Community & Support

Drupal site next to Xoops on OpenBSD 3.6

Hi Guys n Gals,

Am still new to drupal, but beginning to realise that drupal is such an advanced CMS (I think it's more than a CMS, as a matter of fact). Still have a lot to learn on optimising it.

I run drupal on OpenBSD 3.6 in a chrooted environment. I also have the xoops CMS running on the same server; this is basically a burn-in test, because the server hardware is very minimal (Pentium II 233 MHz MMX, a 1999 PC, with 232 MB RAM), and both CMS run reasonably fast. I list them below, in case you all wanna have a look:

1. my drupal site : buntlet
2. my xoops site : buntal

Cheers!

buckrey

Comments

I would like to share some notes on how to get mail and netPBM (used for image thumbnailing) to work under a chrooted apache environment (tested on OpenBSD, should work on any OS with a chrooted apache).

The OpenBSD 3.6 apache installation is chrooted by default (you can set the chroot path in the apache configuration file; the default is /var/www). This basically means that the webserver won't be able to see/execute anything outside its chroot jail. That will effectively limit any intrusion (if any) to within the /var/www boundary.

Not being able to access services beyond the chroot jail also means no access to: the mysql socket (mysql.sock), netPBM/ImageMagick (gallery needs them), and most importantly the mail() function (extensive use of mail notification will be impaired).

mysql
---------

Installing all packages (apache, php, mysql) in one go can be done by installing the phpMyAdmin package (pkg_add /the_path_to_packages/phpMyadminXXX.tgz); all the dependencies will be added as well by the OpenBSD package manager.

But here are my installed packages (set the env to the ftp directory and then pkg_add php4-core-4.3.10.tgz php4-curl-4.3.10.tgz php4-extensions-4.3.10.tgz php4-domxml-4.3.10.tgz php4-gd-4.3.10.tgz php4-imap-4.3.10.tgz php4-ldap-4.3.10.tgz php4-mysql-4.3.10.tgz php4-odbc-4.3.10.tgz php4-pdf-4.3.10.tgz php4-pear-4.3.10.tgz php4-pqsql-4.3.10.tgz php4-xmlrpc-4.3.10.tgz phpMyAdmin-2.5.7-pl1.tgz postgresql-server-7.4.3.tgz postgresql-client-7.4.3.tgz netpbm-9.24pl.tgz mysql-server-4.0.20.tgz mysql-client-4.0.20.tgz mailman-2.1.5-postfix.tgz vsftpd-1.2.2.tgz webalizer-2.01.10pl.tgz wget-1.8.2.tgz wordpress-1.2.tgz py-mysql-0.9.2.tgz py-openssl-0.5.1.tgz py-ldap-2.0.0pre19-2.3.tgz py-curl-7.12.tgz)

Test run the installation by running apachectl start and mysqld_safe. Then point the browser to the phpMyAdmin URL; you'll get a message something like `unable to connect to mysql .... mysql.sock et al`. This is because php has no access to mysql.sock, which is located outside the chroot jail (/var/run/mysql/mysql.sock).
To make it work, create a link: # ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock (of course you have to first create all the necessary directories within the chroot jail).

Even better, if you want to start mysql at boot, do this:

1. in /etc/rc.conf.local
# Start MySQL automatically at start-up:
mysql=YES

2. in /etc/rc.local
# MySQL Settings
#
rm -R /var/www/var/run/mysql
mkdir -p /var/www/var/run/mysql
#
if [ X"${mysql}" = X"YES" -a -x /usr/local/bin/mysqld_safe ]; then
        echo -n " mysqld"
        # mysqld_safe must go to the background, otherwise rc.local blocks here
        /usr/local/bin/mysqld_safe --user=_mysql \
                --bind-address=127.0.0.1 --log=/var/mysql/ >/dev/null 2>&1 &
        #
        # wait up to 6 seconds for the socket to appear
        for i in 1 2 3 4 5 6; do
                if [ -S /var/run/mysql/mysql.sock ]; then
                        break
                else
                        sleep 1
                        echo -n "."
                fi
        done
        #
        sleep 10
        #
        # expose the socket inside the chroot jail as a hard link
        ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi

That will start mysql automatically at boot time. Some users have problems with mysql being overloaded; it can be solved just by adding the following to the mysqld_safe invocation line (right after user=_mysql): "--open-files=1000".

Now your Apache,PHP and Mysql should be running hand-in-hand.

mail and netPBM
---------------------

a) The mail() function will silently fail. No mail is sent for user registration confirmation or for notifications.
b) If you install a gallery you will face one more problem, because there is no access to netPBM / ImageMagick.

Step 3. Solving the mail function.

In my case I use mini_sendmail. Install the package with the chroot flavor. The installation automatically creates the directory and binary at /var/www/bin/mini_sendmail. So let it be there.

Next is to add this line in /var/www/conf/php.ini
sendmail_path = "/bin/mini_sendmail -t -i"

after that do this

# cp -p /bin/sh /var/www/bin/sh

and finally
cp /etc/resolv.conf /var/www/etc/resolv.conf

note: failing to copy resolv.conf had me going in circles for almost 62 hours.

There you go, you can now mail() to your heart's content. :)

Step 4. Using netPBM for the gallery (this is the mother of all cp operations :) )

Nothing much else to do except copying everything so that the chroot can access all the needed libraries. Only the netPBM procedure is explained here, because it does the job.

making directories:

mkdir -p /var/www/bin
mkdir -p /var/www/var/run
mkdir -p /var/www/usr/lib
mkdir -p /var/www/usr/libexec
mkdir -p /var/www/usr/local/bin
mkdir -p /var/www/usr/local/lib
mkdir -p /var/www/usr/local/lib/pkgconfig
mkdir -p /var/www/usr/local/include
mkdir -p /var/www/usr/local/include/libexif
mkdir -p /var/www/usr/local/include/libpng
mkdir -p /var/www/usr/local/share/netpbm
mkdir -p /var/www/usr/local/share/doc/png

#Copying library files
cp /usr/lib/libc.so.34.1 /var/www/usr/lib
cp /usr/lib/libm.so.2.0 /var/www/usr/lib
cp /usr/lib/libz.so.4.0 /var/www/usr/lib
cp /usr/libexec/ld.so /var/www/usr/libexec
cp /usr/local/lib/libjpeg.so.62.0 /var/www/usr/local/lib
cp /usr/local/lib/libpbm.so.1.0 /var/www/usr/local/lib
cp /usr/local/lib/libpgm.so.1.0 /var/www/usr/local/lib
cp /usr/local/lib/libpng.so.4.0 /var/www/usr/local/lib
cp /usr/local/lib/libpnm.so.1.0 /var/www/usr/local/lib
cp /usr/local/lib/libppm.so.1.0 /var/www/usr/local/lib
cp /usr/local/lib/libtiff.so.36.1 /var/www/usr/local/lib
cp /usr/local/lib/libbz2.so.10.2 /var/www/usr/local/lib
cp /usr/local/lib/libxml2.so.8.11 /var/www/usr/local/lib
cp /usr/local/lib/libiconv.so.4.0 /var/www/usr/local/lib
cp /usr/local/lib/libjasper.so.1.0 /var/www/usr/local/lib
cp /var/run/ld.so.hints /var/www/var/run

#Copying JPEG files
cd /var/www/usr/local/bin
cp /usr/local/bin/icc2ps .
cp /usr/local/bin/icclink .
cp /usr/local/bin/icctrans .
cp /usr/local/bin/jpegicc .
cp /usr/local/bin/tifficc .
cp /usr/local/bin/wtpt .
cd /var/www/usr/local/include
cp /usr/local/include/icc34.h .
cp /usr/local/include/lcms.h .
cd /var/www/usr/local/lib
cp /usr/local/lib/liblcms.a .
cp /usr/local/lib/liblcms.la .
cp /usr/local/lib/liblcms.so.1.12 .

#Copying libexif files
cd /var/www/usr/local/include/libexif
cp /usr/local/include/libexif/* .
cd /var/www/usr/local/lib
cp /usr/local/lib/libexif.a .
cp /usr/local/lib/libexif.la .
cp /usr/local/lib/libexif.so.8.0 .
cd /var/www/usr/local/lib/pkgconfig
cp /usr/local/lib/pkgconfig/libexif.pc .

#Copying mpeg-lib
cd /var/www/usr/local/include
cp /usr/local/include/mpeg.h .
cd /var/www/usr/local/lib
cp /usr/local/lib/libmpeg.a .
cp /usr/local/lib/libmpeg.so.13.1 .

#Copying netpbm files
cd /var/www/usr/local/bin
cp /usr/local/bin/*ppm* .
cp /usr/local/bin/*pnm* .
cp /usr/local/bin/*pgm* .
cp /usr/local/bin/*pbm* .
cp /usr/local/bin/*pam* .
cp /usr/local/bin/*pcd* .
cd /var/www/usr/local/include
cp /usr/local/include/pam.h .
cp /usr/local/include/pammap.h .
cp /usr/local/include/pbm.h .
cp /usr/local/include/pgm.h .
cp /usr/local/include/pm.h .
cp /usr/local/include/pm_config.h .
cp /usr/local/include/pm_shhopt.h .
cp /usr/local/include/pnm.h .
cp /usr/local/include/ppm.h .
cp /usr/local/include/ppmcmap.h .
cp /usr/local/include/ppmdraw.h .
cp /usr/local/include/ppmfloyd.h .
cd /var/www/usr/local/lib
cp /usr/local/lib/libpbm.a .
cp /usr/local/lib/libpgm.a .
cp /usr/local/lib/libpnm.a .
cp /usr/local/lib/libppm.a .
cp /usr/local/lib/libpbm.so.1.0 .
cp /usr/local/lib/libpgm.so.1.0 .
cp /usr/local/lib/libpnm.so.1.0 .
cp /usr/local/lib/libppm.so.1.0 .
cd /var/www/usr/local/share/netpbm
cp /usr/local/share/netpbm/* .

#Copying png files
cd /var/www/usr/local/bin
cp /usr/local/bin/libpng-config .
cd /var/www/usr/local/include/libpng
cp /usr/local/include/libpng/* .
cd /var/www/usr/local/share/doc/png
cp /usr/local/share/doc/png/* .
cd /var/www/usr/local/lib
cp /usr/local/lib/libpng.a .
cp /usr/local/lib/libpng.so.4.0 .

#Copying tiff files
cd /var/www/usr/local/bin
cp /usr/local/bin/fax2ps .
cp /usr/local/bin/*tiff* .
cp /usr/local/bin/pal2rgb .
cp /usr/local/bin/rgb2ycbcr .
cp /usr/local/bin/thumbnail .
cd /var/www/usr/local/include
cp /usr/local/include/*tiff* .
cd /var/www/usr/local/lib
cp /usr/local/lib/libtiff.a .
cp /usr/local/lib/libtiff.so.36.1 .

#jpegtran
cd /var/www/usr/local/bin
cp /usr/local/bin/jpegtran .

At this point you can test for the existence of netPBM via the gallery admin interface.

In my case I had one problem when it complained that "pnmtojpeg not available", in which case I just went to the directory and did "cp ppmtojpeg pnmtojpeg".

ditto.

Cheers!

buckrey.

------------------
drupal buntlet..
buntal..
Code to live..
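A small helper for the Step 4 copying above, added here as an example and not taken from the post itself: it mirrors one absolute path into the jail at the same relative location, refuses paths that would land outside the jail, strips setuid/setgid bits from the copy and verifies it byte for byte. The function names are mine, and it assumes POSIX cp -p, cmp, chmod and mkdir -p.

```shell
# jail_cp: mirror one absolute path into a chroot jail at the same relative
# location. Added example; not code from the original post. Assumptions
# (mine): cp -p, cmp, chmod and mkdir -p behave as on OpenBSD/Linux.
# Usage for the jail above:  jail_cp /var/www /usr/local/lib/libpng.so.4.0
jail_cp() {
    jail=$1
    src=$2

    # The destination is built as "$jail$src", so only absolute paths
    # without ".." components are accepted; anything else could place
    # the copy outside the jail.
    case "$src" in
        /*) ;;
        *) echo "jail_cp: source must be absolute: $src" >&2; return 1 ;;
    esac
    case "/$src/" in
        */../*) echo "jail_cp: refusing path containing ..: $src" >&2; return 1 ;;
    esac
    [ -d "$jail" ] || { echo "jail_cp: jail dir missing: $jail" >&2; return 1; }
    [ -f "$src" ] || { echo "jail_cp: not a regular file: $src" >&2; return 1; }

    dst="$jail$src"
    mkdir -p "$(dirname "$dst")" || return 1
    # cp (without -R) follows symlinks, so the jail gets the real file
    # rather than a link that would dangle once chrooted.
    cp -p "$src" "$dst" || return 1
    # A setuid/setgid binary inside the jail defeats the purpose of the
    # jail; strip those bits from the copy even if the source has them.
    chmod u-s,g-s "$dst" || return 1
    # Verify the copy byte for byte.
    cmp -s "$src" "$dst"
}

# jail_cp_many: copy a list of files, continuing past failures; returns
# the number of files that could not be mirrored (0 = all good).
jail_cp_many() {
    jail=$1; shift
    failed=0
    for f in "$@"; do
        jail_cp "$jail" "$f" || failed=$((failed + 1))
    done
    return "$failed"
}
```

The long cp list above then becomes one loop over the file names, e.g. jail_cp_many /var/www /usr/libexec/ld.so /var/run/ld.so.hints /usr/local/lib/libpbm.so.1.0 and so on.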

MySQL errors

Some users have problems with mysql being overloaded; it can be solved just by adding the following to the mysqld_safe invocation line (right after user=_mysql): "--open-files=1000".

Ah, now that's just what I needed! Thanks!

I was seeing errors like these (sometimes dozens) on top of each page:

user error: Can't create/write to file '/var/www/tmp_mysql/#sql_508b_0.MYI' (Errcode: 9)

query: SELECT t.*, parent FROM term_data t, term_hierarchy h WHERE t.tid = h.tid AND t.vid = 3 ORDER BY weight, name in /vhosts/cms/civicspace/includes/database.mysql.inc on line 66.

Once these errors started appearing, the only way I could make them go away was to restart the MySQL server. Your suggestion (above) seems to have fixed the problem.

While doing this on the invocation line, as you suggest, is an easy way to test to see if this solution will work for you, for a permanent fix it is better to put it in the /etc/my.cnf file. It should look something like this:

[mysqld]
open-files=1000

Great article. Thanks for posting.

Use mount_null to avoid all those cp’s

The chroot function, while providing a nice level of security, can be a royal pain sometimes, as all the cp’s in Step 4 above so dramatically illustrate. Turns out there is an easier way.

BSD supports some interesting filesystem mounting options/commands, namely the union style mount, and mount_union & mount_null commands. They all work in a similar fashion, with subtle differences.

In particular, for the Apache chroot, mount_null is of greatest interest. With this command, you may mount (superimpose) one part of the file structure onto another (this is called a loop-back filesystem). Think of it as a "wormhole," in sci-fi parlance, from one branch in the directory tree to another. A similar effect can be achieved with a symbolic link, but symbolic links break when chrooted so they cannot be used to escape the chroot jail, whereas mount_null transcends the jail because part of the filesystem (external to the jail) is brought inside. Additionally, security-enhancing restrictions may be applied to the mount (e.g. it can be made read-only, execution and/or setuid disallowed, etc.).

For example, assuming there exists a /var/www/usr/local/ directory, one could issue the following command:

  mount_null   -o ro   /usr/local    /var/www/usr/local/

This causes the contents of /usr/local/ to be superimposed on that of /var/www/usr/local/, obscuring any underlying files (if any) in the latter (target) directory. (A mount_union would blend the contents of the two directories.) The -o ro causes the target directory to become read-only, even if the source is writable (the original is unchanged by the mount and still available to those with access to it). In effect, what this does is create a read-only wormhole outside of the chroot jail.

Discretion should be exercised, however. It would not be wise, for example, to move the /etc or /bin directories into the chroot jail, even as read-only. But one might create a special directory, something like /jail/bin, make hard links to selected files, then mount_null -o ro /jail/bin /var/www/bin/ to create a mini-/bin directory inside the jail (e.g. for mini-sendmail and its shell).

Once you create mount points, you might like to see what they are. You can view them with this command:

  df -h

To dissolve a mount:

  umount mount point

For example, to dissolve the mount of our mount_null example above:

  umount   /var/www/usr/local/

Once you figure out how to create a directory structure which works for your environment, you’ll want to make your mounts permanent so that a system reboot won’t destroy it. You can do that with the /etc/fstab file, which is read as part of the system startup. An entry might look something like this:

# device      mount point        filesystem  fs options    dump   fsck
  /usr/local  /var/www/usr/local    null      ro,nosuid      1      2

It is my understanding that similar loop-back mechanisms are available for Linux (mount --bind) and Solaris (mount -F lofs).

Linux bind mounts

It is important to know that in Linux mount --bind binds only one directory to a subtree in the FS. So if for example you have:

mount /dev/sda3 /chroot
mount /dev/sda4 /chroot/tmp

and if you do:

mount --bind /chroot /chroot2

In /chroot2 you will see everything from /dev/sda3 but not /dev/sda4, because it is a second mount within the /chroot dir.

If what you want is to have the contents of both sda3 and sda4, you should use:

mount --rbind /chroot /chroot2

If you have to code this in C, the mount option for --bind is MS_BIND and the options for --rbind are MS_BIND|MS_REC.

This is how it is done.
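A check for the fstab entries discussed in the two comments above (the mount_null entry with ro,nosuid, and the Linux bind/rbind note), added here as an example and not part of either comment: it reads an fstab, picks the null or bind mounts that land inside a jail, and flags entries missing ro or nosuid, entries that expose /etc or /bin even read-only, and recursive (rbind) entries that also expose nested mounts. The function names and the sample fstab are my own; the BSD column layout follows the entry shown above, and the Linux form (type none, option bind/rbind) is an assumption about how such entries are written.

```shell
# jail_mount_audit: report null/bind mounts into a chroot jail that lack the
# restrictions discussed above. Added example, not from the original comments.
# Assumptions (mine): BSD entries use fs type "null"; Linux entries use type
# "none" with a "bind" or "rbind" option. Prints OK/WARN/INFO lines; returns 1
# if any WARN was printed, else 0.
jail_mount_audit() {
    jail=$1
    fstab=$2
    status=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac          # blank or comment line
        case "$mnt" in "$jail"|"$jail"/*) ;; *) continue ;; esac
        bind=0
        case "$fstype" in null) bind=1 ;; esac
        case ",$opts," in *,bind,*|*,rbind,*) bind=1 ;; esac
        [ "$bind" -eq 1 ] || continue
        n=0
        # Whole system directories are the ones not to hand to the jail, even read-only.
        case "$dev" in
            /|/etc|/etc/*|/bin|/bin/*|/sbin|/sbin/*|/dev|/dev/*)
                echo "WARN $mnt exposes system directory $dev"; n=$((n + 1)) ;;
        esac
        case ",$opts," in
            *,ro,*) ;;
            *) echo "WARN $mnt is writable from inside the jail (add ro)"; n=$((n + 1)) ;;
        esac
        case ",$opts," in
            *,nosuid,*) ;;
            *) echo "WARN $mnt honours setuid bits (add nosuid)"; n=$((n + 1)) ;;
        esac
        case ",$opts," in
            *,rbind,*) echo "INFO $mnt is recursive: mounts nested under $dev are exposed too" ;;
        esac
        if [ "$n" -eq 0 ]; then echo "OK $mnt"; else status=1; fi
    done < "$fstab"
    return "$status"
}

# Constructed sample fstab (not from any real system) mixing the BSD entry
# above with a Linux-style rbind entry, so both paths of the audit run.
sample_fstab() {
    cat > "$1" <<'EOF'
# device      mount point         fs    options    dump fsck
/dev/wd0a     /                   ffs   rw         1    1
/usr/local    /var/www/usr/local  null  ro,nosuid  1    2
/jail/bin     /var/www/bin        null  rw         1    2
/etc          /var/www/etc        null  ro,nosuid  1    2
/chroot       /chroot2            none  rbind      0    0
EOF
}
```

Run it as jail_mount_audit /var/www /etc/fstab after editing fstab; a non-zero exit means at least one entry needs attention.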
