Azure compatibility

    Question

  • Hi All,

    One of the big selling points for Azure Stack is a common experience across Azure and Azure Stack to reduce operational burden. I have started to explore what this really means and am hitting some potential problems. I have tested Terraform and Ansible, two tools our customers use.

    With Terraform I have hit an auth problem that requires some changes to the Go code to fix. Sadly above my weight, but the issue is tracked here: https://github.com/terraform-providers/terraform-provider-azurerm/issues/13

    With Ansible, where I have more experience, I have run into many problems and implemented workarounds for some, to the point I can run a simple task to create a resource pool; beyond that I have hit problems.

    1. SSL verification errors

    Self-signed SSL certs don't seem to be supported with the python-azure-sdk. I accept this is not the Azure Stack team's issue, but it's worth recording here.

    https://github.com/ansible/ansible/issues/33455#issuecomment-348475505

    2. Metadata endpoint errors

    The second issue I have hit is that Ansible uses the python-azure-sdk which checks for specific endpoints (e.g. resource_manager) via the metadata discovery endpoint. These are not being set so it fails but I suspect this is an error in Azure Stack? The issue is documented in detail here:

    https://github.com/Azure/azure-sdk-for-python/issues/1660

    3. Inconsistency

    This last point is the most concerning for me. There seem to be subtle differences that will break lots of code, both bespoke, official and community.

    I got to the point I could successfully run Ansible to create resource groups but creating a storage account failed because the storage type is named differently and the python-azure-sdk does validation.

    Standard_LRS (Azure)

    StandardLRS (Azure Stack)

    This type of inconsistency will cause lots of issues and I wondered how the MS teams are working together to minimise this type of issue and validate that tooling etc. continues to work with Azure Stack if the feature is supported?

    Friday, December 01, 2017 3:46 PM

All replies

  • Hi, thanks for your attention and feedback! About 3. inconsistency on storage account type between Azure and Azure Stack, we'll follow up on the verification and fix it accordingly.

    Thanks,
    Shawn

    Monday, December 04, 2017 2:26 PM
  • Hello,

    We did some verification on the "Create" and "List" storage account scenarios on Azure Stack and monitored the responses of the REST API calls. We got "accountType=Standard_LRS" in the response, which seems consistent with Azure.

    So could you please share some details about the test case that you ran and how the inconsistency was found? What SDK version did you use? It would be very helpful if you could share your test code of the comparison test.

    Thanks,
    Shawn

    Tuesday, December 05, 2017 2:34 PM
  • Hello Charlie,

    We received your email and have set up a Skype meeting with you and a few of our Engineering leads.

    Please check your email and reply to the meeting invite.

      

    - If you are unable to attend, please reply with a range of available times so we can reschedule.

    - Please review the meeting agenda and feel free to add, edit or delete any of the items or questions.

    We look forward to speaking with you.

     

    We apologize for any inconvenience and appreciate your time and interest in Azure Stack.

    If you experience any issues with Azure Stack or the current ASDK release, please feel free to contact us.

         

     Thanks


    Gary Gallanes

    Tuesday, December 05, 2017 8:23 PM
    Moderator
  • Hi Shawn,

    Thanks for looking into this. First I need to apologise: I have given you incorrect information. I think I had to make so many changes to get things working that I introduced some problems!

    So I can now successfully create storage accounts with Ansible. However, I am still concerned about compatibility as I have had to introduce two fixes to get this working, beyond the original ones the azure-python-sdk team kindly fixed.

    1. Fix the endpoints

    When authenticating against Azure the following code (https://github.com/Azure/msrestazure-for-python/blob/master/msrestazure/azure_cloud.py) sets the management endpoint to:

    'management': 'https://management.core.windows.net/',

    This is used by https://github.com/Azure/msrestazure-for-python/blob/master/msrestazure/azure_active_directory.py line 398 as the resource for the token request and it works fine and I can get a valid token back. However, with Azure Stack the endpoint is set to:

    'management': 'https://management.local.azurestack.external',

    Which looks correct, however it fails to get a token. If we update the resource to actually be the 'active_directory_resource_id' e.g.

    https://management.<domain>.onmicrosoft.com/xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx

    It works perfectly and I can authenticate and run Ansible playbooks. Are you able to explain why the auth models are so different? Can you also provide a doc detailing the differences between the metadata endpoints and what is the correct approach?

    The following issue is being used to track this, https://github.com/Azure/azure-sdk-for-python/issues/1669.

    2. Hardcoded APIs

    It is not possible to use the default storage module (https://github.com/Azure/azure-sdk-for-python/blob/master/azure-mgmt-storage/azure/mgmt/storage/v2017_06_01/operations/storage_accounts_operations.py) to create storage accounts because the API version is hardcoded.

    This code appears to have pinned the storage API to "2017-06-01".

    Editing this to a value supported by Azure Stack gets it to work correctly. I have opened an issue here to track this, https://github.com/Azure/azure-sdk-for-python/issues/1696.

    I do hold up my hands here and acknowledge that this could be a lack of understanding on my part but it does feel immensely complicated for something that is supposed to be "An extension of Azure".

    Hope this provides enough info.

    Cheers

    Charlie


    Tuesday, December 12, 2017 2:12 PM
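
Added example, not part of the thread and not code from the SDK: a sketch of the two workarounds described in the post above, taking the token resource from the discovered endpoints instead of the management URL, and choosing an API version both client and cloud support. The metadata field names (`authentication`, `loginEndpoint`, `audiences`), the sample values, the version lists and all helper names are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a metadata discovery document; the field names are an
# assumed shape and the audience value is a placeholder.
SAMPLE_METADATA = json.dumps({"authentication": {
    "loginEndpoint": "https://login.windows.net/",
    "audiences": ["https://management.example.onmicrosoft.com/"
                  "00000000-0000-0000-0000-000000000000"],
}})

def _require_https(name, url):
    """Reject anything that is not an absolute https URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{name} must be an absolute https URL, got {url!r}")
    return url

def endpoints_from_metadata(arm_endpoint, metadata_json):
    """Map a discovery document onto the endpoint names used in the thread."""
    auth = json.loads(metadata_json).get("authentication") or {}
    audiences = auth.get("audiences") or []
    if not audiences:
        raise ValueError("metadata document lists no token audience")
    return {
        "resource_manager": _require_https("resource_manager", arm_endpoint),
        "active_directory": _require_https(
            "loginEndpoint", auth.get("loginEndpoint") or ""),
        "active_directory_resource_id": _require_https("audience", audiences[0]),
    }

def token_resource(endpoints):
    """Resource for the token request: the AD resource id when the cloud
    publishes one, otherwise the management endpoint (the public Azure case)."""
    return endpoints.get("active_directory_resource_id") or endpoints["management"]

def pick_api_version(sdk_versions, cloud_versions):
    """Newest API version present on both sides (ISO dates sort lexically)."""
    common = set(sdk_versions) & set(cloud_versions)
    if not common:
        raise LookupError("client and cloud share no API version")
    return max(common)
```

Failing closed on a missing audience or a non-https endpoint keeps a misconfigured or tampered discovery response from silently changing where credentials are sent.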
  • Hi Shawn,

    Here's another example of a difference: https://github.com/Azure/msrestazure-for-python/issues/64

    Thanks

    Charlie

    Tuesday, December 12, 2017 5:10 PM