Before deploying Fleet Command, initial configuration is required in the following areas: the physical edge site, the Fleet Command user interface, and the NGC account. The following sections cover each of these areas in detail.
In addition to Fleet Command security features, users are also responsible for the physical and network security at the facility where the systems are deployed. Security recommendations include:
The system is physically protected from unauthorized access.
The BMC interface is currently not required for Fleet Command operation; this interface may stay disconnected. If BMC is desired, you should connect the BMC interface to a secure management network.
Refer to your corporate policy before completing the steps below.
The system is hosted on a secure network. All internet originating connections should be blocked.
Follow the steps below to prepare your edge sites when deploying Fleet Command on a system.
Ensure outbound connections are allowed via TLS 443.
You can perform this test from any device on the target network by visiting WebSockets. Verify that the web sockets tests pass, and the “HTTP Proxy” value is “No” in your environment.
Ensure that each system is assigned and reserved an IP that does not change during operation. This requirement applies to locations version 1.0.7 or below.
A DHCP reservation creates a “static” IP address assignment that is centrally managed and does not require documenting the IP address manually.
Ensure the system has access to a DNS server.
If you have multiple network interfaces, you have an option to choose the right network interface.
If you plan to add a Proxy to the edge system, you will need to add an HTTP Proxy address.
Ensure the system has access to one or more NTP servers.
time1.google.com
time2.google.com
time3.google.com
time4.google.com
time.cloudflare.com
Locations that have interconnected systems must be on the same network.
Interconnected systems refers to multiple systems at the same Location.
Ensure the system has access to the following servers:
Fleet Command Provisioning Service (EPS): https://eps.egx.nvidia.com
Fleet Command Manager Service (EMS): https://egxdefault.egx.nvidia.com (<customer_name>.egx.nvidia.com)
Fleet Command Token Service (ETS): https://ets.egxdefault.egx.nvidia.com (ets.<customer_name>.egx.nvidia.com)
NGC Registry: https://nvcr.io
The servers listed above are not an exhaustive list. You may need to add servers such as those routed to CDNs (cloudfront.net, weave.works).
To get the customer name, you can reach out to enterprisesupport@nvidia.com.
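A preflight check for the network prerequisites above, as an added example (not NVIDIA tooling or code from this guide): it confirms DNS resolution and a certificate-validated TLS handshake on port 443 for each listed Fleet Command host, and that at least one listed NTP server answers. The function names and the 5-second skew threshold are assumptions made for this example, and it does not replace the WebSockets test.

```python
import socket, ssl, struct, time

# Hosts and NTP servers are the ones listed in this guide; swap the
# "egxdefault" names for your <customer_name> hosts where applicable.
ENDPOINTS = ["eps.egx.nvidia.com", "egxdefault.egx.nvidia.com",
             "ets.egxdefault.egx.nvidia.com", "nvcr.io"]
NTP_SERVERS = ["time1.google.com", "time.cloudflare.com"]
NTP_EPOCH_DELTA = 2208988800  # seconds between 1900 (NTP) and 1970 (Unix)

def probe_tls(host, port=443, timeout=5.0):
    """DNS lookup, TCP connect and verified TLS handshake; error text or None."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except OSError as exc:  # covers DNS failure, timeout, refused, TLS errors
        return f"{type(exc).__name__}: {exc}"

def ntp_unix_time(reply):
    """Server transmit time (Unix seconds) from a 48-byte SNTP reply."""
    if len(reply) < 48 or (reply[0] & 0x07) != 4:  # mode 4 = server
        raise ValueError("not an NTP server reply")
    seconds, fraction = struct.unpack("!II", reply[40:48])
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def probe_ntp(server, timeout=5.0, max_skew=5.0):
    """Query one NTP server on UDP 123; max_skew is an assumed threshold."""
    request = b"\x23" + 47 * b"\0"  # LI=0, version 4, mode 3 (client)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(request, (server, 123))
            skew = abs(ntp_unix_time(s.recvfrom(512)[0]) - time.time())
    except (OSError, ValueError) as exc:
        return f"{type(exc).__name__}: {exc}"
    return None if skew <= max_skew else f"clock skew {skew:.1f}s"

def preflight(endpoints=ENDPOINTS, ntp_servers=NTP_SERVERS, tls=probe_tls, ntp=probe_ntp):
    """Return {target: error}; an empty dict means every check passed."""
    failures = {h: e for h in endpoints if (e := tls(h))}
    ntp_errors = {s: ntp(s) for s in ntp_servers}
    if all(ntp_errors.values()):  # only a failure if no NTP server answered
        failures.update(ntp_errors)
    return failures

if __name__ == "__main__":
    for target, error in preflight().items():
        print(f"FAIL {target}: {error}")
```

Run it from a device on the target network; no output means every check passed.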
Fleet Command requires the use of NVIDIA-Certified Systems at edge sites. A comprehensive list of all NVIDIA-Certified Systems is available in the Qualified Systems Catalog. Select the appropriate Category, Workload, System Class and NVIDIA-Certified type for your use case.
The requirements for using NVIDIA-Certified Systems with Fleet Command are:
The systems must be from the Data Center, Industrial Edge, Enterprise Edge, or NVIDIA AI Enterprise Compatible categories.
The systems must include TPM 2.0, SHA-256, and support Secure Boot.

Refer to the NVIDIA-Certified Configuration Guide for detailed system specifications separate from the above requirements.
Once you have an NVIDIA-Certified System, follow the BIOS setup recommendations listed below.
TPM 2.0 with SHA-256 : Enabled
Important: The TPM module should be cleared and unowned before provisioning the system. Reset the TPM module if a prior operating system has been installed.
Secure Boot : Enabled
For some GPUs and workloads, additional configuration settings such as the values below may be required. For more information, refer to the system configuration recommendations for your NVIDIA-Certified System.
Configuration | Setting
---|---
64-bit MMIO/Above 4G Decoding | Enabled
SR-IOV | Enabled
IOMMU | Enabled
CPU Virtualization/VT | Disabled
ECC Memory (if applicable) | Enabled
Hyper-Threading | Enabled
Power Setting or System Profile | High Performance
CPU Performance (if applicable) | Enterprise or High-Throughput
NGC is NVIDIA’s AI hub that provides access to Fleet Command and to the private registry, which is used for hosting applications.
To get started with Fleet Command, you will need to log in to your NGC account.
This User Guide assumes that an NGC account has already been provisioned, and admin access for the organization has been granted.
For basic NGC setup and instructions, refer to the NGC Overview Documentation.
Once you have your first NGC Fleet Command Admin account, you will need to assign roles to your organization’s users. The table below lists the different roles and their capabilities.
Roles | Locations | Applications | Deployments | Dashboards
---|---|---|---|---
Fleet Command Admin | Read, Write, Admin | Read, Write, Admin | Read, Write, Admin | Read
Fleet Command Operator | Read | Read, Write, Admin | Read, Write, Admin | Read
Fleet Command Viewer | Read | Read | Read | Read
In addition to these roles, three additional roles only apply to your NGC Private Registry access management:
User Admin: This user can invite other user admins within an organization. This user cannot download/upload, push/pull, delete, or add/remove users at an org level.
Registry User: This user can download, upload, push/pull artifacts within an organization.
Registry Read: This user can download and pull artifacts within an organization.
For more information about managing users and teams, refer to the NGC User Management Guide.
By default, Fleet Command allows you to deploy applications from NGC Catalog and your NGC Private Registry. To access applications in your private registry from Fleet Command, you will need to sync your private registry to Fleet Command using an NGC API Key that provides authenticated access.
The following instructions assume that you do not see an API Key added on the Fleet Command Applications page, and you need to add it.
For security and control purposes, Fleet Command recommends authenticating this access as a user with the Registry Read role rather than from an admin or other user account. You may want to set up an additional user and email address for this role.
If necessary, log in to NGC to get an API key for the NGC Registry. Click the user account icon in the top right corner, and select Setup. Click Get API Key to open the Setup > API Key page.
Add the API key to Fleet Command user interface by navigating to the Applications page and clicking Add API Key on the top right corner of the page.
You will then be prompted to add an API key.
Click add to complete the process.
Note: Paste your API key into the API Key field shown above.
Once the API key has been added, Fleet Command syncs the applications in your NGC private registry and can pull them during application deployment.
Changing Your API Key
If you have forgotten or lost your API Key, you can create a new one at any time through the NVIDIA NGC portal. When you generate a new API key, the old one is invalidated. Applications deployed with the old API key will keep running but could fail if the API key loses access during a new deployment.
If you’re using ImagePullSecret in your application, a new API key will be updated on the edge system by default. For more information about adding ImagePullSecret to your application, refer to ImagePullSecret for container configuration.