OS and runtime patching in Azure App Service

This article shows you how to get certain version information regarding the OS or software in App Service.

App Service is a Platform-as-a-Service, which means that the OS and application stack are managed for you by Azure; you only manage your application and its data. More control over the OS and application stack is available to you in Azure Virtual Machines. With that in mind, it is nevertheless helpful for you as an App Service user to know more information, such as:

  • How and when are OS updates applied?
  • How is App Service patched against significant vulnerabilities (such as zero-day)?
  • Which OS and runtime versions are running your apps?

For security reasons, certain specifics of security information are not published. However, the article aims to alleviate concerns by maximizing transparency on the process, and how you can stay up-to-date on security-related announcements or runtime updates.

How and when are OS updates applied?

Azure manages OS patching on two levels, the physical servers and the guest virtual machines (VMs) that run the App Service resources. Both are updated monthly, which aligns to the monthly Patch Tuesday schedule. These updates are applied automatically, in a way that guarantees the high-availability SLA of Azure services.

For detailed information on how updates are applied, see Demystifying the magic behind App Service OS updates.

How does Azure deal with significant vulnerabilities?

When severe vulnerabilities require immediate patching, such as zero-day vulnerabilities, the high-priority updates are handled on a case-by-case basis.

Stay current with critical security announcements in Azure by visiting Azure Security Blog.

When are supported language runtimes updated, added, or deprecated?

New stable versions of supported language runtimes (major, minor, or patch) are periodically added to App Service instances. Some updates overwrite the existing installation, while others are installed side by side with existing versions. An overwrite installation means that your app automatically runs on the updated runtime. A side-by-side installation means you must manually migrate your app to take advantage of a new runtime version. For more information, see one of the subsections.

Runtime updates and deprecations are announced here:

Note

Information here applies to language runtimes that are built into an App Service app. A custom runtime you upload to App Service, for example, remains unchanged unless you manually upgrade it.

New patch updates

Patch updates to .NET, PHP, Java SDK, or Tomcat versions are applied automatically by overwriting the existing installation with the latest version. Node.js patch updates are installed side by side with the existing versions (similar to major and minor versions in the next section). New Python patch versions can be installed manually through site extensions, side by side with the built-in Python installations.

New major and minor versions

When a new major or minor version is added, it is installed side by side with the existing versions. You can manually upgrade your app to the new version. If you configured the runtime version in a configuration file (such as web.config and package.json), you need to upgrade with the same method. If you used an App Service setting to configure your runtime version, you can change it in the Azure portal or by running an Azure CLI command in the Cloud Shell, as shown in the following examples:

az webapp config set --net-framework-version v4.7 --resource-group <groupname> --name <appname>
az webapp config set --php-version 7.0 --resource-group <groupname> --name <appname>
az webapp config appsettings set --settings WEBSITE_NODE_DEFAULT_VERSION=8.9.3 --resource-group <groupname> --name <appname>
az webapp config set --python-version 3.8 --resource-group <groupname> --name <appname>
az webapp config set --java-version 1.8 --java-container Tomcat --java-container-version 9.0 --resource-group <groupname> --name <appname>

Deprecated versions

When an older version is deprecated, the removal date is announced so that you can plan your runtime version upgrade accordingly.

How can I query OS and runtime update status on my instances?

While critical OS information is locked down from access (see Operating system functionality on Azure App Service), the Kudu console enables you to query your App Service instance regarding the OS version and runtime versions.

The following table shows how to find the versions of Windows and of the language runtime that are running your apps:

Information | Where to find it
Windows version | See https://<appname>.scm.azurewebsites.net/Env.cshtml (under System info)
.NET version | At https://<appname>.scm.azurewebsites.net/DebugConsole, run the following command in the command prompt:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
.NET Core version | At https://<appname>.scm.azurewebsites.net/DebugConsole, run the following command in the command prompt:
dotnet --version
PHP version | At https://<appname>.scm.azurewebsites.net/DebugConsole, run the following command in the command prompt:
php --version
Default Node.js version | In the Cloud Shell, run the following command:
az webapp config appsettings list --resource-group <groupname> --name <appname> --query "[?name=='WEBSITE_NODE_DEFAULT_VERSION']"
Python version | At https://<appname>.scm.azurewebsites.net/DebugConsole, run the following command in the command prompt:
python --version
Java version | At https://<appname>.scm.azurewebsites.net/DebugConsole, run the following command in the command prompt:
java -version
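
Because Node.js patch updates are installed side by side, an app pinned through WEBSITE_NODE_DEFAULT_VERSION keeps running its pinned version until you change the setting. The following added example (not part of the original article or Microsoft's tooling) checks the JSON printed by the az webapp config appsettings list command above against a minimum version; the sample JSON, the REQUIRED_MINIMUM value and the function names are constructed assumptions.

```python
import json
import re

# Constructed sample in the shape `az webapp config appsettings list` prints
# (a JSON array of name/value/slotSetting objects). Values are made up.
SAMPLE_SETTINGS = '''[
  {"name": "WEBSITE_NODE_DEFAULT_VERSION", "slotSetting": false, "value": "8.9.3"},
  {"name": "EXAMPLE_SETTING", "slotSetting": false, "value": "1"}
]'''

# Assumption: the patch level your own policy requires; not a value from the article.
REQUIRED_MINIMUM = "8.9.4"

EXACT = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_exact(version):
    """Return (major, minor, patch) for an exact x.y.z pin, else None."""
    m = EXACT.match(version.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_node_pin(settings_json, required_minimum):
    """Classify the app's Node.js pin against a required minimum version."""
    required = parse_exact(required_minimum)
    if required is None:
        raise ValueError("required_minimum must be an exact x.y.z version")
    settings = {s["name"]: s.get("value") or "" for s in json.loads(settings_json)}
    raw = settings.get("WEBSITE_NODE_DEFAULT_VERSION")
    if raw is None:
        return ("not-pinned", None)   # setting absent: no explicit pin to audit
    pinned = parse_exact(raw)
    if pinned is None:
        return ("review", raw)        # range or malformed value: check by hand
    if pinned < required:             # numeric tuple compare, so 8.10.0 > 8.9.4
        return ("outdated", raw)      # side-by-side install: app stays on this pin
    return ("ok", raw)


if __name__ == "__main__":
    status, value = check_node_pin(SAMPLE_SETTINGS, REQUIRED_MINIMUM)
    print(f"WEBSITE_NODE_DEFAULT_VERSION={value}: {status}")
```

To audit a real app, pass the CLI's JSON output to check_node_pin in place of SAMPLE_SETTINGS.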

Note

Access to registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages, where information on "KB" patches is stored, is locked down.

More resources

Trust Center: Security
64 bit ASP.NET Core on Azure App Service