Pivotal Knowledge Base


How to log in to an app's container as root?

Environment

Product Version
Pivotal Cloud Foundry® (PCF) 1.6.x, 1.7.x

Purpose

This article discusses how to log in to an app's container as root.

Cause 

Sometimes a user needs to run commands in a container that require root privileges. Running 'cf ssh <appname>' only logs you in to the container as the vcap user.

Procedure

1. Run 'cf curl /v2/apps/<guid>/stats' for the specific app. The output shows the port number and the host IP address of the Diego cell on which the app instance is running.

ubuntu@pivotal-ops-manager:~$ cf app cook1 --guid
9d22bd4b-e047-4ccd-b55b-7d5a413e5d5d
ubuntu@pivotal-ops-manager:~$ cf curl /v2/apps/9d22bd4b-e047-4ccd-b55b-7d5a413e5d5d/stats
{
  "0": {
    "state": "RUNNING",
    "stats": {
      "name": "cook1",
      "uris": [
        "cooke1.apps.azhao.com"
      ],
      "host": "192.168.7.90",
      "port": 60116,
      "uptime": 525952,
      "mem_quota": 536870912,
      "disk_quota": 1073741824,
      "fds_quota": 16384,
      "usage": {
        "time": "2016-06-13T05:33:42.001386709Z",
        "cpu": 0.0015737299194776544,
        "mem": 345284608,
        "disk": 178515968
      }
    }
  }
}


2. Run 'bosh vms | grep <host>' to get the name of the Diego cell, where <host> is the IP address listed in step 1. Then run 'bosh ssh' and select that Diego cell to log in. On the cell, run 'ps aux | grep <port-number> | grep -v spawn | grep -v sshd | grep -v grep'.


bosh_o5zqctjgv@31ca2cf1-9147-4f5b-b521-a48099d603f4:~$ ps aux | grep 60116 | grep -v spawn | grep -v sshd | grep -v grep
root 28077 0.0 0.0 145212 5084 ? S<l Jun07 0:04 /var/vcap/data/garden/depot/ib2acg2jbnr/bin/wsh --socket /var/vcap/data/garden/depot/ib2acg2jbnr/run/wshd.sock --readSignals --user vcap --env CF_INSTANCE_ADDR=192.168.7.90:60116 --env CF_INSTANCE_GUID=3876647b-ce99-4028-5b94-6111dc7e0dc3 --env CF_INSTANCE_INDEX=0 --env CF_INSTANCE_IP=192.168.7.90 --env CF_INSTANCE_PORT=60116 --env CF_INSTANCE_PORTS=[{"external":60116,"internal":8080},{"external":60117,"internal":2222}] --env CF_TARGET=https://api.system.azhao.com --env INSTANCE_GUID=3876647b-ce99-4028-5b94-6111dc7e0dc3 --env INSTANCE_INDEX=0 --env LANG=en_US.UTF-8 --env MEMORY_LIMIT=512m --env PORT=8080 --env SPRING_PROFILES_ACTIVE=dev --env VCAP_APPLICATION={"limits":{"mem":512,"disk":1024,"fds":16384},"application_id":"9d22bd4b-e047-4ccd-b55b-7d5a413e5d5d","application_version":"316f7f38-bed6-4eae-a0b9-a1eb19c6cd4d","application_name":"cook1","application_uris":["cooke1.apps.azhao.com"],"version":"316f7f38-bed6-4eae-a0b9-a1eb19c6cd4d","name":"cook1","space_name":"development","space_id":"be00a5ea-567e-4757-b1d7-d210e87f2c7f","uris":["cooke1.apps.azhao.com"]} --env VCAP_SERVICES={"p-config-server":[{"name":"config-server","label":"p-config-server","tags":["configuration","spring-cloud"],"plan":"standard","credentials":{"uri":"https://config-c9dd5f7b-27be-4a0f-aea3-31b459d48f96.apps.azhao.com","client_id":"p-config-server-c601bb38-1d72-4f3b-a2d2-6cd8c708648b","client_secret":"9M4NyKOuhioF","access_token_uri":"https://p-spring-cloud-services.uaa.system.azhao.com/oauth/token"}}]} /tmp/lifecycle/launcher app CALCULATED_MEMORY=$($PWD/.java-buildpack/open_jdk_jre/bin/java-buildpack-memory-calculator-2.0.0_RELEASE -memorySizes=metaspace:64m.. 
-memoryWeights=heap:75,metaspace:10,native:10,stack:5 -memoryInitials=heap:100%,metaspace:100% -totMemory=$MEMORY_LIMIT) && SERVER_PORT=$PORT $PWD/.java-buildpack/open_jdk_jre/bin/java -cp $PWD/.:$PWD/.java-buildpack/spring_auto_reconfiguration/spring_auto_reconfiguration-1.10.0_RELEASE.jar -Djava.io.tmpdir=$TMPDIR -XX:OnOutOfMemoryError=$PWD/.java-buildpack/open_jdk_jre/bin/killjava.sh $CALCULATED_MEMORY org.springframework.boot.loader.JarLauncher

3. Copy the wsh part of this command (the wsh path and its --socket argument, leaving off the --user argument) and run it as root. That will put you into the container as root.

bosh_o5zqctjgv@31ca2cf1-9147-4f5b-b521-a48099d603f4:~$ sudo su -
root@31ca2cf1-9147-4f5b-b521-a48099d603f4:~# /var/vcap/data/garden/depot/ib2acg2jbnr/bin/wsh --socket /var/vcap/data/garden/depot/ib2acg2jbnr/run/wshd.sock
#
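
Step 3 as a small helper, added here as an example and not part of the original article: it pulls the wsh path and its --socket argument out of a ps line and drops --user and every --env value, so the service credentials carried in VCAP_SERVICES are not copied along with the command. The function name wsh_root_cmd, the depot name and the sample line are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): derive the root wsh command
# from a `ps aux` line on the Diego cell without echoing the --env values.

# wsh_root_cmd: read ps output on stdin, print "<wsh> --socket <sock>" per match.
# --user and every --env argument are discarded, so secrets in VCAP_SERVICES
# never reach the terminal scrollback or a pasted ticket.
wsh_root_cmd() {
  awk '
    {
      wsh = ""; sock = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ "^/var/vcap/data/garden/depot/[^/]+/bin/wsh$") wsh = $i
        if ($i == "--socket" && i < NF) sock = $(i + 1)
      }
      # Require the socket to sit in the same depot directory as the binary.
      depot = wsh; sub("/bin/wsh$", "", depot)
      if (wsh != "" && sock == depot "/run/wshd.sock") print wsh, "--socket", sock
    }'
}

# Constructed sample line, shaped like the ps output in step 2 (values are made up).
SAMPLE_PS='root 28077 0.0 0.0 145212 5084 ? S<l Jun07 0:04 /var/vcap/data/garden/depot/exampledepot1/bin/wsh --socket /var/vcap/data/garden/depot/exampledepot1/run/wshd.sock --readSignals --user vcap --env CF_INSTANCE_PORT=60116 --env VCAP_SERVICES={"credentials":{"client_secret":"CONSTRUCTED"}} /tmp/lifecycle/launcher app'

# On a cell, the live equivalent of step 2 piped into the helper would be:
#   ps aux | grep <port-number> | grep -v spawn | grep -v sshd | grep -v grep | wsh_root_cmd
printf '%s\n' "$SAMPLE_PS" | wsh_root_cmd
```

The printed line is the command to run from the root shell on the cell; a ps line whose socket path does not belong to the same depot directory as the wsh binary produces no output.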
 

Impact/Risks

Use this access with care, and only for debugging, troubleshooting and monitoring purposes. Any changes made as root will be lost when the application is restarted or restaged.

Additional Information

This guide is for Diego Garden-Linux containers. To SSH to a DEA container (before PCF 1.7) as root, refer to this link:

https://docs.cloudfoundry.org/running/troubleshooting/troubleshooting-apps.html#access-warden 
