When using Jailkit, wget/git commands under jail will fail due to missing ca-certificates. I had to copy over cp /etc/ssl/certs/ca-certificates.crt /var/www/clients/client1/etc/ssl/certs/ to make HTTPS requests possible (without the use of --no-certificate-check). Could you guys consider automatically copying over the ca-file inside jails?
You sure that shouldn't be /var/www/clients/client1/web1/etc/ssl/certs/? On my system (debian jessie) the jailkit root dirs are the web*, not client*, directories. The correct way to add it to an existing jail is with jk_cp, rather than cp, though in this case the results are probably identical:
Code:
jk_cp -j /var/www/clients/client1/web1/ /etc/ssl/certs/ca-certificates.crt

Leaving aside discussion of adding that to howtos or default ispconfig configuration, this is easy to do on your system. To include that in all new jails, edit /etc/jailkit/jk_init.ini and add that file into a section that is used by default; e.g. the [netutils] section is what adds wget, so put it in there:
Code:
[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
regularfiles = /etc/ssl/certs/ca-certificates.crt
includesections = netbasics, ssh, sftp, scp

To update all current jails, you can script the jk_cp:
Code:
grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 jk_cp -j @ /etc/ssl/certs/ca-certificates.crt

And while you're at it, add a cronjob to keep all your jails updated (note that security updates for libc, wget, curl and such aren't propagated into your jails by default - something ispconfig definitely could/should do). Save this as /usr/local/sbin/jk_update_all (modify as needed):
Code:
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Simple script to parse jailkit root directories from /etc/passwd
# and run jk_update for each one. Run periodically from cron and
# manually after security updates.
function update_jail() {
    jk_update --jail=${@} --skip=/opt | grep -v '^skip '
}
export -f update_jail

grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 bash -c "update_jail @"

Make that executable and run it from a cronjob:
Code:
chmod +x /usr/local/sbin/jk_update_all
echo '24 3 * * * root /usr/local/sbin/jk_update_all' > /etc/cron.d/jk_update
Thank you very much for these awesome notes. Of course, you are right, I forgot /web1/ (I just wrote down the lines from my mind, not a real copy from my terminal). I will use your stuff asap and report back my feedback. This should be added to ISPConfig (esp. the update part, I thought they were symlinked and up-to-date automatically).
https://git.ispconfig.org/ispconfig/ispconfig3/issues/2140 is for doing jk_update, go thumbs-up that issue to bump it up in priority, and please do report your testing/findings.
Dear Jesse, thank you again 1000 times. It worked perfectly. (You just need to mention that jk_update_all needs execute permission: chmod +x jk_update_all.) Besides that, it worked perfectly!
@Jesse Norell I am getting a lot of errors:
Code:
ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/node_modules/JSONStream
ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/search
ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/doctor
ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/test

Can I ignore them?
I've not come across that before. A quick search finds this bug, with a patch if you want to try it. The error is the same, and apparently has to do with directories, not files, so may or may not be the exact issue you're seeing: http://savannah.nongnu.org/bugs/?48254
Better use the following netutils section or the https connections will fail inside the jail:
Code:
[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
directories = /etc/ssl/certs/
regularfiles = /usr/lib/ssl/certs
includesections = netbasics, ssh, sftp, scp
# the following line is optional - it may be removed or commented
hardlinks = 1
** I posted an improved version of the above jk_update_all script ** - anyone using the above (and I will assert that everyone using jailkit should be doing something similar to keep security updates flowing to their jail environments) should take note. I upgraded a web server OS (debian 8 -> 9), and all existing jails were broken once jk_update ran on them (there is a note in the jk_update man page that it doesn't handle things like an OS upgrade so well). There were a few changes needed in jk_init.ini for debian 9 (missing libraries/paths), but the main issue was jk_update (and jk_init) removes some files (libraries), but does not clean up symlinks pointing to them. I posted a replacement for the above jk_update_all script in the issue 2140 which does some cleanup in the jail for these dangling symlinks, and also allows completely reinitializing jails using the jailkit sections/applications specified in ispconfig.
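The dangling-symlink problem described above has a subtlety worth spelling out: the usual `find -xtype l` test resolves an absolute symlink target against the host, so a link inside the jail pointing at /lib/libfoo.so.1 looks healthy as long as the host still has that library, even when the jail's copy was removed. The function below is an added example, not the replacement jk_update_all from issue 2140 or any Jailkit code; it resolves absolute targets relative to the jail root (one level of indirection only) and prints the links that a chrooted process would find broken. The jail path in the usage comment is constructed.

```bash
#!/bin/bash
# Added example: report symlinks inside a jail whose targets are missing
# from the jail's point of view. Absolute targets are resolved relative to
# the jail root, so "/lib/x.so" means "$jail/lib/x.so", not the host's copy.

find_dangling_symlinks() {
    local jail=${1%/}            # strip one trailing slash; "/" becomes ""
    # Refuse an empty root: that would walk the host filesystem, not a jail.
    [ -n "$jail" ] && [ -d "$jail" ] || {
        echo "usage: find_dangling_symlinks JAILROOT" >&2
        return 2
    }
    find "$jail" -type l -print | while IFS= read -r link; do
        local target
        target=$(readlink "$link") || continue
        case $target in
            # absolute target: exists only if present under the jail root
            /*) [ -e "$jail$target" ] || printf '%s\n' "$link" ;;
            # relative target: resolved from the link's own directory
            *)  [ -e "$(dirname "$link")/$target" ] || printf '%s\n' "$link" ;;
        esac
    done
}

# Review the report first, then remove what it lists (constructed path):
#   find_dangling_symlinks /var/www/clients/client1/web1 | xargs -r rm -v
```

Run it against each jail root after jk_update or a distribution upgrade; anything it prints is a link that resolves on the host but not inside the chroot, which is exactly the class of leftover the post above describes.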
New Buster install for me with backports of Jailkit 2.21 is broken, jk_init and jk_update stop. https://lists.libreplanet.org/archive/html/jailkit-dev/2020-01/msg00001.html 2 files need a fix:
/etc/jailkit/jk_init.ini
Code:
[openvpn]
#includesections = netbasics

and /usr/sbin/jk_update
Code:
#if (not config.has_key('hardlink') and cfg.has_option(configsection,'hardlink')):
if ('hardlink' not in config and cfg.has_option(configsection,'hardlink')):
#if (not config.has_key('hardlink')):
if ('hardlink' not in config):

After fixing these, jk_updater_ispc worked.
Nice, I didn't realize debian had any jailkit packages. I'm running 2.21 compiled from source on multiple debian buster servers right now and haven't seen those problems offhand. Note that ispconfig has a jk_init.ini config template, so you will have either debian's or ispconfig's depending on whether you reconfigured services in the ISPconfig updater since you installed jailkit or not. Mind sharing your jk_init.ini here? (or is it simply this one with that single change?) If code changes are needed, definitely submit that against the debian package and/or upstream source. I've not had a problem here, and if it helps, I have hardlinks disabled (do not use hardlinks in your jails, it's a major security issue):
Code:
# grep hardlink /etc/jailkit/*
/etc/jailkit/jk_update.ini:hardlinks = 0
@Jesse Norell Sorry to report but on the third server I tested, the script deleted a lot of system files. Had to restore from disaster recovery. More info in git.
Because /etc/jailkit/jk_init.ini has two rows of those. There must be only one.
Code:
[openvpn]
comment = jail for the openvpn daemon
paths = /usr/sbin/openvpn
users = root,nobody
groups = root,nogroup
includesections = netbasics
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1

I copied from upstream Olivier Sessink for /usr/sbin/jk_update, see link in former post.
Looks like the ISPConfig template has this problem, I'll submit an updated jk_init.ini in a merge request.
To clarify, you mean inside the jail, or actual system files (outside any jail)? You can specify a jail to update on the command line, and it probably doesn't check to see if you specified "/" as the jail by mistake; I don't know what would happen if you were to do that, but it could be bad. I'll add a note to add that check.
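The scripts earlier in the thread take each jail root from the home field in /etc/passwd, and the last reply points out that nothing stops "/" from being handed to jk_update as the jail. The script below is an added example, not Jesse Norell's jk_update_all or anything shipped by Jailkit or ISPConfig, that addresses both: it splits the home path on the "/./" marker jailkit uses (so a jail path containing a dot is handled too, unlike `cut -d.`), deduplicates roots, and refuses to act on "/" or any non-absolute or dot-containing path. The passwd lines are constructed sample data; run_jk_update assumes the `--jail=` and `--skip=` options shown earlier in the thread.

```bash
#!/bin/bash
# Added example (not the jk_update_all script from this thread): derive jailkit
# roots from passwd entries and refuse to act on anything that is not a real jail.

# Constructed sample passwd entries; jailkit marks the jail boundary with "/./".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
web1:x:5004:5005::/var/www/clients/client1/web1/./home/web1:/usr/sbin/jk_chrootsh
web2:x:5005:5006::/var/www/clients/client1/web2/./home/web2:/usr/sbin/jk_chrootsh
web2git:x:5006:5006::/var/www/clients/client1/web2/./home/git:/usr/sbin/jk_chrootsh
broken:x:5007:5007::/./home/broken:/usr/sbin/jk_chrootsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Read passwd-format lines on stdin and print each distinct jail root once.
# Splitting on the "/./" marker instead of the first "." keeps a path such as
# /var/www/example.com/./home/x intact.
jail_roots() {
    awk -F: 'index($6, "/./") { print substr($6, 1, index($6, "/./")) }' | sort -u
}

# Accept only an absolute, non-root path with no ".", ".." or "//" components.
# A home of "/./home/x" yields "/" as the jail root; passing that to jk_update
# would run it against the host filesystem.
safe_jail_root() {
    local root=${1%/}                       # "/" and "" both become ""
    [ -n "$root" ] || return 1
    case $root in /*) ;; *) return 1 ;; esac
    case "$root/" in *"/../"*|*"/./"*|*"//"*) return 1 ;; esac
    return 0
}

# Same invocation as the update_jail function earlier in the thread.
run_jk_update() {
    jk_update --jail="$1" --skip=/opt | grep -v '^skip '
}

# Run "$@" once per safe jail root read from passwd-format stdin;
# unsafe roots are reported on stderr and skipped.
update_jails() {
    jail_roots | while IFS= read -r root; do
        if safe_jail_root "$root"; then
            "$@" "$root"
        else
            printf 'skipping unsafe jail root: %s\n' "$root" >&2
        fi
    done
}

# Dry run against the sample data:   ./jk_update_all_safe --demo
# Real use:                            update_jails run_jk_update < /etc/passwd
if [ "${1-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_PASSWD" | update_jails echo run_jk_update
fi
```

In the demo the "broken" account resolves to a jail root of "/" and is skipped with a message, while the two web2 accounts collapse to a single update of their shared jail.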