I'm trying to deploy a very simple Symfony application using nginx & php-fpm via Docker.
Two docker services :
1. web : running nginx
2. php : running php-fpm; containing application source.
I want to build images that can be deployed without any external dependency.
That's why I'm copying source code within the php container.
On development process; i'm overriding /var/www/html volume with local path.
# file: php-fpm/Dockerfile
FROM php:7.1-fpm-alpine
COPY ./vendor /var/www/html
COPY . /var/www/html
VOLUME /var/www/html
Now the docker-compose configuration file.
# file : docker-compose-prod.yml
version: '2'
services:
web:
image: "private/web"
ports:
- 80:80
volumes_from:
- php
php:
image: "private/php"
ports:
- 9000:9000
The problem is about permissions.
When accessing localhost, Symfony is botting up, but cache / logs / sessions folders are not writable.
nginx is using /var/www/html to serve static files.
php-fpm is using /var/www/html to execute php files.
I'm not sure about the problem.
But how can I be sure about the following:
/var/www/html have to be readable for nginx ?
/var/www/html have to be writable for php-fpm ?
Note: I'm building images from MacbookPro; cache / logs / sessions are 777.
docker-compose.yml supports a user directive under services. The docs only mention it in the run command, but it works the same.
I have a similar setup and this is how I do it:
# file : docker-compose-prod.yml
version: '2'
services:
web:
image: "private/web"
ports:
- 80:80
volumes_from:
- php
php:
image: "private/php"
ports:
- 9000:9000
user: "$UID"
I have to run export UID before running docker-compose and then that sets the default user to my current user. This allows logging / caching etc. to work as expected.
I am using this solution "Docker for Symfony" https://github.com/StaffNowa/docker-symfony
New features on
./d4d start
./d4s stop
./d4d help
I've found a solution;
But if someone can explain best practices, it will be appreciate !
Folders cache / logs / sessions from docker context where not empty (on host).
Now that folders have been flushed, Symfony creates them with good permissions.
I've found people using usermod to change UID, ie: 1000 for www-data / nginx ...
But it seems to be an ugly hack. What do you think about ?
Related
I ran docker php-fpm container with the following config
php-fpm:
tty: true
image: bitnami/php-fpm:latest
volumes:
- ./www:/www
php-fpm is running as daemon:daemon. How to properly change user/group for the container? For example, run it as www:www...
Build this into your Docker image. In your Dockerfile:
FROM bitnami/php-fpm:latest # (Debian-based)
# Create the non-root runtime user. It does not need a
# specific uid, shell, home directory, or other settings.
RUN adduser --system --no-create-home --group www
# Copy the files in as root, so they don't accidentally get
# overwritten at runtime
# (The base image sets WORKDIR /app)
COPY www ./
# Then set the runtime user
USER www
# The base image provides a useful CMD; leave it as is
(Some of the details around the base image's WORKDIR and CMD come from looking up the bitnami/php-fpm image on Docker Hub, and in turn following the link to the image's Dockerfile.)
Then your docker-compose.yml file just needs to specify the details to use this Dockerfile. You do not need volumes:; the code is already built into the image.
version: '3.8'
services:
php-fpm:
build: .
# ports: ['9000:9000']
# no volumes:
In practice it usually doesn't matter much what specific user ID a container process is running as, just so long as it isn't (or, depending on your needs, is) the special root user (with user ID 0). There shouldn't be a difference between the container process running as daemon vs. www. Conversely, looking at the bitnami/php-fpm Dockerfile, it isn't obvious to me that anything would cause the container to not run as root.
Instead of creating a Dockerfile, I have created a common.conf file:
user=www-data
group=www-data
listen.owner=www-data
listen.group=www-data
in docker-compose.yml:
php:
image: bitnami/php-fpm:8.0 # or any other
...
volumes:
# path to common.conf may differ if using a different image
- ./path-to/common.conf:/opt/bitnami/php/etc/common.conf:ro
To check the user, I have a index.php:
<?php
echo exec('whoami');
Looking at a common docker-compose setup for a Nginx / combo like:
version: '3'
services:
nginx-example:
image: nginx:1.13-alpine
ports:
- "80:80"
volumes:
- ./www:/www
- ./config/site.conf:/etc/nginx/conf.d/default.conf
php-example:
image: php-fpm
volumes:
- ./www:/www
You find many examples like that to make sure, that if you change something in your local www folder it will be immediately picked up by a running container.
But when I do not want that and copy some php files/content etc. into the container:
Is it enough to create a volume of the same name for both containers and copy my files into that folder e.g. in Dockerfile?
Or is it even possible to not have a volume but create a directory in the container and copy the files there... and in that case: do I have to do for both nginx and php-fpm with the same files?
Perhaps my misunderstanding is around how the php-fpm container works in that combination (of course fastcgi... in conf points to the php-example:9000 standard)
My ideal solution would be to copy once and making sure that file permissions are handled.
I are using Docker for our deployments and for local development. We are running the same Laravel application for many customers .env file. In order to get our local to work properly with multiple sites we needed to figure out a way for each site to have it's own environment file. We created a folder structure like the following.
docker/
- src/ <-- Laravel App Here
- local/
- env/
- site1.env
- site2.env
The directory we are using for our environment files is being used in our docker-compose.yml file currently as a volume.
- ./local/env/site1.env:/var/www/html/.env:delegated
This is copying the proper env file to our containers /var/www/html directory and this works great. However, where we are experiencing an issue is that when you do docker-compose up -d it is syncing the .env file back to our src/ directory since we have a mount for that as well.
- ./src:/var/www/html/:delegated
Where the issues start to arise is when you open the .env file that is synced back to src/, not only is the file an empty file but if you add anything to it and save it will sync back to the container killing the site because it no longer has all of the env entries.
I would like to figure out a way to ignore the .env file so that it does not sync back to the src/ directory. Laravel requires it to exist in the /var/www/html directory in the container and I understand why it is syncing back down to the src/ directory but I am unsure how to stop it or if it is even possible.
Am I doing this wrong? I thought I would give configs a shot but I found that I cannot use configs because we are not running in swarm mode.
An example docker-compose entry is below
site1:
build:
context: .
dockerfile: DevDockerfile
working_dir: /var/www/html
environment:
DB_HOST: mysql
DB_PORT: 3306
DB_DATABASE: dbname
DB_USERNAME: dbusername
DB_PASSWORD: password-here
volumes:
- ./src:/var/www/html/:delegated
- ./local/client/site1/:/var/opt/client/:delegated
- ./local/env/site1.env:/var/www/html/.env:delegated
networks:
- ournetwork
depends_on:
- mysql
- smtp
How do I deliver the code of a containerized PHP application, whose image is based on busybox and contains only the code, between separate NGINX and PHP-FPM containers? I use the 3rd version of docker compose.
The Dockerfile of the image containing the code would be:
FROM busybox
#the app's code
RUN mkdir /app
VOLUME /app
#copy the app's code from the context into the image
COPY code /app
The docker-compose.yml file would be:
version: "3"
services:
#the application's code
#the volume is currently mounted from the host machine, but the code will be copied over into the image statically for production
app:
image: app
volumes:
- ../../code/cms/storage:/storage
networks:
- backend
#webserver
web:
image: web
depends_on:
- app
- php
networks:
- frontend
- backend
ports:
- '8080:80'
- '8081:443'
#php
php:
image: php:7-fpm
depends_on:
- app
networks:
- backend
networks:
cms-frontend:
driver: "bridge"
cms-backend:
driver: "bridge"
The solutions I thought of, neither appropriate:
1) Use the volume from the app's container in the PHP and NGINX containers, but compose v3 doesn't allow it (the volumes_from directive). Can't use it.
2) Place the code in a named volume and connect it to the containers. Going this way I can't containerize the code. Can't use. (I'll also have to manually create this volume on every node in a swarm?)
3) Copy the code twice directly into images based on NGINX and PHP-FPM. Bad idea, I'll have to maintain them to be in concert.
Got stuck with this. Any other options? I might have misunderstood something, only beginning with Docker.
I too have been looking around to solve a similar issue and it seems Nginx + PHP-FPM is one of those exceptions when it is better to have both services running in one container for production. In development you can bind mount the project folder to both nginx and php containers. As per Bret Fisher's guide for good defaults for php: php-docker-good-defaults
So far, the Nginx + PHP-FPM combo is the only scenario that I recommend using multi-service containers for. It's a rather unique problem that doesn't always fit well in the model of "one container, one service". You could use two separate containers, one with nginx and one with php:fpm but I've tried that in production, and there are lots of downsides. A copy of the PHP code has to be in each container, they have to communicate over TCP which is much slower than Linux sockets used in a single container, and since you usually have a 1-to-1 relationship between them, the argument of individual service control is rather moot.
You can read more about setting up multiple service containers on the docker page here (it's also listed in the link above): Docker Running Multiple Services in a Container
The way I see it, you have two options:
(1) Using Docker-compose : (this is for very simplistic development env)
You will have to build two separate container from nginx and php-fpm images. And then simply serve app folder from php-fpm on a web folder on nginx.
# The Application
app:
build:
context: ./
dockerfile: app.dev.dockerfile
working_dir: /var/www
volumes:
- ./:/var/www
expose:
- 9000
# The Web Server
web:
build:
context: ./
dockerfile: web.dev.dockerfile
working_dir: /var/www
volumes_from:
- app
links:
- app:app
ports:
- 80:80
- 443:443
(2) Use a single Dockerfile to build everything in it.
Start with some flavor of linux or php image
install nginx
Build your custom image
And serve multi services docker container using supervisord
I have a small theoretical problem with combination of php-fpm, nginx and app code in Docker.
I'm trying to stick to the model when docker image does only one thing -> I have separate containers for php-fpm and nginx.
php:
image: php:5-fpm-alpine
expose:
- 9000:9000
volumes:
- ./:/var/www/app
nginx:
image: nginx:alpine
ports:
- 3000:80
links:
- php
volumes:
- ./nginx/app.conf:/etc/nginx/conf.d/app.conf
- ./:/var/www/app
NOTE: In app.conf is root /var/www/app;
Example schema from Symfony
This is great in development, but I don't know how to convert this to production ready state. Mount app directory in production is really bad practice (if I'm not wrong). In best case I copy app source code into container and use this prebuilded code (COPY . /var/www/app in Dockerfile), but in this case is impossible or I don't know how.
I need share app source code between two contatiner (nginx container and php-fpm container) because booth of that need it.
Of course I can make own nginx and php-fpm container and add COPY . /var/www/app into both of them, but I thing that is wrong way because I duplicate code and the whole build process (install dependencies, build source code, etc...) must be in both (nginx/php-fpm) containers.
I try to search but I don't find any idea how to solve this problem. A lot of articles show how to do this with docker-compose file and mount code with --volume but I didn't find any example how to use this on production (without volume).
Only one acceptable solutions for me (in this time) is make one container with nginx and php-fpm together but I'm not sure when is a good way (I try to find best practice).
Do you have any experiences with this or any idea how to solve it?
Thanks for any response!
I solve the problem by making a shared volume with the docker-compose file:
version: '3'
volumes:
share_place:
services:
php:
image: php:5-fpm-alpine
ports:
- 9000:9000
volumes:
- share_place:/var/www/app
nginx:
image: nginx:alpine
ports:
- 3000:80
volumes:
- share_place:/var/www/app
This will create a volume share_place that will share the data between the two container.
At this time I use smth like:
Dockerfile:
FROM php:fpm
COPY . /var/www/app/
WORKDIR /var/www/app/
RUN composer install
EXPOSE 9000
VOLUME /var/www/app/web
Dockerfile.nginx
FROM nginx
COPY default /etc/nginx/default
docker-compose.yml
app:
build:
context: .
web:
build:
context: .
dockerfile: Dockerfile.nginx
volumes_from: app
But in few days on 17.05 release we can do in one Dockerfile smth like:
FROM php:cli AS builder
COPY . /var/www/app/
WORKDIR /var/www/app/
RUN composer install && bin/console assets:dump
FROM php:fpm AS app
COPY --from=builder /var/www/app/src /var/www/app/vendor /var/www/app/
COPY --from=builder /var/www/app/web/app.php /var/www/app/vendo /var/www/app/web/
FROM nginx AS web
COPY default /etc/nginx/default
COPY --from=builder /var/www/app/web /var/www/app/web