To improve security, ContainerOS does not allow you to directly log on to Elastic Compute Service (ECS) instances and does not support SSH logon. If you want to log on to ECS instances to manage containers, you must enable and log on to the administrative container. This topic describes the operations that you can perform on the administrative container of ContainerOS.

Prerequisites

  • The Cloud Assistant client is installed on the ECS instance. To manage the administrative container, you must install the Cloud Assistant client and call specific API operations. For more information about how to install and use the Cloud Assistant client, see Install the Cloud Assistant client and Overview.
  • The logon type of the ECS instance or the cluster must be set to Key Pair. You can log on to the administrative container only by using key pairs. This means that you must set the logon type to Key Pair when you create the instance or cluster. If you do not specify Key Pair as the logon type when you create the instance, you can associate a key pair with the instance after the instance is created. For more information about how to associate a key pair with an ECS instance, see Unbind an SSH key pair.
  • Traffic on port 22 is allowed by the security group. Otherwise, you cannot log on to the ECS instance by using Workbench. For more information about how to configure a security group to allow traffic on a port, see Overview.

Background information

Compared with the host, the administrative container provides more software packages. You can also use the YUM package manager to install the software that you require. In the administrative container, you can view information about system processes, networks, and system configurations. The administrative container also provides commands that you can use to log on to the host from the container. This logon method is similar to logging on to the instance by using Workbench.

Enter the host environment

  1. Log on to the ECS console and go to the Create Command panel of the Cloud Assistant page. For more information, see Immediate execution.
  2. Run the following command in the Create Command panel to start the administrative container:
    lifseacli container start
    After you run the command in the Create Command panel, the following output is returned.
    [Figure: Start administrative container]
  3. Run the following command to log on to the container by using the specified key pair:
    ssh -i <ssh-private-key.pem> admin@<instance-ip>

    <ssh-private-key.pem> specifies the key pair that is associated with the instance. <instance-ip> specifies the IP address of the instance.

    Notice: You can also log on to the container by using Workbench. The username is admin and the private key is the key pair that is associated with the instance. Make sure that port 22 is open on the instance. Otherwise, you cannot log on to the container by using Workbench.

    The page in the following figure appears after you log on to the administrative container.

    [Figure: Log on to administrative container]

    The root file system of the host is mounted to the /.lifsea/rootfs directory of the administrative container. The root file system is mounted in read-only mode. You can directly obtain system information and configurations from the directory.

  4. Run the following command to enter the system:
    sudo superman
    Expected output: [Figure: Enter the directory]
  5. Run the ls command to query the system commands that you can use.
    Expected output: [Figure: Enter the directory]

    The output indicates that the available system commands are limited.

What to do next

After you enter the host environment, you can run the exit command to exit the host environment. If you run the exit command again, you can exit the administrative container. The administrative container is still enabled and running after you exit the container. You can reconnect to the container by using SSH and then disable, restart, and delete the container by using relevant commands.

  • Disable the administrative container:
    lifseacli container stop
  • Restart the administrative container:
    lifseacli container restart
    Note: If you associate a new key pair with or disassociate the key pair from the instance after you start the administrative container, you must restart the container for the change to take effect.
  • Delete the administrative container:
    lifseacli container rm
    Notice: After you delete the administrative container, the software that you install and the files that you save in the container are also deleted. If you restart the administrative container, a new container environment is used. Do not save business-critical data in the administrative container.
  • Query the status of the administrative container:
    lifseacli container status

FAQ

What do I do if the following error occurs when I connect to the administrative container: UNPROTECTED PRIVATE KEY FILE!?

Symptom

The following error occurs when you connect to the administrative container.

[Figure: FAQ]

Cause

The private key file can be accessed by other users.

Solution

Run the chmod 400 <ssh-private-key.pem> command to change the permissions on the private key file. Replace <ssh-private-key.pem> with the name of your private key file.
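
The following script is an added example, not part of the original documentation. It checks the private key on your workstation before you connect and applies the chmod 400 fix only when needed. The function names key_mode, key_is_protected, and protect_key are hypothetical, and the check mirrors the OpenSSH client rule that a private key must have no group or other permission bits.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the private key used to log on to the
# administrative container. Function names are hypothetical.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when the key would pass the OpenSSH client check, that is,
# when no group or other permission bits are set (mode & 077 == 0).
key_is_protected() {
    km_mode=$(key_mode "$1") || return 2
    [ $(( 0$km_mode & 077 )) -eq 0 ]
}

# Tighten the key to mode 400 only when it is readable by other users.
protect_key() {
    [ -f "$1" ] || { echo "no such key file: $1" >&2; return 2; }
    if key_is_protected "$1"; then
        echo "ok: $1 is not accessible by other users"
    else
        echo "fixing: $1 had mode $(key_mode "$1"), setting 400"
        chmod 400 "$1"
    fi
}

# Usage: ./connect.sh <ssh-private-key.pem> <instance-ip>
# Connects as the admin user after the key passes the permission check.
if [ "$#" -ge 2 ]; then
    protect_key "$1" && exec ssh -i "$1" "admin@$2"
fi
```

A key with mode 600 also passes the check, so the script leaves it unchanged.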