To mitigate security risks, ContainerOS restricts direct system logon for untraceable operations and SSH logons. For administrative tasks such as troubleshooting and package installation, ContainerOS provides an administrative container. This topic describes how to perform common administrative operations in ContainerOS, including logon, startup, shutdown, restart, and status query.
Compared with the host, the administrative container comes with additional pre-installed software packages and lets you install more packages by using the YUM package manager. In the administrative container, you can view information about system processes, networks, and system configurations. The administrative container also provides commands that you can use to log on to the host from the container. This logon method is similar to logging on to the instance by using Workbench.
Prerequisites
The logon type of the Elastic Compute Service (ECS) instance or the cluster must be set to Key Pair. You can log on to the administrative container only by using key pairs. This means that you must set the logon type to Key Pair when you create the instance or cluster. If you do not specify Key Pair as the logon type when you create the instance, you need to associate a key pair with the instance after the instance is created. For more information about how to associate a key pair with an ECS instance, see Bind an SSH key pair.
The Cloud Assistant client is installed on the ECS instance. The administrative container is managed by using the Cloud Assistant client to call API operations. For more information about how to install and use the Cloud Assistant client, see Install Cloud Assistant Agent and Overview.
Traffic on port 22 is allowed by the security group. Otherwise, you cannot log on to the ECS instance by using Workbench. For more information about how to configure a security group to allow traffic on a port, see Security group overview.
Secret-free logon is enabled for the ECS instance.
Enter the host environment
Log on to the ECS console and go to the Create Command panel of the Cloud Assistant page. For more information, see Use the immediate execution feature.
Run the following command in the Create Command panel to start the administrative container:
sudo lifseacli container start
Expected output:
The output shows that the administrative container is restarted by using Cloud Assistant.
Run the following command to log on to the administrative container by using the specified private key from a terminal that supports SSH commands.
Note: Replace <ssh-private-key.pem> with the private key from the key pair that is associated with the instance, and <instance-ip> with the IP address of the instance. Alternatively, you can log on directly as admin by using Workbench. The private key is from the key pair that is associated with the instance. Make sure that port 22 is open on the instance.
ssh -i <ssh-private-key.pem> admin@<instance-ip>
The page in the following figure appears after you log on to the administrative container. The root file system of the host is mounted in read-only mode to the /.lifsea/rootfs directory of the administrative container. You can directly obtain system information and configurations from the directory.
Run the following command to log on to the host from the administrative container:
sudo superman
Run the ls command to query the available system commands.
Expected output:
The output indicates that the host offers a limited set of system commands.
Other operations
After you log on to the host environment, you can use the exit command to exit the host environment. Run the exit command once more to exit the administrative container. The administrative container is still running and can be reconnected by using SSH. Additionally, you can stop, restart, or delete the administrative container by using the relevant commands.
Stop the administrative container
sudo lifseacli container stop
Restart the administrative container
If you associate a new key pair with or disassociate the key pair from the instance after you start the administrative container, you must restart the container for the change to take effect.
sudo lifseacli container restart
Delete the administrative container
sudo lifseacli container rm
Deleting the administrative container also removes installed software and saved files. Restarting the container initializes a new environment. Do not save business-critical data in the administrative container.
Query the status of the administrative container
sudo lifseacli container status
FAQ
What do I do if the error UNPROTECTED PRIVATE KEY FILE! occurs when I connect to the administrative container?
Description
This error occurs when you attempt to connect to the administrative container.
Cause
The private key file is accessible by other users.
Solution
Run the chmod 400 <ssh-private-key.pem> command to adjust the permissions to 400 on the private key file. Replace <ssh-private-key.pem> with the name of your private key file.
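The following script is an added example, not part of the original documentation. It checks the private key for the condition behind UNPROTECTED PRIVATE KEY FILE! before running the admin@<instance-ip> logon shown earlier, and tightens the file to 400 only when needed. The function names are hypothetical, and IdentitiesOnly is a standard OpenSSH option added here so that only the specified key is offered.

```shell
#!/bin/sh
# Added example: preflight for the SSH logon to the administrative container.

# Succeeds only when the key file grants nothing to group or other.
# Returns 2 if the file does not exist.
key_is_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the mode string are the group and other triplets.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Tightens the key to 400 if it is too open. Prints what happened:
# "unchanged", "tightened", or "missing".
protect_key() {
    if key_is_private "$1"; then
        echo "unchanged"
    else
        [ -f "$1" ] || { echo "missing"; return 2; }
        chmod 400 -- "$1" && echo "tightened"
    fi
}

# Logs on as admin with the given key, as in the procedure above.
admin_logon() {
    state=$(protect_key "$1") || { echo "key file problem: $state" >&2; return 1; }
    [ "$state" = "tightened" ] && echo "permissions on $1 were too open; set to 400" >&2
    # IdentitiesOnly keeps ssh from offering other keys held by an agent.
    ssh -i "$1" -o IdentitiesOnly=yes admin@"$2"
}

# Usage: sh admin-logon.sh <ssh-private-key.pem> <instance-ip>
if [ "$#" -eq 2 ]; then
    admin_logon "$1" "$2"
fi
```
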