nginx and tomcat use chroot (jail) related configurations

This article focuses on configuration records, and the benefits of chroot (jail) will not be described in detail.

This article is divided into three parts: configuring basic chroot jail, configuring chroot jail for nginx, and configuring chrootjail for tomcat.

1. Configure a basic chroot jail

1.1. Create a directory as the root directory of the chroot jail.

# mkdir /home/chroot/jail

1.2. Use the ldd command to find out the dependent libraries of the command you want to run in the chroot jail.

# ldd /bin/bash
	linux-vdso.so.1 =>  (0x00007fff56fcc000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
	libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
	libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
	/lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)

1.3. Create a subfolder in the root directory of the chroot jail. Create whatever is needed for the things you want to run under the chroot. Remember the service minimization principle.

# mkdir /home/chroot/jail/bin
# mkdir /home/chroot/jail/lib64

1.4. Copy the binary files (need to be run under chroot) and dependent libraries to the chroot jail directory.

# cp /bin/bash /home/chroot/jail/bin
# cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \
  /home/chroot/jail/lib64

1.5. After completing the above operations, you can view it under chroot.

The above operations can only run bash under chroot, but other operations are not possible. Therefore, the ls command in the following example cannot be found.

# chroot /home/chroot/jail
bash-4.1# pwd
/
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
#

can only run some embedded shells, such as pwd, but other commands cannot, unless you also copy its binary files and related dependent libraries into the chroot jail.

1.6. If there is always an error when starting a certain service, you can use strace to check the error. It will be added at the end of the nginx configuration.

2.nginx configuration chroot jail

nginx installation method is omitted, that is, download tar.gz, unzip, configure, make, make install. . .

This configuration is for CentOS6.x 64-bit system.

2.1. Specify the chroot directory, which is the root directory mentioned in 1.1.

To unify the naming convention, the following directory structure is made:

# D=/home/nginx/jail
# mkdir -p $D

2.2. Create an isolation environment, a subdirectory under the jail root directory.

# mkdir -p $D/etc
# mkdir -p $D/dev
# mkdir -p $D/var
# mkdir -p $D/usr
# mkdir -p $D/usr/local/nginx
# mkdir -p $D/tmp
# chmod 1777 $D/tmp
# mkdir -p $D/var/tmp
# chmod 1777 $D/var/tmp
# mkdir -p $D/lib64

2.3. Create the required device in $D/dev, which should be a buffer.

Use the mknod command here to create cache files:

# /bin/mknod -m 0666 $D/dev/null c 1 3
# /bin/mknod -m 0666 $D/dev/random c 1 8
# /bin/mknod -m 0444 $D/dev/urandom c 1 9

2.4. Copy all nginx files to the jail.

# /bin/cp -farv /usr/local/nginx/* $D/usr/local/nginx

2.5. Copy the dependent libraries to the jail. (2.5 and 2.4 are equivalent to the process in 1.4)

# ldd /usr/local/nginx/sbin/nginx

copies whatever you need, and the service is minimized.

2.6. Copy /etc to jail.

nixCraft tutorial specifically points out these, which should be used when nginx is running.

# cp -fv /etc/{group,prelink.cache,services,adjtime,shells,gshadow,shadow,hosts.deny,localtime,nsswitch.conf,nscd.conf,prelink.conf,protocols,hosts,passwd,ld.so.cache,ld.so.conf,resolv.conf,host.conf} $D/etc

Add some folders:

# cp -avr /etc/{ld.so.conf.d,prelink.conf.d} $D/etc

2.7. Start nginx.

If there is nginx running, you must first close it:

# killall -9 nginx

Open nginx in chroot:

# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx

You can also chroot first, and then open it:

# chroot /home/nginx/jail 
bash-4.1# /usr/local/nginx/sbin/nginx -t
bash-4.1# /usr/local/nginx/sbin/nginx

Configure it to start automatically at boot:

# echo '/usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx' >> /etc/rc.local

edit chroot Configuration file of nginx:

# cd /home/nginx/jail/usr/local/nginx/conf/
# vi nginx.conf

After saving and closing, test and restart nginx:

# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -s reload

If you directly copy the chroot environment, nginx may not recognize the configuration file, execute:

# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

and then test and restart nginx.
2.8. If there are still problems with the environment, use strace to track errors. (This method can also be used to configure tomcat or other services and will not be described in detail later)

# strace -f -o /tmp/nginx.strace chroot /nginx /usr/local/nginx/sbin/nginx -t 

strace may need to be installed.
After executing the statement, there will be some traces. In the /tmp/nginx.strace file, there will be more detailed traces.

When I was configuring the environment, I found that a certain package was missing in the file. I added it to the chroot jail and it started normally.

3. Tomcat configure chroot jail

3.1. Create chroot jail root directory.

# mkdir /home/tomcat/jail

3.2. Create chroot jail directory structure.

# cd /home/tomcat/jail
# mkdir -p lib lib64 etc tmp dev usr
# chmod 755 etc dev usr
# chmod 1777 tmp

# cp -a /etc/hosts etc/hosts

3.3. Install the java environment and copy the root-installed environment to chroot.

# mkdir -p usr/java
# cp -a /usr/java/jdk1.7.0_67 usr/java

3.4. Find and copy the dependent libraries of java

# ldd /usr/java/jdk1.7.0_67/bin/java
	linux-vdso.so.1 =>  (0x00007fff532d1000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc36c8f2000)
	libjli.so => /usr/java/jdk1.7.0_67/bin/../lib/amd64/jli/libjli.so (0x00007fc36c6da000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fc36c4d6000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fc36c142000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc36cb17000)

only copies the above 4 libraries in lib64, and also needs to copy 2 libraries required by JVM:

# cp -p /lib64/libm.so.6 lib64/
# cp -p /lib64/libnsl.so.1 lib64/

3.5. Before running the JVM, you still need to do Some work to make chroot more like a real root environment.

Create /dev and its subkeys:

# cd /home/tomcat/jail
# mkdir -p /home/tomcat/jail/dev/pts
# /dev/MAKEDEV -d /home/tomcat/jail/dev null random urandom zero loop* log console
# cp /dev/MAKEDEV /home/tomcat/jail/dev
# cp -a /dev/shm /home/tomcat/jail/dev/

3.6. Mount /proc.

# mkdir -p /home/tomcat/jail/proc
# mount -t proc proc /home/tomcat/jail/proc

After this step is mounted, you can use java under chroot. You can enter chroot and test with the following command:

bash-4.1# /usr/java/jdk1.7.0_67/bin/java -version

. . The premise is that you have already made a copy of bash and sh in chroot. Or after all this 3.
Copy the three files under etc. Try not to copy them if they are not needed, again. . Services are minimized. .

cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /home/tomcat/jail/etc/ 

There are also three dependent libraries with named support that need to be copied

cp -p /lib64/libresolv.so.2 lib64/
cp -p /lib64/libnss_dns.so.2 lib64/
cp -p /lib64/libnss_files.so.2 lib64/

Then chroot /bin/bash and /bin/sh, refer to 1.x. Among them, sh is a soft connection of bash in centos.

After this step, java can work in chroot. If something goes wrong, use strace to troubleshoot.

After the java running environment is set up, start configuring tomcat.

3.8.tomcat installation configuration.

Tomcat generally does not need to be installed. It is considered green. Download the decompression package and decompress it in the chroot jail directory.

I compressed it directly in the jail root directory.

Try to run, and you will see the following results:

bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start                      
/apache-tomcat-7.0.57/bin/catalina.sh: line 102: uname: command not found
/apache-tomcat-7.0.57/bin/catalina.sh: line 122: dirname: command not found
Cannot find //bin/setclasspath.sh
This file is needed to run this program

needs to copy the two binary files uname and dirname and the dependent libraries. The method is the same as bash.

# cp /bin/uname bin/
# mkdir usr/bin
# cp /usr/bin/dirname usr/bin

While running tomcat, I found that there is still a small problem:

bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 203: tty: command not found
Using CATALINA_BASE:   /apache-tomcat-7.0.57
Using CATALINA_HOME:   /apache-tomcat-7.0.57
Using CATALINA_TMPDIR: /apache-tomcat-7.0.57/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_67
Using CLASSPATH:       /apache-tomcat-7.0.57/bin/bootstrap.jar:/apache-tomcat-7.0.57/bin/tomcat-juli.jar
/apache-tomcat-7.0.57/bin/catalina.sh: line 368: touch: command not found
Tomcat started.

added a few more things:

# cp -p /lib64/librt.so.1 lib64/
# cp /usr/bin/tty usr/bin/
# cp /bin/touch bin/

In this way, tomcat can run normally in the chroot container.

Configure it to start automatically at boot, and add:

export JAVA_HOME=/usr/local/java/jdk1.7.0_25
export JRE_HOME=$JAVA_HOME/jre
mount -t proc proc /home/tomcat/jail/proc &>/dev/null
/usr/sbin/chroot /home/tomcat/jail /usr/tomcat/bin/catalina.sh start

at the end of rc.local. Pay attention to the java path. Root and chroot must be consistent.

Reference:

[1] 3.13 Configuring and Using Chroot Jails Chapter 3 Implementing Oracle Linux Security Guide for Release 6

[2] Linux nginx: Chroot (Jail) Setup By NIXCRAFT

[3] Tomcat: The Definitive Guide: The Definitive Guide By Jason Brittain, Ian F. Darwin

The above introduces the relevant configuration of nginx and tomcat using chroot (jail), including the relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.