heroku / buildpacks-php

Heroku's Cloud Native Buildpack for PHP applications.
BSD 3-Clause "New" or "Revised" License

PHP apps fail with `Permission denied: AH00091: httpd: could not open error log file` when run with a read-only user #100

Open edmorley opened 2 months ago

edmorley commented 2 months ago

The upstream CNB spec encourages operators to use separate Linux users for build vs run images: https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image

We've decided not to do this for the Heroku base images (at least for now), since we're not able to control application code, and we believe it will otherwise cause compatibility issues with a number of existing apps: https://github.com/heroku/base-images/issues/268

However, it would be ideal if our buildpacks and Getting started guide app templates at least supported the app images being run with a separate user (or with read-only layers), so that they can work with other base images or platforms that might choose to use separate users or mount the layers as read-only.

Testing all of our officially supported languages in the builder image (by adding `--user nobody` to the `docker run` invocation), I found that the PHP getting started guide app failed to boot:

```
Starting httpd...
(13)Permission denied: AH00091: httpd: could not open error log file /layers/heroku_php/webservers/var/apache2/log/error_log.
AH00015: Unable to open logs
Process exited unexpectedly: httpd, shutting down...
```

(see: https://github.com/heroku/cnb-builder-images/actions/runs/8877305233/job/24370680538#step:8:31)

To fix this, Apache would need to be configured to write logs to a file/directory under `/tmp` instead of under a `/layers` directory. (Plus something similar may also apply to nginx.)

cc @dzuelke
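
A way to check an httpd configuration for the condition described in this issue, as an added example that is not part of the issue or of the buildpack's code: it lists the `ErrorLog`, `CustomLog`, `TransferLog` and `PidFile` targets that resolve under `/layers`, resolving relative paths against `ServerRoot` as httpd does. The function names and the sample configuration (including its `ServerRoot` value) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag httpd directives whose file target resolves under a
# directory the run user may not be able to write to (default: /layers).

# unwritable_log_targets [PREFIX]  (reads an httpd config on stdin)
# Prints "DIRECTIVE RESOLVED_PATH" for each matching directive.
unwritable_log_targets() {
  awk -v prefix="${1:-/layers}" '
    { sub(/^[ \t]+/, "") }                       # drop leading indentation
    /^#/ || NF < 2 { next }                      # skip comments and bare words
    { d = tolower($1); p = $2; gsub(/"/, "", p) } # directive names are case-insensitive
    d == "serverroot" { root = p; next }
    d != "errorlog" && d != "customlog" && d != "transferlog" && d != "pidfile" { next }
    substr(p, 1, 1) == "|" { next }              # piped logger: httpd opens no file itself
    substr(p, 1, 6) == "syslog" { next }         # syslog target: no file either
    substr(p, 1, 1) != "/" { p = root "/" p }    # relative paths resolve against ServerRoot
    index(p, prefix "/") == 1 { print $1, p }
  '
}

# Constructed sample, not the buildpack's real configuration.
sample_conf() {
  cat <<'EOF'
ServerRoot "/layers/heroku_php/webservers"
# ErrorLog /layers/commented/out
ErrorLog var/apache2/log/error_log
CustomLog "|/usr/bin/rotatelogs /tmp/access_%Y%m%d 86400" combined
PidFile /tmp/httpd.pid
  TransferLog /layers/heroku_php/webservers/var/apache2/log/access_log
EOF
}

# Demo: report the targets in the sample that sit under /layers.
sample_conf | unwritable_log_targets
```

Quoted paths containing spaces are not handled; the check is a prefix test on the configured path and does not inspect file permissions.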