Sharing unix socket via docker volume - permission denied
I am trying to share my php5-fpm socket via a volume with my nginx webserver. Fpm and nginx are running in different containers and I want to get them working via a shared volume where I place the socket file from fpm.
2014/04/13 10:53:35 [crit] 33#0: *1 connect() to unix:/container/fpm/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.8.2, server: docker.dev, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/container/fpm/run/php5-fpm.sock:", host: "docker.dev"
I already tried setting permissions to 777 and changing the group of php5-fpm.socket to www-data.
Dockerfile of fpm container
FROM ubuntu:13.10
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y php5-cli php5-common
RUN apt-get install -y php5-fpm php5-cgi
ADD ./php-fpm.conf /etc/php5/fpm/php-fpm.conf
ADD ./pool.d/www.conf /etc/php5/fpm/pool.d/www.conf
ADD ./php.ini /etc/php5/fpm/php.ini
CMD ["/usr/sbin/php5-fpm"]
Dockerfile of nginx container
FROM ubuntu:13.10
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y nginx
ADD ./test.php /var/test/test.php
ADD ./test.html /var/test/test.html
ADD ./nginx.conf /etc/nginx/nginx.conf
ADD ./site /etc/nginx/sites-enabled/test
EXPOSE 80
CMD ["/usr/sbin/nginx"]
I can access the test.html but when accessing test.php I get 502 Bad Gateway.
Is there anything else I have to take care of regarding permissions when sharing stuff via volumes?
Different containers cannot talk to each other via UNIX domain sockets when they are in different network namespaces. There is an unofficial kernel patch that allows this, but you're on your own if you use it.
It's now 2015 and I assume the kernel patch that Michael mentions has now made its way into the stable kernel. I have a working example of 2 docker containers, one with php-fpm and the other with nginx, talking to each other via a unix socket.
See: https://github.com/brad-jones/conductor/tree/master/example-project
The key to it working though was to open up the permissions on the socket.
E.g.: listen.mode = 0777 in /etc/php-fpm.d/www.conf
It didn't seem to matter what listen.owner & listen.group were set to. The socket needed to be completely unrestricted, I guess because a user in one container, even if it has the same name in another container, is still considered a different user.
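Added example (not part of the original posts or of the linked project): file permission checks on a socket compare numeric UIDs and GIDs, never names, so the sketch below resolves the pool's listen.owner / listen.group / listen.mode to numbers and evaluates whether an nginx worker in another container would get write access to the socket. The ID numbers (33, 101), the sample pool config and all helper names are constructed for illustration.

```python
import configparser
import stat

# Constructed sample data (not from the page): pool settings and ID tables.
WWW_CONF = """
[www]
listen = /container/fpm/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""
FPM_IDS = {"users": {"www-data": 33}, "groups": {"www-data": 33}}
NGINX_MISMATCH = {"uid": 101, "gids": {101}}     # worker with unrelated IDs
NGINX_ALIGNED = {"uid": 101, "gids": {101, 33}}  # worker also in numeric GID 33


def socket_perms(conf_text, ids):
    """Resolve listen.owner/group to the numbers the fpm container stamps on the socket."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    pool = cp["www"]
    return (ids["users"][pool["listen.owner"]],
            ids["groups"][pool["listen.group"]],
            int(pool["listen.mode"], 8))


def may_connect(mode, sock_uid, sock_gid, uid, gids):
    """connect() needs write permission on the socket inode. Only the first
    matching class (owner, group, other) is consulted; capabilities such as
    root's CAP_DAC_OVERRIDE are not modelled here."""
    if uid == sock_uid:
        return bool(mode & stat.S_IWUSR)
    if sock_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def can_connect(conf_text, fpm_ids, client):
    """Combine both steps: would this client's IDs pass the mode-bit check?"""
    uid, gid, mode = socket_perms(conf_text, fpm_ids)
    return may_connect(mode, uid, gid, client["uid"], client["gids"])


if __name__ == "__main__":
    for name, client in (("mismatch", NGINX_MISMATCH), ("aligned", NGINX_ALIGNED)):
        print(name, "0660 ->", can_connect(WWW_CONF, FPM_IDS, client))
    print("mismatch 0777 ->", can_connect(WWW_CONF.replace("0660", "0777"), FPM_IDS, NGINX_MISMATCH))
```

With the worker placed in a group that has the same numeric GID as the socket's group, mode 0660 is enough and the socket does not have to be world-writable.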