[20160606214509] VPC Security, Docker Daemon and Papertrail Changes

VPC Security Enhancements

The Rack VPC Security Group no longer exposes the SSH port to the world (0.0.0.0/0). It now accepts SSH traffic only from inside the Rack VPC, which is sufficient because convox instances ssh tunnels over a websocket.

Thanks @beedub for the security improvement!

For more info see PR #716: Change ssh port sg to use vpc cidr, not 0.0.0.0.
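
As an added example (not code from the Convox project), this check scans a CloudFormation template for security group ingress rules that still expose TCP port 22 to 0.0.0.0/0 or ::/0, the condition this update removes. The two templates are constructed, and the resource name InstancesSecurity and the parameter VPCCIDR are assumptions.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}

def _covers_ssh(rule):
    """True if the rule's protocol and port range include TCP/22."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":          # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    try:
        lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False           # unresolved intrinsic or missing port: cannot decide
    return lo <= 22 <= hi

def world_open_ssh(template):
    """Return sorted (resource, cidr) pairs for ingress rules exposing SSH to everyone."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            for key in ("CidrIp", "CidrIpv6"):
                cidr = rule.get(key)   # a dict here is an intrinsic such as {"Ref": ...}
                if isinstance(cidr, str) and cidr in WORLD and _covers_ssh(rule):
                    findings.append((name, cidr))
    return sorted(findings)

# Constructed templates: resource and parameter names are hypothetical.
BEFORE = json.loads("""{"Resources": {"InstancesSecurity": {
  "Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": "0", "ToPort": "65535", "CidrIp": {"Ref": "VPCCIDR"}}
  ]}}}}""")
AFTER = json.loads("""{"Resources": {"InstancesSecurity": {
  "Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": {"Ref": "VPCCIDR"}}
  ]}}}}""")

if __name__ == "__main__":
    print("before:", world_open_ssh(BEFORE))
    print("after: ", world_open_ssh(AFTER))
```

A CidrIp given as an intrinsic such as a Ref is not resolved here, so a parameter that defaults to 0.0.0.0/0 still needs a manual look.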

Docker Daemon Changes

This week we discovered that Docker 1.11 was unexpectedly showing up in production environments and causing convox run to erroneously exit non-zero in some cases.

The new update no longer applies updates on boot for anything but critical system security, effectively pinning Docker back to 1.09.

We will update Docker to 1.11 along with new ECS AMIs in the near future.

This update also changes the Docker Daemon limit for number of open files from 1024 to 1024000.

@awsmsrc found a great suggestion by [@pahud on Medium](https://medium.com/@pahud/ulimit-of-nofile-in-amazon-ecs-optimized-ami-6790aedee582) for a higher limit, which is a much better setting for modern web applications.

For more information see PR #704 Up ulimit for dockerd and PR #728 dont upgrade all packages.

Papertrail Deprecation

In anticipation of removing Kinesis to save us all money, this update blocks convox service create papertrail.

You should now use convox services create syslog --url tcp+tls://logs1.papertrailapp.com:12345 to forward logs from CloudWatch Logs to Papertrail via secure syslog. See the Syslog Docs for more information.

For more information see PR #719 Syslog bugfixes and Papertrail deprecation.

Scale Down to Delete Unneeded ELBs

@mwarkentin reported a couple of bugs in the new feature that removes unneeded ELBs. You can now run convox scale redis --count=-1 to remove ELBs, even if they are linked to another process. You can also still run convox run redis bash even if the process type is not running.

For more information see PR #721 and #726.