Messages - markes20754

#1
UPDATE: After posting this I was able to piece together some other articles and get this working. These are just my quick notes so someone smarter than me should be able to polish this up.

    # Disable the default swap file - Azure agent mounts a temp volume presented to the VM and creates its own swap file
    swapoff /dev/gpt/swapfs

    # Install the agent dependencies
    pkg upgrade
    pkg install -y sudo bash git

    # Check on the python path -- at the time of this post it's 3.9 and create the link for python
    ls /usr/local/bin/python*
    ln -s /usr/local/bin/python3.9 /usr/local/bin/python

    # Clone the agent
    git clone https://github.com/Azure/WALinuxAgent.git
    cd WALinuxAgent

    # Check the current stable build -- at the time of this post it's v2.10.0.8
    git checkout v2.10.0.8

    # Install the agent and register it as a service
    python setup.py install --register-service

    # Create links for the agent
    ln -sf /usr/local/sbin/waagent /usr/sbin/waagent
    ln -sf /usr/local/sbin/waagent2.0 /usr/sbin/waagent2.0

    # Set up the agent service scripts
    echo '#! /bin/sh' >> /usr/local/etc/rc.d/waagent.sh
    echo '/usr/local/sbin/waagent --daemon' >> /usr/local/etc/rc.d/waagent.sh
    chmod +x /usr/local/etc/rc.d/waagent.sh
    echo 'waagent_enable="YES"' >> /etc/rc.conf.local

    # Change the agent built swap from 16gb default to 6gb -- the temp volume in my VM was only 8GB
    sed -i .bak 's/ResourceDisk.SwapSizeMB=16384/ResourceDisk.SwapSizeMB=6144/g' /etc/waagent.conf

    # A quick version check. If this doesn't return the version something went wrong
    waagent -version

    service waagent status
    service waagent start
    service waagent status




#2
General Discussion / Azure Linux Agent Install
May 01, 2024, 11:39:40 PM
I've been able to find some references in posts but I haven't found any clear instructions on how to install the Azure Linux Agent onto an uploaded OPNSense HyperV image. Has anyone been able to successfully install and configure the agent? If so, could you share your steps?

Thanks in advance!
#3
Thanks! The Regex is a good idea.

Yes, the unique ID given to the ACL name is an OPNSense implementation but not one that's contained in other HAProxy implementations where unique ACL names aren't required and, in cases like this, are intentional.

You can see the difference in the OPNSense implementation and its unique ID "injection" when you compare the config file from an OPNSense HAProxy setup to another vendor's setup (let's use PFSense as an example).
#4
Consider the following combined host/vpath rules:

ACL NAME "MY_HOSTS"
Host: www.foo.com
Host: foo.com
Host: www.foo.co.uk

ACL_NAME "ALLOWED_VPaths"
VPath: /bar

Without the OR condition on the ACL in OPNSense, you need to create three rules to accomplish the rule condition to only allow https://www.foo.com/bar, https://foo.com/bar and https://www.foo.co.uk/bar.

With the OR condition on the same ACL name you can create one rule that effectively says:
(HOSTS Start With [https://www.foo.com OR https://foo.com OR https://www.foo.co.uk]) AND (VPATH Starts With [/bar])

Hope that makes sense.
#5
In the HAProxy documentation, an OR operator can be used by defining multiple ACLs with the same name. See https://www.haproxy.com/documentation/haproxy-configuration-tutorials/core-concepts/acls/#or-operator

You can also create an or statement by defining multiple ACLs with the same name. Below, the condition is again true if the requested URL path begins with /images/ or the URL path ends with .jpg:

    frontend www
      bind :80
      acl images_url path_beg /images/
      acl images_url path_end .jpg

      use_backend static_assets if images_url

    backend static_assets
      server s1 192.168.50.20:80


OPNsense's implementation of HAProxy generates a unique ID name for each ACL rather than using the actual name that the user gives in the GUI. This appears to make the use of this OR operator not possible. For example, let's say that I had two host names for the same website (foo.com and www.foo.com). If I created an ACL with both of these conditions and gave them both the same name, then in a "normal" HAProxy config (including PFSense), I would only need to build one rule. As it stands now, I have to create a unique rule for each condition and add all of those rules to the front-end pool.

If you examine the OPNSense HAProxy config export, both are given a unique system-generated ACL, which results in the OR condition not being applied.

    # ACL: h-www_foo_com
    acl acl_662818fddd6816.90414207 hdr(host) -i www.foo.com

    # ACL: h-www_foo_com
    acl acl_662830c24229a7.03064246 hdr(host) -i foo.com

    # ACTION: foo_com_rule
    use_backend foo_backend if acl_662818fddd6816.90414207


Would it be possible to have the system-generated ACL name be the same if the user-inputted ACL name is the same? This would allow for the OR condition to be used on OPNSense as it is with PFSense and other implementations.

Thanks!
Mark
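
A check for the situation described in the post above, as an added example that is not part of the original post or of OPNsense: it reads an exported HAProxy config, groups the generated ACL IDs by the GUI name in the preceding `# ACL:` comment, and lists the IDs that no rule condition references. It assumes the export layout shown in the excerpt (a `# ACL:` comment directly before each `acl` line); `find_split_acls` is a hypothetical helper name.

```python
import re

# Sample input: the export excerpt quoted in the post above.
SAMPLE_EXPORT = """\
    # ACL: h-www_foo_com
    acl acl_662818fddd6816.90414207 hdr(host) -i www.foo.com

    # ACL: h-www_foo_com
    acl acl_662830c24229a7.03064246 hdr(host) -i foo.com

    # ACTION: foo_com_rule
    use_backend foo_backend if acl_662818fddd6816.90414207
"""

ACL_COMMENT = re.compile(r"#\s*ACL:\s*(\S+)")       # GUI name in the comment
ACL_LINE = re.compile(r"acl\s+(\S+)\s")             # generated ACL id
CONDITION = re.compile(r"\s(?:if|unless)\s+(.*)$")  # condition of any rule line


def find_split_acls(config_text):
    """Map each GUI ACL name that was split across several generated IDs
    to those IDs and to the subset that no rule condition references."""
    ids_by_name = {}   # GUI name -> generated ids, in file order
    referenced = set() # every token seen in an if/unless condition
    pending_name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            m = ACL_COMMENT.match(line)
            if m:
                pending_name = m.group(1)
            continue
        m = ACL_LINE.match(line)
        if m:
            if pending_name:
                ids_by_name.setdefault(pending_name, []).append(m.group(1))
            pending_name = None
            continue
        m = CONDITION.search(line)
        if m:
            # Strip a leading "!" so negated ACLs still count as referenced.
            referenced.update(tok.lstrip("!") for tok in m.group(1).split())
    return {
        name: {"ids": ids, "unreferenced": [i for i in ids if i not in referenced]}
        for name, ids in ids_by_name.items() if len(ids) > 1
    }


if __name__ == "__main__":
    for name, info in find_split_acls(SAMPLE_EXPORT).items():
        print(name, "->", info["unreferenced"], "not used by any rule")
```

On the excerpt, the report shows that the `foo.com` condition is defined but never evaluated by `foo_com_rule`, which is the missing OR the post describes.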