Allow to push an app with ssh enabled per default

KaiHofstetter commented 2 years ago

Feature Request

Allow to push an app with ssh enabled per default.

Issue

It's currently not possible to directly push an app with ssh enabled.

The current workaround is to 1) push the app with "--no-start", 2) enable ssh and then 3) start the app:

cf push testapp --no-start
cf enable-ssh testapp
cf start testapp

Since pushing the app is usually automated, an enable ssh flag and a way to configure this flag needs to be added to every deployment automation, so that it either directly pushes the app or uses the mentioned 3 steps. This is additional effort for the implementation of the deployment automations and feels more like a workaround then a good solution.

Developers configure the deployment of their apps via the manifest, so it is more natural to enable ssh for the app in the manifest.

Context

Why do we need ssh for our apps?

Having ssh enabled on development and test environments is very useful...

for remote debugging
for getting Garbage Collector logs (via jcmd)
- Heap consumption is a constant topic and being able to see live Garbage Collector logs is a big help to tackle heap issues.
for creating heap dumps
for creating stack traces
for connecting via JMX to get JVM insights

In order to enable ssh on a running app, the app needs to be restarted. A lot of runtime issues are temporary and gone with an app restart (e.g. heap dump issues, performance issues,..). Often the apps on development and test environments have only one instance for cost reasons and to save landscape resources. So, restarting one of these apps also implies a small downtime. For that reason, it is usually not a good option to enable ssh manually on demand.

There is already an open GitHub issue "cf enable-ssh requires a restart of the app": https://github.com/cloudfoundry/cli/issues/2133 It goes in the right direction, but it's not 100% what we would need, since we would need to optionally enable ssh per default (e.g. with a deployment manifest attribute).

Possible Solution

A possible solution could be to add 'app feature flags' to the manifest attributes [1]. The CF API v3 implements a concept of application feature flags [2]. One of the two existing feature flags is “ssh” (it is used by “cf enable/disable-ssh” as well). E.g.:

version: 1
applications:
- name: testapp
  memory: 128M
  buildpacks:
  - binary_buildpack
  random-route: true
  features:
  - ssh: true

This would allow to push the app with enabled ssh access right away (provided that ssh is enabled on space level).

[1] https://docs.cloudfoundry.org/devguide/deploy-apps/manifest-attributes.html [2] https://v3-apidocs.cloudfoundry.org/version/3.122.0/index.html#supported-app-features

Gerg commented 2 years ago

Some other design options:

features:
  - name: ssh
    enabled: true

or

features:
  ssh: true

or

features:
  ssh:
    enabled: true

KaiHofstetter commented 1 year ago

Since this issue is over 7 months old, I would like to kindly ask whether there is a realistic chance to get this feature or whether CF users should rather invest in an alternative implementation on their deployment automation side, as described above.

I assume that a lot of developers would like to have ssh enabled per default on their dev landscapes, in order to be able to debug issues in case of an error. This feature is especially important for errors, which cannot be reproduced.

Thank you!

cloudfoundry / cloud_controller_ng