From: Clayton Coleman <ccoleman redhat com>
To: meghdoot bhattacharya <meghdoot_b yahoo com>
Cc: dev lists openshift redhat com
Sent: Monday, March 4, 2013 12:40 PM
Subject: Re: rhc commands targeting individual gears/nodes
----- Original Message -----
> Over the years spending my time in application teams, the situation
> would often arise that a funky behavior is happening only in few
> instances in a large pool or maybe Ops have configured honeypot to
> observe behavior in few instances for app troubleshooting.
> Do we have plans where rhc can be used for targeting individual gear
> or maybe all gears in a node but not the entire app itself?
Yes, today it's fairly limited.
> I just noticed in Openshift Online [have to try it in origin] that
> rhc threaddump not supported for scaled apps.
That is correct, it's a limitation that needs to be corrected.
> Does rhc tail aggregate logs from N gear instances. That would be
It does not, it uses the head gear. We would like to
make rhc target individual gears if a user so chooses.
> It would be nice to have specific targets for these commands to
> provide more value. Same goes for app start/stop commands also
> having option to have specific targets.
Start/stop gears has been discussed, but the user case is usually that we would start stopped gears. Stopping started gears was something that hasn't been brought up before.
> This may open up a question why not ssh into those gears and execute
> it locally. As I am explaining the power of Openshift to our app
> teams, the initial consensus though dev has power to push code and
> execute commands remotely, nobody feels comfortable giving them ssh
> access to gears [even with selinux protections]. Requiring regular
> ssh access to LIVE boxes requires very special approval in our
> current organization.
discussed splitting SSH access to gears into 3 levels:
shell access with read only permissions
The caveat here is that certain commands require read access to data today (tail, threaddump, snapshot) and that a solution would need to be put into place. Also, we haven't really dug into what it would mean to have no shell access but the ability to push code, but the problem is that code that is pushed can do ANYTHING to the gear, so you're not gaining much security by allowing push without shell. Remember too that anyone who can get shell access can view environment variables, so that's a trust level thing.
> So, the second question is right now anybody having git access means
> they have access to all gears in a scaled app [the way ssh keys are
> copied]. It would be nice to separate git operations permission vs
> access to gears. Is
> there a way to do it currently?
No way to do it today, but it is in the roadmap.