What I want to do:
Get Nginx to serve PHP files through FastCGI (FPM) from within a chroot jail created using debootstrap.
The problem:
Every function that resolves hostnames to IP addresses fails with "php_network_getaddresses: getaddrinfo failed: Name or service not known". What's so odd about this is that there's no problem resolving hostnames from a chrooted shell.
What I did so far:
- I disabled the firewall outside the jail.
- I copied /etc/resolv.conf, /etc/nsswitch.conf and some other files (which I found here) into the jail. (All of which were already there thanks to Debootstrap, but I replaced them anyways!)
- I added "nameserver 8.8.8.8" and "nameserver 8.8.4.4" to /etc/resolv.conf. (I haven't done this before, because the nameservers were properly provided by the DHCP server!)
- I added "domain localhost" to /etc/resolv.conf and "127.0.0.1 localhost" to /etc/hosts.
- I installed a nameserver inside the jail.
- I installed a nameserver outside the jail (oops).
- I mounted /proc inside the jail.
Needless to say, nothing actually fixed the problem, so please help me.
All the steps needed to reproduce this:
- Install Debian Wheezy from debian-7.4.0-amd64-netinst.iso and use the default settings for everything except for Software selection; leave only Standard system checked there.
- Realize that not picking a less distant mirror was a mistake.

    vi /etc/apt/sources.list

  and make the file look like this:

    deb http://ftp.de.debian.org/debian/ wheezy main contrib non-free
    deb-src http://ftp.de.debian.org/debian/ wheezy main contrib non-free
    deb http://security.debian.org/ wheezy/updates main
    deb-src http://security.debian.org/ wheezy/updates main
    deb http://ftp.de.debian.org/debian/ wheezy-updates main
    deb-src http://ftp.de.debian.org/debian/ wheezy-updates main

- Make sure everything is up to date prior to installing Debootstrap, Nginx and PHP-FPM.

    aptitude update && aptitude -y full-upgrade
    aptitude -y install debootstrap nginx php5-fpm

- Use Debootstrap to create the chroot jail for the website.

    debootstrap wheezy /srv/localhost http://ftp.de.debian.org/debian/

- Create a directory called www with a test file inside the previously created jail and make www-data the owner.

    mkdir /srv/localhost/srv/www
    echo "<?php fsockopen('ftp.de.debian.org'); ?>" > /srv/localhost/srv/www/index.php
    chown -R 33:33 /srv/localhost/srv/www

- Configure and enable the site.

    vi /etc/nginx/sites-available/localhost

  and make the file look like this:

    server {
        listen 127.0.0.1:80;
        server_name localhost;
        root /srv/localhost/srv/www;
        index index.html index.htm index.php;

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/run/localhost.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
            include fastcgi_params;
        }

        location / {
            try_files $uri $uri/ /index.html;
        }

        location ~* \.(jpg|jpeg|gif|png|css|js|ico)$ {
            access_log off;
        }

        location = /favicon.ico {
            log_not_found off;
        }

        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }
    }

  then enable it:

    ln -s /etc/nginx/sites-available/localhost /etc/nginx/sites-enabled/

- Make slight adjustments to the FastCGI parameters provided by Nginx.

    vi /etc/nginx/fastcgi_params

  and make the file look like this:

    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param HTTPS $https if_not_empty;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param REDIRECT_STATUS 200;

- Create a PHP-FPM pool(?) for the site.

    vi /etc/php5/fpm/pool.d/localhost.conf

  and make the file look like this:

    [localhost]
    user = www-data
    group = www-data
    listen = /var/run/localhost.sock
    listen.allowed_clients = 127.0.0.1
    pm = ondemand
    pm.max_children = 5
    pm.process_idle_timeout = 300s
    pm.max_requests = 500
    ;access.log = log/$pool.access.log
    ;access.format = "%R - %u %t \"%m %r\" %s"
    chroot = /srv/localhost/srv
    chdir = /
    ;catch_workers_output = yes
    ;security.limit_extensions = .php .php3 .php4 .php5
    php_flag[display_errors] = on
    php_admin_flag[log_errors] = on
    php_admin_value[error_log] = /var/log/php.log
    php_admin_value[memory_limit] = 32M
    php_admin_value[session.save_path] = /tmp
    env[HOSTNAME] = $HOSTNAME
    env[PATH] = /usr/local/bin:/usr/bin:/bin
    env[TMP] = /tmp
    env[TMPDIR] = /tmp
    env[TEMP] = /tmp

- Remove the Nginx and PHP-FPM configuration examples.

    rm /etc/nginx/sites-enabled/default /etc/php5/fpm/pool.d/www.conf

- Restart the PHP-FPM and the Nginx service.

    service php5-fpm restart && service nginx restart

- Inspect the output.

    wget -qO- http://localhost

  prints:

    <br />
    <b>Warning</b>: fsockopen(): php_network_getaddresses: getaddrinfo failed: Name or service not known in <b>/www/index.php</b> on line <b>1</b><br />
    <br />
    <b>Warning</b>: fsockopen(): unable to connect to ftp.de.debian.org:80:-1 (php_network_getaddresses: getaddrinfo failed: Name or service not known) in <b>/www/index.php</b> on line <b>1</b><br />

- Chroot into the jail, just to see that there's no problem with resolving hostnames.

    chroot /srv/localhost/
    ping -c1 ftp.de.debian.org

  prints:

    PING ftp.de.debian.org (141.76.2.4) 56(84) bytes of data.
    64 bytes from ftp.de.debian.org (141.76.2.4): icmp_req=1 ttl=56 time=15.1 ms

    --- ftp.de.debian.org ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 15.137/15.137/15.137/0.000 ms
[1] All occurrences of my actual domain have been replaced with localhost and those of my actual IP address with 127.0.0.1.
[2] I've exported the Oracle® VirtualBox appliance and uploaded it to Mega.co.nz (root password is password) for everyone who's really, really eager to help me here.
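A check worth running on this setup: chrooted PHP-FPM workers resolve names from inside the directory named by the pool's "chroot =" directive (here /srv/localhost/srv), not from the directory you enter with the chroot command, and glibc's resolver needs etc/resolv.conf, etc/nsswitch.conf, etc/hosts and the libnss_*/libresolv libraries to exist under that root. The POSIX shell script below is an added example, not part of the question: it reads the chroot path from a pool file and lists what the resolver would find missing there; the library directory list is an assumption based on the Debian wheezy amd64 layout.

```shell
#!/bin/sh
# Added example (not from the question): list the files glibc's resolver
# needs that are missing from a PHP-FPM chroot. Inside the jail, getaddrinfo()
# reads etc/resolv.conf, etc/nsswitch.conf, etc/hosts and dlopen()s the
# libnss_* backends relative to the chroot root, not the host's /etc.

# Files the resolver reads, relative to the chroot root.
RESOLVER_FILES="etc/resolv.conf etc/nsswitch.conf etc/hosts"
# Libraries the "hosts: files dns" lookup chain loads at runtime.
RESOLVER_LIBS="libnss_files.so.2 libnss_dns.so.2 libresolv.so.2"
# Library directories to search (assumption: Debian wheezy amd64 layout).
LIB_DIRS="lib lib64 lib/x86_64-linux-gnu usr/lib usr/lib/x86_64-linux-gnu"

# Print the value of the "chroot = ..." directive in PHP-FPM pool file $1
# (empty output when the pool is not chrooted).
pool_chroot() {
    sed -n 's/^[[:space:]]*chroot[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print, one per line, the resolver files and libraries missing from the
# chroot rooted at $1. Prints nothing when everything is present.
missing_resolver_files() {
    root=$1
    for f in $RESOLVER_FILES; do
        if [ ! -f "$root/$f" ]; then echo "$f"; fi
    done
    for lib in $RESOLVER_LIBS; do
        found=0
        for d in $LIB_DIRS; do
            if [ -e "$root/$d/$lib" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$lib"; fi
    done
}

# Usage: sh check_pool_chroot.sh /etc/php5/fpm/pool.d/localhost.conf
if [ -n "${1:-}" ]; then
    root=$(pool_chroot "$1")
    if [ -z "$root" ]; then
        echo "$1: no chroot directive, workers use the host's /etc"
    else
        missing=$(missing_resolver_files "$root")
        if [ -z "$missing" ]; then
            echo "OK: $root has everything the resolver needs"
        else
            echo "Missing from $root:"; echo "$missing"
        fi
    fi
fi
```

Run it against the pool file after every change to the jail; a jail that passes this check but still fails usually points at something other than the resolver files, such as the socket or the chroot path itself.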