Applicable to:
- Plesk for Linux
Question
How to add programs to chrooted shell environment template in Plesk?
Answer
Note: If you notice that you have to add more and more software into the chrooted environment template for a few customers, you may want to consider offering them an upgrade for their hosting to dedicated or virtual servers.
-
Connect to the server via SSH.
-
Run the following commands to download and unpack the script attached to this article:
# curl -o update-chroot.sh https://raw.githubusercontent.com/plesk/kb-scripts/master/update-chroot/update-chroot.sh
# chmod 700 update-chroot.sh
Note: Execute
./update-chroot.sh --help
for other options, such as locale.
Warning: Not all software can operate in a chroot environment. Refer to the corresponding software's documentation to make sure that a particular program can be added to the chroot environment.
Please note that three other articles have links to this script:
https://support.plesk.com/hc/en-us/articles/115002140654
https://support.plesk.com/hc/en-us/articles/115002214365
https://support.plesk.com/hc/en-us/articles/115000879829
-
Refer to the following examples on how to add a program to the chrooted environment:
Note: Further examples require SSH access to the server and the update-chroot.sh script to be downloaded and unpacked.
SSH Client
To add an SSH command into the chrooted environment template, follow these steps:
-
Add the terminal device inside the chrooted environment template:
# ./update-chroot.sh --devices tty
Note: Without access to /dev/tty, SSH will not be able to work.
-
Add the SSH executable file itself:
# ./update-chroot.sh --add ssh
-
Apply changes to one or several specific domains:
# ./update-chroot.sh --apply example-1.com example-2.com
or to all domains at once:
# ./update-chroot.sh --apply all
Now, it is possible to use the SSH client while logged in as the domain's user.
Adding OS-provided PHP
Some programs require not only libraries with which the main binary is linked, but also configuration files and plugins. An example of such a program is PHP.
Note: Adding PHP to the chrooted environment will not benefit the security of PHP scripts on the website since PHP scripts are executed in a non-chrooted context by the web-server or by FPM process pool.
-
PHP binary:
# ./update-chroot.sh --add php
-
Set the variable for the correct Plesk vhost path:
# VHOSTS=`grep HTTPD_VHOSTS_D /etc/psa/psa.conf | awk '{print $2}'`
-
Add timezone definitions:
# mkdir -p $VHOSTS/chroot/usr/share
# cp -a /usr/share/zoneinfo $VHOSTS/chroot/usr/share/zoneinfo
Warning: Without them, PHP will produce the following error whenever date/time functions are used:
glibc detected php: free(): invalid pointer: 0x00007f11249fccd8 ***
-
Add PHP extensions. They are not added on the first step because PHP binary does not depend on them:
-
For RHEL/CentOS:
# for i in /usr/lib64/php/modules/*.so ; do ./update-chroot.sh --add $i ; done
-
For Ubuntu/Debian:
# for i in /usr/lib/php/modules/*.so ; do ./update-chroot.sh --add $i ; done
Note: The path to the modules directory differs between Linux distributions. To find out where PHP modules are stored on the server, run:
# php -i | grep -E "^extension_dir"
-
-
Copy the PHP configuration:
# mkdir -p $VHOSTS/chroot/etc
# cp -a /etc/php.ini /etc/php.d $VHOSTS/chroot/etc/
Note: The path to the configuration files differs between Linux distributions. To find out where PHP configuration is stored, run:
# php -i | grep -E "^Configuration File|^Scan this dir for additional"
-
Set up default timezone in the main configuration file:
# sed -i.bkp 's/;date.timezone =/date.timezone = Europe\/Zurich/' $VHOSTS/chroot/etc/php.ini
Note: By default the date.timezone variable is not set, which can result in some PHP scripts failing to parse the output of a date("r") call, because it will return a warning before returning the date.
-
Apply changes to one or several specific domains:
# ./update-chroot.sh --apply example-1.com example-2.com
or to all domains at once:
# ./update-chroot.sh --apply all
Note: Changes will not be applied if the Access to the server over SSH value in Plesk > Domains > example.com > Web Hosting Access differs from /bin/bash (chrooted).
Adding Plesk PHP
Some programs require not only libraries with which the main binary is linked, but also configuration files and plugins. An example of such a program is PHP.
Note: Adding PHP to the chrooted environment will not benefit the security of PHP scripts on the website (as PHP scripts are executed in a non-chrooted context by the web server or by the FPM process pool).
-
Set a variable for the PHP version that you want to add:
# PHPPATH='/opt/plesk/php/7.4'
Note: To find the available versions, use:
# ls -d /opt/plesk/php/*
-
Add the PHP binary:
# ./update-chroot.sh --add $PHPPATH/bin/php
-
Set the variable for the correct Plesk vhost path:
# VHOSTS=`grep HTTPD_VHOSTS_D /etc/psa/psa.conf | awk '{print $2}'`
-
Add timezone definitions:
# mkdir -p $VHOSTS/chroot/usr/share
# cp -a /usr/share/zoneinfo $VHOSTS/chroot/usr/share/zoneinfo
Warning: Without them, PHP will produce the following error whenever date/time functions are used:
glibc detected php: free(): invalid pointer: 0x00007f11249fccd8 ***
-
Add PHP extensions. They are not added on the first step because PHP binary does not depend on them.
-
For RHEL/CentOS:
# for i in $PHPPATH/lib64/php/modules/*.so; do ./update-chroot.sh --add $i; done
-
For Ubuntu/Debian:
# for i in $PHPPATH/lib/php/modules/*.so; do ./update-chroot.sh --add $i; done
-
-
Copy the PHP configuration:
# mkdir -p $VHOSTS/chroot$PHPPATH/etc/
# cp -a $PHPPATH/etc/ $VHOSTS/chroot$PHPPATH/; rm -rf $VHOSTS/chroot$PHPPATH/etc/php-fpm.d
-
Set up default timezone:
# sed -i.bkp 's/;date.timezone =/date.timezone = Europe\/Zurich/' $VHOSTS/chroot/$PHPPATH/etc/php.ini
Note: By default the date.timezone variable is not set, which can result in some PHP scripts failing to parse the output of a date("r") call, because it will return a warning before returning the date.
-
Apply changes to one or several specific domains:
# ./update-chroot.sh --apply example-1.com example-2.com
or to all domains at once:
# ./update-chroot.sh --apply all
Note: Changes will not be applied if the Access to the server over SSH value in Plesk > Domains > example.com > Web Hosting Access differs from "/bin/bash (chrooted)".
Note: Use the full path to executable as user, e.g.:
$ $PHPPATH/bin/php -v
Adding ldconfig
Note: ldconfig is automatically installed by update_chroot.sh 1.2 and newer when a new application is added to the template.
-
Set the variable for the correct Plesk vhost path:
# VHOSTS=`grep HTTPD_VHOSTS_D /etc/psa/psa.conf | awk '{print $2}'`
-
Add required folders and files to the template:
# cp -a /etc/ld.so.conf* $VHOSTS/chroot/etc
-
Add ldconfig to the template to rebuild paths:
# ./update-chroot.sh --add ldconfig
-
Update the linker's configuration:
# chroot $VHOSTS/chroot /bin/sh -c "ldconfig -v"
-
Apply changes to subscriptions:
# ./update-chroot.sh --apply all
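The following script is an added example, not part of the article or of update-chroot.sh: it audits a chroot template for two failures that come up on this page, a shared library that was not copied into the template and a script whose "#!" interpreter (such as /usr/bin/env) is missing from it. The function names and the default template path /var/www/vhosts/chroot are assumptions.

```shell
#!/bin/sh
# Added example, not part of update-chroot.sh. The default template path is an
# assumption; on Plesk derive it from HTTPD_VHOSTS_D in /etc/psa/psa.conf.

# Read `ldd` output on stdin; print every library that is unresolved on the
# host or whose resolved path does not exist under the template root $1.
missing_libs_from_ldd() {
    tpl=$1
    while read -r name arrow path rest; do
        [ "$arrow" = "=>" ] || path=$name          # "/lib64/ld-linux... (0x..)"
        if [ "$arrow" = "=>" ] && [ "$path" = not ]; then
            printf '%s\n' "$name"                  # "libx.so => not found"
            continue
        fi
        case "$path" in                            # vdso lines carry no path
            /*) [ -e "$tpl$path" ] || printf '%s\n' "$path" ;;
        esac
    done
}

# Print the "#!" interpreter of script $2 if it is absent from the template $1.
missing_interpreter() {
    interp=$(sed -n '1{s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p;q;}' "$2")
    [ -z "$interp" ] || [ -e "$1$interp" ] || printf '%s\n' "$interp"
}

# Prefix each finding read from stdin with the file ($1) and the kind ($2).
report() {
    while IFS= read -r item; do printf '%s: missing %s %s\n' "$1" "$2" "$item"; done
}

# Audit every owner-executable file in the template. Run it only against the
# root-owned template: ldd may execute the file's loader, so never point it at
# files a hosting user can write.
audit_chroot() {
    tpl=${1:-/var/www/vhosts/chroot}
    find "$tpl" -type f -perm -100 | while IFS= read -r f; do
        if out=$(ldd "$f" 2>/dev/null); then
            printf '%s\n' "$out" | missing_libs_from_ldd "$tpl" | report "$f" library
        else
            missing_interpreter "$tpl" "$f" | report "$f" interpreter
        fi
    done
}

# Run the audit only when a template path is given on the command line.
[ $# -eq 0 ] || audit_chroot "$1"
```

The check only confirms that the files exist in the template at the paths the host linker resolves; whether the linker inside the chroot finds them still depends on the ld.so.conf steps above.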
Comments
This instruction worked fine for me. For both Plesk Onyx as well as version 12.5.
One issue though: Executing php -v (or any other php command) resulted in errors that e.g. mysql.so could not be found.
The above adds the OS version of PHP to the chroot environment, not the PHP executables that are used for the websites.
I therefore replaced
./update_chroot.sh --add php
with
./update_chroot.sh --add /opt/plesk/php/7.1/bin/php
You may want to repeat that with other available php versions.
For convenience I also linked that php binary to usr/bin:
ln -s /opt/plesk/php/7.1/bin/php /var/www/vhosts/chroot/usr/bin/php
Afterwards, of course, do a ./update_chroot.sh --apply <domain>|all
Hello,
Could you please tell me if you did the step 3 with the Plesk PHP modules dir?
To ensure that the modules and dependent libraries for them are correctly loaded, please run the following command:
# ./update_chroot.sh --add `/opt/plesk/php/7.1/bin/php -i | grep "^extension_dir" | awk '{ print $3"/*" }'`
By doing that the error with mysql.so and other modules should be resolved.
If the error persists, however, I would like you to tell me what OS do you use, so I could test and debug the script.
Hi Alexandr,
yes, I performed step 3. And I'm running CentOS 7.1.
My problem description was unclear, let me add some detail.
After following your instructions (all steps, same on Plesk Onyx and 12.5), running php inside the chrooted environment results in the following:
I thought that this might be caused by the fact that I added only the OS version of PHP, not the ones provided by Plesk.
And indeed, adding e.g. /opt/plesk/php/7.0/bin/php to the chroot environment solves the issue completely:
I added a symbolic link from usr/bin/php to opt/plesk/php/7.0/bin/php to have that php version in the PATH.
With that, everything works fine inside chroot.
Now, running the command you suggested
doesn't seem to change anything. After executing it and applying the new chroot template, I still get the same warnings as above if I call the OS version (5.6) of php and everything works just fine for the Plesk php version (7.0).
The point is, because I want to use the same PHP version for delivering the website via http and when running some tests via PHP CLI within the chrooted shell, I'm not interested in getting the OS PHP version to work. As long as all the PHP versions from /opt/plesk/php are working, I'm happy.
Does that make sense? ;)
Christian Toller
tethis IT
Vienna, Austria
Hello,
Seems like CentOS 7 has a pretty different idea of which libraries should reside where. As a result, all mysql-related PHP modules which have a dependency on /usr/lib64/mysql/libmysqlclient.so.18 cannot find it.
The library libmysqlclient.so.18 is placed in /usr/lib64/mysql/, which is a non-standard location for a shared library, so locations for shared libraries on CentOS 7 are appended with /usr/lib64/mysql/.
update_chroot script (UPD: before 1.3), however, does not copy /etc/ld.so.conf and contents of /etc/ld.so.conf.d/ to the template, and as a result, OS-provided PHP cannot find the shared library throwing a bunch of warnings.
As a result, it can be resolved this way:
# cp -a /etc/ld.so.conf* /var/www/vhosts/chroot/etc
# ./update_chroot.sh --add ldconfig
# chroot /var/www/vhosts/chroot
# ldconfig -v
# ./update_chroot.sh --apply all
After that OS-provided PHP should not return any warnings:
# php -v
No entry for terminal type "screen-256color";
using dumb terminal settings.
PHP 5.4.16 (cli) (built: Nov 6 2016 00:29:02)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
with the ionCube PHP Loader (enabled) + Intrusion Protection from ioncube24.com (unconfigured) v5.0.18, Copyright (c) 2002-2015, by ionCube Ltd.
UPD: As an alternative, update_chroot.sh 1.3 or newer can be used to automatically configure linker paths in chroot environment.
I have run the above command. But I'm getting these errors. How to fix it please?
bash-4.2$ ./update_chroot.sh --add dash
bash: ./update_chroot.sh: /usr/bin/env: bad interpreter: No such file or directory
Senaka could you send me the output of ls /usr/bin/env ?
[root@coreservers ~]# ls /usr/bin/env
/usr/bin/env
Hello @Senaka,
Thank you.
This means that /usr/bin/env exists on your server.
Looks like initially, the command failed because it was executed not as the root user: "bash-4.2$ ./update_chroot.sh --add dash"
All the commands from the instruction are to be executed as root.
Hello,
The link to the tarball is not working right now:
~]$ wget https://plesk.zendesk.com/hc/article_attachments/360009607573/update_chroot.tar.gz
--2020-04-23 15:18:21-- https://plesk.zendesk.com/hc/article_attachments/360009607573/update_chroot.tar.gz
Auflösen des Hostnamen »plesk.zendesk.com (plesk.zendesk.com)«... 104.16.54.111, 104.16.53.111, 104.16.52.111, ...
Verbindungsaufbau zu plesk.zendesk.com (plesk.zendesk.com)|104.16.54.111|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 404 Not Found
2020-04-23 15:18:21 FEHLER 404: Not Found.
Just shows a blank page in browser; no download is starting.
Greetings,
I am trying to get the "screen" command working within the chrooted
I tried running the: "./update_chroot.sh --add screen" and then the --apply all to bring screen into the domains...
when trying to start screen in the chrooted I am having issues that it states that "Must be connected to a Terminal.".
As of some google stuff it says to mount (bind) the /dev/pts... as of trying this it results in:
chrootmng: cannot link "/var/www/vhosts/<domain>/dev/pts/0": Invalid cross-device link
also tried some other ways like linking or copying stuff... but not working... any ideas how to get screen in the chrooted?
Regards
Hi Ops-team,
Thanks, I've updated the article.
Hi Michael F.,
According the script, the available devices that can be added are: "tty", "urandom", "random", "null", "ptmx" and "zero".
pts isn't one of the ones available, and I'm not sure if this is possible.
Amazing! Thank you very much. I was about to remove chroot for CD/CI reasons when I found this.
I dug through so many internet threads on adding rsync to Plesk ssh but all answers were just "use ftp"
Below did the trick:
./update_chroot.sh --add rsync
./update_chroot.sh --apply all
Once these commands update the chroot environment at /var/www/vhosts/chroot, I take it these auto-apply to any future created subscriptions? Is there a good way to reset the chroot to Plesk defaults after having done all of this? We wish to allow access to PHP or Node binaries (for example) to only select chrooted shell accounts/subscriptions but then ensure future created subscriptions do not have those utilities by default (as it takes up a few hundred MB on disk each time).
Hello Jordan Schelew
The script attached to this article update_chroot.sh includes many functions and should help to achieve your goals.
The full list of script options may be displayed with "./update_chroot.sh --help".
> We wish to allow access to PHP or Node binaries (for example) to only select chrooted shell accounts/subscriptions but then ensure future created subscriptions do not have those utilities by default (as it takes up a few hundred MB on disk each time).
Try this option:
./update_chroot.sh --apply [[domain] ... | all]
Apply new chrooted template to specific domains or all domains with
enabled chrooted shell. This operation is necessary to apply changes done
by '--install', '--add' and '--devices' commands.
> Is there a good way to reset the chroot to Plesk defaults after having done all of this?
./update_chroot.sh --rebuild
Remove old template from all domains, rebuild it from scratch and
reapply it. Only applications from /bin will be reinstalled.
Please note that if you add "/proc" to the chrooted shell environment template using this script, the Plesk backup will show the following warning while performing backup of subscriptions that use chroot:
Not all the data was backed up into /var/lib/psa/dumps/clients/USER/domains/DOMAIN successfully. Total space: 2742.00 GB; Available space: 1943.00 GB; Mounted on: /. For security reasons, backing up is performed on behalf of subscription's system user. This system user has no read access to: /var/www/vhosts/DOMAIN/proc/1/fd
and many similar
Anyone have any success adding sendmail to a chroot environment?
Any application i try to add via:
./update_chroot.sh --add dash
(dash/php etc) all fail with the error WARNING: Could not find dash
ERROR : php was not installed due to the previous errors.
Please advise on what I can do.
I simply need composer and direct env access to php from the user's shell (this is a single user system)
Best Regards
As I found out the hard way:
You need to add the content of /usr/lib/x86_64-linux-gnu/gconv/* to your chroot-environment, otherwise iconv() will fail with something like "Notice: iconv(): Wrong charset, conversion from `utf-32le' to `utf-8' is not allowed"
BR
You can also add a soft link, so the user does not have to type the full path. Go to the vhost directory, i.e.:
cd /var/www/vhosts/mydomain.com/bin
ln -s /opt/plesk/php/7.4/bin/php php
The user can then type:
php -v
instead of
/opt/plesk/php/7.4/bin/php -v
For additional PHP SSL Commands like openssl_pkey_new there should be also valid openssl.cnf file to prevent OpenSSL errors (error:02001002:system library:fopen:No such file or directory).
In your chrooted env you can get the correct path by:
Add the config to the chrooted template:
Don't forget to apply the new configuration to all vhosts:
Ivan Postnikov Maybe you should consider adding this to your original "Adding Plesk PHP" :)
is there a way to remove an added command? example:
Is there a way to add composer to the chroot environment?
This doesn't work:
# ./update_chroot.sh --add composer
'/bin/composer' -> '/var/www/vhosts/chroot/bin/composer'
# ./update_chroot.sh --add /usr/lib64/plesk-9.0/composer.phar
'/usr/lib64/plesk-9.0/composer.phar' -> '/var/www/vhosts/chroot/usr/lib64/plesk-9.0/composer.phar'
# ./update_chroot.sh --apply all
# su - user
$ composer
/bin/composer: /usr/lib64/plesk-9.0/composer.phar: /usr/bin/env: bad interpreter: No such file or directory
@maartenv
The error says `/usr/bin/env: bad interpreter: No such file or directory`. This means that `/usr/bin/env` isn't available in your chrooted environment, which is depended on by `composer.phar`.
For Composer, this has worked for us:
I think you have changed the chroot file to update-chroot.sh but the old name is mentioned in the article under step 2 and step 3 in the Note.
Hi, does anyone have an example to add dotnet to chrooted shell? I would like to run scheduled tasks with dotnet command.
Can we add datetime for logging?
python for initialisation/pip install?