Kubernetes: how to correctly set php-fpm and nginx shared volume permission


You can use an init container, as described here, to change the permissions of mounted directories, or you can set an fsGroup to change the group ID that owns the volume, as described here.

In your case I think it will be easier to set permissions by modifying your "copy" command:

command: ["/bin/sh", "-c", "cp -r /app/. /var/www"]

adding a chmod command with appropriate parameters, e.g.:

command: ["/bin/sh", "-c", "cp -r /app/. /var/www && chmod -R a+r /var/www"]
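
The init-container and fsGroup options mentioned in this answer, combined in one manifest. This is an added example, not part of the original answer or the asker's config: the image names are placeholders, GID 82 is the fsGroup value used elsewhere on this page, and the `storage` and `bootstrap/cache` paths assume a standard Laravel layout.

```yaml
# Added example: init-container variant of the shared-volume setup.
# Image names are placeholders; the init container is assumed to run as root.
apiVersion: v1
kind: Pod
metadata:
  name: php-nginx-shared-volume
spec:
  securityContext:
    fsGroup: 82            # volume is group-owned by GID 82, with setgid set
  volumes:
    - name: shared-files
      emptyDir: {}
  initContainers:
    # Runs to completion before app and nginx start, so neither container
    # ever sees a half-copied or wrongly-permissioned tree.
    - name: copy-code
      image: registry.example.com/php-app:1.0   # placeholder
      command:
        - /bin/sh
        - -c
        - >
          cp -r /app/. /var/www &&
          chgrp -R 82 /var/www &&
          chmod -R a+rX,go-w /var/www &&
          chmod -R g+w /var/www/storage /var/www/bootstrap/cache
      volumeMounts:
        - name: shared-files
          mountPath: /var/www
  containers:
    - name: app
      image: registry.example.com/php-app:1.0   # placeholder
      ports:
        - containerPort: 9000
          name: fastcgi
      volumeMounts:
        - name: shared-files
          mountPath: /var/www
    - name: nginx
      image: registry.example.com/nginx:1.0     # placeholder
      ports:
        - containerPort: 80
      volumeMounts:
        - name: shared-files
          mountPath: /var/www
          readOnly: true   # nginx only serves files; it never writes them
```

`a+rX,go-w` makes the tree readable and traversable by every user in the pod but writable only by the owner, and group write is then restored on just the two directories the framework writes to.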


For anyone who is looking for an answer, I managed to set up Kubernetes for our production server with php-fpm and nginx.

It requires 2 images: one contains php-fpm and our code, the other one is an nginx image with our conf in it.

Also, we have to set up a shared volume between those 2 images to access. What I was missing was the postStart command to do chmod and php artisan optimize to make sure I cleared the cache.

For future reference, please do kubectl logs <pods-name> and kubectl describe pods <pods-name> to easily debug and see what happens in every pod.

Here's the final working config, hope it helps someone in the future:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: operation-service
  labels:
    app: operation-service
spec:
  type: NodePort
  selector:
    app: operation
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
---
# Create a pod containing the PHP-FPM application (my-php-app)
# and nginx, each mounting the `shared-files` volume to their
# respective /var/www/ directories.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: operation
spec:
  selector:
    matchLabels:
      app: operation
  replicas: {{ .Values.replicaCount }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 50%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: operation
    spec:
      volumes:
        # Create the shared files volume to be used in both pods
        - name: shared-files
          emptyDir: {}
      securityContext:
        fsGroup: 82
      containers:
        # Our PHP-FPM application
        - image: asia.gcr.io/3/operations:{{ .Values.version }}
          name: app
          envFrom:
          - configMapRef:
              name: prod
          - secretRef:
              name: prod
          volumeMounts:
            - name: shared-files
              mountPath: /var/www
          # Important! After this container has started, the PHP files
          # in our Docker image aren't in the shared volume. We need to
          # get them into the shared volume. If we tried to write directly
          # to this volume from our Docker image the files wouldn't appear
          # in the nginx container.
          #
          # So, after the container has started, copy the PHP files from this
          # container's local filesystem (/app -- added via the Docker image)
          # to the shared volume, which is mounted at /var/www.
          ports:
            - containerPort: 9000
              name: fastcgi
          lifecycle:
            postStart:
              exec:
                command:
                  - "/bin/sh"
                  - "-c"
                  - >
                    cp -r /app/. /var/www &&
                    cd /var/www &&
                    php artisan optimize &&
                    php artisan migrate --force &&
                    chgrp -R www-data /var/www/* &&
                    chmod -R 775 /var/www/*
        # Our nginx container, which uses the configuration declared above,
        # along with the files shared with the PHP-FPM app.
        - image: asia.gcr.io/3/nginx:1.0
          name: nginx
          ports:
            - containerPort: 80
          volumeMounts:
            - name: shared-files
              mountPath: /var/www
# We don't need this anymore as we're not using fastcgi straightaway
# ---
# apiVersion: v1
# kind: ConfigMap
# metadata:
#   name: ingress-cm
# data:
#   SCRIPT_FILENAME: "/var/www/public/index.php$is_args$args"
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: operation-ingress
  labels:
    app: operation-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - myservice.com.au
      secretName: kubernetes-tls
  rules:
  - host: myservice.com.au
    http:
      paths:
      - backend:
          serviceName: operation-service
          servicePort: 80
```


You can read the log, which clearly mentions permission denied, which means Nginx doesn't have permission to access the file. You might have to change the permission of the directory or files so that Nginx can access it.

Either you can change the permission during the docker build, or else run a prehook, or set the command which will run with the image at the time the deployment gets updated.

Something like:

sudo chmod -R 775 /var/www/vendor

or

sudo chmod -R 755 /var/www/

I was trying to set up WordPress the same way, along with php-fpm and using the Nginx container with php-fpm, and faced the same issue.

You can find all the example files here: https://github.com/harsh4870/Kubernetes-wordpress-php-fpm-nginx