Fresh install of ISPConfig v3.1.15p3 running on Debian Buster with Jailkit v2.21 using Perfect Server guide. After creating an SFTP (shell) user with Jailkit the user is unable to log in. There appear to be multiple issues together conspiring in producing this symptom:

- error in /etc/jailkit/jk_init.ini
- missing /bin/bash (+ others)
- concern between Jailkit v2.2.1 on Debian 10 (or Python?)

~~~

Looking at /var/log/auth.log yields this hint:

Code:
    jk_chrootsh[10490]: ERROR: failed to execute shell /bin/bash for user ****** (####), check the permissions and libraries of /var/www/clients/client1/web###//bin/bash

OK, so peeking inside the web user's I note that there are a lot of missing binaries:

Code:
    $ ls bin
    basename dircolors dirname groups id lesspipe mysql mysqldump nano patch pico rm tar unzip zip

Digging further, I found this entry in /var/log/ispconfig/cron.log:

Code:
    Tue 15 Sep 2020 10:29:01 AM CDT Traceback (most recent call last):
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/sbin/jk_init", line 261, in <module>
    Tue 15 Sep 2020 10:29:01 AM CDT main()
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/sbin/jk_init", line 258, in main
    Tue 15 Sep 2020 10:29:01 AM CDT activateConfig(config, jail, args)
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/sbin/jk_init", line 164, in activateConfig
    Tue 15 Sep 2020 10:29:01 AM CDT cfg.read([config['file']])
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/lib/python3.7/configparser.py", line 696, in read
    Tue 15 Sep 2020 10:29:01 AM CDT self._read(fp, filename)
    Tue 15 Sep 2020 10:29:01 AM CDT File "/usr/lib/python3.7/configparser.py", line 1091, in _read
    Tue 15 Sep 2020 10:29:01 AM CDT fpname, lineno)
    Tue 15 Sep 2020 10:29:01 AM CDT configparser.DuplicateOptionError: While reading from '/etc/jailkit/jk_init.ini' [line 115]: option 'includesections' in section 'openvpn' already exists
    Tue 15 Sep 2020 10:29:02 AM CDT invalid shell, /var/www/clients/client1/web597/bin/bash does not exist
    Tue 15 Sep 2020 10:29:02 AM CDT finished.
When I try to run jk_list:

Code:
    # jk_list
    bash: jk_list: command not found
    # /usr/sbin/jk_list
    Traceback (most recent call last):
      File "/usr/sbin/jk_list", line 159, in <module>
        main()
      File "/usr/sbin/jk_list", line 156, in main
        printResults(results,wide)
      File "/usr/sbin/jk_list", line 92, in printResults
        results.sort()
    TypeError: '<' not supported between instances of 'ListResult' and 'ListResult'

~~~

I've noted there are others who are recently describing similar issues, but this one in particular looks related: https://www.howtoforge.com/community/threads/possible-ubuntu-20-04-jailkit-issue.85071/#post-408047
Fix for the reported Jailkit error is straightforward:

Code:
    configparser.DuplicateOptionError: While reading from '/etc/jailkit/jk_init.ini' [line 115]: option 'includesections' in section 'openvpn' already exists

Looking in /etc/jailkit/jk_init.ini simply delete the duplicate `includesections` found in `openvpn`. After this fix is applied I'm able to mostly create a jailkit manually for that user's directory:

Code:
    $ sudo jk_init -j /var/www/clients/client1/web597/ basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh usr/bin/var/www/clients/client1/web597/bin

Code:
    Traceback (most recent call last):
      File "/usr/sbin/jk_init", line 261, in <module>
        main()
      File "/usr/sbin/jk_init", line 258, in main
        activateConfig(config, jail, args)
      File "/usr/sbin/jk_init", line 173, in activateConfig
        ji.handle_cfg_section(config,jail,cfg,section)
      File "/usr/sbin/jk_init", line 110, in handle_cfg_section
        self.handle_cfg_section(config,chroot,cfg,tmp)
      File "/usr/sbin/jk_init", line 157, in handle_cfg_section
        jk_lib.create_parent_path(chroot,os.path.dirname(tmp), config['verbose'], copy_permissions=0, allow_suid=0, copy_ownership=0)
      File "/usr/share/jailkit/jk_lib.py", line 485, in create_parent_path
        os.mkdir(jailpath, dir_mode)
    PermissionError: [Errno 1] Operation not permitted: '/var/www/clients/client1/web597/dev'

Is there some method of triggering a rebuild of jailkit for a given vhost, or will I have to delete the ISPConfig Site and start anew?
Remove the /etc/jailkit/ directory within the jail, then update something (eg. password) in your shell user.
Yeah, the overall situation will improve with 3.2, but that doesn't help you today, unless you'd like to beta test things (not recommended for production).
The more I look into it, appears some of this is Jailkit vs. Python 3: https://lists.libreplanet.org/archive/html/jailkit-dev/2020-01/msg00000.html https://lists.libreplanet.org/archive/html/jailkit-dev/2020-08/msg00000.html I wonder if downgrading Jailkit to v2.20 would solve it, given this notation to the v2.21 release news: "Jailkit 2.21 is a maintenance release that adds full python 3 compatibility."
Perhaps the issue is due to python 3 not parsing the jail with the duplicate section the same as an older version did (I really don't know), but the first link you post explains the simple workaround is to remove the extra includesections line. I use 2.21 on Buster without issue. For fun I also tested adding that extraneous includesections line back in to my jk_init.ini on a buster system with 2.20, and it produces the exact same failure, so a clear 'no' on that idea as a workaround.
I'm seeing what I think is this same error:

Code:
    # jk_cp -j /var/www/clients/client$n/web$n/ /usr/bin/git
    Traceback (most recent call last):
      File "/usr/sbin/jk_cp", line 121, in <module>
        main()
      File "/usr/sbin/jk_cp", line 118, in main
        startcopy(config, jail, args)
      File "/usr/sbin/jk_cp", line 47, in startcopy
        allow_suid=config['retainsetuid'], retain_owner=config['retainowner'])
      File "/usr/share/jailkit/jk_lib.py", line 642, in copy_binaries_and_libs
        create_parent_path(chroot,os.path.dirname(file), be_verbose, copy_permissions=1, allow_suid=allow_suid, copy_ownership=retain_owner)
      File "/usr/share/jailkit/jk_lib.py", line 464, in create_parent_path
        os.mkdir(jailpath, 0755)
    OSError: [Errno 1] Operation not permitted: '/var/www/clients/client$n/web$n/usr'

Has a solution/fix been found?
<slaps head> sorry, forgot to include this info:

Code:
    OS: Linux 4.19.0-8-686-pae #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) i686
    ISPConfig 3.2.1

jk_cp doesn't appear to have any version information, but the md5 may help:

Code:
    md5sum /usr/sbin/jk_cp
    ef58f649ed1643bee8b53448219fa1d3 /usr/sbin/jk_cp
Looks like you have Debian Buster, you can verify with

Code:
    lsb_release -a
    cat /etc/debian_version

Check what version jailkit is now:

Code:
    apt policy jailkit

For Buster jailkit is available from Debian Backports, https://packages.debian.org/buster-backports/jailkit Read how to add backports and install jailkit from there: https://backports.debian.org/ With that jailkit it may start working better.
Buster, yep, and the other info is here:

Code:
    # lsb_release -a
    No LSB modules are available.
    Distributor ID: Debian
    Description: Debian GNU/Linux 10 (buster)
    Release: 10
    Codename: buster
    # cat /etc/debian_version
    10.6
    # apt policy jailkit
    jailkit:
      Installed: 2.19-1
      Candidate: 2.19-1
      Version table:
     *** 2.19-1 100
            100 /var/lib/dpkg/status
Installed from buster backports:

Code:
    # apt policy jailkit
    jailkit:
      Installed: 2.21-2~bpo10+1
      Candidate: 2.21-2~bpo10+1
      Version table:
     *** 2.21-2~bpo10+1 100
            100 http://deb.debian.org/debian buster-backports/main i386 Packages
            100 /var/lib/dpkg/status

Unfortunately no difference:

Code:
    # jk_cp -j /var/www/clients/clientn/webn/ /usr/bin/git
    Traceback (most recent call last):
      File "/usr/sbin/jk_cp", line 123, in <module>
        main()
      File "/usr/sbin/jk_cp", line 120, in main
        startcopy(config, jail, args)
      File "/usr/sbin/jk_cp", line 49, in startcopy
        allow_suid=config['retainsetuid'], retain_owner=config['retainowner'])
      File "/usr/share/jailkit/jk_lib.py", line 668, in copy_binaries_and_libs
        create_parent_path(chroot,os.path.dirname(file), be_verbose, copy_permissions=1, allow_suid=allow_suid, copy_ownership=retain_owner)
      File "/usr/share/jailkit/jk_lib.py", line 485, in create_parent_path
        os.mkdir(jailpath, dir_mode)
    PermissionError: [Errno 1] Operation not permitted: '/var/www/clients/clientn/webn/usr'
    #
The base web# directory of a site is set immutable, you sometimes need to change that if you run jk_cp manually. Note in 3.2 you can set jailkit options for each individual site, so just copy the jailkit sections from your server config to the website options, add 'git' to the end, and it should just work.
I appreciate the feedback, Jesse and Taleman both. I'm really trying to avoid having to change the configuration for each individual site manually. That's an admin's nightmare, surely. There must be some way for this to work nearly "out of the box". I'm just trying to apply a single new application (git) to all existing sites. This cannot be so complicated, surely?

Code:
    . ~/bin/jk_updater_ispc -v

The above code is what I would ideally use. However, this runs and does nothing as, if I recall correctly, this command is only useful for NEW sites. What I need is to update existing sites, hence my use of the `jk_cp` command earlier.
Try this:

Code:
    chattr -i /var/www/clients/client$n/web$n
    jk_cp -j /var/www/clients/client$n/web$n/ /usr/bin/git
    chattr +i /var/www/clients/client$n/web$n
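The chattr sequence above, wrapped so the immutable flag is put back even when jk_cp fails, and applied to a list of jails. This is an added example, not code from the thread, ISPConfig or Jailkit; the function names are hypothetical, and it assumes `lsattr`, `chattr` and `jk_cp` are on PATH and that it runs as root.

```python
import subprocess


def is_immutable(path, run=subprocess.run):
    """True if `lsattr -d` reports the immutable ('i') attribute on path."""
    out = run(["lsattr", "-d", path], check=True,
              capture_output=True, text=True).stdout
    return "i" in out.split()[0]   # first field is the flag string


def jk_cp_into_jail(jail, binary, run=subprocess.run):
    """Run `jk_cp -j jail binary`, lifting the immutable flag only if set.

    The flag is restored in a finally block, so a failing jk_cp cannot
    leave the site's base directory without its immutable flag.
    """
    was_immutable = is_immutable(jail, run)
    if was_immutable:
        run(["chattr", "-i", jail], check=True)
    try:
        run(["jk_cp", "-j", jail, binary], check=True)
    finally:
        if was_immutable:
            run(["chattr", "+i", jail], check=True)


def update_jails(jails, binary, run=subprocess.run):
    """Copy binary into each jail; return {jail: exception} for failures."""
    failures = {}
    for jail in jails:
        try:
            jk_cp_into_jail(jail, binary, run)
        except (subprocess.CalledProcessError, OSError) as exc:
            failures[jail] = exc
    return failures


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): fix_jails.py /usr/bin/git JAIL [JAIL ...]
    failed = update_jails(sys.argv[2:], sys.argv[1])
    for jail, exc in failed.items():
        print("FAILED %s: %s" % (jail, exc), file=sys.stderr)
    sys.exit(1 if failed else 0)
```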
The specific issue is resolved via Till's comment above (using chattr). Still, I'd like to get the general procedure correct for future use. Do you mean that just adding the app. to the server config is sufficient to run the built-in jailkit updater against all existing sites? System -> Server Config -> Host -> Jailkit And this should work, as I'd have expected, regardless whether existing old site or future new site?