Customize the extension allowlist for Azure Arc-enabled Linux Servers – Wim Matthyssen - The Legend of Hanuman


In this blog post, I’ll guide you through the steps to customize the extension allowlist for the Azure Connected Machine agent on Azure Arc-enabled Linux servers.

This step-by-step guide will help you enhance security and streamline management in your Azure Arc environment.

💡 In a previous blog post, I showed you how to customize the extension allowlist for Azure Arc-enabled Windows Servers. You can find it here.

Customize the extension allowlist on a Linux server

First, connect to the Arc-enabled Linux Server via SSH (Secure Shell), preferably through a Jump Server.

I typically use a secured and hardened Windows Management Server with an SSH client like PuTTY installed, but you can also use alternatives such as Windows Terminal, depending on your preference.

To connect, you’ll need the server’s IP address or hostname, as well as a username and password or, of course, an SSH key.

💡 If you don’t already have PuTTY installed, you can download it from here.

In this example, I’ll be using PuTTY, so go ahead and open PuTTY on your system.

In the “Host Name (or IP address)” field, enter the server’s IP address or hostname. Ensure the “Port” is set to 22 (the default for SSH). Under “Connection type,” select SSH.

💡 If you want to easily connect to the same server later and save time in the future, enter a name in the “Saved Sessions” field and click Save. Then, simply select the saved session and click Open to connect.

Then, authenticate by entering your username and pressing Enter. Next, provide your password or load your SSH key if required.

Next, log in as the root user. You can do this with the sudo command (superuser do) followed by su, or with sudo -i, which starts a root login shell.

Then, enter the following command to list all Azure Connected Machine agent configuration properties, such as the extensions.allowlist, along with their current values:

You can then check whether an allowlist or blocklist is already applied or if the server is still using the default setting, which allows all extensions ([ ]).

Then, as I prefer to do, you can configure an allowlist on this server. To permit only specific extensions, such as the Azure Key Vault virtual machine extension for Linux, use the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux"

💡 You can find a full list of available extensions for Linux via this link.

Add or remove an extension from a configured allowlist

If you later need to add another extension to the configured allowlist, you can do so using the “--add” flag.

For example, to allow the Azure Monitor agent extension in addition to the existing ones, run the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorLinuxAgent" --add

If, on the other hand, you need to remove an extension from the allowlist later, you can use the “--remove” flag.

For example, to remove the Azure Key Vault virtual machine extension for Linux, run the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux" --remove

💡 When troubleshooting issues while running a command, adding more detailed logging information can be helpful. To do so, simply append the “--verbose” flag at the end of the command.

Allow multiple extensions at once

Of course, it’s more efficient to allow multiple extensions at once instead of configuring each one individually.

For example, to allow the Azure Key Vault virtual machine extension for Linux, the Azure Monitor Agent, the Azure Automation Hybrid Runbook Worker extension, the Linux OS Update Extension, and the Linux Patch Extension on your Linux server, you can use the following command:

azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux,Microsoft.Azure.Monitor/AzureMonitorLinuxAgent,Microsoft.Compute/HybridWorkerForLinux,Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension,Microsoft.CPlat.Core/LinuxPatchExtension"
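Because the allowlist is a plain comma-separated list and the agent supports “--add” and “--remove”, it is easy to check a server for drift from a desired baseline. The Bash script below is an added example, not code from the original post: it compares a current allowlist with the five-extension baseline used above and prints the minimal set of add/remove commands without applying them. It assumes that “azcmagent config get extensions.allowlist” prints the current entries (one per line or comma-separated); the entry “Microsoft.Example/NotInBaseline” is a constructed sample, not a real extension.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: reconcile the extension allowlist
# of an Arc-enabled Linux server against a desired baseline and print the
# minimal set of --add/--remove commands. Nothing is applied automatically.
# Assumption: `azcmagent config get extensions.allowlist` prints the current
# entries either one per line or comma-separated; "[]" is the default (allow all).

# Desired baseline: the five extensions allowed in the post.
DESIRED="Microsoft.Azure.Key.Vault/KeyVaultForLinux,Microsoft.Azure.Monitor/AzureMonitorLinuxAgent,Microsoft.Compute/HybridWorkerForLinux,Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension,Microsoft.CPlat.Core/LinuxPatchExtension"

# valid_entry ENTRY: an entry must be exactly Publisher/Type. A stray space,
# a missing slash or an empty field would be stored by the agent as-is and
# would never match a real extension, so reject it before it is written.
valid_entry() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.]+/[A-Za-z0-9.]+$'
}

# normalize LIST: accept comma- or newline-separated input; drop quotes,
# brackets, blanks and duplicates; output one entry per line, sorted.
normalize() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' "[]' | grep -v '^$' | sort -u
}

# plan_changes CURRENT DESIRED: print one azcmagent command per entry that
# must be added to, or removed from, CURRENT to reach DESIRED.
plan_changes() {
  cur=$(normalize "$1")
  des=$(normalize "$2")
  for e in $des; do
    printf '%s\n' "$cur" | grep -Fxq "$e" ||
      printf 'azcmagent config set extensions.allowlist "%s" --add\n' "$e"
  done
  for e in $cur; do
    printf '%s\n' "$des" | grep -Fxq "$e" ||
      printf 'azcmagent config set extensions.allowlist "%s" --remove\n' "$e"
  done
}

# Refuse to plan against a malformed baseline.
for e in $(normalize "$DESIRED"); do
  valid_entry "$e" || { echo "malformed allowlist entry: $e" >&2; exit 1; }
done

# --live reads the running agent's allowlist (needs azcmagent, run as root);
# otherwise show the plan for a constructed sample: a server that currently
# allows Key Vault plus one extension that is not in the baseline.
if [ "${1:-}" = "--live" ]; then
  plan_changes "$(azcmagent config get extensions.allowlist)" "$DESIRED"
else
  plan_changes "Microsoft.Azure.Key.Vault/KeyVaultForLinux,Microsoft.Example/NotInBaseline" "$DESIRED"
fi
```

Review the printed commands before running them as root; the script deliberately stops short of applying them.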

Customizing the Arc Onboarding script with an allowlist

For automated deployments at scale, the allowlist can be seamlessly integrated into the Azure Arc onboarding Bash script (OnboardingScript.sh), which can be manually generated from the Azure Arc menu.

This integration allows you to streamline and automate the onboarding process across multiple machines or environments, ensuring that the allowlist is consistently applied to all machines during deployment.

Below is an example of how this can be implemented by adding a line of code to include an allowlist in the OnboardingScript.sh:

# Set the allowlist
sudo azcmagent config set extensions.allowlist "Microsoft.Azure.Key.Vault/KeyVaultForLinux,Microsoft.Azure.Monitor/AzureMonitorLinuxAgent,Microsoft.Compute/HybridWorkerForLinux,Microsoft.SoftwareUpdateManagement/LinuxOsUpdateExtension,Microsoft.CPlat.Core/LinuxPatchExtension"

I prefer to run the customized bash script locally, and to do so, I usually copy (upload) the script from my Windows workstation or management server to a folder (like Temp) on the Linux server using a tool like WinSCP.

💡 If required, you can download WinSCP from here.

Once uploaded, make the script executable by reopening PuTTY, connecting to the Linux server, and running the following command as root:

chmod +x OnboardingScript.sh

Then run the script as the root user.

./Temp/OnboardingScript.sh

Reset an extension allowlist to its default setting

If you’ve configured an allowlist but no longer need it for any reason, you can clear the extension allowlist and revert to the default setting, which allows all extensions, by running the following command:

azcmagent config clear "extensions.allowlist"

Disable the Extension Manager

If you don’t need to use extensions with Azure Arc, you can completely disable the extension manager by running the following command as root:

azcmagent config set extensions.enabled false

This will disable the extension manager, preventing any extensions from being used on the Azure Arc-connected machine.

💡 Keep in mind that disabling the extension manager won’t remove any extensions already installed on your server, so you’ll still need to remove them.

Conclusion

From a security and management perspective, it’s recommended to configure an allowlist for the Azure Connected Machine agent on your Arc-enabled Linux servers.

This approach improves security by controlling which extensions are allowed, minimizing the risk of unauthorized or accidental deployments or tasks executed by either authorized users or potential malicious actors.

I hope the steps and various allowlist configurations explained in this blog post help you maintain secure and well-managed Arc deployments.

If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or leave a comment. I’ll be happy to assist!
