
Azure extensions modifying VMs



If you use the Azure CLI's future defaults to launch a VM, the VM may be
modified without notifying you.  This is not specific to Debian, and is due to
an Azure change.  This message will explain the situation, our response, and
the user impact.


Background
==========

Azure VM extensions are software that Azure can install on a VM, at your
request. They typically provide configuration or Azure integration
features.

Microsoft Azure Linux Agent (a.k.a. waagent) enables this.  It runs on
VMs to orchestrate the extension installation.  It also provides a
health check heartbeat and was previously used for network provisioning.
waagent is free software, packaged in Debian, and installed on our
official images to enable these features for Debian users.

See [1] and [2] for more background on extensions.


The current situation
=====================

Until recently, extensions required user consent to install.  But a
recent patch [3] to the Azure CLI has changed this.  Azure CLI's future
defaults will automatically install the Guest Attestation Extension,
without user consent.  This is used to support an Azure feature called
Trusted Launch VMs [4].

Trusted Launch VMs is intended as a security feature, extending secure
boot.  However, there are a number of problems with the implementation:

- The extension is not a package from Debian, and so does not have
  Debian security support.
- It is distributed without licenses, and so violates Debian's assurance
  that the OS is fully free software.
- It is deployed into user VMs without user opt-in.
- It runs as root, without any confinement.

There is no indication that this is being used maliciously.  It seems to
be an honest attempt to provide additional features to Debian users on
Azure.

The cloud team's response
=========================

Our goal is to provide a free OS with security support through Debian,
so we will disable extension support.  New Azure images will be released
with waagent's extension support disabled.  Images for sid through
oldoldstable will be updated.  A future upload of waagent will include
this config change.

This change will cause breakage for folks that use extensions.  We're
sorry to create headaches for Debian users.  But since this will be the
default, and waagent cannot currently filter extension installation
requests, this is the only mitigation available.

There is a wiki article at [5] that describes how to re-enable extension
handling in waagent.


How to tell if you are affected
===============================

If you do not use the Azure CLI's future defaults, your VMs won't be
affected.  If you do, then you can check your VMs for these extensions
with the Azure CLI:

    az vm get-instance-view \
        --resource-group myResourceGroup \
        --name myVM \
        --query "instanceView.extensions"

Or you can use the portal, by selecting "Extensions" under a VM.

waagent logs extension installations in /var/log/waagent.log and
individual extensions log to /var/log/azure/<extensionName>.  See [6].

If you do use Azure CLI's future defaults, you can pass
`--disable-integrity-monitoring` to `az vm create` to suppress these
extensions.
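As an added example (not part of the original message, and not Debian's or
Microsoft's code), the following script automates the two checks above: it
audits the JSON that `az vm get-instance-view --query "instanceView.extensions"`
returns against an allowlist of extensions you chose to install, and it parses
a waagent.conf to confirm whether extension handling is still enabled.  The
sample instance-view output and the waagent.conf excerpts are constructed.  It
assumes the Guest Attestation extension shows up with "GuestAttestation" in its
type string (publisher Microsoft.Azure.Security.LinuxAttestation), that the
instance-view "type" field is "<publisher>.<type>", and that waagent treats a
missing Extensions.Enabled key as enabled; the allowlist is hypothetical.

```python
"""Audit an Azure VM's extension list and waagent's extension setting."""
import json
import re
import subprocess
from typing import Dict, List, Set

# Assumption: the Guest Attestation extension's instance-view "type" is
# Microsoft.Azure.Security.LinuxAttestation.GuestAttestation, so this
# token identifies it regardless of the exact publisher string.
ATTESTATION_TOKEN = "GuestAttestation"

# Hypothetical allowlist of extensions the operator knowingly installed,
# matched on the instance-view "type" field ("<publisher>.<type>").
ALLOWED_EXTENSION_TYPES: Set[str] = {
    "Microsoft.Azure.Extensions.CustomScript",
}

# Constructed sample of what the az query returns for a VM where the CLI's
# new defaults added Guest Attestation next to an operator-chosen extension.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {
        "name": "GuestAttestation",
        "type": "Microsoft.Azure.Security.LinuxAttestation.GuestAttestation",
        "typeHandlerVersion": "1.0.0",
        "statuses": [{"code": "ProvisioningState/succeeded", "level": "Info"}],
    },
    {
        "name": "CustomScript",
        "type": "Microsoft.Azure.Extensions.CustomScript",
        "typeHandlerVersion": "2.1",
        "statuses": [{"code": "ProvisioningState/succeeded", "level": "Info"}],
    },
])

# Constructed /etc/waagent.conf excerpts: upstream default vs. the mitigation.
SAMPLE_WAAGENT_CONF_DEFAULT = "Extensions.Enabled=y\nAutoUpdate.Enabled=y\n"
SAMPLE_WAAGENT_CONF_MITIGATED = "# extension handling disabled\nExtensions.Enabled=n\n"


def unexpected_extensions(extensions_json: str,
                          allowed: Set[str] = ALLOWED_EXTENSION_TYPES) -> List[Dict[str, str]]:
    """Return every extension in the instance view whose type is not allowlisted.

    The az query yields JSON null when the VM has no extensions, so treat
    None as an empty list.
    """
    found = []
    for ext in json.loads(extensions_json) or []:
        ext_type = ext.get("type", "")
        if ext_type not in allowed:
            found.append({"name": ext.get("name", ""), "type": ext_type,
                          "version": ext.get("typeHandlerVersion", "")})
    return found


def attestation_extension_present(extensions_json: str) -> bool:
    """True if any extension's type or name looks like Guest Attestation."""
    return any(ATTESTATION_TOKEN.lower() in (e.get("type", "") + e.get("name", "")).lower()
               for e in json.loads(extensions_json) or [])


def waagent_extensions_enabled(conf_text: str) -> bool:
    """Parse waagent.conf text for Extensions.Enabled (last setting wins).

    Assumption: waagent's default when the key is absent is enabled ('y').
    """
    enabled = True
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"Extensions\.Enabled\s*=\s*(\S+)", line)
        if m:
            enabled = m.group(1).lower() == "y"
    return enabled


def fetch_extensions_json(resource_group: str, vm_name: str) -> str:
    """Run the az command from the advisory; needs a logged-in Azure CLI."""
    return subprocess.check_output(
        ["az", "vm", "get-instance-view", "--resource-group", resource_group,
         "--name", vm_name, "--query", "instanceView.extensions", "-o", "json"],
        text=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample data.
    for ext in unexpected_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"unexpected extension: {ext['type']} ({ext['version']})")
    print("guest attestation present:", attestation_extension_present(SAMPLE_EXTENSIONS_JSON))
    print("extensions enabled (default conf):",
          waagent_extensions_enabled(SAMPLE_WAAGENT_CONF_DEFAULT))
    print("extensions enabled (mitigated conf):",
          waagent_extensions_enabled(SAMPLE_WAAGENT_CONF_MITIGATED))
```

To run it against a real VM, replace SAMPLE_EXTENSIONS_JSON with
fetch_extensions_json("myResourceGroup", "myVM"), and read the on-VM
/etc/waagent.conf into waagent_extensions_enabled.  Matching on the "type"
field rather than "name" matters because the name is chosen by whoever
requested the extension and can be anything.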


Thanks,
Ross


[1] - https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/overview
[2] - https://github.com/Azure/azure-linux-extensions
[3] - https://github.com/Azure/azure-cli/pull/22048
[4] - https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch
[5] - https://wiki.debian.org/Cloud/MicrosoftAzure#VM_extensions_are_not_installed
[6] - https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux?tabs=azure-cli#troubleshoot-vm-extensions
