OCI Run Command Advanced Guide: Remote Execution, Object Storage Scripts, and Production Troubleshooting

DEV Community
Bonthu Durga Prasad

Introduction

Managing remote servers usually means logging in through SSH (Linux) or RDP (Windows). While that works, it also means managing ports, credentials, and access controls. Oracle Cloud Infrastructure (OCI) offers a cleaner option called Run Command.

OCI Run Command allows you to remotely execute commands or scripts on OCI Compute instances directly from the OCI Console, OCI CLI, or API, without logging in to the server manually.

This blog explains what OCI Run Command is, how it works, what is required, common statuses, troubleshooting, and best practices.

OCI Run Command is a feature that lets you run commands remotely on an OCI Compute instance using the Oracle Cloud Agent installed on that server.

Examples:

    hostname

Instead of connecting to the server manually, OCI sends the command securely through the cloud control plane.

OCI Run Command is useful when you want to:

- Run quick administrative commands

Administrator

Use Inline Commands For:

Use Object Storage Scripts For:

1. OCI Compute Instance
Target server where command will run.

2. Oracle Cloud Agent
Installed on OCI instance. This agent communicates with OCI services.

3. Run Command Plugin
Must be enabled inside Oracle Cloud Agent settings.

4. IAM Policies
Permissions are needed for:

- User who creates command

5. Dynamic Group
Used to grant permissions to the OCI instance itself.

Step 1: Enable Run Command Plugin

Go to: OCI Console → Compute Instance → Oracle Cloud Agent

Enable:

Step 2: Create Dynamic Group

Example rule:

    ALL {instance.compartment.id = ''}

This means all servers in that compartment join the Dynamic Group.
Step 3: Dynamic Group Policies

Example:

    Allow dynamic-group DeployDG to use instance-agent-command-execution-family in compartment id
    Allow dynamic-group DeployDG to read instances in compartment id
    Allow dynamic-group DeployDG to read buckets in compartment id
    Allow dynamic-group DeployDG to read objects in compartment id where target.bucket.name=''
    Allow dynamic-group DeployDG to manage objects in compartment id where target.bucket.name=''

This allows the server to receive and execute commands.

Step 4: User IAM Policies

Example:

    Allow group Admins to manage instance-agent-command-family in compartment id
    Allow group Admins to read instance-agent-command-execution-family in compartment id
    Allow group Admins to inspect instances in compartment id

ocarun is the local execution user/context used by the OCI Run Command plugin on the compute instance. When you send a command through Oracle Cloud Infrastructure Run Command, the instance agent receives it and executes it using the Run Command plugin. On many OCI images/platform setups, that execution is associated with ocarun.

-> If you run commands that require sudo privileges, you should grant the ocarun user admin privileges.

    oci instance-agent command create \

lifecycle-state
Shows execution status.

ACCEPTED

To check the delivery status:

    oci instance-agent command-execution list \
      --compartment-id ocid1.compartment.oc1..aaaaaaaagz4mern4sk46kbebwqzl6czdowlud7rop7ornezr7axx6ja5jfla \
      --instance-id ocid1.instance.oc1.ap-mumbai-1.anrg6ljr7gqo7aacuco546smbzylzekybcfbvp2vz2ygvwgu52vf62zk7cma \
      --all

delivery-state
Shows whether command reached the server.

ACKED

Usually caused by:

- Wrong Dynamic Group

-> If you get delivery status ACKED and exit code = 0, your command / script executed successfully on the remote server.

Check Agent Status

Linux:

    systemctl status oracle-cloud-agent

For long executions, store logs locally:

    /tmp/deploy_httpd.log

Then upload logs back to bucket using automation.
This enables:

✔ Retention

✔ Use least privilege IAM policies

| Feature | SSH | OCI Run Command |
|---|---|---|
| Needs inbound port | Yes | No |
| Manual session | Yes | No |
| API driven | Limited | Yes |
| Auditable | Moderate | Strong |
| Scalable fleet ops | Medium | Strong |

OCI Run Command is a powerful feature for remote server administration. Once properly configured, it becomes one of the easiest and safest ways to execute commands on OCI instances without direct login access. If you manage OCI servers regularly, it is worth enabling and learning.
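
The Step 3 dynamic-group statements and the "Use least privilege IAM policies" practice can be checked mechanically before a policy is applied. The following is an added example, not code from the original article or from Oracle: a small linter that compares dynamic-group statements against the strongest verb the Step 3 statements grant per resource type. The function name `lint_statement`, the compartment name `Deploy` and the bucket name `run-command-scripts` are assumptions made for illustration.

```python
import re

# Verb ladder in OCI IAM policies, weakest to strongest.
VERBS = ["inspect", "read", "use", "manage"]

# Strongest verb the Step 3 statements on this page grant per resource type.
BASELINE = {"instance-agent-command-execution-family": "use",
            "instances": "read", "buckets": "read", "objects": "manage"}

STATEMENT = re.compile(
    r"^allow\s+dynamic-group\s+(?P<dg>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

def lint_statement(stmt):
    """Return least-privilege findings for one dynamic-group statement."""
    m = STATEMENT.match(stmt.strip())
    if not m:
        return ["unparsed statement, review by hand"]
    verb, resource = m["verb"].lower(), m["resource"].lower()
    cond = (m["cond"] or "").lower()
    findings = []
    if m["scope"].lower() == "tenancy":
        findings.append("tenancy-wide scope for an instance principal")
    if resource not in BASELINE:
        findings.append(f"{resource} is outside the Run Command baseline")
    elif VERBS.index(verb) > VERBS.index(BASELINE[resource]):
        findings.append(f"{verb} exceeds baseline {BASELINE[resource]} on {resource}")
    if resource == "objects" and "target.bucket.name" not in cond:
        findings.append("objects access is not pinned to a bucket name")
    return findings

# Constructed sample policies: compartment and bucket names are placeholders.
SAMPLE = [
    "Allow dynamic-group DeployDG to use instance-agent-command-execution-family in compartment Deploy",
    "Allow dynamic-group DeployDG to read objects in compartment Deploy where target.bucket.name='run-command-scripts'",
    "Allow dynamic-group DeployDG to manage objects in compartment Deploy",
    "Allow dynamic-group DeployDG to manage instances in tenancy",
    "Allow dynamic-group DeployDG to manage all-resources in compartment Deploy",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(lint_statement(s) or ["ok"], "<-", s)
```

Statements that match the Step 3 set return no findings; the last three constructed samples show an unpinned bucket grant, an over-strong verb at tenancy scope, and a resource type Run Command does not need.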