What system files need to be in a jailed environment for php-fpm to function properly on ubuntu?


Question

I'm using php5-fpm on ubuntu 12.04, and have separate pools and chroot locations for each domain hosted with nginx. However, I know that some system files need to be directly in the jail, but which ones do I need?

I know that dns resolution isn't working currently, and I have read a few articles that say I need to copy some of the system core files into the directory, but they never really go into details of which ones I actually need to copy into there.

I know there is something for dns, timezone (php seems to error for any time/date related functions).

And I was just wondering about the use of chroot in general. Is it even worth using it or would it be more secure to have a separate partition for each domain, or even just having a separate vm for each domain (which would cost more resources)?

Recommended answer

I, too, was searching for an answer to this. After some research, the answer does not seem to be that simple.

Some things are quite obvious because they're used for nearly everything. These files are for resolving names, ports and the timezone.

  • /etc/hosts
  • /etc/nsswitch.conf
  • /etc/resolv.conf
  • /etc/services
  • /etc/localtime

But there are many more things you'd need depending on the extensions you have installed and how PHP is compiled. I don't know if you need them, but just in case you do, you can get a list of the libraries PHP uses by running the command ldd with your PHP binary as the argument:

ldd /usr/bin/php5

Depending on the path your extensions are in, you can use the same command to get the libraries required:

ldd /usr/lib/php5/20100525/*

Now you just have to watch out for other executables you use in your PHP-config file. In my case I found a reference to sendmail.

I haven't gotten it to work completely for me ... I still have some problems resolving names with curl. But so far it hasn't started :)

Source:

Here's a script I got from someone at IRC. I haven't tried it, but he said it works quite well ... http://pastebin.com/index/HyE87bcF
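
The steps in the answer above, collected into one script as an added example (not part of the original answer and not the pastebin script): it copies the listed /etc files and every library that ldd reports into a jail. The function names and the jail path are assumptions; it also copies glibc's NSS modules, which are loaded with dlopen() at lookup time and therefore never appear in ldd output.

```shell
#!/bin/sh
# Added example. Usage (paths are assumptions):
#   sh populate_jail.sh /srv/jail/example.com /usr/bin/php5 /usr/lib/php5/20100525/*

# Files the answer lists for name, port and timezone lookups.
JAIL_ETC_FILES="/etc/hosts /etc/nsswitch.conf /etc/resolv.conf /etc/services /etc/localtime"

# Read ldd output on stdin and print the absolute library paths it names.
# Handles "libx.so => /path (0x..)" and "/lib64/ld-linux.so (0x..)" lines and
# skips entries with no file behind them (linux-vdso, "not found").
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | sort -u
}

# Copy one file into the jail under the same path. -L dereferences symlinks
# (/etc/localtime is often one), so the jail holds real content.
jail_copy() {
    [ -e "$2" ] || { echo "skip (missing): $2" >&2; return 1; }
    mkdir -p "$1$(dirname "$2")" && cp -Lp "$2" "$1$2"
}

# Given libc's path, print the "files" and "dns" NSS modules that exist beside it.
nss_modules() {
    dir=$(dirname "$1")
    for m in libnss_files.so.2 libnss_dns.so.2; do
        [ -e "$dir/$m" ] && echo "$dir/$m"
    done
    return 0
}

# populate_jail JAIL BINARY_OR_EXTENSION...
populate_jail() {
    jail=$1; shift
    for f in $JAIL_ETC_FILES; do jail_copy "$jail" "$f" || true; done
    for obj in "$@"; do
        ldd "$obj" 2>/dev/null | ldd_paths
    done | sort -u | while read -r lib; do
        jail_copy "$jail" "$lib" || true
        case $lib in
            */libc.so.6)
                for m in $(nss_modules "$lib"); do
                    jail_copy "$jail" "$m"
                    ldd "$m" | ldd_paths | while read -r dep; do jail_copy "$jail" "$dep"; done
                done ;;
        esac
    done
}

if [ "$#" -ge 2 ]; then populate_jail "$@"; fi
```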
