Symfony 3.4 deployer fails due to permission denied of shared folder

up vote
0
down vote

favorite

I have developed a webapp based on Symfony3.4. On production it is deployed on a Ubuntu 18.04 Server via deployer (deployer.org).
Everything runs fine so far. The webapp is deployed in /opt/app/prod done by a user that is part of group www-data.

My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.

In order to sustain access to the files after another release I have added the data folder to the list of shared folders.

My deploy.php looks as follows:

set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');

This leads to the following folder structure:

.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data

So everything fine so far - with one exception:
Deployer wants to setfacl the data folder which is not allowed as the files in data belongs to www-data:www-data where deployer tries to change this as .

The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted

I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?

Thanks and best regards

asked Nov 8 at 8:33

Oliver Koehler

2642315

Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
– nifr
Nov 8 at 9:25

No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
– Oliver Koehler
Nov 8 at 11:10

add a comment |

up vote
0
down vote

favorite

My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.

In order to sustain access to the files after another release I have added the data folder to the list of shared folders.

My deploy.php looks as follows:

set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');

This leads to the following folder structure:

.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data

The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted

I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?

Thanks and best regards

asked Nov 8 at 8:33

Oliver Koehler

2642315

Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
– nifr
Nov 8 at 9:25

No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
– Oliver Koehler
Nov 8 at 11:10

add a comment |

up vote
0
down vote

favorite

My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.

In order to sustain access to the files after another release I have added the data folder to the list of shared folders.

My deploy.php looks as follows:

set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');

This leads to the following folder structure:

.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data

The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted

I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?

Thanks and best regards

asked Nov 8 at 8:33

Oliver Koehler

2642315

My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.

In order to sustain access to the files after another release I have added the data folder to the list of shared folders.

My deploy.php looks as follows:

set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');

This leads to the following folder structure:

.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data

The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted

I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?

Thanks and best regards

symfony deployment permissions

asked Nov 8 at 8:33

Oliver Koehler

2642315

asked Nov 8 at 8:33

Oliver Koehler

2642315

asked Nov 8 at 8:33

Oliver Koehler

2642315

asked Nov 8 at 8:33

Oliver Koehler

2642315

asked Nov 8 at 8:33

Oliver Koehler

2642315

Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
– nifr
Nov 8 at 9:25

No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
– Oliver Koehler
Nov 8 at 11:10

add a comment |

Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
– nifr
Nov 8 at 9:25

No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
– Oliver Koehler
Nov 8 at 11:10

Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
– nifr
Nov 8 at 9:25

No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
– Oliver Koehler
Nov 8 at 11:10

add a comment |

active

oldest

votes

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53203994%2fsymfony-3-4-deployer-fails-due-to-permission-denied-of-shared-folder%23new-answer', 'question_page');
}
);

Post as a guest

Name

active

oldest

votes

draft saved

draft discarded

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Name

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Xtykutl