| Q | A
| ----------------- | ---
| Issue Type | Bug
| Deployer Version | 6.0.3
| Local Machine OS | Mac OS
| Remote Machine OS | Debian 8

Deployment crashes when trying to accomplish step `cachetool:clear:opcache`.
It is because the deployment is not done via a root user for security reasons.

`deploy.php`:

```php
<?php
namespace Deployer;

require 'recipe/symfony.php';
require 'vendor/deployer/recipes/cachetool.php';

//------------------------------
// Configuration
//------------------------------
set('ssh_type', 'native');
set('ssh_multiplexing', true);
set('default_stage', 'stage');
set('shared_files', ['app/config/parameters.yml.dist']);
set('keep_releases', 1);

host('stage')
    ->hostname('x.x.x.x')
    ->stage('stage')
    ->set('writable_use_sudo', true)
    ->set('clear_use_sudo', true)
    ->set('cleanup_use_sudo', true)
    ->set('symfony_env', 'dev')
    ->set('composer_options', '{{composer_action}} -vvv --profile --prefer-dist --no-progress --no-interaction --optimize-autoloader')
    ->set('clear_paths', ['web/config.php'])
    ->set('deploy_path', '/home/project/stage')
    ->set('cachetool', '/var/run/php/php7.1-fpm.sock')
    ->configFile('/Users/xx/.ssh/config')
    ->identityFile('/Users/xx/.ssh/project_rsa')
    ->user('myuser')
    ->forwardAgent(true)
    ->set('branch', 'master');

//------------------------------
// Tasks
//------------------------------
// If deploy fails automatically unlock.
after('deploy:failed', 'deploy:unlock');
// Migrate database before symlink new release.
before('deploy:symlink', 'database:migrate');
// Clear opcache
after('deploy:symlink', 'cachetool:clear:opcache');
```

With enabled option for verbose output -vvv.

```
➤ Executing task cachetool:clear:opcache
[stage] > export SYMFONY_ENV='stage'; cd /home/project/stage/releases/5 && (if [ -e /home/project/stage/releases/5/cachetool.phar ]; then echo 'true'; fi)
[stage] > export SYMFONY_ENV='stage'; cd /home/project/stage/releases/5 && (curl -sO https://gordalina.github.io/cachetool/downloads/cachetool.phar)
[stage] > export SYMFONY_ENV='stage'; cd /home/project/stage/releases/5 && (/usr/bin/php cachetool.phar opcache:reset --fcgi=/var/run/php/php7.1-fpm.sock)
[stage] < PHP Warning: fsockopen(): unable to connect to unix:///var/run/php/php7.1-fpm.sock:-1 (Permission denied) in phar:///home/project/stage/releases/5/cachetool.phar/vendor/adoy/fastcgi-client/src/Adoy/FastCGI/Client.php on line 255
[stage] <
[stage] < [RuntimeException]
[stage] < FastCGI error: Unable to connect to FastCGI application: Permission denied
[stage] < (/var/run/php/php7.1-fpm.sock)
[stage] < [Exception]
[stage] < Unable to connect to FastCGI application: Permission denied
[stage] <
[stage] < opcache:reset
➤ Executing task deploy:failed
• done on [stage]
✔ Ok [0ms]
➤ Executing task deploy:unlock
[stage] > export SYMFONY_ENV='stage'; rm -f /home/project/stage/.dep/deploy.lock
• done on [stage]
✔ Ok [99ms]
[Deployer\Exception\RuntimeException (1)]
The command "export SYMFONY_ENV='stage'; cd /home/project/stage/releases/5 && (/usr/bin/php cachet
ool.phar opcache:reset --fcgi=/var/run/php/php7.1-fpm.sock)" failed.
Exit Code: 1 (General error)
Host Name: stage
================
PHP Warning: fsockopen(): unable to connect to unix:///var/run/php/php7.1-fpm.sock:-1 (Permissi
on denied) in phar:///home/project/stage/releases/5/cachetool.phar/vendor/adoy/fastcgi-client/src
/Adoy/FastCGI/Client.php on line 255
[RuntimeException]
FastCGI error: Unable to connect to FastCGI application: Permission denied
(/var/run/php/php7.1-fpm.sock)
[Exception]
Unable to connect to FastCGI application: Permission denied
```

ping @gordalina
Although setting this to `root` would definitely work, I'd argue that the right permission model would be for the `user` to be part of the `group` that owns the fpm sock file.
I was able to bypass the permission error by using the cli option of cachetool:

```php
set('cachetool_args', '--cli');
```

Setting `cachetool_args` to `--cli` is only going to clear the opcache for cli.
You'll need to change the php-fpm pool user + group to the same user which deploys the project. This might take more resources for multi-site servers, but you can manage resources per site this way and you have better permission management.
If this is not possible, you can also use the web feature via a request. Like so:

```php
set('cachetool_args', '--web --web-path={{public_path}} --web-url={{web_url}}');
```

This will create a temporary (dynamic) .php file in the public folder of your project and trigger an HTTP request to the specified web-url, which will reset the opcache. Afterwards the .php file is removed for better security.
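
The permission model discussed in the comments above (deploy user in the group that owns the FPM socket, or the pool running as the deploy user) can be checked before a deploy with a small diagnostic. This is an added example, not code from the thread, Deployer or cachetool; the function names `socket_access` and `check_fpm_socket` are hypothetical and the `www-data` ownership in the sample call is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Linux requires write permission on a
# unix socket file to connect to it. Assumption: root and the permissions of
# parent directories are ignored here.

# socket_access MODE OWNER GROUP USER "USER_GROUPS"
#   MODE is octal as printed by `stat -c %a`; USER_GROUPS as by `id -Gn USER`.
# Prints the class that grants the connect: owner, group, other, or denied.
socket_access() {
    sa_mode=$((0$1)); sa_owner=$2; sa_group=$3; sa_user=$4; sa_groups=$5
    # The kernel checks exactly one class: owner first, then group, then other.
    if [ "$sa_user" = "$sa_owner" ]; then
        sa_bit=$(( (sa_mode >> 6) & 2 )); sa_class=owner
    else
        sa_bit=$(( sa_mode & 2 )); sa_class=other
        for sa_g in $sa_groups; do
            if [ "$sa_g" = "$sa_group" ]; then
                sa_bit=$(( (sa_mode >> 3) & 2 )); sa_class=group
            fi
        done
    fi
    if [ "$sa_bit" -ne 0 ]; then echo "$sa_class"; else echo denied; fi
}

# check_fpm_socket SOCKET USER: read the live values (GNU stat, as on Debian)
# and report the result with the remediation suggested in the thread.
check_fpm_socket() {
    cf_mode=$(stat -c %a "$1") || return 2
    cf_owner=$(stat -c %U "$1"); cf_group=$(stat -c %G "$1")
    cf_groups=$(id -Gn "$2") || return 2
    cf_res=$(socket_access "$cf_mode" "$cf_owner" "$cf_group" "$2" "$cf_groups")
    echo "$2 -> $1 (mode $cf_mode, $cf_owner:$cf_group): $cf_res"
    case $cf_res in
        denied) echo "add $2 to group $cf_group, or run the pool as $2"; return 1 ;;
        other)  echo "socket is world-writable: any local user can reach FPM" ;;
    esac
}

# Constructed values mirroring the report: deploy user outside the socket's group.
socket_access 660 www-data www-data myuser "myuser sudo"
```

On the target host, `check_fpm_socket /var/run/php/php7.1-fpm.sock myuser` reads the real mode and ownership; a `group` result is the outcome the first reply argues for.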