0

We are using CF Diego API version 2.89. Currently I was able to use it and see the vcap and the app resources when running `cf ssh myApp`. Now it's become harder :-)

I want to deploy App1 that will "talk" with "APP2" and have access to its file system (as it is available in the command line when you run ls...) via code (node.js). Is it possible?

I've found this lib, which provides the ability to connect to ssh via code, but I'm not sure what I should put in for host, port, etc.

In the connect I provided the password which should be retrieved via code

EDIT

    });
    }).connect({
      host: 'ssh.cf.mydomain.com',
      port: 2222,
      username: 'cf:181c32e2-7096-45b6-9ae6-1df4dbd74782/0',
      password: 'qG0Ztpu1Dh'
    });

Now when I use `cf ssh-code` (to get the password) I get a lot of requests, which I try to simulate via Postman without success. Could someone assist? I need to get the password value somehow... if I don't provide it I get the following error:

SSH Error: All configured authentication methods failed

Btw, let's say that I cannot use CF Networking functionality, volume services and I know that the container is ephemeral....

Jenny Hilton
  • Are you attempting to ssh from one container into another container at runtime? – K.AJ Aug 09 '17 at 14:24
  • @K.AJ - yes exactly – Jenny Hilton Aug 09 '17 at 14:24
  • I have been working with CF for a while and never had a need to do something like that. Just curious, why? Can you explain your use case? Do you just need a common file system resource shared between the two apps? – K.AJ Aug 09 '17 at 14:26
  • BTW, what you are asking goes against cloud native principles. A cloud native app should only be dependent on the cloud environment. The cloud environment should provide everything it needs. And it cannot depend on any other app. Because remember, an app and its container can be replaced with a new instance by CF without any notice to any other apps. – K.AJ Aug 09 '17 at 14:30
  • For host/port, run `bx info`. US South is `ssh.ng.bluemix.net:2222`. You'd also need app guid and a `bx cf ssh-code` to connect though. See as a starter https://stackoverflow.com/questions/41858496/how-to-copy-files-from-liberty-on-bluemix-to-windows I am in agreement with @K.AJ here. This ain't a cloud native design. – amadain Aug 09 '17 at 14:36
  • @K.AJ - I know that, I'm familiar with 12 factor etc. Still, I want to do this POC... Hopefully you can assist – Jenny Hilton Aug 09 '17 at 14:45
  • @amadain - How can I do it with native CF (without bluemix) – Jenny Hilton Aug 09 '17 at 14:46
  • The endpoints are static. Drop the bx to use cf outside of bx context. – amadain Aug 09 '17 at 15:02

2 Answers

2

The process of what happens behind the scenes when you run `cf ssh` is documented here.

  1. It obtains an ssh token. This is the same as running `cf ssh-code`, which is just getting an auth code from UAA. If you run `CF_TRACE=true cf ssh-code` you can see exactly what it's doing behind the scenes to get that code.

  2. You would then need an SSH client (probably a programmatic one) to connect using the following details:

    • port -> 2222
    • user -> `cf:<app-guid>/<app-instance-number>` (ex: `cf:54cccad6-9bba-45c6-bb52-83f56d765ff4/0`)
    • host -> `ssh.system_domain` (look at `cf curl /v2/info` if you're not sure)

Having said this, don't go this route. It's a bad idea. The file system for each app instance is ephemeral. Even if you're connecting from other app instances to share the local file system, you can still lose the contents of that file system pretty easily (cf restart) and for reasons possibly outside of your control (unexpected app crash, platform admin does a rolling upgrade, etc).

Instead store your files externally, perhaps on S3 or a similar service, or look at using Volume services.

Daniel Mikusa
  • Hi Daniel, I've tested it as you mentioned but I got an error, please see my edit... if I missed something. BTW, I'm aware of all the problematic issues that there can be. This is just some test... – Jenny Hilton Aug 16 '17 at 06:50
  • I think the host and port should come from `cf curl /v2/info` app_ssh_endpoint instead of ssh.system_domain. – opiethehokie Aug 16 '17 at 13:57
  • There are non-cf CLI instructions at https://docs.cloudfoundry.org/devguide/deploy-apps/ssh-apps.html#other-ssh-access – opiethehokie Aug 16 '17 at 13:58
  • @opiethehokie - Exactly, I use the app_ssh_endpoint value to connect with the port but it's not working, see my edit please... any idea what could be missing? I also tried with another ssh lib from node (I'll update my question in 2 min), please see if you can assist... thanks! – Jenny Hilton Aug 16 '17 at 14:04
  • Can you do a `cf ssh` and access the application? A typical cause of `All configured authentication methods failed` is that you don't have the SpaceDev for your user. – Daniel Mikusa Aug 16 '17 at 14:43
  • Also, the password is *very* short lived. You should generate a new one on every attempt to login. – Daniel Mikusa Aug 16 '17 at 14:44
  • And to confirm `system_domain` is a place holder for the system domain used by your platform. You can find the exact name by running `cf curl /v2/info` as @opiethehokie correctly said above. – Daniel Mikusa Aug 16 '17 at 14:45
  • @DanielMikusa - Yes I can do it. When I use `cf ssh myapp` I get, after 2 sec, `vcap@c7d049d3-4d11-4782-1c40-23f5:~$` – Jenny Hilton Aug 16 '17 at 14:46
  • @DanielMikusa - I took the pwd, put it in the connect obj and pushed the app, is it OK? – Jenny Hilton Aug 16 '17 at 14:49
  • @DanielMikusa - To take the pass I use: `cf ssh-code | pbcopy` – Jenny Hilton Aug 16 '17 at 14:52
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/152070/discussion-between-daniel-mikusa-and-jenny-hilton). – Daniel Mikusa Aug 16 '17 at 14:59
  • @DanielMikusa - It would be great if you could provide the request to get the password since it's very confusing. I try to simulate it with Postman: for `v2/info` I got data, but for `/oauth/token` I got the error `An Authentication object was not found in the SecurityContext`, and this is for Postman. I don't know how I should handle the token when I use it by code... – Jenny Hilton Aug 16 '17 at 15:51
  • @DanielMikusa - Is there a chance that you can give some direction? I've been stuck with this for more than a week without any success. The `cf ssh-code` output is very confusing :( . Thanks in advance! – Jenny Hilton Aug 16 '17 at 20:12
  • This works for me: https://gist.github.com/dmikusa-pivotal/8807d037c1f1f460c8cdd11e8966520f – Daniel Mikusa Aug 17 '17 at 15:25
  • @DanielMikusa - Thanks a lot! That also works for me :) (closing the question :) ) I've two questions: 1. Why do I need to provide a user & password if I run it from another app in that space? 2. The password is coming from the catch method, why? And can we avoid it? Thanks again! – Jenny Hilton Aug 17 '17 at 15:51
  • 1.) The app in the container has no authentication. There's nothing to identify it to UAA. This script uses the password flow to get an Oauth2 access token. You could use a different flow, but ultimately you need to identify your application to UAA. 2.) Agree that's a little odd. I'm not a node expert, so maybe that can be done differently. The request results in a 302 and we pull the link out of the Location header. I had to do this from the catch block because the success block wasn't called with a 302. – Daniel Mikusa Aug 17 '17 at 16:58
  • Hi Daniel, 2 last questions :-). Point 2 is OK, I'll try to fix it... Regarding point 1, what do you mean by different flow, can you please give a hint? Since using user password is a bit strange (when I'm already an app which is running on CF...). 2. To add a new file from the ssh app to the target app 'fs', should I use `scp`? Thanks a lot for your support! – Jenny Hilton Aug 17 '17 at 20:07
  • 1.) Forget the fact you're running on PCF. It provides no guarantee of your identity. Your application needs to do that and credentials would be one way to identify your application. Another might be client credentials. You should read up on Oauth2 flows, it will help to explain what is happening more. 2.) Yes, probably scp or sftp. – Daniel Mikusa Aug 17 '17 at 20:36
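
Added example, not code from this thread or the linked gist: it builds the options object passed to `.connect()` from the `/v2/info` fields and the 302 redirect discussed above, so the one-time code is supplied per attempt instead of being hardcoded and the SSH proxy's host key is checked. It assumes `/v2/info` also exposes `app_ssh_host_key_fingerprint`, that the code arrives as a `code` query parameter, and that the SSH library passes raw host key bytes to `hostVerifier`; function names and all sample values are constructed.

```javascript
const crypto = require('crypto');

// Split "host:port" as found in app_ssh_endpoint of /v2/info.
function parseEndpoint(endpoint) {
  const i = endpoint.lastIndexOf(':');
  const port = Number(endpoint.slice(i + 1));
  if (i < 1 || !Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('unexpected app_ssh_endpoint: ' + endpoint);
  }
  return { host: endpoint.slice(0, i), port };
}

// Assumption: the one-time code is the `code` query parameter of the 302 Location header.
function extractSshCode(location) {
  const code = new URL(location, 'https://placeholder.invalid').searchParams.get('code');
  if (!code) throw new Error('no code parameter in redirect');
  return code;
}

// Fingerprints of raw host key bytes: colon-separated MD5 hex and unpadded SHA256 base64.
function fingerprints(rawKey) {
  const md5 = crypto.createHash('md5').update(rawKey).digest('hex').match(/../g).join(':');
  const sha256 = crypto.createHash('sha256').update(rawKey).digest('base64').replace(/=+$/, '');
  return { md5, sha256 };
}

// Options in the shape the question passes to .connect().
function buildConnectOptions(info, appGuid, instance, code) {
  const expected = info.app_ssh_host_key_fingerprint.replace(/^SHA256:/, '');
  return {
    ...parseEndpoint(info.app_ssh_endpoint),
    username: `cf:${appGuid}/${instance}`,
    password: code, // fetched for each attempt, never stored in source
    // Assumption: the SSH library calls hostVerifier with the raw host key (Buffer).
    hostVerifier: (rawKey) => {
      const fp = fingerprints(rawKey);
      return expected === fp.md5 || expected === fp.sha256;
    },
  };
}

// Constructed sample data: not a real platform, host key or code.
const SAMPLE_KEY = Buffer.from('constructed-host-key-bytes');
const SAMPLE_INFO = {
  app_ssh_endpoint: 'ssh.cf.example.com:2222',
  app_ssh_host_key_fingerprint: fingerprints(SAMPLE_KEY).md5,
};
const SAMPLE_LOCATION = 'https://uaa.cf.example.com/login?code=CONSTRUCTED1';
```

Because the code is short lived, call `extractSshCode` on a fresh redirect immediately before each connection attempt, and keep the credentials used to reach UAA in the app's environment rather than in the pushed source.
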
0

I have exclusively worked with PCF, so please take my advice with a grain of salt given your Bluemix platform.

If you have a need to look at files created by App2 from App1, what you need is a common resource.

You can inject an S3 resource as a CUPS service and create a service instance and bind to both apps. That way both will read / write to the same S3 endpoint.

Quick Google search for Bluemix S3 Resource shows - https://console.bluemix.net/catalog/infrastructure/cloud_object_storage


Ver 1.11 of Pivotal Cloud Foundry comes with Volume Services.

Seems like Bluemix has a similar resource - https://console.bluemix.net/docs/containers/container_volumes_ov.html#container_volumes_ov

You may want to give that a try.

K.AJ