All Products
Search

This Product

    Container Service for Kubernetes:Work with the administrative container of ContainerOS

    Document Center

    Container Service for Kubernetes:Work with the administrative container of ContainerOS

    Last Updated:Oct 08, 2024

    To mitigate security risks, ContainerOS restricts direct system logon for untraceable operations and SSH logons. For administrative tasks such as troubleshooting and package installation, ContainerOS provides an administrative container. This topic describes how to perform common administrative operations in ContainerOS, including logon, startup, shutdown, restart, and status query.

    Compared with hosts, the administrative container is pre-installed with additional software packages and allows package installations by using the software package manager YUM. In the administrative container, you can view information about system processes, networks, and system configurations. In addition, the administrative container also provides commands that you can use to log on to the host from the container. This logon method is similar to the method when you log on to the instance by using Workbench.

    Prerequisites

    • The logon type of the Elastic Compute Service (ECS) instance or the cluster must be set to Key Pair. You can log on to the administrative container only by using key pairs. This means that you must set the logon type to Key Pair when you create the instance or cluster. If you do not specify Key Pair as the logon type when you create the instance, you need to associate a key pair with the instance after the instance is created. For more information about how to associate a key pair with an ECS instance, see Bind an SSH key pair.

    • The Cloud Assistant client is installed on the ECS instance. The administrative container is managed by using the Cloud Assistant client to call API operations. For more information about how to install and use the Cloud Assistant client, see Install Cloud Assistant Agent and Overview.

    • Traffic on port 22 is allowed by the security group. Otherwise, you cannot log on to the ECS instance by using Workbench. For more information about how to configure a security group to allow traffic on a port, see Security group overview.

    • Secret-free logon is enabled for the ECS instance.

      image

    Enter the host environment

    1. Log on to the ECS console and go to the Create Command panel of the Cloud Assistant page. For more information, see Use the immediate execution feature.

    2. Run the following command in the Create Command panel to start the administrative container: 

      sudo lifseacli container start

      Expected output:启动运维容器.png

      The output shows that the administrative container is restarted by using Cloud Assistant.

    3. Run the following command to log on to the administrative container by using the specified private key from a terminal that supports SSH commands.

      Note

      • Replace <ssh-private-key.pem> with the private key from the key pair that is associated with the instance, and <instance-ip> with the IP address of the instance.

      • Alternatively, you can log on directly as admin by using Workbench. The private key is from the key pair that is associated with the instance. Make sure that port 22 is open on the instance.

      ssh -i <ssh-private-key.pem> admin@<instance-ip>

      The page in the following figure appears after you log on to the administrative container. The root file system of the host is mounted in read-only mode to the /.lifsea/rootfs directory of the administrative container. You can directly obtain system information and configurations from the directory.

      登录运维容器.png

    4. Run the following command to log on to the host from the administrative container:

      sudo superman

    5. Run the ls command to query the available system commands.

      Expected output:进入目录.png

      The output indicates that the host offers a limited set of system commands.

    Other operations

    After you log on to the host environment, you can use the exit command to exit the host environment. Run the exit command once more to exit the administrative container. The administrative container is still running and can be reconnected by using SSH. Additionally, you can stop, restart, or delete the administrative container by using the relevant commands.

    Stop the administrative container

    sudo lifseacli container stop

    Restart the administrative container

    If you associate a new key pair with or disassociate the key pair from the instance after you start the administrative container, you must restart the container for the change to take effect.

    sudo lifseacli container restart

    Delete the administrative container

    sudo lifseacli container rm
    Important

    Deleting the administrative container also removes installed software and saved files. Restarting the container initializes a new environment. Do not save business-critical data in the administrative container.

    Query the status of the administrative container 

    sudo lifseacli container status

    FAQ

    What do I do if the error UNPROTECTED PRIVATE KEY FILE! occurs when I connect to the administrative container?

    Description

    This error occurs when you attempt to connect to the administrative container.

    FAQ.png

    Cause

    The private key file is accessible by other users.

    Solution

    Run the chmod 400 <ssh-private-key.pem> command to adjust the permissions to 400 on the private key file. Replace <ssh-private-key.pem> with the name of your private key file.