dongpang1898 2019-07-28 20:59

Huge permission problems with Apache / PHP when hosted on Azure App Service

I have a Docker image hosted in an App Service on Azure.

Everything works fine when I run a container for that image on my local machine.

But everything breaks down as soon as I put it in Azure.

I got Permission denied everywhere, problems with Apache, which can't read the .htaccess file, random Forbidden errors on static files and so on...

So in order to find out what's going on I simplified to the point where I simply try to write a file.

The folder structure is the following:

/var (www-data:staff, 777)
|  - /www (www-data:staff, 777)
|  |  - /public
|  |  |  - index.php

In the index.php I've got:

<?php
error_reporting(E_ALL);
ini_set('display_startup_errors', 1);
ini_set('display_errors', 1);

$path = '/var/www';

var_dump(get_current_user());                        // owner of this script file
var_dump(posix_getpwuid(posix_geteuid())['name']);   // user the PHP process runs as
var_dump(is_readable($path));
var_dump(is_writable($path));
var_dump(ini_get('safe_mode'));

file_put_contents($path . '/test.log', 'test');      // the actual write attempt

The output is:

string(8) "www-data"
string(8) "www-data"
bool(true)
bool(true)
bool(false)

Warning:  file_put_contents(/var/www/test.log): failed to open stream: Permission denied in /var/www/public/index.php on line 14

If I change the file_put_contents to write in the var folder:

[...]
$path = '/var';
[...]
file_put_contents($path . '/test.log', 'test');

It works fine!

The two folders have the exact same permissions (777), owner (www-data) and group (staff).

I thought about SELinux but I don't know if it is installed.

I didn't find any option to enable/disable it in the app service configuration and the getenforce or setenforce commands are not found when logged in web ssh.

Do you have any idea?

Thanks for your help.

IMPORTANT EDIT:

After a lot of tries, I figured that the problem is specific to the /var/www folder.

If I try to write anywhere I should have access to, it works fine, but not in the /var/www folder, no matter its access rights.

But I have more!

If I rename /var/www to /var/www2 and then back to /var/www: everything works!

I can create the test file I tried to create above, the site boots normally, log files are written normally, the routing works, etc.

So it seems there is something blocking access to everything under www that is not related to the container, but probably to Azure.

And this "thing" seems to stop when the folder ceases to exist and never comes back.

Any idea of what it could be?

EDIT 2:

It doesn't have to be /var/www, I have the exact same behavior after changing the DirectoryRoot from /var/www/public to /var/app/public.

Renaming /var/app to /var/app2 and then back to /var/app also solves the issue.

I'm out of ideas.
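
The checks used in the post (mode bits, is_writable(), getenforce) can be extended with a script that inspects what they do not cover: the mount a directory sits on, kernel LSM state read without getenforce, and the result of a real write. This is an added example, not part of the original post; the function names are hypothetical, and it assumes a Linux container with /proc mounted.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the original post; function names are hypothetical.
# Mode bits and is_writable() only predict a result. These helpers look at what can
# still refuse a write to a 777 directory: its mount, LSM confinement, a real write.

# mount_for PATH [MOUNTS_FILE]: print "mountpoint fstype options" for the mount that
# covers PATH. Longest mount-point prefix wins; on a tie the later entry wins,
# because a later mount shadows an earlier one at the same mount point.
mount_for() {
    awk -v p="$1" '
        { mp = $2 }
        NF >= 4 && (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) >= best) { best = length(mp); hit = mp " " $3 " " $4 }
        }
        END { if (hit != "") print hit }
    ' "${2:-/proc/self/mounts}"
}

# has_opt OPTIONS NAME: succeed if NAME is one of the comma-separated mount options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# write_probe DIR: create and delete a scratch file; prints "ok" or "denied".
# The subshell keeps a failed redirection from terminating the calling shell.
write_probe() {
    probe="$1/.write_probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then rm -f "$probe"; echo ok; else echo denied; fi
}

# lsm_state: read SELinux mode and this process's LSM label from the kernel
# interfaces, for images without getenforce. "not-visible" only means selinuxfs is
# not mounted in this container; policy applied from the host may still be in effect.
lsm_state() {
    if [ -r /sys/fs/selinux/enforce ]; then
        echo "selinux=$(cat /sys/fs/selinux/enforce)"   # 1 enforcing, 0 permissive
    else
        echo "selinux=not-visible"
    fi
    echo "label=$({ tr -d '\000' < /proc/self/attr/current; } 2>/dev/null || echo unknown)"
}

report() {
    m=$(mount_for "$1"); opts=${m##* }
    if has_opt "$opts" ro; then ro=yes; else ro=no; fi
    echo "$1: mount=[$m] read_only=$ro write=$(write_probe "$1")"
}

if [ "$#" -gt 0 ]; then for d in "$@"; do report "$d"; done; lsm_state; fi
```

Run it as the user Apache runs as (www-data in the post), passing both the failing and the working directory, for example /var/www and /var, and compare the two report lines.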
