主页 / server / 问题 / 836091
Accepted
Ben
Asked: 2017-03-04 04:31:44 +0800 CST

crond:无法设置组:不允许操作

  • 772

今天早上我将我的 PHP 版本升级到 7.1,并且在 cron 尝试运行时看到了一个问题php /var/www/html/artisan schedule:run(一个简单的 PHP 命令)我看到了输出:

3/3/2017 10:39:00 AMcrond: can't set groups: Operation not permitted
3/3/2017 10:39:00 AMcrond: USER www-data pid 1562 cmd php /var/www/html/artisan schedule:run
3/3/2017 10:40:00 AMcrond: can't set groups: Operation not permitted
3/3/2017 10:40:00 AMcrond: USER www-data pid 1563 cmd php /var/www/html/artisan schedule:run
3/3/2017 10:41:00 AMcrond: can't set groups: Operation not permitted
3/3/2017 10:41:00 AMcrond: USER www-data pid 1564 cmd php /var/www/html/artisan schedule:run
3/3/2017 10:42:00 AMcrond: can't set groups: Operation not permitted
3/3/2017 10:42:00 AMcrond: USER www-data pid 1565 cmd php /var/www/html/artisan schedule:run
3/3/2017 10:43:00 AMcrond: can't set groups: Operation not permitted
3/3/2017 10:43:00 AMcrond: USER www-data pid 1566 cmd php /var/www/html/artisan schedule:run

正在运行的命令是 Laravel artisan 命令。它每分钟运行一次,允许在应用程序本身内完成其他计划的工作。此命令中没有任何内容可以写入任何文件或类似内容。计划的工作与数据库对话并发送一些电子邮件。应用程序日志被发送到标准输出,因为它是一个 Docker 容器。

cron使用命令在容器中运行crond -f -d 8。这是 Dockerfile:

# This container should be used for any/all CLI processes
# including cron, queues, etc.
FROM php:7.1-alpine

# Copy the application files to the container
ADD . /var/www/html

WORKDIR /var/www/html

# fix permissions in CI
RUN sed -ri 's/^www-data:x:82:82:/www-data:x:1000:1000:/' /etc/passwd \
    && sed -ri 's/^www-data:x:82:/www-data:x:1000:/' /etc/group

# Install Composer dependencies
RUN apk add --update --no-cache git zip unzip \

        # needed for spatie/laravel-backup
        mysql-client \

        # needed for gd
        libpng-dev libjpeg-turbo-dev \

    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

RUN docker-php-ext-install pdo_mysql gd \

        # needed for forking processes in laravel queues as of Laravel 5.3
        pcntl

# Ownership of the app dir for www-data
RUN chown -R www-data:www-data /var/www/html /home/www-data/

# Put php artisan schedule:run in a crontab
RUN echo "*       *       *       *       *       php /var/www/html/artisan schedule:run" > /etc/crontabs/www-data

# Make sure when users get into the container they aren't root
USER www-data

我已经排除了这php artisan schedule:run是原因,因为我可以手动运行它并且一切都很好。这意味着它在 cron 中。

cron 在幕后做了什么可能导致此错误?

php cron docker alpine

2 个回答

  1. Best Answer

    这是因为根据这两个条件之一man 2 setgroups

       EPERM  The calling process has insufficient privilege (the caller
          does not have the CAP_SETGID capability in the user namespace
          in which it resides).

   EPERM (since Linux 3.19)
          The use of setgroups() is denied in this user namespace.  See
          the description of /proc/[pid]/setgroups in
          user_namespaces(7).

    我想您没有使用用户命名空间,在这种情况下,docker 容器中不允许使用 CAP_SETGID 功能。您需要更改容器功能集来修复它。

    • 2

  2. 您正在运行 cron,只是为了让这个命令在后台运行:

    RUN echo "*       *       *       *       *       php /var/www/html/artisan schedule:run" > /etc/crontabs/www-data

    将 cron 替换为 sh 应该让您 /not/ 诉诸增加容器上限:

      artisan_schedule_run:
    image: your-app-image
    command: /dumb-init /bin/sh -c "while true; do su www-data -c \"php /var/www/html/artisan schedule:run\" & sleep 60; done"
    • 2

相关问题