HHVM and directory permissions

[enricodeleo]

Hi everybody,
good to see we have HHVM support now! I forked and implemented this feature myself (plus SSL) in the past but I had some problem with directory permissions: I had to assign the ownership of /srv/www/site_name to the user www-data.
Now, hoping this implementation was better than mine, I cloned a new copy of this repo and tried it with HHVM but I experienced the same issue.

Actually, I had to modify something since the current version of bedrock-ansible didn't work for me out of the box with HHVM set to true (the error was 502 bad gateway). I discovered that I have to switch from unix socket to tcp socket in order to make it work. The same happened with my implementation.

Now, if I leave the vagrant user as owner, everytime I try to upload a file or install a plugin from the dashboard I'm asked for ftp credentials.

Anyone experienced the same issue? Any hint?

[louim]

@enricodeleo I just set-up a bedrock-ansible using the HHVM option, and I have the same problem as you for the uploads. The owner of the the folder is : deploy www-data but the permissions are 755instead of 775 so the webserver (nginx) can't write to the folders.
ps aux | egrep nginx give me :

ubuntu   12614  0.0  0.0   8160   916 pts/2    S+   16:39   0:00 egrep --color=auto nginx
root     15906  0.0  0.1  91256  2856 ?        Ss   Mar27   0:00 nginx: master process /usr/sbin/nginx
www-data 28052  0.0  0.3  94576  6272 ?        S    Mar30   0:02 nginx: worker process
www-data 28053  0.0  0.3  94576  6280 ?        S    Mar30   0:04 nginx: worker process

For your second problem (the bad gateway and HHVM), I didn't experience that. Did you check the logs for any info that might be useful? Did you try to restart HHVM and NGINX manually before switching to a tcp socket?

I wonder if that has hanything to do with HHVM at all. Since I'm doing a talk about Bedrock this evening, I going to experiment this afternoon with clean installs with HHVM and PHP-FPM. I'll report back. @swalkinshaw, what the permissions should be on the folders?

[enricodeleo]

@louim I tried a fresh install and both php-fpm and hhvm gave me the same issue (bad gateway). I digged a little bit in and I found that switching from the unix socket to tcp solve this problem but not that of the directory permissions.
Then I decided to switch to the deploys branch where, among other changes, php-fpm is executed as web_user (eg vagrant on development). This config gives back directory permissions to php but not to hhvm (even with the correct user set in server.ini). I found another solution I'm going to submit as PR to the deploys branch so keep in touch :)

[ghost]

Solution/workaround for directory permissions in Vagrantfile when using HHVM:

Change:

config.bindfs.bind_folder nfs_path(name), remote_site_path(name), u: 'vagrant', g: 'www-data'

to:

config.bindfs.bind_folder nfs_path(name), remote_site_path(name), u: 'vagrant', g: 'www-data', :'create-as-user' => true, :perms => "u=rwx:g=rwx:o=rx", :'create-with-perms' => "u=rwx:g=rwx:o=rx", :'chown-ignore' => true, :'chgrp-ignore' => true, :'chmod-ignore' => true

That lets group write to directories. Probably not the best solution, would love to hear opinions for something better.

[anthonysexton]

Is this a problem for anyone else or just me these days?

[swalkinshaw]

I believe it's still a problem :(

I looked into this at the time and it was more complicated than it seems unfortunately. Forgot about it since then because we don't use HHVM though.

[fa8ster]

Yeah, really struggling with it, because the workaround seems not to work :(

[fa8ster]

Any tipps on where to look to debug it and then help with the solution?
Is php7 planned soon?

[QWp6t]

Sounds like all of this could be easily resolved with ACL.

[fa8ster]

OK @QWp6t ... any suggestion how I could help? :)

[QWp6t]

You should use setfacl to mask the default permissions for the users and/or groups to whom you wish to grant access, whether that's the web_user or www-data or whomever. There is almost never a need to mess with chmod or chown. ACL is far more flexible.

I'll see if I can reproduce this issue. How do you guys run into it? Just simply enabling hhvm results in this issue?

[swalkinshaw]

@QWp6t yeah just the standard HHVM install.

[swalkinshaw]

See #431