Symfony 3.4 deployer fails due to permission denied of shared folder

Multi tool use
Multi tool use











up vote
0
down vote

favorite












I have developed a webapp based on Symfony3.4. On production it is deployed on a Ubuntu 18.04 Server via deployer (deployer.org).
Everything runs fine so far. The webapp is deployed in /opt/app/prod done by a user that is part of group www-data.



My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.



In order to sustain access to the files after another release I have added the data folder to the list of shared folders.



My deploy.php looks as follows:



set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');


This leads to the following folder structure:



.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data


So everything fine so far - with one exception:
Deployer wants to setfacl the data folder which is not allowed as the files in data belongs to www-data:www-data where deployer tries to change this as .



The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted


I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?



Thanks and best regards






symfony deployment permissions







share|improve this question






















  • Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
    – nifr
    Nov 8 at 9:25












  • No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
    – Oliver Koehler
    Nov 8 at 11:10

















up vote
0
down vote

favorite












I have developed a webapp based on Symfony3.4. On production it is deployed on a Ubuntu 18.04 Server via deployer (deployer.org).
Everything runs fine so far. The webapp is deployed in /opt/app/prod done by a user that is part of group www-data.



My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.



In order to sustain access to the files after another release I have added the data folder to the list of shared folders.



My deploy.php looks as follows:



set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');


This leads to the following folder structure:



.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data


So everything fine so far - with one exception:
Deployer wants to setfacl the data folder which is not allowed as the files in data belongs to www-data:www-data where deployer tries to change this as .



The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted


I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?



Thanks and best regards






symfony deployment permissions







share|improve this question






















  • Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
    – nifr
    Nov 8 at 9:25












  • No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
    – Oliver Koehler
    Nov 8 at 11:10















up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have developed a webapp based on Symfony3.4. On production it is deployed on a Ubuntu 18.04 Server via deployer (deployer.org).
Everything runs fine so far. The webapp is deployed in /opt/app/prod done by a user that is part of group www-data.



My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.



In order to sustain access to the files after another release I have added the data folder to the list of shared folders.



My deploy.php looks as follows:



set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');


This leads to the following folder structure:



.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data


So everything fine so far - with one exception:
Deployer wants to setfacl the data folder which is not allowed as the files in data belongs to www-data:www-data where deployer tries to change this as .



The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted


I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?



Thanks and best regards






symfony deployment permissions







share|improve this question













I have developed a webapp based on Symfony3.4. On production it is deployed on a Ubuntu 18.04 Server via deployer (deployer.org).
Everything runs fine so far. The webapp is deployed in /opt/app/prod done by a user that is part of group www-data.



My webapp allows the upload of files. To support this I have added the folder data which stores the uploaded files.



In order to sustain access to the files after another release I have added the data folder to the list of shared folders.



My deploy.php looks as follows:



set('bin_dir', 'bin');

// Symfony console bin

set('bin/console', function () {

    return sprintf('{{release_path}}/%s/console', trim(get('bin_dir'), '/'));

});



// Project name

set('application', 'appname');

set('http_user', 'www-data');

set('writable_mode', 'acl');



// Project repository

set('repository', '<MY_GITREPO>');



// [Optional] Allocate tty for git clone. Default value is false.

set('git_tty', true);



// Shared files/dirs between deploys

add('shared_files', );

add('shared_dirs', ['data']);





// Writable dirs by web server

add('writable_dirs', ['{{release_path}}','data']);





// Hosts

host('prod')

    ->hostname('<MY_HOST>')

    ->user('<MY_USER>')

    ->stage('prod')

    ->set('deploy_path', '/opt/app/prod/<MY_APPNAME>');


This leads to the following folder structure:



.

├── current -> releases/5

├── releases

│   ├── 2

│   ├── 3

│   ├── 4

│   └── 5

└── shared

    ├── app

    └── data


So everything fine so far - with one exception:
Deployer wants to setfacl the data folder which is not allowed as the files in data belongs to www-data:www-data where deployer tries to change this as .



The command "export SYMFONY_ENV='prod'; cd /opt/app/prod/<MY_APPNAME>/releases/5 && (setfacl -RL -m u:"www-data":rwX -m u:`whoami`:rwX /opt/app/prod/<MY_APPNAME>/releases/5)" failed.

setfacl: /opt/app/prod/<MY_APPNAME>/releases/5/data/child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg: Operation not permitted


I have the impression that I did a mistake in my deployer.php or I missed something.
Has someone an idea what I need to do in order to get my deployment running?



Thanks and best regards






symfony deployment permissions




symfony deployment permissions






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 8 at 8:33









Oliver Koehler

2642315




2642315












  • Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
    – nifr
    Nov 8 at 9:25












  • No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
    – Oliver Koehler
    Nov 8 at 11:10




















  • Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
    – nifr
    Nov 8 at 9:25












  • No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
    – Oliver Koehler
    Nov 8 at 11:10


















Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
– nifr
Nov 8 at 9:25






Just to get this right. /opt/app/prod/<app>/releases is owned by www-data:www-data and group-writeable, you're deploying as a different user user-x who is member of www-data and the command setfacl -RL -m u:"www-data":rwX -m u:user-x:rwX /opt/app/prod/<MY_APPNAME>/releases/5 fails? Can you confirm/double-check all files in the shared/data folder and especially the file child/679/ba7f9641061879554e5cafbd6a3a557b.jpeg are owned by www-data:www-data ?
– nifr
Nov 8 at 9:25














No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
– Oliver Koehler
Nov 8 at 11:10






No, /opt/app/prod/<app>/releases is owned by <MY_USER>:www-data but the given folder and all subfolder are group-writeable. And yes, I am trying to deploy as <MY_USER>. Just checked: All files in shared/data are owned by www-data:www-data as it has been created by the webserver.
– Oliver Koehler
Nov 8 at 11:10



















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53203994%2fsymfony-3-4-deployer-fails-due-to-permission-denied-of-shared-folder%23new-answer', 'question_page');
}
);

Post as a guest























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53203994%2fsymfony-3-4-deployer-fails-due-to-permission-denied-of-shared-folder%23new-answer', 'question_page');
}
);

Post as a guest






































































whBefvWtsRRnP3GS7 oaTw8srOi ajtNJ34gkxEgZ5ROm,mJagf
-
OmB0sj,xn,J BRmzRglKF5 Lca lAFdY6Zh0gB 7,Do uGejJZAcdcs6RiYDz 2 81S,EEYDJyEFda 9Q8ZN6gZQyE9 Nr U,iBH di

Popular posts from this blog

Schultheiß

Image
Der Titel dieses Artikels ist mehrdeutig. Weitere Bedeutungen sind unter Schultheiß (Begriffsklärung) aufgeführt. Ein Schultheiß. Holzschnitt von Peter Flötner (16. Jahrhundert) Der Schultheiß oder Schuldheiß (von althochdeutsch  sculdheizo ‚Leistung Befehlender‘, vgl. mittelniederdeutsch  schult(h)ēte , latinisiert (mittellat.) sculte(t)us , schwäbisch heute noch Schultes für „Bürgermeister“) bezeichnet einen in vielen westgermanischen Rechtsordnungen vorgesehenen Beamten, der Schuld heischt : Er hatte im Auftrag seines Herren (Landesherrn, Stadtherrn, Grundherrn) die Mitglieder einer Gemeinde zur Leistung ihrer Schuldigkeit anzuhalten, also Abgaben einzuziehen oder für das Beachten anderer Verpflichtungen Sorge zu tragen. Sprachliche Varianten des Schultheißen sind Schulte , Schultes oder Schulze . Früher wurde zwischen dem Stadtschulzen und dem Dorfschulzen unterschieden. In der städtischen Gerichts- und Gemeindeverfassung war er ein vom städtischen Rat oder vom L...
Read more

how to define a CAPL function taking a sysvar argument

Image
up vote 0 down vote favorite In Vector CANoe, is it possible to define a function that takes a system variable argument like the system function TestWaitForSignalMatch() ? For my use case it is not sufficient to supply the current value of the system variable because I want to pass the system variable to TestWaitForSignalMatch() or similar system functions. The CANoe help seems to show examples: long TestWaitForSignalMatch (Signal aSignal, float aCompareValue, dword aTimeout); // form 1 long TestWaitForSignalMatch (sysvar aSysVar, float aCompareValue, dword aTimeout); // form 3 I tried like this void foo(sysvar aSysvar) {} ^ or this void foo(sysvar *aSysvar) {} ^ but I get a parse error at the marked position of the sysvar keyword in both cases. I successfully created functions that take a...
Read more

Krone von Aragonien

Image
Wappenschild der Krone von Aragonien Die Länder der Krone Aragon (hellblaue Gebiete: nur kurzzeitig oder indirekt unter aragonesischer Herrschaft) Herrschaftsgebiet zur Zeit Ramon Berenguers IV. Krone von Aragonien im 13. Jahrhundert Krone von Aragonien im 15. Jahrhundert Unter dem Begriff Krone von Aragonien ( spanisch Corona de Aragón , aragonesisch Corona d’Aragón , katalanisch Corona d’Aragó ) werden Herrschaftsgebiete unterschiedlicher Verfasstheit zusammengefasst, die zwischen 1137 und 1516 bzw. 1714 in Personalunion von den Königen von Aragonien regiert wurden. Dazu gehörten Königreiche wie Aragonien, Mallorca, Valencia, Sizilien, Sardinien, Korsika und Neapel, das Herzogtum Athen und Neopatria, die Markgrafschaft Provence, die Grafschaften Barcelona, Roussillon und Cerdanya und die Herrschaft Montpellier. [1] Die Herrscher der Krone von Aragonien und von Spanien zählten und zählen in ihrer Titulatur eine große Anzahl von Herrschaftsgebieten auf. Dies...
Read more