[BlueOnyx:23906] easy-migrate.pl 5208R(PHP DSO) -> 5209R(suPHP)
Tomohiro Hosaka
bokutin at bokut.in
Wed May 27 22:44:27 -05 2020
Hi Michael,
Thank you for merging locale/ja_JP/*.po.
I resumed the migration verification work this morning, and was
impressed when it was updated!
(Yes, I have automatic yum update turned on.)
This is the main subject.
I am moving a vsite using easy-migrate.pl, but the PHP DSO site is
imported as suPHP.
I am considering making some changes and using it.
--- /usr/sausalito/sbin/easy-migrate.pl-00 2020-03-05 06:54:15.000000000
+0900
+++ /usr/sausalito/sbin/easy-migrate.pl 2020-05-28 11:21:38.186732577
+0900
@@ -814,7 +814,7 @@
foreach my $x (@diff) {
# If the import Vsite has NameSpace keys that we do
NOT have locally, then we delete them here:
delete $Vsite_NameSpace->{$x};
- #print "Diff in $key: $x \n"
+ print "Diff in $key: $x \n"
}
# Cleanup:
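Review bot: the uncommented `print "Diff in $key: $x \n"` runs after `delete $Vsite_NameSpace->{$x}` has already dropped the key, so the log line can never show the value that was discarded; if the purpose is to audit what the import throws away, print before the delete (e.g. `print "[INFO] Dropping $key: $x = $Vsite_NameSpace->{$x}\n";`) and use the `[INFO]` prefix the rest of the script uses for its messages.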
@@ -885,34 +885,34 @@
}
# Handle difference in keys when we come from
anything older than 5209R:
- if (($SYSTEM{'System'}{'productBuild'} ne '5210R')
&& ($SYSTEM{'System'}{'productBuild'} ne '5209R')) {
- if ($Vsite_NameSpace->{'suPHP_enabled'} eq "1")
{
- $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
- $Vsite_NameSpace->{'fpm_enabled'} = "0";
- $Vsite_NameSpace->{'enabled'} = "1";
- }
- elsif ($Vsite_NameSpace->{'enabled'} eq "1") {
- $Vsite_NameSpace->{'suPHP_enabled'} = "1";
- $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
- $Vsite_NameSpace->{'fpm_enabled'} = "0";
- }
- elsif ($Vsite_NameSpace->{'mod_ruid_enabled'}
eq "1") {
- $Vsite_NameSpace->{'suPHP_enabled'} = "0";
- $Vsite_NameSpace->{'fpm_enabled'} = "0";
- $Vsite_NameSpace->{'enabled'} = "1";
- }
- elsif ($Vsite_NameSpace->{'fpm_enabled'} eq
"1") {
- $Vsite_NameSpace->{'suPHP_enabled'} = "0";
- $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
- $Vsite_NameSpace->{'enabled'} = "1";
- }
- else {
- $Vsite_NameSpace->{'suPHP_enabled'} = "0";
- $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
- $Vsite_NameSpace->{'fpm_enabled'} = "0";
- $Vsite_NameSpace->{'enabled'} = "0";
- }
- }
+ # if (($SYSTEM{'System'}{'productBuild'} ne
'5210R') && ($SYSTEM{'System'}{'productBuild'} ne '5209R')) {
+ # if ($Vsite_NameSpace->{'suPHP_enabled'} eq
"1") {
+ # $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
+ # $Vsite_NameSpace->{'fpm_enabled'} = "0";
+ # $Vsite_NameSpace->{'enabled'} = "1";
+ # }
+ # elsif ($Vsite_NameSpace->{'enabled'} eq "1")
{
+ # $Vsite_NameSpace->{'suPHP_enabled'} =
"1";
+ # $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
+ # $Vsite_NameSpace->{'fpm_enabled'} = "0";
+ # }
+ # elsif ($Vsite_NameSpace->{'mod_ruid_enabled'}
eq "1") {
+ # $Vsite_NameSpace->{'suPHP_enabled'} =
"0";
+ # $Vsite_NameSpace->{'fpm_enabled'} = "0";
+ # $Vsite_NameSpace->{'enabled'} = "1";
+ # }
+ # elsif ($Vsite_NameSpace->{'fpm_enabled'} eq
"1") {
+ # $Vsite_NameSpace->{'suPHP_enabled'} =
"0";
+ # $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
+ # $Vsite_NameSpace->{'enabled'} = "1";
+ # }
+ # else {
+ # $Vsite_NameSpace->{'suPHP_enabled'} =
"0";
+ # $Vsite_NameSpace->{'mod_ruid_enabled'} =
"0";
+ # $Vsite_NameSpace->{'fpm_enabled'} = "0";
+ # $Vsite_NameSpace->{'enabled'} = "0";
+ # }
+ # }
}
# Handle individual WebApps:
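Review bot: commenting out the whole `productBuild ne '5210R' && ... ne '5209R'` block leaves the comment `# Handle difference in keys when we come from anything older than 5209R:` describing code that no longer runs, and it also removes the `else` branch that set `enabled` to "0" when none of the handler keys was set, so an imported Vsite's PHP mode now depends entirely on what the 5208R source sent plus the target's defaults for the missing `suPHP_enabled`/`mod_ruid_enabled`/`fpm_enabled` keys. The branch that actually turns a DSO site into suPHP is the single `elsif ($Vsite_NameSpace->{'enabled'} eq "1")` arm; a narrower change is to make that arm's behaviour a command-line option (keep DSO vs. convert to suPHP) instead of disabling the block, keep the `else` fallback, and update the comment to match.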
@@ -1191,8 +1191,15 @@
# Actual Rsync:
$DirOwner = $VSITE_DIROWNERS->{$directory};
print "[INFO] Starting RSYNC from $host:$sourceDir to
$target_Vsite_actiondir\n";
- #print "/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2 --chown=$DirOwner\n";
- system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2 --chown=$DirOwner >/dev/null 2>&1 || :");
+ # --chown=$DirOwner
+ print "/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2\n";
+ system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2");
+ {
+ my ($user, $group) = split /:/, $DirOwner, 2;
+ my $cmd = "find $target_Vsite_actiondir -not -user
$user -or -not -group $group";
+ print $cmd,"\n";
+ system($cmd);
+ }
}
# Fix owner of sitedir:
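Review bot: dropping `--chown=$DirOwner` while keeping `-a` means rsync, running as root, now preserves the source's ownership, mapping by user/group name where the name exists on the target and falling back to the raw numeric id otherwise, so files from accounts that do not exist on the target can land owned by whatever local account holds that uid; the new `find $target_Vsite_actiondir -not -user $user -or -not -group $group` only lists such files, it does not fix them. If `$DirOwner` ever lacks a colon, `$group` is undef and `-group` gets an empty argument, so guard the split (`die "[ERROR] bad DirOwner: $DirOwner" unless defined $group;`). Removing `>/dev/null 2>&1 || :` also makes rsync's exit status visible for the first time, but nothing reads `$?`; check it (`system(...) == 0 or warn "[WARN] rsync failed: $?\n";`) so a partial copy is not silently followed by the ownership scan.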
@@ -1430,7 +1437,13 @@
if
($SYSTEM->{'DNS'}->{'DnsIncludeFile'}->{$NEW_VSITE_OBJ_DATA->{'domain'}})
{
my $include_File = '/var/named/chroot/var/named/db.' .
$NEW_VSITE_OBJ_DATA->{'domain'} . '.include';
print "[INFO] Importing DNS include file for Vsite
$NEW_VSITE_OBJ_DATA->{'fqdn'}: $include_File\n";
- system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$include_File $include_File --delete-after
--info=progress2 --chown=named:named");
+ print("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$include_File $include_File --delete-after
--info=progress2\n");
+ system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$include_File $include_File --delete-after
--info=progress2");
+ {
+ my $cmd = "find $include_File -not -user named -or
-not -group named";
+ print $cmd,"\n";
+ system $cmd;
+ }
}
#
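Review bot: without `--chown=named:named` the DNS include file keeps the source's owner, and the `find $include_File -not -user named -or -not -group named` that follows only prints the path when ownership is wrong; a `db.<domain>.include` under `/var/named/chroot` that named cannot read would be imported without any warning, so either chown the file after the scan or report the mismatch with the script's `[INFO]`/`[WARN]` wording instead of a bare path. Also, `system $cmd;` here vs. `system($cmd);` in the previous hunk: pick one style.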
@@ -1520,7 +1533,13 @@
$sourceDir = '/home/.easy-migrate/';
# Fetch remote SQL databases:
- system("/usr/bin/rsync -q --progress -ar '-e ssh -p $port'
$source:$sourceDir $sourceDir --delete-after --info=progress2
--chown=root:root >/dev/null 2>&1 || :");
+ print("/usr/bin/rsync -q --progress -ar '-e ssh -p $port'
$source:$sourceDir $sourceDir --delete-after --info=progress2\n");
+ system("/usr/bin/rsync -q --progress -ar '-e ssh -p $port'
$source:$sourceDir $sourceDir --delete-after --info=progress2");
+ {
+ my $cmd = "find $sourceDir -not -user root -or -not -group
root";
+ print $cmd,"\n";
+ system $cmd;
+ }
if (-f '/home/.easy-migrate/mysql-all-dbs.sql') {
system("/usr/bin/mysql -u " .
$TARGETSYSTEM{'System'}{'MySQL'}{'sql_root'} . " -p" .
$TARGETSYSTEM{'System'}{'MySQL'}{'sql_rootpassword'} . " <
/home/.easy-migrate/mysql-all-dbs.sql >/dev/null 2>&1 || :");
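Review bot: `/home/.easy-migrate/` holds `mysql-all-dbs.sql`, a dump of every database, and this hunk removes the `--chown=root:root` that kept it root-owned; with `-a` the dump now arrives with the source's ownership, so check and tighten owner and mode of that file before it is fed to mysql rather than only printing a `find` result. The context lines also show the mysql root password passed as `-p<password>` on the command line, where it is visible in the process list for the duration of the import; that is pre-existing, but since this block is already being touched, a temporary `--defaults-extra-file` with mode 0600 would be the safer way to pass the credential.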
@@ -1606,7 +1625,13 @@
if
($SYSTEM->{'DNS'}->{'DnsIncludeFile'}->{$CURRENT_DOMAIN}) {
my $include_File =
'/var/named/chroot/var/named/db.' . $CURRENT_DOMAIN . '.include';
print "[INFO] Importing DNS include file for
domain $CURRENT_DOMAIN: $include_File\n";
- system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$include_File $include_File --delete-after
--info=progress2 --chown=named:named");
+ print("/usr/bin/rsync -q --progress -ar '-e ssh
-p $port' $source:$include_File $include_File --delete-after
--info=progress2\n");
+ system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$include_File $include_File --delete-after
--info=progress2");
+ {
+ my $cmd = "find $include_File -not -user
named -or -not -group named";
+ print $cmd,"\n";
+ system $cmd;
+ }
}
$ret = &CCE_Tramp('DnsRecord', '', { 'type' =>
$record->{'type'}, 'hostname' => $record->{'hostname'}, 'domainname' =>
$record->{'domainname'} }, $record_new);
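Review bot: same concern as the earlier DNS include hunk: `--chown=named:named` is removed and `find $include_File -not -user named -or -not -group named` only reports a mismatch without correcting it, so an include file named cannot read is imported silently. The `print`/`system`/`find` triple is now repeated verbatim throughout this patch; factoring it into one helper (e.g. `rsync_and_check($src, $dst, $user, $group)`) would keep the logging, the exit-status handling and the ownership check consistent in one place.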
@@ -1919,8 +1944,13 @@
# Actual Rsync:
print "[INFO] Starting RSYNC from $host:$sourceDir to
$userDir \n";
- #print "/usr/bin/rsync -q --dry-run --progress -ar '-e
ssh -p $port' $source:$sourceDir $userDir --delete-after
--info=progress2 --chown=$import_username:$new_user_group\n";
- system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $userDir --delete-after --info=progress2
--chown=$import_username:$new_user_group >/dev/null 2>&1 || :");
+ print "/usr/bin/rsync --progress -ar '-e ssh -p $port'
$source:$sourceDir $userDir --delete-after --info=progress2
--chown=$import_username:$new_user_group\n";
+ system("/usr/bin/rsync --progress -ar '-e ssh -p $port'
$source:$sourceDir $userDir --delete-after --info=progress2");
+ {
+ my $cmd = "find $userDir -not -user
$import_username -or -not -group $new_user_group";
+ print $cmd,"\n";
+ system $cmd;
+ }
#
### Conditionally fix directory permissions based on
platform:
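Review bot: the `print` still shows `--chown=$import_username:$new_user_group` but the `system` call below it no longer passes that option, so the logged command does not match the one executed; build the command string once and both print and run the same variable. This hunk also drops `-q` from both rsync calls while every other hunk keeps it, making output inconsistent across the run; and `find $userDir -not -user $import_username -or -not -group $new_user_group` lists files in the user's home owned by other accounts but leaves them in place, so the following `### Conditionally fix directory permissions` step operates on files whose owner may not be `$import_username`.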
@@ -1945,8 +1975,13 @@
if ($Import_USERS->{$import_username}->{'UserCron'}) {
foreach my $userCron (keys %{
$Import_USERS->{$import_username}->{'UserCron'} }) {
print "[INFO] User has own cronjob. Making copy
of $host:$userCron to $userCron \n";
- #print "/usr/bin/rsync -q --dry-run --progress
-ar '-e ssh -p $port' $source:$userCron $userCron --delete-after
--info=progress2 --chown=$import_username:$new_user_group\n";
- system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$userCron $userCron --delete-after
--info=progress2 --chown=$import_username:$new_user_group >/dev/null
2>&1 || :");
+ print "/usr/bin/rsync -q --progress -ar '-e ssh
-p $port' $source:$userCron $userCron --delete-after --info=progress2
--chown=$import_username:$new_user_group\n";
+ system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$userCron $userCron --delete-after
--info=progress2");
+ {
+ my $cmd = "find $userCron -not -user
$import_username -or -not -group $new_user_group";
+ print $cmd,"\n";
+ system $cmd;
+ }
system("chmod 0600 $userCron");
}
}
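Review bot: `chmod 0600 $userCron` right after this hunk restricts the cron file to its owner, but with `--chown=$import_username:$new_user_group` removed from the `system` call the owner is now whatever uid the source file carried, so the user can end up unable to read their own crontab while an unrelated account can; chown `$userCron` before the chmod, or restore `--chown` for this one path since it is the user's cron spool file. The `print` line again includes `--chown=...` that the `system` call does not pass.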
I prefer to make as few changes as possible and migrate painlessly.
I also know there is a problem with PHP DSO on 5208R. For example,
files created by PHP are not included in the quota because they are
owned by apache.
I also understand that suPHP uses fork (not "pre"fork) and has a very
different execution model from PHP DSO.
I assume that the reason for changing to "rsync ... --chown=" and suPHP
in easy-migrate.pl is to try to fix the above problem in this phase. Do
you have?
If the guess is correct, I would consider not chowning during this phase
and having time to fix chown after migration.
I am considering migrating multiple vsites at once, so I would like to
avoid multiple failures occurring at the same time.
There are many sites where the site+apache usage exceeds the site quota.
Also, why did you choose suPHP and not mod_ruid2?
I think mod_ruid2 fixes UID issues and is more like 5208R PHP (DSO) in
terms of DSO.
Or are you considering the following?
> https://github.com/mind04/mod-ruid2
> -there are some security issues, for instance if attacker successfully
> exploits the httpd process,
> he can set effective capabilities and setuid to root. i recommend to
> use some security patch in kernel (grsec),
> or something.
Thanks,