How to install things on specific APP container
Stanley Shen <meteorping@...>
Hello, all
For some purpose, I would like to install things on specific APP container. For example, I have a web application, and I want to do virus scan for uploading attachments, originally on Ubuntu VM we can do "sudo apt-get install scan-virus" and make it a service process. How can we do such things now?

Daniel Mikusa
You don't have root access in application containers. You could bundle the
software into a custom build pack. Again, you can't install stuff with root so you have to manually extract the files somewhere writeable by the vcap user and run them from that location. A lot of build packs use `/home/vcap/app/vendor`.

Docker might be another option at least to more easily install the software. You'd still need a command to run it as the vcap user. I don't think you could run it as a service.

Dan

On Thu, May 5, 2016 at 10:00 PM, Stanley Shen <meteorping(a)gmail.com> wrote:
> Hello, all

Danny Rosen
Stanley,
I am curious as to why you would prefer to do scanning of an application after it is pushed rather than before on something like a CI system.

On Fri, May 6, 2016 at 6:55 AM, Daniel Mikusa <dmikusa(a)pivotal.io> wrote:
> You don't have root access in application containers. You could bundle

--
Danny Rosen <https://goo.gl/eNWhJU>

Scott Frederick <scottyfred@...>
Using the app container’s file system like this is generally discouraged.
See the Cloud Foundry docs <http://docs.cloudfoundry.org/devguide/deploy-apps/prepare-to-deploy.html#filesystem> for an explanation.

If your web app is storing uploaded attachments on the container’s file system, you will lose the files if the app crashes or the container needs to be recycled for any reason. If you follow the advice in the docs and store the uploaded files in storage outside of the container then you can periodically scan that external data store.

On Fri, May 6, 2016 at 4:14 PM, Danny Rosen <danny.rosen(a)gmail.com> wrote:
> Stanley,

Stanley Shen <meteorping@...>
Yes, the file is actually stored in database, we don't rely on the FS of the container.
Just we want to do virus scan and other checks before we accept it and store it to database.

Michal Tekel
Hi,
depending on which buildpack you use it might be easier or more complicated to launch custom scripts at app runtime. In these scripts you can install apps, but only in "userspace" - that is, not as root. This is possible for various Ubuntu packages, but it involves manual resolution of dependencies, which all need to be installed in the same userspace.

In our case we have run nmap to do port scan from within app container (to verify what everything is reachable by deployed apps). We have used install script [1], which we added into bin/post_compile (python buildpack) - which would run at the end of staging and put installed packages into the final app droplet, making them available inside app container on launch. We then run the scan by using another script [2] where we explicitly define LD_LIBRARY_PATH to point to dependencies that we have also installed in "userspace".

This is quite cumbersome, but at least it can be done this way. Some other PAASes support direct installation of package dependencies in their buildpacks [3].

[1] https://github.com/alphagov/paas-cf/blob/c0db1e38a9294112b8ecbfd7e0eee3dea5cf94ac/tests/example-apps/port-scan/nmap_portable.sh
[2] https://github.com/alphagov/paas-cf/blob/c0db1e38a9294112b8ecbfd7e0eee3dea5cf94ac/tests/example-apps/port-scan/scan.sh
[3] https://docs.tsuru.io/stable/using/python.html - see requirements.apt file description

On 7 May 2016 at 03:52, Stanley Shen <meteorping(a)gmail.com> wrote:
> Yes, the file is actually stored in database, we don't rely on the FS of
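
An added example, not code from any poster in this thread or from Cloud Foundry: a Python sketch of the flow the thread converges on, where a scanner extracted under `/home/vcap/app/vendor` is run without root on each upload, with `LD_LIBRARY_PATH` pointing at its bundled libraries, before the bytes are stored in the database. The scanner path, the `vendor/lib` layout and the exit-code convention (0 means clean) are assumptions.

```python
import os
import subprocess
import tempfile

# Assumptions (not from the thread): the scanner binary name, the vendor/lib
# layout, and the exit-code convention (0 = clean, anything else = reject).
VENDOR = "/home/vcap/app/vendor"           # directory mentioned in the thread
SCANNER_CMD = [VENDOR + "/bin/scanner"]    # hypothetical user-space scanner
LIB_DIR = VENDOR + "/lib"                  # its bundled shared libraries


def scan_upload(data, scanner_cmd=SCANNER_CMD, lib_dir=LIB_DIR, timeout=30):
    """Return True only when the scanner ran and reported the bytes clean."""
    env = dict(os.environ)
    # Bundled libraries first, then whatever the container already had set.
    env["LD_LIBRARY_PATH"] = os.pathsep.join(
        p for p in (lib_dir, env.get("LD_LIBRARY_PATH")) if p)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "upload.bin")
        # Fixed file name and 0600 mode: the client-supplied name is never used.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        try:
            proc = subprocess.run(list(scanner_cmd) + [path], env=env,
                                  timeout=timeout, stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL)
        except (OSError, subprocess.TimeoutExpired):
            return False  # scanner missing, not executable or hung: fail closed
    return proc.returncode == 0


def accept_upload(data, store, **scan_kwargs):
    """Call store(data) (e.g. the database insert) only for clean uploads."""
    if not scan_upload(data, **scan_kwargs):
        return False
    store(data)
    return True
```

The temporary copy is deleted as soon as the scan returns, so nothing depends on the container's ephemeral file system.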