How to run Apache (and PHP) correctly in a container on Fedora Silverblue?

Hello Fedora Silverblue users,

I’m trying to run a container with Apache (and PHP) on Fedora Silverblue, but whichever tutorial I follow, I always end up with a 403 Forbidden error.


I tried these tutorials:
https://nelkinda.com/blog/apache-php-in-docker/
https://hub.docker.com/_/httpd
https://takac.dev/docker-how-to-solve-apache-403-forbidden-error/


The advantage of the last tutorial is that it uses docker-compose (which I replaced with podman-compose) and this command gives me a more detailed error message:

[Sat Jan 29 22:05:52.524991 2022] [core:error] [pid 12] (13)Permission denied: [client 10.89.0.2:48566] AH00035: access to /index.html denied (filesystem path '/var/www/html/index.html') because search permissions are missing on a component of the path

So there is still a permission problem I can’t get rid of. Does somebody have an idea how to solve this? Is there anybody who has successfully run Apache in a container on Fedora Silverblue? Tell me how :slight_smile: ! I really would like to set up a PHP development environment on my machine.


Scott Trakker

What container options are you using? Are you mounting the document root from the host filesystem?

My first guess is that that’s what you’re doing and it’s protected by SELinux — see Podman volumes and SELinux – Just another Linux geek

Quick answer is “tack a :z on to the end of the volume mapping” and see if that helps. :slight_smile:

Hello Matthew,

Thanks for thinking along :slight_smile: !

I tried many different things and that’s why I’m starting from scratch.


This is the command that I’m running at the moment:

podman run --rm --detach -p 8080:80 --name my-apache-php-app -v /var/home/verhoeckx/Websites:/var/www/html:Z php:7.2-apache

Despite adding the :Z (or :z) tag I’m still getting the 403 Forbidden error.

The page that you sent me is quite technical and I do not understand everything that is meant.

Not sure what to do next.

Since it’s Sunday, let’s try the big-hammer approach to narrowing down the problem — if you put selinux in non-enforcing mode, does it work? That will help us know where to go next.

Good idea!

sudo setenforce 0
getenforce
Permissive
podman run --rm --detach -p 8080:80 --name my-apache-php-app -v /var/home/verhoeckx/Websites:/var/www/html:z php:7.2-apache

The 403 error still appears :cry: .


No errors in the container Apache logs:

[#####@#### ~]$ podman exec -it ed5849169f97 /bin/bash
root@ed5849169f97:/var/www/html# cd /var/log/
root@ed5849169f97:/var/log# cd apache2/
root@ed5849169f97:/var/log/apache2# tail -f error.log 
^C
root@ed5849169f97:/var/log/apache2# tail -f access.log 
^C
root@ed5849169f97:/var/log/apache2# tail -f other_vhosts_access.log 
^C
root@ed5849169f97:/var/log/apache2# exit
exit

I ran sealert and found this:

SELinux is preventing apache2 from associate access on the filesystem 2.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that apache2 should be allowed associate access on the 2 filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'apache2' --raw | audit2allow -M my-apache2
# semodule -X 300 -i my-apache2.pp

I ran the commands ausearch -c 'apache2' --raw | audit2allow -M my-apache2 and semodule -i my-apache2.pp, and ran the container again but the error message keeps returning.

Does the same happen to you when you run the php:7.2-apache container (assuming you also run Fedora Silverblue)?
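The sealert suggestion in the post above (ausearch piped into audit2allow, then semodule) builds a policy module that permits whatever was denied, for every container_t process on the host, which papers over the problem instead of fixing the label on the bind mount. Before doing that, it is worth reading the raw AVC records and asking what label the target file carries. The script below is an added example, not code from the thread; its audit records are constructed to resemble what a home directory bind-mounted without :Z would produce, and the user_home_t/container_t labels and the "relabel-with-:Z" hint are the editor's assumptions rather than output shown on the page.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage raw AVC records before
# reaching for audit2allow. Feed it `ausearch -c apache2 --raw` output.

# Constructed sample records in `ausearch --raw` format. They are not taken
# from the poster's host; labels and inode numbers are made up.
SAMPLE_AVC='type=AVC msg=audit(1643493952.524:101): avc:  denied  { associate } for  pid=12 comm="apache2" name="index.html" dev="dm-2" ino=4711 scontext=system_u:system_r:container_t:s0:c42,c311 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1643493952.530:102): avc:  denied  { read open } for  pid=12 comm="apache2" name="index.php" dev="dm-2" ino=4712 scontext=system_u:system_r:container_t:s0:c42,c311 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1643493952.530:102): arch=c000003e syscall=257 success=no exit=-13 comm="apache2"'

# triage_avc: read AVC records on stdin, print one line per denial:
#   <comm> <tclass> { <perms> } <source type>-><target type> <hint>
# The hint is a heuristic: a container_t process denied access to anything
# that is not already container_file_t / container_ro_file_t usually means the
# bind mount was not relabelled (:Z or :z), so fix the label, not the policy.
triage_avc() {
  awk '
    /^type=AVC / && / denied / {
      comm = ""; tclass = ""; stype = ""; ttype = ""; perms = ""
      # permission set is the brace-delimited list, e.g. "{ read open }"
      s = index($0, "{ "); e = index($0, " }")
      if (s > 0 && e > s) perms = substr($0, s, e - s + 2)
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) {
        if (f[i] ~ /^comm=/)     { comm = f[i]; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        if (f[i] ~ /^tclass=/)   { tclass = substr(f[i], 8) }
        if (f[i] ~ /^scontext=/) { split(substr(f[i], 10), c, ":"); stype = c[3] }
        if (f[i] ~ /^tcontext=/) { split(substr(f[i], 10), c, ":"); ttype = c[3] }
      }
      hint = "inspect"
      if (stype == "container_t" && ttype !~ /^container_file_t$|^container_ro_file_t$/)
        hint = "relabel-with-:Z"
      print comm, tclass, perms, stype "->" ttype, hint
    }'
}

# count_relabel_hints: how many denials point at a missing :Z (0 = none).
count_relabel_hints() {
  triage_avc | grep -c 'relabel-with-:Z$'
}

# Usage on a real host (needs root for the audit log):
#   sudo ausearch -c apache2 --raw | triage_avc
# Offline demo on the constructed records:
printf '%s\n' "$SAMPLE_AVC" | triage_avc
```

Only when every denial involves labels that are already correct for containers is a custom policy module the right tool; for the thread's case the relabel is what fixed it, as the later posts confirm.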

Hi Scott,
I had done one using Postgresql for nextcloud on F33 Silverblue, which was basically this script
podman run --detach --env PGDATABASE=nextcloud --env PGUSER=<username> --env PGPASSWORD=<pgdbpasswd> --env PGROOTPASSWORD=<pgrootpwd> --volume nextcloud-db:/var/home/<host-user-name>/.local/share/containers/storage/volumes/nextcloud-db/_data --network nextcloud-net --restart on-failure --name nextcloud-db registry.fedoraproject.org/f33/postgresql
Plus, there is a really good reference about Podman, selinux and rootless containers https://www.redhat.com/sysadmin/user-namespaces-selinux-rootless-containers. I feel this is a user mapping or volume mapping for the db that is at the heart of the issue for you. I’ll look at what else I have … https://access.redhat.com/articles/1328953 this is about doing it with docker and redhat.

Hello @jakfrost,

Thanks for the articles! I will read them with the hope that I will find something that could solve my problem. I’m not using a database but that’s something I could add after I solved the 403 error.

Scott Trakker

I tried the following but it didn’t work.

podman unshare chown root:root -R Websites/
podman run --rm --detach -p 8080:80 --name my-apache-php-app -v $(pwd)/Websites:/var/www/html:Z php:7.2-apache

@mattdm and/or @jakfrost:

Does the command below work on your laptop/computer?

podman run --rm --detach -p 8080:80 --name my-apache-php-app -v $(pwd)/Websites:/var/www/html:Z php:7.2-apache

Not that it should be because we are probably running identical systems.

Yeah it will start a container as long as the directory Websites exists off of wherever the command is issued from. But I don’t have permission to access the website while I can attach to the container and if I add a /bin/bash command to the end, can get a CLI like so

podman run --rm -it --detach -p 8080:80 --name my-apache-php-app c61d277263e1 /bin/bash

Which created container …

CONTAINER ID  IMAGE                             COMMAND     CREATED         STATUS             PORTS                 NAMES
1932a9bb4039  docker.io/library/php:7.2-apache  /bin/bash   17 seconds ago  Up 17 seconds ago  0.0.0.0:8080->80/tcp  my-apache-php-app

attached to the running container like this …

podman attach 1932a9bb4039
root@1932a9bb4039:/var/www/html# ls

So now back to the original command you asked us to try, it starts a container successfully if I have a Websites directory off of wherever I am (pwd is used in your command), and I cannot access the site since I don’t have permissions is what the browser states (Firefox and LibreWolf). This is very likely because I do not have anything in /var/www/html/. This would need to be in existence in the container. See the error output of the attached to running container on my system …

[Mon Jan 31 20:06:59.365062 2022] [autoindex:error] [pid 12] [client 10.0.2.100:52080] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.php,index.html) found, and server-generated directory index forbidden by Options directive
10.0.2.100 - - [31/Jan/2022:20:06:59 +0000] "GET / HTTP/1.1" 403 493 "-" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
10.0.2.100 - - [31/Jan/2022:20:06:59 +0000] "GET /favicon.ico HTTP/1.1" 404 489 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"

If you’re trying to map ~/Websites/ on the host to /var/www/html/ on the container it would need to be something like podman run --rm --detach -p 8080:80 --name my-apache-php-app --volume /var/home/<host-user-name>/Websites:/var/www/html:Z php:7.2-apache I think.

Hello @jakfrost,

Thanks for trying it out!!

Yes, the last command is exactly what I try to do: mount the directory Websites in my home directory with the directory /var/www/html in the container.

I made some progress: I copied the file index.php to container and now I get to see the generated web page!


Copying the file

podman cp index.php 5e7cff4097ea:/var/www/html

Result on localhost:8080
Hello from inside the container!


Conclusion: Apache and PHP are running fine in the container!
Only the mounting of the directory Websites with /var/www/html goes wrong.

@mattdm and @jakfrost,

Sorry, I just found out the container works just fine!

The only problem was that there were no files in the local directory Websites :pensive: !

When I added an index.php file to the local directory I got to see the generated web page just fine!

I tried it before but somehow I forgot to place the files back.

Maybe the command podman unshare chown root:root -R Websites/ was necessary?


I found out the following:

The command podman unshare chown root:root -R Websites/ is not necessary.

The option/flag :Z is.

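Putting the thread's findings together (the :Z suggestion in mattdm's first reply, the DirectoryIndex error jakfrost captured from a container with an empty document root, and the conclusion above that :Z is required while podman unshare chown is not), here is an added preflight script. It is not part of the original posts. It assumes the index file names that the php:7.2-apache image reported in the error shown earlier (index.php, index.html); publishing the port on 127.0.0.1 only is the editor's choice for a development machine and is not what the thread's command did.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check a host directory before
# bind-mounting it as the document root of a rootless podman Apache container,
# then print the podman command with the :Z relabel.

# Index files the php:*-apache image looks for, per the
# "No matching DirectoryIndex (index.php,index.html)" error in the thread.
INDEX_FILES="index.php index.html"

# preflight_docroot DIR
#   returns 0 if DIR can be served, 1 if it does not exist, 3 if it is not
#   searchable by the current user, 2 if it holds no index file (the 403 the
#   thread ran into once the label was right).
preflight_docroot() {
  local dir=$1 f
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  [ -r "$dir" ] && [ -x "$dir" ] || { echo "not searchable: $dir" >&2; return 3; }
  for f in $INDEX_FILES; do
    [ -f "$dir/$f" ] && return 0
  done
  echo "no index file in $dir (expected one of: $INDEX_FILES)" >&2
  return 2
}

# build_run_cmd DIR [PORT] [IMAGE]
#   prints the podman command line. :Z relabels DIR recursively with a private
#   SELinux category (container_file_t), so only this container can read it.
#   The relabel is applied to the host files themselves, so point it at a
#   dedicated directory such as ~/Websites, never at $HOME.
#   Binding to 127.0.0.1 keeps the dev server off the LAN (editor's choice).
build_run_cmd() {
  local dir=$1 port=${2:-8080} image=${3:-docker.io/library/php:7.2-apache}
  printf 'podman run --rm --detach -p 127.0.0.1:%s:80 --name my-apache-php-app -v %s:/var/www/html:Z %s\n' \
    "$port" "$dir" "$image"
}

# run_container DIR [PORT] [IMAGE]
#   same arguments, but actually starts the container with proper quoting
#   (no eval of a printed string). Not exercised offline.
run_container() {
  local dir=$1 port=${2:-8080} image=${3:-docker.io/library/php:7.2-apache}
  preflight_docroot "$dir" || return $?
  podman run --rm --detach -p "127.0.0.1:${port}:80" --name my-apache-php-app \
    -v "${dir}:/var/www/html:Z" "$image"
}

# show_labels DIR
#   on an SELinux host, print the labels after the first run; expect
#   container_file_t with a category pair. Elsewhere :Z is simply ignored.
show_labels() {
  if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
    ls -dZ "$1" "$1"/* 2>/dev/null
  else
    echo "SELinux not enabled on this host; :Z is a no-op here"
  fi
}

# Usage:
#   preflight_docroot ~/Websites && build_run_cmd ~/Websites
#   run_container ~/Websites          # starts it
#   show_labels ~/Websites            # verify the relabel afterwards
```

If preflight_docroot returns 2, Apache will answer 403 exactly as in jakfrost's log, regardless of SELinux: the php image forbids server-generated directory indexes, so an empty document root is indistinguishable from a permission problem from the browser's point of view.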

That’s great you got it solved then! Does it behave as expected?

Thanks :slight_smile: !

Yes, it behaves as expected: I can now run all the PHP files inside the directory Websites!

The only thing I have to figure out is how to enable directory listing. Normally you would do this with Options Indexes but sadly that didn’t work (I copied a modified version of the file 000-default.conf to the container).
