SSH into CloudFoundry – Trouble?
As you might know, it is possible to SSH into a CloudFoundry container (meaning to have a terminal connection into it in case Linux is not your first home…). BUT there are obstacles. I am not aware if this is just an awkward handling of things or even a bug. However, I know that at least three people spent hours finding out what the problem is (and I’m sure there are loads more of them).
SSH into CF, in theory
Once you have installed the command line interface for CloudFoundry (CF CLI), it is easy to access a lot of useful stuff, which is described in the CloudFoundry manuals.
One of them is the ssh command. But before it works you need to enable it with
cf enable-ssh myapp
You need to understand that both the application and your space have to be SSH-enabled. The latter usually is; the app is not. In fact it looks like it automatically switches off the enabling after a while (and that might be the change that caused a lot of head scratching).
All the details about the ssh command can be found in Application SSH Overview.
SSH into CF, reality
Now, even if you have done all of this you might experience this:
C:\Users\d034365>cf ssh myapp
FAILED
Error opening SSH connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
You are exactly at the point where I got some more gray hair and had to find out the hard way that enabling ssh is not enough. Because what you need to do after enabling is to restart your app!
C:\Users\d034365>cf restart myapp
Restarting app myapp in org A-Team_shared / space 06_Wukla as benny.schaich-lebek@sap.com...
Stopping app...
Waiting for app to start...
name: myapp
requested state: started
instances: 1/1
usage: 1G x 1 instances
routes: xxxxxxxx.cfapps.eu10.hana.ondemand.com, xxxxx.cfapps.eu10.hana.ondemand.com
last uploaded: Wed 12 Sep 08:39:43 CEST 2018
stack: cflinuxfs2
docker image: xxxxx/dev:sap_0.1.8
start command: /home/xxxxxxx/app/entrypoint.sh /bin/bash start.sh
state since cpu memory disk details
#0 running 2018-09-12T08:27:06Z 38.3% 138.3M of 1G 1.8G of 4G
C:\Users\d034365>cf ssh-enabled myapp
ssh support is enabled for 'myapp'
Only now can you run the ssh command:
C:\Users\d034365>cf ssh myapp
root@xxxx-xxxx-xxxx-xxxx:~#
And suddenly you are in the arms of Linux.
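The sequence above as a script, an added example that is not part of the original post: it checks the space-level and app-level switches, enables SSH on the app if needed, and restarts only when the flag was just set or a real connection attempt fails. It assumes a POSIX shell (the sessions in this post use the Windows prompt), a logged-in cf CLI, and the hypothetical function names prepare_cf_ssh and cf_ssh_probe.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with the
# cf CLI on PATH, already logged in and targeting the right org and space.
# prepare_cf_ssh, cf_ssh_probe and the return codes are hypothetical names.
# The matched text "ssh support is enabled" is the CLI output quoted on this
# page; other CLI versions may word it differently.

# Succeeds only if a real SSH session can be opened and run a no-op command.
cf_ssh_probe() {
    cf ssh "$1" -c "true" >/dev/null 2>&1
}

# Usage: prepare_cf_ssh APP SPACE
# Returns 0 when "cf ssh APP" works, 2 when the space forbids SSH,
# 1 when SSH still fails after enabling and restarting.
prepare_cf_ssh() {
    pcs_app=$1
    pcs_space=$2
    pcs_changed=0

    # Space level first: the app-level switch cannot override it.
    if ! cf space-ssh-allowed "$pcs_space" | grep -q "ssh support is enabled"; then
        echo "SSH is not allowed in space '$pcs_space'" >&2
        return 2
    fi

    # App level: flip the switch only when it is off.
    if ! cf ssh-enabled "$pcs_app" | grep -q "ssh support is enabled"; then
        cf enable-ssh "$pcs_app" >/dev/null || return 1
        pcs_changed=1
    fi

    # ssh-enabled can already say "enabled" while the handshake still fails,
    # so an unchanged flag is verified with a real connection attempt.
    if [ "$pcs_changed" -eq 0 ] && cf_ssh_probe "$pcs_app"; then
        return 0
    fi

    # The flag only takes effect after a restart. This interrupts the app,
    # so it happens only when the flag was just set or the probe failed.
    cf restart "$pcs_app" >/dev/null || return 1
    cf_ssh_probe "$pcs_app"
}
```

Call it as `prepare_cf_ssh myapp dev` and open the session with `cf ssh myapp` once it returns 0.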
More is possible, for example port forwarding so you can use your favorite tools, but others have described this already, so I just link to them at the end of this blog entry.
I have not yet found out why this was changed to a more complicated way (at least I assume it was a change, as others did not mention it in their blogs), but I imagine there is some security issue behind it, as usual.
Hope this helps!
Others describing more details:
SSH your SAP Cloud Platform CF app
Very in detail:
How to use an SSH tunnel with SCP Cloud Foundry backing-service
Update:
This can also be found in SAP notes: https://launchpad.support.sap.com/#/notes/2585659
Hello Benny,
Thank you for highlighting this very crucial step when enabling SSH for the application! I share your concern regarding the confusion that can be experienced when one executes the enable-ssh command, receives an OK response, and then fails to access the application via the ssh command (assuming that SSH is already enabled on space level). Or, when the SSH status of the application for which SSH was just enabled is shown as enabled in the output of the command ssh-enabled, but the SSH connection to the application fails because it wasn't restarted yet.
This has been raised as a usability issue for command line client for Cloud Foundry (refer to https://github.com/cloudfoundry/cli/issues/1282), and it was taken into consideration, but I haven't yet noticed enable-ssh to provide any enhanced warning or information message saying that application restart is required after SSH is enabled (tested it with command line client for Cloud Foundry version 6.39.0+607d4f8be.2018-09-11 against SAP Cloud Foundry API version 2.115.0). This lets me think that probably, in future versions of either CF CLI or CF API, this will be enhanced, but I haven't seen confirmation on this.
Given that a restart of the application is currently required for the circumstances you described in detail, it might be worth adding a reference to SAP Note 2585659 (SSH access to applications fails with "Error opening SSH connection") that also mentions similar symptoms and actions to be taken to overcome them.
Regards,
Vadim
Thanks Vadim for that hint. Added the link to the note.
With kind regards,
Benny
Just to SSH to an instance, this much stuff? Unless you never heard of AWS / Azure / GCP
As always with new technology! That's why we call it "cutting edge".....
"ssh support is disabled" for any app in my space on trial account 🙁
In cloud foundry documentation:
Note: To enable SSH access to your app, SSH access must also be enabled for both the space that contains the app and Cloud Foundry. See the App SSH Overview topic for more details.
Command "cf space-ssh-allowed dev" gives me "ssh support is enabled in space 'dev'".
As mentioned on Pivotal support:
Please check that the following conditions are met:
My space roles are:
cf ssh-enabled <app-name>.
"ssh support is disabled"
cf space-ssh-allowed <space-name>.
ssh support is enabled in space 'dev'
Don't really have more options besides "Configuring SSH Access for Cloud Foundry"?? https://docs.cloudfoundry.org/running/config-ssh.html