Feature #17668
closed
[Documentation] Container shell access
Description
(moved from #17657)
Need to document the ShellAccess feature. I know we don't have doc yet for arvados-client, but I think this feature should be documented separately.
We should add a note about firewalling to the configuration reference, at a minimum. And something in the user guide on how to use the feature (under "debugging containers", perhaps).
It would be nice to have a page in the architecture section, under "Computation with crunch" that describes how the feature works (the interaction between a-d-c and controller and crunch-run), why it is secure, and how to use it.
Related issues
Updated by Tom Clegg almost 3 years ago
- Related to Feature #17657: [container shell] support SSH port forwarding added
Updated by Ward Vandewege almost 3 years ago
- Target version set to 2021-05-26 sprint
- Assigned To set to Ward Vandewege
Updated by Ward Vandewege almost 3 years ago
- Blocks Idea #17512: Release Arvados 2.2 added
Updated by Ward Vandewege almost 3 years ago
- Status changed from New to In Progress
Ready for review at 3751d9e286c214dbe8c0cf078b4919c94a7c3407 on branch 17668-doc-container-shell-access
Updated by Tom Clegg almost 3 years ago
This is great, thanks.
On the install side:
When enabling, the change will only affect containers started from that point on.
Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?
On the user side:
"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...
Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?
Updated by Ward Vandewege almost 3 years ago
Tom Clegg wrote:
This is great, thanks.
On the install side:
When enabling, the change will only affect containers started from that point on.
Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?
On the user side:
"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like
-g,-f,-N,-n...Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?
Excellent points, thanks, updated in 6fa1fbd935fd665494ea87716aef901144d14479
Updated by Ward Vandewege almost 3 years ago
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
Applied in changeset arvados|2d0fb353b939cd2eaf0bb99afc369f30059723f7.
Updated by Peter Amstutz almost 3 years ago
- Status changed from Resolved to Feedback
nits:
This means many other SSH features can be used, e.g. -g, -f -N, -n, …
You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.
~$ ./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430 -L8888:localhost:80
These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.
Updated by Ward Vandewege almost 3 years ago
Peter Amstutz wrote:
nits:
[...]
You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.
[...]
These examples all start with
./but the instructions are to install the arvados-client package which means it will be in $PATH.
Okay, those changes have been made.
Updated by Peter Amstutz almost 3 years ago
- Status changed from Feedback to Resolved