Project

General

Profile

Actions

Feature #17668

closed

[Documentation] Container shell access

Added by Tom Clegg about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
05/14/2021
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-
Release relationship:
Auto

Description

(moved from #17657)

Need to document the ShellAccess feature. I know we don't have doc yet for arvados-client, but I think this feature should be documented separately.

We should add a note about firewalling to the configuration reference, at a minimum. And something in the user guide on how to use the feature (under "debugging containers", perhaps).

It would be nice to have a page in the architecture section, under "Computation with crunch" that describes how the feature works (the interaction between a-d-c and controller and crunch-run), why it is secure, and how to use it.


Subtasks 1 (0 open1 closed)

Task #17683: review 17668-doc-container-shell-accessResolvedWard Vandewege05/14/2021

Actions

Related issues

Related to Arvados - Feature #17657: [container shell] support SSH port forwardingResolvedTom Clegg05/10/2021

Actions
Blocks Arvados - Story #17512: Release Arvados 2.2ResolvedPeter Amstutz05/03/2021

Actions
Actions #1

Updated by Tom Clegg about 1 year ago

  • Description updated (diff)
Actions #2

Updated by Tom Clegg about 1 year ago

  • Related to Feature #17657: [container shell] support SSH port forwarding added
Actions #3

Updated by Ward Vandewege about 1 year ago

  • Target version set to 2021-05-26 sprint
  • Assigned To set to Ward Vandewege
Actions #4

Updated by Peter Amstutz about 1 year ago

  • Release set to 38
Actions #5

Updated by Ward Vandewege about 1 year ago

Actions #6

Updated by Ward Vandewege about 1 year ago

  • Status changed from New to In Progress

Ready for review at 3751d9e286c214dbe8c0cf078b4919c94a7c3407 on branch 17668-doc-container-shell-access

Actions #7

Updated by Tom Clegg about 1 year ago

This is great, thanks.

On the install side:

When enabling, the change will only affect containers started from that point on.

Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?

On the user side:

"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...

Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?

Actions #8

Updated by Ward Vandewege about 1 year ago

Tom Clegg wrote:

This is great, thanks.

On the install side:

When enabling, the change will only affect containers started from that point on.

Unless I'm forgetting something, this isn't true -- the config knob only determines whether controller will accept new connections, so you can enable/disable on the fly while containers are running. On that note, is it worth mentioning that restarting controller will unceremoniously kill any active connections?

On the user side:

"tool has a number of command line arguments" seems a bit odd since there's only one... and (related) it might be worth mentioning that everything after user@container is passed through to your OpenSSH client, so many other SSH features can also be used, like -g, -f, -N, -n...

Bikeshed: Perhaps using "echo hello | nc localhost 8888" would make it easier to show the difference between the "hello" that is typed and the "hello" that comes out at the other end?

Excellent points, thanks, updated in 6fa1fbd935fd665494ea87716aef901144d14479

Actions #9

Updated by Tom Clegg about 1 year ago

LGTM, thanks!

Actions #10

Updated by Ward Vandewege about 1 year ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved
Actions #11

Updated by Peter Amstutz about 1 year ago

  • Status changed from Resolved to Feedback

nits:

This means many other SSH features can be used, e.g. -g, -f -N, -n, …

You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.

~$ ./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430 -L8888:localhost:80

These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.

Actions #12

Updated by Ward Vandewege about 1 year ago

Peter Amstutz wrote:

nits:

[...]

You're kind of giving the user homework to look up what those commands do. Either explain them or just leave it at "everything is passed through" because you demonstrate it with -L in the examples.

[...]

These examples all start with ./ but the instructions are to install the arvados-client package which means it will be in $PATH.

Okay, those changes have been made.

Actions #13

Updated by Peter Amstutz about 1 year ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF