Manage emergency access to a bare metal machine using `az networkcloud cluster baremetalmachinekeyset` command for Azure Operator Nexus (2023)

Caution

Note that this procedure is used in emergency situations when all other troubleshooting options using Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed through this method from the specified jump host list.

There are rare cases where a user needs to investigate and resolve issues with a bare metal machine after all other avenues through Azure have been exhausted. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so that users can manage SSH access to these bare metal machines.

When the command is executed, it is executed on every bare metal machine in the Cluster. If a bare metal machine is unavailable or disabled at the time the command is executed, the status of the command reflects which bare metal machines were unable to execute the command. There is a reconciliation process that runs periodically and replays the command on any bare metal machine that was not available at the time of the original command. Multiple commands are executed in the order received.

There is no limit to the number of users in a group.

Caution

Notes on jump host IP addresses

  • The keyset create/update process adds the jump host IP addresses to the IP tables of the cluster and restricts SSH access to only those IPs.
  • It is important to specify the IP addresses that the cluster sees for the jump hosts. These addresses may differ from the public IP address used to reach the jump host.
  • Once added, users can access bare metal machines from any of the specified jump host IP addresses, including a jump host IP that was specified for a different bare metal machine keyset.
  • Existing SSH access remains when the first bare metal machine keyset is added. However, the keyset command restricts an existing user's SSH access to the jump host IPs specified in the keyset commands.

Prerequisites

  • Install the latest version of the appropriate CLI extensions.
  • Your on-premises cluster must have connectivity to Azure.
  • Get the resource group name for the Cluster resource.
  • The process applies keysets to all running bare metal machines.
  • Added users must be part of an Azure Active Directory (Azure AD) group. For more information, see How to manage groups.
  • To restrict access to managing keysets, create a custom role. For more information, see Custom Azure roles. In this case, add or exclude permissions for Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets. The options are /read, /write, and /delete.

The `baremetalmachinekeyset create` command creates SSH access to the bare metal machines in a Cluster for a group of users.

The command syntax is:

az networkcloud cluster baremetalmachinekeyset create \
  --name <BareMetalMachineKeySetName> \
  --extended-location name=<ExtendedLocationResourceId> type="CustomLocation" \
  --location <Location> \
  --azure-group-id <AzureGroupId> \
  --expiration <Expiration> \
  --jump-hosts-allowed <JumpHostIPs> \
  --os-group-name <OsGroupName> \
  --privilege-level <"Standard" or "Superuser"> \
  --user-list '[{"description":"<UserDescription>","azureUserName":"<UserName>",\
    "sshPublicKey":{"keyData":"<SshPublicKey>"}}]' \
  --tags key1=<Key1> key2=<Key2> \
  --cluster-name <ClusterName> \
  --resource-group <ResourceGroupName>

Create arguments

  • --azure-group-id [Required] : The object ID of the Azure Active Directory group that all users in the list must belong to in order to be granted access. Users who do not belong to the group do not get access.
  • --bare-metal-machine-key-set-name --name -n [Required] : The name of the bare metal machine keyset.
  • --cluster-name [Required] : The name of the cluster.
  • --expiration [Required] : The date and time after which the users in this keyset are removed from the bare metal machines. The format is "YYYY-MM-DDTHH:MM:SS.000Z".
  • --extended-location [Required] : The extended location of the cluster associated with the resource. Usage: --extended-location name=XX type=XX. name: Required. The resource ID of the extended location where the resource is created. type: Required. The extended location type: "CustomLocation".
  • --jump-hosts-allowed [Required] : The list of IP addresses of jump hosts with access to the management network from which users are allowed to connect. Supports IPv4 or IPv6 addresses.
  • --privilege-level [Required] : The level of access users are allowed to this keyset. Allowed values: "Standard" or "Superuser".
  • --resource-group -g [Required] : Resource group name. Optional if the default group is configured using `az configure --defaults group=<name>`.
  • --user-list [Required] : The unique list of allowed users. Usage: --user-list azure-user-name=XX description=XX key-data=XX. azure-user-name: Required. The username used to connect to the server. description: A free-form description of this user. key-data: Required. The user's public SSH key. Multiple users can be specified with more than one --user-list argument.
  • --os-group-name : The name of the group that the users are assigned to in the machines' operating system.
  • --tags : Space-separated tags: key[=value] [key[=value] ...]. Use '' to clear existing tags.
  • --location -l : Azure region. Values from `az account list-locations`. You can configure the default location using `az configure --defaults location=<location>`.
  • --no-wait : Do not wait for the long-running operation to complete.

General Azure CLI arguments (applies to all commands)

  • --debug : Increase logging verbosity to show all debug logs.
  • --help -h : Show this help message and exit.
  • --only-show-errors : Only show errors, suppressing warnings.
  • --output -o : Output format. Allowed values: json, jsonc, none, table, tsv, yaml, yamlc. Default: json.
  • --query : JMESPath query string. See http://jmespath.org/ for more information and examples.
  • --subscription : Subscription name or ID. Optional if the default subscription is configured using `az account set -s NAME_OR_ID`.
  • --verbose : Increase logging verbosity. Use --debug for full debug logs.

This example creates a new keyset with two users that have standard access from two hosts.

az networkcloud cluster baremetalmachinekeyset create \
  --name "bareMetalMachineKeySetName" \
  --extended-location name="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ExtendedLocation/customLocations/<ExtendedLocationName>" type="CustomLocation" \
  --location "location" \
  --azure-group-id "f110271b-XXXX-4163-9b99-214d91660f0e" \
  --expiration "2022-12-31T23:59:59.008Z" \
  --jump-hosts-allowed "<JumpHostIP1>" "192.0.2.5" \
  --os-group-name "standardAccessGroup" \
  --privilege-level "Standard" \
  --user-list '[{"description":"Need access for troubleshooting as part of team support","azureUserName":"userABC","sshPublicKey":{"keyData":"<userABC SSH public key>"}},{"description":"Need access to troubleshoot as part of support team","azureUserName":"userXYZ","sshPublicKey":{"keyData":"<userXYZ SSH public key>"}}]' \
  --tags key1="myvalue1" key2="myvalue2" \
  --cluster-name "clusterName" \
  --resource-group "resourceGroupName"

For help building the --user-list structure, see Azure CLI shorthand syntax.
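The create command takes the --user-list JSON, the jump host addresses and the expiration as opaque strings, so a typo becomes an allow-list entry or an immediately expired keyset. The helper below is added example code for this page (not part of the Azure CLI or the Nexus documentation); it validates those three inputs and composes the argv for the create command. The user name, key data and extended location resource ID are constructed placeholders.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# OpenSSH public key line: "<type> <base64> [comment]"; keyData must look like this.
KEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/]+=*( .*)?$")
EXPIRY_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # "YYYY-MM-DDTHH:MM:SS.000Z" as --expiration expects
# Constructed sample user (hypothetical name, placeholder key data, not a real credential).
SAMPLE_USERS = [("userABC", "Need access to troubleshoot as part of the support team",
                 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExamplePlaceholderKeyData000000000 admin@vm")]

def user_list_json(users):
    """Render (azureUserName, description, publicKey) tuples into the --user-list JSON."""
    entries = []
    for name, desc, key in users:
        if not KEY_RE.match(key):
            raise ValueError(f"{name}: keyData does not look like an OpenSSH public key")
        entries.append({"description": desc, "azureUserName": name,
                        "sshPublicKey": {"keyData": key}})
    return json.dumps(entries)

def validate_jump_hosts(ips):
    """Only parseable IPv4/IPv6 addresses: these become the cluster's SSH allow-list."""
    return [str(ipaddress.ip_address(ip)) for ip in ips]

def validate_expiration(text, now=None):
    """Reject a malformed or already-past expiration (users would be removed at once)."""
    when = datetime.strptime(text, EXPIRY_FMT).replace(tzinfo=timezone.utc)
    if when <= (now or datetime.now(timezone.utc)):
        raise ValueError("expiration must be in the future")
    return text

def build_create_command(name, cluster, rg, ext_loc, location, group_id, expiration,
                         jump_hosts, users, privilege="Standard", os_group="standardAccessGroup"):
    """Assemble argv for `az networkcloud cluster baremetalmachinekeyset create`."""
    return ["az", "networkcloud", "cluster", "baremetalmachinekeyset", "create",
            "--name", name, "--cluster-name", cluster, "--resource-group", rg,
            "--extended-location", f"name={ext_loc}", "type=CustomLocation",
            "--location", location, "--azure-group-id", group_id,
            "--expiration", validate_expiration(expiration),
            "--jump-hosts-allowed", *validate_jump_hosts(jump_hosts),
            "--os-group-name", os_group, "--privilege-level", privilege,
            "--user-list", user_list_json(users)]

def demo():
    # Page's sample names; <ExtendedLocationResourceId> is a placeholder. subprocess.run(demo()) executes it.
    return build_create_command("bareMetalMachineKeySetName", "clusterName", "resourceGroupName",
                                "<ExtendedLocationResourceId>", "location", "f110271b-XXXX-4163-9b99-214d91660f0e",
                                "2099-12-31T23:59:59.000Z", ["192.0.2.5", "2001:db8::10"], SAMPLE_USERS)
```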

Delete bare metal machine keysets

The `baremetalmachinekeyset delete` command removes SSH access to the bare metal machines for a group of users. All members of the group no longer have SSH access to any of the bare metal machines in the Cluster.

The command syntax is:

az networkcloud cluster baremetalmachinekeyset delete \
  --name <BareMetalMachineKeySetName> \
  --cluster-name <ClusterName> \
  --resource-group <ResourceGroupName>

Delete arguments

  • --bare-metal-machine-key-set-name --name -n [Required] : The name of the bare metal machine keyset to delete.
  • --cluster-name [Required] : The name of the cluster.
  • --resource-group -g [Required] : Resource group name. Optional if the default group is configured using `az configure --defaults group=<name>`.
  • --no-wait : Do not wait for the long-running operation to complete.
  • --yes -y : Do not prompt for confirmation.

This example removes the "bareMetalMachineKeySetName" keyset from the "clusterName" cluster.

az networkcloud cluster baremetalmachinekeyset delete \
  --name "bareMetalMachineKeySetName" \
  --cluster-name "clusterName" \
  --resource-group "resourceGroupName"

Update bare metal machine keysets

The `baremetalmachinekeyset update` command allows users to make changes to an existing keyset group.

The command syntax is:

az networkcloud cluster baremetalmachinekeyset update \
  --name <BareMetalMachineKeySetName> \
  --expiration <Expiration> \
  --jump-hosts-allowed <JumpHostIPs> \
  --privilege-level <"Standard" or "Superuser"> \
  --user-list '[{"description":"<UserDescription>","azureUserName":"<UserName>",\
    "sshPublicKey":{"keyData":"<SshPublicKey>"}}]' \
  --tags key1=<Key1> key2=<Key2> \
  --cluster-name <ClusterName> \
  --resource-group <ResourceGroupName>

Update arguments

  • --bare-metal-machine-key-set-name --name -n [Required] : The name of the bare metal machine keyset.
  • --cluster-name [Required] : The name of the cluster.
  • --expiration : The date and time after which the users in this keyset are removed from the bare metal machines. The format is "YYYY-MM-DDTHH:MM:SS.000Z".
  • --jump-hosts-allowed : The list of IP addresses of jump hosts with access to the management network from which users are allowed to connect. Supports IPv4 or IPv6 addresses.
  • --privilege-level : The level of access users are allowed to this keyset. Allowed values: "Standard" or "Superuser".
  • --user-list : The unique list of allowed users. Usage: --user-list azure-user-name=XX description=XX key-data=XX. azure-user-name: Required. The username used to connect to the server. description: A free-form description of this user. key-data: Required. The user's public SSH key. Multiple users can be specified with more than one --user-list argument.
  • --resource-group -g [Required] : Resource group name. Optional if the default group is configured using `az configure --defaults group=<name>`.
  • --tags : Space-separated tags: key[=value] [key[=value] ...]. Use '' to clear existing tags.
  • --no-wait : Do not wait for the long-running operation to complete.

This example adds two new users to the "bareMetalMachineKeySetName" group and changes the expiration time of the group.

az networkcloud cluster baremetalmachinekeyset update \
  --name "bareMetalMachineKeySetName" \
  --expiration "2023-12-31T23:59:59.008Z" \
  --user-list '[{"description":"Need access to troubleshoot as part of the support team","azureUserName":"userABC","sshPublicKey":{"keyData":"<userABC SSH public key>"}},{"description":"Need access to troubleshoot as part of the support team","azureUserName":"<SecondUserName>","sshPublicKey":{"keyData":"<second user SSH public key>"}}]' \
  --cluster-name "clusterName" \
  --resource-group "resourceGroupName"

List bare metal machine keysets

The `baremetalmachinekeyset list` command allows users to see the existing keyset groups in a cluster.

The command syntax is:

az networkcloud cluster baremetalmachinekeyset list \
  --cluster-name <ClusterName> \
  --resource-group <ResourceGroupName>

List arguments

  • --cluster-name [Required] : The name of the cluster.
  • --resource-group -g [Required] : Resource group name. Optional if the default group is configured using `az configure --defaults group=<name>`.

Show bare metal machine keysets

The `baremetalmachinekeyset show` command allows users to see the details of an existing keyset group in a cluster.

The command syntax is:

az networkcloud cluster baremetalmachinekeyset show \
  --name <BareMetalMachineKeySetName> \
  --cluster-name <ClusterName> \
  --resource-group <ResourceGroupName>

Show arguments

  • --bare-metal-machine-key-set-name --name -n [Required] : The name of the bare metal machine keyset.
  • --cluster-name [Required] : The name of the cluster.
  • --resource-group -g [Required] : Resource group name. You can configure the default group using `az configure --defaults group=<name>`.

Article information

Author: Carmelo Roob

Last Updated: 06/03/2023
