If you need to troubleshoot an instance of an app, you can gain SSH access to the app using the SSH proxy and daemon. For example, one of your app instances might be unresponsive, or the log output from the app is inconsistent or incomplete. You can SSH into the individual VM to troubleshoot the problem instance.
Note: If you have mutual TLS between the Gorouter and app containers, app containers accept incoming communication only from the Gorouter. This disables cf ssh. For more information, see the TLS to apps and other back end services section of the HTTP routing topic.
The SSH system components include the SSH proxy and daemon, and the system also supports authentication and load balancing of incoming SSH traffic. For a conceptual overview, see App SSH Components and Processes.
Operators, space managers, and space developers can configure SSH access for TAS for VMs, for spaces, and for apps as described in this table:
User Role | Scope of SSH Permissions Control | How They Define SSH Permissions |
---|---|---|
Operator | Entire deployment | Configure the deployment to allow or prohibit SSH access (one-time). For more information, see Configuring SSH Access for TAS for VMs. |
Space Manager | Space | cf CLI allow-space-ssh and disallow-space-ssh commands |
Space Developer | App | cf CLI enable-ssh and disable-ssh commands |
An app is SSH-accessible only if operators, space managers, and space developers all grant SSH access at their respective levels. For example, the image below shows a deployment where:
As a result, apps “Foo”, “Bar”, and “Baz” accept SSH requests.
Space A has SSH Access Enabled, indicated by a green checkmark, for apps “Foo” and “Bar”. Space A does not have SSH Access Enabled for the third app, indicated by a red X.
Space B has SSH Access Enabled, indicated by a green checkmark, for app “Baz”. Space B does not have SSH Access Enabled for the other two apps, indicated by a red X.
Space C does not have SSH Access Enabled for any of the three apps, indicated by a red X.
Space managers and space developers can configure SSH access from the command line. The Cloud Foundry Command Line Interface (cf CLI) also includes commands to return the value of the SSH access setting. To use and configure SSH at both the app level and the space level, see Accessing Apps with Diego SSH.
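The three-level rule above can be checked mechanically during an access review. The following script is an added example, not part of the original documentation: it takes a constructed inventory of space-level and app-level settings, reports which apps accept SSH, and lists apps that are blocked by only one layer and would become reachable after a single setting change. The apps other than Foo, Bar, and Baz, the inventory format, and the function names are assumptions; in a real audit the flags would come from the cf CLI commands that report the settings (cf space-ssh-allowed and cf ssh-enabled).

```shell
#!/bin/sh
# Added example: effective SSH access across the deployment, space and app layers.
# All data below is constructed for illustration.

DEPLOYMENT_SSH=yes   # operator-level setting (assumed value)

# Constructed inventory, one app per line: SPACE APP SPACE_ALLOWED APP_ENABLED
INVENTORY='A Foo yes yes
A Bar yes yes
A Qux yes no
B Baz yes yes
C Quux no yes
C Corge no no'

# ssh_verdict DEPLOYMENT SPACE_ALLOWED APP_ENABLED
# Prints "allowed", or "blocked:" followed by every layer that denies access.
ssh_verdict() {
    denied=""
    [ "$1" = yes ] || denied="deployment"
    [ "$2" = yes ] || denied="${denied:+$denied,}space"
    [ "$3" = yes ] || denied="${denied:+$denied,}app"
    if [ -z "$denied" ]; then echo "allowed"; else echo "blocked:$denied"; fi
}

# audit DEPLOYMENT: prints "SPACE/APP VERDICT" for each inventory line.
audit() {
    printf '%s\n' "$INVENTORY" | while read -r space app space_ok app_ok; do
        printf '%s/%s %s\n' "$space" "$app" "$(ssh_verdict "$1" "$space_ok" "$app_ok")"
    done
}

# reachable DEPLOYMENT: names of apps that accept SSH requests.
reachable() {
    audit "$1" | awk '$2 == "allowed" { sub(".*/", "", $1); printf "%s%s", sep, $1; sep = " " }
                      END { print "" }'
}

# one_toggle_away DEPLOYMENT: apps denied by exactly one layer, so a single
# allow-space-ssh or enable-ssh (or the operator setting) would expose them.
one_toggle_away() {
    audit "$1" | awk '$2 ~ /^blocked:[a-z]+$/ { printf "%s%s", sep, $1; sep = " " }
                      END { print "" }'
}

audit "$DEPLOYMENT_SSH"
```

Apps in the one_toggle_away list are the ones to review first, because only one role's setting currently stands between them and SSH access.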
Tanzu Operations Manager deployments control SSH access to apps at the TAS for VMs level. Additionally, TAS for VMs supports load balancing of SSH sessions with your load balancer. For information about setting SSH access for your deployment, see Configuring SSH Access.