Guidance

Responsibility model

Your responsibilities differ depending on whether you use a standard buildpack, custom buildpack or Docker image to deploy your app.

Responsibility                                    Standard buildpack   Custom buildpack   Docker images
Your app                                          Yours                Yours              Yours
  - apply security updates to app dependencies
  - run pen tests
Language / runtime                                PaaS                 Yours              Yours
  - update language and runtime
  - provide consistent app build process
  - monitor and patch runtime vulnerabilities
Base operating system                             PaaS                 PaaS               Yours
  - update OS libraries
App instance lifecycle                            PaaS                 PaaS               PaaS
  - ensure app is running
  - ensure high availability
  - ensure provisioning capacity
  - stream application logs and metrics
Backing services                                  PaaS                 PaaS               PaaS
  - maintain service availability
  - apply security patches
Underlying infrastructure                         PaaS                 PaaS               PaaS
  - resolve hardware failures
  - encrypt network data traffic

Standard buildpacks

You are only responsible for the app code and its dependencies. This includes penetration testing your app.

If you’re relatively new to cloud or have a small development team, we recommend using the standard buildpacks to maximise the support you will receive from GOV.UK PaaS.

Custom buildpacks

You are responsible for managing a custom buildpack’s language and runtime, as well as the app code and its dependencies. This applies both to setting up the app, and running it in production.

When setting up the app:

  • Use a buildpack that has been created and is maintained by a community (rather than creating your own buildpack), so that you can ask that community for support with any issues
  • Test deploy with the buildpack early in your build process, not just before go-live

When running the app in production:

  • Ensure you have sufficient time to fix issues yourself, as relying on a custom buildpack for deadline-driven development may be risky
  • Regularly maintain your buildpack to update your runtime and dependencies as new security vulnerabilities are discovered and fixed
  • We may not be able to offer support for P1 or out-of-hours incidents and standard SLAs will not apply

Contact us at gov-uk-paas-support@digital.cabinet-office.gov.uk if you are interested in this feature. If a custom buildpack is requested by multiple tenants, we will look into improving our support in this area.

Docker images

You are responsible for your Docker container and custom image. Learn about this experimental feature.

Custom buildpacks compared to Docker images

Custom buildpacks provide some advantages over choosing a Docker solution:

  • they provide a standard way of building and staging apps
  • they are not dependent on a Docker registry such as Docker Hub being available
  • there is a large variety of open source buildpacks, meaning your deployment pipeline doesn’t need to include Docker image creation
  • buildpacks are designed for 12-factor apps; some Docker images may contain databases or other forms of storage that should be provisioned as an external backing service

Docker images also provide some advantages over custom buildpacks:

  • the same image can be run locally on developer machines, or on any Linux-based machine
  • exactly the same Docker image can be promoted between environments as an immutable asset, rather than being rebuilt each time (CF support for this is still experimental)

Penetration testing

It is your responsibility to penetration test your app to make sure it’s secure. Note that you can only penetration test your app; you cannot penetration test the platform.

You must send the information below to gov-uk-paas-support@digital.cabinet-office.gov.uk so that we are aware of your penetration test and can approve it.

Supplied by the penetration tester:

  • Tester phone number
  • Emergency email and phone number contact details
  • Will the requests originate from the tester’s office?
  • The origin IPs
  • Peak bandwidth that the tests will consume in gigabits per second
  • Peak number of requests per second the tests will perform
  • Start and end dates and times of the test in the format YYYY-MM-DDTHH:MM:SSZ, for example 2017-09-26T09:00:00Z
  • Is it possible to stop the test immediately if there is an issue?

If your request is approved, your penetration test is only authorised for the dates and times you have specified.

Further information

You can find more information on penetration testing in:

Connect a PHP app to PostgreSQL or MySQL

If your PHP app uses a PostgreSQL or MySQL database, it must connect to that database securely using SSL.

These instructions assume that your app uses the PHP Data Objects (PDO) library to connect to either a MySQL or PostgreSQL backing service database.

You must configure your app to use an SSL connection by inserting the following code into the config.ini file located within .bp-config/php/php.ini.d/ (load pdo_mysql.so for MySQL or pdo_pgsql.so for PostgreSQL):

extension=pdo.so
; use pdo_mysql.so for MySQL, or pdo_pgsql.so for PostgreSQL
extension=pdo_mysql.so
extension=openssl.so

You should use this method instead of the now-deprecated method of defining PHP extensions in the .bp-config/options.json buildpack config file.

You can find more information about how to configure the PHP buildpack at the PHP buildpack configuration documentation.

Refer to the code below for examples on how to connect your app to MySQL or PostgreSQL.

Example code - MySQL

<?php
// Read the credentials Cloud Foundry injects for the bound MySQL service
$vcapServices = json_decode(getenv('VCAP_SERVICES'), true);
$creds = $vcapServices['mysql'][0]['credentials'];

try {
  $pdo = new PDO(
    sprintf('mysql:host=%s;port=%d;dbname=%s', $creds['host'], $creds['port'], $creds['name']),
    $creds['username'],
    $creds['password'],
    array(
      // Point the MySQL client at the system CA directory so it negotiates SSL
      PDO::MYSQL_ATTR_SSL_CAPATH => '/etc/ssl/certs',
      // Report connection and query failures as exceptions rather than false
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    )
  );
  printf("Result was: %s\n", $pdo->query('SELECT 1')->fetchColumn());
} catch (Exception $e) {
  printf("Error: %s\n", $e->getMessage());
}

Example code - PostgreSQL

<?php
// Read the credentials Cloud Foundry injects for the bound PostgreSQL service
$vcapServices = json_decode(getenv('VCAP_SERVICES'), true);
$creds = $vcapServices['postgres'][0]['credentials'];

try {
  $pdo = new PDO(
    // sslmode=require makes libpq fail rather than fall back to a plaintext connection
    sprintf('pgsql:host=%s;port=%d;dbname=%s;sslmode=require', $creds['host'], $creds['port'], $creds['name']),
    $creds['username'],
    $creds['password'],
    // Report connection and query failures as exceptions rather than false
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)
  );
  printf("Result was: %s\n", $pdo->query('SELECT 1')->fetchColumn());
} catch (Exception $e) {
  printf("Error: %s\n", $e->getMessage());
}
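Both snippets above have the same blind spot: neither confirms that the session actually negotiated SSL, and with the MySQL driver a CAPATH alone does not verify the server certificate. The following added example (it is not from the GOV.UK PaaS documentation) folds the MySQL and PostgreSQL cases into one helper that refuses to connect without encryption and then asks the server whether the session is encrypted. It assumes PHP 7.3 or later with pdo_mysql and pdo_pgsql loaded and a PostgreSQL server of 9.5 or later (for pg_stat_ssl); the function names, the $verifyServerCert switch and the embedded VCAP_SERVICES JSON are constructed for the example.

```php
<?php
// Added example, not the GOV.UK PaaS documentation's own code. Builds a TLS-only
// PDO connection from VCAP_SERVICES for MySQL or PostgreSQL and then checks,
// server-side, that the session really is encrypted.
declare(strict_types=1);

// Constructed sample of the VCAP_SERVICES JSON Cloud Foundry injects; real hosts,
// ports and credentials differ. Used only when the real variable is absent.
const SAMPLE_VCAP_SERVICES = '{
  "mysql":    [{"credentials": {"host": "mysql.example.internal", "port": 3306,
                "name": "appdb", "username": "app", "password": "constructed"}}],
  "postgres": [{"credentials": {"host": "pg.example.internal", "port": 5432,
                "name": "appdb", "username": "app", "password": "constructed"}}]
}';

/** Credentials for the first bound instance of $service, or an exception that says why not. */
function serviceCredentials(string $service, ?string $vcapJson = null): array
{
    $json = $vcapJson ?? getenv('VCAP_SERVICES');
    if ($json === false || $json === '') {
        throw new RuntimeException('VCAP_SERVICES is not set; is the app bound to a service?');
    }
    $services = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (empty($services[$service][0]['credentials'])) {
        throw new RuntimeException("No bound instance of service '$service' in VCAP_SERVICES");
    }
    return $services[$service][0]['credentials'];
}

/** Open a PDO connection that errors out instead of falling back to plaintext. */
function connectWithTls(string $service, array $creds, bool $verifyServerCert = false): PDO
{
    $options = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
    if ($service === 'mysql') {
        $dsn = sprintf('mysql:host=%s;port=%d;dbname=%s', $creds['host'], $creds['port'], $creds['name']);
        $options[PDO::MYSQL_ATTR_SSL_CAPATH] = '/etc/ssl/certs';
        // Assumption: the CA that signed the server certificate is present under the
        // CAPATH above. Without this flag the client encrypts but does not verify.
        $options[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] = $verifyServerCert;
    } elseif ($service === 'postgres') {
        // sslmode=require: libpq fails the connect rather than silently using plaintext
        $dsn = sprintf('pgsql:host=%s;port=%d;dbname=%s;sslmode=require',
                       $creds['host'], $creds['port'], $creds['name']);
    } else {
        throw new InvalidArgumentException("Unsupported service '$service'");
    }
    return new PDO($dsn, $creds['username'], $creds['password'], $options);
}

/** Ask the server which cipher protects this session; throw if it reports none. */
function assertTlsInUse(PDO $pdo): string
{
    $driver = $pdo->getAttribute(PDO::ATTR_DRIVER_NAME);
    if ($driver === 'mysql') {
        // SHOW STATUS returns (Variable_name, Value); Value is '' on a plaintext session
        $cipher = (string) $pdo->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetchColumn(1);
    } elseif ($driver === 'pgsql') {
        // pg_stat_ssl.cipher is NULL for the current backend when SSL is not in use
        $cipher = (string) $pdo->query('SELECT cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()')->fetchColumn();
    } else {
        throw new InvalidArgumentException("Unsupported driver '$driver'");
    }
    if ($cipher === '') {
        throw new RuntimeException("Connection to $driver is NOT encrypted");
    }
    return $cipher;
}

// Usage: run at startup so a misconfigured binding fails fast and visibly.
if (PHP_SAPI === 'cli') {
    foreach (['mysql', 'postgres'] as $service) {
        try {
            $creds = serviceCredentials($service, getenv('VCAP_SERVICES') ?: SAMPLE_VCAP_SERVICES);
            $pdo = connectWithTls($service, $creds);
            printf("%s: TLS in use (%s)\n", $service, assertTlsInUse($pdo));
        } catch (Throwable $e) {
            printf("%s: %s\n", $service, $e->getMessage());
        }
    }
}
```

Run it as a one-off task after binding the services; the embedded sample only stands in when VCAP_SERVICES is absent, so the constructed hosts will simply fail to resolve locally. Keep $verifyServerCert false until you have confirmed that the CA which signed your MySQL server certificate is present under /etc/ssl/certs, otherwise every connect fails; once confirmed, turn it on so a certificate swap is noticed rather than silently accepted.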

Connect Drupal to MySQL

If your Drupal app uses MySQL, it must connect to the database securely using SSL. You must configure Drupal to use an SSL connection by:

  • enabling required PHP extensions
  • setting up the database connection

Enable required PHP extensions

  1. Create a mysql.ini file within .bp-config/php/php.ini.d/.
  2. Add the following code to this .ini file:

    extension=pdo.so
    extension=pdo_mysql.so
    extension=openssl.so

    You should use this method instead of the now-deprecated method of defining PHP extensions in the .bp-config/options.json buildpack config file.

You can find more information about how to configure the PHP buildpack at the PHP buildpack configuration documentation.

Set up the database connection

Include the following code in your Drupal configuration file, located by default at sites/default/settings.php:

// Read the credentials Cloud Foundry injects for the bound MySQL service
$vcapServices = json_decode(getenv('VCAP_SERVICES'), true);
$mysqlCreds = $vcapServices['mysql'][0]['credentials'];

$databases['default']['default'] = array(
  'driver' => 'mysql',
  'database' => $mysqlCreds['name'],
  'username' => $mysqlCreds['username'],
  'password' => $mysqlCreds['password'],
  'host' => $mysqlCreds['host'],
  'port' => $mysqlCreds['port'],
  'prefix' => 'drupal_',
  'collation' => 'utf8mb4_general_ci', // For Drupal 8
  // 'collation' => 'utf8_general_ci', // For Drupal 7 or earlier
  // PDO options passed straight to the MySQL driver: system CA directory for SSL
  'pdo' => array(PDO::MYSQL_ATTR_SSL_CAPATH => '/etc/ssl/certs')
);

Connect Wordpress to MySQL

Your Wordpress app must connect to MySQL securely using SSL. You must configure Wordpress to use an SSL connection by:

  • enabling required PHP extensions
  • setting up the database connection
  • patching Wordpress to enable SSL connections

Enable required PHP extensions

  1. Create a mysql.ini file within .bp-config/php/php.ini.d/.
  2. Add the following code to this .ini file:

    extension=mysqli.so
    extension=openssl.so

    You should use this method instead of the deprecated method of defining PHP extensions in the .bp-config/options.json buildpack config file.

You can find more information about how to configure the PHP buildpack at the PHP buildpack configuration documentation.

Set up the database connection

Replace the database configuration code in your wp-config.php file with the following code:

// Read the credentials Cloud Foundry injects for the bound MySQL service
$vcapServices = json_decode(getenv('VCAP_SERVICES'), true);
$mysqlCreds = $vcapServices['mysql'][0]['credentials'];

define('DB_NAME', $mysqlCreds["name"]);
define('DB_USER', $mysqlCreds["username"]);
define('DB_PASSWORD', $mysqlCreds["password"]);
// Wordpress accepts "host:port"; including the port keeps a non-default port working
define('DB_HOST', $mysqlCreds["host"] . ':' . $mysqlCreds["port"]);
// Wordpress passes this value as the client flags to mysqli_real_connect()
define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);
// CA directory used by the mysqli_ssl_set() call added in the patch below
define('MYSQL_SSL_CAPATH', "/etc/ssl/certs");
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

Patch Wordpress to enable SSL connections

Insert the following code before the mysqli_real_connect function call in the wp-includes/wp-db.php file:

[...]

// Included block start
// Point the client at the CA directory before connecting. Together with
// MYSQLI_CLIENT_SSL in $client_flags (from MYSQL_CLIENT_FLAGS in wp-config.php),
// this makes the handshake below use SSL.
mysqli_ssl_set($this->dbh, null, null, null, MYSQL_SSL_CAPATH, null);
// Included block end

if ( WP_DEBUG ) {
    mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );
} else {
    @mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );
}
[...]

Useful Plugins

Conduit

Conduit enables you to connect from your local system to your remote backing service instances. This allows you to use the standard PostgreSQL and MySQL CLI tools to easily make backups and interrogate your backing services. For more information on how to implement this, check the Conduit readme on GitHub.

Upgrading from cflinuxfs2

When you run an app on the PaaS using a buildpack, it runs on top of a version of Ubuntu Linux. We are upgrading the version of Ubuntu used from Ubuntu Trusty to Ubuntu Bionic. In Cloud Foundry, this takes the form of upgrading the stack your apps use from cflinuxfs2 to cflinuxfs3.

Ubuntu Trusty is no longer getting security updates and to ensure the security of the platform we will need to forcibly upgrade all apps. It is possible that this will break your application. You can prevent this happening by manually upgrading.

To check if you are affected by this change, sign in to your GOV.UK PaaS admin tool for Ireland or London. Select each of your organisations. If you are affected then the interface will warn you and list the affected apps.

Newly created apps will automatically be on cflinuxfs3 unless you have specified cflinuxfs2.

To see what stack your app is using

If you look at your apps in your admin panel for Ireland or London, it will tell you the stack and whether you need to upgrade.

From the command line, run cf app NAME_OF_YOUR_APP and check the value shown next to stack: in the output.

To upgrade from cflinuxfs2 to cflinuxfs3

How you manually upgrade from cflinuxfs2 depends on how you deploy your app. You can:

  • Add stack: cflinuxfs3 to the manifest.yml of your app, and then redeploy that app;
  • Deploy a new app which will automatically use cflinuxfs3;
  • Specify the -s cflinuxfs3 argument when running cf push on your app.

Contact us by emailing gov-uk-paas-support@digital.cabinet-office.gov.uk if you have any questions.