I have a docker container with a web application. Apache cannot read in the log folder. The apache user has rwx set on the folder via facl. I set 0777 on the folder recursively, both inside and outside the container. Inside the container only root can read the files; outside, everyone can. Inside the container, ls as the apache user looks like this:
-????????? ? ? ? ? ? access_log
-????????? ? ? ? ? ? app.log
-????????? ? ? ? ? ? error_log
I ran strace, which gave nothing useful. Here is an example of open, access and lstat for completeness.
[www-data@a377ecbb9c76 www]$ strace -e open,access,lstat ls -l /var/www/logs/
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
open("/lib64/librt.so.1", O_RDONLY) = 3
open("/lib64/libcap.so.2", O_RDONLY) = 3
open("/lib64/libacl.so.1", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libattr.so.1", O_RDONLY) = 3
open("/proc/filesystems", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
open("/usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_TIME/coreutils.mo", O_RDONLY) = 3
open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 3
lstat("/var/www/logs/", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
lstat("/var/www/logs/", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
open("/var/www/logs/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
lstat("/var/www/logs/error_log", 0xf17800) = -1 EACCES (Permission denied)
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = 4
ls: cannot access /var/www/logs/error_logopen("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
: Permission denied
lstat("/var/www/logs/app.log", 0xf178c0) = -1 EACCES (Permission denied)
ls: cannot access /var/www/logs/app.log: Permission denied
lstat("/var/www/logs/access_log", 0xf17980) = -1 EACCES (Permission denied)
ls: cannot access /var/www/logs/access_log: Permission denied
total 0
open("/etc/localtime", O_RDONLY) = 3
-????????? ? ? ? ? ? access_log
-????????? ? ? ? ? ? app.log
-????????? ? ? ? ? ? error_log
+++ exited with 1 +++
I got the key to the answer to this on stackoverflow.
My docker containers are not configured to support ACLs, and having ACLs on them was causing the problem. The command setfacl -Rb logs/ run from outside the container fixed it.
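As an added illustration (not code from the question or the answer), a small Python check a practitioner could run on the host directory before bind-mounting it: it reports entries that carry the POSIX ACL extended attributes the container could not handle, and entries whose lstat() already fails with the EACCES seen in the strace. The path /var/www/logs in the usage line is taken from the question; the listxattr parameter is a hypothetical hook that exists only to make the check testable on filesystems without ACLs.

```python
# Added example, not from the question or answer above: audit a directory
# that is about to be bind-mounted into a container and flag entries that
# carry POSIX ACL xattrs or that cannot even be lstat()ed.
import errno
import os
import stat

# Linux stores POSIX ACLs as these two extended attributes.
ACL_XATTRS = ("system.posix_acl_access", "system.posix_acl_default")


def acl_xattrs(path, listxattr=None):
    """Return the ACL xattr names present on path ([] if none or unsupported).

    listxattr is a hypothetical injectable hook; by default os.listxattr is
    used when the platform provides it (Linux), so this runs as-is on a host.
    """
    listxattr = listxattr or getattr(os, "listxattr", None)
    if listxattr is None:
        return []
    try:
        names = listxattr(path, follow_symlinks=False)
    except OSError:
        return []
    return [n for n in names if n in ACL_XATTRS]


def audit_tree(root, listxattr=None):
    """Map every entry under root to its mode bits, ACL xattrs and lstat error.

    An 'error' of 'EACCES' is exactly what `ls -l` rendered as the
    '-????????? ? ? ?' lines inside the container.
    """
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError as exc:
                code = errno.errorcode.get(exc.errno, str(exc.errno))
                report[path] = {"mode": None, "acl": [], "error": code}
                continue
            report[path] = {"mode": stat.S_IMODE(st.st_mode),
                            "acl": acl_xattrs(path, listxattr), "error": None}
    return report


def needs_attention(report):
    """Paths carrying ACLs or failing lstat: candidates for `setfacl -b` or a mode fix."""
    return sorted(p for p, info in report.items() if info["acl"] or info["error"])


if __name__ == "__main__":
    for path in needs_attention(audit_tree("/var/www/logs")):
        print(path)
```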