---
title: Configuring SSH access for your deployment
owner: Diego
---
If you need to troubleshoot an instance of an application, you can gain SSH access to the app using the SSH proxy and daemon.
For example, one of the app instances might be unresponsive, or the log output from the app is inconsistent or incomplete. You can SSH into the individual VM to troubleshoot the problem instance.
<%= vars.mutual_tls_ssh %>
## <a id="diego-ssh-concepts"></a> About SSH access
The SSH system components include the SSH proxy and daemon, and the system also supports authentication and load balancing of incoming SSH traffic. For a conceptual overview, see [App SSH components and processes](../../concepts/diego/ssh-conceptual.html).
## <a id="ssh-access-control-hierarchy"></a> SSH access control hierarchy
Operators, space managers, and space developers can configure SSH access for <%= vars.app_runtime_abbr %>,
for spaces, and for apps as described in the table:
<table id='TK-NAME' class="table" >
<thead><tr>
<th><strong>User role</strong></th>
<th><strong>Scope of SSH permissions control</strong></th>
<th><strong>How they define SSH permissions</strong></th>
</tr></thead>
<tr>
<td>Operator</td>
<td>Entire deployment</td>
<td>Configure the deployment to allow or prohibit SSH access (one-time). <%=vars.config_ssh_link%></td>
</tr><tr>
<td>Space manager</td>
<td>Space</td>
<td>cf CLI <a href="http://cli.cloudfoundry.org/en-US/cf/allow-space-ssh.html">allow-space-ssh</a> and <a href="http://cli.cloudfoundry.org/en-US/cf/disallow-space-ssh.html">disallow-space-ssh</a> commands</td>
</tr><tr>
<td>Space developer</td>
<td>App</td>
<td>cf CLI <a href="http://cli.cloudfoundry.org/en-US/cf/enable-ssh.html">enable-ssh</a> and <a href="http://cli.cloudfoundry.org/en-US/cf/disable-ssh.html">disable-ssh</a> commands</td>
</tr>
</table>
An app is SSH-accessible only if operators, space managers, and space developers all grant SSH access at their respective levels. For example, the following image shows a deployment in which:
* An operator allowed SSH access at the deployment level.
* A space manager allowed SSH access for apps running in spaces "A" and "B", but not "C".
* A space developer activated SSH access for apps that include "Foo", "Bar", and "Baz".
As a result, apps "Foo", "Bar", and "Baz" accept SSH requests.

Space A has SSH Access Enabled, indicated by a green check mark, for apps "Foo" and "Bar". Space A does not have SSH Access allowed for the third app, indicated by a red X.
Space B has SSH Access Enabled, indicated by a green check mark, for app "Baz". Space B does not have SSH Access allowed for the other two apps, indicated by a red X.
Space C does not have SSH Access allowed for any of its three apps, indicated by a red X.
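The three-level check described above, as an added example (not part of the original document or of the Cloud Foundry code base): it evaluates a constructed inventory modelled on the figure and also lists apps whose app-level switch is on while a higher level blocks them, because those apps become reachable as soon as that level is opened. App names other than Foo, Bar, and Baz, the app-level setting of `app-c1`, and all function and field names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    space: str
    app_ssh_enabled: bool  # space developer's choice (enable-ssh / disable-ssh)


# Constructed sample data modelled on the figure; not read from a real deployment.
DEPLOYMENT_SSH_ALLOWED = True                             # operator's choice
SPACE_SSH_ALLOWED = {"A": True, "B": True, "C": False}    # space managers' choices
APPS = [
    App("Foo", "A", True), App("Bar", "A", True), App("app-a3", "A", False),
    App("Baz", "B", True), App("app-b2", "B", False), App("app-b3", "B", False),
    App("app-c1", "C", True), App("app-c2", "C", False), App("app-c3", "C", False),
]


def blocking_levels(app, deployment_allowed, space_allowed):
    """Return the levels that deny SSH to this app; an empty list means reachable."""
    blocked = []
    if not deployment_allowed:
        blocked.append("deployment")
    if not space_allowed.get(app.space, False):  # unknown space: fail closed
        blocked.append("space")
    if not app.app_ssh_enabled:
        blocked.append("app")
    return blocked


def audit(apps, deployment_allowed, space_allowed):
    """Split apps into reachable ones and latent grants (app switch on, blocked above)."""
    reachable, latent = [], []
    for app in apps:
        blocked = blocking_levels(app, deployment_allowed, space_allowed)
        if not blocked:
            reachable.append(app.name)
        elif "app" not in blocked:
            latent.append((app.name, blocked))
    return reachable, latent


if __name__ == "__main__":
    reachable, latent = audit(APPS, DEPLOYMENT_SSH_ALLOWED, SPACE_SSH_ALLOWED)
    print("Accept SSH requests:", ", ".join(reachable))
    for name, levels in latent:
        print(f"Latent grant: {name} is held back only by: {', '.join(levels)}")
```
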
## <a id='app-ssh-config'></a> SSH access for apps and spaces
Space managers and space developers can configure SSH access from the CLI. The Cloud Foundry Command Line Interface (cf CLI) also includes commands to return the value of the SSH access setting. To use and configure SSH at both the app level and the space level, see [Accessing apps with Diego SSH](./ssh-apps.html).
## <a id="platform-ssh-config"></a> Configuring SSH access for <%= vars.app_runtime_full %>
<%= vars.platform_ssh_configuration %>