Single VM Deployment Guide
Deployment guide for the MCM Platform on a Single VM — commands, requirements, and configurations.
MCM Platform — Single VM Deployment Guide
Get MCM up and running in under 30 minutes. This guide provides the essential commands, network requirements, and validation steps for deploying the platform on a Single VM.
1. Prerequisites & VM Specifications
Ensure your target virtual machine meets the following minimum specifications:
| Requirement | Specification |
|---|---|
| OS | Ubuntu Server 22.04 LTS |
| CPU | 8 CPU |
| RAM | 32 GB |
| Disk | 100 GB |
| Network | 1 Gbps |
| Access | Root SSH |
| Inbound Ports | 22 (SSH) [or custom port], 443 (HTTPS) |
Scaling for Production
The above specifications are the minimum requirements to deploy and run the MCM Platform. For production environments with larger workloads, refer to the VM Sizing Guide for recommended specifications based on your managed resource count.
2. Network & Connectivity Requirements
Deploying the MCM platform on a Single VM requires provisioning the underlying hosting server. The instance should be configured with the operating system and resources specified in Prerequisites & VM Specifications (Ubuntu 22.04 LTS, 8 CPU, 32 GB RAM, 100 GB Disk).
Infrastructure Setup: On-Premises
Provision a single physical host or local virtual machine meeting the resource specifications:
- OS: Clean installation of Ubuntu Server 22.04 LTS.
- Networking: Assign a static internal LAN IP (and map a public IP or configure a reverse proxy/VPN gateway if external access is required).
Infrastructure Setup: AWS Cloud
Launch a single EC2 instance inside your VPC public subnet:
- AMI: Ubuntu Server 22.04 LTS.
- Instance Type: t3.2xlarge (8 vCPUs, 32 GB RAM) to meet the resource specifications.
- Elastic IP: Allocate and associate an Elastic IP (EIP) to the instance to ensure the public IP address remains static.
Infrastructure Setup: Azure Cloud
Launch a single Virtual Machine inside your Virtual Network (VNet) public subnet:
- Image: Ubuntu Server 22.04 LTS.
- Size: Standard_D8s_v5 (8 vCPUs, 32 GB RAM) to meet the resource specifications.
- Public IP: Configure a static public IP resource associated with the VM network interface.
Infrastructure Setup: GCP Cloud
Launch a single Compute Engine virtual machine instance:
- Machine Image: Ubuntu 22.04 LTS.
- Machine Type: e2-standard-8 (8 vCPUs, 32 GB RAM) to meet the resource specifications.
- External IP: Assign a static external IP address (reserve a static IP in your project console).
3. Firewall & Security Rules
To secure the single-node deployment, only administrative SSH and web traffic (HTTP/HTTPS) should be allowed inbound. Since the platform utilizes Docker Swarm internally, all cluster management ports (2377, 7946, 4789) must remain blocked from external inbound access to prevent unauthorized cluster probes.
Security Rule Rationale
- Port 22 (TCP): Used for administrative SSH access to the host.
- Port 80 (TCP): Used for standard HTTP traffic. Port 80 automatically redirects incoming requests to secure HTTPS (port 443) so users do not experience connection errors if they access the site via http://.
- Port 443 (TCP): Used for the primary secure application gateway access.
Procedure: On-Premises Host-Level Firewall (UFW)
Run the UFW configuration commands on your Single VM:
# 1. Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# 2. Allow SSH and Web traffic
sudo ufw allow 22/tcp comment "SSH Administrative Access"
sudo ufw allow 80/tcp comment "HTTP Gateway Redirection"
sudo ufw allow 443/tcp comment "HTTPS Ingress Gateway"
# 3. Enable the firewall
sudo ufw enable
AWS Security Group Rules (mcm-sg-single-vm)
Configure the following Security Group rules and associate them with your Single VM:
Inbound Rules:
| Protocol | Port Range | Source | Purpose |
|---|---|---|---|
| TCP | 22 | [Your_Admin_IP] | SSH Administrative Access |
| TCP | 443 | 0.0.0.0/0 | HTTPS Ingress Gateway |
| TCP | 80 | 0.0.0.0/0 | HTTP Gateway Redirection |
Azure Network Security Group (NSG) Rules
Configure the following Inbound security rules for your Single VM network interface:
Inbound Security Rules:
| Priority | Port | Protocol | Source | Destination | Action | Purpose |
|---|---|---|---|---|---|---|
| 100 | 22 | TCP | [Your_Admin_IP] | Any | Allow | SSH Access |
| 110 | 443 | TCP | Any | Any | Allow | HTTPS Ingress Gateway |
| 120 | 80 | TCP | Any | Any | Allow | HTTP Gateway Redirection |
| 65500 | * | Any | Any | Any | Deny | Block all other traffic |
GCP VPC Firewall Rules
Apply the following firewall rules targeting your single VM instance using network tags:
# 1. Allow SSH access to tagged instances
gcloud compute firewall-rules create mcm-allow-ssh \
--network=mcm-vpc \
--allow=tcp:22 \
--source-ranges=[YOUR_ADMIN_IP] \
--target-tags=mcm-single-vm
# 2. Allow HTTPS and HTTP access from anywhere
gcloud compute firewall-rules create mcm-allow-web \
--network=mcm-vpc \
--allow=tcp:80,tcp:443 \
--source-ranges=0.0.0.0/0 \
--target-tags=mcm-single-vm
Outbound Connectivity & Domains
The MCM platform requires outbound access to the following domains for cloud management operations and optional integrations:
Registry Archive Download Note: The MCM platform deployment archive (mcm_artifacts_single_vm-1.1.0.tar.gz) contains all core application services and bundled Docker images. Since this archive is only downloaded and extracted directly on this Single VM host, outbound internet connectivity to the registry repository is required only on this host VM during installation.
| Domain / Destination | Description |
|---|---|
| AWS API endpoints (*.amazonaws.com) | AWS cloud management operations |
| Azure API endpoints (management.azure.com, login.microsoftonline.com) | Azure cloud management operations |
| api.frankfurter.app | Currency exchange rate feeds for FinOps |
| api.github.com | GitHub API integrations (Optional) |
| Azure and AWS blob storage endpoints | Accessing cost report storage for FinOps |
External Connectivity Requirements (Installation Time)
During the initial installation process only, the server requires outbound access to download dependencies:
| Domain / Destination | Description |
|---|---|
| download.docker.com | Docker Engine package installation |
| github.com | yq binary and installation scripts download |
| Cloud provider trust domains | Downloading TLS certificate chains to build JVM truststore |
4. Installation Procedure
Download & Execute the Installer
- Connect to the server via SSH (run on your local terminal):
ssh [VM_SSH_USER]@<SERVER_IP>
Custom SSH Port (Optional)
If your server uses a custom SSH port (e.g., 2222) instead of the default port 22, you can update the SSH configuration and connect as follows:
  - Update the SSH configuration to listen on your custom port:
  sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
  - Restart the SSH service to apply the change:
  sudo systemctl restart ssh
  - Connect from your local terminal using the custom port:
  ssh -p 2222 [VM_SSH_USER]@<SERVER_IP>
IMPORTANT: Remember to update your cloud VPC security groups, network firewalls, and host firewalls to keep this custom SSH port open inbound instead of the default port 22.
- Download the platform deployment archive: (Contact the Revdau team for download credentials at mcm@revdau.ai)
You will receive a deployment credentials email from the Revdau team containing your Registry Credentials (Username and Password/Token):
# Define credentials at the top
REGISTRY_USER="your_username"
REGISTRY_PASS="your_password"
# Download the archive from the registry repository
wget --user="$REGISTRY_USER" --password="$REGISTRY_PASS" -O mcm_artifacts_single_vm-1.1.0.tar.gz "http://92.204.249.45:8080/repository/mcm-artifacts/1.1.0/develop-single_tier/mcm_artifacts_single_vm-1.1.0.tar.gz"
- Extract the downloaded archive:
tar -xzf mcm_artifacts_single_vm-1.1.0.tar.gz
- Navigate into the directory and run the installer:
cd mcm_artifacts
sudo bash install.sh --single-vm
Installation Details:
- Installation Time: Installation takes 15–30 minutes. Outbound internet access is required on the server during installation to install dependencies.
- Docker Permissions: The installer configures a docker user group and adds the current user to it. To execute Docker commands without sudo post-installation, run newgrp docker in your current terminal session, or log out and log back in.
Once the installer completes, open the application in your web browser:
| Application | URL |
|---|---|
| MCM UI | https://<DOMAIN_OR_IP>/subscription (Server's public IP address or custom domain) |
Platform Activation & Onboarding
When you access the MCM platform gateway for the first time, you must activate the installation using your subscription details:
1. Retrieve Your Subscription Key
You will receive a deployment resources email from the Revdau team containing your unique Subscription Key:
2. Activate the Subscription
Open the application URL (https://<DOMAIN_OR_IP>) in your web browser. You will be greeted by the Subscription Activation page. Enter your Subscription Key and your registered MSP Email ID, then click Activate:
3. Create the Administrator User
Once the subscription is activated, you will be redirected to the Create User page. Enter the details for the primary platform administrator (First Name, Last Name, Email, MSP Name, and Legal Name) and click Submit:
4. Log In to the Platform
After submitting, you will be redirected to the main login portal.
For a walkthrough of the login process, managing credentials, and exploring user dashboards, please refer to the Getting Started User Guide.
5. Post-Deployment Verification & Operations
You can verify the status and health of all deployed services by executing the healthcheck script (Optional) on the host server:
sudo bash /opt/mcm/scripts/healthcheck.sh
General Verification and Control
For verification steps, container status checks, log tailing, systemd wrapper management, and platform upgrade/control commands, please refer to the Helper Scripts and Commands Guide.
For custom domain configuration and SSL/TLS certificate management, please refer to the Domain and TLS Certificate Configuration Guide.
For troubleshooting configuration, certificate, or service initialization errors, refer to the Troubleshooting Guide.
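As an added post-deployment check (not part of the MCM installer or its helper scripts), the script below audits `ufw status` output against the inbound policy from section 3: only ports 22, 80 and 443 allowed, and the Docker Swarm ports 2377, 7946 and 4789 never allowed. The function names and both sample rulesets are constructed for illustration.

```bash
# Added example (not MCM tooling). Real use: sudo ufw status | audit_ufw
ALLOWED_PORTS="22 80 443"     # replace 22 with your custom SSH port if you changed it
SWARM_PORTS="2377 7946 4789"  # Docker Swarm ports that must never be allowed inbound

# Reads `ufw status` text on stdin, prints findings, returns 1 on any violation.
audit_ufw() {
  awk -v allowed="$ALLOWED_PORTS" -v swarm="$SWARM_PORTS" '
    BEGIN {
      n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
      m = split(swarm, s, " ");   for (i = 1; i <= m; i++) sw[s[i]] = 1
    }
    /^Status: active/ { active = 1 }
    / (ALLOW|LIMIT) / {
      port = $1; sub(/\/.*/, "", port)      # "443/tcp" -> "443"
      if (port in sw)         { print "FAIL swarm port allowed inbound: " $1; bad = 1 }
      else if (!(port in ok)) { print "FAIL unexpected inbound allow: " $1; bad = 1 }
      else                    { seen[port] = 1 }
    }
    END {
      if (!active) { print "FAIL ufw is not active"; bad = 1 }
      for (p in ok) if (!(p in seen)) print "WARN expected port has no allow rule: " p
      exit bad + 0
    }'
}

# Constructed sample: the ruleset produced by the UFW procedure in this guide.
sample_good() { cat <<'EOF'
Status: active
To                         Action      From
22/tcp                     ALLOW       Anywhere                   # SSH Administrative Access
80/tcp                     ALLOW       Anywhere                   # HTTP Gateway Redirection
443/tcp                    ALLOW       Anywhere                   # HTTPS Ingress Gateway
22/tcp (v6)                ALLOW       Anywhere (v6)              # SSH Administrative Access
EOF
}

# Constructed sample: Swarm overlay and management ports were opened by mistake.
sample_bad() { cat <<'EOF'
Status: active
To                         Action      From
443/tcp                    ALLOW       Anywhere
4789/udp                   ALLOW       Anywhere
2377/tcp                   ALLOW       10.0.0.0/8
EOF
}

sample_good | audit_ufw && echo "good sample: policy OK"
sample_bad  | audit_ufw || echo "bad sample: violations found"
```

UFW rules do not cover ports that Docker publishes for containers, because Docker inserts its own iptables rules ahead of them, so confirm the cloud security group or network firewall as well.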