Chrooted PHP-FPM script cannot resolve DNS after a moment

Tags: php, dns, chroot

I need some help to understand why a PHP script chrooted via PHP-FPM fails to resolve an FQDN a few moments after the PHP-FPM service has started.

When I (re)start the PHP-FPM service, it works (resolution succeeds) for a few seconds and then resolution fails.

I chrooted a PHP application (a WordPress actually) via PHP-FPM (setting `chroot` in the PHP-FPM pool configuration file) and gave PHP what it needed:

  • A basic /etc/hosts file
  • A mount --bind of /etc/ssl/certs
  • A /dev/urandom (via mknod)
  • A mount --bind of /usr/share/zoneinfo
  • A mount --bind of /var/run/mysqld for the socket to MySQL.
  • A mount --bind of /var/run/nscd for the socket to nscd resolver.
  • A place to store PHP sessions

I noticed the issue when WordPress complained it could not download updates with:

```
stream_socket_client(): php_network_getaddresses: getaddrinfo failed: Name or service not known
stream_socket_client(): unable to connect to tcp://www.wordpress.org:80 (php_network_getaddresses: getaddrinfo failed: Name or service not known)
```

Sample script:

```php
<?php
$domain = 'www.example.com';
echo 'gethostbynamel(): '; var_dump(gethostbynamel($domain));
echo 'checkdnsrr(): ';     var_dump(checkdnsrr($domain, 'A'));
echo 'dns_get_record(): '; var_dump(dns_get_record($domain));
?>
```

When it works:

```
gethostbynamel(): array(1) {
  [0]=>
  string(13) "93.184.216.34"
}
checkdnsrr(): bool(true)
dns_get_record(): array(1) {
  [0]=>
  array(5) {
    ["host"]=>
    string(15) "www.example.com"
    ["class"]=>
    string(2) "IN"
    ["ttl"]=>
    int(86348)
    ["type"]=>
    string(1) "A"
    ["ip"]=>
    string(13) "93.184.216.34"
  }
}
```

After a few moments:

```
gethostbynamel(): bool(false)
checkdnsrr(): bool(true)
dns_get_record(): array(1) {
  [0]=>
  array(5) {
    ["host"]=>
    string(15) "www.example.com"
    ["class"]=>
    string(2) "IN"
    ["ttl"]=>
    int(86400)
    ["type"]=>
    string(1) "A"
    ["ip"]=>
    string(13) "93.184.216.34"
  }
}
```

Note that, in any case, both dns_get_record() and checkdnsrr() always work fine.

Three questions:

  1. What makes dns_get_record() and checkdnsrr() manage to resolve the FQDN when gethostbynamel() fails?
  2. What does gethostbynamel() need in a chrooted setup?
  3. What could make it work for only a few moments?

Software versions:

  • Debian 9
  • Nginx 10.3
  • PHP 7.0.19

Thanks

asked Dec 20 '17 23:12

CDuv


1 Answer

Per the comment on the question, Chrooted PHP-FPM script cannot resolve DNS after a moment, the OP was able to resolve the issue by adding the following files to the jail:

  • /lib/x86_64-linux-gnu/libnss_dns.so.2 (or, depending on OS variant, /lib/libnss_dns.so)
  • /etc/nsswitch.conf
  • /etc/resolv.conf

answered Nov 07 '22 14:11

Mike Mackintosh
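
An added example (not code from the question or the answer): a shell check that a jail holds what the answer lists, `/etc/nsswitch.conf`, `/etc/resolv.conf` and the NSS module, generalized to one `libnss_<service>.so.2` for every service named on the jail's `hosts:` line. It assumes a glibc that loads those services from separate module files, as with the `libnss_dns.so.2` in the answer; the function names and the jail path argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit a chroot jail for the files hostname resolution needs.
# Assumption: hosts services are loaded from libnss_<service>.so.2 files.

# Print, one per line, the services on the "hosts:" line of the jail's
# nsswitch.conf, dropping comments and action items like [NOTFOUND=return].
jail_hosts_services() {
    sed -n 's/#.*//; s/^[[:space:]]*hosts:[[:space:]]*//p' "$1/etc/nsswitch.conf" |
        sed 's/\[[^]]*]//g' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Report what is missing under the jail; the return status is the number
# of missing items (0 means the jail has everything this check looks for).
check_jail_nss() {
    jail=$1
    missing=0
    for f in etc/nsswitch.conf etc/resolv.conf; do
        [ -r "$jail/$f" ] || { echo "missing: /$f"; missing=$((missing + 1)); }
    done
    # Without nsswitch.conf there is no hosts: line to inspect.
    [ -r "$jail/etc/nsswitch.conf" ] || return "$missing"
    for svc in $(jail_hosts_services "$jail"); do
        # Look in the usual library directories, relative to the jail root.
        found=$(find "$jail/lib" "$jail/lib64" "$jail/usr/lib" \
                    -name "libnss_$svc.so.2" 2>/dev/null | head -n 1)
        [ -n "$found" ] || {
            echo "missing: libnss_$svc.so.2 (hosts: $svc)"
            missing=$((missing + 1))
        }
    done
    return "$missing"
}

# Stand-alone use: sh check_jail.sh /path/to/jail (path is a placeholder).
if [ "$#" -gt 0 ]; then
    check_jail_nss "$1"
fi
```

Run it against the directory the pool's `chroot` setting points at; each `missing:` line names a file to copy or bind-mount into the jail.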