ispconfig3.2 chrooted php-fpm mysql access

Discussion in 'Installation/Configuration' started by nhybgtvfr, Sep 30, 2020.

  1. nhybgtvfr

    nhybgtvfr Active Member

    running a test instance, ubuntu 20.04, ispconfig 3.2b2 (updated from nightly 3.2dev20200930)
    when i create a new website and attempt to install wordpress on it, i can only connect using 127.0.0.1 as the database host when chroot php-fpm is selected. it fails to connect when specifying 'localhost' as the database host.
    i've tried it with 'use socket for php-fpm' both enabled and disabled.

    i've not changed any of the default jailkit server config. i can see jailkit app sections and chrooted apps options on the site options, but the hint indicates that overrides the sections from server config rather than adds additional apps to them, so i've left that alone.

    am i missing something? i would have thought using port 9010 instead of web1.sock would have allowed 'localhost' to connect.

    i'd like to chroot all websites, i like more security, but trying to explain to nearly every customer that they need to use 127.0.0.1 instead of localhost is a lot more work than i'd like, customers never listen properly.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You're not missing anything; if you use a chroot, then you must use the localhost IP address.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You could add a hostname like db.customerdomain.com to the dns template and tell them to use that. It'd simply be 127.0.0.1 for now, but if you ever moved to a separate db server you'd also have the advantage of not needing to change client sites.
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If you wanted to hack it to work for you, tie into your init system (systemd or whatever) and bind mount the mysql socket inside each jail after mysqld is running. You could catch that for new jails with a server plugin (you probably wouldn't want to have to restart your database server every time a jail is added).
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    But the bind mount needs to be removed and recreated in case of a MySQL restart if I remember correctly?
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, the old socket would need to be removed/unmounted and remounted every time mysqld restarts, which could be done by the init system, or probably even with a file monitoring system, like inotify, watchman, fswatch or incron.
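
The approach from posts 4 to 6 (bind mount the MySQL socket into each jail and redo it whenever mysqld restarts), as an added example that is not part of the original thread and not ISPConfig code. The socket paths, the jail glob and the `apply` argument are assumptions to adapt to the server.

```bash
#!/bin/bash
# Added example (not ISPConfig code): re-create the bind mount of the MySQL
# socket inside every jail. Meant to be run after each mysqld (re)start.
# All paths below are assumptions; set them to match your server.
SOCK="${SOCK:-/run/mysqld/mysqld.sock}"                  # socket on the host
JAIL_SOCK="${JAIL_SOCK:-/var/run/mysqld/mysqld.sock}"    # path PHP uses inside the jail
JAIL_GLOB="${JAIL_GLOB:-/var/www/clients/client*/web*}"  # jail roots
DRY_RUN="${DRY_RUN:-0}"                                  # 1 = print commands only

# Execute a command, or just print it in dry-run mode.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Socket path inside a given jail, as seen from the host.
jail_sock() { printf '%s%s\n' "${1%/}" "$JAIL_SOCK"; }

remount_jail() {
    local target
    target="$(jail_sock "$1")"
    # A mount left from before the restart still points at the old socket.
    if mountpoint -q "$target" 2>/dev/null; then
        run umount "$target" || return 1
    fi
    # A file bind mount needs an existing file as its mount point.
    run mkdir -p "$(dirname "$target")" || return 1
    run touch "$target" || return 1
    run mount --bind "$SOCK" "$target"
}

remount_all() {
    local jail failed=0
    if [ "$DRY_RUN" != 1 ] && [ ! -S "$SOCK" ]; then
        echo "no socket at $SOCK; is mysqld running?" >&2
        return 1
    fi
    for jail in $JAIL_GLOB; do      # unquoted on purpose: expand the glob
        [ -d "$jail" ] || continue  # also skips an unmatched pattern
        remount_jail "$jail" || { echo "failed: $jail" >&2; failed=1; }
    done
    return "$failed"
}

# Only act when asked to, e.g. called with "apply" by the init system
# once mysqld is up.
if [ "${1:-}" = "apply" ]; then remount_all; fi
```

Running it with `DRY_RUN=1` prints the commands without touching anything. Because the script creates files and mounts as root, the directory that receives the mount point inside each jail should be root-owned and not writable by the site user.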
     
  7. nhybgtvfr

    nhybgtvfr Active Member

    how much extra security does chrooting php-fpm actually provide over and above a normal unchrooted php-fpm site on ispconfig?

    i see recent benchmarking shows that unix sockets are still about 33% faster/higher throughput than tcp. so i guess i need to think about if that bit of extra security is worth the potential performance hit, not that i think mysql is anywhere near hitting its limits, but everyone wants faster websites...

    also wondering if bind mounting the mysql sockets into the jails is worth all the extra hassle, complication and potential failure points involved for the amount of performance/security gained.

    i'm usually very good at finding anything through google, and i can find quite a bit about how to chroot php-fpm for apache, loads for nginx, but i'm not really finding anything that details the potential benefits/problems.
     
