Can the AzureDiskEncryptionForLinux extension be uninstalled after encrypting disk (Linux)?

  • Question

  • We recently encrypted disks attached to several VMs running Linux (CentOS 7.4.1708). In some cases, we had to resize the VMs to 8GB RAM, encrypt the disks and downsize to 4GB again.

    I can see the AzureDiskEncryptionForLinux extension is still installed on the VMs showing provisioning failure:

    [
        {
            "code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/failed/53",
            "level": "Error",
            "displayStatus": "Provisioning failed",
            "message": "{\"os\": \"NotEncrypted\", \"data\": \"NotMounted\"}"
        }
    ]

    The OmsAgentForLinux extension is also failing.

    Enable failed with exit code 52 Couldn't create marker file

    My plan is to uninstall both extensions from the VMs and just reinstall the OmsAgentForLinux. Is the AzureDiskEncryptionForLinux extension needed on the VMs or can it be uninstalled?


    Thursday, February 6, 2020 10:50 AM

All replies

  • @Manc4Ever: The OMS extension is known to cause this kind of issue.

    Check the RAM (memory) allocated to the VM (basically checking the size of the VM).

    df -Th ; free -m

    There is a similar thread discussion in GitHub link. Please refer to the suggestion mentioned in the link and let me know the status.

    Can you take a look at our VMExtensionProvisioning error?

    Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is greater than 4GB: the root file system usage * 2. For instance, a 16 GB of root file system usage requires at least 32GB of RAM.

    Azure Disk Encryption operations may fail on virtual machine images using unsupported versions of the Azure Virtual Machine Agent. Linux images with agent versions earlier than 2.2.38 should be updated prior to enabling encryption. For more information, see How to update the Azure Linux Agent on a VM and Minimum version support for virtual machine agents in Azure.

    The Remove-AzureRmVMDiskEncryptionExtension cmdlet removes the disk encryption extension from a virtual machine. If no extension name is specified, this cmdlet removes the extension with default name AzureDiskEncryption for virtual machines that run the Windows operating system or AzureDiskEncryptionForLinux for Linux based virtual machines. This cmdlet does not disable encryption on the virtual machine. It removes the extension and the associated extension configuration from the virtual machine.

    For more information: Refer to this article 

    Workaround would be to stop and disable apps from auto start

    Provision the VM using an endorsed and supported Linux distribution image, then encrypt the VM (prior to installing any apps or doing any customization). Once the VM is encrypted, proceed to load any required data or install any required apps.

    Note: You can perform disk encryption initially and re-install the OMS extension once the encryption is performed.

    If the issue still persists, please share the screenshot of the error message.

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue.
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Thursday, February 6, 2020 2:10 PM
  • Thanks @SumanthMarigowda-MSFT .

    Can I just confirm again that the AzureDiskEncryptionForLinux extension is not required after the disk encryption is completed? I don't want to undo any work. It took a long time to encrypt the disks a month ago. :)

    Thursday, February 6, 2020 2:16 PM
  • ADE is what encrypts the disk, and sets the key-grabbing process. Once complete it will not run again. The extension is always required. It's a part of the encryption process and it's the way it's used to communicate the encryption status to the Azure portal.

    Thursday, February 6, 2020 2:55 PM
  • If ADE has completed encryption, why does it continue to say provisioning failed and expects instance RAM to be a minimum of 8GB?
    Thursday, February 6, 2020 3:47 PM
  • @Manc4Ever For a Linux VM we should have a minimum of 8GB of RAM. May I know why it was decreased?

    How do you know that was completed? Can you share the screenshot?

    Thursday, February 6, 2020 4:11 PM
  • I'm just going off the encryption status on the vm > disks dashboard.

    

    Thursday, February 6, 2020 6:06 PM
  • @Manc4Ever It shows the VM is encrypted. I think everything looks fine. However, you may cross-verify by running the below-mentioned commands.
    CLI 
    
    az vm show --name "myVM" -g "MyResourceGroup"
    
    PowerShell 
    Get-AzVmDiskEncryptionStatus -VMName MyVM -ResourceGroupName MyResourceGroup

     

    Kindly let us know if the above helps or you need further assistance on this issue.

    Friday, February 7, 2020 5:55 AM
  • Here's the output from the command to check encryption:

      "resources": [
        {
          "autoUpgradeMinorVersion": true,
          "forceUpdateTag": "1.0",
          "id": "/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/MY-RESOURCE-GROUP/providers/Microsoft.Compute/virtualMachines/MY-VM-01/extensions/AzureDiskEncryptionForLinux",
          "instanceView": null,
          "location": "ukwest",
          "name": "AzureDiskEncryptionForLinux",
          "protectedSettings": null,
          "provisioningState": "Failed",
          "publisher": "Microsoft.Azure.Security",
          "resourceGroup": "MY-RESOURCE-GROUP",
          "settings": {
            "EncryptionOperation": "EnableEncryption",
            "KekVaultResourceId": "/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/MY-RESOURCE-GROUPproviders/Microsoft.KeyVault/vaults/MY-KV-EncDisks-01",
            "KeyEncryptionAlgorithm": "RSA-OAEP",
            "KeyEncryptionKeyURL": "https://my-kv-encdisks-01.vault.azure.net/keys/MY-VM-01-KEY/9d232ecdd33e4cfcb4e62dc5c806c503",
            "KeyVaultResourceId": "/subscriptions/xxxxxxxxxxxxxxxx/resourceGroups/MY-RESOURCE-GROUPproviders/Microsoft.KeyVault/vaults/MY-KV-EncDisks-01",
            "KeyVaultURL": "https://MY-KV-EncDisks-01.vault.azure.net/",
            "VolumeType": "All"
          },
          "tags": null,
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "typeHandlerVersion": "1.1",
          "virtualMachineExtensionType": "AzureDiskEncryptionForLinux"
        },

    I will leave the ADE extension installed, but I need to get to the bottom of the following provisioning errors on several VMs.

    Not enough memory for enabling encryption on OS volume. 8 GB memory is recommended.

    Moving from volume type All to volume type OS is not allowed

    Also, after the disk encryption, I see the following provisioning error for the OmsAgentForLinux agent on all VMs:

    Enable failed with exit code 52 Couldn't create marker file


    Friday, February 7, 2020 10:49 AM
  • @Manc4Ever It states it's less than 8 GB memory. Can you please increase the memory size as recommended? After increasing the size, please restart the VM and run the above-mentioned cmdlets and let me know the status.

     
    Friday, February 7, 2020 11:54 AM
  • Last month, when we enabled encryption, we temporarily resized the instance to B2ms (8GB) and then downsized to B2s (4GB) after the encryption was completed.

    Do we need to set all VMs to 8GB even though encryption is enabled? 

    Friday, February 7, 2020 12:15 PM
  • @Manc4Ever Once the encryption is completed, the size can be reduced.

    Sunday, February 9, 2020 9:46 AM
  • Is there any update on the issue?

    Monday, February 10, 2020 6:12 PM
  • If the instance size is reduced to 4GB RAM, then ADE will continue warning about 8GB of RAM minimum requirement? This is the problem we are seeing.
    Wednesday, February 12, 2020 5:32 PM
  • No. It is a requirement to fasten the encryption alone. Going further, we don't have to retain the same configuration. Can you please share the screenshot of the warning error message?
    Thursday, February 13, 2020 9:56 AM
  • Here's the screenshot from a VM with 4GB RAM and the error:

    [
        {
            "code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/failed/53",
            "level": "Error",
            "displayStatus": "Provisioning failed",
            "message": "{\"os\": \"NotEncrypted\", \"data\": \"NotMounted\"}"
        }
    ]

    Thursday, February 13, 2020 10:29 AM
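Added example, not part of any post in this thread and not Microsoft's code: the extension status quoted above carries its per-volume state as a JSON document inside the `message` string, while other errors quoted in the thread arrive as plain text in the same field, so a status check has to handle both. The function names are hypothetical, the value `Encrypted` for an encrypted volume is an assumption, and the second sample entry is constructed by pairing the quoted status code with the quoted plain-text error.

```python
import json

# Constructed sample: both entries reuse the status code quoted in the thread.
# The first message is the JSON-in-a-string form posted above; the second
# pairs that code with the plain-text error also quoted in the thread.
SAMPLE_STATUSES = r'''
[
  {"code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/failed/53",
   "level": "Error", "displayStatus": "Provisioning failed",
   "message": "{\"os\": \"NotEncrypted\", \"data\": \"NotMounted\"}"},
  {"code": "ComponentStatus/Microsoft.Azure.Security.AzureDiskEncryptionForLinux/failed/53",
   "level": "Error", "displayStatus": "Provisioning failed",
   "message": "Not enough memory for enabling encryption on OS volume. 8 GB memory is recommended."}
]
'''

ENCRYPTED = "Encrypted"  # assumption: the value reported for an encrypted volume


def parse_status(entry):
    """Split one status entry into handler, state, exit code and volume states."""
    parts = entry.get("code", "").split("/")
    handler, state, exit_code = (parts + [None] * 3)[1:4]
    volumes, text = {}, entry.get("message", "")
    try:
        decoded = json.loads(text)      # message may itself be a JSON document
        if isinstance(decoded, dict):
            volumes, text = decoded, ""
    except (ValueError, TypeError):
        pass                            # plain-text or missing message: keep as text
    return {"handler": handler, "state": state, "exit_code": exit_code,
            "level": entry.get("level"), "volumes": volumes, "text": text}


def volumes_not_encrypted(report):
    """Volume names whose reported state is anything other than ENCRYPTED."""
    return sorted(v for v, s in report["volumes"].items() if s != ENCRYPTED)


def summarize(statuses_json):
    """Parse a JSON array of extension status entries into reports."""
    return [parse_status(e) for e in json.loads(statuses_json)]


if __name__ == "__main__":
    for r in summarize(SAMPLE_STATUSES):
        flagged = volumes_not_encrypted(r) or r["text"]
        print(f'{r["handler"]} {r["state"]}/{r["exit_code"]}: {flagged}')
```
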
  • The following error relates to the OmsAgentForLinux agent:


    Thursday, February 13, 2020 10:30 AM
  • @Manc4Ever Apologies for delay in responding here! After the encryption it's possible to reduce the size! But the warning will remain. However, that doesn't affect.

    Wednesday, February 19, 2020 5:12 PM
  • @Manc4Ever Is there any update on the issue?

    Thursday, February 27, 2020 8:47 AM
  • @Manc4Ever Is there any update on the issue?

    Monday, March 2, 2020 8:58 AM
  •  Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Thursday, March 5, 2020 10:58 AM
  • @Manc4Ever Is there any update on the issue?

    Monday, March 16, 2020 4:11 AM