让nginx在CentOS下以chroot的方式运行

僤鯓⒐⒋嵵緔 提交于 2020-04-22 08:30:45

实验环境为64位的CentOS6.4,nginx使用官方最新稳定版的,

下载源码包

# wget http://nginx.org/download/nginx-1.6.2.tar.gz

[root@2core local]# tar zxvf nginx-1.6.2.tar.gz

隐藏nginx的真实版本,修改nginx显示版本及名称, 

[root@2core nginx-1.6.2]# vi /usr/local/nginx-1.6.2/src/core/nginx.h

#define NGINX_VERSION      "1.6.2"  /*版本号,自己改*/
#define NGINX_VER          "Your string here" /*显示版本时直接显示此字符串*/

增加用户
#groupadd nginx
#useradd -g nginx nginx
[root@2core nginx-1.6.2]# cd /usr/local/nginx-1.6.2
[root@2core nginx-1.6.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_gzip_static_module --http-log-path=/var/log/nginx/access.log

#make

#make install

安装完成,测试是否能正常启动

# /usr/local/nginx/sbin/nginx
[root@2core nginx-1.6.2]# ps auxf|grep nginx   //检查nginx是否正常启,也可以http://ip 访问确认,注意iptables也是打开了相关的端口
root 7740 0.0 0.0 103240 852 pts/0 S+ 16:28 0:00 \_ grep nginx 
root 7649 0.0 0.0 20212 604 ? Ss 16:26 0:00 nginx: master process /usr/local/nginx/sbin/nginx 
nginx 7650 0.0 0.1 20636 1476 ? S 16:26 0:00 \_ nginx: worker process


一切正常,下面开始实施chroot,
1、建立一个chroot运行牢笼(Jail)根目录,比如/nginx
#D=/nginx
#mkdir -p $D
2、建立一个独立的运行环境,nginx将被限制在这环境下运行
mkdir -p $D/etc
mkdir -p $D/dev
mkdir -p $D/var
mkdir -p $D/usr
mkdir -p $D/usr/local/nginx
mkdir -p $D/tmp
chmod 1777 $D/tmp
mkdir -p $D/var/tmp
chmod 1777 $D/var/tmp
mkdir -p $D/lib64
3、还有些特殊设备需要创建,否则可能出错
# ls -l /dev/{null,random,urandom}
[root@2core nginx-1.6.2]# ls -l /dev/{null,random,urandom} 
crw-rw-rw-. 1 root root 1, 3 9月 13 2013 /dev/null 
crw-rw-rw-. 1 root root 1, 8 9月 13 2013 /dev/random 
crw-rw-rw-. 1 root root 1, 9 9月 13 2013 /dev/urandom

#/bin/mknod -m 0666 $D/dev/null c 1 3
#/bin/mknod -m 0666 $D/dev/random c 1 8
#/bin/mknod -m 0444 $D/dev/urandom c 1 9

4、将/urs/local/nginx目录里所有的文件复制到$D/usr/local/nginx目录去
# /bin/cp -farv /usr/local/nginx/* $D/usr/local/nginx

5、因为要启动 $D/usr/local/nginx/sbin/nginx,涉及一些库, 相应地,复制相关的库到Jail对应目录去,使用下面的命令查看关联的库
# ldd /usr/local/nginx/sbin/nginx  
linux-vdso.so.1 => (0x00007fff225ff000)   //这个不用复制
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb450acf000)  
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fb450898000)  
libpcre.so.0 => /lib64/libpcre.so.0 (0x00007fb45066b000)  
libz.so.1 => /lib64/libz.so.1 (0x00007fb450455000)  
libc.so.6 => /lib64/libc.so.6 (0x00007fb4500c2000)  
/lib64/ld-linux-x86-64.so.2 (0x00007fb450cf5000)  
libfreebl3.so => /lib64/libfreebl3.so (0x00007fb44fe5f000)  
libdl.so.2 => /lib64/libdl.so.2 (0x00007fb44fc5b000)
6、把上面关联的复制到相应目录里去
[ root@2core  nginx-1.6.2]# cp /lib64/libpthread.so.0 /nginx/lib64/  
[ root@2core  nginx-1.6.2]# cp /lib64/libcrypt.so.1 /nginx/lib64/  
[ root@2core  nginx-1.6.2]# cp /lib64/libpcre.so.0 /nginx/lib64/  
[ root@2core  nginx-1.6.2]# cp /lib64/libz.so.1 /nginx/lib64/  
[ root@2core  nginx-1.6.2]# cp /lib64/libc.so.6 /nginx/lib64/  
[ root@2core  nginx-1.6.2]# cp /lib64/ld-linux-x86-64.so.2 /nginx/lib64/
cp /lib64/libfreebl3.so /nginx/lib64/
cp /lib64/libdl.so.2 /nginx/lib64/ 

7、复制/etc 到/nginx目录去,不同系统可能有不同目录,如果下面某目录不存在的话,会有相应的报错,但不会影响
cp -fv /etc/{group,prelink.cache,services,adjtime,shells,gshadow,shadow,hosts.deny,localtime,nsswitch.conf,nscd.conf,prelink.conf,protocols,hosts,passwd,ld.so.cache,ld.so.conf,resolv.conf,host.conf} $D/etc
cp -avr /etc/{ld.so.conf.d,prelink.conf.d} $D/etc

8、启动nginx,
pkill -9 nginx
[ root@2core  nginx-1.6.2]# /usr/sbin/chroot /nginx /usr/local/nginx/sbin/nginx -t  
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok  
nginx: [emerg] getpwnam("nginx") failed 
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

上面的报错是由于还缺少一些库,需要把这些库复制到/nginx/lib64目录下, 通过以下命令strace,发现还有库没有复制过来

# strace -f -o /tmp/nginx.strace chroot /nginx /usr/local/nginx/sbin/nginx -t
# more /tmp/nginx.strace
8221 open(" /lib64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) 
8221 open("/lib64/tls/x86_64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/lib64/tls/x86_64", 0x7fffa8e430a0) = -1 ENOENT (No such file or directory)  
8221 open("/lib64/tls/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/lib64/tls", 0x7fffa8e430a0) = -1 ENOENT (No such file or directory)  
8221 open("/lib64/x86_64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/lib64/x86_64", 0x7fffa8e430a0) = -1 ENOENT (No such file or directory)  
8221 open("/lib64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/lib64", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0  
8221 open("/usr/lib64/tls/x86_64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/usr/lib64/tls/x86_64", 0x7fffa8e430a0) = -1 ENOENT (No such file or directory)  
8221 open("/usr/lib64/tls/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/usr/lib64/tls", 0x7fffa8e430a0) = -1 ENOENT (No such file or directory)  
8221 open("/usr/lib64/x86_64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/usr/lib64/x86_64", 0x7fffa8e430a0) = -1 ENOENT (No such file or directory)  
8221 open("/usr/lib64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)  
8221 stat("/usr/lib64", 0x7fffa8e430a0) = -1 ENOENT (No such file or directory)  
8221 munmap(0x7f6818e0d000, 29430) = 0  
8221 write(3, "2014/10/24 17:49:34 [emerg] 8221"..., 99) = 99  
8221 write(2, "nginx: [emerg] getpwnam(\"nginx\")"..., 78) = 78  
8221 close(4) = 0  
8221 write(2, "nginx: configuration file /usr/l"..., 71) = 71  
8221 exit_group(1) = ? 


[ root@2core  nginx-1.6.2]# cp /lib64/libnss_files.so.2 /nginx/lib64/

[ root@2core  nginx-1.6.2]# strace -f -o /tmp/nginx.strace chroot /nginx /usr/local/nginx/sbin/nginx -t  
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok  
nginx: [emerg] open() " /var/log/nginx/access.log" failed (2: No such file or directory)  
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
很明显,这次报错是没有/var/log/nginx/access.log,检查一下,发现没有这个/nginx/var/log目录
[ root@2core  nginx-1.6.2]# mkdir -p /nginx/var/log/nginx  
[ root@2core  nginx-1.6.2]# chmod 777 /nginx/var/log/nginx/  
[ root@2core  nginx-1.6.2]# strace -f -o /tmp/nginx.strace chroot /nginx /usr/local/nginx/sbin/nginx -t  
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok  
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
测试通过
[ root@2core  nginx-1.6.2]# chroot /nginx /usr/local/nginx/sbin/nginx 
[ root@2core  nginx-1.6.2]# ps auxf|grep nginx  
root 8357 0.0 0.0 103240 856 pts/0 S+ 18:04 0:00 \_ grep nginx  
root 8354 0.0 0.0 20212 604 ? Ss 18:04 0:00 nginx: master process /usr/local/nginx/sbin/nginx  
nginx 8355 0.0 0.1 20636 1200 ? S 18:04 0:00 \_ nginx: worker process
至此,部署完成,这时,nginx 便在/nginx这个目录下运行了,而日志这些文件都在这个目录下生成,注意,这时的配置文件在这/nginx/usr/local/nginx/conf/目录了
# cd /nginx/usr/local/nginx/conf/
# vi nginx.conf

重启命令
# /usr/sbin/chroot /nginx /usr/local/nginx/sbin/nginx -s reload


易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!