If you use the Azure CLI's future defaults to launch a VM, the VM may be modified without notifying you. This is not specific to Debian, and is due to an Azure change. This message will explain the situation, our response, and the user impact.

Background
==========

Azure VM extensions are software that Azure can install on a VM, at your request. They typically provide configuration or Azure integration features.

Microsoft Azure Linux Agent (a.k.a. waagent) enables this. It runs on VMs to orchestrate the extension installation. It also provides a health check heartbeat and was previously used for network provisioning. waagent is free software, packaged in Debian, and installed on our official images to enable these features for Debian users.

See [1] and [2] for more background on extensions.

The current situation
=====================

Until recently, extensions required user consent to install. But a recent patch [3] to the Azure CLI has changed this. Azure CLI's future defaults will automatically install the Guest Attestation Extension, without user consent. This is used to support an Azure feature called Trusted Launch VMs [4].

Trusted Launch VMs is intended as a security feature, extending secure boot. However, there are a number of problems with the implementation:

- The extension is not a package from Debian, and so does not have Debian security support.
- It is distributed without licenses, and so violates Debian's assurance that the OS is fully free software.
- It is deployed into user VMs without user opt-in.
- It runs as root, without any confinement.

There is no indication that this is being used maliciously. It seems to be an honest attempt to provide additional features to Debian users on Azure.

The cloud team's response
=========================

Our goal is to provide a free OS with security support through Debian, so we will disable extension support. New Azure images will be released with waagent's extension support disabled. Images for sid through oldoldstable will be updated. A future upload of waagent will include this config change.

This change will cause breakage for folks that use extensions. We're sorry to create headaches for Debian users. But since this will be the default, and waagent cannot currently filter extension installation requests, this is the only mitigation available.

There is a wiki article at [5] that describes how to re-enable extension handling in waagent.

How to tell if you are affected
===============================

If you do not use the Azure CLI's future defaults, your VMs won't be affected. If you do, then you can check your VMs for these extensions with the Azure CLI:

  az vm get-instance-view \
      --resource-group myResourceGroup \
      --name myVM \
      --query "instanceView.extensions"

Or you can use the portal, by selecting "Extensions" under a VM.

waagent logs extension installations in /var/log/waagent.log and individual extensions log to /var/log/azure/<extensionName>. See [6].

If you do use Azure CLI's future defaults, you can specify `--disable-integrity-monitoring` to suppress these extensions.

Thanks,
Ross

[1] - https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview
[2] - https://github.com/Azure/azure-linux-extensions
[3] - https://github.com/Azure/azure-cli/pull/22048
[4] - https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch
[5] - https://wiki.debian.org/Cloud/MicrosoftAzure#VM_extensions_are_not_installed
[6] - https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux?tabs=azure-cli#troubleshoot-vm-extensions
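The following Python script is an added example, not part of this message and not code from Debian or the waagent project. It runs the "how to tell if you are affected" checks offline against constructed inputs: it parses the JSON list that `az vm get-instance-view --query "instanceView.extensions"` prints and flags any extension you did not deploy yourself, reads the extension-handling switch out of a waagent.conf fragment, and picks handler names and versions out of waagent.log-style lines. Two things in it are assumptions rather than statements from the message: the publisher/type identifier used for the Guest Attestation extension, and the waagent.conf key Extensions.Enabled (taken here to be the setting the new images flip off). The sample instance view, config fragment and log lines are constructed for the example.

```python
"""Spot Azure VM extensions you did not ask for (added example, not project code)."""
import json
import re

# Extensions you deliberately deployed; anything else in the instance view is worth a look.
EXPECTED_EXTENSIONS = {"Microsoft.Azure.Extensions.CustomScript"}

# ASSUMPTION: publisher/type pair of the Linux Guest Attestation extension. The
# announcement names the extension but gives no identifier for it.
GUEST_ATTESTATION_TYPE = "Microsoft.Azure.Security.LinuxAttestation.GuestAttestation"

# Constructed sample of `az vm get-instance-view --query "instanceView.extensions"`
# output for a VM that got the attestation extension alongside one the owner asked for.
SAMPLE_INSTANCE_VIEW_EXTENSIONS = json.dumps([
    {"name": "GuestAttestation", "type": GUEST_ATTESTATION_TYPE,
     "typeHandlerVersion": "1.0.4",
     "statuses": [{"code": "ProvisioningState/succeeded", "level": "Info",
                   "message": "Enable succeeded"}]},
    {"name": "CustomScript", "type": "Microsoft.Azure.Extensions.CustomScript",
     "typeHandlerVersion": "2.1.6",
     "statuses": [{"code": "ProvisioningState/succeeded", "level": "Info",
                   "message": "Enable succeeded"}]},
])

# Constructed waagent.conf fragment. ASSUMPTION: Extensions.Enabled is the key that
# turns extension handling off, and waagent treats a missing key as "y".
SAMPLE_WAAGENT_CONF = """\
# Enable extension handling. Do not disable this unless you do not need extensions.
Extensions.Enabled=n
"""

# Constructed lines in the style of /var/log/waagent.log.
SAMPLE_WAAGENT_LOG = """\
2022-10-11T09:14:02.112233Z INFO ExtHandler ExtHandler Extension processing enabled
2022-10-11T09:14:03.445566Z INFO ExtHandler [Microsoft.Azure.Security.LinuxAttestation.GuestAttestation-1.0.4] Target handler state: enabled
2022-10-11T09:14:05.778899Z INFO ExtHandler [Microsoft.Azure.Security.LinuxAttestation.GuestAttestation-1.0.4] Install extension
"""


def extensions_from_instance_view(text):
    """Parse the az JSON list into (type, version) pairs; a VM with no extensions prints null."""
    data = json.loads(text)
    if not data:
        return []
    return [(ext["type"], ext.get("typeHandlerVersion", "?")) for ext in data]


def unexpected_extensions(text, expected=EXPECTED_EXTENSIONS):
    """Extensions present on the VM that are not in your own allow-list."""
    return [(t, v) for t, v in extensions_from_instance_view(text) if t not in expected]


def extensions_enabled(conf_text):
    """Read Extensions.Enabled from a waagent.conf body; absent means enabled (assumed default)."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "Extensions.Enabled":
            return value.strip().lower() == "y"
    return True


# waagent tags handler activity as "[Publisher.Type-Version]" in its log lines.
HANDLER_RE = re.compile(r"\[([A-Za-z0-9.]+)-(\d+(?:\.\d+)+)\]")


def handlers_in_log(log_text):
    """Map each handler name that waagent logged activity for to the version it used."""
    return {m.group(1): m.group(2) for m in HANDLER_RE.finditer(log_text)}


def report(instance_view_text, conf_text, log_text):
    """Assemble the findings as plain lines, suitable for printing or asserting on."""
    lines = []
    for ext_type, version in unexpected_extensions(instance_view_text):
        tag = " (Guest Attestation)" if ext_type == GUEST_ATTESTATION_TYPE else ""
        lines.append(f"unexpected extension: {ext_type} {version}{tag}")
    lines.append("waagent extension handling: "
                 + ("enabled" if extensions_enabled(conf_text) else "disabled"))
    for name, version in sorted(handlers_in_log(log_text).items()):
        lines.append(f"handler seen in waagent.log: {name} {version}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INSTANCE_VIEW_EXTENSIONS, SAMPLE_WAAGENT_CONF,
                           SAMPLE_WAAGENT_LOG)))
```

To use it on a real VM, feed `extensions_from_instance_view` the output of the az command above, `extensions_enabled` the contents of /etc/waagent.conf, and `handlers_in_log` the contents of /var/log/waagent.log; the allow-list in EXPECTED_EXTENSIONS is the one piece you have to fill in from your own deployment records.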