Skip to content

Commit 8fe7123

Browse files
Court72Court72
authored
Merge pull request #234850 from JAC0BSMITH/jac0bsmith_BMM
Managing Method C for BMM and BMC
2 parents be0dd76 + 2b68a2d commit 8fe7123

File tree

3 files changed

+585
-0
lines changed

3 files changed

+585
-0
lines changed

articles/operator-nexus/TOC.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,10 @@
3636
href: howto-baremetal-run-read.md
3737
- name: BareMetal Review Output Run-Read
3838
href: howto-baremetal-review-read-output.md
39+
- name: BareMetal BMM Access Setup
40+
href: howto-baremetal-bmm-ssh.md
41+
- name: BareMetal BMC Access Setup
42+
href: howto-baremetal-bmc-ssh.md
3943
- name: Isolation Domain
4044
href: howto-configure-isolation-domain.md
4145
- name: AKS-Hybrid

articles/operator-nexus/howto-baremetal-bmc-ssh.md

Lines changed: 280 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,280 @@
1+
---
2+
title: Manage emergency access to a bare metal machine using the `az networkcloud cluster bmckeyset` command for Azure Operator Nexus
3+
description: Step by step guide on using the `az networkcloud cluster bmckeyset` command to manage emergency access to a bare metal machine.
4+
author: eak13
5+
ms.author: ekarandjeff
6+
ms.service: azure-operator-nexus
7+
ms.topic: how-to
8+
ms.date: 04/18/2023
9+
ms.custom: template-how-to
10+
---
11+
12+
# Manage emergency access to a bare metal machine using the `az networkcloud cluster bmckeyset`
13+
14+
> [!CAUTION]
15+
> Please note this process is used in emergency situations when all other troubleshooting options via Azure have been exhausted. SSH access to these bare metal machines (BMM) is restricted to users managed via this method from the specified jump host list.
16+
17+
There are rare situations where a user needs to investigate & resolve issues with a BMM and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these BMMs.
18+
19+
When the command runs, it executes on each BMM in the Cluster. If a BMM is unavailable or powered off at the time of command execution, the status of the command reflects which BMMs couldn't have the command executed. There's a reconciliation process that runs periodically that retries the command on any BMM that wasn't available at the time of the original command. Multiple commands execute in the order received.
20+
21+
There's a maximum number of 12 users defined per Cluster. Attempts to add more than 12 users results in an error. Delete a user before adding another one when 12 already exists.
22+
23+
## Prerequisites
24+
25+
- Install the latest version of the
26+
[appropriate CLI extensions](./howto-install-cli-extensions.md)
27+
- The on-premises Cluster must have connectivity to Azure.
28+
- Get the Resource group name that you created for `Cluster` resource
29+
- The process applies keysets to all running BMMs.
30+
- The users added must be part of an Azure Active Directory (Azure AD) group. For more information, see [How to Manage Groups](../active-directory/fundamentals/how-to-manage-groups.md).
31+
- To restrict access for managing keysets, create a custom role. For more information, see [Azure Custom Roles](../role-based-access-control/custom-roles.md). In this instance, add or exclude permissions for `Microsoft.NetworkCloud/clusters/bmcKeySets`. The options are `/read`, `/write` and `/delete`.
32+
33+
## Creating a BMC keyset
34+
35+
The `bmckeyset create` command creates SSH access to the BMM in a Cluster for a group of users.
36+
37+
The command syntax is:
38+
39+
```azurecli
40+
az networkcloud cluster bmckeyset create \
41+
--name <BMC Keyset Name> \
42+
--extended-location name=<Extended Location ARM ID> \
43+
type="CustomLocation" \
44+
--location <Azure Region> \
45+
--azure-group-id <Azure AAD Group ID> \
46+
--expiration <Expiration Timestamp> \
47+
--jump-hosts-allowed <List of jump server IP addresses> \
48+
--privilege-level <"Administrator" or "ReadOnly"> \
49+
--user-list '[{"description":"<User description>","azureUserName":"<User Name>", \
50+
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
51+
--tags key1=<Key Value> key2=<Key Value> \
52+
--cluster-name <Cluster Name> \
53+
--resource-group <Resource Group Name>
54+
```
55+
56+
### Create Arguments
57+
58+
```azurecli
59+
--azure-group-id [Required] : The object ID of Azure Active Directory
60+
group that all users in the list must
61+
be in for access to be granted. Users
62+
that are not in the group do not have
63+
access.
64+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set.
65+
--cluster-name [Required] : The name of the cluster.
66+
--expiration [Required] : The date and time after which the users
67+
in this key set are removed from
68+
the BMCs. The limit is up to 1 year from creation.
69+
Format is "YYYY-MM-DDTHH:MM:SS.000Z"
70+
--extended-location [Required] : The extended location of the cluster
71+
associated with the resource.
72+
Usage: --extended-location name=XX type=XX
73+
name: Required. The resource ID of the extended location on which the resource is created.
74+
type: Required. The extended location type: "CustomLocation".
75+
--privilege-level [Required] : The access level allowed for the users
76+
in this key set. Allowed values:
77+
"Standard" or "Superuser".
78+
--resource-group -g [Required] : Name of resource group. Optional if
79+
configuring the default group using `az
80+
configure --defaults group=<name>`.
81+
--user-list [Required] : The unique list of permitted users.
82+
Usage: --user-list azure-user-name=XX description=XX key-data=XX
83+
azure-user-name: Required. The Azure Active Directory user name (email name).
84+
description: The free-form description for this user.
85+
key-data: Required. The public ssh key of the user.
86+
87+
Multiple users can be specified by using more than one --user-list argument.
88+
--tags : Space-separated tags: key[=value]
89+
[key[=value] ...]. Use '' to clear
90+
existing tags.
91+
--location -l : Azure Region. Values from: `az account
92+
list-locations`. You can configure the
93+
default location using `az configure
94+
--defaults location=<location>`.
95+
--no-wait : Do not wait for the long-running
96+
operation to finish.
97+
```
98+
99+
### Global Azure CLI arguments (applicable to all commands)
100+
101+
```azurecli
102+
--debug : Increase logging verbosity to show all
103+
debug logs.
104+
--help -h : Show this help message and exit.
105+
--only-show-errors : Only show errors, suppressing warnings.
106+
--output -o : Output format. Allowed values: json,
107+
jsonc, none, table, tsv, yaml, yamlc.
108+
Default: json.
109+
--query : JMESPath query string. See
110+
http://jmespath.org/ for more
111+
information and examples.
112+
--subscription [Required] : Name or ID of subscription. Optional if
113+
configuring the default subscription
114+
using `az account set -s NAME_OR_ID`.
115+
--verbose : Increase logging verbosity. Use --debug
116+
for full debug logs.
117+
```
118+
119+
This example creates a new keyset with two users that have standard access from two jump hosts.
120+
121+
```azurecli
122+
az networkcloud cluster bmckeyset create \
123+
--name "bmcKeySetName" \
124+
--extended-location name="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ExtendedLocation/customLocations/clusterExtendedLocationName" \
125+
type="CustomLocation" \
126+
--location "location" \
127+
--azure-group-id "f110271b-XXXX-4163-9b99-214d91660f0e" \
128+
--expiration "2023-12-31T23:59:59.008Z" \
129+
--privilege-level "Standard" \
130+
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team",\
131+
"azureUserName":"userABC","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}},\
132+
{"description":"Needs access for troubleshooting as a part of the support team",\
133+
"azureUserName":"userXYZ","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXTSTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}}]' \
134+
--tags key1="myvalue1" key2="myvalue2" \
135+
--cluster-name "clusterName" \
136+
--resource-group "resourceGroupName"
137+
```
138+
139+
For assistance in creating the `--user-list` structure, see [Azure CLI Shorthand](https://github.com/Azure/azure-cli/blob/dev/doc/shorthand_syntax.md).
140+
141+
## Deleting a BMC keyset
142+
143+
The `bmckeyset delete` command removes SSH access to the BMC for a group of users. All members of the group will no longer have SSH access to any of the BMCs in the Cluster.
144+
145+
The command syntax is:
146+
147+
```azurecli
148+
az networkcloud cluster bmckeyset delete \
149+
--name <BMM Keyset Name> \
150+
--cluster-name <Cluster Name> \
151+
--resource-group <Resource Group Name> \
152+
```
153+
154+
### Delete Arguments
155+
156+
```azurecli
157+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set to be deleted.
158+
--cluster-name [Required] : The name of the cluster.
159+
--resource-group -g [Required] : Name of resource group. Optional if configuring the
160+
default group using `az configure --defaults
161+
group=<name>`.
162+
--no-wait : Do not wait for the long-running operation to finish.
163+
--yes -y : Do not prompt for confirmation.
164+
```
165+
166+
This example removes the "bmcKeysetName" keyset group in the "clusterName" Cluster.
167+
168+
```azurecli
169+
az networkcloud cluster bmckeyset delete \
170+
--name "bmcKeySetName" \
171+
--cluster-name "clusterName" \
172+
--resource-group "resourceGroupName" \
173+
```
174+
175+
## Updating a BMC Keyset
176+
177+
The `bmckeyset update` command allows users to make changes to an existing keyset group.
178+
179+
The command syntax is:
180+
181+
```azurecli
182+
az networkcloud cluster bmckeyset update \
183+
--name <BMM Keyset Name> \
184+
--jump-hosts-allowed <List of jump server IP addresses> \
185+
--privilege-level <"Standard" or "Superuser"> \
186+
--user-list '[{"description":"<User description>",\
187+
"azureUserName":"<UserName>", \
188+
"sshPublicKey":{"keyData":"<SSH Public Key>"}}]' \
189+
--tags key1=<Key Value> key2=<Key Value> \
190+
--cluster-name <Cluster Name> \
191+
--resource-group <Resource Group Name>
192+
```
193+
194+
### Update Arguments
195+
196+
```azurecli
197+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set.
198+
--cluster-name [Required] : The name of the cluster.
199+
--expiration : The date and time after which the users
200+
in this key set are removed from
201+
the BMCs. Format is:
202+
"YYYY-MM-DDTHH:MM:SS.000Z"
203+
--jump-hosts-allowed : The list of IP addresses of jump hosts
204+
with management network access from
205+
which a login is allowed for the
206+
users. Supports IPv4 or IPv6 addresses.
207+
--privilege-level : The access level allowed for the users
208+
in this key set. Allowed values:
209+
"Standard" or "Superuser".
210+
--user-list : The unique list of permitted users.
211+
Usage: --user-list azure-user-name=XX description=XX key-data=XX
212+
azure-user-name: Required. The Azure Active Directory user name (email name).
213+
description: The free-form description for this user.
214+
key-data: Required. The public SSH key of the user.
215+
216+
Multiple users can be specified by using more than one --user-list argument.
217+
--resource-group -g [Required] : Name of resource group. Optional if
218+
configuring the default group using `az
219+
configure --defaults group=<name>`.
220+
--tags : Space-separated tags: key[=value]
221+
[key[=value] ...]. Use '' to clear
222+
existing tags.
223+
--no-wait : Do not wait for the long-running
224+
operation to finish.
225+
```
226+
227+
This example adds two new users to the "bmcKeySetName" group and changes the expiry time for the group.
228+
229+
```azurecli
230+
az networkcloud cluster bmckeyset update \
231+
--name "bmcKeySetName" \
232+
--expiration "2023-12-31T23:59:59.008Z" \
233+
--user-list '[{"description":"Needs access for troubleshooting as a part of the support team",\
234+
"azureUserName":"userDEF","sshPublicKey":{"keyData":"ssh-rsa AAtsE3njSONzDYRIZv/WLjVuMfrUSByHp+jfaaOLHTIIB4fJvo6dQUZxE20w2iDHV3tEkmnTo84eba97VMueQD6OzJPEyWZMRpz8UYWOd0IXeRqiFu1lawNblZhwNT/ojNZfpB3af/YDzwQCZgTcTRyNNhL4o/blKUmug0daSsSXISTRnIDpcf5qytjs1XoyYyJMvzLL59mhAyb3p/cD+Y3/s3WhAx+l0XOKpzXnblrv9d3q4c2tWmm/SyFqthaqd0= admin@vm"}}]\
235+
--cluster-name "clusterName" \
236+
--resource-group "resourceGroupName"
237+
```
238+
239+
## Listing BMC Keysets
240+
241+
The `bmckeyset list` command allows users to see the existing keyset groups in a Cluster.
242+
243+
The command syntax is:
244+
245+
```azurecli
246+
az networkcloud cluster bmckeyset list \
247+
--cluster-name <Cluster Name> \
248+
--resource-group <Resource Group Name>
249+
```
250+
251+
### List Arguments
252+
253+
```azurecli
254+
--cluster-name [Required] : The name of the cluster.
255+
--resource-group -g [Required] : Name of resource group. Optional if
256+
configuring the default group using `az
257+
configure --defaults group=<name>`.
258+
```
259+
260+
## Show BMC Keyset Details
261+
262+
The `bmckeyset show` command allows users to see the details of an existing keyset group in a Cluster.
263+
264+
The command syntax is:
265+
266+
```azurecli
267+
az networkcloud cluster bmckeyset show \
268+
--cluster-name <Cluster Name> \
269+
--resource-group <Resource Group Name>
270+
```
271+
272+
### Show Arguments
273+
274+
```azurecli
275+
--bmc-key-set-name --name -n [Required] : The name of the BMC key set.
276+
--cluster-name [Required] : The name of the cluster.
277+
--resource-group -g [Required] : Name of resource group. You can
278+
configure the default group using `az
279+
configure --defaults group=<name>`.
280+
```

0 commit comments

Comments
 (0)