heroku/buildpacks-php

Permission denied error when app image is run as user that can't write to `/layers`


The upstream CNB spec now states that the build and run images should use different Linux users:
https://github.com/buildpacks/spec/blob/main/platform.md#run-image
https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md

As such, for Heroku-24 we've switched to using the heroku-build user for the build, and the heroku user for the run image:
https://github.com/heroku/base-images/blob/6af6d3a1b20b684402691b59f9bb360766935f97/heroku-24/setup.sh#L200-L201

Heroku-24 isn't yet available; however, I was curious what impact this user change will have on our existing CNBs, so I backported equivalent changes to Heroku-22 in this builder repo branch:
heroku/cnb-builder-images@main...edmorley/split-user-test

The CI run for it shows the issue for the PHP CNB:
https://github.com/heroku/cnb-builder-images/actions/runs/8326016245/job/22780888755

```
DOCUMENT_ROOT changed to 'web/'
Assuming 512MB of RAM
PHP memory_limit is 128M Bytes
Starting php-fpm with 4 workers...
Starting httpd...
(13)Permission denied: AH00091: httpd: could not open error log file /layers/heroku_php/webservers/var/apache2/log/error_log.
AH00015: Unable to open logs
Process exited unexpectedly: httpd, shutting down...
Stopping php-fpm gracefully...
Shutdown complete.
```

The CNB should configure Apache to write the logs to /tmp or $HOME (both of which are guaranteed by the spec to be writeable at runtime, unlike /layers or the app directory).

Note: Even if we decide not to use separate users for Heroku-24, other platforms already use separate users (or read-only /layers), so our buildpacks need to handle this case.
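
One way a launch script could select a log directory that is writable at runtime, covering both a different run user and a read-only `/layers` (an added example, not part of the original issue and not code from heroku/buildpacks-php; the function names and the `apache2/log` subdirectories are assumptions):

```shell
#!/usr/bin/env bash
# Added illustration; pick_writable_dir, apache_log_dir and
# apache_errorlog_directive are hypothetical names.

# Print the first candidate directory the current user can really write to.
# A probe file is created instead of trusting `[ -w ]`, because mode bits can
# look fine while the filesystem is mounted read-only.
pick_writable_dir() {
    local dir probe
    for dir in "$@"; do
        [ -n "$dir" ] || continue                     # skip empty candidates
        mkdir -p "$dir" 2>/dev/null || continue       # cannot create: next one
        probe=$(mktemp "$dir/.write-probe.XXXXXX" 2>/dev/null) || continue
        rm -f "$probe"
        printf '%s\n' "$dir"
        return 0
    done
    return 1                                          # nothing writable
}

# Prefer $HOME, then /tmp: the two locations the issue names as writable
# at runtime. Build-time paths under /layers are deliberately not candidates.
apache_log_dir() {
    pick_writable_dir "${HOME:+$HOME/.apache2/log}" "/tmp/apache2/log"
}

# Emit the httpd directive for the chosen directory, or fail loudly at boot
# instead of letting httpd die with AH00091.
apache_errorlog_directive() {
    local dir
    dir=$(apache_log_dir) || {
        echo "no writable log directory for uid $(id -u)" >&2
        return 1
    }
    printf 'ErrorLog "%s/error_log"\n' "$dir"
}
```
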