Cron job (and API)

Discussion in 'Installation/Configuration' started by francoisPE, Jan 27, 2021.

  1. francoisPE

    francoisPE Member HowtoForge Supporter

    Hello,
    My config is ISPC perfect server ubuntu 20.04.
    I am working on my 1st installed site (client0/web1)
    I have few questions on cron job.
    I set up a cron job in ISPConfig and try 'sudo -u web1 crontab -e' There is no job in crontab.
    I find my cronjob nowhere! Is that normal ? How can I ensure that my cronjob will be executed with the correct user... (web1) ?
    I also run API, sites_cron_add function. I wonder what cronjob type means : 'url', 'full', 'chrooted'.
    thanks to API, I set up a cronjob with type 'url'. In fact, it is a sh command '/usr/bin/php ...' When I run sites_cron_get function, the recorded type is 'full' !
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Cronjobs are added under /etc/cron.d/, not using crontab(1).
    Have your cronjob run /bin/id and see what it says.
    Surely this is in the manual, but 'url' will request a url on a schedule, 'chrooted' will run a command inside the website chroot jail (you must have jailkit installed), and 'full' will run a command outside the chroot jail. For security, prefer the first two and avoid 'full'.
    No idea what's wrong offhand. Try creating cronjobs via the ui and "get" those and see what they show. Generally you can take the exact same structure, make a change, and send it back in an update function - if so, and that "update" works, compare the data you're sending in your current "add" vs. the "update". If still needed, put it into a very simple example script showing the behavior and post here.
     
  3. francoisPE

    francoisPE Member HowtoForge Supporter

    Thanks a lot for all these detailled explanations.
    Regarding cron in API, I send to API 'url' type. It turns to 'full' when you give an bash command. That's good, now, I put chrooted.
    :)
     
  4. TonyG

    TonyG Active Member

    Rather than 'sudo -u web1 crontab -e', do you see the cron info with this? 'sudo crontab -e -u web1'
    The difference might be related to the environment under web1. You'll also notice that with your method you get the editor for the user web1, which might be nano, while with the second method you'll get your preferred editor, which might be vi.
    I'm not saying I know what the issue might be, just that the two commands do have different results, and if you're not seeing anything one way, try the other. HTH
     
  5. francoisPE

    francoisPE Member HowtoForge Supporter

    Thanks a lot.
    It helps me learn cron and crontab !
     
  6. francoisPE

    francoisPE Member HowtoForge Supporter

    Regarding cron turning from chrooted to full, I clarify :
    I set up chrooted for "admin" cron job through API.
    Obviously, admin with chrooted doesn't work...
    I open the job in web interface and when I save it it turns to "full" and works !
    It comes a question :
    The type of cronjob is not requested by ispc web interface. I imagine that it is driven by :
    - full for admin
    for client
    - url if url in cronjob command line
    - chrooted or full depending 'limit_cron_type' value
    Am I coorect ?
     
  7. francoisPE

    francoisPE Member HowtoForge Supporter

    I am back because I am not able to run chrooted cron job...
    for my client : SSH-Chroot Options --> both None & Jailkit
    for my server : Jailkit cron chrooted applications --> /usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php
    My cron job looks like :
    Code:
    #more /etc/cron.d/ispc_chrooted_web27
    MAILTO=''
    SHELL='/usr/sbin/jk_chrootsh'
    
    */5     *       *       *       *       web27   /usr/bin/php -f /var/www/myvhost/web/cron.php >>/private/cron.log 2>>/private/cron_error.log #myvhost
    
    It seems to be /usr/sbin/jk_chrootsh, which is red when I run 'ls /usr/sbin/jk_chrootsh'
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

  9. francoisPE

    francoisPE Member HowtoForge Supporter

    You are fully right. I am learning at the same time : trying to see how it works !
    I understood my mistake : I need a shell user to run a chrooted cronjob. That is obvious... ;)
    I create one, it works much better ...
    Just a query : shell user as '[clientname]web27' username, when cronjob is web27 !?
    :):):)
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    No, a shell user is not required. A chroot env gets created automatically when a chrooted cronjob gets created, but it might be that you configured additional programs in the jail for shell users. Also the website and all its processes like shell users and cronjob always run as the same user, no matter which username you pick for a shell user. Buta s mentioned before, the better and more secure way is that you just enter the URL in the command field.
     
  11. francoisPE

    francoisPE Member HowtoForge Supporter

    I had a log : "Could not open input file:", that helps me to find out that thread
    https://www.howtoforge.com/communit...ron-jobs-not-working.63208/page-3#post-305274

    I changed my code :
    Code:
    #more /etc/cron.d/ispc_chrooted_web27
    MAILTO=''
    SHELL='/usr/sbin/jk_chrootsh'
    
    */5     *       *       *       *       web27   /usr/bin/php -f /web/cron.php >>/private/cron.log 2>>/private/cron_error.log #myvhost
    
    removing /var/www/myvhost

    Now, I can run chrooted cron !
    The one above can be url, but the 2 below can't :
    /usr/bin/php -d memory_limit=512M /web/occ preview:\pre-generate
    /usr/bin/php -d memory_limit=512M /web/occ app:update --all

    thanks a lot for your help :):):)
     
  12. francoisPE

    francoisPE Member HowtoForge Supporter

    It brings few questions :
    - user became chrooted when
    a chrooted cronjob gets created ("A chroot env gets created automatically when a chrooted cronjob gets created")
    a chrooted shelluser is created
    is there other situation ?
    - My user "web27" is chrooted in jail /var/www/clients/clientx/web27 : that's clear
    - My webserver is using same user : web27... It is chrooted also ?
    If yes, can it still acces all directories in OpenBaseDir such as /tmp for example ?
    If yes, should I adapt access directories I give to my website, going to /var/www/myvhost/web/rightpath to /web/rightpath ?
    Many thanks.
    My website seems completely "destroyed" since I have chrooted user !
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    The web user does not become chrooted, what happens is that a chroot environment gets created, but this has no direct effect on the web user.
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Some of the behavior noted in #6024 could come into play here, depending on what things (eg. shell user settings) were changed when playing around with the behavior. I also thought the web# user was supposed to change to a chroot login if you add a shell user, so ssh logins as that web# would be chroot as well, but perhaps that is just related (to #6024) behavior.

    The web server does not run chroot, but you can run php-fpm chroot'd, which is where open_basedir would matter. No, you do not need to change paths in open_basedir, in my testing (some months ago) the paths were correctly rewritten. You do of course have to update all your php code and .htaccess files.
     
  15. francoisPE

    francoisPE Member HowtoForge Supporter

    @Jesse Norell and @till : Thanks a lot :)
    Now, I face timezone issue (see : https://www.howtoforge.com/community/threads/solved-timezone-database-is-corrupt.84843/)
    But, I didn't find out any solution... running jk_ini, verifying localtime symlink !
    Additionnally, my website (nextcloud + collaboraCode) is using a /proc/ outside the jail !
    My conclusion is that Nextcloud is not really compatible with a jailkit, or, if yes, I am too webi to run it in a jail ...
    So, I forgive that option and run "url" when possible and "full" cronjob in other cases, I don't create jailled shell user, etc... (and give no ssh access to anyone on that server)
    My conclusion of all that is jailkit is very complex to manage because of all possible combinations it creates ! :eek:
     

Share This Page