laravel-bridge

storage directory creation causes permission issues with bref/php-82-fpm-dev:2

Open aknosis opened this issue 2 years ago • 7 comments

When storage directories are created for the first time they get created as root:root (due to being executed by bref hooks).

The issue is that web requests cannot write to the storage directory because fpm runs under the nobody user and you end up with errors like below.

If I delete /tmp/storage after initial creation and fire a web request, it will happily create the storage directories as nobody:nobody.

Curious on thoughts of how to solve this.

```
Exception: Unable to create lockable file: /tmp/storage/framework/cache/ec/c4/ecc49f49f4da6b940dcde13f0571e79c299871e6. Please ensure you have permission to create files in this location. in file /var/task/vendor/laravel/framework/src/Illuminate/Filesystem/LockableFile.php on line 73

#0 /var/task/vendor/laravel/framework/src/Illuminate/Filesystem/LockableFile.php(43): Illuminate\Filesystem\LockableFile->createResource('/tmp/storage/fr...', 'c+')
#1 /var/task/vendor/laravel/framework/src/Illuminate/Cache/FileStore.php(108): Illuminate\Filesystem\LockableFile->__construct('/tmp/storage/fr...', 'c+')
#2 /var/task/vendor/laravel/framework/src/Illuminate/Cache/Repository.php(318): Illuminate\Cache\FileStore->add('a75f3f172bfb296...', 1683138765, 60)
#3 /var/task/vendor/laravel/framework/src/Illuminate/Cache/RateLimiter.php(118): Illuminate\Cache\Repository->add('a75f3f172bfb296...', 1683138765, 60)
#4 /var/task/vendor/laravel/framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php(149): Illuminate\Cache\RateLimiter->hit('a75f3f172bfb296...', 60)
...
```

aknosis, May 03 '23 18:05

Thank you for the detailed report and investigation!

Maybe a simple fix could be to chmod 777 the storage dir? Any downside?

mnapoli, May 03 '23 20:05

Is this only an issue on the dev images, or on all fpm images?

georgeboot, May 04 '23 15:05

Oh, good point!

mnapoli, May 05 '23 08:05

I tested in Lambda with php-82-fpm and it seems that everything is run under sbx_user1051. This means that the initial bref startup and the fpm user are both the same so this won't be an issue in Lambda.

Startup logs:

```
INIT_START Runtime Version: provided:al2.v17	Runtime Version ARN: arn:aws:lambda:us-east-1::runtime:f35635a04216ba4e6a0e74d3c2db080d443709a8f3f2e71fedf54a4f8756705d
Creating storage directories: /tmp/storage/bootstrap/cache, /tmp/storage/framework/cache, /tmp/storage/framework/views, /tmp/storage/psysh
NOTICE: [pool default] 'user' directive is ignored when FPM is not running as root
```

Output of ls -alR /tmp:

```
/tmp:
total 16
drwx------ 4 sbx_user1051 990 4096 May 8 17:04 .
drwxr-xr-x 1 root root 4096 Nov 3 2022 ..
drwxrwxr-x 2 sbx_user1051 990 4096 May 8 17:04 .bref
drwxr-xr-x 5 sbx_user1051 990 4096 May 8 17:04 storage

/tmp/.bref:
total 12
drwxrwxr-x 2 sbx_user1051 990 4096 May 8 17:04 .
drwx------ 4 sbx_user1051 990 4096 May 8 17:04 ..
-rw-r--r-- 1 sbx_user1051 990 2 May 8 17:04 php-fpm.pid
srw-rw---- 1 sbx_user1051 990 0 May 8 17:04 php-fpm.sock

/tmp/storage:
total 20
drwxr-xr-x 5 sbx_user1051 990 4096 May 8 17:04 .
drwx------ 4 sbx_user1051 990 4096 May 8 17:04 ..
drwxr-xr-x 3 sbx_user1051 990 4096 May 8 17:04 bootstrap
drwxr-xr-x 4 sbx_user1051 990 4096 May 8 17:04 framework
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 psysh

/tmp/storage/bootstrap:
total 12
drwxr-xr-x 3 sbx_user1051 990 4096 May 8 17:04 .
drwxr-xr-x 5 sbx_user1051 990 4096 May 8 17:04 ..
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 cache

/tmp/storage/bootstrap/cache:
total 8
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 .
drwxr-xr-x 3 sbx_user1051 990 4096 May 8 17:04 ..

/tmp/storage/framework:
total 16
drwxr-xr-x 4 sbx_user1051 990 4096 May 8 17:04 .
drwxr-xr-x 5 sbx_user1051 990 4096 May 8 17:04 ..
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 cache
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 views

/tmp/storage/framework/cache:
total 8
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 .
drwxr-xr-x 4 sbx_user1051 990 4096 May 8 17:04 ..

/tmp/storage/framework/views:
total 8
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 .
drwxr-xr-x 4 sbx_user1051 990 4096 May 8 17:04 ..

/tmp/storage/psysh:
total 8
drwxr-xr-x 2 sbx_user1051 990 4096 May 8 17:04 .
drwxr-xr-x 5 sbx_user1051 990 4096 May 8 17:04 ..
```

777 perms on storage will work, but I am curious why are we assigning the user to nobody?

aknosis, May 08 '23 17:05

> but I am curious why are we assigning the user to nobody?

IIRC this is because when running in Docker, things run as root and FPM doesn't like running as root.

mnapoli, May 09 '23 08:05

> Maybe a simple fix could be to chmod 777 the storage dir? Any downside?

I'm fine with this; I don't foresee any negative impact in the dev image or in Lambda.

aknosis, May 09 '23 16:05
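
The ownership mismatch reported in this issue, as an added example that is not code from the thread or from Bref: a POSIX shell check that lists the directories under a storage tree in which a given uid/gid cannot create files, run on a constructed copy of the layout before and after `chmod 777`. The function names, the scratch directory and the stand-in uid/gid are assumptions; it needs GNU `stat` and looks only at owner, group and mode bits.

```sh
#!/bin/sh
# Added example, not code from the thread or from Bref. Needs GNU stat (Linux).
# Access is judged from owner, group and mode bits only: no ACLs, no root
# override, no supplementary groups.

# can_create_in UID GID DIR: succeeds if UID/GID may create files in DIR,
# which takes both write and search (x) permission on the directory.
can_create_in() (
    uid=$1 gid=$2
    info=$(stat -c '%u %g %a' "$3") || exit 2
    set -- $info                       # $1=owner uid, $2=group gid, $3=octal mode
    if [ "$uid" -eq "$1" ]; then need=0300
    elif [ "$gid" -eq "$2" ]; then need=0030
    else need=0003
    fi
    [ $(( 0$3 & $need )) -eq $(( $need )) ]
)

# unwritable_dirs UID GID ROOT: print each directory under ROOT in which
# UID/GID could not create a file (paths containing newlines are not handled).
unwritable_dirs() {
    find "$3" -type d | while IFS= read -r d; do
        can_create_in "$1" "$2" "$d" || printf '%s\n' "$d"
    done
}

# demo: build the layout from the issue in a scratch directory with mode 755,
# as a hook running under a different user leaves it, then count the
# directories unusable by another uid/gid (standing in for FPM's "nobody")
# before and after the chmod 777 proposed in the thread.
demo() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/storage/bootstrap/cache" "$root/storage/framework/cache" \
             "$root/storage/framework/views" "$root/storage/psysh"
    chmod -R 755 "$root/storage"
    uid=$(( $(stat -c %u "$root/storage") + 1 ))   # constructed: not the owner
    gid=$(( $(stat -c %g "$root/storage") + 1 ))   # constructed: not the group
    before=$(( $(unwritable_dirs "$uid" "$gid" "$root/storage" | wc -l) ))
    chmod -R 777 "$root/storage"
    after=$(( $(unwritable_dirs "$uid" "$gid" "$root/storage" | wc -l) ))
    rm -rf "$root"
    echo "$before $after"
)

demo   # prints "7 0"
```

Inside the container, calling `unwritable_dirs` with the FPM worker's uid and gid and `/tmp/storage` as the root shows which directories the startup hook left unusable for web requests.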