Feature #17668
closed
[Documentation] Container shell access
Added by Tom Clegg over 3 years ago.
Updated over 3 years ago.
Estimated time:
(Total: 0.00 h)
Release relationship:
Auto
Description
(moved from #17657)
Need to document the ShellAccess feature. I know we don't have doc yet for arvados-client, but I think this feature should be documented separately.
We should add a note about firewalling to the configuration reference, at a minimum. And something in the user guide on how to use the feature (under "debugging containers", perhaps).
It would be nice to have a page in the architecture section, under "Computation with crunch" that describes how the feature works (the interaction between a-d-c and controller and crunch-run), why it is secure, and how to use it.
- Description updated (diff)
- Related to Feature #17657: [container shell] support SSH port forwarding added
- Assigned To set to Ward Vandewege
- Target version set to 2021-05-26 sprint
- Status changed from New to In Progress
This is great, thanks.
On the install side:
When enabling, the change will only affect containers started from that point on.
Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?
On the user side:
"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...
Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?
Tom Clegg wrote:
This is great, thanks.
On the install side:
When enabling, the change will only affect containers started from that point on.
Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?
On the user side:
"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...
Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?
Excellent points, thanks, updated in 6fa1fbd935fd665494ea87716aef901144d14479
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Feedback
nits:
This means many other SSH features can be used, e.g. -g, -f -N, -n, …
You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.
~$ ./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430 -L8888:localhost:80
These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.
Peter Amstutz wrote:
nits:
[...]
You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.
[...]
These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.
Okay, those changes have been made.
- Status changed from Feedback to Resolved
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by