Hi! I’m setting up a configuration with multiple webservers (all Ubuntu 20) which run behind a load balancer, and a fileserver (not behind that load balancer) for serving static files like user uploads.
I’ve mounted a directory from the fileserver to my webservers, and I’m able to read and write to that directory, but only when I use the sudo command.
I would like to be able to move uploaded files from Apache/PHP over to the mounted NFS directory so that the files will be accessible from a central location. The NFS mount will only be used to move and delete files to and from that shared directory, not to serve the actual files to the end user. This writing and deleting doesn’t work right now, since PHP (or Apache) doesn’t use sudo and hasn’t got the correct permissions.
What’s the best solution to solve this problem? Or are there better solutions to handle this?
Thanks :)
Hi,
The idea is to set up write permission on the NFS share for the owner of the Apache and PHP processes on your web servers. To be successful with such a scenario, it has to be the same user (the same uid) on every single web server in your configuration. Luckily, your environment seems to be homogeneous, so we can be optimistic :) However, you need to check some things to be 100% sure.
First, check which user is behind the Apache/PHP processes:
ps -efjH | grep -i -e apache -e php
Output
root 10892 1 10892 10892 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
www-data 10903 10892 10892 10892 php-fpm: pool www
www-data 10904 10892 10892 10892 php-fpm: pool www
root 11074 1 11074 11074 /usr/sbin/apache2 -k start
www-data 11075 11074 11074 11074 /usr/sbin/apache2 -k start
www-data 11076 11074 11074 11074 /usr/sbin/apache2 -k start
I believe it is www-data in your case, since you use an Ubuntu distro. It might be another user if you changed Apache’s default configuration. Though you can see a root user in some lines of the result, the processes which effectively do the work are their child processes, which have www-data user privileges.
The next thing you need to check is the user id of www-data. Even if a user name is the same across the hosts, the user id may differ. You can find the uid in the passwd file. Run the command below:
sudo cat /etc/passwd | grep www-data
Output
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
The uid of www-data is 33. This user belongs to its own user group www-data only. You should get the same result on each host in your configuration.
Now, you need to change the ownership of your NFS share. You will be able to do that locally on the system that hosts this share. This system has to contain the www-data user in its configuration too.
sudo chown -R www-data:www-data /var/nfs-share/
Use the -R parameter to apply the settings to all subdirectories and files. Substitute /var/nfs-share/ with your actual NFS share.
Just in case, you could propagate appropriate rights across the share:
sudo chmod -R 755 /var/nfs-share/
Now you can mount the NFS share under a subdirectory in the www root directory on the web server. The PHP app should be able to write to it now.
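The uid check described in this answer, as an added example that is not part of the original post: NFS with the default sec=sys security authorizes by numeric uid and gid, so the script compares those numbers for www-data on every host against the fileserver. The host names (fileserver, web1 to web3) and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the numeric uid:gid of the web server account across
# hosts. With sec=sys, NFS sends numeric ids, not names, so matching names
# with different uids still end in "permission denied" or the wrong owner.

# Constructed sample: "<host> <passwd entry>", as collected by running
#   getent passwd www-data
# on each machine. Host names are hypothetical.
SAMPLE='fileserver www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
web1 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
web2 www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
web3 www-data:x:998:998:www-data:/var/www:/usr/sbin/nologin'

# find_id_mismatches REFERENCE_HOST
# Reads "<host> <passwd entry>" lines on stdin and prints "host uid:gid" for
# every host whose uid:gid differs from the reference host. Returns 0 when
# all hosts agree, 1 on a mismatch, 2 when the reference host is missing.
find_id_mismatches() {
    awk -v ref="$1" '
        NF >= 2 {
            split($2, f, ":")          # passwd fields: name:x:uid:gid:...
            ids[$1] = f[3] ":" f[4]
            order[++n] = $1
        }
        END {
            if (!(ref in ids)) { exit 2 }
            for (i = 1; i <= n; i++) {
                h = order[i]
                if (ids[h] != ids[ref]) { print h, ids[h]; bad = 1 }
            }
            exit bad + 0
        }'
}

# Stand-alone run against the constructed sample.
if mismatches=$(printf '%s\n' "$SAMPLE" | find_id_mismatches fileserver); then
    echo "uid:gid consistent on all hosts"
else
    echo "uid:gid differs from fileserver on: $mismatches"
fi
```

A host reported here needs its www-data uid and gid aligned with the fileserver before the chown on the share will have the intended effect.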
Heya,
/etc/fstab on each web server is configured with the appropriate options to allow write access without sudo. For example:
fileserver:/path/to/shared/directory /mnt/nfs-mount nfs rw,sync,hard,intr 0 0
Replace fileserver:/path/to/shared/directory with your actual NFS server and path, and /mnt/nfs-mount with your local mount point.
sudo chown -R www-data:www-data /path/to/shared/directory
This assumes that the web server is running as the www-data user, which is common for Apache on Ubuntu.
In the Apache configuration (/etc/apache2/apache2.conf or a virtual host config file), you might find and modify the User and Group directives:
User www-data
Group www-data
chcon command:
sudo chcon -R -t httpd_sys_content_rw_t /path/to/shared/directory
Adjust the context type (httpd_sys_content_rw_t) based on your SELinux policy.
/var/log/apache2/error.log) for any permission-related issues.
Remember that security is crucial, so avoid overly permissive settings and only grant the necessary permissions for the webserver to perform its tasks. Regularly review and update your security measures based on best practices and any changes to your system.
Hope that this helps!