Hmm, here's an idea that I haven't through and so is probably rubbish...
How about an immutability enforcer? Recursively checksum the expanded
contents of a droplet, and kill-with-fire anything that doesn't match it.
It'd need to be optional for folks storing ephemeral data on their
ephemeral disk, and a non-invasive (ie no changes to CF components)
implementation would *depend* on `cf ssh` or a chained buildpack, but maybe
that's a nice compromise that could be quicker to develop than waiting for
mainline code changes to CF?
Daniel Jones - CTO
+44 (0)79 8000 9153
*EngineerBetter* Ltd <http://www.engineerbetter.com
> - UK Cloud Foundry
On Thu, Dec 22, 2016 at 10:01 AM, David Illsley <davidillsley(a)gmail.com>
I have no idea why the idea hasn't be implemented, but pondering it, it
seems like it's hard to do because of the cases you mention. Some people
need a policy that 'app teams won’t abuse it by creating app snowflakes',
and in some (most?) cases you need the flexibility to do debugging as you
I think it's possible to combine the SSH authorized events, and the
instance uptime details from the API to build audit capability - identify
instances which have been SSH'd to and not recycled within some time period
(eg 1 hour). You could have either some escalations process to get a human
to do something about it (in case there's a reason an hour wasn't enough),
or more brutally, give the audit code the ability to do a restart instance.
On Tue, Dec 20, 2016 at 12:48 PM, Daniel Jones <
An implementation whereby the recycling behaviour can be feature-flagged
by space or globally would be nice, so you could turn it off whilst
debugging in a space, and then re-enable it when you've finished debugging
via a series of short-lived SSH sessions.
Daniel Jones - CTO
+44 (0)79 8000 9153 <07980%20009153>
*EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry
On Tue, Dec 20, 2016 at 8:06 AM, DHR <lists(a)dhrapson.com> wrote:
Thanks Jon. The financial services clients I have worked with would also
like the ability to turn on ‘cf ssh’ support in production, safe in the
knowledge that app teams won’t abuse it by creating app snowflakes.
I see that the audit trail mentioned in the thread you posted have been
implemented in ‘cf events’. Like this:
time event actor
2016-12-19T16:20:36.00+0000 audit.app.ssh-authorized user index: 0
2016-12-19T15:30:33.00+0000 audit.app.ssh-authorized user index: 0
2016-12-19T12:00:53.00+0000 audit.app.ssh-authorized user index: 0
That said: I still think the container recycle functionality, available
as say a feature flag, would be really appreciated by the large enterprise
On 19 Dec 2016, at 18:25, Jon Price <jon.price(a)intel.com> wrote:seen any discussion about it in quite some time. Here is one of the
This is something that has been on our wishlist as well but I haven't
original discussions about it: https://lists.cloudfoundry.org
sort of recycling policy for containers in some of our more secure
It would go a long way with our security team if we could have some