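Running xinc on OpenBSD's Apache server
Has anyone been able to get xinc to run correctly under OpenBSD's chrooted default Apache? I'd like our development server to run fully chrooted just like our production server, so that we can make sure our code works fine when chrooted.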
I'll give this a try. The big issue I've found with xinc is that while it is a PHP application, it wants to know application installation paths (yet it still spreads stuff into other folders) and runs some PHP scripts in daemon mode (those scripts being the hardest to get running). So, for example, I told it to install to /var/www/xinc and then made a symlink of
/var/www/var/www/xinc -> /var/www/xinc
and it partially worked. I got the GUI to come up but it refused to recognize any projects that I had set up. I think the biggest problem is that part of it is running in a chroot and the other half is running outside.
If all else fails I'm going to just have to build something as we program inside chrooted environments since our production is chrooted. We've run into issues where we code outside of a chroot and then have to backtrack to find what we need to make it work inside a chroot.
Having never used xinc myself, I can only hint as to how I usually get to chrooting apps.
First step would be to gather information on everything the app needs to run; this I usually accomplish by running systrace(1) and ldd(1) to find out what is needed to run the software.
Go through the output of
and make sure that everything the app touches and needs (quite a lot of apps touch stuff they don't actually need) is available in the chroot environment. You might need to tweak configs and environment variables a bit. Also, if there is an option to have the app log to syslog, I usually do that and create a syslog socket (see the -a option of syslogd(8)) in order to decrease the places the app needs write access to.
What I just described is a generic way to make just about any program run in a chroot environment (however, if you need to import half the userland and some suid commands, you might want to just not do chroot :). For apps running under Apache (I'm sure you're aware that the OpenBSD httpd(8) is slightly different) you have the option (once the program has started; any dynamic libraries still need to be present in the jail) of using Apache to access the files, allowing the use of httpd.conf to import resources in the chroot environment without actually copying them.
Also useful (if slightly outdated) is this link, outlining some gotchas in chrooted PHP on OpenBSD.
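The ldd(1) step described in the answer above, as an added example that is not part of the original answer: a small sh helper that reads ldd output and lists the objects that are absent from the chroot. It assumes OpenBSD-style ldd output with the absolute path in the last column; the function names, the sample output and the /var/www and /usr/local/bin/php paths in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files named in ldd(1) output that are absent from a chroot.
# Assumption: OpenBSD-style ldd output, where the last column (Name) is an
# absolute path. The "/path/to/binary:" header and the column-title line
# are skipped.

# Constructed sample of ldd output (addresses and library versions are made up).
SAMPLE_LDD='/usr/local/bin/php:
    Start            End              Type  Open Ref GrpRef Name
    0000000000400000 0000000000a00000 exe   1    0   0      /usr/local/bin/php
    0000000201000000 0000000201100000 rlib  0    1   0      /usr/lib/libm.so.10.1
    0000000202000000 0000000202200000 rlib  0    1   0      /usr/lib/libc.so.96.1
    0000000203000000 0000000203000000 ld.so 0    1   0      /usr/libexec/ld.so'

# ldd_paths: read ldd output on stdin, print each object path once.
ldd_paths() {
    awk '$NF ~ /^\// && $NF !~ /:$/ { if (!seen[$NF]++) print $NF }'
}

# chroot_missing ROOT: read ldd output on stdin and print every path that
# does not exist under ROOT (for example ROOT/usr/lib/libc.so.96.1).
chroot_missing() {
    root=${1%/}   # drop a trailing slash so "$root$path" is well formed
    ldd_paths | while IFS= read -r path; do
        [ -e "$root$path" ] || printf '%s\n' "$path"
    done
}

# Usage on a real system (paths are assumptions):
#   ldd /usr/local/bin/php | chroot_missing /var/www
```

Each path it prints is a file the program loads at start-up that the jail does not yet contain.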
@dragonmantank
In Xinc's case, I hope you used PEAR to install it.
This should do it, and show you where your Xinc install put its files. So even though Xinc is "just" one big PHP script, it's still spread out into rc scripts and all those other things which are necessary to make an application run. I'm sure you don't need to add all paths listed there, but probably some in order to make it run.
Aside from Xinc itself, I think it also needs phpUnit and a bunch of other PEAR libs to run, so what I'd propose is this:
And then you need to add that path (like Henrik suggested) to the chroot environment.
Have you posted the issue on the Xinc bug tracker? Xinc itself should run fine as it runs both as a daemon and as a web app. As you alluded to, the issue may be that the daemon is not running in a chroot'ed environment whereas the web interface is, leading to either side not grabbing the files.