When running a Docker container, what is the correct way allow Apache write access to a synced volume?
Important, I would like the folder synced so local changes are immediately reflected inside the container as is happening now with the current run command
When running the container with:
docker run -v /Local/folder/toSync:/var/www/html -p 8080:80 --sig-proxy=false the-image
The Docker Apache process does not have write access to the folder because the owner and group of that folder is set to 1000 staff Where I believe 1000 is replacing my local username (which is absent from the container). Apache is running as www-data and therefore cannot write to the file.
Attempting to set the local folder user/group to www-data results in chown: www-data: illegal user name
What is the correct way to set permissions and/or mount the volume to permit Apache write access?
You need to put the :z on the end of your volume.
-v /Local/folder/toSync:/var/www/html:z
Also, the syntax of your chown statement doesn't looks right. Changing the owner of the volume should work fine, and you will still need to do this.
FROM php:7.4-apache
WORKDIR /var/www/html
EXPOSE 80
WORKDIR /var/www
RUN chown -R www-data html
Related
I have been asked to look at a wordpress site that is on google cloud - the Wordpress admin works fine - the front end of the site doesn't show the css
I believe it to be a file permission issue
Replicating the site and placing it on a different server with correct wordpress file permissions it works fine.
However on google cloud I have issues with trying to change the file permissions.
I have ftp access using Filezilla but can't change file permissions that way and if I try to use the apache ssh console to change file permissions that wont apply either.
So looking at the owner of the folder var/www/html and the group it is showing as www-data not root - so first question is what should be the correct owner and group ?
To change folder & file permissions and ownership do the following.
SSH into the VM, google cloud provide a SSH browser based terminal.
SSH will open a linux terminal, if you are root user no need to type 'sudo' for the following commands.
Type 'sudo vim /etc/apache2/envvars'
read what the config file says, defaults are:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
Exit the config file back to the linux terminal command line.
Type the following commands to give Apache appropriate User and Group permissions in the public wordpress directory, change user and group name as appropriate
sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
You can now exit the SSH terminal. Note if you want to see the new permissions in FileZilla press F5 to refresh FileZilla.
I am trying to set up a local dev LEMP stack for a Slim-4 project using podman-compose. So far I have containers for PHP and Nginx. Nginx runs but gives a 500 error on trying to access the log directory - permission denied. This directory is outside of the public directory that is served by nginx.
I have selinux set to permissive to eliminate its issues.
I have used podman unshare to set ownership to the container's Nginx UID:GID.
I tried the setup with only a simple index file - the file is served with no issues. So, nginx/podman has access to the nginx configuration file on the host. The issue must be with write permissions.
Here is my docker-compose file:
version: '3.7'
# Services
services:
# Nginx Service
nginx:
image: nginx:1.17
ports:
- 8090:80
volumes:
- .:/var/www/php:z
- ./.docker/nginx/conf.d:/etc/nginx/conf.d:ro
depends_on:
- php
# PHP Service
php:
image: php:7.4-fpm
working_dir: /var/www/php
volumes:
- .:/var/www/php
What am I missing?
The issue was that I incorrectly assumed I needed to set permissions to allow Nginx to have access.
Instead I needed to grant the group www-data access permissions.
How I did it:
log into the running Nginx container podman exec -it [container ID] bash
find the www-data GID (Group ID) - from the container command line, cat /etc/passwd | grep www-data
note the GID (in the result you will see something like ...x:33:33... 33:33 is the user:group)
exit the container cli with exit
in your development/host cli, at the root of your project, run podman unshare chown -R 0:[the www-data GID you found above] . (don't miss the '.')
Explanation:
podman unshare puts you in a modified userspace that matches the container
chown changes ownership
-R means recursive
the number to the left of the ':' is the UID (User ID), the number to the right is the GID
the '.' is the current directory.
I hope this helps someone. I spent hours learning the above.
I'm distributing load between two web servers, which means all of the Apache settings and vhosts are pretty much identical, and I wanted to make sure they stay that way by using LSync (or if there's another solution that helps with the problem I'm having, let me know)
So obviously Apache runs as the apache user, and we cant enable root SSH logins, so I created an lsync user that can SSH between the two servers using RSA keys.
And now I'm running into some permissions errors, which is kinda what I expected to happen really. What I'm trying now is I added the lsync user to the apache group, and the apache user to the lsync group... and that seems to work ok, as long as the files are chowned 7 for both the user and the group...
I thought about setting a cron job to chown apache.apache every so often, and maybe even chmod +rwx for the group and user, but I'm sure that would cause some other issues.
I thought about having lsync run as the apache user, but it looks like the apache home directory needs to actually be owned by root.root.. so that would cause issues with the apache user trying to ssh in and read from the .ssh directory.
I couldn't find much about this when I looked on Google... Most people just used the root user for lsync, which is out of the question.
So if anyone has a fix, that would be great! thanks
P.S. I know that I can allow the lsync user to execute specific commands via sudo, if I properly configure the sudoers configuration... is there a way to have it sudo chown apache.apache /var/www && sudo chmod -R u+rwx /var/www or something?
rsync has an option for forcing the permissions of the files it creates on the destination: --chmod=<blah>. lsyncd does not have direct support for this, but can pass-through rsync flags.
Try adding this to your lsyncd configuration:
_extra = {"--chmod=Dug+rwx,Fug+rw"}
That should ensure that directories, D, have read/write/execute permissions for owner and group, and files, F, have read/write permissions for owner and group. Any other permissions should be set as they are on the source server.
If you need the files to be owned by the apache user then you could set up a chown cron job, as you suggest, but you might find that a constantly running script that reads the output from inotifywatch will be more responsive (and mostly idle).
You might consider having the apache user run an rsync daemon. It's little used since tunnelling rsync through ssh is more convenient and more secure, but it might help you side-step this problem.
You need to set up a configuration file, and then simply launch it with rsync --daemon using whatever init system your distro has.
You can then configure your lsynd with target = "rsync://server/path".
If the connection between the servers is local and the network is trusted then you're done, otherwise you should configure the rsync daemon to listen only on 127.0.0.1, and then use an ssh -L port mapping to route the traffic through an encrypted tunnel (the owner of the tunnel is not important).
Setup:
Websites are setup as users in /home/
Website users restricted to home directories as /home/websiteuser/ is
owned by root
Website users are part of the websites group
www-data is part of the websites group
Virtual host points to: /home/websiteuser/html/
/home/websiteuser/html/ is set to -R 755
Files inside /html/ are owned by websiteuser:websites
Website user is used to access website via sftp
Everything works great except apache requires us to recursively chmod 777 the /home/websiteuser/html/files/ directory or images won’t display and the CMS can’t write it’s mysql backups.
The website user owns the files so the sftp access works but do I have to make www-data own the files - or is there a way where sftp login works and apache can still have access as well?
We've seen many questions around this but don’t understand the answers sorry - any help would be much appreciated.
Cheers
We've solved this by making a "websites" group and adding the apache user (www-data) to this group like this (must be done as root - switch to root with $ su root or use sudo in front of the commands like this $ sudo useradd username:
Add a new group - this will be the name of the group used for all websites:
$ addgroup websites
List groups to check it was created
$ getent websites
Add the apache user to the websites-group so apache has access to run the websites
$ usermod -G websites www-data
Check www-data is part of the websites-group:
$ grep '^ websites' /etc/group
Add a new website user (this will be the user used to run the website)
$ useradd username
Give the user a password
$ passwd username
Follow the prompts to add a password
Add website user to websites group
$ usermod -G websites username
Create a new directory for the user to serve websites from:
$ mkdir /home/username
The owner of the website directory must be root or sftp will fail
Make root the owner and group of website user’s home directory:
$ chown root:websites /home/username
Give website user limited access to their home directory:
$ chmod 750 /home/username
Move into the website user’s directory:
$ cd /home/username
Make a web root directory (this is the opublic directory where the website's files will live):
$ mkdir html
Give website user owner:group on web root:
$ chown username:websites html
Change permissions on the html directory:
$ chmod 750 html
Copy all the website's files into the html directory
Recursively set ownership on all files within the web-root
$ chown -R username:ssb-websites html
Recursively set premissions on all files within the web-root (owner and group have read, write, execute permissions):
$ chmod -R 770 html
Recursively set permissions on all files within web-root:
$ chmod 644 $(find . ! -type d)
If having issues, make sure directory permissions are set like this (the top-level website directory /home/username/ must be owned by root or sFTP access won't work):
/home/username | drwxr-x--- | root:websites
/home/username/html | drwxr-x--- | username:websites
/home/username/html/directories/ | drwxrwx--- | username:websites
/home/username/html/files.html | -rw-r--r-- | username:websites
We're designers so this is the way we worked it out, if anyone can see improvements, feel free to edit!
I have installed apache webserver apache in linux ,I used following code to upload a file, but i get permission denied
scp -i adjmp.pem index.html ec2-user#ec2-50-17-88-33.compute-1.amazonaws.com:/var/www/html/hi
How can i upload a file to EC2 ?
You most likely need to change the filesystem permissions. This is usually done using the chmod command. You may also need to modify file ownership (using the chown command).
If you need help with the exact steps, you can provide the output of the following two commands and I will try to help:
sudo ls -al /var/www/html/hi
id