How to install things on specific APP container
Stanley Shen <meteorping@...>
For some purpose, I would like to install things on specific APP container.
For example, I have a web application, and I want to do virus scan for uploading attachments, originally on ubuntu VM we can do "sudo apt-get install scan-virus" and make it a service process.
How can we do such things now?
You don't have root access in application containers. You could bundle the
software into a custom build pack. Again, you can't install stuff with
root so you have to manually extract the files somewhere writeable by the
vcap user and run them from that location. A lot of build packs use
`/home/vcap/app/vendor`. Docker might be another option at least to more
easily install the software. You'd still need a command to run it as the
vcap user. I don't think you could run it as a service.
On Thu, May 5, 2016 at 10:00 PM, Stanley Shen <meteorping(a)gmail.com> wrote:
Stanley,
I am curious as to why you would prefer to do scanning of an application
after it is pushed rather than before on something like a CI system.
On Fri, May 6, 2016 at 6:55 AM, Daniel Mikusa <dmikusa(a)pivotal.io> wrote:
You don't have root access in application containers. You could bundle
Danny Rosen <https://goo.gl/eNWhJU>
Scott Frederick <scottyfred@...>
Using the app container’s file system like this is generally discouraged.
See the Cloud Foundry docs
for an explanation.
If your web app is storing uploaded attachments on the container’s file
system, you will lose the files if the app crashes or the container needs
to be recycled for any reason. If you follow the advice in the docs and
store the uploaded files in storage outside of the container then you can
periodically scan that external data store.
On Fri, May 6, 2016 at 4:14 PM, Danny Rosen <danny.rosen(a)gmail.com> wrote:
Stanley Shen <meteorping@...>
Yes, the file is actually stored in database, we don't rely on the FS of the container.
Just we want to do virus scan and other checks before we accept it and store it to database.
Hi,
depending on which buildpack you use it might be easier or more complicated
to launch custom scripts at app runtime. In these scripts you can install
apps, but only in "userspace" - that is, not as root. This is possible for
various ubuntu packages, but it involves manual resolution of dependencies,
which all need to be installed in the same userspace.
In our case we have run nmap to do port scan from within app container (to
verify what everything is reachable by deployed apps). We have used install
script, which we added into bin/post_compile (python buildpack) - which
would run at the end of staging and put installed packages into the final
app droplet, making them available inside app container on launch. We then
run the scan by using another script where we explicitly define
LD_LIBRARY_PATH to point to dependencies that we have also installed in
This is quite cumbersome, but at least it can be done this way. Some other
PAASes support direct installation of package dependencies in their
 https://docs.tsuru.io/stable/using/python.html - see requirements.apt
On 7 May 2016 at 03:52, Stanley Shen <meteorping(a)gmail.com> wrote:
Yes, the file is actually stored in database, we don't rely on the FS of
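
The userspace install described in the thread (unpack packages without root during staging, then run them with LD_LIBRARY_PATH pointing at the unpacked libraries), sketched as an added example that is not the install or run script any poster used. The function names, the `vendor-debs` directory and the assumption that the `.deb` files (including every dependency) were fetched beforehand and pushed with the app are all hypothetical; `/home/vcap/app/vendor` and `bin/post_compile` come from the messages above.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the thread).

# Unpack every .deb found in $1 into prefix $2 without root.
# dpkg-deb -x only extracts files: no maintainer scripts run and no
# dependencies are resolved, so each dependency must be vendored by hand.
unpack_debs() {
    deb_dir=$1; prefix=$2
    mkdir -p "$prefix" || return 1
    for deb in "$deb_dir"/*.deb; do
        [ -e "$deb" ] || continue          # glob matched nothing
        dpkg-deb -x "$deb" "$prefix" || return 1
    done
}

# Print a colon-joined list of the candidate subdirectories ($2...)
# that actually exist under prefix $1.
join_existing() {
    prefix=$1; shift
    out=
    for rel in "$@"; do
        if [ -d "$prefix/$rel" ]; then
            out="${out:+$out:}$prefix/$rel"
        fi
    done
    printf '%s' "$out"
}

# Run a command with PATH and LD_LIBRARY_PATH extended into the prefix.
# The joins never leave an empty entry: the dynamic loader treats an
# empty LD_LIBRARY_PATH element as the current working directory, which
# would let a file dropped in the cwd be loaded as a library.
run_in_prefix() {
    prefix=$1; shift
    bins=$(join_existing "$prefix" usr/bin usr/sbin bin)
    libs=$(join_existing "$prefix" usr/lib/x86_64-linux-gnu usr/lib \
                                   lib/x86_64-linux-gnu lib)
    ld=$libs${libs:+${LD_LIBRARY_PATH:+:}}${LD_LIBRARY_PATH:-}
    env PATH="${bins:+$bins:}$PATH" LD_LIBRARY_PATH="$ld" "$@"
}

# Staging (e.g. from bin/post_compile), constructed paths:
#   unpack_debs ./vendor-debs ./vendor
# Runtime, as the vcap user, with a placeholder command:
#   run_in_prefix /home/vcap/app/vendor <scanner> <uploaded-file>
```

The scanner runs as an ordinary child process of the app rather than as a system service, which matches the constraint stated earlier in the thread.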