Single-runtime image

See all of the options for controlling your apps and how they’re built and deployed on Platform.sh.

For single-app projects, the configuration is all done in a .platform.app.yaml file, usually located at the root of your app folder in your Git repository. Multi-app projects can be set up in various ways.

See a comprehensive example of a configuration in a .platform.app.yaml file.

For reference, see a log of changes to app configuration.

Top-level properties

The following table presents all properties available at the top level of the YAML for the app.

The column Set in instance? defines whether the given property can be overridden within a web or workers instance. To override any part of a property, you have to provide the entire property.

Root directory

Some of the properties you can define are relative to your app’s root directory. The root defaults to the location of your .platform.app.yaml file.

That is, if a custom value for source.root is not provided in your configuration, the default behavior is equivalent to the above.

To specify another directory, for example for a multi-app project, use the source.root property.

Types

The type defines the base container image used to run the application. The version is the major (X) and sometimes minor (X.Y) version numbers, depending on the service, as in the following table. Security and other patches are taken care of for you automatically.

Available languages and their supported versions:

Example configuration

These are used in the format runtime:version:

type: 'php:8.3'

Sizes

Resources are distributed across all containers in an environment from the total available from your plan size. So if you have more than just a single app, it doesn’t get all of the resources available. Each environment has its own resources and there are different sizing rules for preview environments.

By default, resource sizes (CPU and memory) are chosen automatically for an app based on the plan size and the number of other containers in the cluster. Most of the time, this automatic sizing is enough.

You can set sizing suggestions for production environments when you know a given container has specific needs. Such as a worker that doesn’t need much and can free up resources for other apps. To do so, set size to one of the following values:

• S
• M
• L
• XL
• 2XL
• 4XL

The total resources allocated across all apps and services can’t exceed what’s in your plan.

Container profiles: CPU and memory

By default, Platform.sh allocates a container profile to each app and service depending on:

• The range of resources it’s expected to need
• Your plan size, as resources are distributed across containers. Ideally you want to give databases the biggest part of your memory, and apps the biggest part of your CPU.

The container profile and the size of the container determine how much CPU and memory (in MB) the container gets.

There are three container profiles available: HIGH_CPU, BALANCED, and HIGH_MEMORY.

HIGH_CPU container profile

BALANCED container profile

HIGH_MEMORY container profile

Container profile reference

The following table shows which container profiles Platform.sh applies when deploying your project.

Sizes in preview environments

Containers in preview environments don’t follow the size specification. Application containers are set based on the plan’s setting for Environments application size. The default is size S, but you can increase it by editing your plan. (Service containers in preview environments are always set to size S.)

Relationships

To allow containers in your project to communicate with one another, you need to define relationships between them. You can define a relationship between an app and a service, or between two apps.

The quickest way to define a relationship between your app and a service is to use the service’s default endpoint.
However, some services allow you to define multiple databases, cores, and/or permissions. In these cases, you can’t rely on default endpoints. Instead, you can explicitly define multiple endpoints when setting up your relationships.

To define a relationship between your app and a service:

relationships:
    SERVICE_NAME:

relationships:
    mariadb:

relationships:
    mariadb:
        service: mariadb
        endpoint: mysql

relationships:
    mariadb:
    redis:
    elasticsearch:

relationships: {SERVICE_NAME_A, SERVICE_NAME_B, SERVICE_NAME_C}

SERVICE_NAME_A:
    type: mariadb:11.4
    disk: 256
SERVICE_NAME_B:
    type: redis:7.2
    disk: 256
SERVICE_NAME_C:
    type: elasticsearch:8.5
    disk: 256

relationships:
    RELATIONSHIP_NAME:
        service: SERVICE_NAME
        endpoint: ENDPOINT_NAME

relationships:
    database: # The name of the relationship.
        service: mariadb
        endpoint: db1

relationships:
    database1:
        service: mariadb
        endpoint: admin
    database2:
        service: mariadb
        endpoint: legacy
    cache:
        service: redis
    search:
        service: elasticsearch

relationships:
    <RELATIONSHIP_NAME>: "<SERVICE_NAME>:<ENDPOINT_NAME>"

relationships:
    database: "mariadb:mysql"

Available disk space

The maximum total space available to all apps and services is set by the storage in your plan settings. When deploying your project, the sum of all disk keys defined in app and service configurations must be equal or less than the plan storage size.

So if your plan storage size is 5 GB, you can, for example, assign it in one of the following ways:

• 2 GB to your app, 3 GB to your database
• 1 GB to your app, 4 GB to your database
• 1 GB to your app, 1 GB to your database, 3 GB to your OpenSearch service

If you exceed the total space available, you receive an error on pushing your code. You need to either increase your plan’s storage or decrease the disk values you’ve assigned.

You configure the disk size in MB. Your actual available disk space is slightly smaller with some space used for formatting and the filesystem journal. When checking available space, note whether it’s reported in MB or MiB.

Downsize a disk

You can decrease the size of an existing disk for an app. If you do so, be aware that:

• Backups from before the downsize are incompatible and can no longer be used. You need to create new backups.
• The downsize fails if there’s more data on the disk than the desired size.

Mounts

After your app is built, its file system is read-only. To make changes to your app’s code, you need to use Git.

For enhanced flexibility, Platform.sh allows you to define and use writable directories called “mounts”. Mounts give you write access to files generated by your app (such as cache and log files) and uploaded files without going through Git.

When you define a mount, you are mounting an external directory to your app container, much like you would plug a hard drive into your computer to transfer data.

Define a mount

To define a mount, use the following configuration:

mounts:
    'MOUNT_PATH':
        source: MOUNT_TYPE
        source_path: SOURCE_PATH_LOCATION

MOUNT_PATH is the path to your mount within the app container (relative to the app’s root). If you already have a directory with that name, you get a warning that it isn’t accessible after the build. See how to troubleshoot the warning.

The accessibility to the web of a mounted directory depends on the web.locations configuration. Files can be all public, all private, or with different rules for different paths and file types.

Note that when you remove a local mount from your .platform.app.yaml file, the mounted directory isn’t deleted. The files still exist on disk until manually removed (or until the app container is moved to another host during a maintenance operation in the case of a tmp mount).

Example configuration

mounts:
    'web/uploads':
        source: local
        source_path: uploads
    '/.tmp_platformsh':
        source: tmp
        source_path: files/.tmp_platformsh
    '/build':
        source: local
        source_path: files/build
    '/.cache':
        source: tmp
        source_path: files/.cache
    '/node_modules/.cache':
        source: tmp
        source_path: files/node_modules/.cache

For examples of how to set up a service mount, see the dedicated Network Storage page.

Ensure continuity when changing the name of your mount

Changing the name of your mount affects the default source_path.

Say you have a /my/cache/ mount with an undefined source_path:

mounts:
    '/my/cache/':
        source: tmp

If you rename the mount to /cache/files/, it will point to a new, empty /cache/files/ directory.

To ensure continuity, you need to explicitly define the source_path as the previous name of the mount, without leading or trailing slashes:

mounts:
   '/cache/files/':
       source: tmp
       source_path: my/cache

The /cache/files/ mount will point to the original /my/cache/ directory, maintaining access to all your existing files in that directory.

Overlapping mounts

The locations of mounts as they are visible to application containers can overlap somewhat. For example:

applications:
  my_app:
    # ...
    mounts:
      'var/cache_a':
        source: service
        service: ns_service
        source_path: cacheA
      'var/cache_b':
        source: tmp
        source_path: cacheB
      'var/cache_c':
        source: local
        source_path: cacheC

In this case, it does not matter that each mount is of a different source type. Each mount is restricted to a subfolder within var, and all is well.

The following, however, is not allowed and will result in a failure:

applications:
  my_app:
    # ...
    mounts:
      'var/':
        source: service
        service: ns_service
        source_path: cacheA
      'var/cache_b':
        source: tmp
        source_path: cacheB
      'var/cache_c':
        source: local
        source_path: cacheC

The service mount type specifically exists to share data between instances of the same application, whereas tmp and instance are meant to restrict data to build time and runtime of a single application instance, respectively. These allowances are not compatible, and will result in an error if pushed.

Web

Use the web key to configure the web server running in front of your app. Defaults may vary with a different image type.

See some examples of how to configure what’s served.

Web commands

Example:

web:
    commands:
        start: 'uwsgi --ini conf/server.ini'

This command runs every time your app is restarted, regardless of whether or not new code is deployed.

Required command

On all containers other than PHP, the value for start should be treated as required.

On PHP containers, it’s optional and defaults to starting PHP-FPM (/usr/bin/start-php-app). It can also be set explicitly on a PHP container to run a dedicated process, such as React PHP or Amp. See how to set up alternate start commands on PHP.

Upstream

For PHP, the defaults are configured for PHP-FPM and shouldn’t need adjustment. For all other containers, the default for protocol is http.

The following example is the default on non-PHP containers:

web:
    upstream:
        socket_family: tcp
        protocol: http

Where to listen

Where to listen depends on your setting for web.upstream.socket_family (defaults to tcp).

If your application isn’t listening at the same place that the runtime is sending requests, you see 502 Bad Gateway errors when you try to connect to your website.

Locations

Each key in the locations dictionary is a path on your site with a leading /. For example.com, a / matches example.com/ and /admin matches example.com/admin. When multiple keys match an incoming request, the most-specific applies.

The following table presents possible properties for each location:

Rules

The rules dictionary can override most other keys according to a regular expression. The key of each item is a regular expression to match paths exactly. If an incoming request matches the rule, it’s handled by the properties under the rule, overriding any conflicting rules from the rest of the locations dictionary.

Under rules, you can set all of the other possible locations properties except root, index and request_buffering.

In the following example, the allow key disallows requests for static files anywhere in the site. This is overridden by a rule that explicitly allows common image file formats.

web:
    locations:
        '/':
            # Handle dynamic requests
            root: 'public'
            passthru: '/index.php'
            # Disallow static files
            allow: false
            rules:
                # Allow common image files only.
                '\.(jpe?g|png|gif|svgz?|css|js|map|ico|bmp|eot|woff2?|otf|ttf)$':
                    allow: true

Request buffering

Request buffering is enabled by default to handle chunked requests as most app servers don’t support them. The following table shows the keys in the request_buffering dictionary:

The default configuration would look like this:

web:
    locations:
        '/':
            passthru: true
            request_buffering:
                enabled: true
                max_request_size: 250m

Workers

Workers are exact copies of the code and compilation output as a web instance after a build hook. They use the same container image.

Workers can’t accept public requests and so are suitable only for background tasks. If they exit, they’re automatically restarted.

The keys of the workers definition are the names of the workers. You can then define how each worker differs from the web instance using the top-level properties.

Each worker can differ from the web instance in all properties except for:

• build and dependencies properties, which must be the same
• crons as cron jobs don’t run on workers
• hooks as the build hook must be the same and the deploy and post_deploy hooks don’t run on workers.

A worker named queue that was small and had a different start command could look like this:

workers:
    queue:
        size: S
        commands:
            start: |
                ./worker.sh                

For resource allocation, using workers in your project requires a Medium plan or larger.

Access

The access dictionary has one allowed key:

In the following example, only users with admin permissions for the given environment type can access the deployed environment via SSH:

access:
    ssh: admin

Variables

Platform.sh provides a number of ways to set variables. Variables set in your app configuration have the lowest precedence, meaning they’re overridden by any conflicting values provided elsewhere.

All variables set in your app configuration must have a prefix. Some prefixes have specific meanings.

Variables with the prefix env are available as a separate environment variable. All other variables are available in the PLATFORM_VARIABLES environment variable.

The following example sets two variables:

• A variable named env:AUTHOR with the value Juan that’s available in the environment as AUTHOR
• A variable named d8config:system.site:name with the value My site rocks that’s available in the PLATFORM_VARIABLES environment variable

variables:
    env:
        AUTHOR: 'Juan'
    d8config:
        "system.site:name": 'My site rocks'

You can also define and access more complex values.

Firewall

Set limits in outbound traffic from your app with no impact on inbound requests.

The outbound key is required and contains one or more rules. The rules define what traffic is allowed; anything unspecified is blocked.

Each rule has the following properties where at least one is required and ips and domains can’t be specified together:

The default settings would look like this:

firewall:
    outbound:
        - ips: ["0.0.0.0/0"]

Support for rules

Where outbound rules for firewalls are supported in all environments. For Dedicated Gen 2 projects, contact support for configuration.

Multiple rules

Multiple firewall rules can be specified. In such cases, a given outbound request is allowed if it matches any of the defined rules.

So in the following example requests to any IP on port 80 are allowed and requests to 1.2.3.4 on either port 80 or 443 are allowed:

firewall:
    outbound:
        - ips: ["1.2.3.4/32"]
          ports: [443]
        - ports: [80]

Outbound traffic to CDNs

Be aware that many services are behind a content delivery network (CDN). For most CDNs, routing is done via domain name, not IP address, so thousands of domain names may share the same public IP addresses at the CDN. If you allow the IP address of a CDN, you are usually allowing many or all of the other customers hosted behind that CDN.

Outbound traffic by domain

You can filter outbound traffic by domain. Using domains in your rules rather than IP addresses is generally more specific and secure. For example, if you use an IP address for a service with a CDN, you have to allow the IP address for the CDN. This means that you allow potentially hundreds or thousands of other servers also using the CDN.

An example rule filtering by domain:

firewall:
    outbound:
        - protocol: tcp
        domains: ["api.stripe.com", "api.twilio.com"]
        ports: [80, 443]
        - protocol: tcp
        ips: ["1.2.3.4/29","2.3.4.5"]
        ports: [22]

Determine which domains to allow

To determine which domains to include in your filtering rules, find the domains your site has requested the DNS to resolve. Run the following command to parse your server’s dns.log file and display all Fully Qualified Domain Names that have been requested:

awk '/query\[[^P]\]/ { print $6 | "sort -u" }' /var/log/dns.log

The output includes all DNS requests that were made, including those blocked by your filtering rules. It doesn’t include any requests made using an IP address.

Example output:

facebook.com
fastly.com
platform.sh
www.google.com
www.platform.sh

Build

The only property of the build dictionary is flavor, which specifies a default set of build tasks to run. Flavors are language-specific.

See what the build flavor is for your language:

• Node.js
• PHP

In all languages, you can also specify a flavor of none to take no action at all (which is the default for any language other than PHP and Node.js).

build:
    flavor: none

Dependencies

Installs global dependencies as part of the build process. They’re independent of your app’s dependencies and are available in the PATH during the build process and in the runtime environment. They’re installed before the build hook runs using a package manager for the language.

The format for package names and version constraints are defined by the specific package manager.

An example of dependencies in multiple languages:

dependencies:
    php: # Specify one Composer package per line.
        drush/drush: '8.0.0'
        composer/composer: '^2'
    python2: # Specify one Python 2 package per line.
        behave: '*'
        requests: '*'
    python3: # Specify one Python 3 package per line.
        numpy: '*'
    ruby: # Specify one Bundler package per line.
        sass: '3.4.7'
    nodejs: # Specify one NPM package per line.
        pm2: '^4.5.0'

Hooks

There are three different hooks that run as part of the process of building and deploying your app. These are places where you can run custom scripts. They are: the build hook, the deploy hook, and the post_deploy hook. Only the build hook is run for worker instances, while web instances run all three.

The process is ordered as:

1. Variables accessible at build time become available.
2. Build flavor runs if applicable.
3. Any dependencies are installed.
4. The build hook is run.
5. The file system is changed to read only (except for any mounts).
6. The app container starts. Variables accessible at runtime and services become available.
7. The deploy hook is run.
8. The app container begins accepting requests.
9. The post_deploy hook is run.

Note that if an environment changes by no code changes, only the last step is run. If you want the entire process to run, see how to manually trigger builds.

Writable directories during build

During the build hook, there are three writeable directories:

• PLATFORM_APP_DIR: Where your code is checked out and the working directory when the build hook starts. Becomes the app that gets deployed.
• PLATFORM_CACHE_DIR: Persists between builds, but isn’t deployed. Shared by all builds on all branches.
• /tmp: Isn’t deployed and is wiped between each build. Note that PLATFORM_CACHE_DIR is mapped to /tmp and together they offer about 8GB of free space.

Hook failure

Each hook is executed as a single script, so they’re considered to have failed only if the final command in them fails. To cause them to fail on the first failed command, add set -e to the beginning of the hook.

If a build hook fails for any reason, the build is aborted and the deploy doesn’t happen. Note that this only works for build hooks – if other hooks fail, the app is still deployed.

Automated testing

It’s preferable that you set up and run automated tests in a dedicated CI/CD tool. Relying on Platform.sh hooks for such tasks can prove difficult.

During the build hook, you can halt the deployment on a test failure but the following limitations apply:

• Access to services such as databases, Redis, Vault KMS, and even writable mounts is disabled. So any testing that relies on it is sure to fail.
• If you haven’t made changes to your app, an existing build image is reused and the build hook isn’t run.
• Test results are written into your app container, so they might get exposed to a third party.

During the deploy hook, you can access services but you can’t halt the deployment based on a test failure. Note that there are other downsides:

• Your app container is read-only during the deploy hook, so if your tests need to write reports and other information, you need to create a file mount for them.
• Your app can only be deployed once the deploy hook has been completed. Therefore, running automated testing via the deploy hook generates slower deployments.
• Your environment isn’t available externally during the deploy hook. Unit and integration testing might work without the environment being available, but you can’t typically perform end-to-end testing until after the environment is up and available.

Crons

The keys of the crons definition are the names of the cron jobs. The names must be unique.

If an application defines both a web instance and worker instances, cron jobs run only on the web instance.

See how to get cron logs.

The following table shows the properties for each job:

Note that you can cancel pending or running crons.

Cron commands

crons:
    mycommand:
        spec: 'H * * * *'
        commands:
            start: sleep 60 && echo sleep-60-finished && date
            stop: killall sleep
        shutdown_timeout: 18

In this example configuration, the cron specification uses the H syntax.

Note that this syntax is only supported on Grid and Dedicated Gen 3 projects. On Dedicated Gen 2 projects, use the standard cron syntax.

Example cron jobs

type: 'php:8.3'
crons:
    # Run Drupal's cron tasks every 19 minutes.
    drupal:
        spec: '*/19 * * * *'
        commands:
            start: 'cd web ; drush core-cron'
    # But also run pending queue tasks every 7 minutes.
    # Use an odd number to avoid running at the same time as the `drupal` cron.
    drush-queue:
        spec: '*/7 * * * *'
        commands:
            start: 'cd web ; drush queue-run aggregator_feeds'

type: 'ruby:3.3'
crons:
    # Execute a rake script every 19 minutes.
    ruby:
        spec: '*/19 * * * *'
        commands:
            start: 'bundle exec rake some:task'

type: 'php:8.3'
crons:
    # Run Laravel's scheduler every 5 minutes.
    scheduler:
        spec: '*/5 * * * *'
        commands:
            start: 'php artisan schedule:run'

type: 'php:8.3'
crons:
    # Take a backup of the environment every day at 5:00 AM.
    snapshot:
        spec: 0 5 * * *
        commands:
            start: |
                # Only run for the production environment, aka main branch
                if [ "$PLATFORM_ENVIRONMENT_TYPE" = "production" ]; then
                    croncape symfony ...
                fi                

Conditional crons

If you want to set up customized cron schedules depending on the environment type, define conditional crons. To do so, use a configuration similar to the following:

crons:
  update:
    spec: '0 0 * * *'
    commands:
      start: |
        if [ "$PLATFORM_ENVIRONMENT_TYPE" = production ]; then
          platform backup:create --yes --no-wait
          platform source-operation:run update --no-wait --yes
        fi        

Cron job timing

Minimum time between cron jobs being triggered:

For each app container, only one cron job can run at a time. If a new job is triggered while another is running, the new job is paused until the other completes.

To minimize conflicts, a random offset is applied to all triggers. The offset is a random number of seconds up to 20 minutes or the cron frequency, whichever is smaller.

Crons are also paused while activities such as backups are running. The crons are queued to run after the other activity finishes.

To run cron jobs in a timezone other than UTC, set the timezone property.

Paused crons

Preview environments are often used for a limited time and then abandoned. While it’s useful for environments under active development to have scheduled tasks, unused environments don’t need to run cron jobs. To minimize unnecessary resource use, crons on environments with no deployments are paused.

This affects all environments that aren’t live environments. This means all environments on Development plans and all preview environments on higher plans.

Such environments with deployments within 14 days have crons with the status running. If there haven’t been any deployments within 14 days, the status is paused.

You can see the status in the Console or using the CLI by running platform environment:info and looking under deployment_state.

Restarting paused crons

If the crons on your preview environment are paused but you’re still using them, you can push changes to the environment or redeploy it.

To restart crons without changing anything:

platform redeploy

Runtime

The following table presents the various possible modifications to your PHP or Lisp runtime:

You can also set your app’s runtime timezone.

Extensions

You can enable PHP extensions just with a list of extensions:

runtime:
    extensions:
        - geoip
        - tidy

Alternatively, if you need to include configuration options, use a dictionary for that extension:

runtime:
    extensions:
        - geoip
        - name: blackfire
          configuration:
            server_id: foo
            server_token: bar

In this case, the name property is required.

Sizing hints

The following table shows the properties that can be set in sizing_hints:

See more about PHP-FPM workers and sizing.

Source

The following table shows the properties that can be set in source:

Additional hosts

If you’re using a private network with specific IP addresses you need to connect to, you might want to map those addresses to hostnames to better remember and organize them. In such cases, you can add a map of those IP addresses to whatever hostnames you like. Then when your app tries to access the hostname, it’s sent to the proper IP address.

So in the following example, if your app tries to access api.example.com, it’s sent to 192.0.2.23.

additional_hosts:
  api.example.com: "192.0.2.23"
  web.example.com: "203.0.113.42"

This is equivalent to adding the mapping to the /etc/hosts file for the container.