
Closed
Open
Opened Jun 26, 2014 by Justin Albstmeijer@jalbstmeijer

Add support for chrooted php-fpm

Hi,

I got chrooted php-fpm working in ISPconfig 3.0.5.3 and I was hoping you might be interested in implementing it in a future ISPconfig version.

I don't pretend these instructions below are anywhere near the way it should be implemented. It's just a dirty hacked proof of concept. But I hope it covers the info you need to implement it nicely.

What I did:

1- created a patched version of php_fpm_pool.conf.master in server/conf-custom/php_fpm_pool.conf.master. See php_fpm_pool.conf.master.patch

2- patched server/plugins-available/apache2_plugin.inc.php to get the desired chroot directory VAR to use in the php_fpm pool config. See apache2_plugin.inc.php.patch

3- added some extra needed files to jailkit. See jk_init.ini.extra

4- patched server/plugins-available/shelluser_jailkit_plugin.inc.php to change needed permissions on /etc/msmtprc. See shelluser_jailkit_plugin.inc.php.patch

5- two files are added through jailkit to make mail work in the chroot. See msmtprc (mail.rc is the default provided by mailx)

6- one php fix include file is added to fix some variables that are not set correctly by php-fpm. See phpfix

7- on the CentOS based web server I installed php54-php-fpm-5.4.16 packages from SCL, which makes it possible to run multiple php versions and even keep the original mod_php version available.

8- added the extra section of jk_init.ini in System->Server Config->the webserver->jailkit

9- added "Additional PHP Version" with these settings:

Path to the PHP-FPM init script: /etc/init.d/php54-php-fpm

Path to the php.ini directory: /opt/rh/php54/root/etc/php.d

Path to the PHP-FPM pool directory: /opt/rh/php54/root/etc/php-fpm.d

Some issues with the dirty hack above.

1- "hardlinks = 0" in the new jk_init.ini is ignored by ISPconfig as it utilizes "-k" on execution. This means that changing the permissions in shelluser_jailkit_plugin.inc.php will break the mail function on previously created chrooted sites. So ISPconfig should respect the jk_init.ini settings or placing the mail support files should take place somewhere else.

2- resolving in php within the chrooted php-fpm does not work till a chrooted shell account is created providing the necessary libraries/files. So you will need to add the chrooted shell user and restart the php-fpm process to make resolving work for now. So these files should be installed on creating the vhost without the need of a chrooted shell user in the eventual implementation.

3- The same as point 2, phpfix is only added as part of a chrooted shell user. So this file should be installed on creating the vhost without the need of a chrooted shell user in the eventual implementation.

No big issues to solve, just things that are part of this dirty hack till a better place to do these things has been found.

Gr, J

Edited Aug 16, 2020 by Thom
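
Added example, not part of the original issue or of ISPConfig's code: a shell check for point 2 above that lists resolver prerequisites missing from a jail before php-fpm is restarted. The file and library names are the usual glibc resolver set, which is an assumption because the issue does not enumerate them, and `jail_missing_resolver_files` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list resolver prerequisites missing from a chroot jail.
# The names checked are the usual glibc set (an assumption; the issue does
# not name them). Newer glibc releases fold some of these libraries into
# libc itself, so treat a "missing library" line as distribution dependent.
# Call as: jail_missing_resolver_files /path/to/jail

# Print one line per missing item; return 0 only if nothing is missing.
jail_missing_resolver_files() {
    jail=$1
    missing=0

    if [ ! -d "$jail" ]; then
        echo "not a directory: $jail" >&2
        return 2
    fi

    # Plain configuration files glibc reads when resolving names.
    for f in etc/resolv.conf etc/nsswitch.conf etc/hosts; do
        if [ ! -r "$jail/$f" ]; then
            echo "missing file: /$f"
            missing=1
        fi
    done

    # NSS modules are loaded with dlopen() at run time, so ldd on the php-fpm
    # binary does not list them. Library directories differ per distribution
    # (lib, lib64, usr/lib/...), so search the jail instead of fixing a path.
    for lib in libnss_dns.so libnss_files.so libresolv.so; do
        found=$(find "$jail" \( -type f -o -type l \) -name "$lib*" 2>/dev/null | head -n 1)
        if [ -z "$found" ]; then
            echo "missing library: $lib*"
            missing=1
        fi
    done

    return "$missing"
}
```

Because php-fpm loads these libraries when it first resolves a name, a jail that passes the check still needs the php-fpm restart the issue mentions before resolving works.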
Milestone: 3.1.14
Reference: ispconfig/ispconfig3#3220