This article focuses on configuration records, and the benefits of chroot (jail) will not be described in detail.
This article is divided into three parts: configuring basic chroot jail, configuring chroot jail for nginx, and configuring chrootjail for tomcat.
1. Configure a basic chroot jail
1.1. Create a directory as the root directory of the chroot jail.
# mkdir /home/chroot/jail
Copy after login
1.2. Use the ldd command to find out the dependent libraries of the command you want to run in the chroot jail.
# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff56fcc000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
/lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)
Copy after login
1.3. Create a subfolder in the root directory of the chroot jail. Create whatever is needed for the things you want to run under the chroot. Remember the service minimization principle.
# mkdir /home/chroot/jail/bin
# mkdir /home/chroot/jail/lib64
Copy after login
1.4. Copy the binary files (need to be run under chroot) and dependent libraries to the chroot jail directory.
# cp /bin/bash /home/chroot/jail/bin
# cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \
/home/chroot/jail/lib64Copy after login
1.5. After completing the above operations, you can view it under chroot.
The above operations can only run bash under chroot, but other operations are not possible. Therefore, the ls command in the following example cannot be found.
# chroot /home/chroot/jail
bash-4.1# pwd
/
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
#
Copy after login
can only run some embedded shells, such as pwd, but other commands cannot, unless you also copy its binary files and related dependent libraries into the chroot jail.
1.6. If there is always an error when starting a certain service, you can use strace to check the error. It will be added at the end of the nginx configuration.
2.nginx configuration chroot jail
nginx installation method is omitted, that is, download tar.gz, unzip, configure, make, make install. . .
This configuration is for CentOS6.x 64-bit system.
2.1. Specify the chroot directory, which is the root directory mentioned in 1.1.
To unify the naming convention, the following directory structure is made:
# D=/home/nginx/jail
# mkdir -p $D
Copy after login
2.2. Create an isolation environment, a subdirectory under the jail root directory.
# mkdir -p $D/etc
# mkdir -p $D/dev
# mkdir -p $D/var
# mkdir -p $D/usr
# mkdir -p $D/usr/local/nginx
# mkdir -p $D/tmp
# chmod 1777 $D/tmp
# mkdir -p $D/var/tmp
# chmod 1777 $D/var/tmp
# mkdir -p $D/lib64
Copy after login
2.3. Create the required device in $D/dev, which should be a buffer.
Use the mknod command here to create cache files:
# /bin/mknod -m 0666 $D/dev/null c 1 3
# /bin/mknod -m 0666 $D/dev/random c 1 8
# /bin/mknod -m 0444 $D/dev/urandom c 1 9
Copy after login
2.4. Copy all nginx files to the jail.
# /bin/cp -farv /usr/local/nginx/* $D/usr/local/nginx
Copy after login
2.5. Copy the dependent libraries to the jail. (2.5 and 2.4 are equivalent to the process in 1.4)
# ldd /usr/local/nginx/sbin/nginx
Copy after login
copies whatever you need, and the service is minimized.
2.6. Copy /etc to jail.
nixCraft tutorial specifically points out these, which should be used when nginx is running.
# cp -fv /etc/{group,prelink.cache,services,adjtime,shells,gshadow,shadow,hosts.deny,localtime,nsswitch.conf,nscd.conf,prelink.conf,protocols,hosts,passwd,ld.so.cache,ld.so.conf,resolv.conf,host.conf} $D/etcCopy after login
Add some folders:
# cp -avr /etc/{ld.so.conf.d,prelink.conf.d} $D/etcCopy after login
2.7. Start nginx.
If there is nginx running, you must first close it:
# killall -9 nginx
Copy after login
Open nginx in chroot:
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx
Copy after login
You can also chroot first, and then open it:
# chroot /home/nginx/jail
bash-4.1# /usr/local/nginx/sbin/nginx -t
bash-4.1# /usr/local/nginx/sbin/nginx
Copy after login
Configure it to start automatically at boot:
# echo '/usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx' >> /etc/rc.local
Copy after login
edit chroot Configuration file of nginx:
# cd /home/nginx/jail/usr/local/nginx/conf/
# vi nginx.conf
Copy after login
After saving and closing, test and restart nginx:
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -s reload
Copy after login
If you directly copy the chroot environment, nginx may not recognize the configuration file, execute:
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
Copy after login
and then test and restart nginx.
2.8. If there are still problems with the environment, use strace to track errors. (This method can also be used to configure tomcat or other services and will not be described in detail later)
# strace -f -o /tmp/nginx.strace chroot /nginx /usr/local/nginx/sbin/nginx -t
Copy after login
strace may need to be installed.
After executing the statement, there will be some traces. In the /tmp/nginx.strace file, there will be more detailed traces.
When I was configuring the environment, I found that a certain package was missing in the file. I added it to the chroot jail and it started normally.
3. Tomcat configure chroot jail
3.1. Create chroot jail root directory.
# mkdir /home/tomcat/jail
Copy after login
3.2. Create chroot jail directory structure.
# cd /home/tomcat/jail
# mkdir -p lib lib64 etc tmp dev usr
# chmod 755 etc dev usr
# chmod 1777 tmp
Copy after login
# cp -a /etc/hosts etc/hosts
Copy after login
3.3. Install the java environment and copy the root-installed environment to chroot.
# mkdir -p usr/java
# cp -a /usr/java/jdk1.7.0_67 usr/java
Copy after login
3.4. Find and copy the dependent libraries of java
# ldd /usr/java/jdk1.7.0_67/bin/java
linux-vdso.so.1 => (0x00007fff532d1000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc36c8f2000)
libjli.so => /usr/java/jdk1.7.0_67/bin/../lib/amd64/jli/libjli.so (0x00007fc36c6da000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc36c4d6000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc36c142000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc36cb17000)
Copy after login
only copies the above 4 libraries in lib64, and also needs to copy 2 libraries required by JVM:
# cp -p /lib64/libm.so.6 lib64/
# cp -p /lib64/libnsl.so.1 lib64/
Copy after login
3.5. Before running the JVM, you still need to do Some work to make chroot more like a real root environment.
Create /dev and its subkeys:
# cd /home/tomcat/jail
# mkdir -p /home/tomcat/jail/dev/pts
# /dev/MAKEDEV -d /home/tomcat/jail/dev null random urandom zero loop* log console
# cp /dev/MAKEDEV /home/tomcat/jail/dev
# cp -a /dev/shm /home/tomcat/jail/dev/
Copy after login
3.6. Mount /proc.
# mkdir -p /home/tomcat/jail/proc
# mount -t proc proc /home/tomcat/jail/proc
Copy after login
After this step is mounted, you can use java under chroot. You can enter chroot and test with the following command:
bash-4.1# /usr/java/jdk1.7.0_67/bin/java -version
Copy after login
. . The premise is that you have already made a copy of bash and sh in chroot. Or after all this 3.
Copy the three files under etc. Try not to copy them if they are not needed, again. . Services are minimized. .
cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /home/tomcat/jail/etc/ Copy after login
There are also three dependent libraries with named support that need to be copied
cp -p /lib64/libresolv.so.2 lib64/
cp -p /lib64/libnss_dns.so.2 lib64/
cp -p /lib64/libnss_files.so.2 lib64/
Copy after login
Then chroot /bin/bash and /bin/sh, refer to 1.x. Among them, sh is a soft connection of bash in centos.
After this step, java can work in chroot. If something goes wrong, use strace to troubleshoot.
After the java running environment is set up, start configuring tomcat.
3.8.tomcat installation configuration.
Tomcat generally does not need to be installed. It is considered green. Download the decompression package and decompress it in the chroot jail directory.
I compressed it directly in the jail root directory.
Try to run, and you will see the following results:
bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 102: uname: command not found
/apache-tomcat-7.0.57/bin/catalina.sh: line 122: dirname: command not found
Cannot find //bin/setclasspath.sh
This file is needed to run this program
Copy after login
needs to copy the two binary files uname and dirname and the dependent libraries. The method is the same as bash.
# cp /bin/uname bin/
# mkdir usr/bin
# cp /usr/bin/dirname usr/bin
Copy after login
While running tomcat, I found that there is still a small problem:
bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 203: tty: command not found
Using CATALINA_BASE: /apache-tomcat-7.0.57
Using CATALINA_HOME: /apache-tomcat-7.0.57
Using CATALINA_TMPDIR: /apache-tomcat-7.0.57/temp
Using JRE_HOME: /usr/java/jdk1.7.0_67
Using CLASSPATH: /apache-tomcat-7.0.57/bin/bootstrap.jar:/apache-tomcat-7.0.57/bin/tomcat-juli.jar
/apache-tomcat-7.0.57/bin/catalina.sh: line 368: touch: command not found
Tomcat started.
Copy after login
added a few more things:
# cp -p /lib64/librt.so.1 lib64/
# cp /usr/bin/tty usr/bin/
# cp /bin/touch bin/
Copy after login
In this way, tomcat can run normally in the chroot container.
Configure it to start automatically at boot, and add:
export JAVA_HOME=/usr/local/java/jdk1.7.0_25
export JRE_HOME=$JAVA_HOME/jre
mount -t proc proc /home/tomcat/jail/proc &>/dev/null
/usr/sbin/chroot /home/tomcat/jail /usr/tomcat/bin/catalina.sh start
Copy after login
at the end of rc.local. Pay attention to the java path. Root and chroot must be consistent.
Reference:
[1] 3.13 Configuring and Using Chroot Jails Chapter 3 Implementing Oracle Linux Security Guide for Release 6
[2] Linux nginx: Chroot (Jail) Setup By NIXCRAFT
[3] Tomcat: The Definitive Guide: The Definitive Guide By Jason Brittain, Ian F. Darwin
The above introduces the relevant configuration of nginx and tomcat using chroot (jail), including the relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
