Automating Agent Installation on Linux VMs in Azure (Existing and New)

naor haziz 0 Reputation points
2024-06-09T08:44:32.2333333+00:00

Hello Azure Community,

I am seeking guidance on automating the installation of a security product agent on all Linux virtual machines (VMs) in my Azure environment.

My Requirements:

  1. Automated Installation on Existing VMs: I need a method to automatically install my agent on all existing Linux VMs in my Azure environment.
  2. Real-Time Installation on New VMs: I require a solution that triggers the installation process as soon as a new Linux VM is created. The installation should be seamless and without manual intervention.
  3. Preferred Installation Method: My current installation process uses a bash script. While I prefer to continue using this method, I am open to alternative solutions if they provide significant benefits.
  4. Minimal Impact on VM Deployment: The installation method should not affect the deployment process of a VM and must be seamless to the customer.

What I Need:

  • Best practices for automating agent installation on existing and new Linux VMs.
  • Recommendations on Azure-native tools or services that can facilitate this automation.
  • Examples or documentation on setting up such automation processes.
  • Alternatives to bash scripts if they are not the optimal solution.

I appreciate any detailed guidance or solutions you can provide to help me achieve these requirements. Thank you in advance for your assistance!

Best regards,

Naor Haziz

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.

1 answer

  1. Marcin Policht 16,725 Reputation points MVP
    2024-06-16T12:01:57.7833333+00:00

    Automated Installation on Existing VMs

    Azure Automation Runbooks: Azure Automation allows you to create and execute runbooks to automate tasks. You can create a runbook that runs a bash script to install your security agent on all existing VMs.

    Steps:

    1. Create an Azure Automation Account:
      • Navigate to Azure Portal -> Automation Accounts -> Create a new Automation Account.
    2. Create a Runbook:
      • In the Automation Account, go to Runbooks -> Create a new Runbook.
      • Choose the type (PowerShell or Python). For simplicity, you can use PowerShell to execute the bash script.
    3. Script to Install Agent:
    ```powershell
    # Runbook context: authenticate with the Automation account's managed identity first.
    Connect-AzAccount -Identity | Out-Null

    # Bash payload executed on each VM. RunShellScript already runs as root, so sudo is redundant but harmless.
    $script = @"
    #!/bin/bash
    # Your agent installation script
    echo 'Installing security agent...'
    sudo curl -o /tmp/install_agent.sh <URL_to_your_bash_script>
    sudo bash /tmp/install_agent.sh
    "@

    # Select only the Linux VMs in the target resource group.
    $linuxVms = Get-AzVM -ResourceGroupName '<YourResourceGroup>' |
        Where-Object { $_.StorageProfile.OsDisk.OsType -eq "Linux" }

    foreach ($vm in $linuxVms) {
        Invoke-AzVMRunCommand -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name `
            -CommandId 'RunShellScript' -ScriptString $script
    }
    ```

    4. Schedule the Runbook:
      • Create a schedule to run the runbook at regular intervals to ensure any new VM missed by the real-time automation gets the agent installed.

    Real-Time Installation on New VMs

    Azure Policy and Azure Event Grid: Azure Policy can enforce configurations on your resources, and Azure Event Grid can trigger actions based on events.

    Steps:

    1. Create a Custom Azure Policy:
      • This policy will audit if the security agent is installed and can trigger a remediation task.
      Example policy definition:
      ```json
      {
        "mode": "Indexed",
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                "equals": "Linux"
              }
            ]
          },
          "then": {
            "effect": "AuditIfNotExists",
            "details": {
              "type": "Microsoft.Compute/virtualMachines/extensions",
              "name": "InstallAgent",
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                    "equals": "<YourExtensionPublisher>"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "<YourExtensionType>"
                  }
                ]
              }
            }
          }
        }
      }
      ```

    2. Remediation Task:
      • Set up a remediation task for the policy to deploy an extension or run a script if the agent is not found.

    Azure Event Grid and Azure Automation:
      • Use Event Grid to monitor for the creation of new VMs.
      • When a new VM is created, trigger an Azure Automation runbook to install the agent.

      Example Event Grid setup:
      • Create an Event Grid subscription for the Microsoft.Compute/virtualMachines/write event.
      • The Event Grid subscription triggers an Azure Function or Logic App, which in turn invokes the Azure Automation runbook to install the agent.

    Preferred Installation Method Using Bash Script

    Azure VM Extensions: Azure VM Custom Script Extension can be used to run a bash script on VMs.

    Steps:

    1. Custom Script Extension:

    Create a script file (e.g., install_agent.sh) and upload it to an Azure Storage Account or GitHub.

    2. Deploy the Extension:

    Use the following ARM template or CLI command to deploy the extension on new VMs.

    ARM Template snippet:

    ```json
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('vmName'), '/CustomScript')]",
      "apiVersion": "2021-03-01",
      "location": "[parameters('location')]",
      "properties": {
        "publisher": "Microsoft.Azure.Extensions",
        "type": "CustomScript",
        "typeHandlerVersion": "2.0",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "fileUris": [
            "https://<your_storage_account>.blob.core.windows.net/scripts/install_agent.sh"
          ],
          "commandToExecute": "bash install_agent.sh"
        }
      }
    }
    ```


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth Marcin

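A hardened version of the runbook approach in the answer, added here as an example and not code from Marcin's answer or the original post. It authenticates with the Automation account's managed identity, covers every running Linux VM in the subscription rather than one resource group, skips VMs where the agent's service is already active, and refuses to execute the downloaded installer unless its SHA-256 matches a pinned value, so a tampered or swapped blob cannot run as root on your fleet. The storage URL, the expected hash, the agent's systemd unit name, and the managed identity holding Virtual Machine Contributor are assumptions you fill in.

```powershell
# Added example (not from the original answer). Assumptions: the Automation account has a
# system-assigned managed identity with Virtual Machine Contributor on the subscription, and the
# three placeholders below are replaced with your own values.
Connect-AzAccount -Identity | Out-Null

$AgentUrl     = 'https://<your_storage_account>.blob.core.windows.net/scripts/install_agent.sh'  # assumption
$AgentSha256  = '<sha256 of the install_agent.sh you published>'                                   # assumption
$AgentService = '<systemd unit the agent installs>'                                                # assumption

# Single-quoted here-string: PowerShell leaves $tmp etc. untouched; placeholders are substituted below.
$bash = @'
#!/bin/bash
set -euo pipefail
# RunShellScript already executes as root, so no sudo is needed.
if systemctl is-active --quiet '__SERVICE__'; then
  echo "agent already running, nothing to do"
  exit 0
fi
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
curl -fsSL --proto '=https' --tlsv1.2 '__URL__' -o "$tmp"
# Refuse to run anything whose hash differs from the one we pinned at publish time.
echo '__SHA256__  '"$tmp" | sha256sum -c - >/dev/null
bash "$tmp"
'@
$script = $bash.Replace('__URL__', $AgentUrl).Replace('__SHA256__', $AgentSha256).Replace('__SERVICE__', $AgentService)

# Only running Linux VMs: Run Command fails on deallocated ones, and a scheduled rerun will catch them.
$vms = Get-AzVM -Status | Where-Object {
    $_.StorageProfile.OsDisk.OsType -eq 'Linux' -and $_.PowerState -eq 'VM running'
}

$results = foreach ($vm in $vms) {
    try {
        $r = Invoke-AzVMRunCommand -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name `
                -CommandId 'RunShellScript' -ScriptString $script -ErrorAction Stop
        # Value[0] is stdout, Value[1] is stderr; a failed hash check surfaces in stderr.
        [pscustomobject]@{ VM = $vm.Name; Status = $r.Status; Stdout = $r.Value[0].Message; Stderr = $r.Value[1].Message }
    } catch {
        [pscustomobject]@{ VM = $vm.Name; Status = 'Failed'; Stdout = ''; Stderr = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
# Fail the runbook job if any VM did not succeed cleanly, so the schedule shows red instead of silently passing.
if ($results | Where-Object { $_.Status -ne 'Succeeded' -or $_.Stderr }) {
    throw 'Agent rollout failed on one or more VMs; see the table above.'
}
```

Run Command returns Succeeded even when the bash exits non-zero, which is why the stderr column is part of the failure check rather than the status alone.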
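The remediation step in the answer can be made self-driving with a DeployIfNotExists policy rather than a separate Event Grid pipeline: Azure Policy evaluates the rule whenever a VM is created or updated and deploys the Custom Script Extension if it is missing, and a remediation task applies the same deployment to VMs that already exist. The script below is an added example, not code from the answer; it generates the policy definition from a PowerShell hashtable (so the JSON, including the embedded ARM template for the extension, is produced rather than hand-typed), assigns it with a system-assigned identity, grants that identity Virtual Machine Contributor, and starts the remediation. The subscription ID, region, storage URL, and the use of the VM's own system-assigned identity to fetch the script from blob storage (which needs Storage Blob Data Reader on the container) are assumptions.

```powershell
# Added example (not from the original answer). Assumptions: Az.Resources and Az.PolicyInsights are
# installed, the caller can create policy definitions and role assignments at subscription scope,
# and the placeholders below are replaced with your own values.
$SubscriptionId = '<subscription-id>'
$Location       = 'westeurope'
$ScriptUri      = 'https://<your_storage_account>.blob.core.windows.net/scripts/install_agent.sh'
$Scope          = "/subscriptions/$SubscriptionId"

# Built-in Virtual Machine Contributor role: what the assignment identity needs to write VM extensions.
$VmContributorGuid = '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
$VmContributorId   = "/providers/Microsoft.Authorization/roleDefinitions/$VmContributorGuid"

$policyRule = @{
    'if' = @{ allOf = @(
        @{ field = 'type'; equals = 'Microsoft.Compute/virtualMachines' }
        @{ field = 'Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType'; equals = 'Linux' }
    ) }
    'then' = @{
        effect  = 'DeployIfNotExists'
        details = @{
            type              = 'Microsoft.Compute/virtualMachines/extensions'
            roleDefinitionIds = @($VmContributorId)
            # Compliant when a Microsoft.Azure.Extensions/CustomScript extension already exists on the VM.
            existenceCondition = @{ allOf = @(
                @{ field = 'Microsoft.Compute/virtualMachines/extensions/publisher'; equals = 'Microsoft.Azure.Extensions' }
                @{ field = 'Microsoft.Compute/virtualMachines/extensions/type';      equals = 'CustomScript' }
            ) }
            deployment = @{
                properties = @{
                    mode       = 'incremental'
                    parameters = @{
                        vmName   = @{ value = "[field('name')]" }
                        location = @{ value = "[field('location')]" }
                    }
                    template = @{
                        '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
                        contentVersion = '1.0.0.0'
                        parameters     = @{ vmName = @{ type = 'string' }; location = @{ type = 'string' } }
                        resources      = @(@{
                            type       = 'Microsoft.Compute/virtualMachines/extensions'
                            apiVersion = '2021-03-01'
                            name       = "[concat(parameters('vmName'), '/CustomScript')]"
                            location   = "[parameters('location')]"
                            properties = @{
                                publisher               = 'Microsoft.Azure.Extensions'
                                type                    = 'CustomScript'
                                typeHandlerVersion      = '2.1'
                                autoUpgradeMinorVersion = $true
                                # protectedSettings are encrypted and never returned on GET, unlike settings,
                                # so the script URI and command do not leak through the portal or API.
                                # managedIdentity = @{} makes the extension download fileUris with the VM's
                                # system-assigned identity (assumption: it has Storage Blob Data Reader on the container).
                                protectedSettings = @{
                                    fileUris         = @($ScriptUri)
                                    commandToExecute = 'bash install_agent.sh'
                                    managedIdentity  = @{}
                                }
                            }
                        })
                    }
                }
            }
        }
    }
}

$definition = New-AzPolicyDefinition -Name 'deploy-linux-security-agent' `
    -DisplayName 'Deploy security agent to Linux VMs' -Mode Indexed `
    -Policy ($policyRule | ConvertTo-Json -Depth 30)

# The assignment needs its own identity so Policy can run the embedded deployment on your behalf.
$assignment = New-AzPolicyAssignment -Name 'deploy-linux-security-agent' -Scope $Scope `
    -PolicyDefinition $definition -Location $Location -IdentityType SystemAssigned

New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionId $VmContributorGuid -Scope $Scope
Start-Sleep -Seconds 60   # role assignments take a moment to propagate before the identity can deploy

# New VMs are handled by evaluation on create/update; this remediation covers the VMs that already exist.
Start-AzPolicyRemediation -Name 'install-agent-existing-linux-vms' `
    -PolicyAssignmentId $assignment.PolicyAssignmentId -ResourceDiscoveryMode ReEvaluateCompliance
```

Because the existence check only looks for a CustomScript extension from that publisher, a VM that already carries an unrelated CustomScript extension will be reported compliant; scope the existenceCondition more tightly (for example on the extension name) if that is a concern in your tenant.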