You can enable debug mode for a VM. In debug mode, principals who have the Owner, Editor, and App Engine Admin roles on the project have root access to the VM. While debug mode is turned on, the automatic rollout of operating system updates and security patches is disabled. However, the VM is still part of the load balancer pool, and continues to receive external requests.
Whenever you enable or disable debugging, a "VM instance debugging enable/disable" event appears in the Google Cloud console, and the event is logged in the VM's /var/log/syslog.log file.
Enabling and disabling debug mode
You can use gcloud to enable and disable debug mode for an instance. To debug an instance, your role must contain the appengine.instances.enableDebug permission.
To enable and disable debug mode in gcloud:
- Use the gcloud app instances enable-debug command to debug the VMs for a particular instance and version, as follows:
  gcloud app --project PROJECT-ID instances enable-debug
  Replace PROJECT-ID with your own project ID, and follow the prompts to specify the instance version to debug.
- When finished debugging, disable debug mode as follows:
  gcloud app --project PROJECT-ID instances disable-debug
  Follow the prompts to specify the instance version.
When you disable debug mode, the VM is stopped and a new instance of your app is started, running on a clean, new VM.
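Because an instance in debug mode receives no automatic OS updates or security patches while it keeps serving traffic, it is worth checking for instances left in that state. The script below is an added example, not part of the original documentation: it filters an instance listing for debug-enabled instances and prints the matching disable-debug commands for review. It assumes the listing exposes an instance.vmDebugEnabled field rendered as "True", and that disable-debug accepts an instance ID with --service and --version; the sample rows are constructed.

```shell
#!/bin/sh
# Added example: audit which App Engine flexible instances are in debug mode.
# Assumption: rows come from
#   gcloud app instances list --project PROJECT-ID \
#     --format='value(service,version,id,instance.vmDebugEnabled)'
# which prints tab-separated fields, with the last field "True" when debug
# mode is on (field name and value rendering are assumptions to confirm
# against your gcloud version).

# Read tab-separated rows on stdin; print "service version id" for each
# instance whose debug flag is set. Empty or "False" flags are skipped.
debug_instances() {
  awk -F '\t' 'tolower($4) == "true" { print $1, $2, $3 }'
}

# Turn "service version id" rows into disable-debug commands for review.
# $1 is the project ID. Commands are printed, not executed.
disable_commands() {
  while read -r service version id; do
    [ -n "$id" ] || continue
    printf 'gcloud app --project %s instances disable-debug %s --service %s --version %s\n' \
      "$1" "$id" "$service" "$version"
  done
}

# Constructed sample rows (not real instances).
sample_rows() {
  printf 'default\t20240101t000000\taef-default-abcd\tTrue\n'
  printf 'default\t20240101t000000\taef-default-efgh\t\n'
  printf 'api\t20240202t000000\taef-api-ijkl\tFalse\n'
  printf 'api\t20240202t000000\taef-api-mnop\tTrue\n'
}

# Demo run over the constructed rows; replace sample_rows with the gcloud
# listing command above to audit a real project.
sample_rows | debug_instances | disable_commands PROJECT-ID
```

Disabling debug mode stops the VM and starts a clean one, so review the printed commands before running them against instances someone may still be debugging.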
Connecting to the instance
Console
To connect to an instance in the console:
Visit the Google Cloud console instances page for your project:
Click SSH in the far right of the row containing the instance you want to access:
This puts the instance into debug mode, and opens an SSH session for the instance in a terminal window.
You can also select different options to start an SSH session from the drop-down list.
At this point you are in the instance host, which has several containers running in it. See Understanding common containers next for more information about these.
In the terminal window, list the containers running in the instance:
sudo docker ps
The output of the sudo docker ps command lists each container by row; locate the row that contains your project ID: this is the container running your code. Note the NAME of this container.
Optionally, list logging information for your application by invoking:
sudo docker logs CONTAINER-NAME
Start a shell in the container that is running your code:
sudo docker exec -it CONTAINER-NAME /bin/bash
When finished debugging, enter exit to exit the container, then exit again to exit the SSH session.
Disable debugging for your instance to allow it to resume normal operation.
gcloud
To connect to an instance using gcloud:
With the instance enabled for debugging, invoke the command:
gcloud beta app instances --project PROJECT-ID ssh INSTANCE-NAME --service SERVICE --version VERSION
At this point you are in the instance host, which has several containers running. See Understanding common containers next for more information about these.
In the terminal window, list the containers running in the instance:
sudo docker ps
The output of the sudo docker ps command lists each container by row; locate the row that contains your project ID: this is the container running your code. Note the NAME of this container.
Optionally, list logging information for your application by invoking:
sudo docker logs CONTAINER-NAME
Start a shell in the container that is running your code:
sudo docker exec -it CONTAINER-NAME /bin/bash
When finished debugging, enter exit to exit the container, then exit again to exit the SSH session.
Disable debugging for your instance to allow it to resume normal operation.
Understanding common containers
In addition to the container running your application code, your instance may also have the following containers:
Container and Source Code | Description |
---|---|
cloud-sql | Ensures secure connections to your Cloud SQL instance. |
fluentd_logger | Logging agent. |
nginx_proxy | Proxies requests to the application. |
opentelemetry-collector | Receives, processes, and exports telemetry data. |
stackdriver-monitoring-agent | Collects, stores, and monitors system information. |
Note that these sidecar containers are subject to change without notice.