I have a docker (php:7-fpm-alpine) container with supervisor installed. It is added to a default installation by:
RUN apk add nginx composer php7-fpm php7-session supervisor && \
... ... ...
cp supervisord.conf /etc/supervisor.d/conf.ini
Supervisor has its default config (didn't change it after installation), I have added my own config to append to it (supervisord.conf):
[program:php-fpm7]
command = /usr/sbin/php-fpm7 --nodaemonize --fpm-config /etc/php7/php-fpm.d/www.conf
autostart=true
autorestart=true
priority=5
stdout_logfile=/var/log/supervisor/php-fpm.log
stderr_logfile=/var/log/supervisor/php-fpm.error.log
[program:nginx]
command=/usr/sbin/nginx -g "daemon off;"
autostart=true
autorestart=true
priority=10
stdout_logfile=/var/log/supervisor/nginx.log
stderr_logfile=/var/log/supervisor/nginx.error.log
Now the original issue I have is that my Laravel app can't write to the storage folder. I could chmod 777 the folder recursively, and it works, but that is not what I want.
So the first step I took was to chown -R nginx:nginx /var/www/*, leaving permissions as is. This resolved nothing; it still can't write.
Doing a ps aux revealed this:
PID USER TIME COMMAND
1 root 0:00 {supervisord} /usr/bin/python2 /usr/bin/supervisord --nodaemon --configuration /etc/supervisord.conf
8 root 0:00 {php-fpm7} php-fpm: master process (/etc/php7/php-fpm.d/www.conf)
9 root 0:00 nginx: master process /usr/sbin/nginx -g daemon off;
10 nginx 0:00 nginx: worker process
11 nginx 0:00 nginx: worker process
12 nginx 0:00 nginx: worker process
13 nginx 0:00 nginx: worker process
14 nginx 0:00 {php-fpm7} php-fpm: pool www
15 nginx 0:00 {php-fpm7} php-fpm: pool www
So php-fpm is running as the nginx user (I've changed its original config to replace user nobody with nginx). This did nothing good, as with these settings instead of the nobody user, the request returns a 502 error.
Nginx master process is running as root, and worker processes as nginx.
This is a tad confusing, as I am not sure which user my web server is using here. Root or nginx? Does it take the user from supervisor, nginx master or nginx worker?
I've tried changing supervisor to start as nginx user, but that fails as supervisor needs root access to create pid.
Reverting supervisor to root and adding user=nginx to [program:nginx] section made supervisor not start nginx at all.
How can I do the permissions here the right way?
I think the best you can do is to run both nginx and php-fpm as www-data:www-data
step one
add/edit this to your nginx.conf:
user www-data www-data;
step two
add/edit php-fpm.conf and set user and group to www-data more info here
I hope that will help you
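On the question of which account matters for the write failure, this added example (not part of the original post or answer) reads the pool workers' user from the `ps` rows shown in the question and compares a directory's owner and mode bits against it. The function names are hypothetical, the sample rows are copied from the question, and `stat -c` assumes BusyBox or GNU stat.

```shell
#!/bin/sh
# Constructed sample: BusyBox `ps aux` rows taken from the question above.
sample_ps() {
cat <<'EOF'
PID USER TIME COMMAND
8 root 0:00 {php-fpm7} php-fpm: master process (/etc/php7/php-fpm.d/www.conf)
9 root 0:00 nginx: master process /usr/sbin/nginx -g daemon off;
10 nginx 0:00 nginx: worker process
14 nginx 0:00 {php-fpm7} php-fpm: pool www
15 nginx 0:00 {php-fpm7} php-fpm: pool www
EOF
}

# Users the php-fpm pool workers run as (column 2 of BusyBox ps output).
# PHP code, and so the application's writes, execute in these workers.
fpm_worker_users() {
  awk 'NR > 1 && /php-fpm: pool / { print $2 }' | sort -u
}

# True when the mode bits of directory $1 grant write+search to user $2
# through the owner, group or other class. Root bypasses these bits.
dir_writable_by() {
  dir=$1 user=$2
  info=$(stat -c '%U %G %a' "$dir") || return 2
  set -- $info
  owner=$1 group=$2 mode=$(printf '%04d' "$3")
  rest=${mode#?}; u=${rest%??}; o=${rest#??}; g=${rest#?}; g=${g%?}
  if [ "$owner" = "$user" ]; then
    [ $((u & 3)) -eq 3 ]; return                    # owner class decides
  fi
  case " $(id -Gn "$user" 2>/dev/null) " in
    *" $group "*) [ $((g & 3)) -eq 3 ]; return ;;   # group class decides
  esac
  [ $((o & 3)) -eq 3 ]                              # everyone else
}

# Check the directory given as the first argument (default: current one).
for u in $(sample_ps | fpm_worker_users); do
  if dir_writable_by "${1:-.}" "$u"; then
    echo "$u can write to ${1:-.}"
  else
    echo "$u cannot write to ${1:-.}"
  fi
done
```

In a live container, pipe the real `ps aux` output into `fpm_worker_users` instead of `sample_ps`, and pass the application's storage directory as the argument.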
Related
For local development I try to build a docker image on top of jelastic/nginxphp as suggested in https://docs.jelastic.com/building-custom-container/ . Unfortunately I can not see any server (php-fpm or nginx) once I start the image.
docker run -p 8080:80 jelastic/nginxphp:1.14.2-php-7.2.9
➜ ~ curl 127.0.0.1:8080
curl: (52) Empty reply from server
I can see that systemd gets started, but I do not see php-fpm or nginx.
➜ ~ docker exec 55a454cf01ad ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 191276 10172 ? Ssl 07:58 0:00 /usr/bin/qemu-x86_64 /usr/lib/systemd/systemd
root 9 0.0 0.0 200788 10408 ? Rl+ Nov25 0:00 /usr/bin/ps aux
I wonder how to build my app on top of this image. Is there any documentation or is there an example for jelastic/nginxphp?
Generally, the jelastic/nginxphp docker image is built in a quite different way from, for example, the Nginx repo from the Docker library - that's because it was designed to be launched on Virtuozzo DevOps platform and have the support of all the functionality and automatizations provided there.
If you run
'docker inspect jelastic/nginxphp:1.14.2-php-7.2.9', you can see
"Cmd": [
"/usr/lib/systemd/systemd"
],
To run the image locally, you need to override the CMD during launch
docker run -p 8080:80 jelastic/nginxphp:1.14.2-php-7.2.9 /usr/sbin/nginx '-g daemon off;'
I have a shared volume mount between the nginx container and the php-fpm container. By following this article https://www.digitalocean.com/community/tutorials/how-to-setup-fastcgi-caching-with-nginx-on-your-vps, Nginx does create cache files. However, I cannot delete them due to a permission issue.
If I want to delete them from my php-fpm container, I have to go into the container and chown -R www-data:www-data the folder. Then Nginx creates a new one and I have to do it again.
drwx------ 3 root root 4096 Jan 31 10:58 b
Is there a way to solve this?
For starters, this is the list of processes inside my Docker container:
/var/www/html # ps aux
PID USER TIME COMMAND
1 root 0:00 {php-fpm.sh} /bin/sh /php-fpm.sh
6 root 0:02 /usr/sbin/crond
8 root 0:00 /sbin/syslogd -D -s 500
10 root 1:31 php /var/www/html/artisan queue:work --queue=mailer --sleep=3 --tries=3
11 root 0:00 /usr/bin/logger -t mailer
12 root 0:24 php-fpm: master process (/usr/local/etc/php-fpm.conf)
25 root 0:02 /usr/sbin/crond
30 root 0:01 /sbin/syslogd -D -s 500
13505 www-data 6:20 php-fpm: pool www
21682 www-data 0:17 php-fpm: pool www
21837 root 0:00 /bin/sh
22078 www-data 0:00 php-fpm: pool www
22123 root 0:00 ps aux
31186 root 0:00 /bin/sh
31301 root 0:00 /bin/sh
This is the entry point of my container:
#! /bin/sh
# Start cron daemon
/usr/sbin/crond
# Logger, max log file size 500Kb
/sbin/syslogd -D -s 500
( php /var/www/html/artisan queue:work \
--queue=mailer \
--sleep=3 --tries=3 2>&1 | /usr/bin/logger -t mailer & )
# Run PHP-FPM
php-fpm -F
The problem is php /var/www/html/artisan queue:work does not process jobs in the queue.
For that to happen I have to log in to the container by running docker exec -it /bin/sh and then run php /var/www/html/artisan queue:work --queue=mailer --sleep=3 --tries=3 and it works just fine.
So the question is what's wrong.
I'm using docker and my container is built on the php:5.6-fpm image from the official php repo.
Is it somehow possible to restart/reload php-fpm from inside a container?
php-fpm is a process manager which supports the USR2 signal, which is used to reload the config file.
From inside the container:
kill -USR2 1
Outside:
docker exec -it <mycontainer> kill -USR2 1
Complete example:
docker run -d --name test123 php:7.1-fpm-alpine
docker exec -it test123 ps aux
docker exec -it test123 kill -USR2 1
docker exec -it test123 ps aux
You don't have to go inside the container
on your host
ps -ef|grep fpm // find master pid
kill -USR2 <master_pid>
This works for me:
If the command fpm restart fails run this inside the Docker container -> www#:
root#...:/var/www# ps -ef|grep fpm
www-data 160 1 0 10:02 ? 00:00:00 php-fpm: pool www
www-data 161 1 0 10:02 ? 00:00:00 php-fpm: pool www
root 1111 170 0 10:04 pts/0 00:00:00 grep --color=auto fpm
root#...:/var/www# kill -USR2 170
root#...:/home/user/Docker# docker-compose stop
Stopping docker_nginx_1 ... done
Stopping docker_oracle_1 ... done
root#...:/home/user/Docker# docker-compose up -d
Starting docker_oracle_1 ... done
Starting docker_nginx_1 ... done
root#...:/home/user/Docker# docker-compose exec oracle bash
root#...:/var/www# /etc/init.d/php7.2-fpm restart
* Restarting PHP 7.2 FastCGI Process Manager php-fpm7.2 [ OK ]
docker container kill --signal USR2 php_container_name
Details: https://docs.docker.com/engine/reference/commandline/container_kill/
You can also just restart the container.
sudo docker restart <container>
Perhaps I'm missing something extremely basic, but how is it that my web server is able to execute and serve content from php files that have permission 000?
Here's the file in question: http://178.62.125.162/test.php
Location is:
/usr/share/nginx/html/wordpress/test.php
Here's the ls:
---------- 1 deploy deploy 21 May 22 09:40 test.php
nginx.conf has line:
user www-data;
So it's not running as root or anything.
ps aux | grep [n]ginx
root 30223 0.0 0.1 85876 1364 ? Ss May21 0:00 nginx: master process /usr/sbin/nginx
www-data 30224 0.0 0.1 86172 1796 ? S May21 0:03 nginx: worker process
www-data 30225 0.0 0.1 86172 1796 ? S May21 0:03 nginx: worker process
www-data 30226 0.0 0.2 86516 2732 ? S May21 0:00 nginx: worker process
www-data 30227 0.0 0.1 86172 1796 ? S May21 0:03 nginx: worker process
Looks normal to me, AFAIK the master process running as root is expected.
And php-fpm:
ps aux | grep php
root 30311 0.0 1.8 309068 18580 ? Ss May21 0:02 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 30314 0.0 3.5 393324 36176 ? S May21 0:01 php-fpm: pool www
www-data 30315 0.0 3.1 388956 32112 ? S May21 0:01 php-fpm: pool www
www-data 30391 0.0 2.9 389828 29528 ? S May21 0:00 php-fpm: pool www
I can't even open the file myself, logged in as deploy:
cat test.php
cat: test.php: Permission denied
php test.php
Could not open input file: test.php
Googled everywhere, but most things I find are related to the opposite: people getting Forbidden errors.
Perhaps it's because it's in /usr/share? Thanks!
Extra info:
Ubuntu x64 LTS
PHP-FPM
Update:
Restarting the php-fpm service after changing the permission fixes it. But this makes no sense to me:
chmod 000 test.php - web echos "test"
service php5-fpm restart - Access Denied
chmod 644 test.php - web echos "test". No need for a restart this time?
chmod 000 test.php - web echos "test".
Thanks to Alexander Ushakov for providing the answers.
The file with the readable permission had been cached by php-fpm. Restarting php-fpm meant that the cache was cleared and the web server then served the new file with the restricted access.
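The sequence from the question's update, replayed against a toy cache, as an added example that is not from the original thread. It assumes a cache that revalidates on modification time, which `chmod` does not change; `CACHE_DIR`, `serve`, `clear_cache` and `replay` are hypothetical names, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Toy model (not php-fpm code): a cache keyed on file modification time.
CACHE_DIR=$(mktemp -d)

# Stand-in for "restart php-fpm": drop every cached entry.
clear_cache() { rm -f "${CACHE_DIR:?}"/*; }

# Serve file $1. A cache hit returns the stored copy without looking at the
# file's permissions; only a miss re-reads the file and needs read access.
serve() {
  src=$1
  key=$CACHE_DIR/$(basename "$src")
  mtime=$(stat -c %Y "$src") || return 1
  if [ -f "$key.body" ] && [ "$(cat "$key.mtime")" = "$mtime" ]; then
    cat "$key.body"
    return 0
  fi
  # Read access is modelled from the mode bits so the demo behaves the
  # same when run as root, which ignores them.
  if [ "$(stat -c %a "$src")" = 0 ]; then
    echo "Access denied"
    return 1
  fi
  cat "$src" > "$key.body" && echo "$mtime" > "$key.mtime"
  cat "$key.body"
}

# Replay the steps from the question's update on a constructed file.
replay() {
  f=$(mktemp) && echo test > "$f"
  clear_cache
  chmod 644 "$f"; r1=$(serve "$f")        # first request caches the file
  chmod 000 "$f"; r2=$(serve "$f")        # mtime unchanged: cache hit
  clear_cache;    r3=$(serve "$f") || :   # "restart": miss, unreadable
  chmod 644 "$f"; r4=$(serve "$f")        # readable again, cached at once
  chmod 000 "$f"; r5=$(serve "$f")        # served from cache once more
  rm -f "$f"
  printf '%s|%s|%s|%s|%s\n' "$r1" "$r2" "$r3" "$r4" "$r5"
}
replay
```

With OPcache, setting `opcache.validate_permission=1` (available as of PHP 7.0.14) makes the cache validate a cached file's permissions against the current user.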