Launch a TEE VM

This guide covers launching and managing Trusted Execution Environment (TEE) Virtual Machines on Teenode. TEE VMs give you full control over your computing environment with hardware-level AMD SEV-SNP encryption.

What is a TEE VM?

A TEE VM is a virtual machine that runs in a Trusted Execution Environment, providing:

  • Full Linux server with root access
  • Hardware-level memory encryption via AMD SEV-SNP
  • Protection against hypervisor attacks
  • Cryptographic attestation for verification
  • SSH access with your own keys
  • Customizable resources (CPU, memory, storage)
  • Support for any Linux workload

Prerequisites

  • Teenode CLI installed and authenticated
  • SSH key pair generated locally
  • Sufficient account balance or active subscription
  • Basic Linux command-line knowledge

Step 1: Generate SSH Keys

If you don’t have SSH keys, generate them:

# Generate ED25519 key (recommended)
# -N "" creates the key without a passphrase; omit it to be prompted for one
ssh-keygen -t ed25519 -f ~/.ssh/teenode_vm -N ""

# Or RSA key (if ED25519 not supported)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/teenode_vm -N ""

# Verify keys were created
ls -la ~/.ssh/teenode_vm*

Your keys should be in ~/.ssh:

-rw-------  1 user  staff   419 Oct 19 10:00 ~/.ssh/teenode_vm
-rw-r--r--  1 user  staff    98 Oct 19 10:00 ~/.ssh/teenode_vm.pub

Step 2: Add SSH Key to Teenode

# Add your public key to Teenode
teenode ssh-key add \
  --name my-vm-key \
  --key-file ~/.ssh/teenode_vm.pub

# List all your keys
teenode ssh-key list

# View specific key details
teenode ssh-key describe my-vm-key

You can add multiple SSH keys for different machines or team members.

Step 3: Launch a TEE VM

Basic Launch

teenode vm create \
  --name my-first-vm \
  --region us-east \
  --cpu 2 \
  --memory 4096 \
  --ssh-key my-vm-key

With Custom Configuration

teenode vm create \
  --name production-server \
  --region us-east \
  --cpu 8 \
  --memory 16384 \
  --storage 100 \
  --ssh-key my-vm-key \
  --tags "production,web-server"

Parameter meanings:

  • --name - VM identifier (lowercase, alphanumeric, hyphens)
  • --region - Deployment region (us-east, eu-west, etc.)
  • --cpu - Number of vCPUs (1-16)
  • --memory - RAM in MB (512-65536)
  • --storage - Disk space in GB (10-1000, default 20)
  • --ssh-key - SSH key name from teenode ssh-key list
  • --tags - Comma-separated labels for organization

Step 4: Monitor VM Launch

Check the VM status:

# View all VMs
teenode vm list

# Check specific VM details
teenode vm describe my-first-vm

# Watch boot progress
teenode vm logs my-first-vm --follow

Expected output:

VM Name:     my-first-vm
Status:      RUNNING
IP Address:  203.0.113.42
Region:      us-east
CPU:         2 vCPUs
Memory:      4096 MB
Storage:     20 GB
SSH Key:     my-vm-key
Created:     2024-10-19T10:15:30Z
Uptime:      5 minutes 23 seconds

Your TEE VM is now running and encrypted with AMD SEV-SNP!

Step 5: SSH into Your VM

Connect to your VM:

# Option 1: Use Teenode CLI (easiest)
teenode vm ssh my-first-vm

# Option 2: SSH directly with key
ssh -i ~/.ssh/teenode_vm root@203.0.113.42

# Option 3: Configure SSH config
# Add to ~/.ssh/config:
# Host teenode-vm
#   HostName 203.0.113.42
#   User root
#   IdentityFile ~/.ssh/teenode_vm

ssh teenode-vm

First login prompt (accept the host key):

The authenticity of host '203.0.113.42' can’t be established.
ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no)?
# Type 'yes' and press Enter

# You’re now logged into your TEE VM!
root@my-first-vm:~#

Step 6: Verify AMD SEV-SNP

Verify your VM is running in a confidential environment:

# From your local machine
teenode vm attest my-first-vm

# This retrieves and verifies the SEV-SNP attestation report

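Inside the VM, check SEV-SNP support. These guest-side checks are only a sanity check, since they show what the guest kernel reports; the attestation report is the verifiable evidence: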

# SSH into VM
teenode vm ssh my-first-vm

# Check for SEV support
grep -i sev /proc/cpuinfo

# Check dmesg for SEV-SNP messages
dmesg | grep -i sev

# Output should show:
# SEV-SNP enabled
# SNP guest detected

Basic Server Management

Update System

# SSH into VM
teenode vm ssh my-first-vm

# Update package lists
apt update

# Upgrade packages
apt upgrade -y

# Install useful tools
apt install -y curl wget git htop

Install Node.js

# Inside VM
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
apt install -y nodejs

# Verify installation
node --version
npm --version

Install Docker

# Inside VM
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

# Add user to docker group
sudo usermod -aG docker root

# Verify installation
docker --version
docker run hello-world

Install Python

# Inside VM
apt install -y python3 python3-pip

# Verify installation
python3 --version
pip3 --version

File Transfer

Upload Files to VM

# From your local machine
scp -i ~/.ssh/teenode_vm -r ./my-app root@203.0.113.42:/root/

# Or using Teenode CLI
teenode vm scp my-first-vm ./my-app /root/ --upload

Download Files from VM

# Download single file
scp -i ~/.ssh/teenode_vm root@203.0.113.42:/root/output.txt ./

# Download directory
scp -i ~/.ssh/teenode_vm -r root@203.0.113.42:/root/results ./

# Or using Teenode CLI
teenode vm scp my-first-vm /root/results ./results --download

Deploy Applications

Deploy a Web Server

# SSH into VM
teenode vm ssh my-first-vm

# Create application directory
mkdir -p /opt/myapp
cd /opt/myapp

# Create simple Node.js app
cat > index.js << 'EOF'
const http = require('http');
const PORT = process.env.PORT || 3000;

const server = http.createServer((req, res) => {
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({
    message: 'Hello from Teenode TEE VM',
    hostname: require('os').hostname(),
    timestamp: new Date().toISOString()
  }));
});

server.listen(PORT, '0.0.0.0', () => {
  console.log(`Server running on port ${PORT}`);
});
EOF

# Start application
node index.js

Test from your local machine:

curl http://203.0.113.42:3000

# Response:
# {
#   "message": "Hello from Teenode TEE VM",
#   "hostname": "my-first-vm",
#   "timestamp": "2024-10-19T10:30:45.123Z"
# }

Running Services with Systemd

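# Create systemd service file inside VM
# (tee runs under sudo; with "sudo cat > file" the redirection is done by the calling shell, not by sudo)
sudo tee /etc/systemd/system/myapp.service > /dev/null << 'EOF'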
[Unit]
Description=My Teenode Application
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=/opt/myapp
ExecStart=/usr/bin/node /opt/myapp/index.js
Restart=always
RestartSec=10
Environment="PORT=3000"

[Install]
WantedBy=multi-user.target
EOF

# Enable and start service
sudo systemctl daemon-reload
sudo systemctl enable myapp
sudo systemctl start myapp

# Check status
sudo systemctl status myapp

# View logs
sudo journalctl -u myapp -f

Monitoring and Performance

Monitor VM Resources

# From local machine
teenode vm metrics my-first-vm

# Inside VM, check system resources
htop
top
df -h
free -h

View VM Logs

# View recent logs
teenode vm logs my-first-vm --limit 100

# Follow logs in real-time
teenode vm logs my-first-vm --follow

# View specific time range
teenode vm logs my-first-vm --since 2024-10-19T10:00:00Z

VM Lifecycle Management

Stop VM

# Graceful shutdown
teenode vm stop my-first-vm

# Force immediate stop
teenode vm stop my-first-vm --force

Start VM

teenode vm start my-first-vm

Resize VM Resources

# Scale up VM resources (requires restart)
teenode vm resize my-first-vm \
  --cpu 4 \
  --memory 8192 \
  --storage 50

Resizing requires restarting the VM. There will be a brief downtime.

Delete VM

# Delete VM
teenode vm delete my-first-vm

# Confirm deletion
# This is permanent and cannot be undone!

Advanced Configuration

Multiple SSH Keys

# Add multiple keys during creation
teenode vm create \
  --name multi-user-vm \
  --ssh-keys key1,key2,key3

# Add key to existing VM
teenode vm ssh-key add my-first-vm --key-name another-key

# Remove key from VM
teenode vm ssh-key remove my-first-vm --key-name old-key

Firewall and Network

Configure inbound access:

# Allow specific ports
teenode vm firewall my-first-vm \
  --allow-port 80 \
  --allow-port 443 \
  --allow-port 22

# Restrict to specific IP
teenode vm firewall my-first-vm \
  --allow-port 22 \
  --from-ip 203.0.113.100

# View firewall rules
teenode vm firewall my-first-vm --list

Custom Startup Script

# Create init script
cat > ~/startup.sh << 'EOF'
#!/bin/bash
apt update
apt install -y docker.io
systemctl start docker
echo "Docker installed and started"
EOF

# Launch VM with init script
teenode vm create \
  --name app-vm \
  --init-script ~/startup.sh \
  --ssh-key my-vm-key

Backup and Recovery

Create Snapshot

# Take snapshot of running VM
teenode vm snapshot create my-first-vm \
  --name backup-2024-10-19

# List snapshots
teenode vm snapshot list my-first-vm

# View snapshot details
teenode vm snapshot describe my-first-vm backup-2024-10-19

Restore from Snapshot

# Restore VM to snapshot state
teenode vm snapshot restore my-first-vm \
  --snapshot backup-2024-10-19

# Create new VM from snapshot
teenode vm create-from-snapshot \
  --name restored-vm \
  --snapshot backup-2024-10-19

Security Best Practices

SSH Hardening

# SSH into VM
teenode vm ssh my-first-vm

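# Disable password authentication (matches the line whether or not it is commented out)
sudo sed -i -E 's/^#?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config

# Disable root login (optional; do this only after a non-root sudo user with an
# SSH key exists, otherwise you lock yourself out)
sudo sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config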

# Restart SSH
sudo systemctl restart ssh

# Verify changes
sudo sshd -T | grep -i password
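
An in-place substitution changes nothing when the directive is absent from sshd_config, and loses to a value set in a file pulled in by an earlier Include line. The following is an added example, not part of the original guide: it writes a directive so that it takes effect in both cases and audits `sshd -T` output. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide); function names are hypothetical.

# set_sshd_option FILE KEY VALUE
# Works whether KEY is commented out, active with another value, or absent.
# The new line goes first because sshd keeps the first value it reads for a
# keyword, so it also wins over files pulled in by a later Include line.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        grep -Eiv "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file" || :
    } > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place: keeps the file's owner and mode
    rm -f "$tmp"
}

# audit_sshd_effective: reads `sshd -T` output on stdin and prints findings.
# Returns 0 only if password authentication is "no" and root login is not "yes".
audit_sshd_effective() {
    awk '
        $1 == "passwordauthentication" && $2 != "no"  { print "FAIL: " $0; bad = 1 }
        $1 == "permitrootlogin"        && $2 == "yes" { print "FAIL: " $0; bad = 1 }
        $1 == "passwordauthentication" { seen = 1 }
        END { if (!seen) { print "FAIL: no passwordauthentication line"; bad = 1 }
              exit bad + 0 }
    '
}

# Constructed sample config: PasswordAuthentication is absent from the main
# file (as when only a drop-in sets it), and PermitRootLogin appears twice.
write_sample_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin yes
UsePAM yes
EOF
}
```

On the VM, run `set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no` as root, then pipe `sudo sshd -T` into `audit_sshd_effective` before restarting SSH.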

Firewall Setup

# Inside VM - install and configure UFW
sudo apt install -y ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow specific services
sudo ufw allow 22/tcp    # SSH
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status

Attestation Verification

# From local machine - verify attestation
teenode vm attest my-first-vm --verify

# Save attestation report
teenode vm attest my-first-vm --output attestation.json

# Verify it cryptographically
teenode verify-attestation attestation.json
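
A valid signature shows that the report is genuine; whether to trust the guest still depends on fields inside the report, such as the launch measurement and the debug policy bit. The following is an added example, not Teenode code, that checks those two fields. It assumes the report is available as the raw 1184-byte structure defined in AMD's SEV-SNP firmware ABI (the layout of Teenode's attestation.json is not shown on this page), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Teenode code. Field offsets follow the ATTESTATION_REPORT
# layout in AMD's SEV-SNP firmware ABI. No signature check is done here: run
# it only on a report whose signature chain has already been verified.

SNP_REPORT_SIZE=1184    # bytes in a raw report
OFF_POLICY=8            # 64-bit little-endian guest policy
OFF_MEASUREMENT=144     # 0x90: 48-byte launch measurement

# hex_at FILE OFFSET LENGTH -> lowercase hex string
hex_at() { od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# snp_policy_check REPORT EXPECTED_MEASUREMENT_HEX
# Prints OK or the reason for rejection; returns 0 only when acceptable.
snp_policy_check() {
    report=$1 expected=$2
    size=$(wc -c < "$report" | tr -d ' ')
    if [ "$size" -ne "$SNP_REPORT_SIZE" ]; then
        echo "FAIL: unexpected report size $size"; return 1
    fi
    # POLICY bit 19 (DEBUG) is bit 3 of the policy's third byte.
    byte=$(od -An -v -tu1 -j $((OFF_POLICY + 2)) -N 1 "$report" | tr -d ' \n')
    if [ $((byte & 8)) -ne 0 ]; then
        echo "FAIL: guest policy allows debugging"; return 1
    fi
    if [ "$(hex_at "$report" "$OFF_MEASUREMENT" 48)" != "$expected" ]; then
        echo "FAIL: measurement differs from the pinned value"; return 1
    fi
    echo "OK"
}

# make_sample_report FILE POLICY_BYTE_OCTAL
# Constructed test input: zero-filled report, the given third policy byte,
# and a measurement of 48 bytes of 0xab.
make_sample_report() {
    head -c "$SNP_REPORT_SIZE" /dev/zero > "$1"
    printf "\\$2" | dd of="$1" bs=1 seek=$((OFF_POLICY + 2)) conv=notrunc 2>/dev/null
    i=0
    while [ "$i" -lt 48 ]; do printf '\253'; i=$((i + 1)); done |
        dd of="$1" bs=1 seek="$OFF_MEASUREMENT" conv=notrunc 2>/dev/null
}
```

The expected measurement has to come from a source you trust, such as your own build of the guest image, not from the report being checked.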

Troubleshooting

Cannot Connect via SSH

# Check VM is running
teenode vm describe my-first-vm

# Check SSH key permissions
ls -la ~/.ssh/teenode_vm
# Should be: -rw------- (600)

# Fix permissions if needed
chmod 600 ~/.ssh/teenode_vm

# Test connection with verbose output
ssh -vvv -i ~/.ssh/teenode_vm root@203.0.113.42

VM Won’t Start

# Check VM logs
teenode vm logs my-first-vm

# Check VM status
teenode vm describe my-first-vm

# Restart VM
teenode vm stop my-first-vm
sleep 10
teenode vm start my-first-vm

Out of Disk Space

# Inside VM - check disk usage
df -h
du -sh *

# Clean up
apt clean
apt autoclean
rm -rf /tmp/*

# If still full, resize VM
# From local machine:
teenode vm resize my-first-vm --storage 50

Cost Optimization

Tips to reduce costs:

  • Stop VMs when not in use (you’re only charged for running time)
  • Use smaller resource allocations for development/testing
  • Delete old snapshots you no longer need
  • Use Reserved Instances for long-term workloads
  • Monitor resource usage and right-size as needed

# Stop VM to save costs
teenode vm stop my-first-vm

# Check pricing before creating VM
teenode vm pricing --cpu 2 --memory 4096 --region us-east

Next Steps

You now have a fully operational Trusted Execution Environment virtual machine running on Teenode!