For a web GUI to manage NFS mount points, we've run into a problem after migrating to Centos 8.
JS Billings noted that:

> CentOS8 runs httpd in a private namespace (with its own private /tmp). Since it's such a terrible idea to give httpd the ability to run sudo, I've never tried this, but I suspect what you are seeing is the fact that the mounts are happening in the private namespace.
The effect is that when `mount(8)` is run via `system()`, or even by a setuid program which calls `mount(2)`, to mount NFS partitions, the partitions are only visible to subsequent HTTP calls and not to any processes running on the server itself.
Is there a way to configure `apache` and/or `php-fpm` to not use mount namespaces?
- CentOS 8, kernel 4.18.0-147.el8.x86_64
- SELinux is disabled
- Apache/2.4.37 (centos)
- PHP 7.2.11
EDIT I
Following Michael Hampton's advice, changing `/etc/systemd/system/php-fpm.service` to disable `PrivateTmp` solved the problem:
```ini
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
# Disable private mount namespace
PrivateTmp=false
RuntimeDirectory=php-fpm
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
```
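As an added example (not part of the original question or answers), the script below shows how to verify whether php-fpm processes actually share PID 1's mount namespace, and the systemd drop-in form of the same `PrivateTmp=false` fix; it assumes Linux with `/proc` mounted and `pgrep` available.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux with /proc mounted.

# mnt_ns_id PID -> prints the mount-namespace identifier of PID, e.g. "mnt:[4026531840]".
mnt_ns_id() {
    readlink "/proc/$1/ns/mnt" 2>/dev/null
}

# same_mount_ns PID_A PID_B -> exit 0 if both processes are in the same mount
# namespace, 1 if they differ, 2 if either namespace link could not be read
# (no such PID, no /proc, or insufficient permission).
same_mount_ns() {
    a=$(mnt_ns_id "$1") || return 2
    b=$(mnt_ns_id "$2") || return 2
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# dropin_override -> prints a drop-in that disables PrivateTmp without editing the
# packaged unit file, so it survives package updates. Install it with
# "systemctl edit php-fpm" (writes /etc/systemd/system/php-fpm.service.d/override.conf),
# then "systemctl daemon-reload && systemctl restart php-fpm".
dropin_override() {
    printf '[Service]\n# Disable private mount namespace so mounts made by PHP are visible host-wide\nPrivateTmp=false\n'
}

# check_service_mount_ns [NAME] -> compares every process named NAME (default
# php-fpm) against PID 1; returns 1 if any of them sits in a private mount namespace,
# which is exactly the situation that makes NFS mounts invisible to the rest of the host.
check_service_mount_ns() {
    svc=${1:-php-fpm}
    rc=0
    for pid in $(pgrep -x "$svc" 2>/dev/null); do
        if same_mount_ns 1 "$pid"; then
            echo "PID $pid ($svc): shares the host mount namespace"
        else
            echo "PID $pid ($svc): PRIVATE mount namespace (its mounts are invisible to the host)"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_service_mount_ns php-fpm` before and after applying the drop-in to confirm the change took effect. Note that `PrivateTmp=false` also removes the service's isolated `/tmp`, so php-fpm then shares `/tmp` with every other process on the host.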