Jailkit: copy over ca-certificates

Discussion in 'Feature Requests' started by Hbod, Mar 21, 2017.

  1. Hbod

    Hbod Member

    When using Jailkit, wget/git commands under jail will fail due to missing ca-certificates.
    I had to copy over
    cp /etc/ssl/certs/ca-certificates.crt /var/www/clients/client1/etc/ssl/certs/
    to make HTTPS Request possible (without the use of --no-certificate-check). Could you guys consider automatically copying over the ca-file inside jails?
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    You sure that shouldn't be /var/www/clients/client1/web1/etc/ssl/certs/? On my system (debian jessie) the jailkit root dirs are the web*, not client*, directories. The correct way to add it to an existing jail is with jk_cp, rather than cp, though in this case the results are probably identical:
    Code:
    jk_cp -j /var/www/clients/client1/web1/ /etc/ssl/certs/ca-certificates.crt
Leaving aside discussion of adding that to howtos or default ispconfig configuration, this is easy to do on your system. To include that in all new jails, edit /etc/jailkit/jk_init.ini and add that file into a section that is used by default; e.g. the [netutils] section is what adds wget, so put it in there:
    Code:
    [netutils]
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    regularfiles = /etc/ssl/certs/ca-certificates.crt
    includesections = netbasics, ssh, sftp, scp
    
    To update all current jails, you can script the jk_cp:
    Code:
    grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 jk_cp -j @ /etc/ssl/certs/ca-certificates.crt
And while you're at it, add a cronjob to keep all your jails updated (note that security updates for libc, wget, curl and such aren't propagated into your jails by default - something ispconfig definitely could/should do). Save this as /usr/local/sbin/jk_update_all (modify as needed):
    Code:
    #!/bin/bash
    
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    # Simple script to parse jailkit root directories from /etc/passwd
    # and run jk_update for each one.  Run periodically from cron and
    # manually after security updates.
    
    function update_jail() {
        # jail root is passed as the single argument; quote it so paths with spaces survive
        jk_update --jail="$1" --skip=/opt | grep -v '^skip '
    }
    export -f update_jail
    
    grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 bash -c "update_jail @"
    
    Make that executable and run it from a cronjob:
    Code:
    chmod +x /usr/local/sbin/jk_update_all
    echo '24 3 * * *  root  /usr/local/sbin/jk_update_all' > /etc/cron.d/jk_update
    
     
    Last edited: Mar 23, 2017
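The jail enumeration in the posts above splits the passwd home field at the first dot, which works for ISPConfig's web* directories but not for jail roots whose path contains a dot. The script below is an added example, not code from this thread or from jailkit/ISPConfig: it splits on jailkit's `/./` marker instead, deduplicates jails that have several shell users, and adds a check that each jail's CA bundle is still byte-identical to the host's (a bundle that was copied once and never refreshed keeps trusting roots the host has since dropped). The function names, the `HOST_CA` default and the sample passwd lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from this thread or from jailkit/ISPConfig): enumerate
# jailkit chroots from a passwd file and check each jail's CA bundle against
# the host's.  Function names and the sample passwd lines are constructed.
set -u

# Host CA bundle that jk_cp copies into the jails (Debian default path).
HOST_CA="${HOST_CA:-/etc/ssl/certs/ca-certificates.crt}"

# jail_roots FILE
#   Print each distinct jail root found in FILE (passwd format).  Jailkit
#   stores a jailed user's home as <jailroot>/./<home-inside-jail>, so the
#   chroot is everything before the "/./" marker.  Splitting on that marker
#   instead of `cut -d. -f1` keeps working when the path itself has dots.
jail_roots() {
    awk -F: '{
        i = index($6, "/./")
        if (i > 1) print substr($6, 1, i - 1)
    }' "$1" | sort -u
}

# jail_ca_status JAILROOT
#   0: jail bundle is byte-identical to the host bundle
#   1: bundle missing in the jail (wget/git/curl inside it cannot verify TLS)
#   2: bundle present but differs from the host (stale; jk_cp it again)
jail_ca_status() {
    jail_ca="$1/etc/ssl/certs/ca-certificates.crt"
    [ -f "$jail_ca" ] || return 1
    cmp -s "$HOST_CA" "$jail_ca" || return 2
    return 0
}

# report_jails FILE
#   One line per jail root: "<root> ok|missing|stale".
report_jails() {
    jail_roots "$1" | while IFS= read -r root; do
        rc=0
        jail_ca_status "$root" || rc=$?
        case $rc in
            0) state=ok ;;
            1) state=missing ;;
            *) state=stale ;;
        esac
        printf '%s %s\n' "$root" "$state"
    done
}

# Constructed passwd sample: two jails, one of them with two shell users,
# plus accounts that are not jailed at all.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
web1:x:5004:5004::/var/www/clients/client1/web1/./home/web1:/usr/sbin/jk_chrootsh
web2:x:5005:5005::/var/www/clients/client1/web2/./home/web2:/usr/sbin/jk_chrootsh
deploy:x:5006:5005::/var/www/clients/client1/web2/./home/deploy:/usr/sbin/jk_chrootsh
alice:x:1000:1000::/home/alice:/bin/bash'

# demo_roots: run jail_roots over the constructed sample.
demo_roots() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    jail_roots "$tmp"
    rm -f "$tmp"
}

demo_roots
```

On a real host, `jail_roots /etc/passwd | xargs -I @ -n 1 jk_cp -j @ /etc/ssl/certs/ca-certificates.crt` does the same job as the one-liner in the post, and `report_jails /etc/passwd` run from the same cron job as jk_update_all shows which jails have drifted from the host bundle since the last copy.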
  3. Hbod

    Hbod Member

Thank you very much for these awesome notes. Of course, you are right, I forgot /web1/ (I just wrote down the lines from my mind, not a real copy from my terminal).

I will use your stuff asap and report back my feedback. This should be added to ISPConfig (esp. the update-part, I thought they were symlinked and up-to-date automatically).
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

  5. Hbod

    Hbod Member

Dear Jesse, thank you again 1000 times. It worked perfectly. (You just need to mention that jk_update_all needs execute permission:

chmod +x jk_update_all

Besides that, it worked perfectly!)
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    Heh, sorry, I did add that in a subsequent edit, you just opened my reply too fast. :)
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    minor update on the above update script (added PATH)
     
  8. Hbod

    Hbod Member

@Jesse Norell I am getting a lot of errors:
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/node_modules/JSONStream
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/search
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/doctor
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/test

    Can I ignore them?
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    I've not come across that before. A quick search finds this bug, with a patch if you want to try it. The error is the same, and apparently has to do with directories, not files, so may or may not be the exact issue you're seeing: http://savannah.nongnu.org/bugs/?48254
     
  10. manyk

    manyk New Member

Better use the following netutils section or the https connections will fail inside the jail:
    Code:
    [netutils]
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    directories = /etc/ssl/certs/
    regularfiles = /usr/lib/ssl/certs
    includesections = netbasics, ssh, sftp, scp
    # the following line is optional - it may be removed or commented
    hardlinks = 1
    
     
  11. Jesse Norell

    Jesse Norell Well-Known Member

    ** I posted an improved version of the above jk_update_all script ** - anyone using the above (and I will assert that everyone using jailkit should be doing something similar to keep security updates flowing to their jail environments) should take note.

    I upgraded a web server OS (debian 8 -> 9), and all existing jails were broken once jk_update ran on them (there is a note in the jk_update man page that it doesn't handle things like an OS upgrade so well). There were a few changes needed in jk_init.ini for debian 9 (missing libraries/paths), but the main issue was jk_update (and jk_init) removes some files (libraries), but does not clean up symlinks pointing to them. I posted a replacement for the above jk_update_all script in the issue 2140 which does some cleanup in the jail for these dangling symlinks, and also allows completely reinitializing jails using the jailkit sections/applications specified in ispconfig.
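The dangling-symlink problem described above has a subtlety worth checking correctly: an absolute symlink target inside a jail (say `/lib/libfoo.so.1`) is resolved relative to the jail root once the chroot is entered, so a plain `find -xtype l` on the host judges the link against the host's `/lib`, not the jail's. The script below is an added example, not the replacement script Jesse posted in issue 2140 and not jailkit code: it re-roots absolute targets under the jail before testing them. Function names and the constructed mini-jail are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from this thread or from jailkit): list symlinks inside a
# jail whose targets are missing *from the jail's point of view*.  Function
# names and the sample jail layout are constructed.
set -u

# dangling_links JAILROOT
#   Print "link -> target" for every symlink under JAILROOT that does not
#   resolve inside the chroot.  An absolute target like /lib/libfoo.so.1
#   means <JAILROOT>/lib/libfoo.so.1 once the jail is entered, so it is
#   checked there; `find -xtype l` on the host would instead look at the
#   host's /lib and give the wrong answer.  Only the first hop is re-rooted;
#   a chain of absolute links is not followed further.
dangling_links() {
    jail="${1%/}"
    find "$jail" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) resolved="$jail$target" ;;
            *)  resolved="$(dirname "$link")/$target" ;;
        esac
        [ -e "$resolved" ] || printf '%s -> %s\n' "$link" "$target"
    done
}

# make_sample_jail DIR
#   Build a constructed mini-jail: one library kept, one removed the way
#   jk_update removes deprecated files, with symlinks left behind for both.
make_sample_jail() {
    mkdir -p "$1/lib" "$1/etc"
    : > "$1/lib/libkept.so.1"
    ln -s /lib/libkept.so.1 "$1/lib/libkept.so"      # fine inside the jail
    ln -s /lib/libgone.so.1 "$1/lib/libgone.so"      # dangling: target removed
    ln -s ../lib/libkept.so.1 "$1/etc/alias"         # fine, relative target
}

# demo_dangling: run the check over the constructed jail and print link
# names relative to the jail root.
demo_dangling() {
    d=$(mktemp -d)
    make_sample_jail "$d/jail"
    dangling_links "$d/jail" | sed "s|^$d/jail||"
    rm -rf "$d"
}

demo_dangling
```

Run `dangling_links /var/www/clients/client1/web1` after jk_update and review the list before removing anything; a link whose target jk_update dropped is safe to delete, while one pointing at a library the jail still needs indicates a jk_init.ini section that is missing a path for the new OS release.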
     