As you might know, it is possible to SSH into a Cloud Foundry container (that is, to open a terminal connection into it, in case Linux is not your first home…). BUT there are obstacles. I am not aware if this is just an awkward handling of things or even a bug. However, I know that at least three people spent hours finding out what the problem is (and I'm sure there are loads more of them).

SSH into CF, in theory

Once you have installed the command line interface for Cloud Foundry (CF CLI), it is easy to access a lot of useful stuff, which is described in the Cloud Foundry manuals.

One of them is the ssh command. But before it works you need to enable it with:

cf enable-ssh myapp

You need to understand that both the application and your space have to be SSH enabled. The latter usually is, the app is not. In fact it looks like it automatically switches off the enabling after a while (and that might be the change that caused a lot of head scratching).

All the details about the ssh command can be found in Application SSH Overview.

SSH into CF, reality

Now, even if you have done all of this you might experience this:

C:\Users\d034365>cf ssh myapp
FAILED
Error opening SSH connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

You are exactly at the point where I got some more gray hair and had to find out the hard way that enabling ssh is not enough. Because what you need to do after enabling is to restart your app!

C:\Users\d034365>cf restart myapp
Restarting app myapp in org A-Team_shared / space 06_Wukla as benny.schaich-lebek@sap.com...

Stopping app...

Waiting for app to start...

name: myapp
requested state: started
instances: 1/1
usage: 1G x 1 instances
routes: xxxxxxxx.cfapps.eu10.hana.ondemand.com, xxxxx.cfapps.eu10.hana.ondemand.com
last uploaded: Wed 12 Sep 08:39:43 CEST 2018
stack: cflinuxfs2
docker image: xxxxx/dev:sap_0.1.8
start command: /home/xxxxxxx/app/entrypoint.sh /bin/bash start.sh

state since cpu memory disk details
#0 running 2018-09-12T08:27:06Z 38.3% 138.3M of 1G 1.8G of 4G

C:\Users\d034365>cf ssh-enabled myapp
ssh support is enabled for 'myapp'

Only now can you run the ssh command:

C:\Users\d034365>cf ssh myapp
root@xxxx-xxxx-xxxx-xxxx:~#

And suddenly you are in the arms of Linux.
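
The whole sequence above as one shell function, as an added example that is not part of the original post: it probes with `cf ssh APP -c true`, sets the flag only if `cf ssh-enabled` reports it as off, restarts, and probes again. The function names and the `CF_SSH_ACTIONS` variable are made up for this example; it assumes you are already logged in with the CF CLI.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Uses only cf CLI subcommands the
# post shows, plus the CLI's `-c` option of `cf ssh` to run one command and exit.

# True if the text printed by `cf ssh-enabled APP` reports the flag as set,
# e.g. "ssh support is enabled for 'myapp'" (the line quoted in the post).
ssh_flag_is_enabled() {
  case "$1" in
    *"is enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Bring APP into a state where `cf ssh APP` works.
# Sets CF_SSH_ACTIONS to the steps taken; returns 0 once a session opens.
ensure_cf_ssh() {
  local app="$1"
  CF_SSH_ACTIONS=""

  # 1. Probe first: if a session opens, change nothing.
  if cf ssh "$app" -c true >/dev/null 2>&1; then
    return 0
  fi

  # 2. Set the app-level flag only if it is not set yet.
  if ! ssh_flag_is_enabled "$(cf ssh-enabled "$app" 2>/dev/null)"; then
    cf enable-ssh "$app" >/dev/null || return 1
    CF_SSH_ACTIONS="enable-ssh"
  fi

  # 3. The flag alone is not enough: running instances need a restart.
  #    This interrupts the app, so run it when a restart is acceptable.
  cf restart "$app" >/dev/null || return 1
  CF_SSH_ACTIONS="${CF_SSH_ACTIONS:+$CF_SSH_ACTIONS }restart"

  # 4. Probe again; a failure here points elsewhere (space-level SSH, login).
  cf ssh "$app" -c true >/dev/null 2>&1
}

# Usage (after `cf login`): ensure_cf_ssh myapp && cf ssh myapp
```

Because the flag can read as enabled while the handshake still fails, the function decides on the probe result and not on the output of `cf ssh-enabled` alone.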

More is possible, for example port forwarding so you can use your favorite tools, but others have described this already, so I just link to them at the end of this blog entry.

I have not yet found out why this was changed to a more complicated way (at least I assume it was a change, as others did not mention it in their blogs), but I imagine there is some security issue behind that, as usual.

Hope this helps!

Others describing more details:

SSH your SAP Cloud Platform CF app

Very in detail:

How to use an SSH tunnel with SCP Cloud Foundry backing-service

Update:

This can also be found in SAP notes: https://launchpad.support.sap.com/#/notes/2585659


4 Comments


  1. Vadim Klimov

    Hello Benny,

    Thank you for highlighting this very crucial step when enabling SSH for the application! I share your concern regarding the confusion that can be experienced when one executes the enable-ssh command, receives an OK response, and then fails to access the application via the ssh command (assuming that SSH is already enabled on space level). Or, when the SSH status of the application for which SSH was just enabled is shown as enabled in the output of the command ssh-enabled, but the SSH connection to the application fails because it wasn't restarted yet.

    This has been raised as a usability issue for command line client for Cloud Foundry (refer to https://github.com/cloudfoundry/cli/issues/1282), and it was taken into consideration, but I haven’t yet noticed enable-ssh to provide any enhanced warning or information message saying that application restart is required after SSH is enabled (tested it with command line client for Cloud Foundry version 6.39.0+607d4f8be.2018-09-11 against SAP Cloud Foundry API version 2.115.0). This lets me think that probably, in future versions of either CF CLI or CF API, this will be enhanced, but I haven’t seen confirmation on this.

    Given that a restart of the application is currently required for the circumstances you described in detail, it might be worth adding a reference to SAP Note 2585659 (SSH access to applications fails with “Error opening SSH connection”) that also mentions similar symptoms and actions to be taken to overcome them.

    Regards,

    Vadim
