Configuring chroot (jail) for nginx and Tomcat
This article records the configuration steps; the benefits of chroot (jail) are not described in detail. One caveat applies throughout: chroot is not an escape-proof boundary for a process that keeps root privileges, so the jailed service must still run as an unprivileged user (nginx drops privileges through the user directive in its configuration; Tomcat should be started as a dedicated user rather than as root).
The article is divided into three parts: configuring a basic chroot jail, configuring a chroot jail for nginx, and configuring a chroot jail for Tomcat.
1. Configure a basic chroot jail
1.1. Create a directory as the root directory of the chroot jail.
# mkdir /home/chroot/jail
1.2. Use ldd to list the shared libraries bash depends on.
# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff56fcc000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
/lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)
(linux-vdso.so.1 is mapped by the kernel and has no file to copy.)
1.3. Create the bin and lib64 directories inside the jail.
# mkdir /home/chroot/jail/bin
# mkdir /home/chroot/jail/lib64
1.4. Copy bash and the libraries ldd listed, keeping the same paths inside the jail.
# cp /bin/bash /home/chroot/jail/bin
# cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \
    /home/chroot/jail/lib64
1.5. Test the jail. So far only bash can run inside it; anything else, such as the ls command below, is not found.
# chroot /home/chroot/jail
bash-4.1# pwd
/
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
Only shell builtins such as pwd work. Any other command fails unless its binary and the libraries it depends on are also copied into the chroot jail.
1.6. If a service refuses to start inside the jail, use strace to find which file it fails to open. An example is given at the end of the nginx section.
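Steps 1.2 through 1.5 are repeated for every binary that has to work inside a jail (ls here, the nginx binary and the Tomcat helper commands later), so the following shell functions automate them. This is an added example, not code from the original article or the guides it references: it parses ldd output, copies the binary and each listed library to the same path under the jail root, and reports any library still missing. The function names are mine; the jail path in the usage comment is the one created in 1.1.

```shell
#!/bin/sh
# Added example (not from the original article): populate a chroot jail
# with a binary and the shared libraries ldd reports for it.
# Helper names (ldd_paths, jail_copy_bin, jail_missing) are my own.

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib64/libc.so.6 (0x...)" and the bare loader
# line "/lib64/ld-linux-x86-64.so.2 (0x...)"; linux-vdso.so.1 is
# kernel-provided, has no path and is skipped.
ldd_paths() {
    awk '
        / => /     { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy BIN and its libraries into JAIL, recreating the same directory
# layout (so /bin/bash lands in $JAIL/bin/bash, libraries in $JAIL/lib64).
jail_copy_bin() {
    jail="$1"; bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Print the libraries of BIN that are still missing from JAIL, if any.
# Returns 1 when something is missing, 0 when the jail is complete.
jail_missing() {
    jail="$1"; bin="$2"; rc=0
    for lib in $(ldd "$bin" | ldd_paths); do
        [ -e "$jail$lib" ] || { echo "$lib"; rc=1; }
    done
    return $rc
}

# Usage (as root), e.g. to make ls work in the jail from section 1:
#   jail_copy_bin /home/chroot/jail /bin/bash
#   jail_copy_bin /home/chroot/jail /bin/ls
#   jail_missing  /home/chroot/jail /bin/ls && chroot /home/chroot/jail /bin/ls /
```

jail_copy_bin copies exactly what ldd sees, which is also ldd's limit: libraries a program loads later with dlopen (the JVM's own libraries and the NSS modules in section 3, for example) do not appear in its output and still have to be copied by hand.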
2. Configure a chroot jail for nginx
Installing nginx is not covered here: download the tar.gz, unpack it, then configure, make, make install.
This configuration is for CentOS6.x 64-bit system.
2.1. Specify the chroot directory, which is the root directory mentioned in 1.1.
To unify the naming convention, the following directory structure is made:
# D=/home/nginx/jail
# mkdir -p $D
2.2. Create the isolated environment: the subdirectories under the jail root.
# mkdir -p $D/etc
# mkdir -p $D/dev
# mkdir -p $D/var
# mkdir -p $D/usr
# mkdir -p $D/usr/local/nginx
# mkdir -p $D/tmp
# chmod 1777 $D/tmp
# mkdir -p $D/var/tmp
# chmod 1777 $D/var/tmp
# mkdir -p $D/lib64
2.3. Use mknod to create the device nodes nginx needs (these are character devices, identified by major and minor number, not cache files):
# /bin/mknod -m 0666 $D/dev/null c 1 3
# /bin/mknod -m 0666 $D/dev/random c 1 8
# /bin/mknod -m 0444 $D/dev/urandom c 1 9
2.4. Copy the nginx installation into the jail.
# /bin/cp -farv /usr/local/nginx/* $D/usr/local/nginx
2.5. List the libraries the nginx binary needs and copy them into $D/lib64, the same way as for bash in section 1. Copy only what ldd reports, so the jail stays minimal.
# ldd /usr/local/nginx/sbin/nginx
2.6. Copy the required files from /etc into the jail.
The nixCraft tutorial lists the following files as needed while nginx is running (passwd and group, for example, are needed so that the master process can switch to the user named by the user directive in nginx.conf):
# cp -fv /etc/{group,prelink.cache,services,adjtime,shells,gshadow,shadow,hosts.deny,localtime,nsswitch.conf,nscd.conf,prelink.conf,protocols,hosts,passwd,ld.so.cache,ld.so.conf,resolv.conf,host.conf} $D/etc
Note that this list includes shadow and gshadow. nginx does not need password hashes, so it is safer to leave those two files out of the jail, and to trim the copied passwd and group down to the entries the nginx user actually requires.
Also copy these directories:
# cp -avr /etc/{ld.so.conf.d,prelink.conf.d} $D/etc
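Before stopping the running nginx and starting the jailed one, it is worth checking the jail mechanically. The following shell script is an added example, not part of the article or of the nixCraft tutorial; the function names are mine, while the device numbers, file list and paths are those from 2.2 to 2.6. It verifies the device nodes by major and minor number, the sticky bits on the tmp directories, the /etc files, and that every library the nginx binary links against exists under the jail root.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the nginx
# jail built in 2.1-2.6 before starting nginx inside it. Function names
# are my own; paths and device numbers are the ones used in section 2.
# Requires GNU stat (present on CentOS 6).

# Check that $1 is a character device with major $2 and minor $3.
# A node created with the wrong numbers is the dangerous failure mode:
# "c 1 5" is /dev/zero, so a mistyped /dev/urandom would feed nginx and
# OpenSSL a stream of zeros instead of randomness, with no error at all.
devnode_check() {
    node="$1"; want_major="$2"; want_minor="$3"
    [ -c "$node" ] || { echo "$node: not a character device" >&2; return 1; }
    set -- $(stat -c '%t %T' "$node")      # GNU stat prints major/minor in hex
    major=$((0x$1)); minor=$((0x$2))
    if [ "$major" -ne "$want_major" ] || [ "$minor" -ne "$want_minor" ]; then
        echo "$node: is $major:$minor, expected $want_major:$want_minor" >&2
        return 1
    fi
    return 0
}

# Check the whole jail; prints every problem found and returns 1 if any.
nginx_jail_check() {
    jail="$1"; rc=0
    devnode_check "$jail/dev/null" 1 3 || rc=1
    devnode_check "$jail/dev/random" 1 8 || rc=1
    devnode_check "$jail/dev/urandom" 1 9 || rc=1
    # world-writable scratch directories need the sticky bit (1777)
    for d in tmp var/tmp; do
        [ "$(stat -c '%a' "$jail/$d" 2>/dev/null)" = "1777" ] \
            || { echo "$jail/$d: not a directory with mode 1777" >&2; rc=1; }
    done
    # the /etc files nginx reads when starting and when dropping privileges
    for f in passwd group nsswitch.conf resolv.conf hosts localtime ld.so.cache; do
        [ -e "$jail/etc/$f" ] || { echo "$jail/etc/$f: missing" >&2; rc=1; }
    done
    # password hashes have no business inside a web server's jail
    for f in shadow gshadow; do
        [ -e "$jail/etc/$f" ] && echo "warning: $jail/etc/$f is in the jail; nginx does not need it" >&2
    done
    # every library the binary links against must exist at the same path in the jail
    nginx="$jail/usr/local/nginx/sbin/nginx"
    if [ -x "$nginx" ]; then
        for lib in $(ldd "$nginx" | awk '$3 ~ /^\// {print $3} $1 ~ /^\// {print $1}'); do
            [ -e "$jail$lib" ] || { echo "$jail$lib: missing" >&2; rc=1; }
        done
    else
        echo "$nginx: missing or not executable" >&2; rc=1
    fi
    return $rc
}

# Usage (as root), with the jail root from 2.1:
#   nginx_jail_check /home/nginx/jail && chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
```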
2.7. Test and start nginx inside the jail.
If nginx is already running outside the jail, stop it first, otherwise the jailed instance cannot bind to the same port (a graceful alternative to the SIGKILL below is /usr/local/nginx/sbin/nginx -s quit):
# killall -9 nginx
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx
Alternatively, enter the chroot first and then start it (this requires bash and its libraries to be present in the jail, as in section 1):
# chroot /home/nginx/jail
bash-4.1# /usr/local/nginx/sbin/nginx -t
bash-4.1# /usr/local/nginx/sbin/nginx
2.8. Start nginx automatically at boot, and edit its configuration.
To start the jailed nginx at boot, append the chroot command to /etc/rc.local:
# echo '/usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx' >> /etc/rc.local
The configuration file the jailed nginx reads is the copy inside the jail, so edit that one:
# cd /home/nginx/jail/usr/local/nginx/conf/
# vi nginx.conf
After saving, test the configuration and reload nginx:
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -s reload
If nginx does not find its configuration file after the copy, pass the path (as seen from inside the jail) explicitly with -c:
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
and then test and reload as above.
2.9. Troubleshoot with strace.
strace may need to be installed first. Run the configuration test under strace, following child processes, and write the trace to a file (the jail path must be the one created in 2.1, /home/nginx/jail):
# strace -f -o /tmp/nginx.strace chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
Then look in /tmp/nginx.strace for calls that returned ENOENT; the failed open() just before nginx exits names the file that is missing from the jail.
When I configured this environment, the trace showed one missing file; after adding it to the chroot jail, nginx started normally.
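As an added example, not part of the original article or of the nixCraft tutorial, here is the triage step above as a pair of shell functions that can be run on /tmp/nginx.strace (or on the strace log of the Tomcat start in section 3, where the same advice applies). The function names are mine, and the log embedded in the block is a constructed sample in the format strace -f produces, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): triage an strace log
# from "strace -f -o LOG chroot JAIL CMD" for files missing in the jail.
# The function names and the sample log below are constructed.

# Print each distinct path that some syscall returned ENOENT for.
# With -f every line starts with a PID; the path is the first quoted
# string, which also covers openat(AT_FDCWD, "...") on newer kernels.
strace_missing() {
    grep -- '= -1 ENOENT' "$1" \
      | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' \
      | LC_ALL=C sort -u
}

# The dynamic loader probes several directories (tls/, x86_64/ ...) for
# every library before finding it, so an ENOENT is only a real miss when
# no later probe for the same file name succeeded (returned >= 0).
strace_missing_real() {
    log="$1"
    strace_missing "$log" | while read -r path; do
        base=$(basename "$path")
        if ! grep -q "\"[^\"]*/$base\"[^=]*= [0-9]" "$log"; then
            echo "$path"
        fi
    done
}

# Constructed sample of what such a log looks like (not real output).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
4120 execve("/usr/local/nginx/sbin/nginx", ["/usr/local/nginx/sbin/nginx", "-t"], [/* 12 vars */]) = 0
4120 open("/etc/ld.so.cache", O_RDONLY) = 3
4120 open("/lib64/tls/libpcre.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
4120 open("/lib64/libpcre.so.0", O_RDONLY) = 3
4120 open("/lib64/libcrypto.so.10", O_RDONLY) = -1 ENOENT (No such file or directory)
4120 open("/etc/localtime", O_RDONLY) = -1 ENOENT (No such file or directory)
4120 open("/usr/local/nginx/conf/nginx.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4120 exit_group(1) = ?
EOF

# Run on the sample; on a real trace pass /tmp/nginx.strace instead.
echo "all ENOENT paths:";      strace_missing "$SAMPLE_LOG"
echo "never found anywhere:";  strace_missing_real "$SAMPLE_LOG"
```

strace_missing lists every ENOENT; strace_missing_real drops the loader's normal probing (libpcre.so.0 tried under tls/ before being found in /lib64) so that only files never found remain. In the sample those are /etc/localtime, libcrypto.so.10 and the nginx configuration file, each of which would have to be copied into the jail.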
3. Configure a chroot jail for Tomcat
3.1. Create chroot jail root directory.
# mkdir /home/tomcat/jail
3.2. Create the chroot jail directory structure.
# cd /home/tomcat/jail
# mkdir -p lib lib64 etc tmp dev usr
# chmod 755 etc dev usr
# chmod 1777 tmp
# cp -a /etc/hosts etc/hosts
3.3. Copy the JDK into the jail, then the libraries the java binary needs.
# mkdir -p usr/java
# cp -a /usr/java/jdk1.7.0_67 usr/java
# ldd /usr/java/jdk1.7.0_67/bin/java
linux-vdso.so.1 => (0x00007fff532d1000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc36c8f2000)
libjli.so => /usr/java/jdk1.7.0_67/bin/../lib/amd64/jli/libjli.so (0x00007fc36c6da000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc36c4d6000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc36c142000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc36cb17000)
Only the four libraries from /lib64 need to be copied into lib64 (libjli.so already came with the JDK). Two more libraries are needed by the JVM itself; they do not show up here because the java launcher loads libjvm.so at run time with dlopen, so its dependencies are invisible to ldd:
# cp -p /lib64/libm.so.6 lib64/
# cp -p /lib64/libnsl.so.1 lib64/
3.4. Create /dev and the device nodes under it.
# cd /home/tomcat/jail
# mkdir -p /home/tomcat/jail/dev/pts
# /dev/MAKEDEV -d /home/tomcat/jail/dev null random urandom zero loop* log console
# cp /dev/MAKEDEV /home/tomcat/jail/dev
# cp -a /dev/shm /home/tomcat/jail/dev/
3.5. Mount /proc inside the jail; the JVM needs it.
# mkdir -p /home/tomcat/jail/proc
# mount -t proc proc /home/tomcat/jail/proc
Once /proc is mounted, java can run under chroot. Enter the chroot and test with:
bash-4.1# /usr/java/jdk1.7.0_67/bin/java -version
This assumes bash and sh have already been copied into the jail (as in section 1); alternatively, run the test after finishing the rest of section 3. Note that a proc mount inside the jail exposes the host's complete process list to the jailed process.
3.6. Copy the name-resolution configuration and libraries.
# cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /home/tomcat/jail/etc/
Three libraries that back name resolution (the resolver and the dns and files NSS modules, which glibc loads with dlopen and ldd therefore does not list) also need to be copied:
# cp -p /lib64/libresolv.so.2 lib64/
# cp -p /lib64/libnss_dns.so.2 lib64/
# cp -p /lib64/libnss_files.so.2 lib64/
After this step java works inside the chroot. If something still fails, use strace as described at the end of section 2.
3.7. Copy the tools catalina.sh needs.
With the Tomcat distribution copied into the jail (here at /apache-tomcat-7.0.57 under the jail root), starting it shows which commands are missing:
bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 102: uname: command not found
/apache-tomcat-7.0.57/bin/catalina.sh: line 122: dirname: command not found
Cannot find //bin/setclasspath.sh
This file is needed to run this program
The "Cannot find //bin/setclasspath.sh" error is a consequence of the missing dirname, which catalina.sh uses to locate its own directory. Copy the uname and dirname binaries and their dependent libraries into the jail, the same way as bash:
# cp /bin/uname bin/
# mkdir usr/bin
# cp /usr/bin/dirname usr/bin
Starting Tomcat then shows one more small problem:
bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 203: tty: command not found
Using CATALINA_BASE:   /apache-tomcat-7.0.57
Using CATALINA_HOME:   /apache-tomcat-7.0.57
Using CATALINA_TMPDIR: /apache-tomcat-7.0.57/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_67
Using CLASSPATH:       /apache-tomcat-7.0.57/bin/bootstrap.jar:/apache-tomcat-7.0.57/bin/tomcat-juli.jar
/apache-tomcat-7.0.57/bin/catalina.sh: line 368: touch: command not found
Tomcat started.
Add the missing tty and touch commands, plus librt.so.1, another run-time dependency of the JVM:
# cp -p /lib64/librt.so.1 lib64/
# cp /usr/bin/tty usr/bin/
# cp /bin/touch bin/
With these in place, Tomcat runs normally inside the chroot.
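The mount and chroot lines that the next step puts into rc.local can be wrapped in a script that checks the jail first and drops root before starting Tomcat. The following is an added example, not from the original article or from Tomcat: The Definitive Guide. The paths are the ones used in this section; the function names, the script location in the usage comment and the dedicated tomcat user are my assumptions, and the check for /etc/passwd in the jail assumes that file has been copied in (it is not among the steps above) so that the user resolves inside the jail.

```shell
#!/bin/sh
# Added example (not from the original article): a start script for the
# jailed Tomcat that does what the article's rc.local lines do, plus the
# checks the procedure above implies. Paths are the ones from section 3;
# the "tomcat" user and the function names are my own assumptions.
JAIL=${JAIL:-/home/tomcat/jail}
JAVA_HOME=/usr/java/jdk1.7.0_67       # must exist at this path inside the jail
CATALINA_HOME=/apache-tomcat-7.0.57   # path as seen from inside the jail
RUN_AS=tomcat:tomcat                  # assumed user; numeric uid:gid also works

# Return 0 if every path (given relative to the jail root) exists in JAIL,
# otherwise report the first missing one and return 1.
jail_has() {
    jail="$1"; shift
    for p in "$@"; do
        if [ ! -e "$jail$p" ]; then
            echo "missing in jail: $p" >&2
            return 1
        fi
    done
    return 0
}

# Mount proc inside the jail only if it is not already mounted: the JVM
# needs /proc, and a bare "mount" on every start would stack instances.
mount_jail_proc() {
    mountpoint -q "$1/proc" 2>/dev/null && return 0
    mkdir -p "$1/proc" && mount -t proc proc "$1/proc"
}

# Everything catalina.sh and the JVM tripped over in this section, checked
# up front instead of being discovered one "command not found" at a time.
# /etc/passwd is assumed to have been copied in so RUN_AS resolves in the jail.
tomcat_jail_prereqs() {
    jail_has "$1" "$JAVA_HOME/bin/java" "$CATALINA_HOME/bin/catalina.sh" \
        /bin/sh /bin/uname /bin/touch /usr/bin/dirname /usr/bin/tty \
        /lib64/libm.so.6 /lib64/libnsl.so.1 /lib64/librt.so.1 \
        /lib64/libresolv.so.2 /lib64/libnss_dns.so.2 /lib64/libnss_files.so.2 \
        /etc/hosts /etc/resolv.conf /etc/nsswitch.conf /etc/passwd \
        /dev/null /dev/urandom /dev/shm
}

start_jailed_tomcat() {
    tomcat_jail_prereqs "$JAIL" || return 1
    mount_jail_proc "$JAIL" || return 1
    # chroot keeps the environment, so catalina.sh sees JAVA_HOME/JRE_HOME.
    # --userspec drops root before exec: a root process inside a chroot can
    # break out of it, an unprivileged one cannot (it also cannot bind ports
    # below 1024, which is fine for Tomcat's default 8080).
    JAVA_HOME="$JAVA_HOME" JRE_HOME="$JAVA_HOME/jre" \
        /usr/sbin/chroot --userspec="$RUN_AS" "$JAIL" \
        "$CATALINA_HOME/bin/catalina.sh" start
}

# Save as /usr/local/sbin/tomcat-jail (assumed location) and call
# "/usr/local/sbin/tomcat-jail start" from /etc/rc.local.
case "$1" in
    start) start_jailed_tomcat ;;
esac
```

Because of --userspec, the jailed Tomcat's logs, temp and work directories must be owned by the tomcat user, and that user must exist in /etc/passwd both on the host and in the jail (or be given as a numeric uid:gid). Everything else in the jail can and should stay read-only for that user.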
3.8. Start at boot.
Append the following to the end of /etc/rc.local:
export JAVA_HOME=/usr/java/jdk1.7.0_67
export JRE_HOME=$JAVA_HOME/jre
mount -t proc proc /home/tomcat/jail/proc >/dev/null 2>&1
/usr/sbin/chroot /home/tomcat/jail /apache-tomcat-7.0.57/bin/catalina.sh start
Pay attention to the Java path: JAVA_HOME is exported on the host but evaluated by catalina.sh inside the chroot, so it must name the JDK as it appears inside the jail (here /usr/java/jdk1.7.0_67, the same path as on the host). The same applies to the Tomcat path given to chroot.
References:
[1] Oracle Linux Security Guide for Release 6, Chapter 3 "Implementing Oracle Linux Security", section 3.13 "Configuring and Using Chroot Jails"
[2] nixCraft, "Linux nginx: Chroot (Jail) Setup"
[3] Jason Brittain and Ian F. Darwin, Tomcat: The Definitive Guide
The above covers the chroot (jail) configuration for nginx and Tomcat.