Re: container restart on logout

Daniel Jones

Hmm, here's an idea that I haven't thought through and so is probably rubbish...

How about an immutability enforcer? Recursively checksum the expanded
contents of a droplet, and kill-with-fire anything that doesn't match it.
It'd need to be optional for folks storing ephemeral data on their
ephemeral disk, and a non-invasive (ie no changes to CF components)
implementation would *depend* on `cf ssh` or a chained buildpack, but maybe
that's a nice compromise that could be quicker to develop than waiting for
mainline code changes to CF?

Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB
*EngineerBetter* Ltd - UK Cloud Foundry

On Thu, Dec 22, 2016 at 10:01 AM, David Illsley <davidillsley(a)>

I have no idea why the idea hasn't been implemented, but pondering it, it
seems like it's hard to do because of the cases you mention. Some people
need a policy that 'app teams won’t abuse it by creating app snowflakes',
and in some (most?) cases you need the flexibility to do debugging as you

I think it's possible to combine the SSH authorized events, and the
instance uptime details from the API to build audit capability - identify
instances which have been SSH'd to and not recycled within some time period
(eg 1 hour). You could have either some escalations process to get a human
to do something about it (in case there's a reason an hour wasn't enough),
or more brutally, give the audit code the ability to do a restart instance.

On Tue, Dec 20, 2016 at 12:48 PM, Daniel Jones <
daniel.jones(a)> wrote:

Plus one!

An implementation whereby the recycling behaviour can be feature-flagged
by space or globally would be nice, so you could turn it off whilst
debugging in a space, and then re-enable it when you've finished debugging
via a series of short-lived SSH sessions.

Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB
*EngineerBetter* Ltd - UK Cloud Foundry

On Tue, Dec 20, 2016 at 8:06 AM, DHR <lists(a)> wrote:

Thanks Jon. The financial services clients I have worked with would also
like the ability to turn on ‘cf ssh’ support in production, safe in the
knowledge that app teams won’t abuse it by creating app snowflakes.

I see that the audit trail mentioned in the thread you posted has been
implemented in ‘cf events’. Like this:

time event actor
2016-12-19T16:20:36.00+0000 user index: 0
2016-12-19T15:30:33.00+0000 user index: 0
2016-12-19T12:00:53.00+0000 user index: 0

That said: I still think the container recycle functionality, available
as say a feature flag, would be really appreciated by the large enterprise

On 19 Dec 2016, at 18:25, Jon Price <jon.price(a)> wrote:

This is something that has been on our wishlist as well but I haven't
seen any discussion about it in quite some time. Here is one of the
original discussions about it:

It would go a long way with our security team if we could have some
sort of recycling policy for containers in some of our more secure

Jon Price
Intel Corporation
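
The audit David Illsley describes earlier in this thread (correlate SSH-authorized events with instance uptime, then report instances that were SSH'd into and not recycled within a grace period), as an added example that is not part of any poster's message or of Cloud Foundry itself. The record field names, app names and sample data are constructed assumptions; map your own event and instance-stats output onto them.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=1)  # "some time period (eg 1 hour)" from the thread

# Constructed sample data. Field names are assumptions for this sketch, not
# the Cloud Foundry API schema.
SSH_EVENTS = [
    {"time": "2016-12-19T12:00:53+00:00", "app": "billing", "index": 0},
    {"time": "2016-12-19T15:30:33+00:00", "app": "billing", "index": 0},
    {"time": "2016-12-19T16:20:36+00:00", "app": "billing", "index": 1},
    {"time": "2016-12-19T13:05:00+00:00", "app": "ledger", "index": 0},
]
INSTANCES = [  # uptime in seconds, as sampled at NOW
    {"app": "billing", "index": 0, "uptime_s": 6 * 3600},
    {"app": "billing", "index": 1, "uptime_s": 9 * 3600},
    {"app": "ledger", "index": 0, "uptime_s": 20 * 60},
]
NOW = datetime(2016, 12, 19, 17, 0, 0, tzinfo=timezone.utc)


def stale_after_ssh(events, instances, now, grace=GRACE):
    """Return instances SSH'd into, still the same container, past grace."""
    # When each currently running container started.
    started = {(i["app"], i["index"]): now - timedelta(seconds=i["uptime_s"])
               for i in instances}
    # Earliest SSH session that the *current* container has seen.
    first_ssh = {}
    for ev in events:
        key = (ev["app"], ev["index"])
        when = datetime.fromisoformat(ev["time"])
        if key not in started or when < started[key]:
            continue  # instance gone, or already recycled since this session
        if key not in first_ssh or when < first_ssh[key]:
            first_ssh[key] = when
    findings = []
    for key, when in sorted(first_ssh.items()):
        overdue = now - when - grace
        if overdue > timedelta(0):
            findings.append({"app": key[0], "index": key[1],
                             "first_ssh": when.isoformat(),
                             "overdue_min": int(overdue.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for finding in stale_after_ssh(SSH_EVENTS, INSTANCES, NOW):
        print(finding)
```

The findings list is what would feed either option from the thread: an escalation to a human, or an automated instance restart.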
