Orch CLI User Guide#
The orch-cli tool is a binary executable that provides a command-line interface for managing the orchestration of edge infrastructure. It allows users to perform various tasks related to the deployment and management of edge devices and services.
Download#
Ensure that you have oras available on your system or follow the instructions in the
oras documentation to install it.
The tool is made available in the public AWS* Elastic Container Registry. It can be pulled without any credentials using commands like below:
oras pull registry-rs.edgeorchestration.intel.com/edge-orch/files/orch-cli:v2026.1.0
The package will be an archive which needs to be unpacked to access the binary named orch-cli. Together with the binary as part of the archive the source code and the package signatures are downloaded.
tar xf orch-cli-package.tar.gz
The orch-cli binary can be verified using the cosign software and the provided public key and signature files.
cosign verify-blob \
--bundle "cosign.bundle.json" \
--certificate-identity-regexp "https://github.com/open-edge-platform/.*/.*/.*\\.yml@.*" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
orch-cli
To install the binary on Linux system copy the file to an install path (/usr/local/bin or equivalent):
cp orch-cli /usr/local/bin
Building from source#
The orch-cli binary can be build from source. The source code is available in the orch-cli GitHub repository To build the binary from source run the make target from top level directory:
make build
The binary will be available at ./build/_output/orch-cli, it can be installed on a Linux system using:
make install
Endpoint and project configuration#
The orch-cli is expected to communicate with an edge orchestrator’s exposed endpoints. The endpoints can be provided during each command run with –project and –api-endpoint flags or pre-set to be used seamlessly across command usage. To configure for project and endpoint to be used automatically with every command run the config command:
./orch-cli config set api-endpoint https://api.<CLUSTER_FQDN>
./orch-cli config set project <PROJECT>
The orch-cli configuration file can be found at ~/.orch-cli/orch-cli.yaml
User management#
The orch-cli supports the common IAM bootstrap tasks for local Keycloak
users.
The current CLI supports:
list usersandget userincluding optional group and realm-role outputcreate useranddelete userset userfor password updates, group membership changes, and realm-role assignment or removallist groupsorganization and project management commands
For the step-by-step workflow, see Configure IAM and multi tenancy using CLI (Optional).
Advanced Keycloak administration such as external identity providers, realm customization, or direct client management still requires the Keycloak UI or Keycloak’s kcadm Admin CLI.
Note
Certain modular deployments/workflows of Edge Manageability Framework or it’s components may not include support for multitenancy - in those cases a default user/tenant is created and configuring user management may not be needed.
Authentication#
The orch-cli authenticates with the edge orchestrator by logging in to the orchestrator and obtaining a JWT token for further communication. The JWT token is cached locally after logging in and valid for one hour. The network communication happens over HTTPS using TLS v1.3 and JWT token. The token is removed on logout. User must logout and login after token expiry.
The keycloak service endpoint for containing the CLUSTER_FQDN of a given edge orchestrator must be provided during login - this is automatically done if the api-endpoint was provided as per Endpoint and project configuration - otherwise add –keycloak https://keycloak.<CLUSTER_FQDN>/realms/master to below commands.
There are two login methods available:
- Interactive shell - The default way to authenticate with Edge Orchestrator is to log in by providing username as first argument and using an interactive prompt.
The prompt will ask for password. This is the recommended way to log in. .. code-block:: bash
./orch-cli login <USER> Enter Password:
Password argument - Alternatively the password can be provided as a second command line argument - the recommended way is to use prompt based login above. When using this method, be cautious as the password may be exposed in the command line history. If using this method exporting the password as an environment variable is recommended.
./orch-cli login <USER> <PASSWORD>
Autocompletion#
The orch-cli supports autocompletion for the CLI commands. To enable autocompletion in bash shell create the completion file and reload the terminal:
./orch-cli completion bash | sudo tee /etc/bash_completion.d/orch-cli source ~/.bashrc
Running commands#
Generally the orch-cli commands follow this pattern for execution:
./orch-cli <verb> <noun> <subject(s)> --<options>
The endpoint and the project must be specified for most commands - this is automatically done if the api-endpoint and project was provided as per Endpoint and project configuration - otherwise add below to commands:
--api-endpoint https://api.<CLUSTER_FQDN>
--project <PROJECT_NAME>
For the list commands the –verbose flag can be used to include additional information in the output.
The orch-cli supports advanced filtering, sorting, and templating of the output of the commands. For more information see the Orch CLI advanced usage document.
Note that some of the get and delete commands support usage of both resource ID or resource name as the subject field. Due to the fact that some resources do not have unique names the usage of resource name may fail and prompt the user to select and provide the precise resource ID instead.
Dynamic EMF feature support within CLI#
The orch-cli tool supports dynamic feature detection based on the connected Edge Orchestrator’s capabilities exposed by the Edge Orchestrator’s Component Status service. When a command is executed the tool queries the orchestrator for supported features and only presents the commands that are supported. This allows the same tool to be used across different versions and deployments of Edge Orchestrator without compatibility issues.
Note
For the dynamic feature detection to work the Edge Orchestrator must have the “Component Status” service enabled and accessible. Previous versions of Edge Orchestrator may not have this service available - in those cases the tool will assume all features are supported.
Currently the CLI dynamically enables/disables groups of commands based on the following features criteria:
Multitenancy support - organization and project management commands.
Host onboarding support - host onboarding commands.
Host provisioning support - commands for management of resources related to provisioned Edge Nodes and creation of an instance during provisioning.
Out-of-band (OOB) support - AMT profile management commands and AMT/vPRO related features for host management.
Day 2 OS Update support - day 2 OS update commands and commands for creating associated resources.
Cluster management support - cluster management commands.
Application management support - application management commands.
OXM support - standalone Edge Node config commands.
To get the current version of the CLI and the connected Edge Orchestrator run the following command:
./orch-cli version
To get the list of supported features of the connected Edge Orchestrator run the following command:
./orch-cli list features
Note
It is possible to override the dynamic feature detection for debugging or experimental purposes - for more information see: Overriding dynamic feature detection
Organization Management#
Edge Orchestrator offers a two-level tenancy structure, with organizations that can contain one or more projects. To create an organization the orch-cli user must be part of the “Org Admin Group”. See Configure Multi-Tenancy
To create an organization run the create command, –description is an optional field.
./orch-cli create organization myorg --description "myorg"
To list organizations run the list command.
./orch-cli list organizations
To get information about specific organization run the get command.
./orch-cli get organization myorg
To delete an organization run the delete command.
./orch-cli delete organization myorg
Note
Certain modular deployments/workflows of Edge Manageability Framework or it’s components may not include support for multitenancy - in those cases a default organization is created and configuring it is not needed.
Project Management#
To create a project the orch-cli user must be associated with the organization group. See Configure Multi-Tenancy
To create a project run the create command, –description is an optional field.
./orch-cli create project myproject --description "myproject"
To list project run the list command.
./orch-cli list project
To get information about specific project run the get command.
./orch-cli get project myproject
To delete a project run the delete command.
./orch-cli delete project myproject
Note
Certain modular deployments/workflows of Edge Manageability Framework or it’s components may not include support for multitenancy - in those cases a default organization is created and configuring it is not needed.
Local SSH Account Management#
The orch-cli supports adding public SSH keys that can be later used for accessing EN.
To create a local account containing the key run the create command, specify the name of the user/key and the path to the key.
./orch-cli create sshkey mysshkey /path/to/publickey.pub
To list the local SSH accounts run the list command.
./orch-cli list sshkey
To get specific information about local SSH keys run the get command.
./orch-cli get sshkey mysshkey
To delete a local SSH key run the delete command.
./orch-cli delete sshkey mysshkey
OS Profile Management#
The tool allows for management of OS profiles. For an example of a valid OS profile see the infra-core repo.
To create an OS profile run the create command with a path to a valid OS profile YAML file.
./orch-cli create osprofile newosprofile.yaml
To list OS profiles run the list command.
./orch-cli list osprofile
To get individual OS profile details run the get command.
./orch-cli get osprofile <OS_PROFILE_NAME>
To delete OS profiles run the delete command.
./orch-cli delete osprofile <OS_PROFILE_NAME>
Region Management#
Regions must be created in order to create a site and in turn associate edge node with a site. To manage the regions the following commands are provided.
To create a region run the create command with a region name as an argument and –type flag, additionally optional –parent-region flag can be provided to create a sub-region. Accepted region types are country/state/county/region/city.
./orch-cli create region <NAME> --type <TYPE>
./orch-cli create region <NAME> --type <TYPE> --parent-region <REGION_ID or REGION_NAME>
To list all regions and their associated sites run list command. –region flag provides for listing specific region level.
./orch-cli list region
To get information about specific region run the get command.
./orch-cli get region <REGION_ID or REGION_NAME>
To delete a region run the delete command.
./orch-cli delete region <REGION_ID or REGION_NAME>
Site Management#
Sites must be created and allocated to regions in order to provision edge nodes. To manage sites the following commands are provided.
To create a site run the create command with a site name as an argument and –region flag to specify the region. Optional –longitude and –latitude flags can be provided to specify the site’s location.
./orch-cli create site <NAME> --region <REGION_ID or REGION_NAME>
To list all sites and their associated regions run the list command.
./orch-cli list site
To get information about specific site run the get command.
./orch-cli get site <SITE_ID or SITE_NAME>
To delete a site run the delete command.
./orch-cli delete site <SITE_ID or SITE_NAME>
Custom Cloud Init Management#
An optional custom cloud init can be created and used by the edge node during provisioning. To create this custom configuration a path to a valid cloud init YAML file must be provided.
For more information on the custom cloud init feature see: Custom Configuration
To create this custom configuration run create command.
./orch-cli create customconfig <NAME> <PATH> --file <PATH_TO_CLOUD_INIT_YAML>
To list all custom configurations run the list command.
./orch-cli list customconfig
To get information about specific custom configuration run the get command.
./orch-cli get customconfig <NAME>
To delete a custom configuration run the delete command.
./orch-cli delete customconfig <NAME>
Host Management#
The host management functionality of the orch-cli allows for onboarding, provisioning and managing host machines. The creation of a host takes care of registering and associating the host with the appropriate resource automatically. It allows for registration of edge nodes in bulk. For details on how to prepare the input .csv file and advanced options to create the hosts see: Register Edge Nodes in Edge Manageability Framework
Note
In EMF deployments where the EIM’s provisioning feature is disabled the host creation command will allow for registration and onboarding of the edge nodes without an association to the OS Profile and Site. Provisioning of an OS will not happen and it is expected that the OS on the Edge Node and deployment of necessary agents is done by the user.
To create a host in bulk mode run the create command with the –import-from-csv flag pointing to .csv filepath.
./orch-cli create host --import-from-csv <PATH_TO_CSV_FILE>
To create a single host run the create command with required flags for hostname, site, and os profile along with optional flags for additional configuration.
./orch-cli create host <HOST_NAME> --serial <SERIAL_NUMBER> --uuid <UUID> --os-profile <OS_PROFILE ID or NAME> --site <SITE ID or NAME>
To list all hosts run the list command.
./orch-cli list host
To get a specific host run get command.
./orch-cli get host <HOST_ID or HOST_NAME>
Note
In EMF deployments where the EIM’s provisioning feature is disabled the “list” and “get” commands will print a simplified output.
To delete a specific host run the delete command.
./orch-cli delete host <HOST_ID or HOST_NAME>
AMT/vPRO Management on a Host#
For more information on AMT/vPRO management features see: Intel® vPro® Power Management
The orch-cli provides a set of commands for managing AMT/vPRO-enabled devices. These commands allow users to perform various operations such as powering on/off, restarting, and configuring AMT settings on the devices.
To activate/deactivate AMT on a host run the activation command.
./orch-cli set host <HOST_ID or HOST_NAME> --amt-state provisioned|unprovisioned
The activation/deactivation can also be done in bulk with a .csv file as an input. To generate file, with current AMT state of hosts for bulk activation/deactivation run the following command.
./orch-cli set host --generate-csv test.csv
Once the file is generated edit the “AMTState” column to the desired state (provisioned or unprovisioned) and then run the command to execute the changes.
./orch-cli set host --import-from-csv test.csv
To power on/off or restart an AMT-enabled host run the power command. Note that power policy commands will not take effect on hosts with deactivated AMT.
./orch-cli set host <HOST_ID or HOST_NAME> --power on|off|restart
To change the power policy of an AMT-enabled host run the power-policy command.
./orch-cli set host <HOST_ID or HOST_NAME> --power-policy immediate|ordered
To set a desired control mode for AMT run the control mode command.
./orch-cli set host <HOST_ID or HOST_NAME> --control-mode admin|client
Note that the control mode changes can also be done in bulk with a .csv file as an input, similar to/along the AMT activation/deactivation process described above.
AMT Policy Management#
AMT domain profiles are necessary components for managing AMT-enabled devices. They define the configuration and policies applied to these devices during provisioning and operation.
To create an AMT domain profile run the create command. User will be prompted for certificate password.
./orch-cli create amtprofile <NAME> --cert <PATH_TO_CERTIFICATE> --cert-format <CERT_FORMAT> --domain-suffix <DOMAIN>
To list all AMT domain profiles run the list command.
./orch-cli list amtprofile
To get information about a specific AMT domain profile run the get command.
./orch-cli get amtprofile <NAME>
To delete an AMT domain profile run the delete command.
./orch-cli delete amtprofile <NAME>
KVM and SOL Session Management#
The orch-cli supports starting and stopping KVM (Keyboard, Video, Mouse) and SOL (Serial Over LAN) remote sessions on AMT/vPRO-enabled Edge Nodes. These features require the OOB (out-of-band) support to be enabled on the connected Edge Nodes.
Building the Binary#
SOL sessions use the standard orch-cli binary and do not require any additional build steps. Build and install the binary as described in Building from source:
make build
make install
KVM sessions require a special build that embeds the KVM Viewer Angular UI as static assets
into the orch-cli binary. The KVM Viewer UI source is located in ui/kvm-viewer/ of the
orch-cli repository.
Refer to ui/kvm-viewer/README.md in that repository for details on the Angular application.
Prerequisites for the KVM build
Node.js v22.22.3 (x64) must be installed before building. Install it using nvm or your preferred Node version manager:
nvm install 22.22.3
nvm use 22.22.3
Verify the active version:
node --version
# v22.22.3
KVM build and install
Once Node.js v22.22.3 is active, run the build-kvm target from the top-level directory of the
orch-cli repository. This first compiles the KVM Viewer Angular UI (build-kvm-ui), embeds the
resulting static files into the binary, and then produces a KVM-enabled orch-cli binary:
make build-kvm
To install the resulting KVM-enabled binary to /usr/local/bin:
make install
The KVM-enabled binary supports all standard orch-cli commands in addition to the KVM session
management commands. The standard binary (make build) is sufficient for SOL sessions.
Starting and Stopping a KVM Session#
CCM mode (Client Control Mode) — no AMT password is required. Start the KVM session directly:
./orch-cli set host <HOST_ID or HOST_NAME> --session-type kvm --session-state start --orch-ca orch-ca.crt
ACM mode (Admin Control Mode) — the AMT password must be exported before starting the session. Use the password that was set during deployment time in edge-out-of-band-manageability/post-orch/post-orch.env:
export AMT_PASSWORD="<AMT_PASSWORD>"
./orch-cli set host <HOST_ID or HOST_NAME> --session-type kvm --session-state start --orch-ca orch-ca.crt
The --orch-ca flag must point to the cluster CA certificate file (orch-ca.crt).
To stop a running KVM session (both CCM and ACM modes):
./orch-cli set host <HOST_ID or HOST_NAME> --session-type kvm --session-state stop
Alternatively, the KVM session can be stopped by clicking the Disconnect button in the KVM Viewer Angular browser application.
Starting and Stopping a SOL Session#
CCM mode — no AMT password is required:
./orch-cli set host <HOST_ID or HOST_NAME> --session-type sol --session-state start --orch-ca orch-ca.crt
ACM mode — export the AMT password from post-orch.env before starting:
export AMT_PASSWORD="<AMT_PASSWORD>"
./orch-cli set host <HOST_ID or HOST_NAME> --session-type sol --session-state start --orch-ca orch-ca.crt
To stop a running SOL session (both CCM and ACM modes):
./orch-cli set host <HOST_ID or HOST_NAME> --session-type sol --session-state stop
Checking KVM and SOL Session Status#
Use the get host command to inspect the current KVM and SOL session state of a host. The
output includes the current state, desired state, session status, and overall KVM/SOL status
fields:
./orch-cli get host <HOST_ID or HOST_NAME>
The relevant fields in the output are:
KVM Current State — the active KVM session state reported by the device.
KVM Desired State — the requested KVM session state.
KVM Session Status — the status of the KVM session negotiation.
KVM Status — overall KVM availability status.
SOL Current State — the active SOL session state reported by the device.
SOL Desired State — the requested SOL session state.
SOL Session Status — the status of the SOL session negotiation.
Note
The --session-type flag accepts kvm or sol.
The --session-state flag accepts start or stop.
In ACM mode, AMT_PASSWORD must be exported before running the start command. The
password is the one configured in
edge-out-of-band-manageability/post-orch/post-orch.env
at deployment time. CCM mode does not require a password.
Cluster Template Management#
The orch-cli can be used to list available cluster templates. To list the templates use the list command.
./orch-cli list clustertemplates
To get more detailed view and content of the template in JSON format run the list command with verbose option.
./orch-cli list clustertemplates -v
Cluster Management#
A single node K3s cluster can be deployed to an onboarded/provisioned host using the orch-cli.
To create a cluster with a default template and all roles run the create command –nodes <hostID or UUID>:<role> flag requires the ENs UUID or the host resource ID and the expected roles (all = etcd,control plane,worker roles).
./orch-cli create cluster cli-cluster --nodes <HOST UUID or NAME or ID>:all
To create a cluster with specific template and specific labels use the following create command:
./orch-cli create cluster cli-cluster --nodes <HOST UUID or NAME or ID>:all --labels sample-label=samplevalue,another-label=another-value
To list clusters use the list command.
./orch-cli list clusters
To get information about a specific cluster use the get command.
./orch-cli get cluster mycluster
To delete a specific cluster use the delete command.
./orch-cli delete cluster mycluster
OS Update Policy Management#
OS Update Policies are used to define how an update should be performed on an Edge Node. For detailed steps on how to effectively use the OS Update Policies see the Day 2 updates document.
To create an OS Update Policy use the create command. A path to a policy definition must be provided.
./orch-cli create osupdatepolicy path/to/osupdatepolicy.yaml
To list OS Update Policies run the list command:
./orch-cli list osupdatepolicy
To get information about a specific OS Update Policy run the get command with the policy’s resource ID as an input.
./orch-cli get osupdatepolicy <POLICY_ID or POLICY_NAME>
To delete an OS Update Policy run the delete command.
./orch-cli delete osupdatepolicy <POLICY_ID or POLICY_NAME>
To associate a policy with an Edge Node to be used during a scheduled update run the “set host <host-id>” command.
./orch-cli set host <HOST_ID or HOST_NAME> --osupdatepolicy <POLICY_ID or POLICY_NAME>
Schedule Management#
The orch-cli supports schedule of maintenance window for either general maintenance or OS Update of the Edge Nodes. The schedules can be a one off or repeated cron jobs either by day of a week or day of a month for specified months. The schedules can target a specific Edge Node, a whole Site, or a whole Region.
To create a repeated OS Update schedule use the create command.
./orch-cli create schedules my-schedule --timezone GMT --frequency-type repeated --maintenance-type osupdate --target <TARGET_ID or TARGET_NAME> --frequency weekly --start-time "10:10" --day-of-week "1-3,5" --months "2,4,7-8" --duration 3600
To create a single maintenance schedule use the create command.
./orch-cli create schedules my-schedule --timezone GMT --frequency-type single --maintenance-type maintenance --target <TARGET_ID or TARGET_NAME> --start-time "2026-12-01 20:20" --end-time "2027-12-01 20:20"
See –help on how to create other combinations for schedule.
To list schedules run the list command.
./orch-cli list schedules
To get details of a specific schedule run the get command.
./orch-cli get schedule <SCHEDULE_ID or SCHEDULE_NAME>
To edit an existing single schedule run the set command.
./orch-cli set schedules <SCHEDULE_ID or SCHEDULE_NAME> --timezone GMT --maintenance-type osupdate --start-time "2026-02-02 10:10" --end-time "2026-02-02 10:10"
To edit an existing repeated schedule run the set command.
./orch-cli set schedules <SCHEDULE_ID or SCHEDULE_NAME> --timezone GMT --maintenance-type osupdate --frequency weekly --start-time "10:10" --day-of-week "1-3,5" --months "2,4,7-8" --duration 3600
See –help on how to set other combinations for schedule.
To delete a schedule run the delete command.
./orch-cli delete schedule <SCHEDULE_ID or SCHEDULE_NAME>
OS Update Run Management#
After a scheduled maintenance window is completed an OS Update Run resource is created.
To list OS Update Runs run the list command.
./orch-cli list osupdaterun
To get specific OS Update Run information run the get command.
./orch-cli get osupdaterun <RUN_ID or RUN_NAME>
To delete an OS Update Run run the delete command.
./orch-cli delete osupdaterun <RUN_ID or RUN_NAME>
One-click Host Update#
The orch-cli provides a simplified procedure for one off OS Updates of host OS to be run via a single command. Executing the update-os on a host will result in a near immediate schedule of a single, open ended OS Update for a host. The update can be performed on an single host or a bulk of host with .csv file as an input.
To update a single host with an already assigned OS Update Policy.
./orch-cli update-os host <HOST_ID or HOST_NAME>
To update a single host and assign a new OS Update Policy.
./orch-cli update-os host <HOST_ID or HOST_NAME> --osupdatepolicy <OSUPDATEPOLICY_ID or OSUPDATEPOLICY_NAME>
To generate a blank file for bulk update of hosts.
./orch-cli update-os host --generate-csv test.csv
To generate a file for bulk update of hosts which includes a number of existing hosts and their OS Update Policies based on a required filter. To establish available filters see:
orch-cli update-os host --generate-csv test.csv --filter=<filter>
To generate a file for bulk update of hosts which includes a number of existing hosts and their OS Update Policies based on a required site or region. Note –site and –region flags are mutually exclusive, either can be used with conjunction of –filter flag.
orch-cli update-os host --generate-csv test.csv --site <SITE_ID or SITE_NAME>
orch-cli update-os host --generate-csv test.csv --region <REGION_ID or REGION_NAME>
The required input .csv file should be of following format to execute the update.
Name - Name of the machine - mandatory field
ResourceID - Unique Identifier of host - mandatory field
OSUpdatePolicy - Desired update policy - optional field - currently set policy for the host will be used if not provided
Name,ResourceID,OSUpdatePolicy
host-1,host-1234abcd,osupdatepolicy-1234abcd
host-2,host-2234abcd
host-3,host-3234abcd,osupdatepolicy-1234abcd
To execute bulk OS Update on multiple hosts
orch-cli update-os host --import-from-csv test.csv
To view existing OS Update schedules
orch-cli list schedules -v
Help#
For help with any of the commands run the command with –help.
Additional commands#
The application level CLI commands are covered under this CLI guide.
See “./orch-cli <verb> <noun> –help” for current usage and capabilities of these commands.
Overriding dynamic feature detection#
The dynamic feature detection can be overridden temporarily for debug or experimental purposes by overriding the viper configuration which stores the detected features. The viper configuration file is located at ~/.orch-cli/orch-cli.yaml
To override and unlock or lock the execution of commands and their subsequent API calls edit the file directly or run the following commands and set the feature to true or false as an example:
# To unlock application orchestration commands
orch-cli config set orchestrator.features.application-orchestration.installed true
# To lock cluster orchestration commands
orch-cli config set orchestrator.features.cluster-orchestration.installed false
# To lock multitenancy commands
orch-cli config set orchestrator.features.multitenancy.installed false
# To unlock the EIM onboarding commands
orch-cli config set orchestrator.features.edge-infrastructure-manager.onboarding.installed true
# To unlock the EIM provisioning commands
orch-cli config set orchestrator.features.edge-infrastructure-manager.provisioning.installed true
# To unlock the EIM Day2 updates commands
orch-cli config set orchestrator.features.edge-infrastructure-manager.day2.installed true
# To lock the EIM OOB commands
orch-cli config set orchestrator.features.edge-infrastructure-manager.oob.installed false
# To lock the EIM OXM commands
orch-cli config set orchestrator.features.edge-infrastructure-manager.oxm-profile.installed false
The overridden configuration will persist until a login or a logout command is run - which will reset the configuration to the dynamically detected features/defaults (on login) or disable all configurations (on logout). Note that overriding the features in this way does not change the actual capabilities of the connected Edge Orchestrator - attempting to run commands that are not supported by the Edge Orchestrator will result in error responses.