Troubleshooting guide on configuring and using CF SSH

Article ID: 298185


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

This article applies to Pivotal Cloud Foundry (PCF) versions 1.8 and above.

Note: PCF is now VMware Tanzu Application Service (TAS) for VMs. 

You are unable to SSH into an application container using:

cf ssh <app_name>


There can be multiple reasons why cf ssh is unable to connect to the application container. Here is a list of possible error messages.

  • Error opening SSH connection: dial tcp 10.7.19.185:2222: getsockopt: connection timed out
  • Error opening SSH connection: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
  • Error opening SSH connection: dial tcp <load balancer ip>:2222: getsockopt: connection refused
  • Error: SSH session allocation failed: ssh: rejected: administratively prohibited (SSH is not supported on windows cells)


Environment

Product Version: 1.10

Resolution

Start with this checklist to confirm the platform is properly configured for cf ssh and that the user trying to SSH to the application container has the correct permissions to do so.

  • Check the Elastic Runtime tile configuration to make sure SSH is enabled for application containers. Go to the Ops Manager Web UI and click on the Elastic Runtime tile. Proceed to the `Application Containers` configuration page. Make sure the `Allow SSH access to app containers` checkbox is checked.
  • cf ssh requires CF CLI version 6.13 or higher. Run `cf version` to verify the CF CLI version installed.

Verify that the application is allowing SSH:

cf target -o <org> -s <space>    # Target the org and space where the application resides

cf ssh-enabled <app_name>


If SSH is not enabled for this application, please enable it by running the following:

cf enable-ssh <app_name>


Verify the space is allowing SSH where the application resides:

cf target -o <org> -s <space>    # Target the org and space where the application resides

cf space-ssh-allowed <space_name>


If SSH is not allowed in this space, please enable it by running the following:

cf allow-space-ssh <space_name>


Any user attempting to SSH to an application container, including the admin user, needs to be assigned SpaceDeveloper permissions to the space where the application resides. This can be granted in the Apps Manager web UI or by using CF CLI.

In the Apps Manager web UI, select the correct org and then click on Members. Assign SpaceDeveloper permissions to the user who requires cf ssh access and save changes.


Alternatively, CF CLI can be used to change the permissions as well.

cf target -o <org> -s <space>    # Target the org and space where the application resides

Example: cf target -o system -s system

cf set-space-role <user> <org_name> <space_name> SpaceDeveloper

Example: cf set-space-role admin system autoscaling SpaceDeveloper
This gives the admin user SpaceDeveloper permission to the autoscaling space in the system org.


Also ensure that there is a DNS entry for ssh.<system-domain> when using a remote cloud service such as Microsoft Azure, Amazon Web Services, or Google Cloud Platform.
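
The CLI-side items of the checklist above (CF CLI version, app SSH flag, space SSH flag) can be run as one preflight. This is an added example, not part of the original article; the helper names are hypothetical, and the output wording it parses ("cf version X.Y.Z+build", "ssh support is enabled/disabled ...") is an assumption that may differ between CF CLI releases. It does not check the SpaceDeveloper role or the DNS entry.

```shell
#!/bin/sh
# Added example: preflight for the CLI-side items of the cf ssh checklist.
# Run `cf target -o <org> -s <space>` first. Parsed output wording is assumed.
# Usage: preflight <app_name> <space_name>

MIN_CLI="6.13"   # minimum CF CLI version stated in the article

# version_ge HAVE NEED: succeeds when HAVE >= NEED, comparing major and minor
# as integers (a string compare would wrongly rank 6.9 above 6.13).
version_ge() {
  have_major=${1%%.*}; rest=${1#*.}; have_minor=${rest%%.*}
  need_major=${2%%.*}; rest=${2#*.}; need_minor=${rest%%.*}
  [ "$have_major" -gt "$need_major" ] && return 0
  [ "$have_major" -eq "$need_major" ] && [ "$have_minor" -ge "$need_minor" ]
}

# cli_version: first dotted number in `cf version` output
# (assumed shape: "cf version 6.13.0+<build>").
cli_version() {
  cf version 2>/dev/null | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# says_enabled TEXT: succeeds only for an explicit "is enabled" answer; errors
# (not logged in, unknown app or space) count as a failed check.
says_enabled() {
  case "$1" in
    *"is disabled"*) return 1 ;;
    *"is enabled"*)  return 0 ;;
    *)               return 1 ;;
  esac
}

# preflight APP SPACE: prints one line per failed item, returns the failure count.
preflight() {
  app=$1; space=$2; fails=0
  v=$(cli_version)
  if [ -z "$v" ] || ! version_ge "$v" "$MIN_CLI"; then
    echo "FAIL cli: need CF CLI >= $MIN_CLI, found '${v:-none}'"; fails=$((fails + 1))
  fi
  if ! says_enabled "$(cf ssh-enabled "$app" 2>&1)"; then
    echo "FAIL app: SSH not enabled, run: cf enable-ssh $app"; fails=$((fails + 1))
  fi
  if ! says_enabled "$(cf space-ssh-allowed "$space" 2>&1)"; then
    echo "FAIL space: SSH not allowed, run: cf allow-space-ssh $space"; fails=$((fails + 1))
  fi
  return "$fails"
}
```

A return value of 0 means all three items passed; any other value is the number of checklist items still to fix.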

Follow the checklist above and resolve any issues found. Please open a ticket with Support if you are unable to identify the problem using the steps above.