From e99b8cb2d1b8277ad1d465c2a1add75c795f2d5c Mon Sep 17 00:00:00 2001 From: jknapp Date: Wed, 10 Jun 2026 06:42:31 -0700 Subject: [PATCH] fix(cac-lsphp): entrypoint operates on the /mnt/users docroot, not /home/$user Code-review integration fixes: - entrypoint-lsphp.sh: the shared-ols tier mounts the docroot at /mnt/users// (NOT /home/$user). Discover the mount via glob (one site per sidecar; wildcard-safe), create public_html + logs/php-fpm under it (so OLS docRoot exists), point lsphp error_log there, and chown just those dirs. Verified: sidecar creates public_html under the mount, runs as the per-site user, OLS serves PHP (SAPI=litespeed) end-to-end. - shared-ols vhconf.tpl: per-vhost logs -> /usr/local/lsws/logs/.* (the shared-ols container has no /home/). Co-Authored-By: Claude Opus 4.8 (1M context) --- configs/shared-ols/vhconf.tpl | 6 ++++-- scripts/entrypoint-lsphp.sh | 35 +++++++++++++++++++++++++++++------ 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/configs/shared-ols/vhconf.tpl b/configs/shared-ols/vhconf.tpl index 8add16c..86a2d78 100644 --- a/configs/shared-ols/vhconf.tpl +++ b/configs/shared-ols/vhconf.tpl @@ -59,12 +59,14 @@ context / { ## cache block here. OLS stores each vhost's cache in its own subdir under the ## module storagePath automatically (per-vhost isolation, spec 5.2). -errorlog ~~LOG_DIR~~/error_log { +## Per-vhost logs in the shared-ols container's OWN writable log dir (NOT +## /home/, which doesn't exist here, and NOT the read-only /mnt/users mount). +errorlog /usr/local/lsws/logs/~~VHNAME~~.error_log { logLevel WARN rollingSize 50M keepDays 7 } -accesslog ~~LOG_DIR~~/access_log { +accesslog /usr/local/lsws/logs/~~VHNAME~~.access_log { rollingSize 50M keepDays 7 } diff --git a/scripts/entrypoint-lsphp.sh b/scripts/entrypoint-lsphp.sh index f9e7168..934d20c 100644 --- a/scripts/entrypoint-lsphp.sh +++ b/scripts/entrypoint-lsphp.sh 
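Review bot: The new `errorlog` and `accesslog` lines build a filesystem path from `~~VHNAME~~`, and nothing in this hunk shows that the token is limited to hostname characters. If the renderer does not already reject `/` and `..` in the vhost name, the server would write a tenant's log wherever that name points, so the constraint should be stated next to the path, for example `## ~~VHNAME~~ must match [A-Za-z0-9.-]+ (enforced by the renderer); it is used as a file name here`. All tenants' access logs now also sit in one directory on the shared-ols container's own filesystem. Unless `/usr/local/lsws/logs` is a persistent volume (not visible here), they are lost when the container is recreated, which removes the main evidence source for investigating a compromised site.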
@@ -40,11 +40,30 @@ if [ ! -x "$LSPHP_BIN" ]; then exit 1 fi -## ---- user + directories (mirror entrypoint-litespeed.sh paths) ---- +## ---- user ---- if ! id -u "$user" >/dev/null 2>&1; then useradd -u "$uid" -m -s /bin/bash "$user" fi -mkdir -p "/home/$user/public_html" "/home/$user/logs/php-fpm" + +## ---- locate the customer docroot ---- +## Unlike cac-fpm/cac-litespeed (docroot at /home/$user), the shared-ols tier +## mounts each site at /mnt/users// — the SAME absolute path the +## shared-ols vhost uses as docRoot, because OLS hands lsphp exactly that path as +## SCRIPT_FILENAME (feedback_ols_lsapi_no_script_filename_remap). The panel +## mounts exactly ONE site dir here, so glob it (wildcard-safe: the on-disk dir +## is wildcard. for wildcard sites, which the glob picks up verbatim). +SITE_DIR="" +for d in /mnt/users/"$user"/*/; do + [ -d "$d" ] || continue + SITE_DIR="${d%/}" + break +done +if [ -z "$SITE_DIR" ]; then + ## No bind mount yet (e.g. hand-run for testing) — fall back to a sane path so + ## lsphp still starts; OLS will send the real docRoot at request time. + SITE_DIR="/mnt/users/$user/site" +fi +mkdir -p "$SITE_DIR/public_html" "$SITE_DIR/logs/php-fpm" ## ---- detached-lsphp pool sizing ---- # shellcheck source=/dev/null @@ -71,7 +90,7 @@ if [ -n "$SCAN_DIR" ]; then mkdir -p "$SCAN_DIR" cat > "$SCAN_DIR/99-user-error-log.ini" </dev/null || true ## ---- exec lsphp -b as the customer user (PID 1) ---- ## Bind port is unprivileged (9000), so no root port-bind step is needed — start
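Review bot: The `mkdir -p "$SITE_DIR/public_html" "$SITE_DIR/logs/php-fpm"` at the end of this hunk appears to run as root (the script calls `useradd` just above) inside a bind-mounted tree that the site user can write to, and `mkdir -p` resolves symlinks in the path. If `public_html` or `logs` has been replaced by a symlink, the directories are created at the link target, and the commit message says a chown of those dirs follows (that line is outside this hunk), so ownership could change on a path outside the docroot. I would reject symlinks before creating anything, as in the block below, or run the creation as the site user so the kernel enforces the boundary. The `for d in /mnt/users/"$user"/*/` loop also takes the first match silently; since exactly one directory is expected, a warning on stderr when more than one matches, and when the fallback path is used, would make a bad mount visible.

```shell
# ... unchanged: SITE_DIR discovery loop and fallback ...
# This runs as root inside a tree the site user controls, so never create
# or chown through a symlink.
for p in "$SITE_DIR/public_html" "$SITE_DIR/logs" "$SITE_DIR/logs/php-fpm"; do
  if [ -L "$p" ]; then
    echo "entrypoint-lsphp: $p is a symlink; refusing to create or chown through it" >&2
    exit 1
  fi
done
mkdir -p "$SITE_DIR/public_html" "$SITE_DIR/logs/php-fpm"
```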