v1.1 is unreleased — see v1.0 for the current stable release.

Single VM Deployment Guide

Deployment guide for the MCM Platform on a Single VM — commands, requirements, and configurations.

MCM Platform — Single VM Deployment Guide


Get MCM up and running in under 30 minutes. This guide provides the essential commands, network requirements, and validation steps for deploying the platform on a Single VM.


1. Prerequisites & VM Specifications

Ensure your target virtual machine meets the following minimum specifications:

| Requirement | Specification |
| --- | --- |
| OS | Ubuntu Server 22.04 LTS |
| CPU | 8 CPU |
| RAM | 32 GB |
| Disk | 100 GB |
| Network | 1 Gbps |
| Access | Root SSH |
| Inbound Ports | 22 (SSH) [or custom port], 443 (HTTPS) |

Scaling for Production

The above specifications are the minimum requirements to deploy and run the MCM Platform. For production environments with larger workloads, refer to the VM Sizing Guide for recommended specifications based on your managed resource count.


2. Network & Connectivity Requirements

Deploying the MCM platform on a Single VM requires provisioning the underlying hosting server. The instance should be configured with the operating system and resources specified in Prerequisites & VM Specifications (Ubuntu 22.04 LTS, 8 CPU, 32 GB RAM, 100 GB Disk).

Infrastructure Setup: On-Premises

Provision a single physical host or local virtual machine meeting the resource specifications:

  • OS: Clean installation of Ubuntu Server 22.04 LTS.
  • Networking: Assign a static internal LAN IP (and map a public IP or configure a reverse proxy/VPN gateway if external access is required).

Infrastructure Setup: AWS Cloud

Launch a single EC2 instance inside your VPC public subnet:

  • AMI: Ubuntu Server 22.04 LTS.
  • Instance Type: t3.2xlarge (8 vCPUs, 32 GB RAM) to meet the resource specifications.
  • Elastic IP: Allocate and associate an Elastic IP (EIP) to the instance to ensure the public IP address remains static.

Infrastructure Setup: Azure Cloud

Launch a single Virtual Machine inside your Virtual Network (VNet) public subnet:

  • Image: Ubuntu Server 22.04 LTS.
  • Size: Standard_D8s_v5 (8 vCPUs, 32 GB RAM) to meet the resource specifications.
  • Public IP: Configure a static public IP resource associated with the VM network interface.

Infrastructure Setup: GCP Cloud

Launch a single Compute Engine virtual machine instance:

  • Machine Image: Ubuntu 22.04 LTS.
  • Machine Type: e2-standard-8 (8 vCPUs, 32 GB RAM) to meet the resource specifications.
  • External IP: Assign a static external IP address (reserve a static IP in your project console).

3. Firewall & Security Rules

To secure the single-node deployment, only administrative SSH and web traffic (HTTP/HTTPS) should be allowed inbound. Since the platform utilizes Docker Swarm internally, all cluster management ports (2377, 7946, 4789) must remain blocked from external inbound access to prevent unauthorized cluster probes.

Security Rule Rationale

  1. Port 22 (TCP): Used for administrative SSH access to the host.
  2. Port 80 (TCP): Used for standard HTTP traffic. Port 80 automatically redirects incoming requests to secure HTTPS (port 443) so users do not experience connection errors if they access the site via http://.
  3. Port 443 (TCP): Used for the primary secure application gateway access.

Procedure: On-Premises Host-Level Firewall (UFW)

Run the UFW configuration commands on your Single VM:

# 1. Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# 2. Allow SSH and Web traffic
sudo ufw allow 22/tcp comment "SSH Administrative Access"
sudo ufw allow 80/tcp comment "HTTP Gateway Redirection"
sudo ufw allow 443/tcp comment "HTTPS Ingress Gateway"

# 3. Enable the firewall
sudo ufw enable
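
Ports that Docker publishes are forwarded by iptables NAT rules that are evaluated before UFW's chains, so `ufw default deny incoming` alone does not cover them. The following added example (not part of the MCM installer or the original guide) parses `ss -tulnH` output and lists listeners outside the 22/80/443 policy; the sample input is constructed and `audit_listeners` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not part of the MCM installer): flag listeners that fall
# outside this guide's inbound policy of TCP 22, 80 and 443.
ALLOWED_TCP="22 80 443"
SWARM_PORTS="2377 7946 4789"   # cluster ports named in this section

# Constructed sample of `ss -tulnH` output; port 8081 is a made-up extra.
SAMPLE='udp UNCONN 0 0    0.0.0.0:4789       0.0.0.0:*
tcp LISTEN 0 4096       *:2377             *:*
tcp LISTEN 0 4096       *:7946             *:*
tcp LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53   0.0.0.0:*
tcp LISTEN 0 4096       *:443              *:*
tcp LISTEN 0 4096       *:8081             *:*
tcp LISTEN 0 128     [::1]:6010         [::]:*'

# Reads `ss -tulnH` lines on stdin and prints "TAG proto port address" for
# every non-loopback listener that is not an allowed TCP port.
#   SWARM = cluster port, must be blocked by the host/cloud firewall
#   EXTRA = not in the policy at all; check whether Docker publishes it
audit_listeners() {
    awk -v allowed="$ALLOWED_TCP" -v swarm="$SWARM_PORTS" '
    BEGIN {
        n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(swarm, s, " ");   for (i = 1; i <= n; i++) sw[s[i]] = 1
    }
    NF >= 5 {
        proto = $1; la = $5
        port = la; sub(/.*:/, "", port)     # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        if (proto == "tcp" && (port in ok)) next       # allowed by policy
        tag = (port in sw) ? "SWARM" : "EXTRA"
        print tag, proto, port, addr
    }'
}

# Demo on the constructed sample; on the VM run: sudo ss -tulnH | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```
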

AWS Security Group Rules (mcm-sg-single-vm)

Configure the following Security Group rules and associate them with your Single VM:

Inbound Rules:

| Protocol | Port Range | Source | Purpose |
| --- | --- | --- | --- |
| TCP | 22 | [Your_Admin_IP] | SSH Administrative Access |
| TCP | 443 | 0.0.0.0/0 | HTTPS Ingress Gateway |
| TCP | 80 | 0.0.0.0/0 | HTTP Gateway Redirection |

Azure Network Security Group (NSG) Rules

Configure the following Inbound security rules for your Single VM network interface:

Inbound Security Rules:

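| Priority | Port | Protocol | Source | Destination | Action | Purpose |
| --- | --- | --- | --- | --- | --- | --- |
| 100 | 22 | TCP | [Your_Admin_IP] | Any | Allow | SSH Access |
| 110 | 443 | TCP | Any | Any | Allow | HTTPS Ingress Gateway |
| 120 | 80 | TCP | Any | Any | Allow | HTTP Gateway Redirection |
| 65500 | * | Any | Any | Any | Deny | Block all other traffic |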

GCP VPC Firewall Rules

Apply the following firewall rules targeting your single VM instance using network tags:

# 1. Allow SSH access to tagged instances
gcloud compute firewall-rules create mcm-allow-ssh \
    --network=mcm-vpc \
    --allow=tcp:22 \
    --source-ranges=[YOUR_ADMIN_IP] \
    --target-tags=mcm-single-vm

# 2. Allow HTTPS and HTTP access from anywhere
gcloud compute firewall-rules create mcm-allow-web \
    --network=mcm-vpc \
    --allow=tcp:80,tcp:443 \
    --source-ranges=0.0.0.0/0 \
    --target-tags=mcm-single-vm

Outbound Connectivity & Domains

The MCM platform requires outbound access to the following domains for cloud management operations and optional integrations:

Registry Archive Download Note: The MCM platform deployment archive (mcm_artifacts_single_vm-1.1.0.tar.gz) contains all core application services and bundled Docker images. Since this archive is only downloaded and extracted directly on this Single VM host, outbound internet connectivity to the registry repository is required only on this host VM during installation.

| Domain / Destination | Description |
| --- | --- |
| AWS API endpoints (*.amazonaws.com) | AWS cloud management operations |
| Azure API endpoints (management.azure.com, login.microsoftonline.com) | Azure cloud management operations |
| api.frankfurter.app | Currency exchange rate feeds for FinOps |
| api.github.com | GitHub API integrations (Optional) |
| Azure and AWS blob storage endpoints | Accessing cost report storage for FinOps |

External Connectivity Requirements (Installation Time)

During the initial installation process only, the server requires outbound access to download dependencies:

| Domain / Destination | Description |
| --- | --- |
| download.docker.com | Docker Engine package installation |
| github.com | yq binary and installation scripts download |
| Cloud provider trust domains | Downloading TLS certificate chains to build JVM truststore |

4. Installation Procedure

Download & Execute the Installer

  1. Connect to the server via SSH (run on your local terminal):

    ssh [VM_SSH_USER]@<SERVER_IP>

    Custom SSH Port (Optional)

    If your server uses a custom SSH port (e.g., 2222) instead of the default port 22, you can update the SSH configuration and connect as follows:

    1. Update the SSH configuration to listen on your custom port:
      sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
    2. Restart the SSH service to apply the change:
      sudo systemctl restart ssh
    3. Connect from your local terminal using the custom port:
      ssh -p 2222 [VM_SSH_USER]@<SERVER_IP>

    IMPORTANT: Remember to update your cloud VPC security groups, network firewalls, and host firewalls to keep this custom SSH port open inbound instead of the default port 22.

  2. Download the platform deployment archive: (Contact the Revdau team for download credentials at mcm@revdau.ai)

    You will receive a deployment credentials email from the Revdau team containing your Registry Credentials (Username and Password/Token):

    [Image: MCM Registry Credentials Email]

    # Define credentials at the top
    REGISTRY_USER="your_username"
    REGISTRY_PASS="your_password"
    
    # Download the archive from the registry repository
    wget --user="$REGISTRY_USER" --password="$REGISTRY_PASS" -O mcm_artifacts_single_vm-1.1.0.tar.gz "http://92.204.249.45:8080/repository/mcm-artifacts/1.1.0/develop-single_tier/mcm_artifacts_single_vm-1.1.0.tar.gz"
  3. Extract the downloaded archive:

    tar -xzf mcm_artifacts_single_vm-1.1.0.tar.gz
  4. Navigate into the directory and run the installer:

    cd mcm_artifacts
    sudo bash install.sh --single-vm
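
The download URL in step 2 is plain HTTP and the extracted installer runs under sudo, so the archive is worth verifying between steps 2 and 3. This is an added example, not part of the original guide or Revdau's tooling: it assumes a SHA-256 digest obtained from Revdau over a separate channel (shown as the `<SHA256_FROM_REVDAU>` placeholder, since this page publishes none), and `verify_archive` and `unsafe_members` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from Revdau): check the downloaded archive before it is
# extracted and its installer is run with sudo.
ARCHIVE="mcm_artifacts_single_vm-1.1.0.tar.gz"
EXPECTED_SHA256="<SHA256_FROM_REVDAU>"   # placeholder; the guide publishes no digest

# Prints member names (read from stdin) that would escape the extraction
# directory: absolute paths or any ".." path component.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# verify_archive FILE SHA256 -> 0 if the digest matches and every member
# stays inside the extraction directory, non-zero otherwise.
verify_archive() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: got ${actual:-none}" >&2
        return 1
    fi
    bad=$(tar -tzf "$1" | unsafe_members)
    if [ -n "$bad" ]; then
        echo "refusing to extract, unsafe member paths:" >&2
        echo "$bad" >&2
        return 1
    fi
}

# Runs only when the archive is present, e.g. right after the wget step;
# extraction happens only if both checks pass.
if [ -f "$ARCHIVE" ]; then
    verify_archive "$ARCHIVE" "$EXPECTED_SHA256" && tar -xzf "$ARCHIVE"
fi
```
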

Installation Details:

  • Installation Time: Installation takes 15–30 minutes. Outbound internet access is required on the server during installation to install dependencies.
  • Docker Permissions: The installer configures a docker user group and adds the current user to it. To execute Docker commands without sudo post-installation, run newgrp docker in your current terminal session, or log out and log back in.

Once the installer completes, open the application in your web browser:

| Application | URL |
| --- | --- |
| MCM UI | https://<DOMAIN_OR_IP>/subscription (Server's public IP address or custom domain) |

Platform Activation & Onboarding

When you access the MCM platform gateway for the first time, you must activate the installation using your subscription details:

1. Retrieve Your Subscription Key

You will receive a deployment resources email from the Revdau team containing your unique Subscription Key:

[Image: MCM Subscription Email]

2. Activate the Subscription

Open the application URL (https://<DOMAIN_OR_IP>) in your web browser. You will be greeted by the Subscription Activation page. Enter your Subscription Key and your registered MSP Email ID, then click Activate:

[Image: MCM Subscription Activation Page]

3. Create the Administrator User

Once the subscription is activated, you will be redirected to the Create User page. Enter the details for the primary platform administrator (First Name, Last Name, Email, MSP Name, and Legal Name) and click Submit:

[Image: MCM Create Administrator User]

4. Log In to the Platform

After submitting, you will be redirected to the main login portal.

For a walkthrough of the login process, managing credentials, and exploring user dashboards, please refer to the Getting Started User Guide.


5. Post-Deployment Verification & Operations

Optionally, verify the status and health of all deployed services by running the healthcheck script on the host server:

sudo bash /opt/mcm/scripts/healthcheck.sh

General Verification and Control

For verification steps, container status checks, log tailing, systemd wrapper management, and platform upgrade/control commands, please refer to the Helper Scripts and Commands Guide.

For custom domain configuration and SSL/TLS certificate management, please refer to the Domain and TLS Certificate Configuration Guide.

For troubleshooting configuration, certificate, or service initialization errors, refer to the Troubleshooting Guide.

