Articles in this section

How to add programs to chrooted shell environment template in Plesk?

Vincent Lauton
Updated
kb: how-to Plesk for Linux

Applicable to:

  • Plesk for Linux

Question

How to add programs to chrooted shell environment template in Plesk?

Answer

Note: If it becomes necessary to add too many programs to the chrooted environment, consider offering a hosting upgrade to dedicated or virtual servers.

  1. Connect to the server via SSH

  2. Run this to download and unpack the update-chroot script:

    # curl -o update-chroot.sh https://raw.githubusercontent.com/plesk/kb-scripts/master/update-chroot/update-chroot.sh && chmod 700 update-chroot.sh

    Some software won't work in a chroot environment. Refer to its documentation to make sure that it can be added to a chroot environment.

    These other articles have links to this script:
    https://support.plesk.com/hc/en-us/articles/12377475066391
    https://support.plesk.com/hc/en-us/articles/12377594375703
    https://support.plesk.com/hc/en-us/articles/12377589132951

  3. Add a program to the chrooted environment (examples below)

These examples require SSH access to the server, and the update-chroot.sh script to be downloaded and unpacked.

Note: Run ./update-chroot.sh --help for more options (e.g. locale)

SSH Client

To add the SSH command into the chrooted environment template, follow these steps.

  1. Add the terminal device inside the chrooted environment template:

    # ./update-chroot.sh --devices tty

    Note: Without access to /dev/tty, SSH will not be able to work.

  2. Add the SSH executable file itself:

    # ./update-chroot.sh --add ssh

  3. Apply changes to one or several specific domains:

    # ./update-chroot.sh --apply example-1.com example-2.com

    or to all domains at once:

    # ./update-chroot.sh --apply all

Now, it is possible to use SSH client while logged in as the domain's user.

PHP by OS vendor

Some programs need not just the libraries they link to, but also configuration files and plugins. PHP is one example of such a program.

Note: Adding PHP to the chrooted environment will not benefit the security of PHP scripts on the website, since PHP scripts are executed in a non-chrooted context by the web-server or by FPM process pool.

  1. PHP binary:

    # ./update-chroot.sh --add php

  2. Set the variable for the correct Plesk vhost path:

    # VHOSTS=`grep HTTPD_VHOSTS_D /etc/psa/psa.conf | awk '{print $2}'`

  3. Add timezone definitions:

    # mkdir $VHOSTS/chroot/usr/share
    # cp -a /usr/share/zoneinfo $VHOSTS/chroot/usr/share/zoneinfo

    Warning: Without them, PHP will produce the error whenever date/time functions are used:
    glibc detected php: free(): invalid pointer: 0x00007f11249fccd8 ***

  4. Add PHP extensions. They are not added on the first step because PHP binary does not depend on them:

    • For RHEL/CentOS:

      # for i in /usr/lib64/php/modules/*.so ; do ./update-chroot.sh --add $i ; done

    • For Ubuntu/Debian:

      # for i in /usr/lib/php/modules/*.so ; do ./update-chroot.sh --add $i ; done

    Note: The path to the modules directory differs between Linux distributions. To find out where PHP modules are stored on the server, run php -i | grep -E "^extension_dir"

  5. Copy the PHP configuration:

    # mkdir -p $VHOSTS/chroot/etc
    # cp -a /etc/php.ini /etc/php.d $VHOSTS/chroot/etc/

    Note: The path to the configuration files differs between Linux distributions. To find out where PHP configuration is stored, run php -i | grep -E "^Configuration File|^Scan this dir for additional"

  6. Set up default timezone in the main configuration file:

    # sed -i.bkp 's/;date.timezone =/date.timezone = Europe\/Zurich/' $VHOSTS/chroot/etc/php.ini

    Note: By default the date.timezone variable is not set, which can result in some PHP scripts failing to parse the output of date("r") call, because it will return a warning before returning date.

  7. Apply changes to one or several specific domains:

    # ./update-chroot.sh --apply example-1.com example-2.com

    or to all domains at once:

    # ./update-chroot.sh --apply all

    Note: Changes will not be applied if the Access to the server over SSH value in Plesk > Domains > example.com > Web Hosting Access differs from /bin/bash (chrooted).

Plesk PHP

Some programs need not just the libraries they link to, but also configuration files and plugins. PHP is one example of such a program.

Note: Adding PHP to the chrooted environment will not benefit the security of PHP scripts on the website (as PHP scripts are executed in a non-chrooted context by web-server or by FPM process pool).

  1. Set a variable for the PHP version that you want to add:

    # PHPPATH='/opt/plesk/php/7.4'

    Note: to find the available version use ls -d /opt/plesk/php/*

  2. Add the PHP binary:

    # ./update-chroot.sh --add $PHPPATH/bin/php

  3. Set the variable for the correct Plesk vhost path:

    # VHOSTS=`grep HTTPD_VHOSTS_D /etc/psa/psa.conf | awk '{print $2}'`

  4. Add timezone definitions:

    # mkdir $VHOSTS/chroot/usr/share
    # cp -a /usr/share/zoneinfo $VHOSTS/chroot/usr/share/zoneinfo

    Warning: Without them, PHP will produce the error whenever date/time functions are used:
    glibc detected php: free(): invalid pointer: 0x00007f11249fccd8 ***

  5. Add PHP extensions. They are not added on the first step because PHP binary does not depend on them.

    • For RHEL/CentOS/AlmaLinux:

      # for i in $PHPPATH/lib64/php/modules/*.so; do ./update-chroot.sh --add $i; done

    • For Ubuntu/Debian:

      # for i in $PHPPATH/lib/php/modules/*.so; do ./update-chroot.sh --add $i; done

  6. Copy the PHP configuration:

    # mkdir -p $VHOSTS/chroot$PHPPATH/etc/
    # cp -a $PHPPATH/etc/ $VHOSTS/chroot$PHPPATH/; rm -rf $VHOSTS/chroot$PHPPATH/etc/php-fpm.d

  7. Set up default timezone:

    # sed -i.bkp 's/;date.timezone =/date.timezone = Europe\/Zurich/' $VHOSTS/chroot/$PHPPATH/etc/php.ini

    Note: By default the date.timezone variable is not set, which can result in some PHP scripts failing to parse the output of date("r") call, because it will return a warning before returning date.

  8. Apply changes to one or several specific domains:

    Note: Changes will not be applied if the Access to the server over SSH value in Plesk > Domains > example.com > Web Hosting Access differs from "/bin/bash (chrooted)".

    Note: Use the full path to executable as user, e.g.: 
    # $PHPPATH/bin/php -v

    # ./update-chroot.sh --apply example-1.com example-2.com

    or to all domains at once:

    # ./update-chroot.sh --apply all

     

ldconfig

Note: ldconfig is automatically installed by update-chroot.sh 1.2 and newer when a new application is added to the template.

  1. Set the variable for the correct Plesk vhost path:

    # VHOSTS=`grep HTTPD_VHOSTS_D /etc/psa/psa.conf | awk '{print $2}'`

  2. Add required folders and files to the template:

    # cp -a /etc/ld.so.conf* $VHOSTS/chroot/etc

  3. Add ldconfig to the template to rebuild paths:

    # ./update-chroot.sh --add ldconfig

  4. Update the linker's configuration:

    # chroot $VHOSTS/chroot /bin/sh -c "ldconfig -v"

  5. Apply changes to subscriptions:

    # ./update-chroot.sh --apply all

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.