Commit 09fc647

Managing Method C for BMM and BMC
1 parent 1671567 commit 09fc647

3 files changed

+584
-0
lines changed

articles/operator-nexus/TOC.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,10 @@
3636
href: howto-baremetal-run-read.md
3737
- name: BareMetal Review Output Run-Read
3838
href: howto-baremetal-review-read-output.md
39+
- name: BareMetal BMM Access Setup
40+
href: howto-baremetal-bmm-ssh.md
41+
- name: BareMetal BMC Access Setup
42+
href: howto-baremetal-bmc-ssh.md
3943
- name: Isolation Domain
4044
href: howto-configure-isolation-domain.md
4145
- name: AKS-Hybrid
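Review bot: the two new `href` targets (`howto-baremetal-bmm-ssh.md` and `howto-baremetal-bmc-ssh.md`) have to resolve to files added in this same commit, but this view shows only the markdown for the `bmckeyset` (BMC) document; confirm that `howto-baremetal-bmm-ssh.md` is part of the change set and that the TOC labels match the documents they point to, since "BareMetal BMC Access Setup" links to a page whose title is about `az networkcloud cluster bmckeyset` and whose body says SSH access goes to the BMC, not the BMM. Indentation of the four inserted lines matches the surrounding `- name:` / `href:` pairs, so the TOC structure is intact.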
Lines changed: 279 additions & 0 deletions
@@ -0,0 +1,279 @@
1+
---
2+
title: Manage emergency access to a bare metal machine using the `az networkcloud cluster bmckeyset` command for Azure Operator Nexus
3+
description: Step by step guide on using the `az networkcloud cluster bmckeyset` command to manage emergency access to a bare metal machine.
4+
author: eak13
5+
ms.author: ekarandjeff
6+
ms.service: azure-operator-nexus
7+
ms.topic: how-to
8+
ms.date: 04/18/2023
9+
ms.custom: template-how-to
10+
---
11+
12+
# Manage emergency access to a bare metal machine using the `az networkcloud cluster bmckeyset`
13+
14+
> [!CAUTION] >
15+
Please note this process is used in emergency situations when all other troubleshooting options have been exhausted via Azure. SSH access to these bare metal machines (BMM) is restricted to users managed via this method from the specified jump host list.
16+
17+
There are rare situations where a user needs to investigate & resolve issues with a BMM and all other ways have been exhausted via Azure. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these BMMs.
18+
19+
When the command runs, it executes on each of BMM in the Cluster. If a BMM is unavailable or powered off at the time of command execution, the status of the command will reflect which BMMs couldn't have the command executed. There's a reconciliation process that runs every four hours that will retry the command on any BMM that wasn't available at the time of the original command. Multiple commands execute in the order received.
20+
21+
There's a maximum number of 12 users defined per Cluster. Attempts to add more than 12 users will result in an error. Delete a user before adding another one when 12 already exists.
22+
23+
## Prerequisites
24+
25+
- Install the latest version of the
26+
[appropriate CLI extensions](./howto-install-cli-extensions.md)
27+
- The on-premise Cluster must have connectivity to Azure.
28+
- The process applies keysets to all running BMMs.
29+
- The users added must be part of an Azure Active Directory (Azure AD) group. For more information, see [How to Manage Groups](../active-directory/fundamentals/how-to-manage-groups.md).
30+
- To restrict access for managing keysets, create a custom role. For more information, see [Azure Custom Roles](../role-based-access-control/custom-roles.md). In this instance, add or exclude permissions for `Microsoft.NetworkCloud/clusters/bmcKeySets`. The options are `/read`. `/write` and `/delete`.
31+
32+
## Creating a BMC keyset
33+
34+
The `bmckeyset create` command creates SSH access to the BMM in a Cluster for a group of users.
35+
36+
The command syntax is:
37+
38+
```azurecli
39+
az networkcloud cluster bmckeyset create \
40+
--name <BMC Keyset Name> \
41+
--extended-location name=<Extended Location ARM ID> \
42+
type="CustomLocation" \
43+
--location <Azure Region> \
44+
--azure-group-id <Azure AAD Group ID> \
45+
--expiration <Expiration Timestamp> \
46+
--jump-hosts-allowed <List of jump server IP addresses> \
47+
--privilege-level <"Administrator" or "ReadOnly"> \
48+
--user-list '[{"description":"<User description>","azureUserName":"<User Name>", \
49+
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
50+
--tags key1=<Key Value> key2=<Key Value> \
51+
--cluster-name <Cluster Name> \
52+
--resource-group <Resource Group>
53+
```
54+
55+
### Create Arguments
56+
57+
```azurecli
58+
--azure-group-id [Required] : The object ID of Azure Active Directory
59+
group that all users in the list must
60+
be in for access to be granted. Users
61+
that are not in the group will not have
62+
access.
63+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set.
64+
--cluster-name [Required] : The name of the cluster.
65+
--expiration [Required] : The date and time after which the users
66+
in this key set will be removed from
67+
the BMCs. The limit is up to 1 year from creation.
68+
Format is "YYYY-MM-DDTHH:MM:SS.000Z"
69+
--extended-location [Required] : The extended location of the cluster
70+
associated with the resource.
71+
Usage: --extended-location name=XX type=XX
72+
name: Required. The resource ID of the extended location on which the resource will be created.
73+
type: Required. The extended location type: "CustomLocation".
74+
--privilege-level [Required] : The access level allowed for the users
75+
in this key set. Allowed values:
76+
"Standard" or "Superuser".
77+
--resource-group -g [Required] : Name of resource group. Optional if
78+
configuring the default group using `az
79+
configure --defaults group=<name>`.
80+
--user-list [Required] : The unique list of permitted users.
81+
Usage: --user-list azure-user-name=XX description=XX key-data=XX
82+
azure-user-name: Required. The Azure Active Directory user name (email name).
83+
description: The free-form description for this user.
84+
key-data: Required. The public ssh key of the user.
85+
86+
Multiple users can be specified by using more than one --user-list argument.
87+
--tags : Space-separated tags: key[=value]
88+
[key[=value] ...]. Use '' to clear
89+
existing tags.
90+
--location -l : Azure Region. Values from: `az account
91+
list-locations`. You can configure the
92+
default location using `az configure
93+
--defaults location=<location>`.
94+
--no-wait : Do not wait for the long-running
95+
operation to finish.
96+
```
97+
98+
### Global Azure CLI arguments (applicable to all commands)
99+
100+
```azurecli
101+
--debug : Increase logging verbosity to show all
102+
debug logs.
103+
--help -h : Show this help message and exit.
104+
--only-show-errors : Only show errors, suppressing warnings.
105+
--output -o : Output format. Allowed values: json,
106+
jsonc, none, table, tsv, yaml, yamlc.
107+
Default: json.
108+
--query : JMESPath query string. See
109+
http://jmespath.org/ for more
110+
information and examples.
111+
--subscription [Required] : Name or ID of subscription. Optional if
112+
configuring the default subscription
113+
using `az account set -s NAME_OR_ID`.
114+
--verbose : Increase logging verbosity. Use --debug
115+
for full debug logs.
116+
```
117+
118+
This example will create a new keyset with two users that have standard access from two jump hosts.
119+
120+
```azurecli
121+
az networkcloud cluster bmckeyset create \
122+
--name "bmcKeySetName" \
123+
--extended-location name="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ExtendedLocation/customLocations/clusterExtendedLocationName" \
124+
type="CustomLocation" \
125+
--location "location" \
126+
--azure-group-id "f110271b-XXXX-4163-9b99-214d91660f0e" \
127+
--expiration "2023-12-31T23:59:59.008Z" \
128+
--privilege-level "Standard" \
129+
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team",\
130+
"azureUserName":"userABC","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}},\
131+
{"description":"Needs access for troubleshooting as a part of the support team",\
132+
"azureUserName":"userXYZ","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXTSTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}}]' \
133+
--tags key1="myvalue1" key2="myvalue2" \
134+
--cluster-name "clusterName" \
135+
--resource-group "resourceGroupName"
136+
```
137+
138+
For assistance in creating the `--user-list` structure, see [Azure CLI Shorthand](https://github.com/Azure/azure-cli/blob/dev/doc/shorthand_syntax.md).
139+
140+
## Deleting a BMC keyset
141+
142+
The `bmckeyset delete` command removes SSH access to the BMC for a group of users. All members of the group will no longer have SSH access to any of the BMCs in the Cluster.
143+
144+
The command syntax is:
145+
146+
```azurecli
147+
az networkcloud cluster bmckeyset delete \
148+
--name <BMM Keyset Name> \
149+
--cluster-name <Cluster Name> \
150+
--resource-group <Resource Group Name> \
151+
```
152+
153+
### Delete Arguments
154+
155+
```azurecli
156+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set to be deleted.
157+
--cluster-name [Required] : The name of the cluster.
158+
--resource-group -g [Required] : Name of resource group. Optional if configuring the
159+
default group using `az configure --defaults
160+
group=<name>`.
161+
--no-wait : Do not wait for the long-running operation to finish.
162+
--yes -y : Do not prompt for confirmation.
163+
```
164+
165+
This example will remove the "bmcKeysetName" keyset group in the "clusterName" Cluster.
166+
167+
```azurecli
168+
az networkcloud cluster bmckeyset delete \
169+
--name "bmcKeySetName" \
170+
--cluster-name "clusterName" \
171+
--resource-group "resourceGroupName" \
172+
```
173+
174+
## Updating a BMC Keyset
175+
176+
The `bmckeyset update` command allows users to make changes to an existing keyset group.
177+
178+
The command syntax is:
179+
180+
```azurecli
181+
az networkcloud cluster bmckeyset update \
182+
--name <BMM Keyset Name> \
183+
--jump-hosts-allowed <List of jump server IP addresses> \
184+
--privilege-level <"Standard" or "Superuser"> \
185+
--user-list '[{"description":"<User description>",\
186+
"azureUserName":"<UserName>", \
187+
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
188+
--tags key1=<Key Value> key2=<Key Value> \
189+
--cluster-name <Cluster Name> \
190+
--resource-group <Resource Group>
191+
```
192+
193+
### Update Arguments
194+
195+
```azurecli
196+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set.
197+
--cluster-name [Required] : The name of the cluster.
198+
--expiration : The date and time after which the users
199+
in this key set will be removed from
200+
the BMCs. Format is:
201+
"YYYY-MM-DDTHH:MM:SS.000Z"
202+
--jump-hosts-allowed : The list of IP addresses of jump hosts
203+
with management network access from
204+
which a login will be allowed for the
205+
users. Supports IPv4 or IPv6 addresses.
206+
--privilege-level : The access level allowed for the users
207+
in this key set. Allowed values:
208+
"Standard" or "Superuser".
209+
--user-list : The unique list of permitted users.
210+
Usage: --user-list azure-user-name=XX description=XX key-data=XX
211+
azure-user-name: Required. The Azure Active Directory user name (email name).
212+
description: The free-form description for this user.
213+
key-data: Required. The public SSH key of the user.
214+
215+
Multiple users can be specified by using more than one --user-list argument.
216+
--resource-group -g [Required] : Name of resource group. Optional if
217+
configuring the default group using `az
218+
configure --defaults group=<name>`.
219+
--tags : Space-separated tags: key[=value]
220+
[key[=value] ...]. Use '' to clear
221+
existing tags.
222+
--no-wait : Do not wait for the long-running
223+
operation to finish.
224+
```
225+
226+
This example will add two new users to the "bmcKeySetName" group and will change the expiry time for the group.
227+
228+
```azurecli
229+
az networkcloud cluster bmckeyset update \
230+
--name "bmcKeySetName" \
231+
--expiration "2023-12-31T23:59:59.008Z" \
232+
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team",\
233+
"azureUserName":"userDEF","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}}]\
234+
--cluster-name "clusterName" \
235+
--resource-group "resourceGroupName"
236+
```
237+
238+
## Listing BMC Keysets
239+
240+
The `bmckeyset list` command allows users to see the existing keyset groups in a Cluster.
241+
242+
The command syntax is:
243+
244+
```azurecli
245+
az networkcloud cluster bmckeyset list \
246+
--cluster-name <Cluster Name> \
247+
--resource-group <Resource Group>
248+
```
249+
250+
### List Arguments
251+
252+
```azurecli
253+
--cluster-name [Required] : The name of the cluster.
254+
--resource-group -g [Required] : Name of resource group. Optional if
255+
configuring the default group using `az
256+
configure --defaults group=<name>`.
257+
```
258+
259+
## Show BMC Keyset Details
260+
261+
The `bmckeyset show` command allows users to see the details of an existing keyset group in a Cluster.
262+
263+
The command syntax is:
264+
265+
```azurecli
266+
az networkcloud cluster bmckeyset show \
267+
--cluster-name <Cluster Name> \
268+
--resource-group <Resource Group>
269+
```
270+
271+
### Show Arguments
272+
273+
```azurecli
274+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set.
275+
--cluster-name [Required] : The name of the cluster.
276+
--resource-group -g [Required] : Name of resource group. You can
277+
configure the default group using `az
278+
configure --defaults group=<name>`.
279+
```
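Review bot: the update example on line 233 is missing the closing single quote of the `--user-list` argument (`"}}]\` should be `"}}]' \`), so the command as written will not parse; the delete syntax on line 150 and the delete example on line 171 end with a trailing ` \` on the last argument, which leaves the shell waiting for a continuation line. The `--privilege-level` values are inconsistent: the create syntax on line 47 shows `<"Administrator" or "ReadOnly">` while the Create Arguments (line 76), the update syntax and the examples use `"Standard"` or `"Superuser"`; pick the set the command actually accepts. `--jump-hosts-allowed` appears in the create syntax (line 46) and in the Update Arguments, but is absent from the Create Arguments and from the create example, even though line 118 says the two users get access "from two jump hosts" and the caution on line 15 says SSH access is restricted to the jump host list; since that allow list is the control that limits where BMC logins may originate, the example should set it and the Create Arguments should document it. `--user-list` is shown as JSON (`azureUserName`, `sshPublicKey.keyData`) in the syntax blocks but described with shorthand keys (`azure-user-name`, `key-data`) in the argument help; one form should be used throughout. Smaller points: `<BMM Keyset Name>` on lines 148 and 182 should read BMC; the show syntax (lines 265-269) omits `--name` although Show Arguments mark it `[Required]`; `--subscription [Required]` on line 111 is described in the same sentence as optional; `> [!CAUTION] >` on line 14 has a stray trailing `>` and the callout body on line 15 is not prefixed with `>`, so it will render outside the callout; line 34 says the command "creates SSH access to the BMM" where the rest of the page says BMC; and "when 12 already exists" on line 21 should be "exist".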
