Storage Account Endpoint."
    },
    "defaultValue": "https://core.windows.net"
  },
  "accountSasProperties": {
    "type": "object",
    "defaultValue": {
      "signedServices": "btq",
      "signedPermission": "rwlacup",
      "signedExpiry": "2030-01-01T00:00:01Z",
      "signedResourceTypes": "sco",
      "keyToSign":"key1"
    }
  }

},
"variables": {
  "perfSink": "[concat(parameters('vmName'),'-perfSink')]",
  "sysLogSink": "[concat(parameters('vmName'),'-sysLogSink')]"
},
"resources": [
  {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "name": "[concat(parameters('vmName'), '/LinuxDiagnostic')]",
    "apiVersion": "2019-07-01",
    "location": "[parameters('location')]",
    "properties": {
      "publisher": "Microsoft.Azure.Diagnostics",
      "type": "LinuxDiagnostic",
      "typeHandlerVersion": "3.0",
      "autoUpgradeMinorVersion": true,
      "settings": {
        "sinksConfig": {
          "sink": [
            {
              "name": "[variables('perfSink')]",
              "type": "JsonBlob"
            },
            {
              "name": "[variables('syslogSink')]",
              "type": "JsonBlob"
            }
          ]
        },
        "StorageAccount": "[parameters('storageAccountName')]",
        "ladCfg": { ... }
      },
      "protectedSettings": {
        "storageAccountName": "[parameters('storageAccountName')]",
        "storageAccountEndPoint": "[parameters('storageAccountEndpoint')]",
        "storageAccountSasToken": "[listAccountSas(resourceId('Microsoft.Storage/storageAccounts',parameters('storageAccountName')), '2018-02-01', parameters('accountSasProperties')).accountSasToken]"
      }
    }
  }
],
"outputs": {}
}

I forwardly thank any help provided.

Gonçalo
  • Have you referred to https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?toc=/azure/azure-monitor/toc.json#protected-settings – Jim Xu Nov 26 '20 at 08:06
  • Yes, I may have missed something, but I've tried the configurations in that page, as well as mimicking the SAS needs exactly as described in the page. The Extension has the same error. – Gonçalo Nov 26 '20 at 08:31
  • Hi. According to the document, the `sinksConfig` should be in `protectedSettings`. – Jim Xu Nov 26 '20 at 08:32
  • I have noticed it when you sent the link, and changed it during this deployment. However, the issue did not change. – Gonçalo Nov 26 '20 at 08:34
  • Please try to output the sas token to check if it has right permissions. – Jim Xu Nov 26 '20 at 08:38
  • Hmm, it outputs ss=bt&srt=o&sp=rl&se=2050-01-01 in spite of me changing it. – Gonçalo Nov 26 '20 at 08:57
  • I think that was my first deployment's SAS Token. How can I change it/delete that one? – Gonçalo Nov 26 '20 at 09:10
  • Have you changed param `accountSasProperties` value? – Jim Xu Nov 26 '20 at 09:12
  • Yes, I have since then changed it over a few deployments. My original did in fact only have srt=o but then changed it. After you've sent the link I've also changed it. – Gonçalo Nov 26 '20 at 09:16
  • Could you please provide a sample template? Let me test it – Jim Xu Nov 26 '20 at 09:28
  • Alright, I'm a certified idiot, lol. I input the parameters in an unusual way and I forgot to check them and lo and behold, the SasProperties mirrored the output SasToken, as I was only editing the defaultValue. I was sure I hadn't set the parameter to use the default instead. Thank you for helping me with this, and sorry to waste your time lol. If you'd like you can put the answer and I'll mark it as right. – Gonçalo Nov 26 '20 at 09:40
  • Hi @gonçalo I have summarized my suggestions as a solution, could you please accept it as an answer? – Jim Xu Nov 27 '20 at 01:48

1 Answer

I summarize my suggestions as below.

When we install the Linux Diagnostic Extension to monitor metrics and logs and store the data in Azure Storage, we should provide an Account SAS token for the Blob and Table services (ss='bt'), applicable to containers and objects (srt='co'), which grants add, create, list, update, and write permissions (sp='acluw'). Besides, to create an Account SAS token in an ARM template, we can use the ARM resource function listAccountSas.

For example

"parameters": {
  "accountSasProperties": {
    "type": "object",
    "defaultValue": {
      "signedServices": "bt",
      "signedResourceTypes": "co",
      "signedPermission": "acluw",
      "signedExpiry": "9001-01-30T16:00:00Z"
    }
  }
},
...
"sasToken": "[listAccountSas(parameters('storagename'), '2018-02-01', parameters('accountSasProperties')).accountSasToken]"

For more details, please refer to

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource?tabs=json#list-example

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/diagnostics-linux?toc=/azure/azure-monitor/toc.json#protected-settings

Jim Xu
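The check that resolved this thread, written out as an added example (not code from the question, the answer, or the LAD project): it compares the `ss`/`srt`/`sp` flags of an account SAS against the values the answer lists, and resolves `accountSasProperties` the way a deployment does, where a supplied parameter value replaces `defaultValue`. The function names and the `STALE_PARAMS` parameter file are assumptions constructed for illustration; the token string is the one posted in the comments.

```python
from urllib.parse import parse_qs

# Flags the answer above says LAD needs: ss='bt', srt='co', sp='acluw'.
REQUIRED = {"ss": "bt", "srt": "co", "sp": "acluw"}
# listAccountSas property name for each SAS query field.
PROPERTY_FOR = {"ss": "signedServices", "srt": "signedResourceTypes",
                "sp": "signedPermission"}


def missing_flags(granted: dict) -> dict:
    """Map each SAS field to the required letters it lacks (empty dict = OK)."""
    gaps = {}
    for field, required in REQUIRED.items():
        lacking = sorted(set(required) - set(granted.get(field, "")))
        if lacking:
            gaps[field] = "".join(lacking)
    return gaps


def check_token(token: str) -> dict:
    """Check a SAS query string; only ss/srt/sp are read, never sig."""
    parsed = parse_qs(token.lstrip("?"))
    return missing_flags({f: parsed.get(f, [""])[0] for f in REQUIRED})


def effective_properties(template: dict, parameter_file: dict) -> dict:
    """A supplied parameter value replaces defaultValue; nothing is merged."""
    supplied = parameter_file.get("parameters", {}).get("accountSasProperties")
    if supplied is not None:
        return supplied["value"]
    return template["parameters"]["accountSasProperties"]["defaultValue"]


def check_properties(props: dict) -> dict:
    """Run the same flag check on a listAccountSas properties object."""
    return missing_flags({f: props.get(p, "") for f, p in PROPERTY_FOR.items()})


# defaultValue as posted in the question's template.
TEMPLATE = {"parameters": {"accountSasProperties": {"defaultValue": {
    "signedServices": "btq", "signedPermission": "rwlacup",
    "signedExpiry": "2030-01-01T00:00:01Z", "signedResourceTypes": "sco",
    "keyToSign": "key1"}}}}
# Constructed parameter file that still carries older, narrower values.
STALE_PARAMS = {"parameters": {"accountSasProperties": {"value": {
    "signedServices": "bt", "signedResourceTypes": "o",
    "signedPermission": "rl", "signedExpiry": "2050-01-01"}}}}

if __name__ == "__main__":
    print(check_token("ss=bt&srt=o&sp=rl&se=2050-01-01"))
    print(check_properties(effective_properties(TEMPLATE, STALE_PARAMS)))
    print(check_properties(effective_properties(TEMPLATE, {})))
```

Running the properties check against the template and parameter file before deploying catches the mismatch without writing the token to the template's outputs, which are retained in the deployment history.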