Latest version of balena-cli (v20.2) being used. How do people ssh into containers running on production devices? I saw some older posts from 2021 saying that ssh had not been implemented in openBalena. Is this still the case? I have tried “balena device ssh device-id” and it asks for a password for admin@ssh.devices.my-domain. But the superuser-password, which is generated during installation of openBalena on the server, does not work. What is the current state of and solution for logging into production devices with openBalena?
For me, on openBalena, there are always problems when I want to keep the systems up to date (to use the latest balena CLI 20, for example). Sometimes a newer balena CLI will not work with an older server, or an older CLI with a newer server, so I try not to update. And updating a server has been a pain. I would like to use open-balena-admin, for example, but it doesn’t work any more (so much has changed). Anyway, I have upgraded (read: started from scratch) an openBalena server from the openBalena Getting Started Guide.
And now I can tell you how I managed to log in to a production device. I needed to add my public key first and use the tunnel command. I’m using Linux. This worked for me:
balena ssh-key add a_name_for_my_linux_rsa ~/.ssh/id_rsa.pub
balena device tunnel uuid_of_device -p 22222
#Keep this open. Then in another terminal, use port 22222 that was tunneled to device uuid_of_device:
ssh -l admin -p 22222 localhost
Thanks, jaan513, for the feedback. One quick follow up question. With the method you described, can you log into individual containers or does that only give you ssh access to the host system?
It gives you SSH access to the host; then you can use shell access to get inside the containers (I mostly use /bin/bash instead of /bin/sh; it depends on what you have in your container).
# After logging in to the balena device:
root@uuid:~# balena ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
container_id_1 ...
container_id_2 ...
root@uuid:~# balena exec -it container_id_1 /bin/sh
uuid:/usr/src/app#
After the “ssh -l admin -p 22222 localhost”, it’s asking for a password. Is it supposed to use a password, or did I miss an important step?
The balena tunnel command shows when connections are made (last line):
user@local:~> balena device tunnel uuid -p 22222
[Info] Opening a tunnel to uuid...
[Info] - tunnelling localhost:22222 to uuid:22222
[Info] Waiting for connections...
[Logs] ::1:41692 => ::1:22222 ===> uuid:22222
In another terminal, it doesn’t ask for a password. If you would like to try another port on the localhost, try for example 22221:
balena device tunnel uuid -p 22222:22221
# And in another terminal:
ssh -l admin -p 22221 localhost
I believe the device is in development mode if it asks for a password (try user ‘root’).
I am in the same LAN as the device; in this case I can also log in straight to the device with ssh:
ssh -l admin -p 22222 lan_address_of_openbalena_device
Anyway, back to the tunnel method.
# For me, it seems to work only with admin now, and it never asks for a password.
# (I haven't set up any user other than admin yet):
user@local:~> ssh -l root -p 22222 localhost
root@localhost: Permission denied (publickey).
user@local:~> ssh -l randomuser -p 22222 localhost
fdfd@localhost: Permission denied (publickey).
user@local:~> ssh -l admin -p 22222 localhost
# Works without asking for a password
root@uuid:~# exit
I hope this helps.
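The tunnel-then-ssh procedure from the posts above, scripted as an added example that is not part of any post in this thread and is not balena's own code. The function names, the `balena-<uuid>` host alias, the temporary file handling and the hex-only UUID check are assumptions made for this sketch; the `balena device tunnel` port syntax and the `admin` user are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): key-only SSH to a production device
# through `balena device tunnel`. Assumes the balena CLI is logged in to your
# openBalena server and your public key was registered with `balena ssh-key add`.

# Print an ssh_config stanza for one device.
# - PreferredAuthentications publickey: ssh fails instead of asking for a password.
# - HostKeyAlias: every device is reached as "localhost", so pin each device's
#   host key under its own known_hosts name instead of sharing one entry.
# - ConnectionAttempts: retry once per second while the tunnel comes up.
# Assumption: device UUIDs are lowercase hex; anything else is rejected.
device_ssh_config() {
    uuid=$1; port=${2:-22222}; key=${3:-$HOME/.ssh/id_rsa}
    case $uuid in ''|*[!0-9a-f]*) echo "bad uuid: $uuid" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    cat <<EOF
Host balena-$uuid
    HostName localhost
    Port $port
    User admin
    IdentityFile "$key"
    IdentitiesOnly yes
    PreferredAuthentications publickey
    HostKeyAlias balena-$uuid
    ConnectionAttempts 15
EOF
}

# Open the tunnel, log in, then close the tunnel when the session ends.
device_ssh() {
    uuid=$1; port=${2:-22222}; key=${3:-$HOME/.ssh/id_rsa}
    [ -r "$key" ] || { echo "no private key at $key" >&2; return 2; }
    cfg=$(mktemp) || return 3
    device_ssh_config "$uuid" "$port" "$key" >"$cfg" || { rm -f "$cfg"; return 1; }
    # Device port 22222 mapped to the chosen local port; tunnel output goes to a log.
    balena device tunnel "$uuid" -p "22222:$port" >"$cfg.log" 2>&1 &
    tunnel_pid=$!
    ssh -F "$cfg" "balena-$uuid"
    status=$?
    [ "$status" -eq 0 ] || cat "$cfg.log" >&2   # show tunnel output on failure
    kill "$tunnel_pid" 2>/dev/null
    rm -f "$cfg" "$cfg.log"
    return "$status"
}

# Usage: sh device-ssh.sh <uuid> [local_port] [private_key]
if [ "$#" -ge 1 ]; then device_ssh "$@"; fi
```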