Symfony2 Capifony部署setfacl不允许在缓存目录上进行操作 [英] Symfony2 Capifony deploy setfacl Operation not permitted on cache directory
问题描述
我正在使用Capifony多阶段部署将Symfony2 Web应用程序部署到托管在AWS上的Ubuntu计算机上的Apache Web服务器上.
I am deploying my Symfony2 web app onto an Apache web server, on an Ubuntu machine, hosted on AWS, using Capifony multistage deploy.
我有用户设置
set :user, "ubuntu"
像这样设置缓存的可写目录
And writable directory for cache set like so
set :writable_dirs, ["app/cache"]
set :webserver_user, "www-data"
set :use_set_permissions, true
set :permission_method, :acl
除了运行时,一切都部署良好
Everything is deploying fine apart from when this is run
executing "setfacl -R -m u:ubuntu:rwx -m u:www-data:rwx /var/www/releases/20140310012814/app/cache"
我遇到多个操作不允许的错误,例如
I get multiple Operation not permitted errors such as
setfacl: /var/www/releases/20140310012814/app/cache/prod/classes.php: Operation not permitted
似乎用户(大概是"www-data")不能对"ubuntu"创建的文件设置权限.但是,我已经从/var/www/current目录中的服务器上运行了以下命令,但是我不完全确定它们的作用:
It seems that the user, presumably 'www-data', cannot set permissions on files created by 'ubuntu'. However, I have run the following on the server from the /var/www/current directory, but I'm not entirely sure what they do:
sudo setfacl -R -m u:www-data:rwX -m u:`whoami`:rwX app/cache
sudo setfacl -dR -m u:www-data:rwx -m u:`whoami`:rwx app/cache
以下是一些ACL信息
getfacl app/cache
# file: app/cache
# owner: ubuntu
# group: ubuntu
user::rwx
user:www-data:rwx
user:ubuntu:rwx
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:www-data:rwx
default:user:ubuntu:rwx
default:group::rwx
default:mask::rwx
default:other::rwx
我看过类似的问题此处我应该运行相似的东西?例如:
I have had a look at a similar issue here Should I run something similar? such as:
sudo sh -c 'setfacl -R -m u:ubuntu:rwX -m u:www-data:rwX /var/www/current/app/cache'
谢谢
推荐答案
Capifony has a cookbook entry explaining how to automatically set proper permissions. Basically what you need is this:
set :writable_dirs, ["app/cache", "app/logs"]
set :webserver_user, "www-data"
set :permission_method, :acl
set :use_set_permissions, true
只要:writable_dirs由:user拥有,
:use_sudo不必是true.
:use_sudo doesn't need to be true as long as the :writable_dirs are owned by :user.
setfacl:/var/www/releases/20140310012814/app/cache/prod/classes.php:不允许操作
setfacl: /var/www/releases/20140310012814/app/cache/prod/classes.php: Operation not permitted
此消息表明运行任务时缓存目录不为空(setfacl在该目录中的prod/classes.php上运行),该目录不是setfacl不允许).
This message indicates that the cache directory isn't empty when the task is run (setfacl operates on prod/classes.php in that directory), which is not owned by :user (setfacl is not permitted).
该文件不属于:user的事实是很正常的,因为Web服务器将创建很多缓存文件,这使它们属于:webserver_user.
The fact that the file is not owned by :user is quite normal because the webserver will create a lot of cache files, which make them owned by :webserver_user.
奇怪的是,缓存目录不为空.通常,新版本应具有一个空的缓存目录.造成这种情况的常见原因是缓存目录是共享的,这意味着您已将其添加到:shared_children中.如果是这样,请删除它.缓存目录不应该共享.
The strange thing here is that the cache directory isn't empty. Normally a new release should have an empty cache directory. A common cause for this is that the cache directory is shared, meaning you've added it to :shared_children. If so, please remove it. The cache directory shouldn't be shared.
如果不是这种情况,请尝试找出运行setfacl任务时缓存目录为何不为空的原因.也许其他任务即将运行.
If this is not the case, then try to find out why the cache directory isn't empty when the setfacl task is run. Maybe other tasks are running to soon.
如果您实际上希望Web服务器可写一个共享目录怎么办?实际上,这很常见,请考虑应该共享的media或uploads目录.
What if you actually want a shared directory to be writable for the webserver? This is actually very common, think of a media or uploads directory that should be shared.
应该在实际的共享目录上设置权限,而不是发布目录中的符号链接.只要:writable_dirs中完全相同的短语也在:shared_children中,Capifony就会为您解决这一问题.
The permissions should be set on the actual shared directory, not the symlink in the release directory. Capifony takes care of this for you, as long as the exact same phrase in :writable_dirs is also in :shared_children.
# this will work:
set :shared_children, ["web/uploads"]
set :writable_dirs, ["web/uploads"]
# this will also work:
set :web_path, "web" # is default
set :shared_children, [web_path + "/uploads"]
set :writable_dirs, ["web/uploads"]
# this will not:
set :web_path, "web" # is default
set :shared_children, [web_path + "/uploads"]
set :writable_dirs, ["web/uploads/"] # trailing /
请检查错误中提到的目录是否为实际的共享目录(不是符号链接).
Please check if the directory mentioned in the error is the actual shared directory (not the symlink).
共享目录的所有者必须是将运行setfacl命令的用户.换句话说,它必须是:user.更改:user的值或过去启用:use_sudo时,这可能会引起问题.请检查目录(在:writable_dirs中设置)是否确实由:user拥有.
The owner of the shared directory must be the user that will run the setfacl command. In other words, it must be :user. When you've changed the value of :user, or have had :use_sudo enabled in the past, this could cause issues. Please check if the directories (as set in :writable_dirs) are indeed owned by :user.
Capifony将检查权限是否已设置.如果是这样,它将不会尝试再次执行此操作.这是通过以下命令完成的:
Capifony will perform a check if the permissions are already set. If so, it won't try to do it again. This is done with the following command:
getfacl --absolute-names --tabular #{dir} | grep #{webserver_user}.*rwx | wc -l"
尝试手动运行此命令(将#{dir}和#{webserver_user}替换为实际值)以查看结果.如果未产生任何结果,则Capifony假定尚未设置权限,并将尝试这样做.
Try to run this command manually (replace #{dir} and #{webserver_user} with the actual values) to see the outcome. If it yields no results, then Capifony assumes the permissions have not yet been set, and will try to do so.
在这种情况下,请使用getfacl手动检查权限.如果确实不正确,请使用"root of power"手动设置(再次替换#{user},#{webserver_user}和#{dir}):
In that case, manually check the permissions with getfacl. If they are indeed incorrect, manually set them (again, replace #{user}, #{webserver_user} and #{dir}) using "the power of root":
sudo setfacl -R -m u:#{user}:rwX -m u:#{webserver_user}:rwX #{dir}
sudo setfacl -dR -m u:#{user}:rwx -m u:#{webserver_user}:rwx #{dir}
然后再次运行Capifony.如果一切顺利,这次应该会成功!
Then run Capifony again. If all is well, it should succeed this time!
这篇关于Symfony2 Capifony部署setfacl不允许在缓存目录上进行操作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
