This page describes how to enable interactive access to an instance's serial console to debug boot and networking issues, troubleshoot malfunctioning instances, interact with the GRand Unified Bootloader (GRUB), and perform other troubleshooting tasks.
A virtual machine (VM) instance has four virtual serial ports. Interacting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support. The instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts. Typically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.
If you only need to view serial port output without issuing any commands to
the serial console, you can call the
getSerialPortOutput
method or use Cloud Logging to read information that your instance has
written to
its serial port; see
Viewing serial port logs.
However, if you run into problems accessing your instance through SSH or need to
troubleshoot an instance that is not fully booted, you can enable interactive
access to the serial console, which lets you connect to and interact with any of
your instance's serial ports. For example, you can directly run commands
and respond to prompts in the serial port.
When you enable or disable the serial port, you can use any Boolean value that is accepted by the metadata server. For more information, see Boolean values.
Before you begin
-
If you haven't already, then set up authentication.
Authentication is
the process by which your identity is verified for access to Google Cloud services and APIs.
To run code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
-
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
-
Enabling interactive access on the serial console
Enable interactive serial console access for individual VM instances or for an entire project.
Enabling access for a project
Enabling interactive serial console access on a project enables access for all VM instances that are part of that project.
By default, interactive serial port access is disabled. You can also explicitly
disable it by setting the serial-port-enable
key to FALSE
. In
either case, any per-instance setting overrides the project-level setting or
the default setting.
Console
- In the Google Cloud console, go to the Metadata page.
- Click Edit to edit metadata entries.
- Add a new entry that uses the key serial-port-enable and value TRUE.
- Save your changes.
gcloud
Using the Google Cloud CLI, enter the
project-info add-metadata
command as follows:
gcloud compute project-info add-metadata \ --metadata serial-port-enable=TRUE
REST
In the API, make a request to the
projects().setCommonInstanceMetadata
method, providing the serial-port-enable
key with a value of TRUE
:
{ "fingerprint": "FikclA7UBC0=", "items": [ { "key": "serial-port-enable", "value": "TRUE" } ] }
Enabling access for a VM instance
Enable interactive serial console access for a specific instance. A per-instance
setting, if it exists, overrides any project-level setting. You can also
disable access for a specific instance, even if access is enabled on the project
level, by setting serial-port-enable
to FALSE
, instead of TRUE
. Similarly,
you can enable access for one or more instances even if it is disabled for the
project, explicitly or by default.
Console
- In the Google Cloud console, go to the VM instances page.
- Click the instance you want to enable access for.
- Click Edit.
- Under the Remote access section, toggle the Enable connecting to serial ports checkbox.
- Save your changes.
gcloud
Using the Google Cloud CLI, enter the
instances add-metadata
command, replacing instance-name
with the name of
your instance.
gcloud compute instances add-metadata instance-name \ --metadata serial-port-enable=TRUE
REST
In the API, make a request to the
instances().setMetadata
method with the serial-port-enable
key and a value of TRUE
:
POST https://compute.googleapis.com/compute/v1/projects/myproject/zones/us-central1-a/instances/example-instance/setMetadata { "fingerprint": "zhma6O1w2l8=", "items": [ { "key": "serial-port-enable", "value": "TRUE" } ] }
Configure serial console for a bare metal instance
For bare metal instances, increase the bit rate, also known as baud rate, for the serial console to 115,200 bps (~11.5kB/sec). Using a slower speed results in garbled or missing console output.
Bootloader configuration varies between operating systems and OS versions. Refer to the OS distributor's documentation for instructions.
If modifying the bit rate on the command line for the current session, use a command similar to the following:
console=ttyS0,115200
If modifying the GRUB configuration, use a command similar to the following:
serial --speed=115200
Make sure that you update the actual bootloader configuration. This can be done
with update-grub
, grub2-mkconfig
, or a similar command.
Connecting to a serial console
Compute Engine offers regional serial console gateways for each Google Cloud region. After enabling interactive access for a VM's serial console, you can connect to a regional serial console.
The serial console authenticates users with SSH keys. Specifically, you must add your public SSH key to the project or instance metadata and store your private key on the local machine from which you want to connect. The gcloud CLI and the Google Cloud console automatically add SSH keys to the project for you. If you are using a third-party client, you might need to add SSH keys manually.
Console
To connect to a VM's regional serial console, do the following:
- In the Google Cloud console, go to the VM instances page.
- Click the instance you want to connect to.
- Under Remote access, click Connect to serial console to connect on the default port (port 1).
- If you want to connect to another serial port, click the down arrow next to the Connect to serial console button and change the port number accordingly.
- For Windows instances, open the drop-down menu next to the button and connect to Port 2 to access the serial console.
gcloud
To connect to a VM's regional serial console, use the
gcloud compute connect-to-serial-port
command:
gcloud compute connect-to-serial-port VM_NAME
--port=PORT_NUMBER
Replace the following:
VM_NAME
: the name of the VM whose serial console you want to connect to.PORT_NUMBER
: the port number you want to connect. For Linux VMs, use1
, for Windows VMs, use2
. To learn more about port numbers, see Understanding serial port numbering.
Other SSH clients
You can connect to an instance's serial console using other third-party SSH clients, as long as the client lets you connect to TCP port 9600.
To connect to a VM's regional serial console, run one of the following commands, depending on your VM's OS:
To connect to a Linux VM:
ssh -i PRIVATE_SSH_KEY_FILE -p 9600 PROJECT_ID.ZONE.VM_NAME.USERNAME.OPTIONS@REGION-ssh-serialport.googleapis.com
To connect to a Windows VM:
ssh -i PRIVATE_SSH_KEY_FILE -p 9600 PROJECT_ID.ZONE.VM_NAME.USERNAME.OPTIONS.port=2@REGION-ssh-serialport.googleapis.com
Replace the following:
PRIVATE_SSH_KEY_FILE
: The private SSH key for the instance.PROJECT_ID
: The project ID for this VM instance.ZONE
: The zone of the VM instance.REGION
: The region of the VM instance.VM_NAME
: The name of the VM instance.USERNAME
: The username you are using to connect to your instance. Typically, this is the username on your local machine.OPTIONS
: Additional options you can specify for this connection. For example, you can specify a certain serial port and specify any advanced option. The port number can be 1 through 4, inclusively. To learn more about port numbers, see understanding serial port numbering. If omitted, you will connect to serial port 1.
If you are having trouble connecting using a third-party SSH client, you can
run the gcloud compute connect-to-serial-port
command with the --dry-run
command-line option to see the SSH command that it would have run on your
behalf. Then you can compare the options with the command you are using.
Setting up a secure connection
When you use a third-party SSH client that isn't the Google Cloud CLI, you can ensure that you're protected against impersonation or man-in-the-middle attacks by checking Google's Serial Port server SSH key. To set up your system to check the server SSH key, complete the following steps:
- Download the server SSH key for the serial console you will be using:
- For regional connections, the server SSH key for a region can be found at
https://www.gstatic.com/vm_serial_port/region/region.pub
- For global connections, download Google's Serial Port server SSH key
- For regional connections, the server SSH key for a region can be found at
- Open your known hosts file, generally located at
~/.ssh/known_hosts
. Add the contents of the server SSH key, with the server's hostname prepended to the key. For example, if the us-central1 server key contains the line
ssh-rsa AAAAB3NzaC1yc...
, then~/.ssh/known_hosts
should have a line like this:[us-central1-ssh-serialport.googleapis.com]:9600 ssh-rsa AAAAB3NzaC1yc...
For security reasons, Google might occasionally change the Google Serial Port server SSH key. If your client fails to authenticate the server key, immediately end the connection attempt and complete the earlier steps to download a new Google Serial Port server SSH key.
If, after updating the host key, you continue to receive a host authentication error from your client, stop attempts to connect to the serial port and contact Google support. Don't provide any credentials over a connection where host authentication has failed.
Disconnecting from the serial console
To disconnect from the serial console:
- Press the
ENTER
key. - Type
~.
(tilde, followed by a period).
You can discover other commands by typing ~?
or by examining the man page
for SSH:
man ssh
Don't try to disconnect using any of the following methods:
The
CTRL+ALT+DELETE
key combination or other similar combinations. This doesn't work because the serial console does not recognize PC keyboard combinations.The
exit
orlogout
command doesn't work because the guest is not aware of any network or modem connections. Using this command causes the console to close and then reopen again, and you remain connected to the session. If you would like to enableexit
andlogout
commands for your session, you can enable it by setting theon-dtr-low
option.
Connecting to a serial console with a login prompt
If you are trying to troubleshoot an issue with a VM that has booted completely or trying to troubleshoot an issue that occurs after VM has booted past single user mode, you might be prompted for login information when trying to access the serial console.
By default, Google-supplied Linux system images are not configured to allow password-based logins for local users. However, Google-supplied Windows images are configured to allow password-based logins for local users.
If your VM is running an image that is preconfigured with serial port logins, you need to set up a local password on the VM so that you can sign in to the serial console, if prompted. You can set up a local password after connecting to the VM or by using a start-up script.
Setting up a local password using a startup script
You can use a startup script to set up a local password that lets you connect to the serial console during or after VM creation.
To set up a local password in an existing VM, select one of the following options:
Linux
In the Google Cloud console, go to the VM instances page.
In the Name column, click the name of the VM for which you want to add a local password.
The details page of the VM opens.
Click
Edit.The page to edit the details of the VM opens.
In the Metadata > Automation section, do the following:
If the VM has an existing startup script, then remove it and store the script somewhere safe.
Add the following startup script:
#!/bin/bash useradd USERNAME echo USERNAME:PASSWORD | chpasswd usermod -aG google-sudoers USERNAME
Replace the following:
USERNAME
: the username that you want to add.PASSWORD
: the password for the username. As some operating systems require minimal password length and complexity, specify a password as follows:Use at least 12 characters.
Use a mix of upper and lower case letters, numbers, and symbols.
Click Save.
The details page of the VM opens.
Click Reset.
When prompted, enter your login information.
Windows
In the Google Cloud console, go to the VM instances page.
In the Name column, click the name of the VM for which you want to add a local password.
The details page of the VM opens.
Click
Edit.The page to edit the details of the VM opens.
In the Metadata section, do the following:
If the VM has an existing startup script, then store the script somewhere safe, and then, to delete the script, click
Delete item.Click Add item.
In the Key field, enter
windows-startup-script-cmd
.In the Value field, enter the following script:
net user USERNAME PASSWORD /ADD /Y net localgroup administrators USERNAME /ADD
Replace the following:
USERNAME
: the username that you want to add.PASSWORD
: the password for the username. As some operating systems require minimal password length and complexity, specify a password as follows:Use at least 12 characters.
Use a mix of upper and lower case letters, numbers, and symbols.
Click Save.
The details page of the VM opens.
Click Reset.
When prompted, enter your login information.
After the user has been created, replace the startup script with the startup script that you stored in this section.
Setting up a local password using passwd
on the VM
The following instructions describe how to set up a local password for a user on a VM so that the user can log on to the serial console of that VM using the specified password.
Connect to the VM. Replace
instance-name
with the name of your instance.gcloud compute ssh instance-name
On the VM, create a local password with the following command. This sets a password for the user that you are currently logged in as.
sudo passwd $(whoami)
Follow the prompts to create a password.
Next, log out of the instance and connect to the serial console.
Enter your login information when prompted.
Setting up a login on other serial ports
Login prompts are enabled on port 1 by default on most Linux operating systems. However, port 1 can often be overwhelmed by logging data and other information being printed to the port. Instead, you can choose to enable a login prompt on another port, such as port 2 (ttyS1), by executing one of the following commands on your VM. You can see a list of available ports for an VM in Understanding serial port numbering.
The following table lists images preconfigured with a serial console login and the default ports.
Operating system | Ports with a login prompt by default | Service management |
---|---|---|
CentOS 6 | 1 | upstart |
CentOS 7 | 1 | systemd |
CoreOS | 1 | systemd |
COS | 1 | systemd |
Debian 8 | 1 | systemd |
Debian 9 | 1 | systemd |
OpenSUSE 13 | 1 | systemd |
OpenSUSE Leap | 1 | systemd |
RHEL 6 | 1 | upstart |
RHEL 7 | 1 | systemd |
SLES 11 | 1 | sysvinit |
SLES 12 | 1 | systemd |
Ubuntu 14.04 | 1 | upstart |
Ubuntu 16.04 | 1 | systemd |
Ubuntu 17.04 | 1 | systemd |
Ubuntu 17.10 | 1 | systemd |
Windows | COM2 | N/A |
To enable login prompts on additional serial ports, complete the following instructions.
systemd
For Linux operating systems using systemd
:
Enable the service temporarily until the next reboot:
sudo systemctl start serial-getty@ttyS1.service
Enable the service permanently, starting with the next reboot:
sudo systemctl enable serial-getty@ttyS1.service
upstart
For Linux operating systems using upstart
:
Create a new
/etc/init/ttyS1.conf
file to reflectttyS1
by copying and modifying an existingttyS0.conf
file. For example:On Ubuntu 14.04:
sudo sh -c "sed -e s/ttyS0/ttyS1/g < /etc/init/ttyS0.conf > /etc/init/ttyS1.conf"
On RHEL 6.8 and CentOS 6.8
sudo sh -c "sed -ne '/^# # ttyS0/,/^# exec/p' < /etc/init/serial.conf | sed -e 's/ttyS0/ttyS1/g' -e 's/^# *//' > /etc/init/ttyS1.conf"
Start on a login prompt on
ttyS1
without restarting:sudo start ttyS1
sysvinit
For Linux operating systems using sysvinit
, run the following command:
sudo sed -i~ -e 's/^#T([01])/T\1/' /etc/inittab sudo telinit q
Understanding serial port numbering
Each virtual machine instance has four serial ports. For consistency with the
getSerialPortOutput
API, each port is numbered 1 through 4. Linux and other similar systems number
their serial ports 0 through 3. For example, on many operating system images,
the
corresponding devices are /dev/ttyS0
through /dev/ttyS3
. Windows refers to
serial ports as COM1
through COM4
. To connect to what Windows considers
COM3
and Linux considers ttyS2
, you would specify port 3. Use
the following table to help you figure out which port you want to connect to.
Virtual machine instance serial ports | Standard Linux serial ports | Windows COM ports |
---|---|---|
1 |
/dev/ttyS0 |
COM1 |
2 |
/dev/ttyS1 |
COM2 |
3 |
/dev/ttyS2 |
COM3 |
4 |
/dev/ttyS3 |
COM4 |
Note that many Linux images use port 1 (/dev/ttyS0
) for logging messages from
the kernel and system programs.
Sending a serial break
The Magic SysRq key feature lets you perform low-level tasks regardless of the system's state. For example, you can sync file systems, reboot the instance, end processes, and unmount file systems using the Magic SysRq key feature.
To send a Magic SysRq command using a simulated serial break:
- Press the
ENTER
key. - Type
~B
(tilde, followed by uppercaseB
). - Type the Magic SysRq command.
Viewing serial console audit logs
Compute Engine provides audit logs to track who has connected and disconnected from an instance's serial console. To view logs, you must have permissions for the Logs Viewer or be a project viewer or editor.
- In the Google Cloud console, go to the Logs Explorer page.
- Expand the drop-down menu and select GCE VM Instance.
- In the search bar, type
ssh-serialport.googleapis.com
and press Enter. A list of audit logs appears. The logs describe connections and disconnections from a serial console. Expand any of the entries to get more information:
For any of the audit logs, you can:
- Expand the
protoPayload
property. - Look for
methodName
to see activity this log applies to (either a connection or disconnection request). For example, if this log tracks a disconnection from the serial console, the method name would say"google.ssh-serialport.v1.disconnect"
. Similarly, a connection log would say"google.ssh-serialport.v1.connect"
. An audit log entry is recorded at the beginning and end of each session on the serial console.
There are different audit log properties for different log types. For example, audit logs relating to connections have properties that are specific to connection logs, while audit logs for disconnections have their own set of properties. There are certain audit log properties that are also shared between both log types.
All serial console logs
The following table provides audit log properties and their values for all serial console logs:
Property | Value |
---|---|
requestMetadata.callerIp |
The IP address and port number from which the connection originated. |
serviceName |
ssh-serialport.googleapis.com |
resourceName |
A string containing the project ID, zone, instance name, and
serial port number to indicate which serial console this pertains to.
For example, projects/myproject/zones/us-east1-a/instances/example-instance/SerialPort/2
is port number 2, also known as COM2 or /dev/ttyS1, for the instance
example-instance .
|
resource.labels |
Properties identifying the instance ID, zone, and project ID. |
timestamp |
A timestamp indicating when the session began or ended. |
severity |
NOTICE |
operation.id |
An ID string uniquely identifying the session; you can use this to associate a disconnect entry with the corresponding connection entry. |
operation.producer |
ssh-serialport.googleapis.com |
Connection logs
The following table provides audit log properties and their values specific for connection logs:
Property | Value |
---|---|
methodName |
google.ssh-serialport.v1.connect |
status.message |
Connection succeeded. |
request.serialConsoleOptions |
Any options that were specified with the request, including the serial port number. |
request.@type |
type.googleapis.com/google.compute.SerialConsoleSessionBegin |
request.username |
The username specified for this request. This is used to select the public key to match. |
operation.first |
TRUE |
status.code |
For successful connection requests, a status.code value of
google.rpc.Code.OK indicates that the operation completed
successfully without any errors. Because the enum value for this property is
0 , the status.code property is not displayed.
However, any code that checks for a status.code value of
google.rpc.Code.OK will work as expected. |
Disconnection logs
The following table provides audit log properties and their values specific for disconnection logs:
Property | Value |
---|---|
methodName |
google.ssh-serialport.v1.disconnect |
response.duration |
The amount of time, in seconds, that the session lasted. |
response.@type |
type.googleapis.com/google.compute.SerialConsoleSessionEnd |
operation.last |
TRUE |
Failed connection logs
When a connection fails, Compute Engine creates an audit log entry. A failed connection log looks very similar to a successful connection entry, but has the following properties to indicate a failed connection.
Property | Value |
---|---|
severity |
ERROR |
status.code |
The canonical Google API error code that best describes the error. The following are possible error codes that might appear:
|
status.message |
The human-readable message for this entry. |
Disabling interactive serial console access
You can disable interactive serial console access by changing metadata on the specific instance or project, or by setting an Organization Policy that disables interactive serial console access to all VM instances for one or more projects that are part of the organization.
Disabling interactive serial console on a particular instance or project
Project owners and editors, as well as users who have been granted the
compute.instanceAdmin.v1
role, can disable access to the serial console by
changing the metadata on the particular instance or project. Similar to
enabling serial console access,
set the serial-port-enable
metadata to FALSE
:
serial-port-enable=FALSE
For example, using the Google Cloud CLI, you can apply this metadata to a specific instance like so:
gcloud compute instances add-metadata instance-name \ --metadata=serial-port-enable=FALSE
To apply the metadata to the project:
gcloud compute project-info add-metadata \ --metadata=serial-port-enable=FALSE
Disabling interactive serial console access through Organization Policy
If you have been granted the orgpolicy.policyAdmin
role on the organization,
you can set an
organization policy
that prevents interactive access to the serial console, regardless of whether
interactive serial console access is enabled on the metadata server. After the
organization policy is set, the policy effectively overrides the
serial-port-enable
metadata key,
and no users of the organization or project can enable interactive serial
console access. By default, this constraint is set to FALSE
.
The constraint for disabling interactive serial console access is as follows:
compute.disableSerialPortAccess
Complete the following instructions to set this policy on the organization. After setting up a policy, you can grant exemptions on a per-project basis.
gcloud
To set the policy using the Google Cloud CLI, run the
resource-manager enable-enforce
command. Replace
organization-id
with your
organization ID.
For example, 1759840282
.
gcloud resource-manager org-policies enable-enforce \ --organization organization-id compute.disableSerialPortAccess
REST
To set a policy in the API, make a POST
request to the following URL.
Replace organization-name
with your
organization name.
For example, organizations/1759840282
.
POST https://cloudresourcemanager.googleapis.com/v1/organization-name:setOrgPolicy
The request body should contain a policy
object with the following
constraint:
"constraint": "constraints/compute.disableSerialPortAccess"
For example:
{ "policy": { "booleanPolicy": { "enforced": TRUE }, "constraint": "constraints/compute.disableSerialPortAccess" } }
The policy is immediately effective, so any projects under the organization immediately stop allowing interactive access to the serial console.
To temporarily disable the policy, use the disable-enforce
command:
gcloud resource-manager org-policies disable-enforce \ --organization organization-id compute.disableSerialPortAccess
Alternatively, you can make an API request where the request body sets the
enforced
parameter to FALSE
:
{ "policy": { "booleanPolicy": { "enforced": FALSE }, "constraint": "constraints/compute.disableSerialPortAccess" } }
Setting the organization policy at the project level
You can set the same organizational policy on a per-project basis. This overrides the setting at the organization level.
gcloud
To turn off enforcement of this policy for a specific project. Replace
project-id
with your project ID.
gcloud resource-manager org-policies disable-enforce \ --project project-id compute.disableSerialPortAccess
You can turn on enforcement of this policy by using the enable-enforce
command with the same values.
REST
In the API, make a POST
request to the following URL to enable interactive
serial console access for the project, replacing
project-id
with the project ID:
POST https://cloudresourcemanager.googleapis.com/v1/projects/project-id:setOrgPolicy
The request body should contain a policy
object with the following
constraint:
"constraint": "constraints/compute.disableSerialPortAccess"
For example:
{ "policy": { "booleanPolicy": { "enforced": FALSE }, "constraint": "constraints/compute.disableSerialPortAccess" } }
Tips and tricks
If you are having trouble connecting using a standard SSH client, but
gcloud compute connect-to-serial-port
connects successfully, it might be helpful to rungcloud compute connect-to-serial-port
with the--dry-run
command-line option to see the SSH command that it would have run on your behalf, and compare the options with the command you are using.Setting the bit rate, also known as baud rate, you can set any bit rate you like, such as
stty 9600
, but the feature normally forces the effective rate to 115,200 bps (~11.5kB/sec). This is because many public images default to slow bit rates, such as 9,600 on the serial console, and would boot slowly.Some OS images have inconvenient defaults on the serial port. For example, on CentOS 7, the
stty icrnl
default for the Enter key on the console is to send aCR
, also known as^M
. The bash shell might mask this until you try to set a password, at which point you might wonder why it seems stuck at thepassword:
prompt.Some public images have job control keys that are disabled by default if you attach a shell to a port in certain ways. Some examples of these keys include
^Z
and^C
. Thesetsid
command might fix this. Otherwise, if you see ajob control is disabled in this shell
message, be careful not to run commands that you will need to interrupt.You might find it helpful to tell the system the size of the window you're using, so that bash and editors can manage it properly. Otherwise, you might experience odd display behavior because bash or editors attempt to manipulate the display based on incorrect assumptions about the number of rows and columns available. Use the
stty rows Y cols X
command andstty -a
flag to see what the setting is. For example:stty rows 60 cols 120
(if your window is 120 chars by 60 lines).If, for example, you connect using SSH from machine A to machine B, and then to machine C, creating a nested SSH session, and you want to use tilde (~) commands to disconnect or send a serial break signal, you will need to add enough extra tilde characters to the command to get to the right SSH client. A command following a single tilde is interpreted by the SSH client on machine A; a command following two consecutive tildes (Enter~~) is interpreted by the client on machine B, and so forth. You only need to press Enter one time because that is passed all the way through to the innermost SSH destination. This is true for any use of SSH clients that provide the tilde escape feature.
If you lose track of how many tilde characters you need, press the Enter key and then type tilde characters one at a time until the instance echoes the tilde back. This echo indicates that you have reached the end of the chain and you now know that to send a tilde command to the most nested SSH client, you need one less tilde than however many tildes you typed.
Advanced options
You can also use the following advanced options with the serial port.
Controlling max connections
You can set the max-connections
property to control how many concurrent
connections can be made to this serial port at a time. The default and
maximum number of connections is 5. For example:
gcloud compute connect-to-serial-port instance-name \ --port port-number \ --extra-args max-connections=3
ssh -i private-ssh-key-file -p 9600 project-id.zone.instance-name.username.max-connections=3@ssh-serialport.googleapis.com
Setting replay options
By default, each time you connect to the serial console, you will receive a replay of the last 10 lines of data, regardless of whether the last 10 lines have been seen by another SSH client. You can change this setting and control how many and which lines are returned by setting the following options:
replay-lines=N
: SetN
to the number of lines you want replayed. For example, ifN
is 50, then the last 50 lines of the console output is included.replay-bytes=N
: Replays the most recentN
bytes. You can also setN
tonew
which replays all output that has not yet been sent to any client.replay-from=N
: Replays output starting from an absolute byte index that you provide. You can get the current byte index of serial console output by making agetSerialPortOutput
request. If you setreplay-from
, all other replay options are ignored.
With the Google Cloud CLI, append the following to your
connect-to-serial-port
command, where N
is the specified number of lines
(or bytes or absolute byte index, depending on which replay option you are
selecting):
--extra-args replay-lines=N
If you are using a third-party SSH client, provide this option in your SSH command:
ssh -i private-ssh-key-file -p 9600 myproject.us-central1-f.example-instance.jane.port=3.replay-lines=N@ssh-serialport.googleapis.com
You can also use a combination of these options as well. For example:
replay-lines=N
andreplay-bytes=new
- Replay the specified number of lines OR replay all output not previously
sent to any client, whichever is larger. The first client to connect with this
flag combination will see all the output that has been sent to the serial
port, and clients that connect subsquently will only see the last
N
lines. Examples:
gcloud compute connect-to-serial-port instance-name--port port-number --extra-args replay-lines=N,replay-bytes=new
ssh -i private-ssh-key-file -p 9600 project-id.zone.instance-name.username.replay-lines=N.replay-bytes=new@ssh-serialport.googleapis.com
replay-lines=N
andreplay-bytes=M
- Replay lines up to, but not more than, the number of lines or bytes
described by these flags, whichever is less. This option won't replay more
than
N
orM
bytes.
gcloud compute connect-to-serial-port instance-name--port port-number --extra-args replay-lines=N,replay-bytes=M
ssh -i private-ssh-key-file -p 9600 project-id.zone.instance-name.username.replay-lines=N.replay-bytes=M@ssh-serialport.googleapis.com
Handling dropped output
The most recent 1 MiB of output for each serial port is always available and
generally, your SSH client shouldn't miss any output from the serial port.
If, for some reason, your SSH client stops accepting output for a period of
time but does not disconnect, and more than 1 MiB of new data is produced,
your SSH client might miss some output. When your SSH
client is not accepting data fast enough to keep up with the output on the
serial console port, you can set the on-dropped-output
property to determine
how the console behaves.
Set any of the following applicable options with this property:
insert-stderr-note
: Insert a note on the SSH client'sstderr
indicating that output was dropped. This is the default option.ignore
: Silently drops output and does nothing.disconnect
: Stop the connection.
For example:
gcloud compute connect-to-serial-port instance-name \ --port port-number \ --extra-args on-dropped-output=ignore
ssh -i private-ssh-key-file -p 9600 project-id.zone.instance-name.username.on-dropped-output=ignore@ssh-serialport.googleapis.com
Enabling disconnect using exit or logout commands
You can enable disconnecting on exit or logout commands by setting the
on-dtr-low
property to disconnect
when you connect to the serial console.
On the Google Cloud CLI, append the following flag to your
connect-to-serial-port
command:
--extra-args on-dtr-low=disconnect
If you are using a third-party SSH client, provide this option in your SSH command:
ssh -i private-ssh-key-file -p 9600 myproject.us-central1-f.example-instance.jane.port=3.on-dtr-low=disconnect@ssh-serialport.googleapis.com
Enabling the disconnect
option might cause your instance to disconnect one or
more times when you are rebooting the instance because the operating system
resets the serial ports while booting up.
The default setting for the on-dtr-low
option is none
. If you use the
default setting none
, you can reboot your instance without being disconnected
from the serial console, but the console won't disconnect through normal
means such as exit
or logout
commands, or normal key combinations like
Ctrl+D.
What's next
- Learn more about the
getSerialPortOutput
API. - Learn how to retain and view serial port output even after a VM instance is deleted.
- Read more troubleshooting tips.
- Learn more about applying metadata.
- Learn about SSH keys.