Jailkit: copy over ca-certificates

Discussion in 'Feature Requests' started by Hbod, Mar 21, 2017.

  1. Hbod

    Hbod Member

    When using Jailkit, wget/git commands under jail will fail due to missing ca-certificates.
    I had to copy over
    cp /etc/ssl/certs/ca-certificates.crt /var/www/clients/client1/etc/ssl/certs/
    to make HTTPS Request possible (without the use of --no-certificate-check). Could you guys consider automatically copying over the ca-file inside jails?
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You sure that shouldn't be /var/www/clients/client1/web1/etc/ssl/certs/? On my system (debian jessie) the jailkit root dirs are the web*, not client*, directories. The correct way to add it to an existing jail is with jk_cp, rather than cp, though in this case the results are probably identical:
    Code:
    jk_cp -j /var/www/clients/client1/web1/ /etc/ssl/certs/ca-certificates.crt
    Leaving aside discussion of adding that to howto's or default ispconfig configuration, this is easy to do on your system. To include that in all new jails, edit /etc/jailkit/jk_init.ini and add that file into a section that is used by default; eg. the [netutils] section is what adds wget, so put it in there:
    Code:
    [netutils]
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    regularfiles = /etc/ssl/certs/ca-certificates.crt
    includesections = netbasics, ssh, sftp, scp
    
    To update all current jails, you can script the jk_cp:
    Code:
    grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 jk_cp -j @ /etc/ssl/certs/ca-certificates.crt
    And while you're at it, add a cronjob to keep all your jails updated (note that security updates for libc, wget, curl and such aren't propagated into your jails by default - something ispconfig definitely could/should do). Save this as /usr/local/sbin/jk_update_all (modify as needed):
    Code:
    #!/bin/bash
    
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    # Simple script to parse jailkit root directories from /etc/passwd
    # and run jk_update for each one.  Run periodically from cron and
    # manually after security updates.
    
    function update_jail() {
        jk_update --jail=${@} --skip=/opt | grep -v '^skip '
    }
    export -f update_jail
    
    grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 bash -c "update_jail @"
    
    Make that executable and run it from a cronjob:
    Code:
    chmod +x /usr/local/sbin/jk_update_all
    echo '24 3 * * *  root  /usr/local/sbin/jk_update_all' > /etc/cron.d/jk_update
    
     
    Last edited: Mar 23, 2017
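    Added example (not from the thread, nor from Jailkit or ISPConfig): the post above does two things by hand, finding jail roots in /etc/passwd and copying the CA bundle into each one. The script below combines them into a check-then-sync so that a cron run can report which jails are missing the bundle or carry a stale copy (a CA bundle that falls behind the host is the same problem as the unpatched libc the post mentions). It parses the `/./` marker from the passwd home field like the one-liner above, refuses a jail root of `/` or anything with parent traversal (the mistake raised later in the thread), and uses jk_cp when present. The passwd path, bundle path and the `JK_CP` override are assumptions settable via environment; the cp fallback is only there so the example runs on a box without jailkit.

```bash
#!/bin/bash
# Added example, not part of the thread or of Jailkit/ISPConfig.
# Checks and syncs the host CA bundle into every jailkit root listed in /etc/passwd.
set -u

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"                        # assumption: overridable
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"     # assumption: Debian path
JK_CP="${JK_CP:-jk_cp}"                                          # assumption: jk_cp in PATH

# Print each distinct jail root: the part of the home field before "/./".
# jailkit marks jailed accounts as  /var/www/clients/client1/web1/./home/user
jail_roots_from_passwd() {
    awk -F: 'index($6, "/./") { print substr($6, 1, index($6, "/./") - 1) }' "$1" | sort -u
}

# Refuse anything that could turn a "jail" operation into a host operation.
valid_jail_root() {
    local root="$1"
    [ -n "$root" ] || return 1
    [ "$root" != "/" ] || return 1
    case "$root" in
        /*) ;;                       # must be absolute
        *)  return 1 ;;
    esac
    case "$root" in
        */../*|*/..) return 1 ;;     # no parent traversal
    esac
    [ -d "$root" ]
}

# Report ok | missing | stale for the CA bundle inside one jail.
ca_bundle_status() {
    local root="$1" bundle="${2:-$CA_BUNDLE}"
    local inside="$root$bundle"
    if [ ! -f "$inside" ]; then
        echo missing
    elif ! cmp -s "$bundle" "$inside"; then
        echo stale
    else
        echo ok
    fi
}

# Copy the bundle into a jail when it is missing or differs from the host copy.
# jk_cp is preferred (it is what jailkit expects); plain cp is a fallback for hosts
# without jailkit so the example can be exercised anywhere.
sync_ca_bundle() {
    local root="$1" bundle="${2:-$CA_BUNDLE}" status
    if ! valid_jail_root "$root"; then
        echo "refusing suspicious jail root: '$root'" >&2
        return 1
    fi
    if [ ! -f "$bundle" ]; then
        echo "host bundle not found: $bundle" >&2
        return 1
    fi
    status="$(ca_bundle_status "$root" "$bundle")"
    if [ "$status" = ok ]; then
        return 0
    fi
    if command -v "$JK_CP" >/dev/null 2>&1; then
        "$JK_CP" -j "$root" "$bundle"
    else
        mkdir -p "$root$(dirname "$bundle")"
        cp -p "$bundle" "$root$bundle"
    fi
    echo "$root: $status -> synced"
}

# Run the sync over every jail root found in PASSWD_FILE; exit 1 if any jail failed.
sync_all_jails() {
    local root rc=0 list
    list="$(mktemp)"
    jail_roots_from_passwd "$PASSWD_FILE" > "$list"
    while IFS= read -r root; do
        sync_ca_bundle "$root" || rc=1
    done < "$list"
    rm -f "$list"
    return "$rc"
}

# Invoke as:  jk_ca_sync --all   (e.g. from cron, after the jk_update_all run)
if [ "${1:-}" = "--all" ]; then
    sync_all_jails
fi
```

    Running it with `--all` from the same cron.d entry as jk_update_all keeps the bundle current after an update-ca-certificates on the host; running `ca_bundle_status` alone is a cheap audit of which jails would still fail HTTPS.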
  3. Hbod

    Hbod Member

    Thank you very much for these awesome notes. Of course, you are right, I forgot /web1/ (I just wrote down the lines from memory, not a real copy from my terminal).

    I will use your stuff asap and report back my feedback. This should be added to ISPConfig (esp. the update part, I thought they were symlinked and up-to-date automatically).
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  5. Hbod

    Hbod Member

    Dear Jesse, thank you again 1000 times. It worked perfectly. (You just need to mention that jk_update_all needs execute permission:

    chmod +x jk_update_all

    )
    Besides that, it worked perfectly!
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Heh, sorry, I did add that in a subsequent edit, you just opened my reply too fast. :)
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    minor update on the above update script (added PATH)
     
  8. Hbod

    Hbod Member

    @Jesse Norell I am getting a lot of Errors:
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/node_modules/JSONStream
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/search
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/doctor
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/test

    Can I ignore them?
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I've not come across that before. A quick search finds this bug, with a patch if you want to try it. The error is the same, and apparently has to do with directories, not files, so may or may not be the exact issue you're seeing: http://savannah.nongnu.org/bugs/?48254
     
  10. manyk

    manyk New Member

    Better use the following netutils section or the https connections will fail inside the jail:
    Code:
    [netutils]
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    directories = /etc/ssl/certs/
    regularfiles = /usr/lib/ssl/certs
    includesections = netbasics, ssh, sftp, scp
    # the following line is optional - it may be removed or commented
    hardlinks = 1
    
     
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    ** I posted an improved version of the above jk_update_all script ** - anyone using the above (and I will assert that everyone using jailkit should be doing something similar to keep security updates flowing to their jail environments) should take note.

    I upgraded a web server OS (debian 8 -> 9), and all existing jails were broken once jk_update ran on them (there is a note in the jk_update man page that it doesn't handle things like an OS upgrade so well). There were a few changes needed in jk_init.ini for debian 9 (missing libraries/paths), but the main issue was jk_update (and jk_init) removes some files (libraries), but does not clean up symlinks pointing to them. I posted a replacement for the above jk_update_all script in the issue 2140 which does some cleanup in the jail for these dangling symlinks, and also allows completely reinitializing jails using the jailkit sections/applications specified in ispconfig.
     
  12. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I just posted a minor update to jk_update_all so it works on pae architecture.
     
    till likes this.
  13. Hbod

    Hbod Member

    @till Would be nice to see this as core feature.
     
  14. OptimBro

    OptimBro Member

    +1
     
  15. elmacus

    elmacus Active Member

    New Buster install for me with backports of Jailkit 2.21 is broken, jk_init and jk_update stop. https://lists.libreplanet.org/archive/html/jailkit-dev/2020-01/msg00001.html
    2 files need a fix:

    /etc/jailkit/jk_init.ini
    Code:
    [openvpn]
    #includesections = netbasics
    
    and
    
    /usr/sbin/jk_update
    Code:
    #if (not config.has_key('hardlink') and cfg.has_option(configsection,'hardlink')):
    if ('hardlink' not in config and cfg.has_option(configsection,'hardlink')):
    #if (not config.has_key('hardlink')):
    if ('hardlink' not in config):
    
    After fixing these, jk_updater_ispc worked.
     
    Taleman likes this.
  16. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Nice, I didn't realize debian had any jailkit packages. I'm running 2.21 compiled from source on multiple debian buster servers right now and haven't seen those problems offhand.

    Note that ispconfig has a jk_init.ini config template, so you will have either debian's or ispconfig's depending on whether you reconfigured services in the ISPconfig updater since you installed jailkit or not. Mind sharing your jk_init.ini here? (or is it simply this one with that single change?)

    If code changes are needed, definitely submit that against the debian package and/or upstream source. I've not had a problem here, and if it helps, I have hardlinks disabled (do not use hardlinks in your jails, it's a major security issue):
    Code:
    # grep hardlink /etc/jailkit/*
    /etc/jailkit/jk_update.ini:hardlinks = 0
    
     
    elmacus likes this.
  17. elmacus

    elmacus Active Member

    @Jesse Norell
    Sorry to report but on the third server I tested, the script deleted a lot of system files. Had to restore from disaster recovery.
    More info in git.
     
  18. elmacus

    elmacus Active Member

    Because /etc/jailkit/jk_init.ini has two rows of those. There must be only one.

    Code:
    [openvpn]
    comment = jail for the openvpn daemon
    paths = /usr/sbin/openvpn
    users = root,nobody
    groups = root,nogroup
    includesections = netbasics
    devices = /dev/urandom, /dev/random, /dev/net/tun
    includesections = netbasics, uidbasics
    need_logsocket = 1
    
    I copied from upstream Olivier Sessink for /usr/sbin/jk_update , see link in former post.
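    Added example (not from the thread, nor from Jailkit or ISPConfig): the breakage above came from a duplicated `includesections` key in one jk_init.ini section, which is easy to miss in a long file and which the ISPConfig template apparently shipped. The function below is a small lint for exactly that: it walks an ini-style file, counts keys per section and prints `section key count` for any key that repeats, exiting non-zero so it can run before jk_init/jk_update in a cron or deploy step. It assumes no key in jk_init.ini is legitimately allowed to repeat within a section, which matches every section in the thread; comments (`#`, `;`) are skipped and the same key in different sections is not reported.

```bash
#!/bin/bash
# Added example, not part of the thread or of Jailkit/ISPConfig.
# Report keys that appear more than once inside a single [section] of an ini file.
set -u

# Usage: ini_duplicate_keys /etc/jailkit/jk_init.ini
# Prints "section key count" per duplicate (sorted); returns 1 if any were found.
ini_duplicate_keys() {
    local file="$1" dups
    dups="$(awk '
        /^[[:space:]]*[#;]/ { next }                     # comment line
        /^[[:space:]]*\[.*\][[:space:]]*$/ {             # [section] header
            s = $0
            gsub(/^[[:space:]]*\[/, "", s)
            gsub(/\][[:space:]]*$/, "", s)
            section = s
            next
        }
        /^[[:space:]]*[^[:space:]=]+[[:space:]]*=/ {     # key = value
            k = $0
            sub(/[[:space:]]*=.*$/, "", k)               # drop "= value"
            sub(/^[[:space:]]*/, "", k)                  # drop indentation
            count[section SUBSEP k]++
        }
        END {
            for (i in count) {
                if (count[i] > 1) {
                    split(i, p, SUBSEP)
                    print p[1], p[2], count[i]
                }
            }
        }
    ' "$file" | sort)"
    if [ -z "$dups" ]; then
        return 0
    fi
    printf '%s\n' "$dups"
    return 1
}

# Example invocation when run as a script: lint the file given as first argument.
if [ "${1:-}" != "" ]; then
    ini_duplicate_keys "$1"
fi
```

    On the [openvpn] section quoted above this prints `openvpn includesections 2`; a clean file prints nothing and returns 0, so `ini_duplicate_keys /etc/jailkit/jk_init.ini || exit 1` makes a reasonable guard in front of a scripted jk_update run.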
     
  19. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Looks like the ISPConfig template has this problem, I'll submit an updated jk_init.ini in a merge request.
     
  20. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    To clarify, you mean inside the jail, or actual system files (outside any jail)? You can specify a jail to update on the command line, and it probably doesn't check to see if you specified "/" as the jail by mistake; I don't know what would happen if you were to do that, but it could be bad. I'll add a note to add that check.
     
