So when building the image myself I could specify that the default user fpm runs as is dlaravel, through the PHP configure options:
--with-fpm-user=USER Set the user for php-fpm to run as. (default: nobody)
--with-fpm-group=GRP Set the group for php-fpm to run as.
However, the new version of D-Laravel has switched to using the official built image (instead of rewriting the official image's Dockerfile and rebuilding it).
The official image's default fpm user is www-data, which causes D-Laravel's storage directory to be unwritable when Linux users run Laravel.
Therefore, the latest versions of docker-compose-normal.yml and docker-compose-random.yml mount www.conf directly by default, so that everyone can adjust it to their own needs.
For security reasons, we can simply keep www.conf set to www-data, enter the container, and change the owner of the folders the PHP program needs to upload to or modify to www-data.
Or, more simply, let the fpm user be dlaravel so that Laravel runs normally in the container.
In a Linux environment, if the uid and gid of the host user running the container are not 1000, we can use D-Laravel's ./console command,
./console chowner
to adjust them. If you are a Linux user, you can run
id
to check whether your uid and gid are 1000. When the output (as in the figure below) is 1000, you can use the latest version of D-Laravel without running
./console chowner
at all. Executing ./console chowner adjusts the uid of the user FPM runs as inside the container so that it matches the uid of the user on the host side.
To put it bluntly, it lets php-fpm have permission to write files into the Laravel project we built.
Of course, the important point is that the user in your www.conf also needs to be set to dlaravel.
https://github.com/DevinY/dlaravel/blob/master/etc/php-fpm.d/www.conf
What running
./console chowner
actually does:
1. Detect whether the user's platform is Linux; the adjustment is only necessary on Linux.
2. Obtain the uid and gid of the current user on Linux.
3. Execute commands in the container through docker-compose, where ( exec php ) means running them inside the php service container. That is, the
usermod -u
and groupmod -g
commands are executed in the php fpm container, adjusting the uid and gid of the dlaravel user inside the container to match the uid and gid of the host user.
4. Finally, chowner changes the ownership of the /home/dlaravel directory in the container to the new uid and gid.
Remember, in a docker-compose environment, running
docker-compose down
removes the container, and on the next up a new container is created and started from the image, which serves as a read-only template.
That is to say, each up is a brand new environment (the image template is read-only).
So, to make sure we do not need to run the
./console chowner
step again the next time we start up, we should commit the container's changes into a new image and use that image;
in this way, the latest settings are retained at the next startup.
If you do not want to change the image name in docker-compose.yml, we can commit directly to the same name, for example deviny/fpm:7.2.1 (adjust according to the image you use).
To find the short container id of the php fpm container, you can use the following command:
docker ps |grep php_1
For example, commit the latest settings to your own image name:
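The following script is an added example, not D-Laravel's own ./console script. It walks through the four chowner steps listed above and the docker commit step that follows, as POSIX shell. By default nothing touches Docker: every command is only printed, and APPLY=1 must be set to execute them. The compose service name php, the in-container user dlaravel and the home directory /home/dlaravel are taken from the post; the container id and image name used for the commit are placeholders supplied through the PHP_CONTAINER_ID and FPM_IMAGE variables.

```shell
#!/bin/sh
# Added example, not D-Laravel's own ./console script: reproduces the chowner
# steps from the post plus the follow-up "docker commit" as POSIX shell.
# Nothing touches Docker unless APPLY=1 is set; by default each command is
# only printed so it can be reviewed first.
# Assumed from the post: compose service "php", in-container user "dlaravel",
# home directory /home/dlaravel. Container id and image name are placeholders.

SERVICE=php
CONTAINER_USER=dlaravel
CONTAINER_HOME=/home/dlaravel

# Step 1: only Linux shares the kernel (and therefore uid/gid semantics on
# bind mounts) with the container; on macOS the Docker VM handles this.
is_linux() {
    [ "$(uname -s)" = "Linux" ]
}

# Step 2: uid/gid of the host user running the command.
host_uid() { id -u; }
host_gid() { id -g; }

# Nothing to do when the host user already matches the image default 1000:1000.
# $1 = uid, $2 = gid
needs_chowner() {
    [ "$1" != 1000 ] || [ "$2" != 1000 ]
}

# Step 3: the commands run inside the php service via docker-compose exec.
# They are returned as strings so they can be inspected and tested without
# a Docker daemon.
build_usermod_cmd() {
    printf 'docker-compose exec %s usermod -u %s %s' "$SERVICE" "$1" "$CONTAINER_USER"
}
build_groupmod_cmd() {
    printf 'docker-compose exec %s groupmod -g %s %s' "$SERVICE" "$1" "$CONTAINER_USER"
}

# Step 4: re-own the home directory so existing files follow the new uid/gid.
build_chown_cmd() {
    printf 'docker-compose exec %s chown -R %s:%s %s' \
        "$SERVICE" "$CONTAINER_USER" "$CONTAINER_USER" "$CONTAINER_HOME"
}

# Persist the adjusted container as an image so the next "up" keeps the change.
# $1 = container id (from "docker ps | grep php_1"), $2 = target image name.
build_commit_cmd() {
    printf 'docker commit %s %s' "$1" "$2"
}

# Print the command, or execute it when APPLY=1.
run_or_echo() {
    if [ "${APPLY:-0}" = 1 ]; then
        $1
    else
        echo "[dry-run] $1"
    fi
}

# $1 = host uid, $2 = host gid
chowner() {
    if ! needs_chowner "$1" "$2"; then
        echo "uid/gid already 1000:1000, nothing to do"
        return 0
    fi
    run_or_echo "$(build_usermod_cmd "$1")"
    run_or_echo "$(build_groupmod_cmd "$2")"
    run_or_echo "$(build_chown_cmd)"
}

if is_linux; then
    chowner "$(host_uid)" "$(host_gid)"
    # Only commit when told which container to commit; the image name defaults
    # to the one named in the post and should match your docker-compose.yml.
    if [ -n "${PHP_CONTAINER_ID:-}" ]; then
        run_or_echo "$(build_commit_cmd "$PHP_CONTAINER_ID" "${FPM_IMAGE:-deviny/fpm:7.2.1}")"
    fi
else
    echo "not Linux, chowner is not needed"
fi
```

Run it once without APPLY to see the exact usermod, groupmod, chown and commit commands it would issue, then again with APPLY=1 and PHP_CONTAINER_ID set to the id from docker ps. Keeping the commands as returned strings is what makes the dry run possible and keeps the docker-compose exec calls in one place should the service or user name change.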
In a Linux environment, Docker uses the namespaces and cgroups built into the Linux kernel to limit, control and isolate the resources of a process group (CPU, memory, disk I/O and so on). macOS (a Unix environment), by comparison, runs Docker through HyperKit virtualization.
On Linux, using the kernel's native features, performance can be much faster (one is built into the kernel, the other runs in a HyperKit virtual machine).
This is why D-Laravel users run normally on macOS but may need additional permission adjustments on Linux.
Finally, regarding the security considerations mentioned in this article: our general user accounts have bash shell access, whereas Linux service accounts
have no shell, because there is no need for the service user to log in to a shell.
Therefore the www-data service account has no shell, which is relatively safe.
We can simply cat /etc/passwd in the container to see:
$ cat /etc/passwd|grep www
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
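As an added example (not from the post), the function below reads passwd-format input and reports whether a given account has a login shell, which is the property the post relies on when it calls www-data relatively safe. The www-data line mirrors the output shown above; the root and dlaravel lines are constructed, and giving dlaravel /bin/bash is an assumption about a regular user account created in the image.

```shell
#!/bin/sh
# Added example, not from the post: checks, from passwd-format input, whether
# the account php-fpm runs as has a login shell. SAMPLE_PASSWD is constructed;
# the www-data line matches the post's output, the dlaravel line assumes a
# regular user created with bash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dlaravel:x:1000:1000::/home/dlaravel:/bin/bash'

# Print the 7th passwd field (login shell) of the named user; empty if absent.
# $1 = user name, $2 = passwd content
login_shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Succeed when the user's shell is nologin or false, i.e. it cannot open a
# shell. An unknown user or an empty field (which defaults to /bin/sh) counts
# as having a shell, so the check fails closed.
has_no_login_shell() {
    case "$(login_shell_of "$1" "$2")" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the trade-off for a candidate fpm user: returns 0 when the account
# has no login shell, 1 when it does.
report_fpm_user() {
    if has_no_login_shell "$1" "$2"; then
        echo "$1: no login shell (service-account style)"
        return 0
    fi
    echo "$1: has login shell $(login_shell_of "$1" "$2"); review before running fpm as it"
    return 1
}

report_fpm_user www-data "$SAMPLE_PASSWD" || true
report_fpm_user dlaravel "$SAMPLE_PASSWD" || true
```

Inside a running container the same functions can be fed the real file with report_fpm_user dlaravel "$(cat /etc/passwd)", which makes the trade-off explicit: switching fpm from www-data to dlaravel solves the write-permission problem but moves fpm onto an account that can open a shell.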
If you encounter any difficulties running D-Laravel on macOS or Linux, you are welcome to leave a message in the D-Laravel fan group,
and I will try my best to help you solve the problem or answer your question. If you like D-Laravel, please give me a star in the D-Laravel repo, thank you.
https://github.com/DevinY/dlaravel