Upload, create, and populate a managed disk
This topic describes how to create a managed disk to populate with the Access Gateway image.
Download and decompress
- Connect to the new virtual machine (VM). Use the IP address from the task in Prepare a temporary virtual machine disk and establish an ssh session.
ssh okta@AA.BB.CC.DD
- Use wget to download the latest Access Gateway Microsoft Azure fixed disk image.
cd /home/okta ; wget https://download.oag.okta.com/ga/oag_azure.vhd.gz
- Unpack the fixed disk image to a temporary location on the /datadrive.
sudo mkdir /datadrive/temp ; sudo cp oag_azure.vhd.gz /datadrive/temp ; sudo gunzip -v /datadrive/temp/oag_azure.vhd.gz --keep
Enter this command to watch the progress of the unzip operation:
watch -d 'ls -l /datadrive/temp/'
Depending on the size of the disk and the speed of the VM, it can take 60–90 minutes to decompress the disk file.
If you encounter ssh timeout issues, consider running the decompress process in the background using nohup and routing the output to a log file.
nohup sudo gunzip . . . > unzip.log 2>&1 &
Install Microsoft Azure CLI and AzCopy tools
- Change the directory.
cd /datadrive/temp
- Install the Microsoft Azure command-line interface.
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
- Install AzCopy.
sudo wget https://aka.ms/downloadazcopy-v10-linux ; sudo tar -xvf downloadazcopy-v10-linux
Create and populate a managed disk
- After installing the Microsoft Azure environment, use the az login command to sign in to the app.
- Sign in to AzCopy and get the tenant ID. See How to find your Microsoft Entra tenant ID.
cd /datadrive/temp/azcopy_linux_amd64_10.3.4 ; sudo ./azcopy login --tenant-id=<the tenant id from the output of az login>
- Sign in or return to the Microsoft Azure command-line interface.
az login
- Use the az disk create command to create a disk large enough to contain the OVA disk file.
az disk create -n <virtual-disk> --resource-group <resource-group> --location <location> --for-upload --upload-size-bytes <size> --sku standard_lrs
- <virtual-disk>: The name of the virtual disk. It's typically the same as the OVA disk, but without the suffix.
- <resource-group>: The name of the previously created resource group.
- <location>: The location of the resource group.
- <size>: The size of the disk in bytes.
- --sku standard_lrs: This is a required parameter.
Here's an example of this command with the parameters populated with values:
az disk create -n Okta-AccessGatewayDisk --resource-group AccessGateway --location eastus --for-upload --upload-size-bytes 236246270464 --sku standard_lrs
When you run this command, the following results appear:
{
  "creationData": {
    "createOption": "Upload",
    "imageReference": null,
    "sourceResourceId": null,
    "sourceUniqueId": null,
    "sourceUri": null,
    "storageAccountId": null,
    "uploadSizeBytes": 20972032
  },
  . . .
  "tags": {},
  "timeCreated": "2020-04-20T17:51:29.894626+00:00",
  "type": "Microsoft.Compute/disks",
  "uniqueId": "d1485574-. . . ",
  "zones": null
}
The file size of the created disk must be an exact match to the file size used when copying the disk image. Use a command, like ls -ln, to determine the file size in bytes.
- Use the az disk grant-access command to create a shared access token. You can use this to grant access to the disk.
az disk grant-access -n <virtual-disk> -g <resource-group> --access-level Write --duration-in-seconds 86400
- <virtual-disk>: The name of the virtual disk.
- <resource-group>: The name of the previously created resource group.
- --access-level Write: The required write access level.
- --duration-in-seconds 86400: The lifetime of the shared access token in seconds.
Here's an example of this command with the parameters populated with values:
az disk grant-access -n Okta-AccessGatewayDisk --resource-group AccessGateway --access-level Write --duration-in-seconds 86400
When you run this command, the following results appear:
"accessSas": "https://md-. . . VY1SlQ79TOnwoMaVHjaqkmVlU%3D"
- Upload the disk file using the azcopy copy command.
cd /datadrive/temp/azcopy_linux_amd64_10.3.4 ; sudo ./azcopy copy <path-to-disk> <accessSas> --blob-type PageBlob
- <path-to-disk>: The fully qualified path to the fixed disk that you created previously.
- <accessSas>: The value from the az disk grant-access command.
Here's an example of this command with the parameters populated with values:
sudo ./azcopy copy /datadrive/temp/oag.vhd "https://md-impexp-t4pdnf22n02h.blob.core.windows.net/p15jhr4gwqhl/abcd?sv=2017-04-17&sr=b&si=b1154122-1458-4f02-a226-1554c66938c0&sig=vGnmhmKMY92r3ecQLlAEXtEHzRCFTsa5rrIxNsQqaZY%3D" --blob-type PageBlob
AzCopy uses the AZCOPY_CONCURRENCY_VALUE environment variable to control the upload process. Setting this variable to AUTO causes AzCopy to attempt to optimize the upload process.
Here's an example of a command using the AZCOPY_CONCURRENCY_VALUE environment variable:
export AZCOPY_CONCURRENCY_VALUE=AUTO
sudo -E nohup ./azcopy copy /datadrive/temp/oag.vhd \
"https://md-. . . VY1SlQ79TOnwoMaVHjaqkmVlU%3D" \
--blob-type PageBlob > /tmp/azcopy.log 2>&1 &
- Monitor the copy using a command similar to this one:
tail -f /tmp/azcopy.log
When you run the tail command, the following results appear:
INFO: Scanning...
Job 50d659dd-6174-fe4d-78b1-5f97e305fdee has started
Log file is located at: ~/.azcopy/50d659dd-6174-fe4d-78b1-5f97e305fdee.log
INFO: Trying 4 concurrent connections (initial starting point)
INFO: Trying 16 concurrent connections (seeking optimum)
. . .
INFO: Trying 5 concurrent connections (at optimum)
. . .
Elapsed Time (Minutes): 78.9381
Total Number Of Transfers: 1
Number of Transfers Completed: 1
. . .
Total Bytes Transferred: 236223201792
Final Job Status: Completed
- Use the az disk revoke-access command to revoke the previously granted access after the disk has been copied.
az disk revoke-access --name "<virtual-disk>" --resource-group "<resource-group>"
- <virtual-disk>: The name of the disk where access was granted.
- <resource-group>: The resource group that contains the disk.
Here's an example of the az disk revoke-access command with the parameters populated with values:
az disk revoke-access --name "Okta-AccessGateway-2020.5.0" --resource-group "AccessGateway"
Running this command produces the following results:
- Running
If you don't run the az disk revoke-access command, an error occurs because the disk isn't available for use.
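The create, grant, upload, and revoke steps above as one script, added here as an example; it is not Okta's or Microsoft's code. It takes the exact byte count from the file, checks the fixed-VHD footer before creating the disk, keeps the SAS out of the terminal and logs, and revokes access even when the copy fails. The function names are assumptions, as is having az and azcopy on the PATH with az login already done.

```shell
# Added example: defines functions only; nothing runs until upload_vhd is called.

# Exact size in bytes: the value az disk create needs for --upload-size-bytes.
vhd_size_bytes() {
  stat -c %s "$1"
}

# Check the file before creating the disk. A fixed VHD ends with a 512-byte
# footer that starts with the cookie "conectix"; the data before the footer
# must be a whole number of MiB. A truncated file fails the cookie check.
check_fixed_vhd() {
  local file="$1" size cookie
  size=$(vhd_size_bytes "$file") || return 1
  [ "$size" -gt 512 ] || { echo "too small for a fixed VHD: $size" >&2; return 1; }
  cookie=$(tail -c 512 "$file" | head -c 8)
  [ "$cookie" = "conectix" ] || { echo "VHD footer not found" >&2; return 1; }
  [ $(( (size - 512) % 1048576 )) -eq 0 ] || { echo "data not MiB-aligned" >&2; return 1; }
}

# Create, upload, revoke. Arguments: <vhd-path> <virtual-disk> <resource-group> <location>
upload_vhd() {
  local file="$1" disk="$2" rg="$3" loc="$4" size sas rc=0
  check_fixed_vhd "$file" || return 1
  size=$(vhd_size_bytes "$file")
  az disk create -n "$disk" --resource-group "$rg" --location "$loc" \
    --for-upload --upload-size-bytes "$size" --sku standard_lrs >/dev/null || return 1
  # The SAS is a write credential: hold it in a variable, never echo or log it.
  sas=$(az disk grant-access -n "$disk" -g "$rg" --access-level Write \
    --duration-in-seconds 86400 --query accessSas -o tsv) || return 1
  azcopy copy "$file" "$sas" --blob-type PageBlob || rc=$?
  # Revoke whether or not the copy succeeded, so the SAS does not outlive the job.
  az disk revoke-access --name "$disk" --resource-group "$rg" || rc=$?
  return "$rc"
}
```

With the values used on this page, the call would be upload_vhd /datadrive/temp/oag_azure.vhd Okta-AccessGatewayDisk AccessGateway eastus.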