tobybatch / kimai2

Docker containers for the kimai2 web application including docker-compose and kubernetes/helm deployment.
MIT License

[BUG] Setting memory limit permission issue #560

Closed jonasgroenke closed 6 months ago

jonasgroenke commented 7 months ago

Hey, I have an issue running the image (apache-2.3.0-prod) in Kubernetes. I'm using the officially suggested Helm chart. The container is running with uid 33 (www-data).

The sed command is failing because it can't create a temporary file. The permissions of the php.ini are correct, but the folder is owned by the root user, so it can't create the temporary file.

+ sed -i 's/memory_limit.*/memory_limit=256M/g' /usr/local/etc/php/php.ini
sed: couldn't open temporary file /usr/local/etc/php/sedEDa2zc: Permission denied
ls -al /usr/local/etc/php/
total 228
drwxr-xr-x 1 root     root      4096 Nov 10 00:26 .
drwxr-xr-x 1 root     root      4096 Jun 13 13:03 ..
drwxr-xr-x 1 root     root      4096 Nov 10 00:25 conf.d
-rw-r--r-- 1 www-data www-data 73604 Nov 10 00:26 php.ini
-rw-r--r-- 1 root     root     73457 Jun 13 13:03 php.ini-development
-rw-r--r-- 1 root     root     73603 Jun 13 13:03 php.ini-production
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

I'm not sure what the best way to solve it is.

  1. Output the result of sed to a temporary file in another folder e.g., /tmp/php.ini, and copy it back afterwards.
  2. Change the ownership / permission of the folder /usr/local/etc/php/

Kind regards
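
The first workaround proposed in the post above (send sed's output to a file outside the root-owned directory, then copy it back) as an added example; it is not code from this thread or from the kimai2 image. `set_memory_limit`, the value check and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# set_memory_limit is a hypothetical helper, not the kimai2 entrypoint.
set_memory_limit() {
    ini=$1      # path to php.ini
    limit=$2    # PHP shorthand size such as 256M, or -1

    # Allow only digits plus an optional K/M/G suffix (or -1), so the
    # value cannot change the sed expression it is interpolated into.
    if [ "$limit" != "-1" ]; then
        digits=${limit%[KMGkmg]}
        case $digits in
            ''|*[!0-9]*) echo "invalid memory_limit: $limit" >&2; return 2 ;;
        esac
    fi
    if [ ! -f "$ini" ] || [ ! -w "$ini" ]; then
        echo "cannot write $ini" >&2
        return 1
    fi

    # sed -i creates its temporary file next to php.ini and renames it
    # over the original, which needs write access to the directory.
    # Build the new content under TMPDIR instead (mktemp creates it 0600).
    tmp=$(mktemp "${TMPDIR:-/tmp}/php.ini.XXXXXX") || return 1
    rc=1
    # cat > "$ini" rewrites the existing inode, so owner and mode are kept
    # and only write permission on the file is needed. It is not atomic:
    # do it before PHP starts, as an entrypoint would.
    if sed "s/memory_limit.*/memory_limit=$limit/g" "$ini" > "$tmp" &&
        cat "$tmp" > "$ini"; then
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed demo: php.ini is writable, its directory is read-only.
demo=$(mktemp -d)
printf 'memory_limit = 128M\nmax_execution_time = 30\n' > "$demo/php.ini"
chmod 555 "$demo"
set_memory_limit "$demo/php.ini" 256M && grep memory_limit "$demo/php.ini"
chmod 755 "$demo" && rm -rf "$demo"
```

Because the file is rewritten rather than replaced, this works for uid 33 with the ownership shown in the `ls -al` listing, without changing the directory's permissions.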

tobybatch commented 7 months ago

Is this you setting the memory limit or are you using the ENV setting?

https://github.com/tobybatch/kimai2/blob/main/docs/runtime-args.md#memory-limit

jonasgroenke commented 7 months ago

> Is this you setting the memory limit or are you using the ENV setting?
>
> https://github.com/tobybatch/kimai2/blob/main/docs/runtime-args.md#memory-limit

I'm using the environment variable.

tobybatch commented 7 months ago

So using this docker-compose as a base https://github.com/tobybatch/kimai2/blob/main/compose/docker-compose.apache.prod.yml

And adding these to the environment:

      - memory_limit=125m
      - USER_ID=1000
      - GROUP_ID=1000

docker compose -f docker-compose.apache.dev.yml up -d

I get

✔  ~/usr/kimai/kimai-kimai [ docker/mem-limit L | ✔  ] $ docker exec -ti compose-kimai-1 php -i | grep memory_limit
memory_limit => 125m => 125m
memory_limit => 125m
$_SERVER['memory_limit'] => 125m
✔  ~/usr/kimai/kimai-kimai [ docker/mem-limit L | ✔  ] $

jonasgroenke commented 7 months ago

Oh, is PHP taking the memory limit directly from the environment variable? There were some errors during the cache rebuild because of the memory limit and I thought it was failing because this sed command is not working.

I'm changing the user for the whole container, so the entrypoint is also running with www-data. I think on one side it's a good security practice to not run the container with uid 0 on Kubernetes, and on the other side I got some permission errors because the Kubernetes cluster I'm working on is using NFS as storage and is not allowing uid 0.

You can reproduce it by running the container with these settings:

  kimai:
    image: kimai/kimai2:apache
    volumes:
      - kimai-var:/opt/kimai/var
    ports:
      - 8001:8001
    # Run as www-data user
    user: "33:33"
    environment:
      - memory_limit=125m
      - ADMINMAIL=admin@kimai.local
      - ADMINPASS=changemeplease
      - "DATABASE_URL=mysql://kimaiuser:kimaipassword@sqldb/kimai?charset=utf8&serverVersion=5.7"
      - TRUSTED_HOSTS=nginx,localhost,127.0.0.1
    restart: unless-stopped

The sed command is failing, but it seems to take the memory limit from the environment. Which one will be used when there are different values configured?

docker exec -ti compose-kimai-1 php -i | grep memory_limit
memory_limit => 128M => 128M
memory_limit => 125m
$_SERVER['memory_limit'] => 125m

tobybatch commented 6 months ago

The last one will be used.