by Devin Yang
(This article was automatically translated.)

Published - 6 years ago ( Updated - 6 years ago )

Before PHP 7.2.1, D-Laravel's fpm image was rebuilt from the official Docker PHP Dockerfile.
That let me set the default fpm user to dlaravel at build time with these configure options:
--with-fpm-user=USER Set the user for php-fpm to run as. (default: nobody)
--with-fpm-group=GRP Set the group for php-fpm to run as.

However, the new version of D-Laravel uses the officially built image (instead of modifying the official image's Dockerfile and rebuilding it).
The official default fpm user is www-data, so Linux users running Laravel on D-Laravel may find that the storage directory cannot be written.

Therefore, the latest versions of docker-compose-normal.yml and docker-compose-random.yml mount www.conf by default, so that everyone can adjust it according to their needs.
For security reasons, we can leave the user in www.conf set to www-data, enter the container, and change the owner of the folders that the PHP program needs to upload to or modify to www-data.
Or, more simply, let the fpm user be dlaravel so that Laravel runs normally in the container.

On Linux, if the uid and gid of the host user running the container are not 1000, we can use D-Laravel's ./console command, specifically ./console chowner, to adjust them.
If you are a Linux user, run id to check whether your uid and gid are 1000.
When both are 1000, as in the figure below, you can use the latest version of D-Laravel without running ./console chowner.
[Figure: uid and gid]

Running ./console chowner adjusts the uid of the user that runs FPM in the container so that it matches the user on the host side.
Put plainly, it gives PHP-FPM permission to write files to the Laravel project we built.
The important point, of course, is that the user set in your www.conf must also be dlaravel.
https://github.com/DevinY/dlaravel/blob/master/etc/php-fpm.d/www.conf

What does running ./console chowner actually do?
[Figure: ./console chowner]

1. Detect whether the user's platform is Linux; the adjustment is only necessary on Linux.
2. Obtain the uid and gid of the current user on Linux.
3. Execute commands in the container through docker-compose, where (exec php) means executing in the container of the php service.
   That is, the usermod -u and groupmod -g commands are run in the php-fpm container to make the uid and gid of the dlaravel user in the container match the uid and gid of the host user.
4. Finally, chowner changes the ownership of the /home/dlaravel directory in the container to the user with the new ids.
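
The four steps above, written out as a shell sketch. This is an added example, not the actual source of D-Laravel's ./console: the service name php, the user dlaravel and /home/dlaravel come from the article, while DRY_RUN, the function names and the uid/gid validation are assumptions.

```shell
#!/bin/sh
# Added sketch, not D-Laravel's ./console source. From the article: service "php",
# user "dlaravel", /home/dlaravel. Assumed: DRY_RUN, function names, the id checks.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only positive decimal ids without leading zeros: rejects empty,
# non-numeric and 0 (root), so the fpm user is never remapped onto root.
valid_id() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    return 0
}

# chowner OS UID GID: mirror the host user's ids onto dlaravel in the php container.
chowner() {
    os="$1"; uid="$2"; gid="$3"
    # Step 1: only needed on Linux.
    [ "$os" = "Linux" ] || return 0
    # Step 2: ids come from the caller (id -u / id -g); validate before use.
    if ! valid_id "$uid" || ! valid_id "$gid"; then
        echo "chowner: refusing uid=$uid gid=$gid" >&2
        return 1
    fi
    # The article notes that uid and gid 1000 need no adjustment.
    if [ "$uid" = "1000" ] && [ "$gid" = "1000" ]; then return 0; fi
    # Step 3: change the ids of dlaravel inside the php (fpm) container.
    run docker-compose exec php groupmod -g "$gid" dlaravel || return 1
    run docker-compose exec php usermod -u "$uid" dlaravel || return 1
    # Step 4: hand the home directory to the remapped user.
    run docker-compose exec php chown -R dlaravel:dlaravel /home/dlaravel
}

# Dry run against the current host user; prints nothing on non-Linux hosts.
chowner "$(uname -s)" "$(id -u)" "$(id -g)" || echo "chowner: skipped" >&2
```

With the default DRY_RUN=1 the script only prints the docker-compose commands it would run; set DRY_RUN=0 from the D-Laravel directory to execute them.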

Remember that in a docker-compose environment, docker-compose down removes the container, and up creates and runs a new container using the image as a read-only template.
In other words, every up is a brand new environment.
[Figure: ./console down]

So, to avoid repeating the ./console chowner step the next time we start up, we should commit the container's changes into a new image and use that image.
The latest settings will then be retained at the next startup.
[Figure: docker-compose.yml]
If you do not want to change the image name in docker-compose.yml, you can commit directly to the same name, for example: deviny/fpm:7.2.1 (please adjust according to the image you use).

To find the short container id of the php fpm container, use the following command:
docker ps |grep php_1
For example, commit the latest settings to your own image name:
[Figure: commit]


On Linux, Docker uses the namespaces and cgroups built into the Linux kernel to limit, control and isolate the resources of a process group (such as CPU, memory, disk input and output, etc.). On macOS (a Unix environment), Docker instead runs through HyperKit virtualization.
Because Linux uses native kernel features, performance can be much faster (one is built into the kernel, the other goes through HyperKit virtualization).

This is why D-Laravel runs normally for macOS users but may need additional permission adjustments on Linux.

Finally, the security consideration I am referring to in this article is that ordinary user accounts have bash shell access. Linux service accounts have no shell, because there is no need for anyone to log in to a shell as them.
The www-data service account therefore has no shell access, which is relatively safe.
We can simply grep /etc/passwd in the container to see:
$ cat /etc/passwd|grep www
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

If you encounter any difficulties running D-Laravel on macOS or Linux, you are welcome to leave a message in the D-Laravel fan group, and I will try my best to help or answer. If you like D-Laravel, please give it a star in D-Laravel's repo, thank you.
https://github.com/DevinY/dlaravel

Tags: docker dlaravel
