nginx and tomcat use chroot (jail) related configurations-PHP Tutorial-php.cn

This article focuses on configuration records, and the benefits of chroot (jail) will not be described in detail.

This article is divided into three parts: configuring basic chroot jail, configuring chroot jail for nginx, and configuring chrootjail for tomcat.

1. Configure a basic chroot jail

1.1. Create a directory as the root directory of the chroot jail.

# mkdir /home/chroot/jail

Copy after login

1.2. Use the ldd command to find out the dependent libraries of the command you want to run in the chroot jail.

# ldd /bin/bash
	linux-vdso.so.1 =>  (0x00007fff56fcc000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
	libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
	libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
	/lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)

Copy after login

1.3. Create a subfolder in the root directory of the chroot jail. Create whatever is needed for the things you want to run under the chroot. Remember the service minimization principle.

# mkdir /home/chroot/jail/bin
# mkdir /home/chroot/jail/lib64

Copy after login

1.4. Copy the binary files (need to be run under chroot) and dependent libraries to the chroot jail directory.

# cp /bin/bash /home/chroot/jail/bin
# cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \
  /home/chroot/jail/lib64

Copy after login

1.5. After completing the above operations, you can view it under chroot.

The above operations can only run bash under chroot, but other operations are not possible. Therefore, the ls command in the following example cannot be found.

# chroot /home/chroot/jail
bash-4.1# pwd
/
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
#

Copy after login

can only run some embedded shells, such as pwd, but other commands cannot, unless you also copy its binary files and related dependent libraries into the chroot jail.

1.6. If there is always an error when starting a certain service, you can use strace to check the error. It will be added at the end of the nginx configuration.

2.nginx configuration chroot jail

nginx installation method is omitted, that is, download tar.gz, unzip, configure, make, make install. . .

This configuration is for CentOS6.x 64-bit system.

2.1. Specify the chroot directory, which is the root directory mentioned in 1.1.

To unify the naming convention, the following directory structure is made:

# D=/home/nginx/jail
# mkdir -p $D

Copy after login

2.2. Create an isolation environment, a subdirectory under the jail root directory.

# mkdir -p $D/etc
# mkdir -p $D/dev
# mkdir -p $D/var
# mkdir -p $D/usr
# mkdir -p $D/usr/local/nginx
# mkdir -p $D/tmp
# chmod 1777 $D/tmp
# mkdir -p $D/var/tmp
# chmod 1777 $D/var/tmp
# mkdir -p $D/lib64

Copy after login

2.3. Create the required device in $D/dev, which should be a buffer.

Use the mknod command here to create cache files:

# /bin/mknod -m 0666 $D/dev/null c 1 3
# /bin/mknod -m 0666 $D/dev/random c 1 8
# /bin/mknod -m 0444 $D/dev/urandom c 1 9

Copy after login

2.4. Copy all nginx files to the jail.

# /bin/cp -farv /usr/local/nginx/* $D/usr/local/nginx

Copy after login

2.5. Copy the dependent libraries to the jail. (2.5 and 2.4 are equivalent to the process in 1.4)

# ldd /usr/local/nginx/sbin/nginx

Copy after login

copies whatever you need, and the service is minimized.

2.6. Copy /etc to jail.

nixCraft tutorial specifically points out these, which should be used when nginx is running.

# cp -fv /etc/{group,prelink.cache,services,adjtime,shells,gshadow,shadow,hosts.deny,localtime,nsswitch.conf,nscd.conf,prelink.conf,protocols,hosts,passwd,ld.so.cache,ld.so.conf,resolv.conf,host.conf} $D/etc

Copy after login

Add some folders:

# cp -avr /etc/{ld.so.conf.d,prelink.conf.d} $D/etc

Copy after login

2.7. Start nginx.

If there is nginx running, you must first close it:

# killall -9 nginx

Copy after login

Open nginx in chroot:

# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx

Copy after login

You can also chroot first, and then open it:

# chroot /home/nginx/jail 
bash-4.1# /usr/local/nginx/sbin/nginx -t
bash-4.1# /usr/local/nginx/sbin/nginx

Copy after login

Configure it to start automatically at boot:

# echo '/usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx' >> /etc/rc.local

Copy after login

edit chroot Configuration file of nginx:

# cd /home/nginx/jail/usr/local/nginx/conf/
# vi nginx.conf

Copy after login

After saving and closing, test and restart nginx:

# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -s reload

Copy after login

If you directly copy the chroot environment, nginx may not recognize the configuration file, execute:

# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Copy after login

and then test and restart nginx.
2.8. If there are still problems with the environment, use strace to track errors. (This method can also be used to configure tomcat or other services and will not be described in detail later)

# strace -f -o /tmp/nginx.strace chroot /nginx /usr/local/nginx/sbin/nginx -t

Copy after login

strace may need to be installed.
After executing the statement, there will be some traces. In the /tmp/nginx.strace file, there will be more detailed traces.

When I was configuring the environment, I found that a certain package was missing in the file. I added it to the chroot jail and it started normally.

3. Tomcat configure chroot jail

3.1. Create chroot jail root directory.

# mkdir /home/tomcat/jail

Copy after login

3.2. Create chroot jail directory structure.

# cd /home/tomcat/jail
# mkdir -p lib lib64 etc tmp dev usr
# chmod 755 etc dev usr
# chmod 1777 tmp

Copy after login

# cp -a /etc/hosts etc/hosts

Copy after login

3.3. Install the java environment and copy the root-installed environment to chroot.

# mkdir -p usr/java
# cp -a /usr/java/jdk1.7.0_67 usr/java

Copy after login

3.4. Find and copy the dependent libraries of java

# ldd /usr/java/jdk1.7.0_67/bin/java
	linux-vdso.so.1 =>  (0x00007fff532d1000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc36c8f2000)
	libjli.so => /usr/java/jdk1.7.0_67/bin/../lib/amd64/jli/libjli.so (0x00007fc36c6da000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fc36c4d6000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fc36c142000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc36cb17000)

Copy after login

only copies the above 4 libraries in lib64, and also needs to copy 2 libraries required by JVM:

# cp -p /lib64/libm.so.6 lib64/
# cp -p /lib64/libnsl.so.1 lib64/

Copy after login

3.5. Before running the JVM, you still need to do Some work to make chroot more like a real root environment.

Create /dev and its subkeys:

# cd /home/tomcat/jail
# mkdir -p /home/tomcat/jail/dev/pts
# /dev/MAKEDEV -d /home/tomcat/jail/dev null random urandom zero loop* log console
# cp /dev/MAKEDEV /home/tomcat/jail/dev
# cp -a /dev/shm /home/tomcat/jail/dev/

Copy after login

3.6. Mount /proc.

# mkdir -p /home/tomcat/jail/proc
# mount -t proc proc /home/tomcat/jail/proc

Copy after login

After this step is mounted, you can use java under chroot. You can enter chroot and test with the following command:

bash-4.1# /usr/java/jdk1.7.0_67/bin/java -version

Copy after login

. . The premise is that you have already made a copy of bash and sh in chroot. Or after all this 3.
Copy the three files under etc. Try not to copy them if they are not needed, again. . Services are minimized. .

cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /home/tomcat/jail/etc/

Copy after login

There are also three dependent libraries with named support that need to be copied

cp -p /lib64/libresolv.so.2 lib64/
cp -p /lib64/libnss_dns.so.2 lib64/
cp -p /lib64/libnss_files.so.2 lib64/

Copy after login

Then chroot /bin/bash and /bin/sh, refer to 1.x. Among them, sh is a soft connection of bash in centos.

After this step, java can work in chroot. If something goes wrong, use strace to troubleshoot.

After the java running environment is set up, start configuring tomcat.

3.8.tomcat installation configuration.

Tomcat generally does not need to be installed. It is considered green. Download the decompression package and decompress it in the chroot jail directory.

I compressed it directly in the jail root directory.

Try to run, and you will see the following results:

bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start                      
/apache-tomcat-7.0.57/bin/catalina.sh: line 102: uname: command not found
/apache-tomcat-7.0.57/bin/catalina.sh: line 122: dirname: command not found
Cannot find //bin/setclasspath.sh
This file is needed to run this program

Copy after login

needs to copy the two binary files uname and dirname and the dependent libraries. The method is the same as bash.

# cp /bin/uname bin/
# mkdir usr/bin
# cp /usr/bin/dirname usr/bin

Copy after login

While running tomcat, I found that there is still a small problem:

bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 203: tty: command not found
Using CATALINA_BASE:   /apache-tomcat-7.0.57
Using CATALINA_HOME:   /apache-tomcat-7.0.57
Using CATALINA_TMPDIR: /apache-tomcat-7.0.57/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_67
Using CLASSPATH:       /apache-tomcat-7.0.57/bin/bootstrap.jar:/apache-tomcat-7.0.57/bin/tomcat-juli.jar
/apache-tomcat-7.0.57/bin/catalina.sh: line 368: touch: command not found
Tomcat started.

Copy after login

added a few more things:

# cp -p /lib64/librt.so.1 lib64/
# cp /usr/bin/tty usr/bin/
# cp /bin/touch bin/

Copy after login

In this way, tomcat can run normally in the chroot container.

Configure it to start automatically at boot, and add:

export JAVA_HOME=/usr/local/java/jdk1.7.0_25
export JRE_HOME=$JAVA_HOME/jre
mount -t proc proc /home/tomcat/jail/proc &>/dev/null
/usr/sbin/chroot /home/tomcat/jail /usr/tomcat/bin/catalina.sh start

Copy after login

at the end of rc.local. Pay attention to the java path. Root and chroot must be consistent.

Reference:

[1] 3.13 Configuring and Using Chroot Jails Chapter 3 Implementing Oracle Linux Security Guide for Release 6

[2] Linux nginx: Chroot (Jail) Setup By NIXCRAFT

[3] Tomcat: The Definitive Guide: The Definitive Guide By Jason Brittain, Ian F. Darwin

The above introduces the relevant configuration of nginx and tomcat using chroot (jail), including the relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.