
php-fpm chrooted to virtfs

Discussion in 'cPanel Developers' started by Anoop P Alias, Mar 28, 2017.

  1. Anoop P Alias

    Not sure if this is the correct place to post this.

    I think php-fpm can be easily chrooted to /home/virtfs/user for a user with jailshell enabled. I have tested this and everything looks fine. I know you guys do it with mod_ruid2. Not sure why this is left out in php-fpm pools, as this makes a perfect alternative for CageFS.

    The only drawback I see is that the virtfs bind mounts are initialized only on shell access. So if you make the virtfs mounts auto-initialize on account creation or on a shell change to jailshell, that would solve it.

    I would be interested to hear the reason if chrooting php-fpm to virtfs was knowingly omitted, as I am integrating this in a plugin I develop for cPanel.
     
  2. cPanelKenneth

    PHP-FPM pools will automatically be bound to the virtfs mount for a user under the following conditions:

    1. /var/cpanel/feature_toggles/apachefpmjail exists
    2. The account is using either jailshell or noshell

    You should also enable the JailManager chkservd driver, which should set up the mounts automatically.
     
  3. Anoop P Alias

    OK, cool. I think this part is missing in the docs, and it would be great info for people who wish to use it.

    As a personal note, cPanel should concentrate more on the FPM SAPI and not on ruid2, as this would eventually make adopting other web servers easy. FastCGI is almost universally supported.
     
  4. cPanelMichael

    Hello @Anoop P Alias,

    I've opened a case (DOC-8605) with our Documentation Team to see if we can get this information added to our documentation. I'll update this thread with any status updates to this case as they become available.

    Thank you.

    Update: The following document is now updated to reflect this information:

    PHP-FPM User Pools - Documentation - cPanel Documentation
     
    #4 cPanelMichael, Mar 28, 2017
    Last edited: May 4, 2017
  5. Anoop P Alias

    Enabling JailManager creates the virtfs mounts OK. But I couldn't find the chroot directive in the pool file:
    ###

    [root@li993-97 ~]# ls -l /var/cpanel/feature_toggles/apachefpmjail
    -rw-r--r-- 1 root root 0 Mar 28 14:31 /var/cpanel/feature_toggles/apachefpmjail
    [root@li993-97 ~]# grep -i chroot /opt/cpanel/ea-php56/root/etc/php-fpm.d/domaintest.com.conf
    [root@li993-97 ~]#

    ####

    I am testing this on WHM 62.0 (build 17) [TRIAL]

    The first part is enough for me (as I use a separate pool file for the plugin), so you guys may check out why chroot is missing.
     
    #5 Anoop P Alias, Mar 28, 2017
    Last edited by a moderator: Mar 28, 2017
  6. sparek-3

    One thing to note: /var/cpanel/feature_toggles/apachefpmjail doesn't create a full virtfs. For example, /home/virtfs/%user%/etc/exim.conf is missing. This affects users' ability to use PHP's mail() function with this chroot. Otherwise, it seems to work great, and I think it is a huge, huge step forward in terms of caging a user's filesystem.

    I thought I had a discussion with Matt about this incomplete virtfs. But I'm not sure where I had that. There's some discussion on the feature request - Enhance FPM support - but I don't see any mention of the incomplete virtfs.

    I think the lack of some files in the virtfs has to do with /usr/local/cpanel/bin/jailmount not doing a complete mount, whereas instantiating a full jailshell (i.e. a user logging in with jailshell) does.
     
  7. sparek-3

    The creation of the file - /var/cpanel/feature_toggles/apachefpmjail - is just a flag. cPanel's PHP-FPM binary has been patched to look for this file. If it is found, the binary automatically enables the chroot. It doesn't modify any PHP-FPM configuration file.

    You have to have /var/cpanel/feature_toggles/apachefpmjail and you have to be using cPanel's PHP-FPM binaries from EA4 for this to work.

    Some of the focus I made in the feature request - Enhance FPM support - was to automatically create this virtfs mount point for all users and always have it available, THEN you can add chroot configuration to each PHP-FPM configuration file. I kind of like that way a little bit better (because it doesn't depend on a cPanel patch having to be included) but I'm not going to argue for it too much.
     
  8. Anoop P Alias

    In my test mail was working great. Note that I am using only the php-fpm binary and using my own fpm config and pool files which have chroot= set.
    Also, I don't understand why someone would patch software with a feature that it provides out of the box!
     
  9. sparek-3

    Well, it probably won't work for a new user that doesn't have a virtfs jailmounted.

    How are you ensuring that /home/virtfs/%user% is mounted?

    The chroot directive is available in PHP-FPM, but the virtfs isn't always created and mounted. That's why it was patched. Is there another way of doing this without patching? Yes. But cPanel sometimes likes to take the road with more twists, bumps, and hills.
     
  10. Anoop P Alias

    The simple solution I had used in my script, before adding the pool file and reloading php-fpm, is
    su -c "touch /home/$user" $user
    But when the JailManager driver is enabled, the above is not needed and the virtfs mounts are auto-populated.
     
  11. Anoop P Alias

    @sparek-3: I now see the discussion in the feature request. So from what I understand, /var/cpanel/feature_toggles/apachefpmjail is all I need for the copy of php-fpm I run to be chrooted too.

    Also, as a solution to having multiple php-fpm restarts, which is mentioned in that thread (it's locked there for comments): we can simply have a php-fpm master spawned for each PHP version available, with all the pools defined in each. So if we have 4 PHP versions and 500 users, there will be 2000 sockets (4 for each user) providing the different versions. So if domain1 needs another version, you just need to change the socket path in Apache and not reload php-fpm. The php-fpm pool needs to be reloaded only when a user is added to or deleted from the system. This is different from the approach cPanel takes by creating a pool for each domain, which is unnecessary.

    Here is the simple Python code I use to spawn the FPM masters: XtendWeb/init_backends.py at ndeploy4 · AnoopAlias/XtendWeb · GitHub

    Also, on another issue mentioned there: spawning separate masters for different cPanel users is also easy and scalable. systemd and related stuff — GnuSys.net SysAdmin Services

    The only issue is that there must be a watchdog daemon to kill off the master processes not currently in use.

    I am sure these are all hacks that I use for my small script, and the cPanel team may have better tests/ideas. I am just mentioning this here as I cannot collaborate on the Enhance FPM feature request anymore.
     
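As an added example (not code from the thread, from cPanel, or from XtendWeb), the Python below renders the layout Anoop describes in the last post, one php-fpm master per PHP version with one chrooted pool per user, and refuses to emit a pool unless the account meets the two conditions Kenneth lists and the user's virtfs tree is actually mounted, which is the gap sparek-3 raises for freshly created users. The jailshell/noshell paths, the socket directory and the `nobody` web server user are assumptions.

```python
import re

VIRTFS_ROOT = "/home/virtfs"                        # virtfs location named in the thread
JAIL_SHELLS = {"/usr/local/cpanel/bin/jailshell", "/usr/local/cpanel/bin/noshell"}  # assumed
SOCKET_DIR = "/var/run/php-fpm"                     # assumed socket/pid directory
USER_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")     # reject names unsafe in paths/ini

def uses_jail(passwd_line):
    """True when the /etc/passwd entry's login shell is jailshell or noshell."""
    fields = passwd_line.rstrip("\n").split(":")
    return len(fields) == 7 and fields[6] in JAIL_SHELLS

def virtfs_mounted(user, mounts_text):
    """True when /proc/mounts shows the real home bind-mounted under the virtfs root."""
    want = f"{VIRTFS_ROOT}/{user}/home/{user}"
    return any(line.split()[1:2] == [want] for line in mounts_text.splitlines())

def render_pool(user, version, passwd_line, mounts_text):
    """One chrooted pool; raises rather than chroot an unjailed account or an empty dir."""
    if not USER_RE.match(user):
        raise ValueError(f"unsafe username {user!r}")
    if not uses_jail(passwd_line):
        raise ValueError(f"{user}: shell is not jailshell/noshell")
    if not virtfs_mounted(user, mounts_text):
        raise ValueError(f"{user}: {VIRTFS_ROOT}/{user} is not mounted")
    return (f"[{user}_{version}]\n"
            f"user = {user}\ngroup = {user}\n"
            # the master opens the socket before chrooting, so this is a real path
            f"listen = {SOCKET_DIR}/{version}-{user}.sock\n"
            f"listen.owner = nobody\nlisten.group = nobody\n"  # assumed web server user
            f"chroot = {VIRTFS_ROOT}/{user}\nchdir = /home/{user}\n"
            f"pm = ondemand\npm.max_children = 5\n")

def render_version(version, accounts, mounts_text):
    """Config for one master serving every user under one PHP version; returns (text, skipped)."""
    parts, skipped = [f"[global]\npid = {SOCKET_DIR}/{version}.pid\n"], {}
    for user, pw in sorted(accounts.items()):      # accounts maps user -> passwd line
        try:
            parts.append(render_pool(user, version, pw, mounts_text))
        except ValueError as exc:
            skipped[user] = str(exc)                # one bad account must not block the rest
    return "\n".join(parts), skipped

# constructed sample input: alice is jailed and mounted, bob has a full shell
SAMPLE_PASSWD = {
    "alice": "alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell",
    "bob": "bob:x:1002:1002::/home/bob:/bin/bash",
}
SAMPLE_MOUNTS = "/dev/sda1 /home/virtfs/alice/home/alice ext4 rw 0 0\nproc /proc proc rw 0 0\n"
```

Calling `render_version("ea-php56", SAMPLE_PASSWD, SAMPLE_MOUNTS)` yields a config with only alice's pool and reports bob as skipped with the reason; a second master for another version is just another call with a different version string.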