Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Permission denied error when app image is run as user that can't write to /layers #89

Open
edmorley opened this issue Mar 18, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@edmorley
Copy link
Member

The upstream CNB spec now states that the build and run images should use different Linux users:
https://github.com/buildpacks/spec/blob/main/platform.md#run-image
https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md

As such, for Heroku-24 we've switched to using the heroku-build user for the build, and the heroku user for the run image:
https://github.com/heroku/base-images/blob/6af6d3a1b20b684402691b59f9bb360766935f97/heroku-24/setup.sh#L200-L201

Heroku-24 isn't yet available, however, I was curious what impact this user change will have on our existing CNBs, so backported equivalent changes to Heroku-22 in this builder repo branch:
heroku/cnb-builder-images@main...edmorley/split-user-test

The CI run for it shows the issue for the PHP CNB:
https://github.com/heroku/cnb-builder-images/actions/runs/8326016245/job/22780888755

DOCUMENT_ROOT changed to 'web/'
Assuming 512MB of RAM
PHP memory_limit is 128M Bytes
Starting php-fpm with 4 workers...
Starting httpd...
(13)Permission denied: AH00091: httpd: could not open error log file /layers/heroku_php/webservers/var/apache2/log/error_log.
AH00015: Unable to open logs
Process exited unexpectedly: httpd, shutting down...
Stopping php-fpm gracefully...
Shutdown complete.

The CNB should configure Apache to write the logs to /tmp or $HOME (both of which are guaranteed by the spec to be writeable at runtime, unlike /layers or the app directory).

Note: Even if we decide not to use separate users for Heroku-24, other platforms already use separate users (or read-only /layers), so our buildpacks need to handle this case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant