This week we’re rolling out a feature that makes it possible to quickly pop a shell on your instances. I’m going to write a lot more about what exactly we’re doing sometime next week, but since it’ll start working this evening, I want to give you all a heads up.
Instances launched tonight will be running a tiny SSH server bound to their internal 6PN addresses.
As a practical matter, what this means is that you can only reach the SSH server by connecting with WireGuard, which you can do with the
flyctl wireguard command after you install WireGuard on your host (it’s super easy, and the app store version works great on macOS).
Once you can reach your instances with WireGuard, you can use
flyctl to mint SSH credentials. You’ll want to update:
flyctl version update.
There are two commands you want to know about right now:
flyctl ssh establishcreates a root SSH certificate for your organization. All SSH authorization is (currently) done on an organization-by-organization basis. You can just run that command, it’ll prompt you, and you don’t need to save the output.
flyctl ssh issueissues a new 24-hour SSH certificate based on your root certificate. By default, it’ll save your certificate in a pair of files (an
id_foo-cert.pub; you’ll need both) which you can pass to
But handling SSH certificates by hand is tedious and I don’t recommend it; instead, make sure you’re running an SSH agent (a trivial way to do that is to run something like
ssh-agent bash) and then run
flyctl ssh issue -a. We’ll add the SSH credentials to your current agent and you don’t have to think about them.
You can log into a host as
fly; we don’t currently do anything with usernames (not everyone runs a container that has them) but certainly will be adding that in the near future.
An obvious question you’ll have is, “how do I find addresses to log into”. The answer right now is clunky! Your WireGuard configuration, the one we generated for you, includes a private DNS server; what we do in practice is just use the
dig command to find 6PN addresses. For instance, if your app is
drastic-cobweb-39, you can
dig aaaa drastic-cobweb-39.internal @your-dns-ip +short to find addresses to log into.
So many caveats!
This is a prelease feature. It will be especially janky tonight (in particular, give
flyctl ssh establisha minute or two to propagate). It will get less janky over time.
The SSH implementation is right now pretty limited; you can get a shell, and you can run commands, but agent forwarding, port forwarding, rsync, all that stuff, I wouldn’t count on right now.
In the relatively near future, most of you won’t need WireGuard installed to do simple SSH commands, and you won’t have to manually look up IPv6 addresses. But right now, you do.
Let us know what you think or what questions you have or what you might want features-wise going forward. Thanks as always, fly-friends!