php nginx mysql
I have just installed OpenBSD 5.6, php-5.4.30, mysql-server-5.1.73xxxx, php-fpm, xcache on a virtual server with 1GHz, 1GB RAM, 10GB Space

Environment
--------------
1) php-fpm is chrooted to /var/www (sidenote: why do I keep pressing tabs while typing paths on a webpage?)
2) mysql-server has skip-networking enabled, so the only way for php to talk to mysql is via sockets (i.e. /var/run/mysql/mysql.sock)
3) Don't know if nginx is chrooted or not (1st time with nginx, don't care too much as php is the real security nightmare)

Problem
---------
php-fpm is chrooted to /var/www, so a php mysql connect statement throws me a "Can't connect to local MySQL server......" as it can't see the mysql socket

Workaround
--------------
1) So I make a hardlink "sudo ln /var/run/mysql/mysql.sock /var/www/run/mysql.sock" and point my php application (mediawiki) to the hardlink which is very much inside the jail --> WORKS!!!
2) Good things in life don't come easy. Works perfectly, until I restart mysql. I figure mysql is deleting the socket (on the orig path) every time it shuts down and recreates it every time it starts. Don't hardlinks persist in such a case? Symlinks won't work either as the link will be out of the jail path.

What am I doing wrong here? Any help is appreciated.

PS: I'd love to follow being paranoid every time and run mysql without networking option and php in a chroot
PPS: Haven't slept for 48 straight hours as I have been fixing such small other issues (first time on OpenBSD in 6 years)
PPPS: Planning on chucking out all linux implementations if a few test implementations of OpenBSD work out for me (I'll still take help from linux users though)
|
|||
I haven't done it myself yet, but you should be able to change the MySQL socket in the my.cnf file:
Code:
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306
socket = /var/run/mysql/mysql.sock

# Here follows entries for some specific programs

# The MySQL server
[mysqld]
port = 3306
socket = /var/run/mysql/mysql.sock

# mkdir -p /var/www/var/run/mysql
and adjust the permissions, and the socket should be found.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
|||
Thank you @J65nko
I did consider configuring my.cnf to put the socket file in /var/www/run. Since mysql user doesn't have permission, it wouldn't create a socket inside (or anywhere) and on restarting mysql would silently die. I am no expert by any yardstick and wasn't too sure if granting write permission to +o on the php jail root was the way to go.
|
|||
I don't have MySQL networking disabled, but solely bound to the loopback interface:
Code:
#skip-networking
bind-address = 127.0.0.1
|
|||
From a Feb 2013 mail on the OpenBSD misc mailing list that can be found at http://marc.info/?l=openbsd-misc&m=136040911329990&w=2 :
Code:
> I don't know if this is any help to you,
> but I managed to get my php/mysql running by following
> the guide at:
> http://www.h-i-r.net/2009/10/oamp-openbsd-46-chroot-apache-mysql-php.html
> it worked for 5.2 as well.
>
> From that information I also made a small startup script:
> "
> sudo rm /var/www/var/run/mysql/mysql.sock
> sudo ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock

this only works if /var/www/var/run/mysql and /var/run/mysql are on the
same filesystem; it would often be preferable to use a separate filesystem
for /var/www to avoid risk of running out of space for other important
files in /var (particularly /var/log and /var/db).

a cleaner method is given in the pkg-readme for drupal:

--snip--
In order to run with standard OpenBSD chroot'ed httpd:
- make sure you can connect to your database.
  Create a directory for the mysql socket.
    mkdir -p /var/www/var/run/mysql
  Adjust ${SYSCONFDIR}/my.cnf to put the mysql socket into the chroot.
    [client]
    socket = /var/www/var/run/mysql/mysql.sock
    [mysqld]
    socket = /var/www/var/run/mysql/mysql.sock
--snip--
|
|||
Thank you @j65nko. This has to be one of the most helpful forums ever. A very few times that I have gone on the web (sites, forums, chats, etc.) for advice and have actually encountered people who do know so much.
I settled for 127.0.0.1 on mysql because I wasn't too sure whether changing write permissions for +o on /var/www subtree was more dangerous or not. And I thought "This is OpenBSD, not Linux... and they know what they're doing". So I let it be.

The very nice rule of this forum of not being updated by email, ensures that we visit often. Accidentally entered FreeBSD. I did encounter a lot more activity on the FreeBSD forum. Now that I have for the first time joined a forum (since 1997), that's about to change
|
|||
There's a way around hard linking the socket file as described by the author in http://www.h-i-r.net/2009/05/sysadmi...nbsds.html?m=1
Summary -
1 - in rc.local first remove the old hardlink to the socket
2 - start mysqld
3 - create the hardlink again

Hardlink will not persist on sockets as the inode changes every time the socket is recreated. Haven't tried this out though as I have removed mysql from my system forever

Last edited by montie; 28th November 2014 at 04:27 AM. Reason: typo
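
Why the hard link goes stale when the daemon restarts, and why re-creating it after startup restores the connection, as an added example that is not code from any poster in this thread. A throwaway listening socket in a temporary directory stands in for mysqld, and the file names `mysql.sock` and `jail.sock` are assumed stand-ins for /var/run/mysql/mysql.sock and the link inside /var/www.

```python
import os
import socket
import tempfile


def listen(path):
    """Bind a listening UNIX socket at path, replacing any old socket file."""
    if os.path.lexists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)
    return srv


def can_connect(path):
    """Return True if a client can connect through this path."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(2)
        try:
            c.connect(path)
            return True
        except OSError:
            return False


def demo():
    out = {}
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "mysql.sock")  # stand-in for the daemon's socket
        jail = os.path.join(root, "jail.sock")   # stand-in for the link in the chroot
        srv = listen(real)
        os.link(real, jail)  # hard link; raises EXDEV across filesystems
        out["same_inode_before"] = os.stat(real).st_ino == os.stat(jail).st_ino
        out["connect_before"] = can_connect(jail)
        srv.close()          # "restart": the old listener goes away ...
        srv = listen(real)   # ... and a new socket file (new inode) is created
        out["same_inode_after"] = os.stat(real).st_ino == os.stat(jail).st_ino
        out["connect_stale"] = can_connect(jail)
        os.unlink(jail)      # the rc.local procedure: drop the stale link,
        os.link(real, jail)  # then link the freshly created socket
        out["connect_relinked"] = can_connect(jail)
        srv.close()
    return out


if __name__ == "__main__":
    print(demo())
```

The stale link still names the old inode, which no process is listening on any more, so clients inside the chroot are refused until the link is re-created against the new socket.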