Configuring nginx and tomcat with chroot (jail)
This article is a set of configuration notes; the benefits of chroot (jail) are not described in detail.
It is divided into three parts: configuring a basic chroot jail, configuring a chroot jail for nginx, and configuring a chroot jail for tomcat.
1. Configure a basic chroot jail
1.1. Create a directory as the root directory of the chroot jail.
# mkdir /home/chroot/jail
1.2. Use the ldd command to find the shared libraries that the command you want to run in the chroot jail depends on.
# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff56fcc000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)
1.3. Create subdirectories under the chroot jail root. Create only what the programs you want to run under chroot need; remember the service minimization principle.
# mkdir /home/chroot/jail/bin
# mkdir /home/chroot/jail/lib64
1.4. Copy the binaries that need to run under chroot, together with their dependent libraries, into the chroot jail directory.
# cp /bin/bash /home/chroot/jail/bin
# cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \
    /home/chroot/jail/lib64
1.5. After completing the above steps, you can try it out under chroot.
The above only makes bash runnable under chroot; nothing else works yet. That is why the ls command in the following example cannot be found.
# chroot /home/chroot/jail
bash-4.1# pwd
/
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
#
1.6. If a service always fails to start inside the jail, use strace to find the error. An example is given at the end of the nginx section.
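As an added example (not part of the original article), the following script generalizes steps 1.2 to 1.4: it parses ldd output, extracts every resolved library path including the loader line (which has no "=>"), skips the vDSO, and copies the binary and its libraries into the jail under their original directories. The names ldd_lib_paths, jail_install and sample_paths are my own; the sample ldd text is the output quoted in step 1.2.

```shell
#!/bin/sh
# Added example, not from the original article: automate steps 1.2 to 1.4.

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib64/libc.so.6 (0x...)" lines as well as the
# loader line "/lib64/ld-linux-x86-64.so.2 (0x...)", and skips the vDSO,
# which is a kernel mapping with no file ("linux-vdso.so.1 => (0x...)").
ldd_lib_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one binary and everything it needs into the jail rooted at $1,
# keeping the original directory layout (/bin, /lib64, ...).
# Usage: jail_install /home/chroot/jail /bin/bash   (run as root, needs ldd)
jail_install() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | ldd_lib_paths | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Constructed sample: the ldd output for /bin/bash quoted in step 1.2.
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff56fcc000)
    libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003ad1200000)
    libdl.so.2 => /lib64/libdl.so.2 (0x0000003abe600000)
    libc.so.6 => /lib64/libc.so.6 (0x0000003abe200000)
    /lib64/ld-linux-x86-64.so.2 (0x0000003abde00000)'

# Yields the four /lib64 files copied by hand in step 1.4, one per line.
sample_paths() { printf '%s\n' "$SAMPLE_LDD" | ldd_lib_paths; }
```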
2. Configure a chroot jail for nginx
The nginx installation itself is omitted: download the tar.gz, unpack it, configure, make, make install.
This configuration is for CentOS6.x 64-bit system.
2.1. Specify the chroot directory, which plays the role of the root directory from 1.1.
For a uniform naming convention, the following directory structure is used:
# D=/home/nginx/jail
# mkdir -p $D
# mkdir -p $D/etc
# mkdir -p $D/dev
# mkdir -p $D/var
# mkdir -p $D/usr
# mkdir -p $D/usr/local/nginx
# mkdir -p $D/tmp
# chmod 1777 $D/tmp
# mkdir -p $D/var/tmp
# chmod 1777 $D/var/tmp
# mkdir -p $D/lib64
2.3. Create the required device nodes in $D/dev (null, random and urandom are character devices).
Use the mknod command to create them:
# /bin/mknod -m 0666 $D/dev/null c 1 3
# /bin/mknod -m 0666 $D/dev/random c 1 8
# /bin/mknod -m 0444 $D/dev/urandom c 1 9
2.4. Copy all nginx files to the jail.
# /bin/cp -farv /usr/local/nginx/* $D/usr/local/nginx
2.5. Copy the dependent libraries into the jail (2.4 and 2.5 correspond to step 1.4: list the libraries with ldd, then copy each one into $D/lib64).
# ldd /usr/local/nginx/sbin/nginx
2.6. Copy /etc to jail.
The nixCraft tutorial specifically lists these as the files nginx needs while running. Note that shadow and gshadow contain password hashes that nginx itself does not read; following the service minimization principle from 1.3, consider leaving them out of the jail.
# cp -fv /etc/{group,prelink.cache,services,adjtime,shells,gshadow,shadow,hosts.deny,localtime,nsswitch.conf,nscd.conf,prelink.conf,protocols,hosts,passwd,ld.so.cache,ld.so.conf,resolv.conf,host.conf} $D/etc
# cp -avr /etc/{ld.so.conf.d,prelink.conf.d} $D/etc
2.7. Start nginx.
If nginx is already running, stop it first:
# killall -9 nginx
Start nginx in the chroot, either from the host:
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx
or from a shell inside the jail:
# chroot /home/nginx/jail
bash-4.1# /usr/local/nginx/sbin/nginx -t
bash-4.1# /usr/local/nginx/sbin/nginx
Configure it to start automatically at boot:
# echo '/usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx' >> /etc/rc.local
To change the configuration later, edit the copy inside the jail, then test and reload:
# cd /home/nginx/jail/usr/local/nginx/conf/
# vi nginx.conf
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -s reload
To start nginx with an explicit configuration file (the path is relative to the jail root):
# /usr/sbin/chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
2.8. If the environment still has problems, use strace to track down the error. (The same method works for tomcat and other services and is not repeated later.)
# strace -f -o /tmp/nginx.strace chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t
After running this, the program's own output appears on the terminal, and the detailed trace is written to /tmp/nginx.strace.
When I was configuring the environment, I found that a certain package was missing in the file. I added it to the chroot jail and it started normally.
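As an added example (not part of the original article), this helper condenses the strace troubleshooting step from 1.6 and 2.8, and the same approach the tomcat section relies on: it reads a trace written with strace -f -o and lists every path the program asked for but could not find inside the jail. The names missing_paths, suggest_copies and sample_missing are my own, and the sample trace is constructed, not real output.

```shell
#!/bin/sh
# Added example, not from the original article: find what the jail is missing
# from a trace written by, for example,
#   strace -f -o /tmp/nginx.strace chroot /home/nginx/jail /usr/local/nginx/sbin/nginx -t

# Print, once each and sorted, the paths of open/stat/access/execve calls that
# failed with ENOENT. Argument is a trace file; with no argument, reads stdin.
# With "strace -f" every line starts with a pid, so that prefix is optional.
missing_paths() {
    awk -F'"' '/ENOENT/ && /^([0-9]+ +)?(open|openat|stat|lstat|access|execve|readlink)\(/ { print $2 }' \
        "${1:--}" | sort -u
}

# For each missing path, say whether it can simply be copied in from the host
# (the "a certain package was missing" case in 2.8) or is absent there too.
# Usage: suggest_copies /home/nginx/jail /tmp/nginx.strace
suggest_copies() {
    jail=$1
    missing_paths "$2" | while read -r p; do
        if [ -e "$p" ]; then
            echo "copy: mkdir -p $jail$(dirname "$p") && cp -a $p $jail$p"
        else
            echo "absent on the host as well: $p"
        fi
    done
}

# Constructed sample trace: nginx starting in a jail that lacks ld.so.cache,
# libpcre and its logs directory. One failure is repeated on purpose.
SAMPLE_TRACE='12345 execve("/usr/local/nginx/sbin/nginx", ["/usr/local/nginx/sbin/nginx", "-t"], [/* 20 vars */]) = 0
12345 open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 open("/lib64/libpcre.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 open("/lib64/libc.so.6", O_RDONLY) = 3
12345 stat("/usr/local/nginx/conf/nginx.conf", {st_mode=S_IFREG|0644, st_size=2656, ...}) = 0
12345 open("/usr/local/nginx/logs/error.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = -1 ENOENT (No such file or directory)
12345 open("/lib64/libpcre.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)'

# Yields three lines: /etc/ld.so.cache, /lib64/libpcre.so.0 and
# /usr/local/nginx/logs/error.log (the duplicate is collapsed).
sample_missing() { printf '%s\n' "$SAMPLE_TRACE" | missing_paths; }
```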
3. Configure a chroot jail for tomcat
3.1. Create chroot jail root directory.
# mkdir /home/tomcat/jail
# cd /home/tomcat/jail
# mkdir -p lib lib64 etc tmp dev usr
# chmod 755 etc dev usr
# chmod 1777 tmp
# cp -a /etc/hosts etc/hosts
3.3. Install the java environment and copy the installation made as root into the chroot.
# mkdir -p usr/java
# cp -a /usr/java/jdk1.7.0_67 usr/java
3.4. Find and copy the libraries java depends on.
# ldd /usr/java/jdk1.7.0_67/bin/java
        linux-vdso.so.1 =>  (0x00007fff532d1000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc36c8f2000)
        libjli.so => /usr/java/jdk1.7.0_67/bin/../lib/amd64/jli/libjli.so (0x00007fc36c6da000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fc36c4d6000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fc36c142000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fc36cb17000)
# cp -p /lib64/libm.so.6 lib64/
# cp -p /lib64/libnsl.so.1 lib64/
3.5. Before running the JVM, some more work is needed to make the chroot look like a real root environment.
Create /dev and its entries:
# cd /home/tomcat/jail
# mkdir -p /home/tomcat/jail/dev/pts
# /dev/MAKEDEV -d /home/tomcat/jail/dev null random urandom zero loop* log console
# cp /dev/MAKEDEV /home/tomcat/jail/dev
# cp -a /dev/shm /home/tomcat/jail/dev/
3.6. Mount /proc.
# mkdir -p /home/tomcat/jail/proc
# mount -t proc proc /home/tomcat/jail/proc
Then check that java runs inside the jail:
bash-4.1# /usr/java/jdk1.7.0_67/bin/java -version
Copy the following three files under etc. Only copy what is actually needed; again, keep services minimized.
cp -a /etc/{hosts,resolv.conf,nsswitch.conf} /home/tomcat/jail/etc/
Three libraries needed for name resolution also have to be copied:
cp -p /lib64/libresolv.so.2 lib64/
cp -p /lib64/libnss_dns.so.2 lib64/
cp -p /lib64/libnss_files.so.2 lib64/
Then put /bin/bash and /bin/sh into the chroot as described in section 1. On CentOS, sh is a symbolic link to bash.
After this step, java can work in chroot. If something goes wrong, use strace to troubleshoot.
Starting tomcat for the first time shows what is still missing:
bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 102: uname: command not found
/apache-tomcat-7.0.57/bin/catalina.sh: line 122: dirname: command not found
Cannot find //bin/setclasspath.sh
This file is needed to run this program
Copy the two missing commands into the jail:
# cp /bin/uname bin/
# mkdir usr/bin
# cp /usr/bin/dirname usr/bin
While running tomcat, I found that there is still a small problem:
bash-4.1# /apache-tomcat-7.0.57/bin/catalina.sh start
/apache-tomcat-7.0.57/bin/catalina.sh: line 203: tty: command not found
Using CATALINA_BASE:   /apache-tomcat-7.0.57
Using CATALINA_HOME:   /apache-tomcat-7.0.57
Using CATALINA_TMPDIR: /apache-tomcat-7.0.57/temp
Using JRE_HOME:        /usr/java/jdk1.7.0_67
Using CLASSPATH:       /apache-tomcat-7.0.57/bin/bootstrap.jar:/apache-tomcat-7.0.57/bin/tomcat-juli.jar
/apache-tomcat-7.0.57/bin/catalina.sh: line 368: touch: command not found
Tomcat started.
Copy in the missing commands and librt:
# cp -p /lib64/librt.so.1 lib64/
# cp /usr/bin/tty usr/bin/
# cp /bin/touch bin/
Configure it to start automatically at boot by adding the following to the boot script:
export JAVA_HOME=/usr/local/java/jdk1.7.0_25
export JRE_HOME=$JAVA_HOME/jre
mount -t proc proc /home/tomcat/jail/proc &>/dev/null
/usr/sbin/chroot /home/tomcat/jail /usr/tomcat/bin/catalina.sh start
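As an added example (not part of the original article), this pre-flight check collects everything steps 3.1 to 3.6 and the two catalina.sh failures above turned out to require, and reports what is still missing before the jail is started at boot. The names jail_preflight, JAIL_FILES and JAIL_DEVS are my own; the JDK path defaults to the one used in step 3.3.

```shell
#!/bin/sh
# Added example, not from the original article: check the tomcat jail before
# "chroot ... catalina.sh start". Paths are relative to the jail root in $1.

# Commands and libraries catalina.sh and the JVM needed in the walkthrough.
JAIL_FILES='bin/bash bin/sh bin/uname bin/touch usr/bin/dirname usr/bin/tty
etc/hosts etc/resolv.conf etc/nsswitch.conf
lib64/libm.so.6 lib64/libnsl.so.1 lib64/librt.so.1
lib64/libresolv.so.2 lib64/libnss_dns.so.2 lib64/libnss_files.so.2'
# Device nodes created with MAKEDEV in step 3.5.
JAIL_DEVS='dev/null dev/zero dev/random dev/urandom'

# Usage: jail_preflight /home/tomcat/jail
# Prints one line per problem and a final "problems: N" line.
jail_preflight() {
    jail=$1; n=0
    for f in $JAIL_FILES; do
        [ -f "$jail/$f" ] || { echo "missing file: $f"; n=$((n + 1)); }
    done
    for d in $JAIL_DEVS; do
        [ -c "$jail/$d" ] || { echo "missing device node: $d"; n=$((n + 1)); }
    done
    # Step 3.6: /proc must actually be mounted in the jail, not just an empty dir.
    if ! grep -q " $jail/proc proc " /proc/mounts 2>/dev/null; then
        echo "proc not mounted at $jail/proc"; n=$((n + 1))
    fi
    # A JAVA_HOME exported on the host is resolved inside the jail after chroot,
    # so the JDK copied in step 3.3 must sit under the jail at that same path.
    jdk=${JAVA_HOME:-/usr/java/jdk1.7.0_67}
    [ -x "$jail$jdk/bin/java" ] || { echo "no JDK at $jail$jdk"; n=$((n + 1)); }
    echo "problems: $n"
}
```

Run it as root on the real jail; a non-zero count means catalina.sh will fail in one of the ways shown above.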
[1] Oracle Linux Security Guide for Release 6, Chapter 3 "Implementing Oracle Linux Security", section 3.13 "Configuring and Using Chroot Jails"
[2] nixCraft, "Linux nginx: Chroot (Jail) Setup"
[3] Jason Brittain, Ian F. Darwin, "Tomcat: The Definitive Guide"
The above covers the configuration of nginx and tomcat with chroot (jail). I hope it is helpful to interested readers.
