1# Container Apps Day-2 Operations
2 
3Operational tasks for running Container Apps in production: restart, exec, logs, environment updates, and secret rotation.
4 
5## Restart and Lifecycle
6 
7| Action | Command |
8|--------|---------|
9| Restart active revision | `az containerapp revision restart -n $APP -g $RG --revision $REV` |
10| Scale to zero (stop) | `az containerapp update -n $APP -g $RG --min-replicas 0 --max-replicas <current-max>` |
11| Resume (restore scaling) | `az containerapp update -n $APP -g $RG --min-replicas <previous-min> --max-replicas <current-max>` |
12| List replicas | `az containerapp replica list -n $APP -g $RG --revision $REV` |
13 
14> 💡 **Tip:** Restarting a revision replaces all running replicas gracefully. No new revision is created.
15 
16## Exec into a Container
17 
18Open a shell inside a running replica for debugging:
19 
20```bash
21# Interactive shell
22az containerapp exec -n $APP -g $RG --command /bin/sh
23 
24# Target a specific replica and container
25az containerapp exec -n $APP -g $RG \
26  --replica $REPLICA_NAME \
27  --container $CONTAINER_NAME \
28  --command /bin/sh
29```
30 
31> ⚠️ **Warning:** Exec sessions are for debugging only. Changes to the container filesystem are lost on restart.
32 
33## Log Streaming
34 
35### Real-time Logs
36 
37```bash
38# Stream system logs
39az containerapp logs show -n $APP -g $RG --type system --follow
40 
41# Stream application (console) logs
42az containerapp logs show -n $APP -g $RG --type console --follow
43 
44# Filter to a specific revision or replica
45az containerapp logs show -n $APP -g $RG \
46  --type console --revision $REV --follow
47```
48 
49### Log Analytics (KQL)
50 
51Query historical logs via the Container Apps environment's Log Analytics workspace:
52 
53```kql
54// Azure Monitor destination (new environments — default)
55ContainerAppConsoleLogs
56| where ContainerAppName == "my-app"
57| where TimeGenerated > ago(1h)
58| project TimeGenerated, Log, RevisionName
59| order by TimeGenerated desc
60 
61// Log Analytics destination (legacy environments)
62// ContainerAppConsoleLogs_CL
63// | where ContainerAppName_s == "my-app"
64// | project TimeGenerated, Log_s, RevisionName_s
65```
66 
67## Environment Variable Updates
68 
69Updating environment variables creates a new revision:
70 
71```bash
72# Set or update env vars
73az containerapp update -n $APP -g $RG \
74  --set-env-vars "DB_HOST=newhost.postgres.database.azure.com" \
75                 "CACHE_TTL=300"
76 
77# Remove an env var
78az containerapp update -n $APP -g $RG \
79  --remove-env-vars "OLD_SETTING"
80```
81 
82### Bicep — Env Vars with Secret References
83 
84```bicep
85configuration: {
86  secrets: [
87    { name: 'db-password', value: dbPassword }  // or use keyVaultUrl + identity
88  ]
89}
90template: {
91  containers: [
92    {
93      name: 'api'
94      image: '${acrName}.azurecr.io/api:latest'
95      env: [
96        { name: 'DB_HOST', value: dbHost }
97        { name: 'DB_PASSWORD', secretRef: 'db-password' }
98      ]
99    }
100  ]
101}
102```
103 
104## Secret Management
105 
106### Create and Update Secrets
107 
108```bash
109# Add a secret (use Key Vault references in production — avoid plaintext secrets)
110az containerapp secret set -n $APP -g $RG \
111  --secrets "db-password=<secret-value>"
112 
113# Reference a Key Vault secret (managed identity required)
114az containerapp secret set -n $APP -g $RG \
115  --secrets "db-password=keyvaultref:https://myvault.vault.azure.net/secrets/db-pwd,identityref:/subscriptions/.../userAssignedIdentities/my-id"
116```
117 
118> ⚠️ **Warning:** Avoid passing plaintext secrets on the command line — they may appear in shell history and process listings. Prefer Key Vault references. If you must use plaintext, use shell substitution like `--secrets "key=$(cat secret.txt)"` to avoid literals on the command line.
119 
120> 💡 **Tip:** Use Key Vault references instead of plain-text secrets. The Container App pulls the latest value on each new revision or replica start.
121 
122### Secret Rotation Workflow
123 
1241. Update the secret value in Key Vault
1252. Create a new revision to pick up the updated value:
126   ```bash
127   az containerapp revision copy -n $APP -g $RG
128   ```
1293. Verify the new revision is healthy
1304. Shift traffic to the new revision
131 
132> ⚠️ **Warning:** Existing replicas do NOT hot-reload Key Vault references. A new revision or replica restart is required.
133 
134## Health Monitoring
135 
136| Check | How |
137|-------|-----|
138| Revision health | `az containerapp revision list -n $APP -g $RG -o table` |
139| Replica status | `az containerapp replica list -n $APP -g $RG --revision $REV` |
140| System logs | `az containerapp logs show -n $APP -g $RG --type system` |
141| Metrics | Azure Monitor → Container Apps → Requests, Replicas, CPU, Memory |
142 
143## Common Troubleshooting
144 
145| Symptom | Likely Cause | Remediation |
146|---------|-------------|-------------|
147| Replica crash loop | App startup failure | Check console logs; exec into container |
148| 0 replicas running | Scale-to-zero + no traffic | Set `minReplicas: 1` or send a request |
149| Env var not updating | Old revision still serving traffic | Verify the latest revision exists, then update ingress traffic weights or route to `latestRevision` |
150| Secret value stale | Key Vault ref not refreshed | Create or verify the refreshed revision, then shift traffic to that revision |
151| High memory/CPU | Resource limits too low | Update `resources.cpu` / `resources.memory` |
152