Proc_open and Capifony issue - php

I'm trying to use Capifony with my web app in Symfony2.1 to accelerate the deployment process.
Here is my deploy.rb file :
default_run_options[:pty] = true
set :application, "mywebsite"
set :domain, "mywebsite.com"
set :deploy_to, "~/git/mywebsite.git"
set :app_path, "app"
set :repository, "git#github.com:myname/mywebsite.git"
set :scm, :git
# Or: `accurev`, `bzr`, `cvs`, `darcs`, `subversion`, `mercurial`, `perforce`, or `none`
set :user, "myserveruser" # The server's user for deploys
set :model_manager, "doctrine"
# Or: `propel`
role :web, domain # Your HTTP server, Apache/etc
role :app, domain # This may be the same as your `Web` server
role :db, domain, :primary => true # This is where Symfony2 migrations will run
set :use_composer, true
set :update_vendors, true
set :use_sudo, false
set :keep_releases, 3
set :shared_files, ["app/config/parameters.yml"]
set :shared_children, [app_path + "/logs", web_path + "/uploads"]
set :deploy_via, :rsync_with_remote_cache
set :ssh_options, { :forward_agent => true }
ssh_options[:keys] = %w(/.ssh/id_rsa)
ssh_options[:port] = xxxx
# Be more verbose by uncommenting the following line
logger.level = Logger::MAX_LEVEL
And here is my error :
The Process class relies on proc_open, which is not available on your PHP installation.
when the script runs php composer.phar update
more details here : http://pastebin.com/hNJaMvwf
But I'm in a shared hosting and my hoster told me that I can't have proc_open enabled, is there a way to get it working though ?
Thanks a lot for your help !

Composer needs to be able to run command-line processes (it does this using the symfony/process component). There is no way to have Composer run if your host does not support proc_open.
As an alternative deployment strategy, you could upload the vendor/ directory manually to the production machine (you can use the upload functionality in your Capistrano recipe). That said, virtual servers are affordable these days, and I would not recommend deploying Symfony2 applications to a shared hosting anyway. Maybe you should be looking for a different hosting solution?

I also encountered a similar (but different) problem with my web host when using Composer to install the Sematic extension for my Mediawiki installation. I was not using Cafinony but using using Putty and SSH to run Composer on a "remote' command line. Composer failed with the same error;
The Process class relies on proc_open, which is not available on your PHP installation.
However, I was able to fix it another way.
proc_open is a PHP function that is typically "disabled' by most web hosts. It is disabled by including the function in the list of disabled functions which are set with the PHP configuration setting, disable_functions. In other words, if it is included in the list it is disabled; if it is removed from the list it is enabled.
You can therefore effectively enable proc_open "on the fly" by using the php command line -d option to remove the disabled functions (which includes proc_open). In other words, by removing the list of disable_functions you effectively "enable all" functions, including proc _pen.
To use -d to enable proc_open, you must set the disable_functions setting to an empty string. This will remove all the list of disabled functions (including proc_open)
When installing at the command line using an SSH client such as Putty, use a command similar to this:
php -f composer.phar -d detect_unicode=Off -d disable_functions= require mediawiki/semantic-media-wiki "1.9.*,>=1.9.0.1"
So, if you can figure out a way to pass "-d settings" with your ruby file, you may be able to solve your problem.
I know this does not fully address your problem, but it may help others with overcoming annoying default php settings on shared servers, that get in the way of Composer!
I hope this helps someone.

Related

How does one enable the OCI8 PHP extension, using the Oracle Instant Client, in Ubuntu 18.04 LTS with PHP-FPM and NGINX?

I'm using the latest PHP packages available from https://launchpad.net/~ondrej/+archive/ubuntu/php .
When I build and install the OCI8 extension, everything appears to be in order, but despite enabling the extension in the PHP-FPM configuration, its presence is not reflected in the output from phpinfo().
The following Gist details the exact process that I'm using to configure, build, and install the OCI8 PHP extension:
https://gist.github.com/cbj4074/fa761f60b6f8db431539d76ebfba828e
The very same process and configuration work perfectly well on Ubuntu 16.04 LTS, so it seems that there is some fundamental difference on Ubuntu 18.04 LTS, whether with the operating system or the PHP packages in question.
As a bit of important (and I suspect relevant to this issue) background information, on Ubuntu 18.04 LTS, the extension fails to load in the CLI environment out-of-the-box, with the error:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20160303/oci8.so' - libmql1.so: cannot open shared object file: No such file or directory in Unknown on line 0
I resolved the issue like so:
# echo 'LD_LIBRARY_PATH="/opt/oracle/instantclient_12_2"' >> /etc/environment
I thought that perhaps adding the LD_LIBRARY_PATH to the PHP-FPM environment configuration might resolve the equivalent issue there:
# echo "env['LD_LIBRARY_PATH'] = /opt/oracle/instantclient_12_2" >> /etc/php/7.2/fpm/pool.d/www.conf
# systemctl restart php7.2-fpm
This does indeed cause the LD_LIBRARY_PATH value, as specified, to be reflected in both the Environment section of phpinfo() (when rendered via PHP-FPM + NGINX and requested from a browser) and the PHP Variables section, as $_SERVER['LD_LIBRARY_PATH'].
Oddly, even with PHP-FPM's logging set to debug, I don't see any trace of the libmql1.so error that I experience with the CLI. The OCI8 extension simply fails to load, silently. display_startup_errors = On in PHP-FPM's effective php.ini, too.
I elected to see if the OCI8 extension works in Apache, on the same server, and it does, provided I add export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2 to /etc/apache2/envvars; in its absense, Apache complains on startup:
PHP Warning: PHP Startup: Unable to load dynamic library 'oci8.so' (tried: /usr/lib/php/20170718/oci8.so (libmql1.so: cannot open shared object file: No such file or directory), /usr/lib/php/20170718/oci8.so.so (/usr/lib/php/20170718/oci8.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
None of this business with the LD_LIBRARY_PATH is necessary on Ubuntu 16.04 LTS, and based on my observations herein and the comments regarding https://stackoverflow.com/a/45242468/1772379 , that changed in Ubuntu 17.10 and Ubuntu 18.04 LTS.
Has anybody else tried this, on Ubuntu 18.04 LTS, specifically?
I've tried this on two different Vagrant VMs, laravel/homestead box 6.0.0, and ubuntu/bionic64 box v20180509.0.0, and the behavior is the same in both.
Any other ideas would be most appreciated!
EDIT 1:
I asked about this issue on the package maintainer's GitHub tracker and he suggested that the problem stems from failing to set an appropriate RPATH at compile time.
I explain in my reply that I am setting an appropriate value, but the issue remains closed.
I do notice an interesting detail, however, which is that the compiled extension on Ubuntu 18.04 uses RUNPATH (and not RPATH, which is used in Ubuntu 16.04). If PHP-FPM ignores RUNPATH, and looks only for RPATH, it would explain this behavior.
EDIT 2:
This still-open report looks like an excellent candidate for having introduced the observed behavior:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859732
(discovered through comments on use RPATH but not RUNPATH? )
EDIT 3:
On a commenter's advice, I reexamined updating the ld configuration before building the extension and that resolved the issue! I had tried this before, but must have overlooked something between build attempts:
# echo /opt/oracle/instantclient_12_2 > /etc/ld.so.conf.d/oracle-instantclient.conf
# ldconfig
I still don't know why LD_LIBRARY_PATH doesn't work as it should in this instance, but adding the Instant Client library path to the linker configuration seems a better approach besides.
EDIT 4:
I stated in my previous edit that modifying the ldconfig constitutes a better approach, but came to realize (on a commenter's good advice) that doing so can cause undesirable library conflicts, because the effects are system-wide.
In hindsight, it makes sense to minimize the "collateral damage" from runtime library linkage modifications by limiting them to the execution environment via the LD_LIBRARY_PATH. Accordingly, I am motivated to determine why this does not work on Ubuntu 18.04 LTS.
I feel that I have established definitively that the PHP-FPM daemon ignores LD_LIBRARY_PATH on Ubuntu (and has since at least Ubuntu 16.04 LTS; see Comments for explanation).
The ld.so(8) manpage states (in relation to the order in which runtime library paths are searched):
Using the environment variable LD_LIBRARY_PATH (unless the executable is being run in secure-execution mode; see below). [sic] in which case it is ignored.
As yet, I cannot think of any other reason for which the path would be ignored. Of secure-execution mode, the same document says:
Secure-execution mode
For security reasons, the effects of some environment variables are voided or modified if the dynamic linker determines that the binary
should be run in secure-execution mode. (For details, see the discussion of individual environment variables below.) A binary is exe‐
cuted in secure-execution mode if the AT_SECURE entry in the auxiliary vector (see getauxval(3)) has a nonzero value. This entry may
have a nonzero value for various reasons, including:
* The process's real and effective user IDs differ, or the real and effective group IDs differ. This typically occurs as a result of
executing a set-user-ID or set-group-ID program.
* A process with a non-root user ID executed a binary that conferred capabilities to the process.
* A nonzero value may have been set by a Linux Security Module.
Firstly, Secure-Execution Mode seems not to be in effect, as the PHP executables don't exhibit this flag (AT_SECURE is 0):
LD_SHOW_AUXV=1 /usr/sbin/php-fpm7.1 -daemonize --fpm-config /etc/php/7.1/fpm/php-fpm.conf
AT_SYSINFO_EHDR: 0x7ffc569e1000
AT_HWCAP: 178bfbff
AT_PAGESZ: 4096
AT_CLKTCK: 100
AT_PHDR: 0x55ceab0c4040
AT_PHENT: 56
AT_PHNUM: 9
AT_BASE: 0x7f823c77f000
AT_FLAGS: 0x0
AT_ENTRY: 0x55ceab19e360
AT_UID: 0
AT_EUID: 0
AT_GID: 0
AT_EGID: 0
AT_SECURE: 0
AT_RANDOM: 0x7ffc56962349
AT_HWCAP2: 0x0
AT_EXECFN: /usr/sbin/php-fpm7.1
AT_PLATFORM: x86_64
It occurred to me that the child FPM pool processes might exhibit different AT_SECURE values, but the output is identical for the PHP-FPM daemon itself, as well as any child processes. The parent and the children all have the following values:
# od -t d8 /proc/851/auxv
0000000 33 140722944548864
0000020 16 395049983
0000040 6 4096
0000060 17 100
0000100 3 93903778242624
0000120 4 56
0000140 5 9
0000160 7 140365152313344
0000200 8 0
0000220 9 93903779136352
0000240 11 0
0000260 12 0
0000300 13 0
0000320 14 0
0000340 23 0
0000360 25 140722944193929
0000400 26 0
0000420 31 140722944196579
0000440 15 140722944193945
0000460 0 0
Secondly, none of these reasons seem to apply, given the following:
1) There is no indication that PHP-FPM or its child processes have real and effective user or group IDs that differ (thanks to https://unix.stackexchange.com/a/202359 for this command):
# ps -e -o user= -o ruser= | awk '$1 != $2'
systemd+ systemd-timesync
systemd+ systemd-resolve
beansta+ beanstalkd
message+ messagebus
daemon root
systemd+ systemd-network
# ps -e -o group= -o rgroup= | awk '$1 != $2'
systemd+ systemd-timesync
systemd+ systemd-resolve
beansta+ beanstalkd
message+ messagebus
daemon root
systemd+ systemd-network
2) The binaries in question do not have any capabilities (the following commands produce no output):
# getcap /usr/lib/php/20170718/oci8.so
# getcap -r /opt/oracle/instantclient_12_2/
3) I have ensured that AppArmor is disabled (it doesn't have a policy that should affect PHP-FPM, anyway):
# systemctl disable apparmor
Synchronizing state of apparmor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable apparmor
# reboot
# aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
So, why does PHP-FPM ignore LD_LIBRARY_PATH, if not for any of the aforementioned reasons?
EDIT 5 (Solution):
An astute commenter, #vinc17 , points-out that on systems running systemd, environment variables, such as LD_LIBRARY_PATH, are not necessarily propagated to processes that are started via a systemd Unit.
In other words, PHP-FPM isn't "ignoring" LD_LIBRARY_PATH, but rather, it is not being conveyed to the process. And attempts to set LD_LIBRARY_PATH within the PHP-FPM configuration are futile, because it's too late to do anything useful with the value.
On this advice, it occurred to me to set LD_LIBRARY_PATH in the systemd context, namely, in the Unit file(s) that start the PHP-FPM daemon(s), in which case PHP-FPM loads the OCI8 extension successfully.
Needless to say, we want to avoid editing the package maintainer's file (to avoid conflicts during future upgrades), so we extend it instead:
# mkdir /etc/systemd/system/php7.1-fpm.service.d
# touch /etc/systemd/system/php7.1-fpm.service.d/environment.conf
To this file we add the following:
[Service]
Environment=LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2
And to make the change effective:
# systemctl daemon-reload
# systemctl restart php7.1-fpm
For a more complete example, which addresses multiple co-installed PHP versions, please see my post at https://github.com/oerdnj/deb.sury.org/issues/865#issuecomment-395441936 .
First, Debian bug 859732 is a completely different issue (I would even say an opposite issue): for this bug, several versions of the library are present in the search path (one in some directory specified by LD_LIBRARY_PATH and a different one in some directory specified by the run path), but the wrong one is chosen by the dynamic linker.
In your case, the problem is that the requested library is not found anywhere in the search path. Note also that in your case, it is PHP that seems to try to open the library (via dlopen?), since the message starts with "PHP Warning:". However, it seems that the mechanisms are the same as with usual dynamic linking.
After installing the library, what you need is at least one of:
Nothing special if the library has been installed in a directory that is searched by default. Since you get an error, this is not your case.
Providing the directory in a run path, which must be specified at compile time of the software that will need the library. The problem is that under Linux, this is not done in standard by the build tools, and it may be complex to do it right without breaking other things. However, in the context of dlopen, the software (here, PHP) may have set up what one can call a "plugin search path", where you can put your libraries.
Providing the directory in LD_LIBRARY_PATH. This is what you tried, but your LD_LIBRARY_PATH seems incorrect. Libraries are usually installed in subdirectories named lib (or lib32 or lib64 in specific cases). So, export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2 seems wrong. Search for the full pathname of the library oci8.so, and just take the directory part of this pathname for LD_LIBRARY_PATH.
Note: strace may be useful to see what directories are considered to search for the libraries. EDIT: ldd and objdump -p are other useful tools to find what's going on with the search paths.
EDIT 2: Another point to note when choosing to use a run path is that indirect library dependencies are found when RPATH is used, but not when RUNPATH is used (so, in this latter case, all dependencies also need to have a run path if they depend on other libraries so that all libraries can be found without resorting to LD_LIBRARY_PATH). This is documented in recent versions of the ld.so(8) man page:
Using the directories specified in the DT_RUNPATH dynamic section attribute of the binary if present. Such directories are searched only to find those objects required by DT_NEEDED (direct dependencies) entries and do not apply to those objects' children, which must themselves have their own DT_RUNPATH entries. This is unlike DT_RPATH, which is applied to searches for all children in the dependency tree.
This is probably why, without using LD_LIBRARY_PATH, this was working with 16.04 (where RPATH is used) but not with 18.04 (where RUNPATH is used).

Running Rscript from within PHP: cannot load shared libraries

I am trying to run R code from within PHP. I am using RHEL 7.4.
However, because Apache runs as a different user than installed the R packages, it cannot load packages:
My PHP code has this line:
echo shell_exec("(Rscript -e 'library(lme4, lib.loc = \"/var/www/R/lib\")')2>&1");
which produces this error in the browser:
Error: package or namespace load failed for 'lme4' in dyn.load(file, DLLpath = DLLpath, ...):
unable to load shared object '/var/www/R/lib/Rcpp/libs/Rcpp.so':
/var/www/R/lib/Rcpp/libs/Rcpp.so: failed to map segment from shared object: Permission denied
Execution halted
The file /var/www/R/lib/Rcpp/libs/Rcpp.so has permissions 775, so I don't think the permissions are actually the problem.
How can I tell Apache / PHP where to look for the shared libraries?
The server is not public-facing, so I would take any solution from properly accessing the shared library, to giving user apache sudo access with NOPASSWD to run as my user (or something similarly reckless, since that didn't actually work...).
Thank you!
This appears due in part to an SELinux setting in Red Hat. I'm not entirely sure whether this is Red Hat-centric, or specific to the configuration at my university (who installed Red Hat in the first place).
Originally:
$ getenforce
Enforcing
Fix:
$ sudo setenforce 0
$ getenforce
Permissive
Persistent fix: modify /etc/selinux/config to have the line
SELINUX=Permissive
Credit to this StackOverflow thread.

Drush command(s) run on Drupal 6 sites, but not Drupal 7?

I am running into an issue with a customer's Drupal sites. He has a number of D6 installs, and a new D7 that he's just starting on. All of these sites are on the same shared hosting package.
The problem is when running certain drush commands only on the D7 site. There are no issues on the D6 sites. The specific error for drush up on the D7 site follows:
foo#bar [~/www/foo]# drush up
Command pm-update needs a higher bootstrap level to run - you will need to invoke drush [error]
from a more functional Drupal environment to run this command.
Command pm-update needs the following modules installed/enabled to run: update. [error]
The drush command 'up' could not be executed. [error]
Drush was not able to start (bootstrap) the Drupal database. [error]
Hint: This may occur when Drush is trying to:
* bootstrap a site that has not been installed or does not have a configured database. In
this case you can select another site with a working database setup by specifying the URI
to use with the --uri parameter on the command line. See `drush topic docs-aliases` for
details.
* connect the database through a socket. The socket file may be wrong or the php-cli may
have no access to it in a jailed shell. See http://drupal.org/node/1428638 for details.
Drush was attempting to connect to:
Drupal version : 7.28
Site URI : http://default
Database driver : mysql
Database username : username_foo
Database name : database_foo
PHP configuration :
PHP OS : Linux
Drush version : 7.0-dev
Drush temp directory : /tmp
Drush configuration :
Drush alias files :
Drupal root : /home/foo/www/foo
Site path : sites/default
Everything I can find (and indeed the link in the error message) say the solution is to change the host value in the settings.php file from localhost to 127.0.0.1. However, this has not been the solution for us.
The frontend site has no problems connecting to the database, and drush itself seemingly does in many cases too.
drush sql-connect will generate a string that you can use to connect to MySQL.
drush sql-cli will successfully connect to MySQL
The settings.php file is definitely in a folder called default (path: www/foo/sites/default) and I get the exact same error when specifying --root and --uri options.
Drush was originally a ~5.x release, and it had the same issues. We updated to the ~7.x to try to eliminate the error. The host value in settings.php has been localhost as well as 127.0.0.1 with equally poor results.
We've verified that MySQL is available via socket from the PHP CLI. Drush is up to date and a fresh install. The Drupal 7 site is a brand new fresh install.
I'm at a loss. Why would this work with the D6 sites, but not the D7? Any suggestions?
Is your settings.php file in a folder called 'default'? If not, you might need to tell Drush where to find it by using --uri=mysite.com or -l mysite.com.
There are several ways to specify which Drupal site Drush will target. The most basic option is fairly verbose; run:
$ drush --root=/path/to/drupal --uri=http://example.com status
You can do the same thing with a slightly different syntax:
$ drush /path/to/drupal#example.com status
You can also specify the Drupal site implicitly, by setting the cwd to the folder that contains the settings.php file for your site:
cd /path/to/drupal/sites/default # or /path/to/drupal/sites/mysite.com, as appropriate
$ drush status
In all of the cases above, if settings.php is in a folder called "default", then you do not need to specify the --uri component; you may, for example, cd /path/to/drupal followed by drush status, and the correct Drupal site will be found. If settings.php is not in a folder named 'default', then you will need to either specify --uri, or cd to the folder that contains the settings.php file.
Source
According to this message:
pm-update needs the following modules installed/enabled to run: update
Drush requires Update module to be enabled, so the following command should fix the problem:
drush -y en update

phabricator on redhat's openshift

I installed phabricator on openshift using a quickstart from github
https://github.com/CodeBlock/phabricator-openshift-quickstart
I got it running up fine, but I now have two issues:
1.) A setup issue that says apc.stat is enabled and that must be disabled in
/var/lib/openshift/my-user-hash/php/configuration/etc/php.ini
however I cannot access that with sudo command(sudo permission denied), even if I open it normally, I didn't find any apc.stat settings in the php.ini
2.) I can't figure out how set the local path for tracking repositories for diffusion. It says
I must give a path which should be read-writable by phabricator, I tried to give the persistent storage location ..data/ , but it gives me an exception as follows :
Unhandled Exception ("CommandException")
Command failed with error #1!
COMMAND
(cd '../data/' && HOME='/var/lib/openshift/my-user-hash/app-root/runtime/repo/phabricator/support/empty/' git cat-file --batch)
STDOUT
(empty)
STDERR
sh: line 0: cd: ../data/: No such file or directory
how do I fix this?
1) According to Num Duong answer, it seems like u currently could not resolve this issue, probably u should wait for openshift php.ini permissions policy changes.
Anyway this is minor non blocking issue.
2) Modify config file and re-deploy to openshift.
Look for available phabricator options here
U need smth like this: 'repository.default-local-path' => getenv('OPENSHIFT_DATA_DIR'),
P.S. Anyway there is one particular issue with phabricator on openshift that possibly never got resolved: cloning git repositories from OpenShift instances into Phabricator do not
work by SSH, due to permissions regarding the ssh configuration.

Deploying my Symfony2 app with Capifony has started breaking the live release's cache

This could be a bit of a niche issue but I'm hoping somebody can help. This was always working fine until yesterday when I was attempting to push some changes to production, but since then the last 3 deployments have all temporarily broken the live site. Here's one of the exceptions from the logs:
[2012-12-18 12:12:16] request.CRITICAL: Exception thrown when handling an exception (InvalidArgumentException: The directory "/path/to/app/releases/20121217134758/app/cache/prod/jms_diextra/metadata" is not writable.) [] []
[2012-12-18 12:12:18] request.CRITICAL: InvalidArgumentException: The directory "/path/to/app/releases/20121217134758/app/cache/prod/jms_diextra/metadata" is not writable. (uncaught exception) at /path/to/app/releases/20121217134758/vendor/jms/metadata/src/Metadata/Cache/FileCache.php line 17 [] []
I don't understand why the cache directory of the previous release (current before deploying) should be affected though! Here is where it happens in my deployment:
--> Updating code base with remote_cache strategy
--> Creating cache directory...........................✔
--> Creating symlinks for shared directories...........✔
--> Creating symlinks for shared files.................✔
--> Normalizing asset timestamps.......................✔
Do you want to copy last release vendor dir then do composer install ?: (y/N)
y
--> Copying vendors from previous release..............✔
--> Downloading Composer...............................✔
--> Updating Composer dependencies..................... BREAK HAPPENS HERE OR SOON BEFORE
As you can see, my cache directory isn't even shared between deployments:
# in deploy.rb
set :shared_files, ["app/config/parameters.yml"]
set :shared_children, [app_path + "/logs", web_path + "/uploads", web_path + "/videos", app_path + "/spool"]
Thankfully I was ready for it after the first time and had an ssh console sat there with a sudo chmod -R 0777 app/cache/ app/logs/ ready to be fired, but this isn't exactly a permanent solution.
NOTE: I'm currently handling permissions of cache/log directories as a custom post-deploy hook:
# in deploy.rb
after "deploy:finalize_update" do
# Ensure htaccess points to app.php and not app_dev.php
run "sed -i 's/app_dev/app/' #{latest_release}/#{web_path}/.htaccess"
# Use a unique APC prefix to guarantee there are no clashes
run "sed -i 's/_VERSION/_#{release_name}/' #{latest_release}/#{web_path}/app.php"
# Set permissions of all 'writable_dirs' using sudo
pretty_print "--> Setting permissions"
dirs = []
writable_dirs.each do |link|
if shared_children && shared_children.include?(link)
absolute_link = shared_path + "/" + link
else
absolute_link = latest_release + "/" + link
end
dirs << absolute_link
end
sudo sprintf("chmod -R 0777 %s", dirs.join(' '))
end
Update
During my latest deployment, I noticed the exceptions started occurring at a later point, so it isn't anything to do with the dependencies. I suspect the cause of this could be when a cron is executed that calls the current version's console and then obviously affects the cache. This would make sense as I only set the cron live recently.
But I'm not sure how to resolve this. Looking at the Setting up permissions section in the docs, it appears that there could be a couple of options. I don't know anything about setfacl so I'd be worried about breaking something. Would using the umask option be a good idea?
I ended up going for the umask option as I mentioned in the update. Although, as I figured it was a problem caused by the console, I only uncommented the umask(1000); line in app/console - not web/app.php or web/app_dev.php. The problem hasn't occurred for the few deployments I've made since making this change so I guess it's done the trick.

Categories