Problem with chrooted php-fpm

Posted by Anonymous User 
Anonymous User
Problem with chrooted php-fpm
December 29, 2010 11:38AM
Hi,

We run php-5.3.4 chrooted (with php-fpm).
It works well, but trying to connect to https://www.google.com (for the
APIs) fails with
SSL: Unknown error: 0 in ...(filename + linenumber)
Failed to enable crypto in ... (filename + linenumber)
unable to connect to ssl://www.google.com:443 (Unknown error) in ... (filename + linenumber)

in the apache log-file.

It works when I disable the chroot.

This is together with the Zend-Framework, using the PHP-function
"stream_socket_client".


from ktrace:

29314 php-fpm STRU struct sockaddr { AF_INET, 66.102.13.103:443 }
29314 php-fpm RET connect -1 errno 36 Operation now in progress
29314 php-fpm CALL poll(0x7fffffffa780,0x1,0x2710)
29314 php-fpm RET poll 2
29314 php-fpm CALL getsockopt(0xa,SOL_SOCKET,SO_ERROR,0x7fffffffa78c,0x7fffffffa788)
29314 php-fpm RET getsockopt 0
29314 php-fpm CALL fcntl(0xa,F_SETFL,O_RDWR)
29314 php-fpm RET fcntl 0
29314 php-fpm CALL getpid
29314 php-fpm RET getpid 29314/0x7282
29314 php-fpm CALL getpid
29314 php-fpm RET getpid 29314/0x7282

etc.


without chroot:

31655 php-fpm CALL socket(PF_INET,SOCK_STREAM,IPPROTO_IP)
31655 php-fpm RET socket 10/0xa
31655 php-fpm CALL fcntl(0xa,F_GETFL,0x12de9d8)
31655 php-fpm RET fcntl 2
31655 php-fpm CALL fcntl(0xa,F_SETFL,O_RDWR|O_NONBLOCK)
31655 php-fpm RET fcntl 0
31655 php-fpm CALL connect(0xa,0x80fc41a08,0x10)
31655 php-fpm STRU struct sockaddr { AF_INET, 66.102.13.191:80 }
31655 php-fpm RET connect -1 errno 36 Operation now in progress
31655 php-fpm CALL poll(0x7fffffffa780,0x1,0x2710)
31655 php-fpm RET poll 2
31655 php-fpm CALL getsockopt(0xa,SOL_SOCKET,SO_ERROR,0x7fffffffa78c,0x7fffffffa788)
31655 php-fpm RET getsockopt 0
31655 php-fpm CALL fcntl(0xa,F_SETFL,O_RDWR)
31655 php-fpm RET fcntl 0
31655 php-fpm CALL sendto(0xa,0x80fc42fb8,0x1cd,MSG_DONTWAIT,0,0)
31655 php-fpm GIO fd 10 wrote 461 bytes



Does anybody have a clue what is going on here?
We have nullfs-mounted most of the "usual" directories into the chroot -
and the ktrace output doesn't show it looking for something

I found a forum where somebody had the same problem (and solution),
apparently. But of course, running non-chrooted is not a solution for us.



Regards,
Rainer
Re: Problem with chrooted php-fpm
January 10, 2011 10:43AM
I think that in chroot mode the $_SERVER['DOCUMENT_ROOT'] variable must represent a path inside the chroot, not outside. In this case the path is invalid, but some scripts actively use that variable. I tried to change it in nginx with:
fastcgi_param DOCUMENT_ROOT wantedpath;
But with no success; the variable stays unchanged.

Mihail Samoylov
Re: Problem with chrooted php-fpm
May 23, 2012 08:22AM
I fixed this by mounting devfs in the chroot:

mount -t devfs devfs /CHROOT/dev

OS: FreeBSD 8.1-RELEASE

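Added example, not part of any post in this thread: a preflight check for the fix reported above (mounting devfs in the chroot). It assumes the TLS failure comes from the chroot lacking the random device nodes the crypto library reads, which the thread does not state, and it also flags sensitive nodes that an unrestricted devfs mount would expose. The node lists and function names are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Node lists are assumptions.
REQUIRED_NODES="null zero random urandom"   # commonly opened by TLS clients
SENSITIVE_NODES="mem kmem io"               # should stay hidden from a chroot

# Print required nodes that are absent (or not character devices) in $1/dev.
# Returns 0 when nothing is missing.
missing_dev_nodes() {
    missing=""
    for node in $REQUIRED_NODES; do
        # -c matches only character special files, so a regular file named
        # urandom (no entropy source behind it) is still reported.
        if [ ! -c "$1/dev/$node" ]; then
            missing="$missing $node"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Print sensitive nodes visible in $1/dev, e.g. after a devfs mount with no
# restrictions. On FreeBSD, devfs(8) rulesets can hide such nodes.
# Returns 0 when none are exposed.
exposed_dev_nodes() {
    exposed=""
    for node in $SENSITIVE_NODES; do
        if [ -e "$1/dev/$node" ]; then
            exposed="$exposed $node"
        fi
    done
    exposed=${exposed# }
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# Usage: sh check_chroot_dev.sh /CHROOT
if [ -n "${1:-}" ]; then
    missing_dev_nodes "$1" | sed 's/^/missing: /'
    exposed_dev_nodes "$1" | sed 's/^/exposed: /'
fi
```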
Sandip Kulkarni
Re: Problem with chrooted php-fpm
May 23, 2012 12:46PM