This article contains the updates required to create our 3-Tier demonstration app on PhotonOS 3 rather than v1.0 that was described in the original series from 2017.

If you are not familiar with the intent of the original pose, the idea is to have a distributed but simple “application” that can be used to demonstrate a variety of scenarios in a lab environment, including micro segmentation and load balancing (you can scale the web and app tiers pretty easily and part 5 covers some ideas). I add in some SSL to make things interesting and, hopefully, a bit more realistic. While the new VMs are a little larger than their old counterparts, PhotonOS still boots lightning fast in a vSphere VM.

I think this is equally useful for home labs as our Hands-on Labs environments and many of our customers agree.We have received a lot of positive feedback on these articles and some great suggestions for tweaks. Frankly, this update is long overdue.

For reference, the old series is available at the following links.


While my goal here is to keep things simple and flexible for the base app, some changes are required due to alterations in the packages included with the minimal PhotonOS installation that is provided, and others are modifications to make the app give a bit better “feel” and demo. Other changes are required because PhotonOS 2 and higher use Python 3.x rather than 2.x, so some syntax has to change in the script — I also cleaned up a bit of the code to make it more Pythonic.

Before we get too far into the text, a picture of the updated app.

Updated Diagram

One of the most requested changes was to move the db-01a VM from listening on port 80/tcp to something more”database-y” like, for example, 3306/tcp. This is the port that MySQL uses and some people feel that it gives the app more realism.

It is still HTTP traffic, but it looks more like a database on the network. The following updated diagram represents the configuration of this new version.

aplication diagram


Summary of Changes

Thanks to the simplicity of the application, the number of changes required has not been excessive

  • General updates
    • PhotonOS 3, Rev 2 base OVA
      • 1 vCPU
      • 2 GB RAM
      • 16 GB disk (thin provisioned and consumes ~700 MB once configured)
    • Updated scripts ( and due to Python 2.x to 3.x switch
      • NOTE: The updated scripts are available on github (
  • Build the Template (Part 1)
    • Begin with the new OVA
    • Open firewall port for 3306/tcp
    • A small hack to make Apache start properly after a reboot
  • DB Server (Part 2)
    • Installing sqlite (it is no longer part of the base install of PhotonOS)
    • Moving the database from listening on port 80 (http) to 3306 (mysql)
    • Updated script
    • Change different lines in httpd.conf (updated Apache config)
    • Specify the new port when testing/validating the setup
  • App Server (Part 3)
    • Updated script (includes the change required to access db-01a on port 3306)
    • Change different lines in httpd.conf (updated Apache config)
  • Web Server (Part 4)
    • No changes needed!

The Updates

  • Build the Template
  • Create the db-01a VM
  • Create the app-01a VM
  • Create the web-01a VM

Build the Template

We start with a PhotonOS 3 base OS. This guide assumes you are using Photon3-Rev2 – photon-hw11-3.0-9355405.ova – from

(If you prefer, you can also deploy your own VM using the ISO, selecting a Minimal installation, although you may have some additional work to do.)

Deploy a copy of the OVA into your environment and follow the same instructions as in the original document.

The process is nearly identical except for the following

Network interface config script has a new name

The file is named now.

Open port 3306/tcp in the firewall

When you modify the /etc/systemd/scripts/iptables file on your base template, make it look like this (added the open of tcp/3306)

#Enable ping by anyone
iptables -A INPUT -p icmp -j ACCEPT

#Enable web and app traffic 
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT

A small hack to make Apache start properly on boot

This version of PhotonOS wipes out the /var/run/httpd directory at startup, which breaks Apache. To make sure the webserver can start after a reboot, add the following line at the bottom of /usr/lib/tmpfiles.d/var.conf file

d /var/run/httpd 0755 - - -

Create the db-01a VM

Install sqlite

When installing httpd, also install the sqlite package with

# tdnf install sqlite

Updated script

Remembering that whitespace is very important in Python, use the following script in place of the one in the original article.

#!/usr/bin/env python3
# - script used to produce database results over HTTP for simple sqlite3 database

import cgi
import sqlite3

conn = sqlite3.connect('/etc/httpd/db/clients.db')
curs = conn.cursor()


form = cgi.FieldStorage()
querystring = form.getvalue("querystring")
if querystring != None:
    queryval = "%" + querystring + "%"
    select = "SELECT * FROM clients WHERE name LIKE '" + queryval + "'"
    select = "SELECT * FROM clients"

for row in curs.execute(select):
    if len(row) == 4:
        for item in row:


Change different lines in /etc/http/httpd.conf

  • Instead of line 176, go to 180 and add
LoadModule cgi_module /usr/lib/httpd/modules/
  • Instead of line 379, go to 383 and add
#database directory
<Directory "/etc/httpd/db">
AllowOverride None
Options None
Require all granted

NEW: Change listening port 80/tcp to 3306/tcp

  • On line 52, change
Listen 80 -> Listen 3306
  • And, on line 221, change
ServerName localhost:80 -> db-01a:3306

Specify the new port when testing/validating the setup

Because we changed the listening port, we need to update the command we use to test the functionality. You must specify the new port number as part of the test URL:

# curl http://db-01a:3306/cgi-bin/

Create the app-01a VM

There are fewer changes required to the app-01a VM since we are not making significant changes to the design at this layer.

Updated script

Remembering that whitespace is very important in Python, use the following script in place of the one in the original article.

#!/usr/bin/env python3

# - script used to process database results for presentation

import os
import cgi
import requests

webservers = {
  '': 'web-01a',
  '': 'web-02a',
  '': 'web-03a'

print("<head><title>Customer Database</title></head>\n")
print("<h1>Customer Database Access</h1>\n")

remote = os.getenv("REMOTE_ADDR")
form = cgi.FieldStorage()
querystring = form.getvalue("querystring")

if remote in webservers:
    accessName = webservers[remote]
    accessName = remote

print("Accessed via:", accessName, "\n<p>")

if querystring != None:
    url = 'http://db-01a:3306/cgi-bin/' + querystring
    url = 'http://db-01a:3306/cgi-bin/'
    querystring = ""

r = requests.get(url)

print('<form action="/cgi-bin/">')
print(' Name Filter (blank for all records):')
print(' <input type="text" name="querystring" value="'+querystring+'">')
print(' <input type="submit" value="Apply">')

print("\n<table border=1 bordercolor=black cellpadding=5 cellspacing=0>")


# deal with the data coming across the wire
a = r.text.split("|\n#")
for row in a:
    if len(row) != 1:
        splitrow = row.split("|")
        for item in splitrow:
            if item != None:

Change different lines in /etc/http/httpd.conf

  • Instead of line 176, go to 180 and add
LoadModule cgi_module /usr/lib/httpd/modules/
  • Instead of line 508, go to 521 and uncomment
Include conf/extra/httpd-ssl.conf

Create the web-01a VM

The web tier of this application is very simple and, other than starting with the update base template above, there are no additional changes to the process defined in the original article.


At this point, you should be able to use these three VMs just like the original versions, but with all of the updated PhotonOS 3.0 goodness.

Be sure to check out HOL Three-Tier Application, Part 5 – Use Cases for some ideas — just remember that the db-01a listens on 3306/tcp instead of 80/tcp now.