I have configured an Ubuntu webserver with Nginx + PHP5-FPM. I have created a chrooted environment (using jailkit) that I'm tossing my developers into, from where they can develop their test applications.

Chroot jail: /home/jail

Nginx and PHP5-FPM run outside the chroot, but are configured to function with websites within the chrooted environment.

So far, Nginx and PHP5-FPM are serving up files without issue, except for the following: When attempting to connect to MySQL, we receive this error: SQLSTATE[HY000] [2002] Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'

Now, I believe the issue is due to the non-chrooted php.ini referencing mysqld.sock outside of the chroot environment (it's actually using the MySQL default setting currently).

My question is, how can I configure PHP to access MySQL via loopback or similar? (Found that as a suggestion in a Google result, but without any instructions.)

Or if I'm missing some other obvious setting, let me know. If there's an option of creating a hardlink (that would remain available even if mysql is restarted), that would be handy as well.

peterh
Jon L.

4 Answers

I solved my own issue. Jailkit couldn't create a hard link reference to mysqld.sock, as Ubuntu stores /var/run in tmpfs, which appears to the system to be a separate partition (which breaks hardlink functionality). I am instead now mounting /var/run/mysqld in the jail, like so:

 mount --bind /var/run/mysqld /home/jail/var/run/mysqld/

Jon L.

How about using 127.0.0.1 as the host value? It uses a TCP connection, which doesn't write a socket (unlike the localhost value on Unix).

pevik

Remounting using --bind for the chroot looks like a workable suggestion. However, IMHO connecting to MySQL using a TCP socket (127.0.0.1) seems cleaner, more secure and less likely to go wrong.

The reason I say that is that various sources including http://blog.dispatched.ch/postfix-and-mysql-debian/ and https://stackoverflow.com/questions/11389214/postfix-cant-connect-with-mysql-table-when-using-unix-socket-postmap-succeeds suggest adding to the fstab:

 /var/run/mysqld /home/jail/var/run/mysqld bind defaults,bind 0 0

Be cautious with that: Debian at least cleans out /var/run on reboot, so the mount will fail at boot time, and so will your service. Of course you could instead use:

 /var/run /home/jail/var/run bind defaults,bind 0 0
Cedric Knight
  • Works like a charm. But really ... is there no easier solution? Why does MySQL need a socket at all, when the communication runs via localhost:3306, anyway? – BurninLeo Jun 15 '18 at 06:56
  • Okay, found out it IS easier (https://serverfault.com/a/337844/100194), just use an IP address (`127.0.0.1`) as MySQL host in mysqli_connect(), instead of `localhost`. This requires slightly more resources, but the difference should be negligible. – BurninLeo Jun 15 '18 at 06:59
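
As an added example (not part of any answer on this page), a script that performs the bind mount discussed above at boot without relying on an fstab entry: it skips the mount when it is already in place and fails cleanly when /var/run/mysqld does not exist yet. The function names and the MOUNTS_FILE override are assumptions made for this example; the paths are the ones from the question.

```shell
#!/bin/sh
# Added example: idempotent bind mount of the MySQL socket directory into a chroot.
# SRC and JAIL default to the paths from the question; MOUNTS_FILE is a
# hypothetical override so the logic can be exercised against a sample file.
SRC=${SRC:-/var/run/mysqld}
JAIL=${JAIL:-/home/jail}
MOUNTS_FILE=${MOUNTS_FILE:-/proc/self/mounts}

# Return 0 if path $1 is listed as a mount point (field 2) in $MOUNTS_FILE.
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Print the action needed for source $1 and target $2:
#   missing-source   source directory absent (e.g. tmpfs wiped, mysqld not started)
#   already-mounted  target is already a mount point, nothing to do
#   mount            a bind mount is required
plan_bind() {
    if [ ! -d "$1" ]; then
        echo missing-source
    elif is_mounted "$2"; then
        echo already-mounted
    else
        echo mount
    fi
}

# Create the jail-side directory and bind-mount the socket directory onto it.
bind_socket_dir() {
    mkdir -p "$JAIL$SRC" || return 1
    # Resolve symlinks (e.g. /var/run -> /run) so the path matches the mount table.
    dst=$(readlink -f "$JAIL$SRC")
    case $(plan_bind "$SRC" "$dst") in
        missing-source)
            echo "$SRC does not exist; start MySQL first" >&2
            return 1 ;;
        already-mounted)
            return 0 ;;
        mount)
            mount --bind "$SRC" "$dst" ;;
    esac
}

# Only touch the system when explicitly asked to: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    bind_socket_dir
fi
```

Run it as root after MySQL has started, for example from an init script ordered after the MySQL service.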
You can control MySQL's socket via the socket option in your my.cnf file.

socket = /home/jail/var/run/mysqld/mysqld.sock
hobodave
  • That's a valid suggestion, but my concern is that /home/jail could be "volatile". Any suggestion on how to modify /etc/jailkit/jk_init.ini to force jailkit to create a hardlink to the mysqld.sock file, or some other jailkit compatible solution that doesn't risk the MySQL server if the jail is (for instance) completely deleted and rebuilt? – Jon L. Feb 01 '11 at 16:07