DaemonForums  

  #1   (View Single Post)  
Old 7th November 2014
montie montie is offline
Real Name: Vivek Vinod
Port Guard
 
Join Date: Nov 2014
Location: Mumbai
Posts: 30
Default php nginx mysql

I have just installed OpenBSD 5.6, php-5.4.30, mysql-server-5.1.73xxxx, php-fpm, xcache

on a virtual server with 1GHz, 1GB RAM, 10GB Space

Environment
--------------
1) php-fpm is chrooted to /var/www (sidenote: why do I keep pressing tabs while typing paths on a webpage?)
2) mysql-server has skip-networking enabled, so the only way for php to talk to mysql is via sockets (i.e. /var/run/mysql/mysql.sock)
3) Don't know if nginx is chrooted or not (1st time with nginx, don't care too much as php is the real security nightmare)

Problem
---------
php-fpm is chrooted to /var/www so a php mysql connect statement throws me a "Can't connect to local MySQL server......" as it can't see the mysql socket

Workaround
--------------
1) So I make a hardlink "sudo ln /var/run/mysql/mysql.sock /var/www/run/mysql.sock" and point my php application (mediawiki) to the hardlink which is very much inside the jail --> WORKS!!!
2) Good things in life don't come easy. Works perfectly, until I restart mysql. I figure mysql is deleting the socket (on the orig path) every time it shuts down and recreates it every time it starts. Don't hardlinks persist in such a case? Symlinks won't work either as the link will be out of the jail path.

What am I doing wrong here? Any help is appreciated.

PS: I'd love to follow being paranoid every time and run mysql without networking option and php in a chroot
PPS: Haven't slept for 48 straight hours as I have been fixing such small other issues (first time on OpenBSD in 6 years)
PPPS: Planning on chucking out all Linux implementations if a few test implementations of OpenBSD work out for me (I'll still take help from Linux users though)
  #2   (View Single Post)  
Old 7th November 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,131
Default

I haven't done it myself yet, but you should be able to change the MySQL socket in the my.cnf file:
Code:
# The following options will be passed to all MySQL clients
[client]
#password       = your_password
port            = 3306
socket          = /var/run/mysql/mysql.sock

# Here follows entries for some specific programs

# The MySQL server
[mysqld]
port            = 3306
socket          = /var/run/mysql/mysql.sock
So if you do something like # mkdir -p /var/www/var/run/mysql and adjust the permissions, the socket should be found.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #3   (View Single Post)  
Old 7th November 2014
montie montie is offline

Thank you @J65nko

I did consider configuring my.cnf to put the socket file in /var/www/run. Since the mysql user doesn't have permission, it wouldn't create a socket inside (or anywhere), and on restarting, mysql would silently die.

I am no expert by any yardstick and wasn't too sure if granting write permission to +o on the php jail root was the way to go.
  #4   (View Single Post)  
Old 7th November 2014
J65nko J65nko is offline

I don't have MySQL networking disabled, but solely bound to the loopback interface:
Code:
#skip-networking
bind-address = 127.0.0.1
This results in:
Code:
# netstat -an -f inet | grep 3306
tcp          0      0  127.0.0.1.3306         *.*                    LISTEN
I don't know whether that is a viable alternative.
  #5   (View Single Post)  
Old 8th November 2014
J65nko J65nko is offline

From a Feb 2013 mail on the OpenBSD misc mailing list that can be found at http://marc.info/?l=openbsd-misc&m=136040911329990&w=2 :
Code:
> I dont know if this is any help to you,
> but I managed to get my php/mysql running by following 
> the guide at: 
> http://www.h-i-r.net/2009/10/oamp-openbsd-46-chroot-apache-mysql-php.html
> it worked for 5.2 as well.
>
> From that information I also made a small startup script:
> "
> sudo rm /var/www/var/run/mysql/mysql.sock
> sudo ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock 

this only works if /var/www/var/run/mysql and /var/run/mysql are on the
same filesystem; it would often be preferable to use a separate filesystem
for /var/www to avoid risk of running out of space for other important
files in /var (particularly /var/log and /var/db).

a cleaner method is given in the pkg-readme for drupal:

--snip--
In order to run with standard OpenBSD chroot'ed httpd:

- make sure you can connect to your database.

Create a directory for the mysql socket.

	mkdir -p /var/www/var/run/mysql

Adjust ${SYSCONFDIR}/my.cnf to put the mysql socket into the chroot.

	[client]
	socket = /var/www/var/run/mysql/mysql.sock

	[mysqld]
	socket = /var/www/var/run/mysql/mysql.sock
--snip--
Reply With Quote
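
A check for the dedicated socket directory that the quoted pkg-readme suggests, set against the o+w shortcut questioned in post #3. This is an added example, not code from the thread or from the drupal pkg-readme; the function name, the 0711 mode and the use of the current uid in place of the MySQL user are assumptions.

```python
import os
import stat
import tempfile


def audit_socket_dir(chroot, rel_dir, owner_uid):
    """Return findings for chroot/rel_dir; an empty list means it passes."""
    findings = []
    path = chroot
    parts = [p for p in rel_dir.split("/") if p]
    for i in range(len(parts) + 1):
        if i:
            path = os.path.join(path, parts[i - 1])
        st = os.lstat(path)              # lstat: a symlink is not accepted
        if not stat.S_ISDIR(st.st_mode):
            return findings + [f"{path}: not a real directory"]
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable (o+w)")
    # Only the leaf has to be writable, and only by the database user.
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, not {owner_uid}")
    if not st.st_mode & stat.S_IWUSR:
        findings.append(f"{path}: owner cannot create the socket here")
    return findings


def demo():
    old_umask = os.umask(0o022)
    try:
        # Constructed tree: the temporary directory stands in for /var/www.
        with tempfile.TemporaryDirectory() as chroot:
            leaf = os.path.join(chroot, "var", "run", "mysql")
            os.makedirs(leaf)
            os.chmod(leaf, 0o711)        # owner writes, others only traverse
            uid = os.getuid()            # stands in for the MySQL user's uid
            dedicated = audit_socket_dir(chroot, "var/run/mysql", uid)
            os.chmod(chroot, 0o777)      # the o+w shortcut from post #3
            shortcut = audit_socket_dir(chroot, "var/run/mysql", uid)
            os.chmod(chroot, 0o700)
            return dedicated, shortcut
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```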
  #6   (View Single Post)  
Old 10th November 2014
montie montie is offline

Thank you @j65nko. This has to be one of the most helpful forums ever. A very few times that I have gone on the web (sites, forums, chats, etc.) for advice and have actually encountered people who do know so much.

I settled for 127.0.0.1 on mysql because I wasn't too sure whether changing write permissions for +o on /var/www subtree was more dangerous or not. And I thought "This is OpenBSD, not Linux... and they know what they're doing". So I let it be.

The very nice rule of this forum of not being updated by email, ensures that we visit often. Accidentally entered FreeBSD. I did encounter a lot more activity on the FreeBSD forum. Now that I have for the first time joined a forum (since 1997), that's about to change
  #7   (View Single Post)  
Old 28th November 2014
montie montie is offline

There's a way around hard linking the socket file as described by the author in http://www.h-i-r.net/2009/05/sysadmi...nbsds.html?m=1

Summary -
1 - in rc.local first remove the old hardlink to the socket
2 - start mysqld
3 - create the hardlink again

Hardlink will not persist on sockets as the inode changes every time the socket is recreated. Haven't tried this out though as I have removed mysql from my system forever

Last edited by montie; 28th November 2014 at 04:27 AM. Reason: typo
Reply With Quote
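
The stale hard link from posts #1 and #7, reproduced in a temporary directory. This is an added example, not code from the thread or from the linked h-i-r.net guide; the temporary paths stand in for /var/run/mysql/mysql.sock and /var/www/run/mysql.sock, and the "restart" is a plain close, unlink and bind.

```python
import os
import socket
import tempfile

def listen(path):
    """Bind a listening Unix socket; bind() creates a new inode at path."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)
    return srv

def reachable(path):
    """True if a client connecting through path finds a listener."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        try:
            client.connect(path)
            return True
        except OSError:  # e.g. ECONNREFUSED: nothing listens on that inode
            return False

def state(real, link):
    """(link shares the live socket's inode?, link usable by a client?)"""
    return (os.stat(real).st_ino == os.stat(link).st_ino, reachable(link))

def demo():
    with tempfile.TemporaryDirectory(prefix="sk") as base:
        # Constructed stand-ins for the real socket and the in-chroot link.
        real = os.path.join(base, "mysql.sock")
        os.mkdir(os.path.join(base, "jail"))
        link = os.path.join(base, "jail", "mysql.sock")
        srv = listen(real)
        os.link(real, link)
        before = state(real, link)
        # Simulated mysqld restart: socket removed, then created again.
        srv.close()
        os.unlink(real)
        srv = listen(real)
        after = state(real, link)   # link still names the old, dead inode
        # The rc.local sequence from post #7: drop the link, link again.
        os.unlink(link)
        os.link(real, link)
        relinked = state(real, link)
        srv.close()
        return before, after, relinked

if __name__ == "__main__":
    print(demo())
```

The old inode cannot be reused while the hard link still holds it, so the recreated socket always gets a different inode number and the link has to be made again after every start.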

Tags
chroot, mysql, nginx, php

