Back to Blog

Rack 0.8: Introspection, Privacy, and Security

By Matt Manning -

Today we’re releasing Rack 0.8 with improvements for introspection, privacy, and security. Run convox update && convox rack update to update your CLI and Rack to the latest version.

Introspection

You can now view the EC2 instances that make up your cluster using the convox instances command.

View instances and their stats:

    $ convox instances
    ID          AGENT  STATUS  STARTED       PS  CPU    MEM
    i-f6106245  on     active  23 hours ago  3   0.00%  25.89%
    i-f8ae9079  on     active  23 hours ago  0   0.00%  0.00%
    i-c5d1624c  on     active  23 hours ago  2   0.00%  16.18%

SSH onto an instance:

    $ convox instances ssh i-f6106245

       __|  __|  __|
       _|  (   \__ \   Amazon ECS-Optimized Amazon Linux AMI 2015.09.d
     ____|\___|____/

    For documentation visit, http://aws.amazon.com/documentation/ecs
    [ec2-user@ip-10-0-3-25 ~]$

Terminate an instance (and have it automatically replaced):

    $ convox instances terminate i-f6106245
    Successfully sent terminate to instance "i-f6106245"

Processes that are being launched now reflect their pending state:

    $ convox ps
    ID            NAME     RELEASE      SIZE  STARTED         COMMAND
    453258fbdcd4  sidekiq  RICYTPEUKSM  256   54 seconds ago  sh -c bin/sidekiq
    [PENDING]     sidekiq  RICYTPEUKSM  256

Rack now monitors its capacity and will notify you if it doesn’t have room to place containers. You can also get notifications for deployment events, cluster convergence and cluster deconvergence. To get these notifications, add Slack on the “Integrations” tab for your Rack in Grid.

Convox logs are now shipped to Amazon CloudWatch inside your AWS account. CloudWatch is a powerful tool that allows you to set up alarms, monitoring dashboards and integrations with other services.

This release also includes improvements to logging structure.

Privacy

Convox now supports private Docker registries. This is useful to customers who want to pull images from places other than Docker Hub as part of their application build.

Options for –vpc-cidr, –subnet*-cidr have been added to the convox install command to provide more control over VPC network setup, making it easier for users to set up VPC peering. This is a community-contributed feature by Chris LeBlanc. Thanks!

Several improvements have been made Convox’s SSL tools, helping you keep your app communicatons private:

  • convox ssl create can now complete intermediate cert chains for you or allow you to upload your own chain.
  • the --self-signed option will auto-generate and apply a self-signed certificate to your app
  • the --secure option allows you to encrypt traffic all the way to your app, rather than having it terminate at the load balancer
  • convox ssl update can hot swap certificates with no downtime

It’s now possible to configure your app’s processes to use internal load balancers. This means that the ports will only be open to other processes inside the app’s VPC. This enables microservice architectures without opening up everything to the Internet. To configure an internal load balancer, only specify the internal port in your `docker-compose.yml. For example, this:

    ports:
      - "80"

instead of:

    ports:
      - "80:80"

Security

You can count on Convox to stay current with the latest security threats and to react accordingly. When Amazon released a new AMI for its ECS service instances to address a network security threat, Convox reacted quickly to update the AMI version it uses.

Several small but important security improvements were contributed by Alex Gaynor. Thanks!

Other notable changes

  • You can now use the -a option instead of --app to specify an app on the CLI
  • convox deploy now reads .dockerignore and doesn’t ship ignored files to the rack API. This dramatically improves build speeds for apps with large ignored files.
  • convox start will now notify you of environment variables that have been declared but have no value set
  • you can use the -f option to specify a filename other than docker-compose.yml to convox start and convox deploy