1803 Dell EMC Cloud for Microsoft Azure Stack Patch and Update Guide 302-004-514 Rev 04 Dell Engineering May 2018

Upload: lykiet

Post on 11-Sep-2018


2 1803 Dell EMC Cloud for Microsoft Azure Stack Patch and Update Guide | version 04

Revisions

Date      Version  Description
Jan 2018  00       Initial release
Apr 2018  01       Update for 1803
May 2018  02       1803 Revisions: Minor corrections; Added Appendix A – Updating iDRAC
May 2018  03       1803 Revisions: Minor corrections; Updated WDAC section
May 2018  04       1803 Revisions: Removed non-applicable information; Removed WDAC section

THIS GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND BY DELL EMC or MICROSOFT.

Copyright © 2018 Dell Inc. All rights reserved. Dell and the Dell EMC logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Table of contents

Patch and Update Overview
    Goal
    About Speculative Execution Side-Channel Vulnerabilities
    Performing Patch and Updates
Installing Microsoft updates
    Downloading content
    Updating the Hardware Lifecycle Management Server [HLH]
    Running the Microsoft Patch and Updates on Azure Stack Scale Nodes
How to review updates
    Monitor updates in Azure Stack using the privileged endpoint
    Use the update management cmdlets
    Troubleshooting
    New features
    Fixed issues
    Changes
Known issues with the update process
Appendix A. iDRAC Update (Local File)

Patch and Update Overview

Goal

Azure Stack operators are faced with the enormous challenge of keeping their solution both secure and functional. They must ensure the solution is not vulnerable to threats–external or internal–while maintaining negotiated service-level agreements.

About Speculative Execution Side-Channel Vulnerabilities

Dell EMC is aware of the side-channel analysis vulnerabilities (also known as Meltdown and Spectre) affecting many modern microprocessors that were publicly described by a team of security researchers on January 3, 2018. This document addresses the specific steps for securing the servers within the Dell EMC Cloud for Microsoft Azure Stack from these specific vulnerabilities.

In general, there are three steps that must be taken to implement full mitigations against these

attacks. These can be summarized as follows:

1. Patch the Operating System on the server (install Windows Server 2016 KB4056890).

2. Enable specific mitigations within the Operating System (apply registry modifications).

3. Update the Intel processor microcode on the server (flash the server BIOS).

Important: If you have already applied mitigation steps above, you can still follow this guide to verify that the

mitigations are in place.

In the context of the Azure Stack solution:

- The Installing the Windows Server 2016 Cumulative Update on the HLH Host, Verify Mitigations by Setting Windows Server 2016 Registry Values, and Updating the OME and OMNM VMs subsections within this document explain how to apply these same updates to the physical HLH host, as well as the OpenManage Essentials / SupportAssist Enterprise and OpenManage Network Manager Virtual Machines that reside on that host.

- The Microsoft Azure Stack 1712 Update (Build 20180106.1) and all subsequent releases address the preceding step 1 and step 2 for the scale unit hosts and the infrastructure VMs that comprise the Azure Stack solution. Following the procedures in the Running the Microsoft Patch and Updates on Azure Stack Scale Nodes section of this document will apply the necessary OS updates and registry configuration settings for the physical scale unit hosts and the infrastructure VMs.

- As of February 20, 2018, Intel released production microcode updates to address these issues. Dell EMC has incorporated these updates into the PowerEdge Server system BIOS, and these updates are available for download. For the latest information and recommended BIOS versions, see Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking) in the Dell Knowledge Base.

- If you need to apply these BIOS updates to the hosts in your Azure Stack solution, please contact Support for assistance. Until further notice, Dell EMC recommends that any BIOS or firmware updates for Azure Stack be performed during a planned outage during which the Azure Stack solution will be brought offline.

Performing Patch and Updates

Installing Patches and Updates includes software updates for the operating system and features for the Azure

Stack solution.

1. Running Microsoft software Patch and Update framework

a. Hardware Lifecycle Management Server [HLH]

b. Azure Stack Scale Nodes

Installing Microsoft updates

This section includes the following procedures:

- Updating the Hardware Lifecycle Management Server [HLH] provides the procedure for updating the hardware lifecycle management server.
- Running the Microsoft Patch and Updates on Azure Stack scale nodes

These operations can be performed in either order.

Downloading content

Download the Dell EMC Tools compressed file (Cloud for Microsoft Azure Stack 13G Customer Toolkit 1-0-<version>-x.zip) from the Dell EMC Support Downloads Webpage for 13G onto your OME-VM. Right-click the zip file and extract its contents into a folder (for example, C:\DELLEMCTools\). Among various Dell EMC tools, this toolkit contains the framework and firmware installation files required for running the Dell EMC post-deployment / FRU scenario firmware Patch and Update process.

To access the firmware executables, double-click the DellEMC-13GPowerEdgeR730xd-1.0.<version>.x.exe package and extract the contents into the same folder (C:\DELLEMCTools\). Click “Yes” at the prompt.

Updating the Hardware Lifecycle Management Server [HLH]

Installing the Windows Server 2016 Cumulative Update on the HLH Host

Complete the following steps to update Windows Server 2016 on the HLH host:

Step Activity

1 Log in to your HLH server.

2 Browse to the folder on your OME-VM where you extracted Cloud for Microsoft Azure Stack 13G

Customer Toolkit 1-0-<version>-x.zip (for example, C:\DELLEMCTools\). Go to the

HLH_Cumulative_Windows_Update folder for the Windows Server 2016 x86_64 Cumulative Update for

March 2018 (KB 4096309) and copy it onto the HLH host.

3 Run the update package.

Click “Yes” to allow the update to execute.

4 The update will progress through multiple stages and take several minutes to complete.

Note: This may take 25 minutes or more to complete.

5 When the update package has finished running, click “Restart Now” to reboot the computer and finish applying the updates.

6 Log in to Windows and open an elevated (Administrator) PowerShell.

Issue the following command and verify that KB 4096309 has been installed:

Get-HotFix

Verify the Mitigations by Setting Windows Server 2016 Registry Values

Complete the following steps to set or verify the registry values that enable the mitigations mentioned in About Speculative Execution Side-Channel Vulnerabilities:

Step Activity

1 Open an elevated (Administrator) PowerShell. Issue the following three commands to set the registry values (each command should be entered as one continuous line, despite the wrapping in this document):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

For more information, refer to https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

2 Execute the Restart-Computer cmdlet to reboot the HLH.

Updating the OME and OMNM VMs

To further ensure that guest-to-host and guest-to-guest memory access is protected against potential exploits, the OS update and registry settings should also be applied to the virtual machines that run on the HLH host.

Install the Cumulative Update on the OME and OMNM Virtual Machines

Complete the following steps to update Windows Server 2016 on the OME and OMNM virtual machines:

Note: The screenshots are examples and do not show the current versions or hotfixes.

Step Activity

1 From the HLH console, connect to the OME VM via RDP (or from Hyper-V Manager). Log on as the local Administrator.

2 Either place a copy of the Windows Server 2016 x86_64 Cumulative Update for March 2018 (KB 4096309)

locally on the VM, or connect to a file share location that contains the update package.

3 Run the update package.

Click “Yes” to allow the update to execute.

4 The update will progress through multiple stages and take several minutes to complete.

Note: This may take 25 minutes or more to complete.

5 When the update package has finished running, click “Restart Now” to reboot the computer and finish applying the updates.

Note: The reboot may take several minutes due to portions of the update that run before Windows

Server 2016 shuts down.

6 Log in to the VM (as in step 1) and open an elevated (Administrator) PowerShell.

Issue the following command and verify that KB 4096309 has been installed:

Get-HotFix

7 Repeat these same steps to apply the update on the OMNM virtual machine.

Enable Mitigations on the OME and OMNM Virtual Machines

Complete the following steps to set or verify the registry values that enable the mitigations mentioned in About Speculative Execution Side-Channel Vulnerabilities:

Step Activity

1 From the HLH console, connect to the OME VM via RDP (or from Hyper-V Manager). Log on as the local Administrator.

2 Open an elevated (Administrator) PowerShell. Issue the following three commands to set the registry values (each command should be entered as one continuous line, despite the wrapping in this document):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

For more information, refer to https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

3 Execute the Restart-Computer cmdlet to reboot the virtual machine.

4 Repeat these same steps to apply the update on the OMNM virtual machine.
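
The HLH host procedure and the OME/OMNM VM procedure above both end with the same two things to confirm: the cumulative update is present and the three registry values are set. The following read-only check is an added example, not part of the Dell EMC toolkit or the original guide; the function name Test-MitigationRegistry and the output layout are assumptions, while the KB number, registry paths, value names and expected data are the ones given in this guide. Run it in an elevated PowerShell on the HLH host and on each VM after the reboot.

```powershell
# Added example: verify the hotfix and registry values from this guide.
# It only reads state; it never writes to the registry.

$ExpectedKb = 'KB4096309'   # cumulative update named in this guide

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Value names and data exactly as set by the three "reg add" commands above.
$expected = @(
    @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Value = 0 },
    @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Value = 3 },
    @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0' }
)

function Test-MitigationRegistry {
    param([hashtable[]] $Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields $null instead of an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Value
            Actual   = $shown
            Pass     = ($null -ne $actual) -and ($actual -eq $c.Value)
        }
    }
}

# Hotfix check. A later cumulative update may replace this KB in the list,
# so treat a miss here as a prompt to look at the full Get-HotFix output.
$hotfix      = Get-HotFix | Where-Object HotFixID -eq $ExpectedKb
$hotfixState = if ($hotfix) { 'installed' } else { '<missing>' }

$results = @(
    [pscustomobject]@{
        Check    = "Hotfix $ExpectedKb"
        Expected = 'installed'
        Actual   = $hotfixState
        Pass     = [bool]$hotfix
    }
)
$results += Test-MitigationRegistry -Checks $expected

$results | Format-Table -AutoSize

# Non-zero exit code so the check can be used from a scheduled task or script.
if ($results.Pass -contains $false) {
    Write-Warning "$env:COMPUTERNAME: one or more checks failed."
    exit 1
}
Write-Host "$env:COMPUTERNAME: all checks passed."
```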

Running the Microsoft Patch and Updates on Azure Stack Scale Nodes.

IMPORTANT: This update package is only applicable for Azure Stack integrated systems. Do not apply

this update package to the Azure Stack Development Kit.

Build reference

The Azure Stack 1803 update build number is 20180329.1.

Prerequisites

IMPORTANT: Do not attempt to create virtual machines during the installation of this update. For more

information about managing updates, see Manage updates in Azure Stack overview.

Install the Azure Stack 1802 Update before you apply the Azure Stack 1803 update.

Procedure

The following procedure shows how to import and install updates as an Azure Stack operator.

Step Activity

1 Download the Azure Stack 1803 update package from Microsoft. The build number is 20180329.1.

Scroll down the page to the section “Download the update” and download the package. An update package will typically consist of a single self-extracting executable (.exe), corresponding bin files (.bin) and a single metadata (.xml) file.

The <package>.exe file contains the payload for the update, for example the latest cumulative update

for Windows Server.

The corresponding <package>.bin file(s) provide compression for the payload as associated with the

executable.

The metadata.xml file contains essential information about the update, for example the publisher, name,

prerequisite, size and support path URL.

2 To import the update package to Azure Stack, in the administrator portal, under Data + Storage, click Storage Accounts.

3 In the filter box, type update, and select the updateadminaccount.

4 In the updateadminaccount storage account details, under Services, select Blobs.

5 On the Blob service tile, click + Container to create a new container, give it a name (for example, update-1803), and then click OK.

Note: The name must start with a lower-case letter.

6 After the container is created, click Upload to upload the <package>.exe, any associated .bin files, and the metadata.xml files into the container.

7 Browse to the <package>.exe file, and then click Open in the file explorer window.

8 Next, click Upload in the administrator portal.

9 Do the same for the <package>.bin and metadata.xml files.

Note: There may be more than one .bin file.

10 When done, you can review the Notifications. A notification should indicate that upload has completed.

11 Navigate back to the Update tile to review the newly-added update package.

12 To install an update, select the package marked as Ready and either right-click and select Update now, or click Update now in the command bar at the top of the window.

How to review updates

You can drill into the Update tile to view information about updates that may have already been imported, or updates you plan to install on a certain date.

After an update package is uploaded to Azure Stack, the top-level Update tile indicates that an update is available and shows the current version of the stamp. See the following screenshots to review the in-line logging and “download full logs” features. The update availability information is sometimes not updated right away; refresh the portal and it should show “Update available”.

You can also click Download full logs to get the upgrade summary information log in JSON format.

Monitor updates in Azure Stack using the privileged endpoint

The following information is also available at Microsoft’s Azure Stack website, Monitor updates in Azure Stack

using the privileged endpoint. It is recommended to visit the website in order to get the latest updates and

changes made by the Microsoft Azure Stack team.

Applies to: Azure Stack integrated systems

You can use the privileged endpoint to monitor the progress of an Azure Stack update run, and to resume a

failed update run from the last successful step.

The following new PowerShell cmdlets for update management are included in the 1710 update for Azure

Stack integrated systems:

Cmdlet                          Description
Get-AzureStackUpdateStatus      Returns the status of the currently running, completed, or failed update. Provides the high-level status of the update operation, and an XML document that describes both the current step and the corresponding state.
Get-AzureStackUpdateVerboseLog  Returns the verbose logs that are generated by the update.
Resume-AzureStackUpdate         Resumes a failed update at the point where it failed. In certain scenarios, you may have to complete mitigation steps before you resume the update.

Verify the cmdlets are available

Because the cmdlets are new in the 1710 update package for Azure Stack, the 1710 update process needs to

get to a certain point before the monitoring capability is available. Typically, the cmdlets are available if the

status in the administrator portal indicates that the 1710 update is at the Restart Storage Hosts step.

Specifically, the cmdlet update occurs during Step: Running step 2.6 - Update PrivilegedEndpoint whitelist.

You can also determine whether the cmdlets are available programmatically by querying the command list

from the privileged endpoint. To do this, run the following commands from the hardware lifecycle host or from

a Privileged Access Workstation. Also, make sure the privileged endpoint is a trusted host. For more

information, see step 1 of Access the privileged endpoint.

1. Create a PowerShell session on any of the ERCS virtual machines in your Azure Stack environment

(Prefix-ERCS01, Prefix-ERCS02, or Prefix-ERCS03). Replace Prefix with the virtual machine prefix

string that’s specific to your environment.

$cred = Get-Credential
$pepSession = New-PSSession -ComputerName <Prefix>-ercs01 -Credential $cred -ConfigurationName PrivilegedEndpoint

When prompted for credentials, use the <Azure Stack domain>\cloudadmin account, or an account

that's a member of the CloudAdmins group. For the CloudAdmin account, enter the same password

that was provided during installation for the AzureStackAdmin domain administrator account.

2. Get the full list of commands that are available in the privileged endpoint.

$commands = Invoke-Command -Session $pepSession -ScriptBlock { Get-Command }

3. Determine if the privileged endpoint was updated.

$updateManagementModuleName = "Microsoft.Azurestack.UpdateManagement"
if (($commands | ? Source -eq $updateManagementModuleName)) {
    Write-Host "Privileged endpoint was updated to support update monitoring tools."
} else {
    Write-Host "Privileged endpoint has not been updated yet. Please try again later."
}

4. List the commands specific to the Microsoft.AzureStack.UpdateManagement module.

$commands | ? Source -eq $updateManagementModuleName

For example:

$commands | ? Source -eq $updateManagementModuleName

CommandType  Name                            Version  Source                                 PSComputerName
-----------  ----                            -------  ------                                 --------------
Function     Get-AzureStackUpdateStatus      0.0      Microsoft.Azurestack.UpdateManagement  Contoso-ercs01
Function     Get-AzureStackUpdateVerboseLog  0.0      Microsoft.Azurestack.UpdateManagement  Contoso-ercs01
Function     Resume-AzureStackUpdate         0.0      Microsoft.Azurestack.UpdateManagement  Contoso-ercs01

Use the update management cmdlets

Note: Run the following commands from the hardware lifecycle host or from a Privileged Access

Workstation. Also, make sure the privileged endpoint is a trusted host. For more information, see step 1

of Access the privileged endpoint.

Connect to the privileged endpoint and assign session variable

Run the following commands to create a PowerShell session on any of the ERCS virtual machines in your Azure Stack environment (Prefix-ERCS01, Prefix-ERCS02, or Prefix-ERCS03), and to assign a session variable.

$cred = Get-Credential
$pepSession = New-PSSession -ComputerName <Prefix>-ercs01 -Credential $cred -ConfigurationName PrivilegedEndpoint

When prompted for credentials, use the <Azure Stack domain>\cloudadmin account, or an account that's a

member of the CloudAdmins group. For the CloudAdmin account, enter the same password that was

provided during installation for the AzureStackAdmin domain administrator account.

Get high-level status of the current update run

To get a high-level status of the current update run, run the following commands:

$statusString = Invoke-Command -Session $pepSession -ScriptBlock { Get-AzureStackUpdateStatus -StatusOnly }
$statusString.Value

Possible values include:

Running

Completed

Failed

Canceled

You can run these commands repeatedly to see the most up-to-date status. You don't have to re-establish a

connection to check again.

Get the full update run status with details

You can get the full update run summary as an XML string. You can write the string to a file for examination, or convert it to an XML document and use PowerShell to parse it. The following command parses the XML to get a hierarchical list of the currently running steps.

[xml]$updateStatus = Invoke-Command -Session $pepSession -ScriptBlock { Get-AzureStackUpdateStatus }
$updateStatus.SelectNodes("//Step[@Status='InProgress']")

In the following example, the top-level step (Cloud Update) has a child plan to update and restart the storage

hosts. It shows that the Restart Storage Hosts plan is updating the Blob Storage service on one of the hosts.

[xml]$updateStatus = Invoke-Command -Session $pepSession -ScriptBlock { Get-AzureStackUpdateStatus }
$updateStatus.SelectNodes("//Step[@Status='InProgress']")

FullStepIndex : 2
Index         : 2
Name          : Cloud Update
Description   : Perform cloud update.
StartTimeUtc  : 2017-10-13T12:50:39.9020351Z
Status        : InProgress
Task          : Task

FullStepIndex  : 2.9
Index          : 9
Name           : Restart Storage Hosts
Description    : Restart Storage Hosts.
EceErrorAction : Stop
StartTimeUtc   : 2017-10-13T15:44:06.7431447Z
Status         : InProgress
Task           : Task

FullStepIndex : 2.9.2
Index         : 2
Name          : PreUpdate ACS Blob Service
Description   : Check function level, update deployment artifacts, configure Blob service settings
StartTimeUtc  : 2017-10-13T15:44:26.0708525Z
Status        : InProgress
Task          : Task

Get the verbose progress log

You can write the log to a file for examination. This can help you diagnose an update failure.

$log = Invoke-Command -Session $pepSession -ScriptBlock { Get-AzureStackUpdateVerboseLog }
$log > ".\UpdateVerboseLog.txt"

Actively view the verbose logging

To actively view the verbose log during an update run and jump to the most recent entries, run the following commands to enter the session in interactive mode, and to show the log:

Enter-PSSession -Session $pepSession
Get-AzureStackUpdateVerboseLog -Wait

The log updates every 60 seconds, and new content (if available) is written to the console.

During long-running background processes, the console output may not be written to the console for some

time. To cancel the interactive output, press Ctrl+C.

Resume a failed update operation

If the update fails, you can resume the update run where it left off.

Invoke-Command -Session $pepSession -ScriptBlock { Resume-AzureStackUpdate }

Troubleshooting

The privileged endpoint is available on all ERCS virtual machines in the Azure Stack environment. Because

the connection is not made to a highly available endpoint, you may experience occasional interruptions,

warnings, or error messages. These messages may indicate that the session was disconnected or that there

was an error communicating with the ECE Service. This behavior is expected. You can retry the operation in

a few minutes or create a new privileged endpoint session on one of the other ERCS virtual machines.
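
The status polling and the session failover described above can be combined into one monitoring loop. This is an added example, not code from Microsoft or Dell EMC; the function name Connect-Pep, the $Prefix parameter and the five-minute polling interval are assumptions, and every cmdlet it calls inside the privileged endpoint is one listed in this guide.

```powershell
# Added example: poll the update run through the privileged endpoint and
# reconnect through another ERCS VM when the session drops.
param(
    [Parameter(Mandatory)] [string] $Prefix,   # VM prefix of your environment
    [int] $PollSeconds = 300                    # assumed polling interval
)

# Use <Azure Stack domain>\cloudadmin or a member of the CloudAdmins group.
$cred = Get-Credential
$ercs = 'ercs01', 'ercs02', 'ercs03' | ForEach-Object { "$Prefix-$_" }
$pepSession = $null

function Connect-Pep {
    # Try each ERCS VM in turn and return the first session that opens.
    foreach ($vm in $ercs) {
        try {
            return New-PSSession -ComputerName $vm -Credential $cred `
                -ConfigurationName PrivilegedEndpoint -ErrorAction Stop
        } catch {
            Write-Warning "No session on ${vm}: $($_.Exception.Message)"
        }
    }
    return $null
}

$status = $null
while ($true) {
    # (Re)establish the session if it is missing or no longer open.
    if (-not $pepSession -or $pepSession.State -ne 'Opened') {
        if ($pepSession) { Remove-PSSession $pepSession -ErrorAction SilentlyContinue }
        $pepSession = Connect-Pep
        if (-not $pepSession) {
            Start-Sleep -Seconds $PollSeconds
            continue
        }
    }

    try {
        $statusString = Invoke-Command -Session $pepSession -ErrorAction Stop -ScriptBlock {
            Get-AzureStackUpdateStatus -StatusOnly
        }
        $status = $statusString.Value
    } catch {
        # Expected from time to time: the endpoint is not highly available.
        Write-Warning "Status query failed, reconnecting: $($_.Exception.Message)"
        Remove-PSSession $pepSession -ErrorAction SilentlyContinue
        $pepSession = $null
        Start-Sleep -Seconds 60
        continue
    }

    Write-Host ("{0:u}  {1}  (via {2})" -f (Get-Date), $status, $pepSession.ComputerName)

    # Running is the only non-terminal value; Completed, Failed and Canceled end the loop.
    if ($status -ne 'Running') { break }
    Start-Sleep -Seconds $PollSeconds
}

if ($status -eq 'Failed') {
    # Keep the verbose log for diagnosis before deciding whether to resume.
    $log = Invoke-Command -Session $pepSession -ScriptBlock { Get-AzureStackUpdateVerboseLog }
    $log > ".\UpdateVerboseLog.txt"
    Write-Warning "Update failed. Verbose log saved to .\UpdateVerboseLog.txt"
}

Remove-PSSession $pepSession -ErrorAction SilentlyContinue
```

The loop deliberately stops at Failed without calling Resume-AzureStackUpdate, because mitigation steps may be needed before the update is resumed.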

New features

This update includes the following improvements and fixes for Azure Stack.

- Update Azure Stack secrets - (Accounts and Certificates). For more information about managing secrets, see Rotate secrets in Azure Stack.

- Automatic redirect to HTTPS when you use HTTP to access the administrator and user portals. This improvement was made based on UserVoice feedback for Azure Stack.

- Access the Marketplace – You can now open the Azure Stack Marketplace by using the +New option from within the admin and user portals the same way you do in the Azure portals.

- Azure Monitor - Azure Stack adds Azure Monitor to the admin and user portals. This includes new explorers for metrics and activity logs. To access this Azure Monitor from external networks, port 13012 must be open in firewall configurations. For more information about ports required by Azure Stack, see Azure Stack datacenter integration - Publish endpoints.

  Also as part of this change, under More services, Audit logs now appears as Activity logs. The functionality is now consistent with the Azure portal.

- Sparse files - When you add a new image to Azure Stack, or add an image through marketplace syndication, the image is converted to a sparse file. Images that were added prior to using Azure Stack version 1803 cannot be converted. Instead, you must use marketplace syndication to resubmit those images to take advantage of this feature.

  Sparse files are an efficient file format used to reduce storage space use, and improve I/O. For more information, see Fsutil sparse for Windows Server.

Fixed issues

- Fixed - Internal Load Balancing (ILB) now properly handles MAC addresses for back-end VMs. Previously, this issue caused ILB to drop packets to the back-end network when using Linux instances on the back-end network; ILB worked fine with Windows instances on the back-end network.

- Fixed - An issue where VPN Connections between Azure Stack would become disconnected due to Azure Stack using different settings for the IKE policy than Azure. The values now match the values in Azure.

- Fixed - An issue where the IP Forwarding control for VPN Connections was visible in the portal, but enabling or toggling IP Forwarding had no effect. The feature is turned on by default and the ability to change this is not yet supported. The control has been removed from the portal.

- Fixed - Azure Stack does not support Policy Based VPN Gateways, even though the option appeared in the Portal. The option has been removed from the Portal.

- Fixed - An issue where Network Security Group Rules could not be updated from the Portal.

- Fixed - Azure Stack now prevents resizing of a virtual machine that is created with dynamic disks.

- Fixed - Usage data for virtual machines is now separated at hourly intervals. This is consistent with Azure.

- Fixed - An issue where, in the admin and user portals, the Settings blade for vNet Subnets fails to load. As a workaround, use PowerShell and the Get-AzureRmVirtualNetworkSubnetConfig cmdlet to view and manage this information.

- Fixed - When you create a virtual machine, the message Unable to display pricing no longer appears when choosing a size for the VM.

- Various fixes for performance, stability, security, and the operating system that is used by Azure Stack.

Changes

The way to change the state of a newly created offer from private to public or decommissioned has changed.

For more information, see Create an offer.

Known issues with the update process

There are no known issues for the installation of update 1803.

Known issues (post-installation)

The following are post-installation known issues for build 20180323.2.

Portal

The ability to open a new support request from the dropdown from within the administrator portal isn’t available. Instead, use the following link:

- For Azure Stack integrated systems, use https://aka.ms/newsupportrequest.

In the admin portal, it is not possible to edit storage metrics for Blob service, Table service, or Queue service. When you go to Storage, and then select the blob, table, or queue service tile, a new blade opens that displays a metrics chart for that service. If you then select Edit from the top of the metrics chart tile, the Edit Chart blade opens but does not display options to edit metrics.

It might not be possible to view compute or storage resources in the administrator portal. The cause of this issue is an error during the installation of the update that causes the update to be incorrectly reported as successful. If this issue occurs, contact Microsoft Customer Support Services for assistance.

You might see a blank dashboard in the portal. To recover the dashboard, select the gear icon in the upper right corner of the portal, and then select Restore default settings.

When you view the properties of a resource or resource group, the Move button is disabled. This behavior is expected. Moving resources or resource groups between resource groups or subscriptions is not currently supported.

Deleting user subscriptions results in orphaned resources. As a workaround, first delete user resources or the entire resource group, and then delete user subscriptions.

You cannot view permissions to your subscription using the Azure Stack portals. As a workaround, use PowerShell to verify permissions.

In the dashboard of the admin portal, the Update tile fails to display information about updates. To resolve this issue, click on the tile to refresh it.

In the admin portal, you might see a critical alert for the Microsoft.Update.Admin component. The Alert name, description, and remediation all display as:

- ERROR - Template for FaultType ResourceProviderTimeout is missing.

This alert can be safely ignored.

Marketplace

Users can browse the full marketplace without a subscription and can see administrative items like plans and offers. These items are non-functional to users.

Compute

Scaling settings for virtual machine scale sets are not available in the portal. As a workaround, you can use Azure PowerShell. Because of PowerShell version differences, you must use the -Name parameter instead of -VMScaleSetName.

You cannot scale up a virtual machine scale set (VMSS) that was created when using Azure Stack prior to version 1803. This is due to the change in support for using availability sets with virtual machine scale sets. This support is added with version 1803. When you attempt to add additional instances to scale a VMSS that was created prior to this support being added, the action fails with the message Provisioning state failed. We are investigating a fix for this issue to enable an older VMSS to scale, and will update this content if and when that is available.

When you create an availability set in the portal by going to New > Compute > Availability set, you can only create an availability set with a fault domain and update domain of 1. As a workaround, when creating a new virtual machine, create the availability set by using PowerShell, CLI, or from within the portal.

When you create virtual machines on the Azure Stack user portal, the portal displays an incorrect number of data disks that can attach to a DS series VM. DS series VMs can accommodate as many data disks as the Azure configuration.

When a VM image fails to be created, a failed item that you cannot delete might be added to the VM images compute blade.

As a workaround, create a new VM image with a dummy VHD that can be created through Hyper-V (New-VHD -Path C:\dummy.vhd -Fixed -SizeBytes 1GB). This process should fix the problem that prevents deleting the failed item. Then, 15 minutes after creating the dummy image, you can successfully delete it.

You can then try to redownload the VM image that previously failed.

If provisioning an extension on a VM deployment takes too long, users should let the provisioning time-out instead of trying to stop the process to deallocate or delete the VM.

Linux VM diagnostics is not supported in Azure Stack. When you deploy a Linux VM with VM diagnostics enabled, the deployment fails. The deployment also fails if you enable the Linux VM basic metrics through diagnostic settings.

Networking

After a VM is created and associated with a public IP address, you can't disassociate that VM from that IP address. Disassociation appears to work, but the previously assigned public IP address remains associated with the original VM.

Currently, you must use only new public IP addresses for new VMs you create.

This behavior occurs even if you reassign the IP address to a new VM (commonly referred to as a VIP swap). All future attempts to connect through this IP address result in a connection to the originally associated VM, and not to the new one.

Azure Stack supports a single local network gateway per IP address. This is true across all tenant subscriptions. After the creation of the first local network gateway connection, subsequent attempts to create a local network gateway resource with the same IP address are blocked.

On a Virtual Network that was created with a DNS Server setting of Automatic, changing to a custom DNS Server fails. The updated settings are not pushed to VMs in that Vnet.

Azure Stack does not support adding additional network interfaces to a VM instance after the VM is deployed. If the VM requires more than one network interface, they must be defined at deployment time.

SQL and MySQL

Before proceeding, review the important note in "Before you begin" near the start of the release notes.

It can take up to one hour before users can create databases in a new SQL or MySQL deployment.

Only the resource provider is supported to create items on servers that host SQL or MySQL. Items created on a host server that are not created by the resource provider might result in a mismatched state.

Note:

After you update to Azure Stack 1803, you can continue to use the SQL and MySQL resource providers that you previously deployed. We recommend you update SQL and MySQL when a new release becomes available. Like Azure Stack, apply updates to SQL and MySQL resource providers sequentially. For example, if you use version 1711, first apply version 1712, then 1802, and then update to 1803.

The installation of update 1803 does not affect the current use of SQL or MySQL resource providers by your users. Regardless of the version of the resource providers you use, your users' data in their databases is not touched, and remains accessible.

App Service

Users must register the storage resource provider before they create their first Azure Function in the subscription.

In order to scale out infrastructure (workers, management, front-end roles), you must use PowerShell.

Usage

Usage Public IP address usage meter data shows the same EventDateTime value for each record instead of the TimeDate stamp that shows when the record was created. Currently, you cannot use this data to perform accurate accounting of public IP address usage.

Appendix A. iDRAC Update (Local File)

Note: This procedure is only for the iDRAC firmware. For any other updates, refer to the appropriate documentation for the correct procedures.

1. From the HLH Host, open Internet Explorer and connect to the iDRAC IP of the first host that needs to be updated.

2. In the left-hand navigation pane, expand "iDRAC Settings", then select "Update and Rollback."

3. Select "Local" for the "File Location", and click "Browse" to open the file picker and select the update package for the iDRAC from D:\DUPS\

a. Click "Upload" to start copying the firmware to the iDRAC controller.

b. The upload progress will be displayed under "Update Details."

4. After the upload has completed, select the iDRAC firmware update (click its check box), and then click "Install" to begin the upgrade process.

a. A dialog box displays. Click the "Job Queue" button in this dialog box to monitor the update progress.

5. Observe the "System Alert" at the top of the "Job Queue" page. Because we are updating the firmware for the iDRAC itself, there may be a temporary loss in connectivity as the firmware is being applied to the controller.

6. When the job status shows "Completed", close the browser tab. Open a new tab and attempt to reconnect to the iDRAC. It may take a minute or two before you are able to log in.

7. Verify that the "Firmware Version" and "Lifecycle Controller Firmware" have both been successfully updated.

8. Log out of the iDRAC, connect to the next host, and repeat this process until the HLH and all of the Scale Unit Nodes have been successfully updated.
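
Steps 7 and 8 can be cross-checked from the HLH in one pass once every controller has been updated. The script below is an added example, not part of the Dell EMC guide: it reads the iDRAC firmware version from each controller's Redfish Manager resource and flags any host that does not report the expected version. It assumes the iDRAC Redfish API is enabled and that the HLH trusts the iDRAC TLS certificates; the addresses and the expected version are placeholders to fill in.

```powershell
# Added example: audit iDRAC firmware versions after the Appendix A procedure.
# Assumptions (not from the guide): the iDRAC Redfish API is enabled, this host
# trusts the iDRAC TLS certificates, and the values below are placeholders.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$ExpectedVersion = '<EXPECTED_IDRAC_VERSION>'   # version of the package applied from D:\DUPS\
$IdracAddresses  = @('<HLH_IDRAC_IP>', '<NODE01_IDRAC_IP>', '<NODE02_IDRAC_IP>')
$Credential      = Get-Credential -Message 'iDRAC account'

function Get-IdracFirmwareVersion {
    param(
        [Parameter(Mandatory)] [string] $Address,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Redfish Manager resource exposed by iDRAC; FirmwareVersion is a standard property.
    $uri = "https://$Address/redfish/v1/Managers/iDRAC.Embedded.1"
    $manager = Invoke-RestMethod -Uri $uri -Credential $Credential -Method Get -TimeoutSec 30
    return $manager.FirmwareVersion
}

$report = foreach ($address in $IdracAddresses) {
    try {
        $version = Get-IdracFirmwareVersion -Address $address -Credential $Credential
        [pscustomobject]@{
            Idrac   = $address
            Version = $version
            Status  = if ($version -eq $ExpectedVersion) { 'Updated' } else { 'Mismatch' }
        }
    }
    catch {
        # A controller that is still restarting after the update (step 5) is
        # reported as unreachable rather than silently skipped.
        [pscustomobject]@{
            Idrac   = $address
            Version = $null
            Status  = "Unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Anything not marked 'Updated' needs the procedure repeated or a later re-check.
$pending = @($report | Where-Object Status -ne 'Updated')
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) iDRAC(s) do not report version $ExpectedVersion."
}
```

This checks only the iDRAC firmware version; the "Lifecycle Controller Firmware" value from step 7 is still confirmed in the iDRAC web interface.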