Incoming! SSH Support For Instances

New stuff!

This week we’re rolling out a feature that makes it possible to quickly pop a shell on your instances. I’m going to write a lot more about what exactly we’re doing sometime next week, but since it’ll start working this evening, I want to give you all a heads up.

Instances launched tonight will be running a tiny SSH server bound to their internal 6PN addresses.

As a practical matter, what this means is that you can only reach the SSH server by connecting with WireGuard, which you can do with the flyctl wireguard command after you install WireGuard on your host (it’s super easy, and the app store version works great on macOS).

Once you can reach your instances with WireGuard, you can use flyctl to mint SSH credentials. You’ll want to update: flyctl version update.

There are two commands you want to know about right now:

  • flyctl ssh establish creates a root SSH certificate for your organization. All SSH authorization is (currently) done on an organization-by-organization basis. You can just run that command, it’ll prompt you, and you don’t need to save the output.

  • flyctl ssh issue issues a new 24-hour SSH certificate based on your root certificate. By default, it’ll save your certificate in a pair of files (an id_foo and an id_foo-cert.pub; you’ll need both) which you can pass to ssh -i.

    But handling SSH certificates by hand is tedious and I don’t recommend it; instead, make sure you’re running an SSH agent (a trivial way to do that is to run something like ssh-agent bash) and then run flyctl ssh issue -a. We’ll add the SSH credentials to your current agent and you don’t have to think about them.

You can log into a host as root or fly; we don’t currently do anything with usernames (not everyone runs a container that has them) but certainly will be adding that in the near future.

An obvious question you’ll have is, “how do I find addresses to log into”. The answer right now is clunky! Your WireGuard configuration, the one we generated for you, includes a private DNS server; what we do in practice is just use the dig command to find 6PN addresses. For instance, if your app is drastic-cobweb-39, you can dig aaaa drastic-cobweb-39.internal @your-dns-ip +short to find addresses to log into.
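Pulling the steps above (agent running, `flyctl ssh issue -a`, `dig aaaa app.internal @dns-ip +short`, then `ssh`) into one small script, as an added example and not part of flyctl or the original post. It assumes WireGuard is already up, `flyctl ssh establish` has been run once for the organization, and that the DNS server IP from your WireGuard config is passed in; `fly_ssh_login`, `first_6pn_addr`, `ssh_target` and `show_cert_validity` are names made up here, and the DNS address is a placeholder.

```sh
#!/bin/sh
# Added example, not flyctl's own tooling. Helpers for the SSH workflow
# described above: pick a 6PN address out of dig output, build the
# user@addr target, then mint a cert into the agent and connect.

# Select the first AAAA answer from `dig +short` output read on stdin.
# dig may also print CNAMEs or blank lines, so keep only lines that are
# made of hex digits and colons and contain at least one colon.
# Exits non-zero (via the final `grep .`) when nothing usable is found.
first_6pn_addr() {
  grep -E '^[0-9a-fA-F:]+$' | grep ':' | head -n 1 | grep .
}

# Build the ssh target. The post says only root and fly work today,
# so anything else is rejected here rather than failing later on the host.
ssh_target() {
  user=$1
  addr=$2
  case "$user" in
    root|fly) ;;
    *) echo "unsupported user '$user' (use root or fly)" >&2; return 1 ;;
  esac
  printf '%s@%s\n' "$user" "$addr"
}

# Optional check when handling cert files by hand instead of `-a`:
# ssh-keygen -L prints the validity window and principals, which is how
# you confirm the 24-hour lifetime before ssh silently fails on an expired cert.
show_cert_validity() {
  ssh-keygen -L -f "$1"   # e.g. id_foo-cert.pub
}

# fly_ssh_login APP DNS_IP [USER]
# Assumes an ssh-agent is already running (`ssh-agent bash`), since
# `flyctl ssh issue -a` deposits the fresh certificate into that agent.
fly_ssh_login() {
  app=$1
  dns_ip=$2        # placeholder: the private DNS IP from your WireGuard config
  user=${3:-fly}

  if [ -z "$SSH_AUTH_SOCK" ]; then
    echo "no SSH agent found; start one first, e.g. ssh-agent bash" >&2
    return 1
  fi

  # Mint a new 24-hour certificate straight into the running agent.
  flyctl ssh issue -a || return 1

  # Resolve the app's 6PN address over the WireGuard-provided DNS server.
  addr=$(dig aaaa "$app.internal" "@$dns_ip" +short | first_6pn_addr) || {
    echo "no AAAA record for $app.internal via $dns_ip" >&2
    return 1
  }

  ssh "$(ssh_target "$user" "$addr")"
}

# Usage: sh fly-ssh.sh drastic-cobweb-39 <dns-ip> [root|fly]
if [ "$#" -ge 2 ]; then
  fly_ssh_login "$@"
fi
```

The address selection is the only part that does not need the network, which is why it is split out: you can feed it the output of the `dig` command from the post and see which host you are about to log into before the `ssh` call runs.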

So many caveats!

  • This is a prerelease feature. It will be especially janky tonight (in particular, give flyctl ssh establish a minute or two to propagate). It will get less janky over time.

  • The SSH implementation is right now pretty limited; you can get a shell, and you can run commands, but agent forwarding, port forwarding, rsync, all that stuff, I wouldn’t count on right now.

  • In the relatively near future, most of you won’t need WireGuard installed to do simple SSH commands, and you won’t have to manually look up IPv6 addresses. But right now, you do.

Let us know what you think or what questions you have or what you might want features-wise going forward. Thanks as always, fly-friends!
