Phanix

Mount GCP storage for apache php access

The situation: a GCP Storage bucket without public access has to be mounted on an Ubuntu machine, and a PHP web API then reads from and writes to it.

The more usual solution would be the Google Cloud Storage API for PHP (instructions: https://googleapis.github.io/google-cloud-php/#/docs/cloud-storage/v1.24.1/storage/storageclient , GitHub: https://github.com/googleapis/google-cloud-php-storage ), but because the service had to go online with its original local-disk storage changed to GCP cloud storage, the bucket had to be mounted first for reading and writing.

Install gcsfuse first

Installation instructions can be found directly at https://github.com/GoogleCloudPlatform/gcsfuse/blob/master/docs/installing.md

mount with gcsfuse

See https://github.com/GoogleCloudPlatform/gcsfuse/blob/master/docs/mounting.md . Note, however, that with a plain mount the permissions on the path follow the account that did the mount. So if root does the mount, the www-data user that runs Apache 2.4 on Ubuntu usually cannot access the path directly. Even if www-data is given sudo rights, PHP's filesize() function cannot be used.

The documentation mentions that a credential key file (JSON format) can be used, and this article mentions it too, but because gcloud auth login had already been done on the machine, that method was not used.

mount as www-data identity

Strangely, though, in line with what is written at the bottom of the document ( here ), writing the mount in /etc/fstab kept causing problems. So I changed to writing it in crontab, but the id of www-data needs to be confirmed first.

 $ id --help
Usage: id [OPTION]... [USER]
Print user and group information for the specified USER,
or (when USER omitted) for the current user.

  -a ignore, for compatibility with other versions
  -Z, --context print only the security context of the process
  -g, --group print only the effective group ID
  -G, --groups print all group IDs
  -n, --name print a name instead of a number, for -ugG
  -r, --real print the real ID instead of the effective ID, with -ugG
  -u, --user print only the effective user ID
  -z, --zero delimit entries with NUL characters, not whitespace;
                   not permitted in default format
      --help display this help and exit
      --version output version information and exit

Without any OPTION, print some useful set of identified information.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Report id translation bugs to <http://translationproject.org/team/>
Full documentation at: <http://www.gnu.org/software/coreutils/id>
or available locally via: info '(coreutils) id invocation'
$ id -g www-data
33
$ id -u www-data
33

Then add an @reboot entry to crontab to do the mount

 $ crontab -l
@reboot gcsfuse --uid 33 --gid 33 --implicit-dirs -o allow_other --file-mode=660 --dir-mode=770 BUCKET-NAME /PATH/TO/MOUNT/
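
A check to run after the @reboot mount, as an added example that is not part of the original post: it confirms that the mount point reports the uid and gid passed to gcsfuse and that nothing under it carries permission bits for other users, which is what the 660 and 770 modes combined with allow_other are meant to give. The function name audit_mount and its exit codes are assumptions, and GNU stat (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a mounted path so that it
# is owned by the expected uid:gid and exposes no permission bits to "other".
# Assumes GNU stat; audit_mount and its exit codes are hypothetical names.
#
# Usage: audit_mount /PATH/TO/MOUNT/ 33 33
# Exit status: 0 ok, 1 wrong owner, 2 "other" bits set, 3 path unreadable
audit_mount() (
    dir=$1 want_uid=$2 want_gid=$3

    # %u:%g is the numeric owner, i.e. the values given via --uid/--gid.
    owner=$(stat -c '%u:%g' -- "$dir" 2>/dev/null) || exit 3
    if [ "$owner" != "$want_uid:$want_gid" ]; then
        echo "FAIL: $dir owned by $owner, expected $want_uid:$want_gid" >&2
        exit 1
    fi

    # Modes 660/770 leave read, write and execute unset for "other".
    # List at most five entries that do not (symlinks are skipped because
    # their own mode bits are always 777 on Linux).
    loose=$(find "$dir" ! -type l \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print 2>/dev/null |
        head -n 5)
    if [ -n "$loose" ]; then
        echo "FAIL: entries reachable by other users:" >&2
        echo "$loose" >&2
        exit 2
    fi

    echo "OK: $dir is $owner with no permissions for other users"
)
```

On a large bucket, point it at a subdirectory, since find lists every object under the path it is given.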

But in the end, the better way is simply to use the Google Cloud Storage API, so that deploying the program and the credential key file is enough, without having to make these settings.

Original link: Phanix's Blog

CC BY-NC-ND 2.0
