SUSE Linux Enterprise and Azure Hybrid Benefit

During Microsoft Ignite 2020 the support of Azure Hybrid Benefit for SUSE Pay As You Go was announced.  This is the result of a combined effort that includes changes in the Azure IMDS (Instance Metadata Service) and the SUSE region based update infrastructure that supports PAYG instances. Let’s
get into the details about what that means and why this is significant.

We all know the story. Let’s set up a POC to see if it works and the POC then grows and turns into a production setup. The beauty of the cloud is that the POC can be started on small instances on a shoe string budget and since it’s a POC systems get turned off when no one is working on the POC. This approach makes things very cost efficient and streamlined. For convenience to access to updates initiatives like this often use on-demand instances which is also an easy way to avoid involving operations and checking for compliance as PAYG has everything built in. So far so good. The problem now arises when the whole kit and caboodle goes into production. Instances get bigger, everything has to run 24×7, there are corporate standards to follow and existing support contracts to consider and so on and so forth. This happens often enough that on a more or less regular basis the “it would sure be nice to turn those PAYG instances into BYOS (Bring Your Own Subscription) instances” conversation gets started. So far the answer has always been, “sorry no can do.” This is where Azure Hybrid Benefit comes into play. For now in preview, but soon enough in GA as simple command

az vm update --license-type SLES_BYOS -n $NAME_OF_THE_INSTANCE -g
$NAME_OF_THE_RESOURCE_GROUP

will switch your instance to be BYOS instead of PAYG. As can be seen from the command, a resource group is necessary and thus this feature is not available for Classic VMs. There will also be a switch in the Azure Web-UI to make this switch.

What happens once the command is issued is that on the Azure side the instance metadata will be updated to indicate that the instance is now BYOS and that tells the Azure billing infrastructure to no longer track the instance as a SUSE PAYG instance. On the SUSE side this implies, since the instance is no longer tracked as PAYG the user will manage updates by some other means rather then through the SUSE region local update infrastructure. In order to make all of this work together as intended client side and server side changes are needed. The server side changes for the update infrastructure were rolled out with the announcement and the client side changes are available through package updates.

Update 2021-05-17:

Due to changes in the IMDS implementation in Azure, which were discovered during final testing an update to the python3-azuremetadata package was necessary. Therefore the minimum version for AHB is now 5.1.4 and the tarballs have been updated. This effectively extended the grace period. Instance validation for AHB will be enabled server side on June 18th, two weeks after the next expected image refresh.

End update 2021-05-17

In order to take advantage of Azure Hybrid Benefit you will need to have

cloud-regionsrv-client-9.1.3
python3-azuremetadata-5.1.4
regionServiceClientConfigAzure-1.0.5

or later versions installed. With these updates the client will send the necessary information to the update infrastructure to identify the instance as PAYG or as BYOS within the Azure Hybrid Benefit framework. Given that there are update windows for running instances etc a 6 months transition period is in place where the changes on the update infrastructure will not verify the additional data being sent by the client. At the end of March 2021 the update infrastructure will check for the data and instances that do not send the data will loose access to the update infrastructure.

For those that find this information after March 2021 and just lost access you are in a chicken and egg problem. You need the new packages but you can’t get them from the update infrastructure. Therefore an outof band update is available for SLES 12 based instances use

wget --no-check-certificate
https://52.188.224.179/late_instance_offline_ahb_SLE12.tar.gz
sha1sum late_instance_offline_ahb_SLE12.tar.gz
adc8dae8cb475703303291927c788b0488820ce5 late_instance_offline_ahb_SLE12.tar.gz
tar -xf late_instance_offline_ahb_SLE12.tar.gz
cd late_update
zypper --no-refresh --no-remote --non-interactive in *.rpm

for SLES 15 based instances use

wget --no-check-certificate
https://52.188.224.179/late_instance_offline_ahb_SLE15.tar.gz
sha1sum late_instance_offline_ahb_SLE15.tar.gz
d082888a9a3da757178e9cdfda40e76b3f644aac late_instance_offline_ahb_SLE15.tar.gz
tar -xf late_instance_offline_ahb_SLE15.tar.gz
cd late_update
zypper --no-refresh --no-remote --non-interactive in *.rpm

This will get you back to working operation w.r.t. access of the update infrastructure.

With this the switching from PAYG to BYOS in Azure is possible and will eliminate some headaches.