Securing the Magento 2 CLI on MageStack

Tips and Tricks

A customer raised a good question about using the Magento 2 CLI binary (bin/magento) on MageStack and asked how it works with domain group isolation.

On Magento 1, we encourage a strong security practice for all CLI/cron activity by using wrappers for the commands, to constrain the command being run within the domain group - and to ensure a consistent environment between web and acc nodes.

Background

On MageStack, the server consists of a series of mini environments (domain groups) - these are isolated from each other for security purposes.

But for ease of management, in the access server, you are able to access all domain groups. But, when executing commands in the context of a domain group - you should do it from within the domain group itself, not using the global php commands.

This is why if you look at how we recommend running Magento cron jobs - that it locks the process into the domain group - so that the configuration mirrors the web server exactly (and leaves no room for error).

By running a command outside of the domain group, you introduce a security risk and a change in platform (as the settings won't be consistent with the web server).

An example

On Magento 2 stacks, there is support for multi-php, so that each domain group has its own PHP version. So there's a basic example we can use to demonstrate the differences between running a command in the global access server, and the domain group itself.

On the access server, a simple php -v would show,

php -v
PHP 5.4.45 MageStack (cli) (built: Feb 22 2016 19:20:20)

But in a Magento 2 domain group,

php -v
PHP 5.6.18 MageStack (cli) (built: Feb 22 2016 19:26:49)

This basic example shows the difference between the two environments. So whilst it is possible to run commands in the global context of the access server, its always recommended to use the domain-group itself to execute site-specific commands.

Simplifying dropping into a domain-group

Dropping into the context of a domain group isn't a difficult process, its really simple,

Eg. To drop into the example domain group,

fakechroot /usr/sbin/chroot /microcloud/domains/example /bin/bash

We can make this even simpler/shorter by making a quick bash function to add to our .bash_profile

function example()
{
  local CMD="fakechroot /usr/sbin/chroot /microcloud/domains/example /bin/bash"
  if [ $# -gt 0 ]; then
    echo "$@" | $CMD
  else
    $CMD
  fi
}

Then you could drop into the domain-group environment as easily as,

[www-data@acc1 .microcloud ~]
[~]$ example
bash-4.1$

Or execute a command in the context of the domain group like so,

[www-data@acc1 .microcloud ~]
[~]$ example ls
bin  dev  domains  etc  home  lib  lib64  logs  proc  sbin  tmp  usr  var  version

Running M2 CLI via domain group drop-in function

With the new function in place, it is as simple as running the command - just prefixed with the function name.

Eg. To reindex,

example php /domains/example.com/http/bin/magento indexer:reindex
Customer Grid index has been rebuilt successfully in 00:00:00
Category Products index has been rebuilt successfully in 00:00:00
Product Categories index has been rebuilt successfully in 00:00:00
Product Price index has been rebuilt successfully in 00:00:00
Product EAV index has been rebuilt successfully in 00:00:00
Stock index has been rebuilt successfully in 00:00:00
Catalog Rule Product index has been rebuilt successfully in 00:00:00
Catalog Product Rule index has been rebuilt successfully in 00:00:00
Catalog Search index has been rebuilt successfully in 00:00:00

Making the function portable

If you've got a lot of domain groups, you can make it much more portable by making the function use variables to define the environment and just pass the domain group name in as an argument.

function dg()
{
  local DG="$1"
  local CMD="fakechroot /usr/sbin/chroot /microcloud/domains/$DG /bin/bash"
  shift
  if [ $# -gt 0 ]; then
    echo "$@" | $CMD
  else
    $CMD
  fi
}

Make it a permanent change by opening /home/www-data/.bash_profile and appending the function to the end of the file. Then use the new command like so,

dg [domain-group] [command]

Eg.

dg example php -v