Connecting to a Container

Containers are treated as immutable infrastructure and therefore it is generally not recommended to modify the content of a container through SSH or running custom commands inside the container. Nevertheless, in some use-cases, such as debugging an application, it might be beneficial to access a container and inspect the application.

Exercise: Remote Shell Session to a Container Using the CLI

OpenShift allows establishing remote shell sessions to a container without the need to run an SSH service inside each container. In order to establish an interactive session inside a container, you can use the oc rsh command. First, get the list of available Pods:

oc get pods

You should see an output similar to the following:

NAME                        READY   STATUS    RESTARTS   AGE
parksmap-65c4f8b676-fxcrq   1/1     Running   0          52m

Now you can establish a remote shell session to the Pod by using the Pod name:

oc rsh parksmap-65c4f8b676-fxcrq

You will see the following output:

sh-4.2$

The default shell used by oc rsh is /bin/sh. If the deployed container does not have sh installed and uses another shell (e.g., bash), the shell command can be specified after the Pod name in the issued command.

Run the following command to list the files in the root directory:

ls /

anaconda-post.log  bin  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  parksmap.jar  proc  root  run  sbin  srv  sys  tmp  usr  var

Remember the default Service Account mentioned previously? You can view the token associated with that Service Account that was injected into the container using the following command:

cat /var/run/secrets/kubernetes.io/serviceaccount/token

Exercise: Remote Shell Session to a Container Using the Web Console

The OpenShift Web Console also provides a convenient way to access a terminal session on the container without having to use the CLI.

To access a Pod’s terminal via the Web Console, go to the Topology view, click the parksmap entry, and then click on the Pod.

Once you are viewing the information for the selected Pod, click on the Terminal tab to open a shell session.

Go ahead and execute the same commands you did when using the CLI to see how the Web Console-based terminal behaves.

Before proceeding, close the connection to the Pod:

exit

Exercise: Execute a Command in a Container

In addition to remote shell, it is also possible to run a command remotely in an already running container using the oc exec command. This does not require a shell to be installed, but only that the desired command is present and in the executable path.

To show just the parksmap application’s JAR file, run the following:

oc exec parksmap-65c4f8b676-fxcrq -- ls -l /parksmap.jar

You should see something like the following:

-rw-r--r--. 1 root root 39138901 Apr  1 16:54 /parksmap.jar

The -- syntax in the oc exec command delineates where exec’s options end and where the actual command to execute begins. Take a look at oc exec --help for more details.

You can also specify the shell commands to run directly with the oc rsh command:

oc rsh parksmap-65c4f8b676-fxcrq whoami

You will see something like:

1000580000

It is important to understand that, for security reasons, OpenShift does not run containers as the user specified in the Dockerfile by default. In fact, when OpenShift launches a container, its user is actually randomized.

If you need to allow OpenShift users to deploy container images that expect to run as root (or any specific user), a small configuration change is needed. You can learn more about the container image guidelines for OpenShift.