Project

General

Profile

Actions

Feature #17668

closed

[Documentation] Container shell access

Added by Tom Clegg over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Story points:
-
Release relationship:
Auto

Description

(moved from #17657)

Need to document the ShellAccess feature. I know we don't have doc yet for arvados-client, but I think this feature should be documented separately.

We should add a note about firewalling to the configuration reference, at a minimum. And something in the user guide on how to use the feature (under "debugging containers", perhaps).

It would be nice to have a page in the architecture section, under "Computation with crunch" that describes how the feature works (the interaction between a-d-c and controller and crunch-run), why it is secure, and how to use it.


Subtasks 1 (0 open1 closed)

Task #17683: review 17668-doc-container-shell-accessResolvedWard Vandewege05/14/2021Actions

Related issues 2 (0 open2 closed)

Related to Arvados - Feature #17657: [container shell] support SSH port forwardingResolvedTom Clegg05/10/2021Actions
Blocks Arvados - Idea #17512: Release Arvados 2.2ResolvedPeter Amstutz05/03/2021Actions
Actions #1

Updated by Tom Clegg over 3 years ago

  • Description updated (diff)
Actions #2

Updated by Tom Clegg over 3 years ago

  • Related to Feature #17657: [container shell] support SSH port forwarding added
Actions #3

Updated by Ward Vandewege over 3 years ago

  • Target version set to 2021-05-26 sprint
  • Assigned To set to Ward Vandewege
Actions #4

Updated by Peter Amstutz over 3 years ago

  • Release set to 38
Actions #5

Updated by Ward Vandewege over 3 years ago

Actions #6

Updated by Ward Vandewege over 3 years ago

  • Status changed from New to In Progress

Ready for review at 3751d9e286c214dbe8c0cf078b4919c94a7c3407 on branch 17668-doc-container-shell-access

Actions #7

Updated by Tom Clegg over 3 years ago

This is great, thanks.

On the install side:

When enabling, the change will only affect containers started from that point on.

Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?

On the user side:

"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...

Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?

Actions #8

Updated by Ward Vandewege over 3 years ago

Tom Clegg wrote:

This is great, thanks.

On the install side:

When enabling, the change will only affect containers started from that point on.

Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?

On the user side:

"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...

Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?

Excellent points, thanks, updated in 6fa1fbd935fd665494ea87716aef901144d14479

Actions #9

Updated by Tom Clegg over 3 years ago

LGTM, thanks!

Actions #10

Updated by Ward Vandewege over 3 years ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved
Actions #11

Updated by Peter Amstutz over 3 years ago

  • Status changed from Resolved to Feedback

nits:

This means many other SSH features can be used, e.g. -g, -f -N, -n, …

You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.

~$ ./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430 -L8888:localhost:80

These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.

Actions #12

Updated by Ward Vandewege over 3 years ago

Peter Amstutz wrote:

nits:

[...]

You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.

[...]

These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.

Okay, those changes have been made.

Actions #13

Updated by Peter Amstutz over 3 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF