0

Ok, so first off I'm pretty sure there's gonna be a load of "additional info" requests so please post them in the OP comments and I'll do my best to provide extra info on request!

Here's the skinny, first the server :

It is a shared staging server, Ubuntu 16.4 LTS with Apache 2.4, PHP 7.1, MySQL 5.7. It has Webmin, Virtualmin and Usermin installed (latest). It also has phpMyAdmin installed globally. It's configured to allow sites to be served with mod_php (using www-data), CGI, FCGI (default) or FPM+FCGI. CGI/FPM variants use suEXEC to execute the sites. The web server itself works perfectly.

So, the task now is to set up a Chroot jail to allow an existing domain user to SSH or SFTP but only see their Home directory which is already populated with a latest Magento 2 install.

In this example we'll use these details :

User = domain
Group = domain
Home Dir = /home/domain/
Chroot = /var/chroot/

Now, I can set up the chroot fine. What I've done is copy the relevant lib/var/usr files needed, and allowed the commands ls, bash, sh, rm, rmdir, mkdir, touch, vi & php.

It took some work but I got the PHP command working (after finding all the module dependencies) almost correctly.

The chroot jail is fine, I mounted /home/domain to /var/chroot/home/domain so that's fine. The user is effectively jailed and can see the user's home directory and thus can access all the website files no problems.

Database-wise I left out the mysql commands as we have phpMyAdmin available globally so they can log into the relevant database only using the dedicated domain MySQL user. No probs.

The real problem comes with Magento 2. Here as we know you use command line tools to do things like cache refreshes, index building and other deployment tasks, some examples :

domain@server:/home/domain/public_html# php bin/magento cache:flush
domain@server:/home/domain/public_html# php bin/magento indexer:reindex
domain@server:/home/domain/public_html# php bin/magento setup:static-content:deploy en_US

As we can see these commands are run through the PHP CLI interpreter, hence all the work getting PHP to work right on the jailed CLI.

At first I was getting database issues with cache:flush etc. but with some fiddling of the php.ini for the CLI (I copied the FCGI one from the user's home into the jailed location) and some "finding the right mysql.sock" I fixed that up no probs (well, some probs but fixed it!)

The actual question

I have a problem with indexer:reindex. With root permissions there's no problem, however within the chroot as the user domain for some reason the command throws errors for all but the first index. Here's the result:

-bash-4.3$ cd /home/domain/public_html/
-bash-4.3$ php bin/magento indexer:reindex
Design Config Grid index has been rebuilt successfully in 00:00:00
Customer Grid indexer process unknown error: 
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Category Products indexer process unknown error:
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Product Categories indexer process unknown error:
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Product Price indexer process unknown error:
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Catalog Rule Product indexer process unknown error:
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Catalog Product Rule indexer process unknown error:
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22
Catalog Search indexer process unknown error:
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_mfn527a808ntv8e3g9glcjg8aq, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22

Ok, said I, this is some sort of session creation fail followed by the indexer not being able to read the session that failed to create. Explains why the first one works but subsequent ones fail. I attempted to mount the default session directory for PHP into the chroot jail, so I mounted /var/lib/php/ to /var/chroot/var/lib/php. This directory has the sticky bit so I thought rather than create I'd mount.

Still no dice. I thought, well, what if I reindex one at a time:

-bash-4.3$ php bin/magento indexer:reindex customer_grid
Customer Grid indexer process unknown error:
Warning: SessionHandler::read(): open(/home/domain/tmp/sess_en89p7h50m9mc1a0pb8l3c3tv1, O_RDWR) failed: No such file or directory (2) in /home/domain/public_html/vendor/magento/framework/Session/SaveHandler/Native.php on line 22

Still no dice. I am struggling to see what it is actually struggling with, where it's getting this supposed session ID, where it is supposed to be creating the session file and where / what logs I can look at for information!

Can anyone offer up any sort of suggestion for me to move forward and master SH jailing of a user of a Magento 2 site?

Blatant
  • 1
    You could use a docker container for this, and use a reverse proxy to pass requests from the host server to the container server. It's way easier to setup and maintain than a chroot jail. – ThoriumBR Oct 27 '17 at 18:08
  • Thanks for the suggestion, that sounds reasonable however you have to remember to save the docker image out to the repo or you'll lose any changes that session. I admit I'm not 100% on docker but I am quite drilled with Unix so went with what I knew. But thanks again for the suggestion, if you have a link I'd appreciate that! – Blatant Oct 27 '17 at 18:22
  • 1
    You don't have to save the container to preserve the files. You can mount an external directory inside the container, every file written inside the container will be preserved outside. Do a quick search for `docker volume`, it's a nice feature. – ThoriumBR Oct 27 '17 at 19:31

2 Answers

0

Try ls -l /home/domain/ and ls -l /home/domain/tmp, looks like you have directories with wrong permissions, wrong ownership, or both.

PHP is trying to access a session file, and fails. Either the file exists and domain does not have read access, or the file does not exist and domain does not have write permissions on the directory.

ThoriumBR
  • Thanks again ThoriumBR, this turned out not to be my issue (own answer coming up!) but you are basically right in that I got my paths and permissions completely messed up! – Blatant Oct 27 '17 at 18:23
0

Answering my own question as I've managed to get through the issue.

2 things wrong :

  1. Firstly, so that in the chroot I'm not messing with the php-cli settings for the rest of the server, I copied php.ini over into the jail. I then duly set the session save path to a directory without the sticky bit.

This is why I could create the session file in /var/lib/php/sessions as root but when in the chroot jail it couldn't, because it was putting it to the wrong place with the wrong permissions.

So updated the correct php.ini and reviewed permissions, happy days we got a session! indexer:reindex is working a treat!

  2. So onto the biggun, setup:static-content:deploy, well all I can say is "you know when the script throws so many errors you can't get to the top of it in the CLI?", yea this. Erk :/

This was down to (eventually located) my poor keyboard skills. When I mounted the user directory in the jail, I mistyped the directory name so the path /home/domain/public_html was not /home/domain/public_html in the jail. A quick remounting and all was well again.

So now problem solved, thanks to ThoriumBR for his useful suggestions! Lessons learned and hopefully this story might help some others.

Blatant
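Both faults in the answer above (a session.save_path that does not resolve to a usable directory inside the jail, and a mistyped mount point) can be checked from the host before handing the jail to the user. The script below is an added example, not part of the original posts; the function names are hypothetical, and the demo builds a constructed throwaway jail using the paths quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: verify a chroot's PHP CLI session setup from the host side.
# Run it as the jailed user (e.g. via sudo -u) so the -w test reflects their rights.

# Print the directory from the last active session.save_path line of a php.ini,
# dropping an optional "N;" or "N;MODE;" prefix and surrounding quotes.
ini_session_path() {
    sed -n -E 's/^[[:space:]]*session\.save_path[[:space:]]*=[[:space:]]*"?([^";]*;)*([^";]*)"?[[:space:]]*$/\2/p' "$1" | tail -n 1
}

# check_jail_sessions <jail_root> <php.ini used inside the jail>
# Prints one status line; returns 0 only if the directory exists and is usable.
check_jail_sessions() {
    local jail="${1%/}" path dir
    path=$(ini_session_path "$2")
    [ -n "$path" ] || { echo "UNSET"; return 1; }
    dir="$jail$path"                      # where the jailed process will really look
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    { [ -w "$dir" ] && [ -x "$dir" ]; } || { echo "NOT_WRITABLE $dir"; return 3; }
    echo "OK $dir"
}

# missing_in_jail <jail_root> <path>... : print each path absent inside the jail.
missing_in_jail() {
    local jail="${1%/}" p
    shift
    for p in "$@"; do [ -e "$jail$p" ] || echo "$p"; done
}

# Constructed demo: a temporary jail with a mistyped mount point and no session dir.
demo() {
    local jail
    jail=$(mktemp -d)
    mkdir -p "$jail/etc/php" "$jail/home/domain/public_htm"   # typo on purpose
    printf '%s\n' ';session.save_path = "/var/lib/php/sessions"' \
                  'session.save_path = "/home/domain/tmp"' > "$jail/etc/php/php.ini"
    check_jail_sessions "$jail" "$jail/etc/php/php.ini" || true
    missing_in_jail "$jail" /home/domain/public_html /home/domain/tmp
    rm -rf "$jail"
}
demo
```

Passing `/` as the jail root runs the same checks from a shell inside the jail.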