Additional location for public apps other than /var/www/ood/apps/sys

[mjbludwig]

Hi All,

Figured I would reach out to see if this is a feature that might make sense for general support outside of it helping my container setup.

Would it make sense to have some configuration variable in ood_portal.yml named something like ood_extra_sys_apps_dir where an arbitrary location can be specified. Then OOD just adds that dir to the path it looks down for sys apps?

At the moment, /var/www/ood/apps/sys is the only directory for "system" apps. Folks then either add their custom apps to this dir or sym link them in place. For baremetal setups, this works beautifully but is a little restricting when trying to separate the "core" ood apps with other custom (but site wide apps) when using bind mounts into containers.

In my containerized setup, since each build of OOD might have some changes to those core apps, I don't want to have to maintain copies of those new apps outside the container and then bind mount them to /var/www/ood/apps/sys inside the container. What I currently do is not bind mount over /var/www/ood/apps/sys and instead via an entrypoint script in the container, I sym link my custom apps into place when the container starts. For instance, I will stick the custom apps in /srv/ood/apps/sys which the container bind mounts and my entrypoint then goes and sym links each one into place in /var/www/ood/apps/sys when the container starts.

If there was the ability for OOD to have a secondary or arbitrary additional directories for apps to live in, that would make it possible for me to just bind mount that extra location so then I can just add apps to that bind mounted dir and not rely on symlinks which currently need to be made by hand inside the container or by restarting it so the entrypoint will run and pickup the new dir to be symlinked.

Thanks!
Morgan

[johrstrom]

Why not just mount every one individually like /opt/some/myapp:/var/www/ood/apps/sys/app/myapp? My knee jerk reaction is to hesitate adding complexity on our side.

Since these are system installed apps there's a security concern here too where we'd likely have to check every directory and see if it's root owned.

[mjbludwig]

Ah yeah, didn't think about security there. I have done the per app mounts too but that also requires restarting the container.

I would say let's not worry about it then if you have reservations about what checks would be needed. Using my sym link method and restarting the container is honestly a pretty non-disruptive process anyways.

[johrstrom]

Well I'm happy to have the discussion at least, I just hesitate is all, not outright oppose it.

[mjbludwig]

Maybe we can float it at GOOD and see if there are other use cases. I know some of my deployments (both containerized and not) use git repos to maintain their apps (again usually then just sym linked in place once new apps are added) so I guess this might allow for that sym link step to not be needed?

[johrstrom]

Yea symlinks give me pause too for security reasons. Seems like if anything this should adhere to the allowlist paths which check the real location.

[mjbludwig]

If that is the case then there might be more impetus for this. I know at least half a dozen prod installs that use sym linking to put apps into place.