Deployment Guide
Deployment guide for the MCM Platform — commands, requirements, and configurations.
MCM Platform — Deployment Guide
Get MCM up and running in under 30 minutes. This guide provides the essential commands, network requirements, and validation steps.
Prerequisites
| Requirement | Specification |
|---|---|
| OS | Ubuntu Server 22.04 LTS |
| CPU | 8 CPU |
| RAM | 32 GB |
| Disk | 100 GB |
| Network | 1 Gbps |
| Access | Root SSH |
| Inbound Ports | 22 (SSH) [or custom port], 443 (HTTPS) |
:::warning Scaling for Production
The above specifications are the minimum requirements to deploy and run the MCM Platform. For production environments with larger workloads, refer to the VM Sizing Guide for recommended specifications based on your managed resource count.
:::
Step 1 — Extract & Install
# Connect to the server (run on local terminal)
ssh root@<SERVER_IP>

Custom SSH Port (Optional): If your server uses a custom SSH port (e.g., 2222) instead of the default port 22, you can update the SSH configuration and connect as follows. The custom port must also be open inbound on your firewall (see Network Requirements), otherwise the restart will cut off SSH access:
- Update the SSH configuration to listen on your custom port:
  sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
- Restart the SSH service to apply the change:
  sudo systemctl restart ssh
- Exit the current remote SSH session:
  exit
- Connect from your local terminal using the custom port:
  ssh -p 2222 root@<SERVER_IP>
Download the deployment archive from the Sonatype Nexus repository using the secure downloader credentials (contact the Revdau team for credentials at mcm@revdau.ai):
# Download the archive from the Nexus repository
wget --user=[NEXUS_USERNAME] --password=[NEXUS_PASSWORD] -O mcm_artifacts_single_vm-1.1.0.tar.gz "http://92.204.249.45:8080/repository/mcm-artifacts/1.1.0/develop-single_tier/mcm_artifacts_single_vm-1.1.0.tar.gz"
# Extract the artifact (run inside remote SSH session)
tar -xzf mcm_artifacts_single_vm-1.1.0.tar.gz
# Run the installer
cd mcm_artifacts
sudo ./install.sh

Installation Time & Requirements: Installation takes 15–30 minutes. Outbound internet access is required on the server during installation to install and update Docker, dependencies, and other system packages. No access to external registries is required at runtime as the images are loaded locally.
Docker Permissions Note: The installer automatically configures a docker user group and adds the installing user to it. To execute Docker commands without sudo (e.g., during verification), apply the group membership changes in your current terminal session by running newgrp docker, or by logging out and logging back in.
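The download in Step 1 goes over plain HTTP and the archive is then extracted and its installer run as root, so it is worth checking the archive before extracting it. The script below is an added example, not Revdau's code: it assumes the vendor gives you the archive's SHA-256 out of band (this page does not publish one), and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes the vendor supplies the SHA-256 out of band.

# True only if the archive's SHA-256 equals the expected hex digest.
verify_digest() (
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# True only if every member sits under mcm_artifacts/ (the directory the guide
# changes into); absolute paths and ".." components are rejected.
verify_members() (
    list=$(tar -tzf "$1" 2>/dev/null) || exit 2
    [ -n "$list" ] || exit 2
    printf '%s\n' "$list" | while IFS= read -r member; do
        member=${member#./}
        case "$member" in
            ..|../*|*/../*|*/..) exit 1 ;;
            mcm_artifacts|mcm_artifacts/*) ;;
            *) exit 1 ;;
        esac
    done
)

# Extracts into $3 only after both checks pass.
safe_extract() {
    verify_digest "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    verify_members "$1" || { echo "unexpected member in: $1" >&2; return 1; }
    tar -xzf "$1" -C "$3"
}

# Constructed sample input: one well-formed archive, one with a stray member.
make_samples() {
    mkdir -p "$1/mcm_artifacts" "$1/other" "$1/out"
    printf '#!/bin/sh\necho placeholder installer\n' > "$1/mcm_artifacts/install.sh"
    printf 'stray\n' > "$1/other/file"
    tar -czf "$1/good.tar.gz" -C "$1" mcm_artifacts
    tar -czf "$1/bad.tar.gz" -C "$1" mcm_artifacts other
}

work=$(mktemp -d)
make_samples "$work"
# In real use the digest comes from the vendor; here it is computed from the sample.
good=$(sha256sum "$work/good.tar.gz" | awk '{print $1}')
bad=$(sha256sum "$work/bad.tar.gz" | awk '{print $1}')
safe_extract "$work/good.tar.gz" "$good" "$work/out" && echo "good archive extracted"
safe_extract "$work/bad.tar.gz" "$bad" "$work/out" || echo "bad archive refused"
rm -rf "$work"
```

The member check does not inspect symlinks inside the archive; it only confirms that member paths stay under the expected top-level directory.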
Step 2 — Configure Domain (Optional)
MCM supports setting a custom domain for accessing the UI and APIs. By default, the platform uses the server's public IP address. Skip this step to continue using the IP.
To configure a custom domain:
- Update the DOMAIN variable in /etc/mcm/user_config.env (replace mcm.example.com with your actual domain name):
  sudo sed -i 's/^DOMAIN=.*/DOMAIN=mcm.example.com/' /etc/mcm/user_config.env
- Restart the platform to apply changes and automatically regenerate TLS certificates:
  sudo bash /opt/mcm/scripts/restart.sh
Replace Self-Signed Certificates (Optional)
To secure the platform gateway with CA-signed TLS certificates instead of the default self-signed certificates, select one of the options below:
Option A — Use Existing CA-Signed Certificates
If you already have valid SSL/TLS certificates for your domain:
- Copy your CA-signed certificate to the configuration directory:
  sudo cp your_certificate.crt /etc/mcm/certs/server.crt
- Copy your private key to the configuration directory:
  sudo cp your_private_key.key /etc/mcm/certs/server.key
- Disable the automatic generation of self-signed certificates:
  sudo sed -i 's/GENERATE_SELF_SIGN_CERTS=true/GENERATE_SELF_SIGN_CERTS=false/' /etc/mcm/user_config.env
- Restart the platform to apply your certificates:
  sudo bash /opt/mcm/scripts/restart.sh
Option B — Generate Free Let's Encrypt Certificates (Certbot)
If you do not have an existing certificate, you can generate free CA-signed certificates using Let's Encrypt and Certbot:
Inbound Port 80 (Temporary Only): Certbot's HTTP-01 standalone challenge requires inbound port 80 (HTTP) to be open on your firewall temporarily to verify domain ownership. Once verification is complete, you can safely close port 80. If the MCM platform is already running, you must stop it temporarily to release port 80.
- Stop the MCM platform to release port 80:
  sudo bash /opt/mcm/scripts/stop.sh
- Install Certbot:
  sudo apt-get update && sudo apt-get install -y certbot
- Generate the certificates for your domain (replace mcm.example.com with your actual domain):
  sudo certbot certonly --standalone -d mcm.example.com --non-interactive --agree-tos -m admin@example.com
- Copy the generated certificate to the configuration directory (replace mcm.example.com with your actual domain):
  sudo cp /etc/letsencrypt/live/mcm.example.com/fullchain.pem /etc/mcm/certs/server.crt
- Copy the private key to the configuration directory (replace mcm.example.com with your actual domain):
  sudo cp /etc/letsencrypt/live/mcm.example.com/privkey.pem /etc/mcm/certs/server.key
- Disable the automatic generation of self-signed certificates:
  sudo sed -i 's/GENERATE_SELF_SIGN_CERTS=true/GENERATE_SELF_SIGN_CERTS=false/' /etc/mcm/user_config.env
- Start the platform to apply your certificates:
  sudo bash /opt/mcm/scripts/start.sh
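A preflight for Option A or Option B, to run before the platform is restarted with the new files. It is an added example and not part of the MCM tooling: it checks that the private key belongs to the certificate, that the certificate is not about to expire, and that it covers your domain. Function names are hypothetical and the key pair is a constructed throwaway; in real use, point preflight at /etc/mcm/certs/server.crt and /etc/mcm/certs/server.key.

```shell
#!/bin/sh
# Added example (not vendor code): preflight for the files copied to /etc/mcm/certs.

# True if the leaf certificate in $1 carries the same public key as private key $2.
pair_matches() (
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# True if the certificate is still valid $2 seconds from now (default: one day).
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# True if the certificate is valid for hostname $2 (SAN, or CN when no SAN exists).
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Runs all three checks; reports the first failure and returns non-zero.
preflight() {
    pair_matches "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    not_expiring "$1"      || { echo "certificate expired or expiring" >&2; return 1; }
    covers_host "$1" "$3"  || { echo "certificate does not cover $3" >&2; return 1; }
}

# Constructed sample input: a throwaway self-signed pair plus an unrelated key.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" >/dev/null 2>&1
}

work=$(mktemp -d)
make_pair "$work" mcm.example.com
preflight "$work/server.crt" "$work/server.key" mcm.example.com && echo "pair accepted"
preflight "$work/server.crt" "$work/other.key" mcm.example.com || echo "wrong key refused"
rm -rf "$work"
```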
Step 3 — Verify
# Check all containers are healthy
docker ps --format "table {{.Names}}\t{{.Status}}"

Open in your browser (use your custom domain if configured in Step 2, or the server's public IP address):
| Application | URL |
|---|---|
| MCM UI | https://<DOMAIN_OR_IP>/ |
Default credentials are auto-generated during installation. Find them in /etc/mcm/secrets.env.
Upgrade
# Transfer new artifact to the server (run on local terminal)
scp mcm_artifacts_<NEW_VERSION>.tar.gz root@<SERVER_IP>:/root/
# Connect to the server (run on local terminal)
ssh root@<SERVER_IP>
# Extract and upgrade (run inside remote SSH session)
tar -xzf mcm_artifacts_<NEW_VERSION>.tar.gz
cd mcm_artifacts
sudo ./upgrade.sh

Upgrades preserve your configuration (/etc/mcm/) and data (Docker volumes). Expect 5–15 minutes downtime.
Network & Connectivity Requirements
Network Requirements (Inbound Ports)
To allow users to access the MCM platform, ensure the following inbound ports are open on the firewall:
- 22 (SSH) [or custom port] — System administration and secure shell access (open your custom SSH port instead if configured)
- 443 (HTTPS) — Primary application gateway access
- 80 (HTTP) — Required only temporarily during Let's Encrypt certificate generation or renewal verification (HTTP-01 challenge). It is not required to remain open permanently for platform operations.
Note: All other internal ports (database, Keycloak, and microservices) are kept isolated within the internal Docker network and do not need to be exposed.
Outbound Connectivity
To allow the MCM platform to communicate with cloud APIs, fetch exchange rates, and send notifications, ensure the following outbound ports are open on your host firewall:
| Port | Protocol | Purpose / Destination | Requirement |
|---|---|---|---|
| 443 | TCP | HTTPS traffic for AWS/Azure/GCP cloud provider APIs, Frankfurter currency API, Microsoft Graph API, and secure package downloads | Required (Runtime & Installation) |
| 80 | TCP | HTTP traffic for system package repositories (Ubuntu APT, Docker Engine) and CRL/OCSP certificate validation | Required (Installation/Upgrade only) |
The MCM platform requires outbound access to the following domains for cloud management operations and optional integrations:
| Domain / Destination | Description |
|---|---|
| AWS API endpoints (*.amazonaws.com) | AWS cloud management operations |
| Azure API endpoints (management.azure.com, login.microsoftonline.com) | Azure cloud management operations |
| api.frankfurter.app | Currency exchange rate feeds for FinOps |
| api.github.com | GitHub API integrations (Optional) |
| Azure and AWS blob storage endpoints | Accessing cost report storage for FinOps |
External Connectivity Requirements (Installation Time)
During the initial installation process only, the server requires outbound access to download dependencies:
| Domain / Destination | Description |
|---|---|
| download.docker.com | Docker Engine package installation |
| github.com | yq binary and installation scripts download |
| Cloud provider trust domains | Downloading TLS certificate chains to build JVM truststore |
Note: Outbound internet access is required on the server during the initial installation phase to download system packages and configure Docker. No registry access is required at runtime.
Diagnostic / Health Check Script
You can verify the status and health of all deployed services by executing the following diagnostic script on the host server:
#!/bin/bash
# MCM Platform Diagnostic Check Script
echo "Checking MCM Platform Container Health Status..."
# Container names the platform is expected to run
containers=(
    "apisix"
    "mcm-ui"
    "mcm-api"
    "keycloak"
    "mongodb"
    "elasticsearch"
)
# Names of all containers listed by docker ps, one per line
all_containers=$(docker ps --format '{{.Names}}')
for container in "${containers[@]}"; do
    # Match the whole name exactly, since docker inspect below uses the exact name
    if echo "$all_containers" | grep -Fxq -- "$container"; then
        status=$(docker inspect --format='{{json .State.Health.Status}}' "$container" 2>/dev/null)
        if [ "$status" == "\"healthy\"" ]; then
            echo "[SUCCESS] $container is healthy."
        elif [ -z "$status" ] || [ "$status" == "null" ]; then
            # No health check defined: fall back to the container state
            state=$(docker inspect --format='{{.State.Status}}' "$container")
            if [ "$state" == "running" ]; then
                echo "[SUCCESS] $container is running."
            else
                echo "[ERROR] $container is NOT running (State: $state)."
            fi
        else
            echo "[ERROR] $container health status is $status."
        fi
    else
        echo "[WARNING] $container is not deployed."
    fi
done

Quick Commands Reference
To start the MCM platform:
sudo bash /opt/mcm/scripts/start.sh

To stop the MCM platform (stops and removes all platform containers while preserving data volumes):
sudo bash /opt/mcm/scripts/stop.sh

To restart the MCM platform:
sudo bash /opt/mcm/scripts/restart.sh

To view the recent logs for a specific service directly using Docker:
docker logs --tail 100 <container-name>

To follow and view logs using Docker Compose (avoiding missing variable warnings by loading environment files):
docker compose \
  --env-file /opt/mcm/internal_config.env \
  --env-file /etc/mcm/secrets.env \
  --env-file /etc/mcm/user_config.env \
  logs -f --tail 100

To check for any currently unhealthy containers:
docker ps --filter "health=unhealthy"

To check the systemd service status of the platform:
sudo systemctl status mcm.service

To view all auto-generated secrets and passwords:
sudo cat /etc/mcm/secrets.env

Need More Details?
- Troubleshooting Guide — Reference for diagnosing issues, verifying container health, and resolving deployment bugs.
- VM Sizing Guide — Detailed resource requirements based on deployment size.