Feature #17668

[Documentation] Container shell access

Added by Tom Clegg 8 months ago. Updated 8 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
05/14/2021
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-
Release relationship:
Auto

Description

(moved from #17657)

Need to document the ShellAccess feature. I know we don't have doc yet for arvados-client, but I think this feature should be documented separately.

We should add a note about firewalling to the configuration reference, at a minimum. And something in the user guide on how to use the feature (under "debugging containers", perhaps).

It would be nice to have a page in the architecture section, under "Computation with crunch" that describes how the feature works (the interaction between a-d-c and controller and crunch-run), why it is secure, and how to use it.


Subtasks

Task #17683: review 17668-doc-container-shell-accessResolvedWard Vandewege


Related issues

Related to Arvados - Feature #17657: [container shell] support SSH port forwardingResolved05/10/2021

Blocks Arvados - Story #17512: Release Arvados 2.2Resolved05/03/2021

Associated revisions

Revision 2d0fb353
Added by Ward Vandewege 8 months ago

Merge branch '17668-doc-container-shell-access'

closes #17668

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <>

Revision f0f77a85 (diff)
Added by Ward Vandewege 8 months ago

A few more doc tweaks.

refs #17668

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <>

History

#1 Updated by Tom Clegg 8 months ago

  • Description updated (diff)

#2 Updated by Tom Clegg 8 months ago

  • Related to Feature #17657: [container shell] support SSH port forwarding added

#3 Updated by Ward Vandewege 8 months ago

  • Target version set to 2021-05-26 sprint
  • Assigned To set to Ward Vandewege

#4 Updated by Peter Amstutz 8 months ago

  • Release set to 38

#5 Updated by Ward Vandewege 8 months ago

#6 Updated by Ward Vandewege 8 months ago

  • Status changed from New to In Progress

Ready for review at 3751d9e286c214dbe8c0cf078b4919c94a7c3407 on branch 17668-doc-container-shell-access

#7 Updated by Tom Clegg 8 months ago

This is great, thanks.

On the install side:

When enabling, the change will only affect containers started from that point on.

Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?

On the user side:

"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...

Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?

#8 Updated by Ward Vandewege 8 months ago

Tom Clegg wrote:

This is great, thanks.

On the install side:

When enabling, the change will only affect containers started from that point on.

Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?

On the user side:

"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...

Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?

Excellent points, thanks, updated in 6fa1fbd935fd665494ea87716aef901144d14479

#9 Updated by Tom Clegg 8 months ago

LGTM, thanks!

#10 Updated by Ward Vandewege 8 months ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved

#11 Updated by Peter Amstutz 8 months ago

  • Status changed from Resolved to Feedback

nits:

This means many other SSH features can be used, e.g. -g, -f -N, -n, …

You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.

~$ ./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430 -L8888:localhost:80

These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.

#12 Updated by Ward Vandewege 8 months ago

Peter Amstutz wrote:

nits:

[...]

You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.

[...]

These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.

Okay, those changes have been made.

#13 Updated by Peter Amstutz 8 months ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF