Deployment Guide

Deployment guide for the MCM Platform — commands, requirements, and configurations.

MCM Platform — Deployment Guide


Get MCM up and running in under 30 minutes. This guide provides the essential commands, network requirements, and validation steps.


Prerequisites

| Requirement | Specification |
|---|---|
| OS | Ubuntu Server 22.04 LTS |
| CPU | 8 CPU |
| RAM | 32 GB |
| Disk | 100 GB |
| Network | 1 Gbps |
| Access | Root SSH |
| Inbound Ports | 22 (SSH) [or custom port], 443 (HTTPS) |

:::warning Scaling for Production
The above specifications are the minimum requirements to deploy and run the MCM Platform. For production environments with larger workloads, refer to the VM Sizing Guide for recommended specifications based on your managed resource count.
:::

Step 1 — Extract & Install

# Connect to the server (run on local terminal)
ssh root@<SERVER_IP>

Custom SSH Port (Optional): If your server uses a custom SSH port (e.g., 2222) instead of the default port 22, you can update the SSH configuration and connect as follows:

  1. Update the SSH configuration to listen on your custom port:
    sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
  2. Restart the SSH service to apply the change:
    sudo systemctl restart ssh
  3. Exit the current remote SSH session:
    exit
  4. Connect from your local terminal using the custom port:
    ssh -p 2222 root@<SERVER_IP>

Download the deployment archive from the Sonatype Nexus repository using the secure downloader credentials (contact the Revdau team at mcm@revdau.ai to obtain them):

# Download the archive from the Nexus repository
wget --user=[NEXUS_USERNAME] --password=[NEXUS_PASSWORD] -O mcm_artifacts_single_vm-1.1.0.tar.gz "http://92.204.249.45:8080/repository/mcm-artifacts/1.1.0/develop-single_tier/mcm_artifacts_single_vm-1.1.0.tar.gz"
# Extract the artifact (run inside remote SSH session)
tar -xzf mcm_artifacts_single_vm-1.1.0.tar.gz
# Run the installer
cd mcm_artifacts
sudo ./install.sh

Installation Time & Requirements: Installation takes 15–30 minutes. Outbound internet access is required on the server during installation to install and update Docker, dependencies, and other system packages. No access to external registries is required at runtime as the images are loaded locally.

Docker Permissions Note: The installer automatically configures a docker user group and adds the installing user to it. To execute Docker commands without sudo (e.g., during verification), apply the group membership changes in your current terminal session by running newgrp docker, or by logging out and logging back in.
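
Added example (not part of the MCM documentation): the archive in Step 1 is fetched over plain HTTP and its installer runs as root, so this script checks the archive's SHA-256 digest and member paths before extracting it. It assumes Revdau supplies the expected digest over a separate channel (the page does not publish one); the function names and `EXPECTED_SHA256` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the downloaded archive before ./install.sh.
# EXPECTED_SHA256 is an assumption: a digest supplied by the vendor out of band.

# Succeeds only if the SHA-256 of file $1 equals hex digest $2 (case-insensitive).
sha256_matches() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum < "$1" | cut -d' ' -f1)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Reads member names on stdin, one per line. Succeeds if any name is an
# absolute path or contains a ".." path component.
has_unsafe_member() {
  grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Verifies the digest and member names of archive $1, then extracts it.
verify_and_extract() {
  sha256_matches "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
  listing=$(tar -tzf "$1") || { echo "unreadable archive: $1" >&2; return 1; }
  if printf '%s\n' "$listing" | has_unsafe_member; then
    echo "archive has members outside the extraction directory" >&2
    return 1
  fi
  tar -xzf "$1"
}

# Usage: ./verify_archive.sh mcm_artifacts_single_vm-1.1.0.tar.gz "$EXPECTED_SHA256"
if [ "$#" -eq 2 ]; then
  verify_and_extract "$1" "$2"
fi
```

Run it in place of the bare `tar -xzf` step, then continue with `cd mcm_artifacts` and `sudo ./install.sh` only if it exits with status 0.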


Step 2 — Configure Domain (Optional)

MCM supports setting a custom domain for accessing the UI and APIs. By default, the platform uses the server's public IP address. Skip this step to continue using the IP.

To configure a custom domain:

  1. Update the DOMAIN variable in /etc/mcm/user_config.env (replace mcm.example.com with your actual domain name):
    sudo sed -i 's/^DOMAIN=.*/DOMAIN=mcm.example.com/' /etc/mcm/user_config.env
  2. Restart the platform to apply changes and automatically regenerate TLS certificates:
    sudo bash /opt/mcm/scripts/restart.sh

Replace Self-Signed Certificates (Optional)

To secure the platform gateway with CA-signed TLS certificates instead of the default self-signed certificates, select one of the options below:

Option A — Use Existing CA-Signed Certificates

If you already have valid SSL/TLS certificates for your domain:

  1. Copy your CA-signed certificate to the configuration directory:

    sudo cp your_certificate.crt /etc/mcm/certs/server.crt
  2. Copy your private key to the configuration directory:

    sudo cp your_private_key.key /etc/mcm/certs/server.key
  3. Disable the automatic generation of self-signed certificates:

    sudo sed -i 's/GENERATE_SELF_SIGN_CERTS=true/GENERATE_SELF_SIGN_CERTS=false/' /etc/mcm/user_config.env
  4. Restart the platform to apply your certificates:

    sudo bash /opt/mcm/scripts/restart.sh

Option B — Generate Free Let's Encrypt Certificates (Certbot)

If you do not have an existing certificate, you can generate free CA-signed certificates using Let's Encrypt and Certbot:

Inbound Port 80 (Temporary Only): Certbot's HTTP-01 standalone challenge requires inbound port 80 (HTTP) to be open on your firewall temporarily to verify domain ownership. Once verification is complete, you can safely close port 80. If the MCM platform is already running, you must stop it temporarily to release port 80.

  1. Stop the MCM platform to release port 80:

    sudo bash /opt/mcm/scripts/stop.sh
  2. Install Certbot:

    sudo apt-get update && sudo apt-get install -y certbot
  3. Generate the certificates for your domain (replace mcm.example.com with your actual domain):

    sudo certbot certonly --standalone -d mcm.example.com --non-interactive --agree-tos -m admin@example.com
  4. Copy the generated certificate to the configuration directory (replace mcm.example.com with your actual domain):

    sudo cp /etc/letsencrypt/live/mcm.example.com/fullchain.pem /etc/mcm/certs/server.crt
  5. Copy the private key to the configuration directory (replace mcm.example.com with your actual domain):

    sudo cp /etc/letsencrypt/live/mcm.example.com/privkey.pem /etc/mcm/certs/server.key
  6. Disable the automatic generation of self-signed certificates:

    sudo sed -i 's/GENERATE_SELF_SIGN_CERTS=true/GENERATE_SELF_SIGN_CERTS=false/' /etc/mcm/user_config.env
  7. Start the platform to apply your certificates:

    sudo bash /opt/mcm/scripts/start.sh
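
Added example (not part of the MCM documentation) for either option above: before restarting or starting the platform, confirm that the certificate copied to `/etc/mcm/certs/server.crt` carries the public key of `/etc/mcm/certs/server.key` and is not about to expire. The function names are hypothetical; the script assumes the `openssl` CLI is installed and the key is not passphrase-protected.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the certificate/key pair before restarting MCM.
# Paths are the ones used in the steps above; function names are hypothetical.

# Succeeds if the first certificate in PEM file $1 carries the public key
# that belongs to private key $2 (works for RSA and ECDSA keys).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Runs both checks and reports the first failure.
check_tls_pair() {
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
  cert_valid_for "$1" 86400  || { echo "certificate expires within 24 hours" >&2; return 1; }
  echo "certificate and key are consistent"
}

# Usage: sudo ./check_tls_pair.sh /etc/mcm/certs/server.crt /etc/mcm/certs/server.key
if [ "$#" -eq 2 ]; then
  check_tls_pair "$1" "$2"
fi
```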

Step 3 — Verify

# Check all containers are healthy
docker ps --format "table {{.Names}}\t{{.Status}}"

Open in your browser (use your custom domain if configured in Step 2, or the server's public IP address):

| Application | URL |
|---|---|
| MCM UI | https://<DOMAIN_OR_IP>/ |

Default credentials are auto-generated during installation. Find them in /etc/mcm/secrets.env.


Upgrade

# Transfer new artifact to the server (run on local terminal)
scp mcm_artifacts_<NEW_VERSION>.tar.gz root@<SERVER_IP>:/root/
# Connect to the server (run on local terminal)
ssh root@<SERVER_IP>
# Extract and upgrade (run inside remote SSH session)
tar -xzf mcm_artifacts_<NEW_VERSION>.tar.gz
cd mcm_artifacts
sudo ./upgrade.sh

Upgrades preserve your configuration (/etc/mcm/) and data (Docker volumes). Expect 5–15 minutes of downtime.


Network & Connectivity Requirements

Network Requirements (Inbound Ports)

To allow users to access the MCM platform, ensure the following inbound ports are open on the firewall:

  • 22 (SSH) [or custom port] — System administration and secure shell access (open your custom SSH port instead if configured)
  • 443 (HTTPS) — Primary application gateway access
  • 80 (HTTP) — Required only temporarily during Let's Encrypt certificate generation or renewal verification (HTTP-01 challenge). It is not required to remain open permanently for platform operations.

Note: All other internal ports (database, Keycloak, and microservices) are kept isolated within the internal Docker network and do not need to be exposed.

Outbound Connectivity

To allow the MCM platform to communicate with cloud APIs, fetch exchange rates, and send notifications, ensure the following outbound ports are open on your host firewall:

| Port | Protocol | Purpose / Destination | Requirement |
|---|---|---|---|
| 443 | TCP | HTTPS traffic for AWS/Azure/GCP cloud provider APIs, Frankfurter currency API, Microsoft Graph API, and secure package downloads | Required (Runtime & Installation) |
| 80 | TCP | HTTP traffic for system package repositories (Ubuntu APT, Docker Engine) and CRL/OCSP certificate validation | Required (Installation/Upgrade only) |

The MCM platform requires outbound access to the following domains for cloud management operations and optional integrations:

| Domain / Destination | Description |
|---|---|
| AWS API endpoints (*.amazonaws.com) | AWS cloud management operations |
| Azure API endpoints (management.azure.com, login.microsoftonline.com) | Azure cloud management operations |
| api.frankfurter.app | Currency exchange rate feeds for FinOps |
| api.github.com | GitHub API integrations (Optional) |
| Azure and AWS blob storage endpoints | Accessing cost report storage for FinOps |

External Connectivity Requirements (Installation Time)

During the initial installation process only, the server requires outbound access to download dependencies:

| Domain / Destination | Description |
|---|---|
| download.docker.com | Docker Engine package installation |
| github.com | yq binary and installation scripts download |
| Cloud provider trust domains | Downloading TLS certificate chains to build JVM truststore |

Note: Outbound internet access is required on the server during the initial installation phase to download system packages and configure Docker. No registry access is required at runtime.


Diagnostic / Health Check Script

You can verify the status and health of all deployed services by executing the following diagnostic script on the host server:

#!/bin/bash
# MCM Platform Diagnostic Check Script

echo "Checking MCM Platform Container Health Status..."
containers=(
  "apisix"
  "mcm-ui"
  "mcm-api"
  "keycloak"
  "mongodb"
  "elasticsearch"
)

all_containers=$(docker ps --format '{{.Names}}')

for container in "${containers[@]}"; do
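  # -F -x: match the whole name literally, so "mcm-ui" does not also match a container such as "mcm-ui-old"
  if echo "$all_containers" | grep -Fxq -- "$container"; then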
    status=$(docker inspect --format='{{json .State.Health.Status}}' "$container" 2>/dev/null)
    if [ "$status" == "\"healthy\"" ]; then
      echo "[SUCCESS] $container is healthy."
    elif [ -z "$status" ] || [ "$status" == "null" ]; then
      state=$(docker inspect --format='{{.State.Status}}' "$container")
      if [ "$state" == "running" ]; then
        echo "[SUCCESS] $container is running."
      else
        echo "[ERROR] $container is NOT running (State: $state)."
      fi
    else
      echo "[ERROR] $container health status is $status."
    fi
  else
    echo "[WARNING] $container is not deployed."
  fi
done

Quick Commands Reference

To start the MCM platform:

sudo bash /opt/mcm/scripts/start.sh

To stop the MCM platform (stops and removes all platform containers while preserving data volumes):

sudo bash /opt/mcm/scripts/stop.sh

To restart the MCM platform:

sudo bash /opt/mcm/scripts/restart.sh

To view the recent logs for a specific service directly using Docker:

docker logs --tail 100 <container-name>

To follow and view logs using Docker Compose (avoiding missing variable warnings by loading environment files):

docker compose \
  --env-file /opt/mcm/internal_config.env \
  --env-file /etc/mcm/secrets.env \
  --env-file /etc/mcm/user_config.env \
  logs -f --tail 100

To check for any currently unhealthy containers:

docker ps --filter "health=unhealthy"

To check the systemd service status of the platform:

sudo systemctl status mcm.service

To view all auto-generated secrets and passwords:

sudo cat /etc/mcm/secrets.env

Need More Details?

  • Troubleshooting Guide — Reference for diagnosing issues, verifying container health, and resolving deployment bugs.
  • VM Sizing Guide — Detailed resource requirements based on deployment size.
