
Nutanix — acli (Command Line)

Deploy the RTA using acli — Nutanix's Acropolis CLI, available on any Controller VM (CVM) in the cluster. SSH to a CVM and run acli to enter the interactive shell, or prefix each command with acli on the shell prompt.

Before you start

Review the Nutanix overview. You will need:

  • SSH access to a CVM (typically nutanix@<cvm-ip>, password from your Nutanix administrator)
  • The two QCOW2 disk URLs — root (<ROOT_URL>) and cidata (<CIDATA_URL>) — provided by your engagement lead
  • A storage container name (<CONTAINER> — ask your administrator, e.g. default)
  • A network/VLAN name (<NETWORK>) with L2 access to the engagement targets

1. Upload both images

Create one image for the root disk and one for the cidata seed disk:

acli image.create rta-root \
  source_url=<ROOT_URL> \
  image_type=kDiskImage \
  container=<CONTAINER>

acli image.create rta-cidata \
  source_url=<CIDATA_URL> \
  image_type=kDiskImage \
  container=<CONTAINER>

image_type=kDiskImage tells the Image Service these are bootable disk images (as opposed to ISOs). Nutanix accepts QCOW2 natively without conversion.

The imports run asynchronously. Wait for both to complete before continuing:

acli image.list

Each image is ready when its state shows kComplete. This may take several minutes depending on image size and network speed.

File upload instead of URL

If you have the QCOW2 files locally rather than URLs, upload them through the Prism Image Configuration UI (see the GUI guide) and then continue from step 2 below — acli image.create requires a URL source.

2. Create the VM

acli vm.create rta \
  num_vcpus=4 \
  num_cores_per_vcpu=1 \
  memory=8G \
  uefi_boot=true

uefi_boot=true is required — the default is Legacy BIOS

Without uefi_boot=true, acli vm.create produces a Legacy BIOS VM. The RTA image will not boot on Legacy BIOS. This is the single most common mistake on Nutanix.

Do not enable Secure Boot

Secure Boot requires the Q35 machine type and a signed bootloader, and the RTA bootloader is unsigned. The default (no secure_boot=true on the command line) leaves Secure Boot off, which is what you want. Do not add it.

3. Add both disks

Clone the root image as the boot disk, then clone the cidata image as a second disk:

acli vm.disk_create rta \
  clone_from_image=rta-root \
  bus=scsi

acli vm.disk_create rta \
  clone_from_image=rta-cidata \
  bus=scsi

This creates a 40 GiB SCSI boot disk and a small SCSI cidata disk, each backed by a clone of its image. The source images are not modified.

Attach both disks — the cidata disk carries the appliance identity

Without the cidata seed disk the appliance has no engagement identity and will not register.

4. Attach the network interface

acli vm.nic_create rta \
  network=<NETWORK>

Replace <NETWORK> with the VLAN or network name that has Layer-2 adjacency to the engagement targets and outbound internet access. Your Nutanix administrator can confirm the correct network name.

5. Power on

acli vm.on rta

Verify

acli vm.list
acli vm.get rta

Confirm the VM shows as on and that uefi_boot is True in the output of vm.get. Then open the Prism console to see the boot output:

Select the VM in Prism → Launch Console.

The appliance is customized for your engagement (the cidata disk carries its identity), so it boots already registered and connects to the Sophos headend automatically — there is no activation step. The console shows a live status and troubleshooting dashboard (network, VPN tunnel, connectivity). You do not normally need to log in.

Default admin user

The local admin account is swag. Credentials are provided separately by your engagement lead if console or SSH access is required.

Full sequence (copy-paste reference)

# Placeholders — fill these in before running
ROOT_URL="<ROOT_URL>"
CIDATA_URL="<CIDATA_URL>"
CONTAINER="<CONTAINER>"
NETWORK="<NETWORK>"

acli image.create rta-root \
  source_url=${ROOT_URL} \
  image_type=kDiskImage \
  container=${CONTAINER}

acli image.create rta-cidata \
  source_url=${CIDATA_URL} \
  image_type=kDiskImage \
  container=${CONTAINER}

# Wait for both images to reach kComplete state
acli image.list

acli vm.create rta \
  num_vcpus=4 \
  num_cores_per_vcpu=1 \
  memory=8G \
  uefi_boot=true

acli vm.disk_create rta \
  clone_from_image=rta-root \
  bus=scsi

acli vm.disk_create rta \
  clone_from_image=rta-cidata \
  bus=scsi

acli vm.nic_create rta \
  network=${NETWORK}

acli vm.on rta
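The copy-paste reference runs the commands blindly, while the text asks you to wait for kComplete and to confirm uefi_boot by eye. The following script is an added example, not part of the RTA documentation and not Nutanix code: it wraps the same acli sequence with a poll on acli image.list and a check on acli vm.get before power-on. Two things are assumptions: that each line of acli image.list carries the image name and its state, and that acli vm.get prints a `uefi_boot: True` line and a `state: "kOn"` line. The sample outputs in the block are constructed to exercise the parsers offline; check both formats against your AOS release before relying on them.

```shell
#!/bin/sh
# Added example, not from the RTA documentation or from Nutanix: the acli
# sequence from this page, wrapped with the two checks the text asks you to
# do by eye (images reach kComplete; the VM really is UEFI before power-on).
# ASSUMPTIONS: (1) each line of `acli image.list` carries the image name and
# its state; (2) `acli vm.get` prints "uefi_boot: True" and "state: \"kOn\""
# lines. Verify both against your AOS release before relying on the parsers.

# Placeholders, as in the copy-paste reference; fill in before running on a CVM
ROOT_URL="${ROOT_URL:-<ROOT_URL>}"
CIDATA_URL="${CIDATA_URL:-<CIDATA_URL>}"
CONTAINER="${CONTAINER:-<CONTAINER>}"
NETWORK="${NETWORK:-<NETWORK>}"

# images_complete LISTING NAME... -> 0 only when every NAME is listed as kComplete
images_complete() {
  listing=$1; shift
  for name in "$@"; do
    printf '%s\n' "$listing" | grep -E "^${name}[[:space:]].*kComplete" >/dev/null || return 1
  done
  return 0
}

# wait_for_images NAME... -> poll acli image.list every 10 s, give up after 30 min
wait_for_images() {
  tries=0
  while [ "$tries" -lt 180 ]; do
    if images_complete "$(acli image.list)" "$@"; then return 0; fi
    tries=$((tries + 1)); sleep 10
  done
  echo "timed out waiting for images: $*" >&2
  return 1
}

# vm_get_is_uefi VM_GET_OUTPUT -> 0 when the VM was created with uefi_boot=true
vm_get_is_uefi() {
  printf '%s\n' "$1" | grep -E '^[[:space:]]*uefi_boot:[[:space:]]*True[[:space:]]*$' >/dev/null
}

# vm_get_state VM_GET_OUTPUT -> prints the power-state token, e.g. kOn or kOff
vm_get_state() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*state:[[:space:]]*"\{0,1\}\(k[A-Za-z]*\)"\{0,1\}.*$/\1/p' | head -n 1
}

# deploy_rta -> steps 1-5 from the page, refusing to power on a Legacy BIOS VM
deploy_rta() {
  acli image.create rta-root source_url="$ROOT_URL" image_type=kDiskImage container="$CONTAINER"
  acli image.create rta-cidata source_url="$CIDATA_URL" image_type=kDiskImage container="$CONTAINER"
  wait_for_images rta-root rta-cidata || return 1
  acli vm.create rta num_vcpus=4 num_cores_per_vcpu=1 memory=8G uefi_boot=true
  acli vm.disk_create rta clone_from_image=rta-root bus=scsi
  acli vm.disk_create rta clone_from_image=rta-cidata bus=scsi
  acli vm.nic_create rta network="$NETWORK"
  vm_get_is_uefi "$(acli vm.get rta)" || {
    echo "rta was created as Legacy BIOS; delete it and recreate with uefi_boot=true" >&2
    return 1
  }
  acli vm.on rta
  vm_get_state "$(acli vm.get rta)"
}

# CONSTRUCTED sample outputs (not real acli output) used to exercise the parsers offline
SAMPLE_IMAGES_PARTIAL='Image name   Image type   Image UUID                             State
rta-root     kDiskImage   11111111-1111-1111-1111-111111111111   kComplete
rta-cidata   kDiskImage   22222222-2222-2222-2222-222222222222   kPending'
SAMPLE_IMAGES_DONE='Image name   Image type   Image UUID                             State
rta-root     kDiskImage   11111111-1111-1111-1111-111111111111   kComplete
rta-cidata   kDiskImage   22222222-2222-2222-2222-222222222222   kComplete'
SAMPLE_VM_GET_UEFI='rta {
  config {
    boot {
      uefi_boot: True
    }
    memory_mb: 8192
    name: "rta"
  }
  state: "kOn"
}'
SAMPLE_VM_GET_BIOS='rta {
  config {
    boot {
      uefi_boot: False
    }
    name: "rta"
  }
  state: "kOff"
}'

# Run the real deployment only when invoked as: sh deploy-rta.sh --deploy
if [ "${1:-}" = "--deploy" ]; then
  deploy_rta
fi
```

The UEFI check runs before acli vm.on on purpose: a VM that was created without uefi_boot=true is easier to delete and recreate than to diagnose from a console that never shows a bootloader. If your AOS release prints the image state or the boot block differently, adjust only the two grep/sed patterns; the acli commands themselves are the ones from this page.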

Nutanix v4 API / newer CLIs

AOS 6.7+ ships a v4 REST API and an updated ntnx CLI (Nutanix CLI v4). The acli commands above work on all current AOS 6.x and AOS 10.x/11.x releases. If your team standardises on the v4 ntnx CLI or REST API, the equivalent operations are in the Nutanix Developer Portal.

Network access

The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.

Allow this outbound destination

  Destination:      connect.remotetesting.secureworks.com
  IP addresses:     3.33.194.251 and 15.197.255.2 (static — these do not change)
  Port / protocol:  TCP 443, carrying OpenVPN (not HTTPS)
  Direction:        Outbound only

Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.

Troubleshooting

Deployed but something isn't right?

See Nutanix troubleshooting for the most common issues on this platform and how to fix them.