Show Table of Contents
Chapter 3. Locking Cartridges
Cartridge instances on a gear are either locked or unlocked at any given time. Locking a cartridge enables cartridge scripts to have greater access to the gear's files and directories. Application developers have read and write access to unlocked files, and read-only access to locked files. This means that application scripts and hooks cannot override cartridge code when the cartridge is locked.
OpenShift Enterprise controls the lock state of cartridges, moving them between locked and unlocked at various points in the cartridge life cycle.
A cartridge with no
locked_files entry in the $cartridge_name/metadata/managed_files.yml file is permanently unlocked. This approach is not recommended, but it may be sufficient for simple cartridges.
Note
Cartridge file locking is not a security measure. It is designed to prevent application developers from accidentally breaking their applications by modifying cartridge files.
3.1. Cartridge Lock Configuration
The
locked_files entry in the $cartridge_name/metadata/managed_files.yml file lists files and directories that OpenShift Enterprise locks at certain points during the cartridge life cycle.
If a file in the
locked_files list does not exist, OpenShift Enterprise creates the file before your setup script is called. OpenShift Enterprise also creates missing directories if required.
If files require application developers to have read and write access to them while an application is deploying and running, do not allow OpenShift Enterprise to create them from the
locked_files list. For example, create ~/.node-gyp and ~/.npm in a node.js cartridge using a setup or install script.
Entries that begin with
~/ start at the gear directory. All other entries start at the cartridge directory. Entries that end with a forward slash (/) are treated as directories. Entries that end with an asterisk (*) are treated as lists of files. Entries that end with any other character are treated as files.
Note
OpenShift Enterprise does not change entry types. For example, if you enter a directory without a forward slash (/) at the end, OpenShift Enterprise treats it as a file. A cartridge can fail to operate if its
locked_files entries are not accurate.
Example 3.1. PHP locked_files Configuration Entry
locked_files: - ~/.pearrc - bin/ - conf/*
Explanation:
~/.pearrc: when locked, you can edit this file but application developers cannot.php/bin/: the directory is locked but not the files it contains. Only you can add files to the directory, but both you and application developers can edit those files.php/conf/*: the directory is not locked, but the files in the directory are locked. Both you and application developers can add files to the directory, but only you can edit them.
Reserved Files
All visible files and directories in a gear's home directory are reserved. Certain hidden files are also reserved. While a cartridge is unlocked, you can create any unreserved hidden file or directory in the gear's home directory.
Reserved Hidden Files
~/.ssh~/.sandbox~/.tmp~/.env
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.