Re: LibreNMS chroot issues

2015-12-27 Thread ludovic coues 
On 26 Dec 2015 12:47 am, "Predrag Punosevac"  wrote:

>
> I was wondering if anybody tried running LibreNMS with httpd from the
> base and even more fundamentally does httpd from the base support
> "unsecure" mode. I read up and down httpd several times but I didn't see
> anything about insecure mode.
>

Like many part of OpenBSD, httpd from base have a concept of "non-optional
security". So there is no possibility to use httpd without chroot.

Re: LibreNMS chroot issues

2015-12-27 Thread Ax0n 
I've been able to run most *AMP stuff on OpenBSD/nginx/php_fpm. I've not
tried librenms before, but the major hurdle for chroot is usually the
mariaDB socket. I overcome this by setting up mariadb to bind to localhost
and setting up a user on 127.0.0.1 to force a TCP connection instead of
sockets. This is a little slower but I've never seen it make a web app
sluggish on its own.
If you want an example of the setup I use, I wrote it up here (only up to
date with 5.7 though) http://www.h-i-r.net/p/openbsd-nginx-php-mysql.html


On Sun, Dec 27, 2015, 07:40 ludovic coues  wrote:

> On 26 Dec 2015 12:47 am, "Predrag Punosevac" 
> wrote:
>
> >
> > I was wondering if anybody tried running LibreNMS with httpd from the
> > base and even more fundamentally does httpd from the base support
> > "unsecure" mode. I read up and down httpd several times but I didn't see
> > anything about insecure mode.
> >
>
> Like many part of OpenBSD, httpd from base have a concept of "non-optional
> security". So there is no possibility to use httpd without chroot.

Re: LibreNMS chroot issues

2015-12-27 Thread Stuart Henderson 
On 2015-12-27, Ax0n  wrote:
> I've been able to run most *AMP stuff on OpenBSD/nginx/php_fpm. I've not
> tried librenms before, but the major hurdle for chroot is usually the
> mariaDB socket.

That isn't the major hurdle for LibreNMS. It needs snmpbulkwalk, fping,
rrdtool, etc.

Re: LibreNMS chroot issues

2015-12-27 Thread Daniel Ouellet 
> I was wondering if anybody tried running LibreNMS with httpd from the
> base and even more fundamentally does httpd from the base support
> "unsecure" mode. I read up and down httpd several times but I didn't see
> anything about insecure mode.

Yes, "unsecure mode" is call Linux.

Or FreeBSD these days with all security they talked about not enable by
default.

Take your pick.

Re: LibreNMS chroot issues

2015-12-27 Thread Uwe Werler 
Why not pointing the socket to chroot? 


Von meinem Samsung Galaxy Smartphone gesendet.


 Ursprüngliche Nachricht 
Von: Ax0n <a...@h-i-r.net> 
Datum:27.12.2015  18:58  (GMT+01:00) 
An: cou...@gmail.com, punoseva...@gmail.com 
Cc: misc@openbsd.org 
Betreff: Re: LibreNMS chroot issues

Re: LibreNMS chroot issues

2015-12-26 Thread Stuart Henderson 
On 2015-12-25, Predrag Punosevac  wrote:
> I was wondering if anybody tried running LibreNMS with httpd from the
> base and even more fundamentally does httpd from the base support
> "unsecure" mode. I read up and down httpd several times but I didn't see
> anything about insecure mode.

It's PHP, not the http server, that needs to be run without chroot.

> My second question is using PHP with Nginx running in the insecure mode.
> I got Nginx exporting http without any problems. However I can't get 
> to export PHP files. I was under impression that it is sufficient to
> comment out with ; the 
>
> chroot = /var/www
>
> line from 
>
> /etc/php-fpm.conf
>
> However that didn't work. Can anybody who runs php-fpm, MariaDB, and
> Nginx in the insecure mode give me some hint to what I am doing wrong.
> I haven't seen anything interesting in php-fpm log files. 
>
> Best,
> Predrag

You probably need something like this.

fastcgi_param  DOCUMENT_ROOT /var/www$document_root;
fastcgi_param  SCRIPT_FILENAME /var/www$document_root$fastcgi_script_name;

Works with nginx for sure. I don't think httpd will give enough control
over fastcgi path names to work though.

I'll try to find time to revise the pkg-readme.

Re: LibreNMS chroot issues

2015-12-25 Thread Predrag Punosevac 
Sorry my original message was somehow garbled.


Hi Misc,

I am using this holiday season to migrate our Debian based Observium
installation to LibreNMS/OpenBSD. I have two questions. The first one is
related to httpd from the base. According to wonderful pkg-readmes for
LibreNMS pre-assumable written by Stan the LibreNMS is tested with
Apache2 (which is what Observium people insisted on) but also with Nginx
(I was delighted to see this). However pkg-readmes recommend using both
servers in unsecure "non-chroot" mode due to extensive dependencies on
other software besides PHP and MariaDB. The pkg-readmes come even with
the nginx.conf example.

I was wondering if anybody tried running LibreNMS with httpd from the
base and even more fundamentally does httpd from the base support
"unsecure" mode. I read up and down httpd several times but I didn't see
anything about insecure mode.

My second question is using PHP with Nginx running in the insecure mode.
I got Nginx exporting http without any problems. However I can't get 
to export PHP files. I was under impression that it is sufficient to
comment out with ; the 

chroot = /var/www

line from 

/etc/php-fpm.conf

However that didn't work. Can anybody who runs php-fpm, MariaDB, and
Nginx in the insecure mode give me some hint to what I am doing wrong.
I haven't seen anything interesting in php-fpm log files. 

Best,
Predrag

LibreNMS chroot issues

2015-12-25 Thread Predrag Punosevac 
Hi Misc,
sing this holiday season to migrate our Debian based Observium
n to LibreNMS/OpenBSD. I have two questions. The first one is
pd from the base. According to wonderful pkg-readmes for
ache2
(which is what Observium people insisted on) but also with Nginx (I was
delighted to see this). However pkg-readmes recommend using both servers
in unsecure "non-chroot" mode due to extensive dependencies on other
software besides PHP, and MariaDB. The pkg-readmes come even with the
nginx.conf example.

I was wondering if anybody tried running LibreNMS with httpd from the
base and even more fundamentally does httpd from the base support
"unsecure" mode. I read up and down httpd several times but I didn't see
anything about insecure mode.

My second question is using PHP with Nginx running in the insecure mode.
I got Nginx exporting http without any problems. However I can't get 
to export PHP files. I was under impre
I am uhainstallatioficient to
comment out with ; the 

chroot = /var/www

linerelated to htthp-fpm.conf

However that didn't work. Can anybody who runsLibreNMS pre-assumable written by 
Stan the LibreNMS is tested with Apo what I am doing wrong.
I haven't seen anything interesting in php-fpm log files. 

Best,
Predrag