Rack 0.8: Introspection, Privacy, and Security
Today we’re releasing Rack 0.8 with improvements for introspection, privacy, and security. Run
convox update && convox rack update to update your CLI and Rack to the latest version.
You can now view the EC2 instances that make up your cluster using the
convox instances command.
View instances and their stats:
$ convox instances ID AGENT STATUS STARTED PS CPU MEM i-f6106245 on active 23 hours ago 3 0.00% 25.89% i-f8ae9079 on active 23 hours ago 0 0.00% 0.00% i-c5d1624c on active 23 hours ago 2 0.00% 16.18%
SSH onto an instance:
$ convox instances ssh i-f6106245 __| __| __| _| ( \__ \ Amazon ECS-Optimized Amazon Linux AMI 2015.09.d ____|\___|____/ For documentation visit, http://aws.amazon.com/documentation/ecs [ec2-user@ip-10-0-3-25 ~]$
Terminate an instance (and have it automatically replaced):
$ convox instances terminate i-f6106245 Successfully sent terminate to instance "i-f6106245"
Processes that are being launched now reflect their pending state:
$ convox ps ID NAME RELEASE SIZE STARTED COMMAND 453258fbdcd4 sidekiq RICYTPEUKSM 256 54 seconds ago sh -c bin/sidekiq [PENDING] sidekiq RICYTPEUKSM 256
Rack now monitors its capacity and will notify you if it doesn’t have room to place containers. You can also get notifications for deployment events, cluster convergence and cluster deconvergence. To get these notifications, add Slack on the “Integrations” tab for your Rack in Grid.
Convox logs are now shipped to Amazon CloudWatch inside your AWS account. CloudWatch is a powerful tool that allows you to set up alarms, monitoring dashboards and integrations with other services.
This release also includes improvements to logging structure.
Convox now supports private Docker registries. This is useful to customers who want to pull images from places other than Docker Hub as part of their application build.
Options for –vpc-cidr, –subnet*-cidr have been added to the
convox install command to provide more control over VPC network setup, making it easier for users to set up VPC peering. This is a community-contributed feature by Chris LeBlanc. Thanks!
Several improvements have been made Convox’s SSL tools, helping you keep your app communicatons private:
convox ssl createcan now complete intermediate cert chains for you or allow you to upload your own chain.
--self-signedoption will auto-generate and apply a self-signed certificate to your app
--secureoption allows you to encrypt traffic all the way to your app, rather than having it terminate at the load balancer
convox ssl updatecan hot swap certificates with no downtime
It’s now possible to configure your app’s processes to use internal load balancers. This means that the ports will only be open to other processes inside the app’s VPC. This enables microservice architectures without opening up everything to the Internet. To configure an internal load balancer, only specify the internal port in your `docker-compose.yml. For example, this:
ports: - "80"
ports: - "80:80"
You can count on Convox to stay current with the latest security threats and to react accordingly. When Amazon released a new AMI for its ECS service instances to address a network security threat, Convox reacted quickly to update the AMI version it uses.
Other notable changes
- You can now use the
-aoption instead of
--appto specify an app on the CLI
convox deploynow reads
.dockerignoreand doesn’t ship ignored files to the rack API. This dramatically improves build speeds for apps with large ignored files.
convox startwill now notify you of environment variables that have been declared but have no value set
- you can use the
-foption to specify a filename other than