App SSH Overview
This topic introduces SSH configuration for apps in your deployment.
If you need to troubleshoot an instance of an app, you can gain SSH access to the app using the SSH proxy and daemon.
For example, one of your app instances may be unresponsive, or the log output from the app may be inconsistent or incomplete. You can SSH into the individual VM that runs the problem instance to troubleshoot.
Operators, space managers, and space developers can configure SSH access for PWS, for spaces, and for apps as described in this table:
| User Role | Scope of SSH Permissions Control | How They Define SSH Permissions |
|---|---|---|
| Operator | Entire deployment | Configure the deployment to allow or prohibit SSH access (one-time). |
| Space Manager | Space | cf CLI allow-space-ssh and disallow-space-ssh commands |
| Space Developer | App | cf CLI enable-ssh and disable-ssh commands |
An app is SSH-accessible only if operators, space managers, and space developers all grant SSH access at their respective levels. For example, the image below shows a deployment where:
- An operator allowed SSH access at the deployment level.
- A space manager allowed SSH access for apps running in spaces “A” and “B” but not “C”.
- A space developer enabled SSH access for apps that include “Foo”, “Bar”, and “Baz”.
As a result, apps “Foo”, “Bar”, and “Baz” accept SSH requests.
Space managers and space developers can configure SSH access from the command line. The Cloud Foundry Command Line Interface (cf CLI) also includes commands to return the value of the SSH access setting. To use and configure SSH at both the app level and the space level, see Accessing Apps with Diego SSH.
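The three-level rule above can be checked per app with the cf CLI's query commands, which is useful when reviewing which apps are reachable over SSH. The script below is an added example, not part of the original documentation. It assumes that `cf space-ssh-allowed` and `cf ssh-enabled` print "is enabled" or "is disabled", and `DEPLOYMENT_SSH` is a hypothetical variable standing in for the operator-level setting.

```shell
#!/bin/sh
# Added example: report the effective SSH state of apps in one space.
# Usage: ./ssh_audit.sh SPACE APP [APP...]   (needs a logged-in cf CLI)
# Note: the script runs "cf target -s", which changes the targeted space.

# The operator-level setting is not read by the two commands used below, so it
# is supplied by hand. DEPLOYMENT_SSH is a hypothetical variable; the default
# "yes" follows the page's statement that SSH is supported by default.
DEPLOYMENT_SSH="${DEPLOYMENT_SSH:-yes}"

# Print yes, no or unknown for one cf query.
# Assumption: the CLI output contains "is enabled" or "is disabled".
# A failed or unrecognised query is "unknown", never silently "no".
ssh_state() {
  _o=$("$@" 2>/dev/null) || { echo unknown; return 0; }
  case "$_o" in
    *"is disabled"*) echo no ;;
    *"is enabled"*)  echo yes ;;
    *)               echo unknown ;;
  esac
}

# One line per app: each level's setting and the combined result.
audit_space() {
  space=$1; shift
  cf target -s "$space" >/dev/null 2>&1 || { echo "cannot target $space" >&2; return 2; }
  space_ssh=$(ssh_state cf space-ssh-allowed "$space")
  for app in "$@"; do
    app_ssh=$(ssh_state cf ssh-enabled "$app")
    case "$DEPLOYMENT_SSH/$space_ssh/$app_ssh" in
      yes/yes/yes)      effective=ACCEPTS_SSH ;;  # all three levels grant
      no/*|*/no/*|*/no) effective=blocked ;;      # any one level denies
      *)                effective=unknown ;;      # could not be determined
    esac
    echo "$space/$app deployment=$DEPLOYMENT_SSH space=$space_ssh app=$app_ssh -> $effective"
  done
}

if [ "$#" -ge 2 ]; then audit_space "$@"; fi
```

Apps reported as `ACCEPTS_SSH` that do not need troubleshooting access can be closed off with the disable-ssh command, or a whole space with disallow-space-ssh.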
The PWS deployment supports SSH access to applications by default. See the links above to set the app and space SSH controls.
The SSH system components include the SSH proxy and daemon, and the system also supports authentication and load balancing of incoming SSH traffic. For a conceptual overview, see App SSH Components and Processes.