Isolated Nginx & PHP installation script

This script install a chrooted nginx and php environment on a specific folder of the system. Is has been developped and tested on Debian Squeeze 64 bits. It requires that the nginx, php5-cgi, spawn-fcgi packages are installed. In addition, if you want mysql support, install php5-mysql before launching the script.

If you need help, want to report bug or submit improvements, please post a comment at the bottom of the page.

#! /bin/bash
set -e

#### 
# Isolated Nginx & PHP Installation script
# Julien Vehent - 20110418
# http://wiki.linuxwall.info
# Distributed under GPL V2 licence
####


# The main container. change it to match your configuration.
chroot_container=/var/www/


# this function copies shared libraries from a binary to the chroot
# stolen from nixcraft and then improved a bit ;)
libs_to_chroot(){
        local d="$1"            # JAIL ROOT
        local pFILE="$2"        # copy bin file libs
        local files=""
        local _cp="/bin/cp"

        # get rid of blanks and (0x00007fff0117f000)
        files="$(ldd $pFILE |  awk '{ print $3 }' | sed -e '/^$/d' -e '/(*)$/d')"

        for i in $files
        do
            dcc="${i%/*}" # get dirname only
            [ ! -d ${d}${dcc} ] && mkdir -p ${d}${dcc} # create missing dirs
            [ ! -e ${d}${dcc}${i} ] && ${_cp} -f $i ${d}${dcc} # copy missing only

            # recursively get shared libraries of shared library
            libs_to_chroot "${d}" "${i}"
        done

        # Works with 32 and 64 bit ld-linux
        sldl="$(ldd $pFILE | grep 'ld-linux' | awk '{ print $1}')"
        sldlsubdir="${sldl%/*}"
        #[ ! -f ${d}${sldl} ] && ${_cp} -f ${sldl} ${d}${sldlsubdir}
        if [ ! -f ${d}${sldl} ];
        then
                ${_cp} -f ${sldl} ${d}${sldlsubdir}
        fi
}

install_env() {
	local target="$1"

	mkdir -p $chroot_container$target/{etc/init.d,dev,var/log/nginx,var/run,var/www,var/tmp,var/lib/nginx,usr/sbin,usr/bin,usr/share,bin,sbin,tmp,lib/lsb,lib64,usr/lib}
	chmod 1777 $chroot_container$target/var/tmp/
	mknod -m 0666 $chroot_container$target/dev/null c 1 3
	mknod -m 0666 $chroot_container$target/dev/random c 1 8
	mknod -m 0666 $chroot_container$target/dev/urandom c 1 9
	mknod -m 0666 $chroot_container$target/dev/zero c 1 5

	# create a user and a group that have the same name as target
	groupadd $target
	useradd -d $chroot_container$target/var/www -g $target -M -N -s /bin/false $target

	# copy startup program
	#cp -f /sbin/start-stop-daemon $chroot_container$target/sbin/
	#cp -f /lib/lsb/init-functions $chroot_container$target/lib/lsb/

    # copy ln to recreate symbolic links inside the chroot
    cp -f /bin/ln $chroot_container$target/bin/
}

install_nginx(){
	local target="$1"
	local nginx_bin=`which nginx`
	cp -f $nginx_bin $chroot_container$target$nginx_bin
	cp -fr /etc/nginx $chroot_container$target/etc/
	#copy shared libs to target
	libs_to_chroot "${chroot_container}${target}" "${nginx_bin}"

	cp -f /lib/libnss_compat.so.2 $chroot_container$target/lib/
	cp -f /lib/libnsl.so.1 $chroot_container$target/lib/
	cp -f /lib/libnss_nis.so.2 $chroot_container$target/lib/
	cp -f /lib/libnss_files.so.2 $chroot_container$target/lib/

	cp -fr /etc/{nsswitch.conf,services,hosts*,localtime,protocols,ld.so.cache,ld.so.conf,ld.so.conf.d,host.conf} $chroot_container$target/etc/

	#we just give the chroot the user it needs, that is root and its own
	head -n 1 /etc/passwd > $chroot_container$target/etc/passwd
	tail -n 1 /etc/passwd >> $chroot_container$target/etc/passwd

	head -n 1 /etc/group > $chroot_container$target/etc/group
	tail -n 1 /etc/group >> $chroot_container$target/etc/group
	
	

	# change user ownership
	chown -R $target:$target $chroot_container$target/var/www/

	
	# install basic configuration
	echo "user $target $target;
worker_processes  1;
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    access_log    /var/log/nginx/access.log;
    sendfile        on;
    keepalive_timeout  65;
    tcp_nodelay        on;
    gzip  on;
    gzip_disable \"MSIE [1-6]\.(?!.*SV1)\";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
" > $chroot_container$target/etc/nginx/nginx.conf

	# install basic virtual host
	echo "Nginx can be configured to accept requests from 127.0.0.1 only (coming from a proxy or load balancer)"
	echo -n "Do you want to allow 127.0.0.1 only and deny all (can be changed in site config) ? y/n > "
	read response
	
	if [ $response == "y" ]
	then
		echo "server {
    listen  127.0.0.1:$nginxport;"> $chroot_container$target/etc/nginx/sites-available/default
	else
		echo "server {
    listen  $nginxport;"> $chroot_container$target/etc/nginx/sites-available/default
	fi

        echo "
    server_name  $fqdn;
    access_log  /var/log/nginx/$fqdn.access.log;
    root   /var/www;
    index  index.cgi index.php index.html index.htm;">>$chroot_container$target/etc/nginx/sites-available/default

	
    if [ $phpsupport -eq 1 ]
    then
        echo "
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass   127.0.0.1:$phpport;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
    }">> $chroot_container$target/etc/nginx/sites-available/default
    fi

    if [ $fcgiwrapsupport -eq 1 ]
    then
        echo "
    location ~ \.cgi {
        include fastcgi_params;
        fastcgi_pass    unix:/var/run/fcgiwrap.sock;
        fastcgi_index   index.cgi;
        fastcgi_param  SCRIPT_FILENAME  \$document_root\$fastcgi_script_name;
    }">>$chroot_container$target/etc/nginx/sites-available/default
    fi

	echo "
}" >> $chroot_container$target/etc/nginx/sites-available/default

	# test the setup
	chroot $chroot_container$target/ $nginx_bin -t

	echo "nginx setup finished."
}



install_php(){

    aptitude install php5-cgi spawn-fcgi

    local spawnfcgibin=`which spawn-fcgi`
	local php_bin=`which php5-cgi`

    if [ ! -x $chroot_container$target$spawnfcgibin ]
    then
        cp -f $spawnfcgibin $chroot_container$target$spawnfcgibin
        libs_to_chroot "${chroot_container}${target}" "$spawnfcgibin"
    fi

	cp -f $php_bin $chroot_container$target$php_bin
	cp -fr /etc/php5 $chroot_container$target/etc/
	cp -fr /usr/lib/php5 $chroot_container$target/usr/lib/
	cp -fr /usr/share/zoneinfo $chroot_container$target/usr/share/

	libs_to_chroot "${chroot_container}${target}" "${php_bin}"

	echo "php setup finished."
}

install_mysql(){

	aptitude update 1>/dev/null
	aptitude install php5-mysql

	cp -fr /etc/php5 $chroot_container$target/etc/
	cp -fr /usr/lib/php5 $chroot_container$target/usr/lib/

	local mysql_lib=`find /usr/lib/php5/ -iname mysql.so`
	libs_to_chroot "${chroot_container}${target}" "${mysql_lib}"

	find /lib -iname libgcc_s.so* -exec cp -f {} $chroot_container$target/lib/ \;

	echo "php5-mysql setup finished."
}

install_fcgiwrap(){
	aptitude update 1>/dev/null
	aptitude install fcgiwrap spawn-fcgi

    fcgiwrap_bin=`which fcgiwrap`
	cp -f $fcgiwrap_bin $chroot_container$target$fcgiwrap_bin
	libs_to_chroot "${chroot_container}${target}" "${fcgiwrap_bin}"
    
    spawnfcgibin=`which spawn-fcgi`
    if [ ! -x $chroot_container$target$spawnfcgibin ]
    then
        cp -f $spawnfcgibin $chroot_container$target$spawnfcgibin
        libs_to_chroot "${chroot_container}${target}" "$spawnfcgibin"
    fi
}

install_perl(){
	local perl_bin=`which perl`
    #copy perl binary
	cp -f $perl_bin $chroot_container$target$perl_bin

    echo "copying all included perl modules from @INC, be patient (~5/10min)"
    for INC in $(perl -e 'foreach(@INC){print "$_\n";}')
    do
        if [ "$INC" != "." ]
        then
            if [ -h "$INC" ]
            then
                DESTLINK=$(readlink -f $INC)
                mkdir -p $chroot_container$target$DESTLINK
                cp -fr $DESTLINK/* $chroot_container$target$DESTLINK/
                chroot $chroot_container$target ln -s $DESTLINK $INC
            else
                if [ -d "$INC" ]
                then
                    mkdir -p $chroot_container$target$INC
                    cp -fr $INC $chroot_container$target$INC
                    for perl_lib in $(find $INC -iname '*.so' -exec ls {} \;)
                    do
                        libs_to_chroot "${chroot_container}${target}" "${perl_lib}"
                    done
                fi
            fi
        fi
    done

    #copy dynamic libs
	libs_to_chroot "${chroot_container}${target}" "${perl_bin}"

	echo "perl setup finished."
}

install_mojolicious(){
    # install chroot env, then move there and issue mojolicious install
    cp $(which bash) ${chroot_container}${target}$(which bash)
    libs_to_chroot "${chroot_container}${target}" $(which bash)

    cp $(which env) ${chroot_container}${target}$(which env)
    libs_to_chroot "${chroot_container}${target}" $(which env)

    cp $(which curl) ${chroot_container}${target}$(which curl)
    libs_to_chroot "${chroot_container}${target}" $(which curl)

    curl -s -L cpanmin.us | perl - Mojolicious --local-lib=/tmp-${target}-mojolicious/
    cp -r /tmp/${target}-mojolicious/lib/perl5/* ${chroot_container}${target}/usr/lib/perl5/
    cp -r /tmp/${target}-mojolicious/bin/*  ${chroot_container}${target}/usr/bin/
    rm -rf /tmp/${target}-mojolicious/

    echo "mojolicious setup finished."
}


create_supervised_config(){

	aptitude update 1>/dev/null
	aptitude install daemontools daemontools-run

    mkdir -p /etc/sv/spawn-fcgi-$target
    echo "#! /bin/bash
CHROOTBIN=/usr/sbin/chroot
CHROOTPATH=$chroot_container$target
SPAWNBIN=`which spawn-fcgi`
PHP5BIN=`which php5-cgi`
PHP5PORT=$phpport
PHP5ADDR=127.0.0.1
USER=$target
exec \$CHROOTBIN \$CHROOTPATH \$SPAWNBIN -n -a \$PHP5ADDR -p \$PHP5PORT -u \$USER -g \$USER -C 3 \$PHP5BIN
" > /etc/sv/spawn-fcgi-$target/run

	chmod +x /etc/sv/spawn-fcgi-$target/run
	update-service --add /etc/sv/spawn-fcgi-$target spawn-fcgi-$target
}

create_control(){
	echo "#! /bin/sh
#
### BEGIN INIT INFO
# Provides:          control-$target
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     2
# Default-Stop:      0 1 6
# Short-Description: starts/stops $target
# Description:       starts and stops $target
#                    a webserver chroot for $fqdn
#
### END INIT INFO

CHROOTBIN=/usr/sbin/chroot
CHROOTPATH=$chroot_container$target
NGINXDAEMON=`which nginx`
NAME=nginx

PHP5SUPPORT=$phpsupport
SPAWNBIN=`which spawn-fcgi`
PHP5BIN=`which php5-cgi`
PHP5PORT=$phpport
PHP5ADDR=127.0.0.1
PHPSUPERVISE=$phpsupervise

FCGIWRAPSUPPORT=$fcgiwrapsupport
FCGIWRAPSOCK=/var/run/fcgiwrap.sock
FCGIWRAPBIN=`which fcgiwrap`

USER=$target

DESC='chroot webserver (nginx/php) for $fqdn'
set -e
. /lib/lsb/init-functions
test_nginx_config() {
  if \$CHROOTBIN \$CHROOTPATH -t \$NGINXDAEMON_OPTS >/dev/null 2>&1
  then
    return 0
  else
    \$CHROOTBIN \$CHROOTPATH \$NGINXDAEMON -t \$NGINXDAEMON_OPTS
    return \$?
  fi
}
case \"\$1\" in
  start)
        echo \"Starting \$DESC ---\"

	# launching nginx
        test_nginx_config
        start-stop-daemon --chroot \$CHROOTPATH --start --pidfile /var/run/nginx.pid \
                --exec \$NGINXDAEMON -- \$NGINXDAEMON_OPTS || true
        echo -n \"nginx started with pid \"; cat \$CHROOTPATH/var/run/nginx.pid ; echo

        if [ \$PHP5SUPPORT -eq 1 ]
        then
            if [ \$PHPSUPERVISE -eq 1 ]
            then
                svc -u /etc/service/spawn-fcgi-$target
                echo \"spawn-fcgi and php5 started under supervise\"
            else
                start-stop-daemon --chroot \$CHROOTPATH --start \
                    --exec \$SPAWNBIN -- -a \$PHP5ADDR -p \$PHP5PORT \
                    -u \$USER -g \$USER -P /var/run/php5-cgi.pid \$PHP5BIN || true

            	echo -n \"php5-cgi started with pid \"; cat \$CHROOTPATH/var/run/php5-cgi.pid ; echo
            fi
        fi

        if [ \$FCGIWRAPSUPPORT -eq 1 ]
        then
            start-stop-daemon --chroot \$CHROOTPATH --start \
                    --exec \$SPAWNBIN -- -s \$FCGIWRAPSOCK \
                    -u \$USER -g \$USER -P /var/run/fcgiwrap.pid \$FCGIWRAPBIN || true

        	echo -n \"fcgiwrap started with pid \"; cat \$CHROOTPATH/var/run/fcgiwrap.pid ; echo
        fi

        ;;
  stop)
        echo \"Stopping \$DESC ---\"
	if [ -e \$CHROOTPATH/var/run/nginx.pid ]
	then
		kill \`cat \$CHROOTPATH/var/run/nginx.pid\`
		if [ \$? -ne 0 ]
		then
			echo  -n \"couldn't kill nginx - found running pid \" ; \`cat \$CHROOTPATH/var/run/nginx.pid\`;echo
		else
                	echo \"stopping nginx\"
		fi
        else
                echo \"nginx is not running, no pid file in /var/run/\"
        fi

        if [ \$PHP5SUPPORT -eq 1 ]
        then
            if [ \$PHPSUPERVISE -eq 1 ]
            then
                svc -d /etc/service/spawn-fcgi-$target
                echo \"spawn-fcgi and php5 stopped under supervise\"
            else
                if [ -e \$CHROOTPATH/var/run/php5-cgi.pid ]
                then
                    ps -p \`cat \$CHROOTPATH/var/run/php5-cgi.pid\` 2>&1 1>/dev/null
                    if [ $? -ne 0 ]
                    then
                        echo \"php5-cgi process not running\"
                    else
                        kill \`cat \$CHROOTPATH/var/run/php5-cgi.pid\`
                		if [ \$? -ne 0 ]
                		then
		    	            echo  -n \"couldn't kill php5-cgi - pid=\";\`cat \$CHROOTPATH/var/run/php5-cgi.pid\`;echo
                		else
                        	echo \"php5-cgi has been stopped\"
            		    fi
                    fi
                else
                    echo \"no php5-cgi pid file in /var/run/\"
                fi
            fi
        fi

        if [ \$FCGIWRAPSUPPORT -eq 1 ]
        then
            if [ -e \$CHROOTPATH/var/run/fcgiwrap.pid ]
            then
                ps -p \`cat \$CHROOTPATH/var/run/fcgiwrap.pid\` 2>&1 1>/dev/null
                if [ $? -ne 0 ]
                then
                    echo \"fcgiwrap process not running\"
                else
                    kill \`cat \$CHROOTPATH/var/run/fcgiwrap.pid\`
                	if [ $? -ne 0 ]
                	then
		    	        echo  -n \"couldn't kill fcgiwrap - pid=\";\`cat \$CHROOTPATH/var/run/fcgiwrap.pid\`;echo
                	else
                       	echo \"fcgiwrap has been stopped\"
            		fi
                fi
            else
                echo \"no fcgiwrap.pid file in /var/run/\"
            fi
        fi
            
        ;;
  restart)
        echo -n \"Restarting \$DESC: \"
	\$0 stop
        sleep 1
	\$0 start
        ;;
  configtest)
        echo -n \"Testing \$DESC configuration: \"
        if test_nginx_config
        then
          echo \"\$NAME.\"
        else
          exit \$?
        fi
        ;;
  status)
        status_of_proc -p \$CHROOTPATH/var/run/nginx.pid \"\$NGINXDAEMON\" nginx && exit 0 || exit $?
    " >> /etc/init.d/control-$target

if [ $phpsupport -eq 1 ]
then
    echo "
        status_of_proc -p \$CHROOTPATH/var/run/php5-cgi.pid \"\$PHP5BIN\" php5-cgi && exit 0 || exit $?
    " >> /etc/init.d/control-$target
fi

    echo "
        ;;
  *)
        echo \"Usage: \$0 {start|stop|restart|status|configtest}\" >&2
        exit 1
        ;;
esac
exit 0

" >> /etc/init.d/control-$target

	if [ -e /etc/init.d/control-$target ]
	then
		chmod +x /etc/init.d/control-$target
	else
		echo "couldn't create control file /etc/init.d/control-$target"
		exit 1
	fi
}

usage(){
	echo "Chroot installation script"
	echo "Syntax: $0 <site name>"
    echo "example: $0 chroot-example"
    echo "this will initiate the creation of $chroot_container/chroot-example"
	exit 1
}

[ $# -ne 1 ] && usage
[ $UID -ne 0 ] && echo "You need to be root to launch this program" && usage

target=$1
[ -d $chroot_container$target ] && echo "Target already exist !" && exit 1

echo -n "This is going to install a chroot environment in $chroot_container$target. Do you want to continue ? y/n > "
read response
if [ $response != "y" ]
then
	exit 1
fi

# create the environment
install_env "${target}"

# get some information from the administrator before we start
port_available=$(netstat -taupen|grep :50|grep LISTEN|awk '{print $4}'|cut -d : -f 2|sort|tail -n 1)
port_available=$(( $port_available + 1 ))

echo -n "Nginx listening port ($port_available seems available) ? > "
read nginxport

echo -n "What will the FQDN of the server be ? (example.com) ? > "
read fqdn

echo -n "Do you want chrooted php support ? y/n > "
read response
if [ $response == "y" ]
then
    phpsupport=1
	echo -n "Which port should php cgi listen on ? > "
	read phpport


	echo -n "Would you like to install php5-mysql support in the chroot ? y/n > "
	read response
	if [ $response == "y" ]
	then
		install_mysql "${target}"
	fi
else
    phpsupport=0
fi


if [ $phpsupport -eq 1 ]
then
	install_php "${target}"

	echo -n "Would you like to add to supervise php using daemon-tools 'supervise' ? y/n > "
	read response
	if [ $response == "y" ]
	then
        phpsupervise=1
		create_supervised_config "${target}"
	else
        phpsupervise=0
	fi
fi


echo -n "Do you want chrooted fcgiwrap support ? y/n > "
read response
if [ $response == "y" ]
then
    fcgiwrapsupport=1
	install_fcgiwrap "${target}"
else
    fcgiwrapsupport=0
fi

echo -n "Do you want perl support ? y/n > "
read response
if [ $response == "y" ]
then
	install_perl "${target}"
    echo -n "Also want Mojolicious ? y/n > "
    read response
    if [ $response == "y" ]
    then
        install_mojolicious "${target}"
    fi
fi

# call installation functions
install_nginx "${target}"
create_control "${target}"

echo -n "Would you like to add this server to startup runlevel 2 ? y/n > "
read response
if [ $response == "y" ]
then
	SAVEPWD=`pwd`
	cd /etc/rc2.d
	ln -s ../init.d/control-$target S17control-$target
	cd /etc/rc6.d
	ln -s ../init.d/control-$target K01control-$target
	cd $SAVEPWD
fi

echo -n "Would you like to create a logrotate rule for this server ? y/n > "
read response
if [ $response == "y" ]
then
	echo "$chroot_container$target/var/log/nginx/*.log {
        daily
        missingok
        rotate 7
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
                [ ! -f $chroot_container$target/var/run/nginx.pid ] || kill -USR1 \`cat $chroot_container$target/var/run/nginx.pid\`
        endscript
}" > /etc/logrotate.d/$target
fi

echo "The installation of the chroot environment is finished."
echo "To control the environement, use the script located at /etc/init.d/control-$target (outside the chroot)"

exit 0


en/ressources/articles/script_chroot_nginx.txt · Last modified: 2011/04/19 00:28 (external edit)
CC Attribution-Noncommercial-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0