After I upgraded to ISPConfig 3.2.1 my /var/log/ispconfig/cron.log file started flooding the following messages:

Code:
...
Tue Dec 8 11:23:45 CET 2020 PHP 47. unlink() /usr/local/ispconfig/server/lib/classes/system.inc.php:1025
Tue Dec 8 11:23:45 CET 2020 PHP Warning: unlink(/var/www/clients/client1/web4/sys/block/dm-0/bdi/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/11:0/subsystem/253:5/subsystem/7:7/subsystem/7:5/subsystem/253:9/subsystem/253:6/subsystem): Operation not permitted in /usr/local/ispconfig/server/lib/classes/system.inc.php on line 1025
Tue Dec 8 11:23:45 CET 2020 PHP Stack trace:
Tue Dec 8 11:23:45 CET 2020 PHP 1. {main}() /usr/local/ispconfig/server/cron.php:0
Tue Dec 8 11:23:45 CET 2020 PHP 2. cronjob_jailkit_maintenance->run() /usr/local/ispconfig/server/cron.php:116
Tue Dec 8 11:23:45 CET 2020 PHP 3. cronjob_jailkit_maintenance->onRunJob() /usr/local/ispconfig/server/lib/classes/cronjob.inc.php:87
Tue Dec 8 11:23:45 CET 2020 PHP 4. system->update_jailkit_chroot() /usr/local/ispconfig/server/lib/classes/cron.d/600-jailkit_maintenance.inc.php:116
Tue Dec 8 11:23:45 CET 2020 PHP 5. system->remove_broken_symlinks() /usr/local/ispconfig/server/lib/classes/system.inc.php:2640
Tue Dec 8 11:23:45 CET 2020 PHP 6. system->remove_broken_symlinks() /usr/local/ispconfig/server/lib/classes/system.inc.php:1022
Tue Dec 8 11:23:45 CET 2020 PHP 7. system->remove_broken_symlinks() /usr/local/ispconfig/server/lib/classes/system.inc.php:1022
Tue Dec 8 11:23:45 CET 2020 PHP 8. system->remove_broken_symlinks() /usr/local/ispconfig/server/lib/classes/system.inc.php:1022
...

As you can see I have to use sys inside the jailkit of some websites in order for the jailkit users to be able to use node, npm and other cli tools.
After I unmounted /var/www/clients/client1/web4/sys and all the other mounts like this for other websites, the cron was able to finish. However this is not ideal as the jailkit users need these mountpoints in their jail.
You shouldn't need any symlinks to sys for nodejs or npm, or any cli tools that I'm aware of. You can just install nodejs, npm, composer, wp-cli etc. on the server normally, just as you would any other package, and then add them as sections to your jk_init.ini file. Then add them as Jailkit chroot app sections in system->server config->server->jailkit or in sites->websites->'sitename'->options. If you search on this site, the jailkit config for them has been posted in a couple of different threads.
node/npm is also included in jk_init.ini in nightly builds (so will be in 3.2.2). To stop the messages being printed right now, try putting an ampersand on the unlink() call on line 1025 (i.e.: @unlink("$path/$object");). As to the overall scenario, it will need a bit more thought/research. Possibly sys should not be listed as a jailkit_dir (as proc is not listed), or maybe those should both be considered specially (if it is a mount point, don't process; if a normal directory, do?).
Thanks. Putting it this way I can't even remember why I needed /sys to be mounted inside the jails. Everything seems to be working fine without it. I unmounted it from every jail permanently. I still need the following mount points inside the jail. Will any of these cause any problems?
/proc
/dev/pts (for tmux)
/var/run/mysqld
I don't know of any problems in the jailkit cleanup with those. /proc isn't handled at all, and /dev/pts is just a directory with character devices and bind mounting (I assume, for the socket) the /var/run/mysqld dir shouldn't cause a problem for maintenance (possibly for removing the jail). As for any other type of problem, adding /proc certainly has security implications.
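
Added example, not part of the thread and not ISPConfig's code: a Python version of the idea raised above of treating mount points specially during broken-symlink cleanup. It takes mount points from /proc/self/mountinfo-style text, skips them, and never follows symlinked directories; the function names and the temporary jail layout are constructed for illustration.

```python
import os
import re
import tempfile

def mount_points(mountinfo_text):
    """Return the set of mount points (field 5) from /proc/self/mountinfo text."""
    points = set()
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            # The kernel escapes space, tab, newline and backslash as \ooo octal.
            path = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
            points.add(os.path.normpath(path))
    return points

def remove_broken_symlinks(root, mounts, dry_run=False):
    """Remove dangling symlinks below root; never enter mounts or symlinked dirs."""
    removed, skipped = [], []
    stack = [root]
    while stack:
        current = stack.pop()
        with os.scandir(current) as it:
            entries = list(it)
        for entry in entries:
            if entry.is_symlink():
                if not os.path.exists(entry.path):  # target missing: dangling link
                    if not dry_run:
                        os.unlink(entry.path)
                    removed.append(entry.path)
                # Valid links are left in place and never followed.
            elif entry.is_dir(follow_symlinks=False):
                if os.path.normpath(entry.path) in mounts:
                    skipped.append(entry.path)  # e.g. <jail>/sys or <jail>/proc
                else:
                    stack.append(entry.path)
    return sorted(removed), sorted(skipped)

def demo():
    """Build a constructed jail in a temp dir and clean it."""
    jail = os.path.realpath(tempfile.mkdtemp(prefix="jail-"))
    os.makedirs(os.path.join(jail, "usr", "bin"))
    os.makedirs(os.path.join(jail, "sys", "block"))
    os.symlink("/nonexistent/node", os.path.join(jail, "usr", "bin", "node"))
    os.symlink("/nonexistent/dev", os.path.join(jail, "sys", "block", "gone"))
    os.symlink("..", os.path.join(jail, "usr", "bin", "loop"))  # symlinked dir
    # Constructed mountinfo line marking <jail>/sys as a mount point.
    info = "97 29 0:21 / %s/sys rw,nosuid shared:7 - sysfs sysfs rw\n" % jail
    return jail, remove_broken_symlinks(jail, mount_points(info))
```

Reading the mount table rather than comparing device numbers also catches bind mounts whose source is on the same filesystem as the jail.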