[BlueOnyx:23907] easy-migrate.pl 5208R(PHP DSO) -> 5209R(suPHP)

Tomohiro Hosaka bokutin at gmail.com
Wed May 27 23:43:55 -05 2020


Hi Michael,

Thank you for locale/ja_JP/*.po merged.
I resumed the migration verification work this morning, and was
impressed when it was updated!
(Yes, I have automatic yum update turned on.)

This is the main subject.

I am moving vsite using easy-migrate.pl, but the PHP DSO site is
imported as suPHP.

I am considering making some changes and using it.

--- /usr/sausalito/sbin/easy-migrate.pl-00 2020-03-05 06:54:15.000000000 +0900
+++ /usr/sausalito/sbin/easy-migrate.pl 2020-05-28 11:21:38.186732577 +0900
@@ -814,7 +814,7 @@
                 foreach my $x (@diff) {
                     # If the import Vsite has NameSpace keys that we
do NOT have locally, then we delete them here:
                     delete $Vsite_NameSpace->{$x};
-                    #print "Diff in $key: $x \n"
+                    print "Diff in $key: $x \n"
                 }

                 # Cleanup:
@@ -885,34 +885,34 @@
                     }

                     # Handle difference in keys when we come from
anything older than 5209R:
-                    if (($SYSTEM{'System'}{'productBuild'} ne
'5210R') && ($SYSTEM{'System'}{'productBuild'} ne '5209R')) {
-                        if ($Vsite_NameSpace->{'suPHP_enabled'} eq "1") {
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                            $Vsite_NameSpace->{'enabled'} = "1";
-                        }
-                        elsif ($Vsite_NameSpace->{'enabled'} eq "1") {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "1";
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                        }
-                        elsif ($Vsite_NameSpace->{'mod_ruid_enabled'} eq "1") {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                            $Vsite_NameSpace->{'enabled'} = "1";
-                        }
-                        elsif ($Vsite_NameSpace->{'fpm_enabled'} eq "1") {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "0";
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
-                            $Vsite_NameSpace->{'enabled'} = "1";
-                        }
-                        else {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "0";
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                            $Vsite_NameSpace->{'enabled'} = "0";
-                        }
-                    }
+                    # if (($SYSTEM{'System'}{'productBuild'} ne
'5210R') && ($SYSTEM{'System'}{'productBuild'} ne '5209R')) {
+                    #     if ($Vsite_NameSpace->{'suPHP_enabled'} eq "1") {
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'enabled'} = "1";
+                    #     }
+                    #     elsif ($Vsite_NameSpace->{'enabled'} eq "1") {
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = "1";
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #     }
+                    #     elsif
($Vsite_NameSpace->{'mod_ruid_enabled'} eq "1") {
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'enabled'} = "1";
+                    #     }
+                    #     elsif ($Vsite_NameSpace->{'fpm_enabled'} eq "1") {
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'enabled'} = "1";
+                    #     }
+                    #     else {
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'enabled'} = "0";
+                    #     }
+                    # }
                 }

                 # Handle individual WebApps:
@@ -1191,8 +1191,15 @@
                 # Actual Rsync:
                 $DirOwner = $VSITE_DIROWNERS->{$directory};
                 print "[INFO] Starting RSYNC from $host:$sourceDir to
$target_Vsite_actiondir\n";
-                #print "/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2 --chown=$DirOwner\n";
-                system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2 --chown=$DirOwner >/dev/null 2>&1 || :");
+                # --chown=$DirOwner
+                print "/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2\n";
+                system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after
--info=progress2");
+                {
+                    my ($user, $group) = split /:/, $DirOwner, 2;
+                    my $cmd = "find $target_Vsite_actiondir -not
-user $user -or -not -group $group";
+                    print $cmd,"\n";
+                    system($cmd);
+                }
             }

             # Fix owner of sitedir:
@@ -1430,7 +1437,13 @@
             if
($SYSTEM->{'DNS'}->{'DnsIncludeFile'}->{$NEW_VSITE_OBJ_DATA->{'domain'}})
{
                 my $include_File = '/var/named/chroot/var/named/db.'
. $NEW_VSITE_OBJ_DATA->{'domain'} . '.include';
                 print "[INFO] Importing DNS include file for Vsite
$NEW_VSITE_OBJ_DATA->{'fqdn'}: $include_File\n";
-                system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$include_File $include_File --delete-after
--info=progress2 --chown=named:named");
+                print("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$include_File $include_File --delete-after
--info=progress2\n");
+                system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$include_File $include_File --delete-after
--info=progress2");
+                {
+                    my $cmd = "find $include_File -not -user named
-or -not -group named";
+                    print $cmd,"\n";
+                    system $cmd;
+                }
             }

             #
@@ -1520,7 +1533,13 @@
     $sourceDir = '/home/.easy-migrate/';

     # Fetch remote SQL databases:
-    system("/usr/bin/rsync -q --progress -ar '-e ssh -p $port'
$source:$sourceDir $sourceDir --delete-after --info=progress2
--chown=root:root >/dev/null 2>&1 || :");
+    print("/usr/bin/rsync -q --progress -ar '-e ssh -p $port'
$source:$sourceDir $sourceDir --delete-after --info=progress2\n");
+    system("/usr/bin/rsync -q --progress -ar '-e ssh -p $port'
$source:$sourceDir $sourceDir --delete-after --info=progress2");
+    {
+        my $cmd = "find $sourceDir -not -user root -or -not -group root";
+        print $cmd,"\n";
+        system $cmd;
+    }

     if (-f '/home/.easy-migrate/mysql-all-dbs.sql') {
         system("/usr/bin/mysql -u " .
$TARGETSYSTEM{'System'}{'MySQL'}{'sql_root'} . " -p" .
$TARGETSYSTEM{'System'}{'MySQL'}{'sql_rootpassword'} . " <
/home/.easy-migrate/mysql-all-dbs.sql >/dev/null 2>&1 || :");
@@ -1606,7 +1625,13 @@
                     if
($SYSTEM->{'DNS'}->{'DnsIncludeFile'}->{$CURRENT_DOMAIN}) {
                         my $include_File =
'/var/named/chroot/var/named/db.' . $CURRENT_DOMAIN . '.include';
                         print "[INFO] Importing DNS include file for
domain $CURRENT_DOMAIN: $include_File\n";
-                        system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$include_File $include_File --delete-after
--info=progress2 --chown=named:named");
+                        print("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$include_File $include_File --delete-after
--info=progress2\n");
+                        system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$include_File $include_File --delete-after
--info=progress2");
+                        {
+                            my $cmd = "find $include_File -not -user
named -or -not -group named";
+                            print $cmd,"\n";
+                            system $cmd;
+                        }
                     }

                     $ret = &CCE_Tramp('DnsRecord', '', { 'type' =>
$record->{'type'}, 'hostname' => $record->{'hostname'}, 'domainname'
=> $record->{'domainname'} }, $record_new);
@@ -1919,8 +1944,13 @@

                 # Actual Rsync:
                 print "[INFO] Starting RSYNC from $host:$sourceDir to
$userDir \n";
-                #print "/usr/bin/rsync -q --dry-run --progress -ar
'-e ssh -p $port' $source:$sourceDir $userDir --delete-after
--info=progress2 --chown=$import_username:$new_user_group\n";
-                system("/usr/bin/rsync -q --progress -ar '-e ssh -p
$port' $source:$sourceDir $userDir --delete-after --info=progress2
--chown=$import_username:$new_user_group >/dev/null 2>&1 || :");
+                print "/usr/bin/rsync --progress -ar '-e ssh -p
$port' $source:$sourceDir $userDir --delete-after --info=progress2
--chown=$import_username:$new_user_group\n";
+                system("/usr/bin/rsync --progress -ar '-e ssh -p
$port' $source:$sourceDir $userDir --delete-after --info=progress2");
+                {
+                    my $cmd = "find $userDir -not -user
$import_username -or -not -group $new_user_group";
+                    print $cmd,"\n";
+                    system $cmd;
+                }

                 #
                 ### Conditionally fix directory permissions based on platform:
@@ -1945,8 +1975,13 @@
                 if ($Import_USERS->{$import_username}->{'UserCron'}) {
                     foreach my $userCron (keys %{
$Import_USERS->{$import_username}->{'UserCron'} }) {
                         print "[INFO] User has own cronjob. Making
copy of $host:$userCron to $userCron \n";
-                        #print "/usr/bin/rsync -q --dry-run
--progress -ar '-e ssh -p $port' $source:$userCron $userCron
--delete-after --info=progress2
--chown=$import_username:$new_user_group\n";
-                        system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$userCron $userCron --delete-after
--info=progress2 --chown=$import_username:$new_user_group >/dev/null
2>&1 || :");
+                        print "/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$userCron $userCron --delete-after
--info=progress2 --chown=$import_username:$new_user_group\n";
+                        system("/usr/bin/rsync -q --progress -ar '-e
ssh -p $port' $source:$userCron $userCron --delete-after
--info=progress2");
+                        {
+                            my $cmd = "find $userCron -not -user
$import_username -or -not -group $new_user_group";
+                            print $cmd,"\n";
+                            system $cmd;
+                        }
                         system("chmod 0600 $userCron");
                     }
                 }


I prefer to make as few changes as possible and migrate painlessly.

I also know there is a problem with PHP DSO on the 5208R. For example,
files created by PHP are not included in the quota because their
permissions are apache.

I also understand that suPHP uses fork(not "pre"fork) and has a very
different execution model than PHP DSO.

I assume that the reason for changing to "rsync ... --chwon=" and
suPHP in easy-migrate.pl is to try to fix the above problem in this
phase. Do you have?
If the guess is correct, I would consider not chowning during this
phase and having time to fix chown after migration.
I am considering migrating multiple vsites at once, so I would like to
avoid multiple failures occurring at the same time.
There are many sites where the site+apache usage exceeds the site quota.

Also, why did you choose suPHP and not mod_ruid2?
I think mod_ruid2 fixes UID issues and is more like 5208R PHP (DSO) in
terms of DSO.
Or are you considering the following?
> https://github.com/mind04/mod-ruid2
> -there are some security issues, for instance if attacker successfully exploits the httpd process,
> he can set effective capabilities and setuid to root. i recommend to use some security patch in kernel (grsec),
> or something.


Thanks,


More information about the Blueonyx mailing list