forked from pivotal-cf/docs-ops-guide
config-ssh.html.md.erb
---
title: Configuring SSH Access for PCF
owner: Diego
---
<strong><%= modified_date %></strong>
To help troubleshoot applications hosted by a deployment, [Pivotal Cloud Foundry (PCF)](https://network.pivotal.io/products/pivotal-cf) supports SSH access into running applications. This document describes how to configure a PCF deployment to allow SSH access to application instances, and how to configure load balancing for those application SSH sessions.
## <a id='diego-configuration'></a> Elastic Runtime Configuration
This section describes how to configure Elastic Runtime to enable or disable deployment-wide SSH access to application instances. In addition to this deployment-wide configuration, Space Managers have SSH access control over their Space, and Space Developers have SSH access control over their Applications. For details about SSH access permissions, see the [Application SSH Overview](../devguide/deploy-apps/app-ssh-overview.html) topic.
To configure Elastic Runtime SSH access for application instances:
1. Open the **Pivotal Elastic Runtime** tile in Ops Manager.
1. Under the **Settings** tab, select the **Application Containers** section.
1. Enable or disable the <strong>Allow SSH access to app containers</strong> checkbox.
1. Optionally, select **Enable SSH when an app is created** to enable SSH access for new apps by default in spaces that allow SSH. If you deselect this checkbox, developers can still enable SSH after pushing their apps by running `cf enable-ssh APP-NAME`.
<%= image_tag("./images/er-config-app-containers.png") %>
## <a id="ssh-load-balancer-configuration"></a> SSH Load Balancer Configuration
If you use HAProxy as a load balancer and SSH access is enabled, SSH requests are load balanced by HAProxy. This configuration relies on the presence of the same Consul server cluster that Diego components use for service discovery. This configuration also works well for deployments where all traffic on the system domain and its subdomains is directed towards the HAProxy job, as is the case for a BOSH-Lite Cloud Foundry deployment on the default `192.0.2.34.xip.io` domain.
For AWS deployments, where the infrastructure offers load-balancing as a service through ELBs, the deployment operator can provision an ELB to balance load across the SSH proxy instances. You should configure this ELB to listen to TCP traffic on the port given in `app_ssh.port` and to send it to port 2222.
To register the SSH proxies with this ELB, add the ELB identifier to the `elbs` property in the `cloud_properties` hash of the Diego manifest `access_zN` resource pools. If you used the Spiff-based manifest-generation templates to produce the Diego manifest, specify these `cloud_properties` hashes in the `iaas_settings.resource_pool_cloud_properties` section of the `iaas-settings.yml` stub.
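The following `iaas-settings.yml` fragment illustrates the ELB registration described above. It is an added example, not taken from the PCF or Diego documentation. The two-zone layout, the availability zone values, and the `SSH-PROXY-ELB-NAME` placeholder are assumptions; substitute the values from your own deployment.

```yaml
# iaas-settings.yml stub (illustrative fragment; values are constructed placeholders)
#
# ELB side, configured in AWS and not in this file:
#   listener:  TCP on the port given in app_ssh.port
#   forwards:  TCP to instance port 2222 (the SSH proxy)
# Use a TCP listener rather than HTTP so the SSH stream is passed through
# to the proxy unmodified.
iaas_settings:
  resource_pool_cloud_properties:
  # One entry per access_zN resource pool. Only the access pools host the
  # SSH proxies, so only they need the elbs property.
  - name: access_z1
    cloud_properties:
      availability_zone: AVAILABILITY-ZONE-1   # placeholder
      elbs:
      - SSH-PROXY-ELB-NAME                     # placeholder: ELB identifier
  - name: access_z2
    cloud_properties:
      availability_zone: AVAILABILITY-ZONE-2   # placeholder
      elbs:
      - SSH-PROXY-ELB-NAME                     # same ELB balances both zones
```

Attaching the ELB only to the `access_zN` pools keeps the SSH listener from being routed to VMs that do not run the SSH proxy.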