DEV Community

Vipin Menon
Accessing Privileged Containers in Cloud Foundry: A Guide

Usually, your production apps don't, and shouldn't, have SSH access in Cloud Foundry. However, you might need to SSH into an application for debugging purposes. Fortunately, this is possible when the operator has enabled SSH for the deployment and SSH is enabled for both the space and the app; after that you can use the cf ssh command. This approach suffices for most scenarios.

But sometimes, this level of access isn’t enough. You might require privileged access to the application container for advanced troubleshooting or debugging. Why might you need this? That’s a question only you can answer, but this blog will show you how it’s done.

Note: This process can only be executed if you are an operator of the Cloud Foundry deployment and can access the Diego cells.

Steps to Gain Privileged Access

  1. Retrieve the app guid for the application:

    cf app <app-name> --guid

  2. Log in to BOSH, target the Cloud Foundry deployment, and SSH into any Diego cell (this first cell is only used to run cfdot):

    bosh -d cf vms
    bosh -d cf ssh <diego-cell>   # any Diego cell will do

  3. Use the cfdot utility to locate the application details.

In Diego terms, applications are referred to as LRPs (long-running processes). Using the app guid, identify the instance_guid of the LRP instance and the Diego cell on which the application process is running:

    cfdot actual-lrps | grep -E '<app-guid>' | jq -r '. | select(.index == 0)'   # index 0 is the first instance of the application

This command prints the instance_guid and cell_id of the application container.

  4. SSH into the respective Diego cell. Using the cell_id identified in the previous step, SSH into that cell:

    bosh -d cf ssh <diego_cell>

  5. Attach to the Garden container. You can attach to the container using one of two methods.

Approach 1: Using runc

    sudo /var/vcap/packages/runc/bin/runc --root /run/containerd/runc/garden/ exec --tty <instance_guid> /bin/sh

Approach 2: Using ctr

This approach is not recommended, because the ctr command line is a debugging tool rather than a stable interface, and its commands may change over time.

    sudo /var/vcap/packages/containerd/bin/ctr -a /var/vcap/sys/run/containerd/containerd.sock -n garden tasks exec --exec-id my-shell --tty <instance_guid> /bin/sh

After running either of these commands, you will have privileged access to the application container.
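The lookup in steps 1 to 3 is the part worth scripting and sanity-checking before you go near a cell: cfdot actual-lrps prints one JSON object per line, and the process_guid of each LRP is the app guid followed by a version guid, which is why a prefix match on the app guid is enough. The POSIX shell script below is an added example and not code from the original post. It defines a find_lrp function that resolves the instance_guid and cell_id for one app instance from cfdot output using only grep and sed (so it does not need jq), refuses to continue when zero or more than one instance matches, and runs against a constructed sample of cfdot output (the guids, cell ids and addresses are made up). The field names and the diego-cell/<id> form of cell_id are assumed to match what cfdot prints on your deployment.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the Garden container
# handle (instance_guid) and the Diego cell (cell_id) for one app instance
# from `cfdot actual-lrps` output, with a sanity check on the match count.

# Constructed sample of `cfdot actual-lrps` output: one compact JSON object per
# line. Field names follow cfdot; the guids, cell ids and addresses are made up.
# The first two lines are instances 0 and 1 of the same app; the third line is
# an unrelated app running on the same cell as instance 0.
SAMPLE_LRPS='{"process_guid":"0f1e2d3c-aaaa-bbbb-cccc-000000000001-9a8b7c6d-dddd-eeee-ffff-000000000002","index":0,"domain":"cf-apps","instance_guid":"5b4a3c2d-1111-2222-3333-444444444444","cell_id":"diego-cell/7c6b5a49-5555-6666-7777-888888888888","address":"10.0.16.10","state":"RUNNING"}
{"process_guid":"0f1e2d3c-aaaa-bbbb-cccc-000000000001-9a8b7c6d-dddd-eeee-ffff-000000000002","index":1,"domain":"cf-apps","instance_guid":"6c5b4d3e-1111-2222-3333-555555555555","cell_id":"diego-cell/8d7c6b5a-5555-6666-7777-999999999999","address":"10.0.16.11","state":"RUNNING"}
{"process_guid":"ffffffff-0000-1111-2222-333333333333-44444444-5555-6666-7777-888888888888","index":0,"domain":"cf-apps","instance_guid":"7d6c5e4f-1111-2222-3333-666666666666","cell_id":"diego-cell/7c6b5a49-5555-6666-7777-888888888888","address":"10.0.16.12","state":"RUNNING"}'

# json_field NAME: print the string value of "NAME":"..." from each stdin line.
json_field() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# find_lrp APP_GUID [INDEX]  < cfdot-actual-lrps-output
# Prints "<instance_guid> <cell_id>" for exactly one matching instance.
# Fails (exit 1) when no instance or more than one instance matches, so a
# typo in the guid cannot silently send you to the wrong cell or container.
find_lrp() {
  app_guid=$1
  index=${2:-0}
  # process_guid is "<app-guid>-<version-guid>": match on the app-guid prefix,
  # then keep only the requested instance index (the trailing comma stops
  # index 1 from also matching index 10).
  matches=$(grep -F -- "\"process_guid\":\"${app_guid}" | grep -F -- "\"index\":${index}," || true)
  count=$(printf '%s\n' "$matches" | grep -c '"instance_guid"' || true)
  case $count in
    0) echo "find_lrp: no instance ${index} found for app ${app_guid}" >&2; return 1 ;;
    1) ;;
    *) echo "find_lrp: expected one instance, found ${count}; refusing to guess" >&2; return 1 ;;
  esac
  instance_guid=$(printf '%s\n' "$matches" | json_field instance_guid)
  cell_id=$(printf '%s\n' "$matches" | json_field cell_id)
  printf '%s %s\n' "$instance_guid" "$cell_id"
}

# Demo against the constructed sample. On a real cell you would pipe the live
# output instead:  cfdot actual-lrps | find_lrp "$(cf app <app-name> --guid)" 0
printf '%s\n' "$SAMPLE_LRPS" | find_lrp 0f1e2d3c-aaaa-bbbb-cccc-000000000001 0
```

The printed cell_id is what step 4 passes to bosh -d cf ssh, and the printed instance_guid is the container handle that both runc and ctr expect in step 5. Because find_lrp exits non-zero on an ambiguous or empty match, you can chain it with && in a wrapper and be sure the SSH and exec steps never run against a guessed target.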

! A Word of Caution !

With great power comes great responsibility.
Privileged access should be used sparingly and responsibly, and if possible never. Always assess whether these steps are really necessary, and avoid this process unless it is required.
Things can break here if you are NOT careful!

I've messed something up, what do I do?

Fear not. In most cases, deleting the affected app instance resets things and sets them back to normal, because Diego then schedules a fresh container for that instance.