19

I am trying to share my php5-fpm socket via a volume with my nginx webserver. FPM and nginx are running in different containers and I want to get them working via a shared volume where I place the socket file from FPM.

2014/04/13 10:53:35 [crit] 33#0: *1 connect() to unix:/container/fpm/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.8.2, server: docker.dev, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/container/fpm/run/php5-fpm.sock:", host: "docker.dev"

I already tried setting permissions to 777 and changing the group of php5-fpm.socket to www-data.

Dockerfile of fpm container

FROM ubuntu:13.10

RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y php5-cli php5-common
RUN apt-get install -y php5-fpm php5-cgi

ADD ./php-fpm.conf /etc/php5/fpm/php-fpm.conf
ADD ./pool.d/www.conf /etc/php5/fpm/pool.d/www.conf
ADD ./php.ini /etc/php5/fpm/php.ini

CMD ["/usr/sbin/php5-fpm"]

Dockerfile of nginx container

FROM ubuntu:13.10

RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y nginx

ADD ./test.php /var/test/test.php
ADD ./test.html /var/test/test.html
ADD ./nginx.conf /etc/nginx/nginx.conf
ADD ./site /etc/nginx/sites-enabled/test

EXPOSE 80

CMD ["/usr/sbin/nginx"]

I can access the test.html but when accessing test.php I get 502 Bad Gateway.

Is there anything else I have to take care of regarding permissions when sharing stuff via volumes?

soupdiver

3 Answers

12

It's now 2015 and I assume the kernel patch that Michael mentions has now made its way into the stable kernel. I have a working example of 2 docker containers, one with php-fpm and the other with nginx, talking to each other via a unix socket.

See: https://github.com/brad-jones/conductor/tree/master/example-project

The key to it working though was to open up the permissions on the socket.

E.g.: listen.mode = 0777 in /etc/php-fpm.d/www.conf

It didn't seem to matter what listen.owner & listen.group were set to. The socket needed to be completely unrestricted, I guess because a user in one container, even if it has the same name in another container, is still considered a different user.

Brad Jones
  • In my limited experience docker isn't able to do name lookups for users, or rather that doesn't factor into the containerization architecture. It seems that the uid of the user in the container is all that matters. If you try to test again with restricted permissions make sure the UIDs match inside and outside the container. – ThorSummoner Oct 09 '15 at 19:10
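
The numeric-id point from the answer and comment above, as an added example that is not code from any of the posts: a check that reports whether a given uid/gid set may connect() to a socket file, to run inside the nginx container before falling back to mode 0777. The function names are hypothetical, and the check covers classic mode bits only (no ACLs, SELinux or AppArmor).

```python
import os
import stat

def mode_allows(st, uid, gids, want):
    """Classic owner/group/other check on one inode; want is 4=r, 2=w, 1=x."""
    if uid == 0:
        return True  # assumption: root in the container keeps CAP_DAC_OVERRIDE
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner class is chosen by numeric uid only
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group class is chosen by numeric gid only
    else:
        bits = st.st_mode
    return (bits & 7 & want) == want

def check_socket_access(sock_path, uid, gids):
    """Return (ok, reason): may a process with these numeric ids connect()?"""
    path = os.path.abspath(sock_path)
    current, dirs = "/", ["/"]
    for part in path.strip("/").split("/")[:-1]:
        current = os.path.join(current, part)
        dirs.append(current)
    for d in dirs:  # search (x) permission is needed on every parent directory
        if not mode_allows(os.stat(d), uid, gids, 1):
            return False, f"uid {uid} cannot traverse {d}"
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path} is not a socket"
    if not mode_allows(st, uid, gids, 2):  # connect() needs write on the socket
        return False, (f"uid {uid} lacks write on socket owned by "
                       f"{st.st_uid}:{st.st_gid}, "
                       f"mode {stat.S_IMODE(st.st_mode):04o}")
    return True, "ok"

if __name__ == "__main__":
    import socket
    import tempfile
    # Constructed demo: a throwaway socket standing in for php5-fpm.sock
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    p = os.path.join(d, "php5-fpm.sock")
    s = socket.socket(socket.AF_UNIX)
    s.bind(p)
    os.chmod(p, 0o660)
    other = os.getuid() + 1000  # hypothetical nginx worker uid
    print(check_socket_access(p, other, set()))                 # no shared id
    print(check_socket_access(p, other, {os.stat(p).st_gid}))   # shared gid
```

With mode 0660, access is granted as soon as the connecting process carries the socket's numeric gid, which is the restricted setup the comment suggests testing.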
6

Different containers cannot talk to each other via UNIX domain sockets when they are in different network namespaces. There is an unofficial kernel patch that allows this, but you're on your own if you use it.

Michael Hampton
  • Er, explanation? Can you get them onto the same namespace, then? – Steven Linn May 28 '20 at 07:03
  • @StevenLinn What people usually do when they need to share a UNIX domain socket is to create a volume containing the socket and share it to both containers. In most cases, though, including the one in this question, the containers should be talking to each other via IP instead. – Michael Hampton May 28 '20 at 17:57
0

ADD ./test.php /var/test/test.php in the fpm container

PHP must be interpreted to be displayed, right?

etre