App Engine Flex overwriting public folder permissions on deploy

[Donatas Petrauskas]

I'm deploying a PHP app on the App Engine Flexible environment. I have a command in my post-deploy-cmd scripts in my composer.json file to set permissions for the public/app folder (chmod -R 755 public\/app). However, when I deploy my app, the entire public folder's permissions get overwritten with 550.

I can see in the logs that the following command runs right after my deployment commands  + chmod -R 550 /app/public

How can I run my command after that or stop that command from running at all? Any workarounds?

Thanks

[Justin Beckwith]

Greetings!  Adding a few folks from the PHP team who will be able to help :)

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/c74a167c-7aad-4971-9278-42d79eaaa4b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Justin Beckwith | Google Cloud Platform | @justinbeckwith | http://jbeckwith.com

[Jordan (Cloud Platform Support)]

Is there a specific reason why you require the need to perform writes to your 'public/app' folder? Scalable applications in the cloud should normally never perform writes to the local filesystem, as data written in an App Engine instance is released with the instance when it is no longer needed (e.g. when incoming traffic reduces and your App Engine instances scale down).

It is recommended you perform writes to a non-volatile/persistent location like Google Cloud Storage or the Google Cloud Datastore that can be written/read by your application running in multiple App Engine instances. You can follow the Reading and Writing Files guide for PHP which explains how to use Google Cloud Storage as a wrapper for reading and writing files in an App Engine PHP app.

[Takashi Matsuo]

Hi Donatas,

What's the use case of writing to the public directory? If it is just for writing temporary file (like temporary cache for performance), you can still use other directories (/tmp, /app/otherdir etc). If you want to dynamically update the content in the public directory, unfortunately it won't work, because the files in the local disk are only available to the specific instance, and they are volatile so that when the server restarted for some reason, the files will be lost.

As Jordan said, using Cloud Storage might be a good option. There is a handy GCS stream wrapper available, so you can use the GCS bucket as if they are local directory (of course it's slower than the local disk).

On Mon, Apr 24, 2017 at 11:22 AM 'Jordan (Cloud Platform Support)' via Google App Engine <google-a...@googlegroups.com> wrote:

Is there a specific reason why you require the need to perform writes to your 'public/app' folder? Scalable applications in the cloud should normally never perform writes to the local filesystem, as data written in an App Engine instance is released with the instance when it is no longer needed (e.g. when incoming traffic reduces and your App Engine instances scale down).

It is recommended you perform writes to a non-volatile/persistent location like Google Cloud Storage or the Google Cloud Datastore that can be written/read by your application running in multiple App Engine instances. You can follow the Reading and Writing Files guide for PHP which explains how to use Google Cloud Storage as a wrapper for reading and writing files in an App Engine PHP app.

--

You received this message because you are subscribed to the Google Groups "Google App Engine" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-appengi...@googlegroups.com.
To post to this group, send email to google-a...@googlegroups.com.

Visit this group at https://groups.google.com/group/google-appengine.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/cbe25784-7636-4b88-9386-e680877f6318%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

-- Takashi

[Donatas Petrauskas]

I use PyroCMS and it requires public/app permissions to write admin area image thumbnails and public assets like css and js files. They can be lost, as they get regenerated if the files are not there. However, I do agree with Jordan, there shouldn't be any writes to the public folder on prod, but I'm stuck with that for now. I will have a look at the GCS option, thanks.

[Takashi Matsuo]

Hi Donatas,

We're re-designing the image build process. I think we should provide a way to opt out from the permission locking behavior. I'll let you know when it's available.

For a time be-ing, you can use the custom runtime.

```app.yaml

env: flex

runtime: custom

```

Dockerfile

```                                                                                                                                             

FROM gcr.io/google-appengine/php:latest

                                                                                                                                        

ENV DOCUMENT_ROOT /app/public

RUN chmod +x /app/entrypoint.sh

ENTRYPOINT ["/app/entrypoint.sh"]

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

```

Then copy the entrypoint.sh to your project directory and delete these lines:

```

# Lock down the DOCUMENT_ROOT                                                                                                                                      

chown -R root.www-data ${DOCUMENT_ROOT}

chmod -R 550 ${DOCUMENT_ROOT}

```

Then the public directory permission won't be overridden.

Thanks,

To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/c55a7765-6eb1-40e7-bd14-208b11fd7987%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

-- Takashi

[Gary Aure]

Hi,

I have the same question. I need a specific folder in flexible environment to be writable because I am using a chunk uploader that does not support Cloud Storage for temporary storing chunked files. Chunked were deleted once the whole file has completed uploading.

[Santhosh Viswanathan]

Hello Takashi Matsuo,

Has the public folder permission option changed in Google App Engine Flexible ?

I am unable to use WP-ALL-IMPORT Plugin. I get "Uploads folder gs://gcs-media-uploads/1/wpallimport/logs must be writable”

I also tried WP ALL IN ONE MIGRATION Plugin. I get 

"All in One WP Migration is not able to create /app/wordpress/wp-content/ai1wm-backups folder. You will need to create this folder and grant it read/write/execute permissions (0777) for the All in One WP Migration plugin to function properly."

Can you give more simple details to solve the problem?