Add support for chrooted php-fpm (#3220) · Issues · ISPConfig / ISPConfig 3

Add support for chrooted php-fpm

Hi,

I got chrooted php-fpm working in ISPconfig 3.0.5.3 and I was hoping you might be interested in implementing it in a future ISPconfig version.

I don't pretend these instructions below are anywhere near the way it should be implemented. It's just dirty hacked prove of concept. But I hope it covers the info you need to implement it nicely.

What did I do;

1- created a patched version of php_fpm_pool.conf.master in server/conf-custom/php_fpm_pool.conf.master. See php_fpm_pool.conf.master.patch 2- patched server/plugins-available/apache2_plugin.inc.php to get the desired chroot directory VAR to use in the php_fpm pool config. See apache2_plugin.inc.php.patch 3- added some extra needed files to jailkit. See jk_init.ini.extra 4- patched server/plugins-available/shelluser_jailkit_plugin.inc.php to change needed permissions on /etc/msmtprc. See shelluser_jailkit_plugin.inc.php.patch 5- two files are added through jailkit to make mail work in the chroot. See msmtprc (mail.rc is de default p[oviced by mailx) 6- one php fix include file is added to fix some variables that are not set correctly by php-fpm. See phpfix 7- on the Centos based web server I installed php54-php-fpm-5.4.16 packages from SCL, which makes it possible to run multiple php versions and even keep the original mod_php version available. 8- added the extra section of jk_init.ini in System->Server Config->the webserver->jailkit 9- added "Additional PHP Version" with these settings:

Path to the PHP-FPM init script: /etc/init.d/php54-php-fpm Path to the php.ini directory: /opt/rh/php54/root/etc/php.d Path to the PHP-FPM pool directory: /opt/rh/php54/root/etc/php-fpm.d

Some issues with the dirty hack above.

1- "hardlinks = 0" in the new jk_init.ini is ignored by ISPconfig as it utilizes "-k" on execution. This means that changing the permissions in shelluser_jailkit_plugin.inc.php will break the mail function on previous created chrooted sites. So ISPconfig should respect the jk_init.ini settings or placing the mail support files should take place somewhere else.

2- resolving in php within the chrooted php-fpm does not work till a chrooted shell account is created providing the necessary libraries/files. so you will need to add the chrooted shell user and restart the php-fpm process to make resolving work for now. So these files should be installed on creating the vhost without the need of a chrooted shell user in the eventual implementation.

3- The same as point 2, phpfix is only added as part of a chrooted shell user. So this file should be installed on creating the vhost without the need of a chrooted shell user in the eventual implementation.

No big issues to solve, just things that are part of this dirty hack till a better place to do these things has been found.

Gr, J

Hi,

I got chrooted php-fpm working in ISPconfig 3.0.5.3 and I was hoping you might be interested in implementing it in a future ISPconfig version.

I don't pretend these instructions below are anywhere near the way it should be implemented. It's just dirty hacked prove of concept. But I hope it covers the info you need to implement it nicely.

What did I do;

1- created a patched version of php_fpm_pool.conf.master in server/conf-custom/php_fpm_pool.conf.master. See php_fpm_pool.conf.master.patch
2- patched server/plugins-available/apache2_plugin.inc.php to get the desired chroot directory VAR to use in the php_fpm pool config. See apache2_plugin.inc.php.patch
3- added some extra needed files to jailkit. See jk_init.ini.extra
4- patched server/plugins-available/shelluser_jailkit_plugin.inc.php to change needed permissions on /etc/msmtprc. See shelluser_jailkit_plugin.inc.php.patch
5- two files are added through jailkit to make mail work in the chroot. See msmtprc (mail.rc is de default p[oviced by mailx)
6- one php fix include file is added to fix some variables that are not set correctly by php-fpm. See phpfix
7- on the Centos based web server I installed php54-php-fpm-5.4.16 packages from SCL, which makes it possible to run multiple php versions and even keep the original mod_php version available.
8- added the extra section of jk_init.ini in System->Server Config->the webserver->jailkit
9- added "Additional PHP Version" with these settings:

Path to the PHP-FPM init script: /etc/init.d/php54-php-fpm
Path to the php.ini directory: /opt/rh/php54/root/etc/php.d
Path to the PHP-FPM pool directory: /opt/rh/php54/root/etc/php-fpm.d

Some issues with the dirty hack above.

1- "hardlinks = 0" in the new jk_init.ini is ignored by ISPconfig as it utilizes "-k" on execution. This means that changing the permissions in  shelluser_jailkit_plugin.inc.php will break the mail function on previous created chrooted sites.
So ISPconfig should respect the jk_init.ini settings or placing the mail support files should take place somewhere else.

No big issues to solve, just things that are part of this dirty hack till a better place to do these things has been found.

Gr, J

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.