Permission denied error when app image is run as user that can't write to `/layers`
Opened this issue · 0 comments
The upstream CNB spec now states that the build and run images should use different Linux users:
https://github.com/buildpacks/spec/blob/main/platform.md#run-image
https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md
As such, for Heroku-24 we've switched to using the `heroku-build` user for the build, and the `heroku` user for the run image:
https://github.com/heroku/base-images/blob/6af6d3a1b20b684402691b59f9bb360766935f97/heroku-24/setup.sh#L200-L201
Heroku-24 isn't yet available, however, I was curious what impact this user change will have on our existing CNBs, so backported equivalent changes to Heroku-22 in this builder repo branch:
heroku/cnb-builder-images@main...edmorley/split-user-test
The CI run for it shows the issue for the PHP CNB:
https://github.com/heroku/cnb-builder-images/actions/runs/8326016245/job/22780888755
```
DOCUMENT_ROOT changed to 'web/'
Assuming 512MB of RAM
PHP memory_limit is 128M Bytes
Starting php-fpm with 4 workers...
Starting httpd...
(13)Permission denied: AH00091: httpd: could not open error log file /layers/heroku_php/webservers/var/apache2/log/error_log.
AH00015: Unable to open logs
Process exited unexpectedly: httpd, shutting down...
Stopping php-fpm gracefully...
Shutdown complete.
```
The CNB should configure Apache to write the logs to `/tmp` or `$HOME` (both of which are guaranteed by the spec to be writeable at runtime, unlike `/layers` or the app directory).
Note: Even if we decide not to use separate users for Heroku-24, other platforms already use separate users (or read-only `/layers`), so our buildpacks need to handle this case.
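As an added example (not code from this issue, nor from the Heroku PHP buildpack or cnb-builder-images), here is one way a launch script can handle the case described above: probe candidate log directories in order, skip any that cannot be created or written (which is what happens to the `/layers` path when the run user differs from the build user or `/layers` is read-only), and render an Apache fragment whose `ErrorLog`/`CustomLog` point at the first writable one. The function names `pick_log_dir` and `render_apache_log_conf`, the candidate paths, and the `common` log-format nickname (assumed to be defined in the main httpd.conf) are all assumptions of this example.

```shell
#!/bin/sh
# Added example: choose a writable Apache log directory at launch time.
# Not part of the Heroku PHP buildpack; names and paths are hypothetical.

# pick_log_dir DIR... : print the first directory that can be created and
# written to by the current user, or return 1 if none qualifies.
# A write probe is used rather than "test -w", because -w is misleading
# for root and for some read-only mounts.
pick_log_dir() {
    for d in "$@"; do
        [ -n "$d" ] || continue
        # mkdir -p fails if the parent is read-only (e.g. /layers at run time)
        # or if the path exists but is not a directory.
        mkdir -p "$d" 2>/dev/null || continue
        probe="$d/.write-probe.$$"
        if : > "$probe" 2>/dev/null; then
            rm -f "$probe"
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# render_apache_log_conf LOGDIR OUTFILE : write an httpd config fragment that
# sends the error and access logs to LOGDIR, to be Include'd by the main config.
render_apache_log_conf() {
    logdir="$1"
    out="$2"
    cat > "$out" <<EOF
# Generated at launch: log directory chosen because it is writable by the run user.
ErrorLog "${logdir}/error_log"
CustomLog "${logdir}/access_log" common
EOF
}
```

At launch the script would call, for instance, `logdir=$(pick_log_dir "$HOME/.apache2/log" /tmp/apache2-log)` (constructed candidate paths, with `$HOME` first because the spec guarantees it is writable), then `render_apache_log_conf "$logdir" /tmp/apache2-log.conf` and start httpd with a config that `Include`s that fragment. If a `/layers` path is listed as the first candidate it is simply skipped on platforms where the run user cannot write there, so the same script works whether or not build and run users are split.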