I have the following Linux environment for a PoC. On one machine we have 2 chroot environments:
/chroot1/
/chroot2/
In each chroot there is an apache.
We installed the master agent services in /opt/dynaTrace/
Take chroot1 as an example. We copied the master agent directory to chroot1. In the config file of the master agent we tell the agent to use the shared memory file in /chroot1/. The LoadModule of the Apache uses the shared memory file in /chroot1/ as well. The master agent listens correctly on port 8001. When we start Apache, it crashes. The last line is that the module is loaded in Apache.
Version dynaTrace: 6.1.
Is this the right approach for a chroot environment? We do not want to install in each chroot a master agent service because to do that they also need to copy a lot of files to the chroot environments which they want to avoid of course.
Chris
Answer by Reinhard W.
The purpose of a chroot is not to interfere with the contents outside of the chroot. If executables, libraries, etc. are required by services in that chroot, they have to be inside the chroot. There is no advice we can give here; it's standard chroot administration.
Answer by Chris G.
Hi Reinhard,
But the downside to this is that you need to install more libraries in the chroot environment which makes it again less secure...
That's why I am wondering if we have experience or recommendations for this? Also later on for having support on these environments....
Chris
Answer by Reinhard W.
Chris,
without being 100% certain, but the intention of chroots is that no process in the chroot is able to write outside of the chroot. So if the shared memory file that the dynatrace agent and the apache module use for communication lies outside the chroot, this would be a violation of that principle. I think security-wise it makes sense to have the master agent also running in the chroot of each apache. Also it should be a snap to modify chrooted environments to provide additional files.
Reinhard
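
The following is an added example, not part of the thread and not Dynatrace code: a check, run from the host, of which paths a process chrooted to a given directory can actually reach, with absolute symlink targets and `..` re-rooted at the chroot the way the kernel resolves them. The `/srv/dynaTrace` target and `libexample.so` are hypothetical placeholders in a constructed sample tree.

```python
import os, tempfile

def resolve_in_chroot(root, path, max_links=40):
    """Return the host path that `path` names for a process chrooted to `root`."""
    root = os.path.realpath(root)
    pending = [p for p in reversed(path.split("/")) if p]  # stack, next part on top
    current, links = [], 0                                  # parts resolved under root
    while pending:
        part = pending.pop()
        if part == ".":
            continue
        if part == "..":
            if current:
                current.pop()        # ".." at the chroot root stays at the root
            continue
        candidate = os.path.join(root, *current, part)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError("too many symbolic links: " + path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                current = []         # absolute target restarts at the chroot root
            pending.extend(p for p in reversed(target.split("/")) if p)
            continue
        current.append(part)
    return os.path.join(root, *current)

def missing_in_chroot(root, required):
    """Return the entries of `required` that do not exist inside the chroot."""
    missing = []
    for p in required:
        try:
            ok = os.path.exists(resolve_in_chroot(root, p))
        except OSError:              # symlink loop counts as unreachable
            ok = False
        if not ok:
            missing.append(p)
    return missing

def build_sample_chroot(base):
    """Constructed layout: agent files live outside the chroot, behind a symlink."""
    root = os.path.join(base, "chroot1")
    os.makedirs(os.path.join(base, "srv", "dynaTrace"))   # exists on the host only
    os.makedirs(os.path.join(root, "usr", "lib"))
    os.makedirs(os.path.join(root, "opt"))
    open(os.path.join(root, "usr", "lib", "libexample.so"), "w").close()
    os.symlink("usr/lib", os.path.join(root, "lib"))      # relative link, stays inside
    os.symlink("/srv/dynaTrace", os.path.join(root, "opt", "dynaTrace"))  # absolute
    return root

if __name__ == "__main__":
    sample = build_sample_chroot(tempfile.mkdtemp())
    print(missing_in_chroot(sample, ["/lib/libexample.so", "/opt/dynaTrace"]))
```

Paths reported as missing are the ones that have to be copied or bind-mounted into the chroot before the service inside it can open them.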