Apache

How to get ImageMagick to work in chroot apache for Gentoo

unocode_pnz3cj

I recently changed one of my web servers to use chroot apache. This particular web server also used ImageMagick for some of the sites there, so I needed to figure out how to get this to work.

I came across this script.. that sorta worked, but it was enough to get it started. I’ll post my version of this bash script for getting ImageMagick to work at the end of the blog post. I wanted to point out some of the errors in case I need to reference these problems in the future again.

click here for more info

After I adjusted the script to use the proper awk column and executed it, I noticed that somethings did not get moved (ie: the actual binaries). I copied convert, composite and identify to their proper locations in the jail, but I started to have other problems.

Problem #1 in the logs:

I recently changed one of my web servers to use chroot apache. This particular web server also used ImageMagick for some of the sites there, so I needed to figure out how to get this to work.

I came across this script.. that sorta worked, but it was enough to get it started. I’ll post my version of this bash script for getting ImageMagick to work at the end of the blog post. I wanted to point out some of the errors in case I need to reference these problems in the future again.

click here for more info

After I adjusted the script to use the proper awk column and executed it, I noticed that somethings did not get moved (ie: the actual binaries). I copied convert, composite and identify to their proper locations in the jail, but I started to have other problems.

Problem #1 in the logs:


/usr/bin/convert: error while loading shared libraries: libMagickCore.so.4: cannot open shared object file: No such file or directory
/usr/bin/convert: error while loading shared libraries: libMagickCore.so.4: cannot open shared object file: No such file or directory

Interesting, so libMagickCore didn’t get pushed over. This was actually due to my 64 bit system. I did not have a symlink for /var/chroot/apache/usr/lib64 to go to /var/chroot/apache/usr/lib. I added this, and the errors continued:


/usr/bin/convert: error while loading shared libraries: libbz2.so.1: cannot open shared object file: No such file or directory
/usr/bin/convert: error while loading shared libraries: libbz2.so.1: cannot open shared object file: No such file or directory
/usr/bin/convert: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
/usr/bin/convert: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory

This appears to not be included in the chroot script. I coppied over my so files then I started to have IM specific problems:


convert: UnableToOpenConfigureFile `delegates.xml' @ warning/configure.c/GetConfigureOptions/589.

This appears to be config issue not being in the chroot, I executed the following:


cp /usr/lib64/ImageMagick-6.6.5/config/ /var/chroot/apache/usr/lib64/ImageMagick-6.6.5/. -R

I continued to get additional problems with the decoder.


convert: NoDecodeDelegateForThisImageFormat `/var/www/site.com/htdocs/images/gallery/test-original.jpg' @ error/constitute.c/ReadImage/532.
convert: MissingAnImageFilename `/var/www/site.com/htdocs/images/gallery/test-original-th.jpg' @ error/convert.c/ConvertImageCommand/2949.
convert: UnableToOpenConfigureFile `delegates.xml' @ warning/configure.c/GetConfigureOptions/589.
convert: NoDecodeDelegateForThisImageFormat `/var/www/site.com/htdocs/images/gallery/test-original.jpg' @ error/constitute.c/ReadImage/532.
convert: MissingAnImageFilename `/var/www/site.com/htdocs/images/gallery/test.jpg' @ error/convert.c/ConvertImageCommand/2949.

I tested IM outside of the chroot.. and sure enough, I was getting the same error. This is a pretty classic error, basically ImageMagick isn’t able use libjpeg. I re-emerged ImageMagick and it worked outside of the chroot.. but not within. I was starting to lean towards libjpeg stuff not being in the chroot, but figured I would run strace to be sure. Sure enough.. it was something else. In the strace output I noticed the following:


1025 stat("/usr/lib64/ImageMagick-6.6.5/modules-Q16/coders/jpeg.la", 0x7ffffae23ec0) = -1 ENOENT (No such file or directory)
1025 stat("/usr/lib64/ImageMagick-6.6.5/modules-Q16/coders/jpeg.la", 0x7ffffae23ec0) = -1 ENOENT (No such file or directory)

Ah.. so it’s physically missing the compiled coders .la files.


cp /usr/lib64/ImageMagick-6.6.5/modules-Q16/ /var/chroot/apache/usr/lib64/ImageMagick-6.6.5/. -R

So here is my version of the script to get ImageMagick working in chroot’d apache environment. My distro is Gentoo.


#!/bin/sh
IMAGEMAGICK="/usr/bin/composite /usr/bin/convert /usr/bin/identify"

if [ ! -d /var/chroot/apache/usr/lib ]; then mkdir -p /var/chroot/apache/usr/lib ;fi
if [ ! -d /var/chroot/apache/lib/tls/i686/cmov ]; then mkdir -p /var/chroot/apache/lib/tls/i686/cmov ;fi
if [ ! -d /var/chroot/apache/lib ]; then mkdir -p /var/chroot/apache/lib ;fi
if [ ! -d /var/chroot/apache/usr/bin ]; then mkdir -p /var/chroot/apache/usr/bin ;fi
if [ ! -d /var/chroot/apache/usr/lib64/ImageMagick-6.6.5 ]; then mkdir -p /var/chroot/apache/usr/lib64/ImageMagick-6.6.5 ; fi

# I had to do this by hand.. symlink issue
# cp -p /usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/libgomp.so.1 /var/chroot/apache/usr/lib/.
# I was receiving the following error from the script:
# cp: cannot create regular file `/var/chroot/apache/usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/libgomp.so.1′: No such file or directory

LOCALBIN=`ldd $IMAGEMAGICK | grep -v : | grep usr | awk ‘{print $3}’ | grep lib`
LOCALLIB=`ldd $IMAGEMAGICK | grep -v : | grep usr | awk ‘{print $3}’ | grep local | grep -v libexec | grep lib`
LIB=`ldd $IMAGEMAGICK | grep -v : | grep usr | awk ‘{print $3}’ | grep -v local | grep -v libexec | grep lib`
LIBEXEC=`ldd $IMAGEMAGICK | grep -v : | grep usr | awk ‘{print $3}’ | grep libexec`

for x in $LOCALBIN
do
# if [ ! -x /var/chroot/apache${x} ]; then
cp -p $x /var/chroot/apache${x}
echo Copied $x
# else
# echo /var/chroot/apache$x already executable
# fi
done

for x in $LOCALLIB
do
# if [ ! -r /var/chroot/apache${x} ]; then
cp -p $x /var/chroot/apache${x}
echo Copied $x
# else
# echo /var/chroot/apache$x already readable
# fi
done

for x in $LIB
do
# if [ ! -r /var/chroot/apache${x} ]; then
cp -p $x /var/chroot/apache${x}
echo Copied $x
# else
# echo /var/chroot/apache$x already readable
# fi
done

for x in $LIBEXEC
do
# if [ ! -r /var/chroot/apache${x} ]; then
cp -p $x /var/chroot/apache${x}
echo Copied $x
# else
# echo /var/chroot/apache$x already readable
# fi
done

# copy the binaries
cp /usr/bin/convert /var/chroot/apache/usr/bin/.
cp /usr/bin/composite /var/chroot/apache/usr/bin/.
cp /usr/bin/identify /var/chroot/apache/usr/bin/.

# copy misc stuff that was not included in the script above:
cp /lib64/libbz2.so.1 /var/chroot/apache/lib64/.
cp /lib64/librt.so.1 /var/chroot/apache/lib64/.
cp /usr/lib64/ImageMagick-6.6.5/config/ /var/chroot/apache/usr/lib64/ImageMagick-6.6.5/. -R
cp /usr/lib64/ImageMagick-6.6.5/modules-Q16/ /var/chroot/apache/usr/lib64/ImageMagick-6.6.5/. -R

UPDATE
Months after getting this to work, I had one problem – PNGs I didn’t consider pngs when I initially got this going. Basically, I followed my how to and ran strace again, I didn’t notice much from the strace, but realized that I was missing the .so files in the chroot. I had to move the following over:

libpng14.so -> libpng14.so.14.5.0
libpng14.so.14 -> libpng14.so.14.5.0
libpng14.so.14.5.0

Hope this helps.