Jailkit: copy over ca-certificates

Discussion in 'Feature Requests' started by Hbod, Mar 21, 2017.

  1. Hbod

    Hbod Member

    When using Jailkit, wget/git commands under jail will fail due to missing ca-certificates.
    I had to copy over
    cp /etc/ssl/certs/ca-certificates.crt /var/www/clients/client1/etc/ssl/certs/
    to make HTTPS requests possible (without the use of --no-certificate-check). Could you guys consider automatically copying the CA file into jails?
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    You sure that shouldn't be /var/www/clients/client1/web1/etc/ssl/certs/? On my system (Debian jessie) the jailkit root dirs are the web*, not client*, directories. The correct way to add it to an existing jail is with jk_cp, rather than cp, though in this case the results are probably identical:
    Code:
    jk_cp -j /var/www/clients/client1/web1/ /etc/ssl/certs/ca-certificates.crt
    Leaving aside discussion of adding that to howtos or the default ISPConfig configuration, this is easy to do on your system. To include that in all new jails, edit /etc/jailkit/jk_init.ini and add that file into a section that is used by default; e.g. the [netutils] section is what adds wget, so put it in there:
    Code:
    [netutils]
    comment = several internet utilities like wget, ftp, rsync, scp, ssh
    executables = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
    regularfiles = /etc/ssl/certs/ca-certificates.crt
    includesections = netbasics, ssh, sftp, scp
    
    To update all current jails, you can script the jk_cp:
    Code:
    grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 jk_cp -j @ /etc/ssl/certs/ca-certificates.crt
    And while you're at it, add a cronjob to keep all your jails updated (note that security updates for libc, wget, curl and such aren't propagated into your jails by default - something ISPConfig definitely could/should do). Save this as /usr/local/sbin/jk_update_all (modify as needed):
    Code:
    #!/bin/bash
    
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    
    # Simple script to parse jailkit root directories from /etc/passwd
    # and run jk_update for each one.  Run periodically from cron and
    # manually after security updates.
    
    function update_jail() {
        jk_update --jail=${@} --skip=/opt | grep -v '^skip '
    }
    export -f update_jail
    
    grep /\\./home /etc/passwd | cut -d: -f6 | grep /\\./home | cut -d. -f1 | xargs -I @ -n 1 bash -c "update_jail @"
    
    Make that executable and run it from a cronjob:
    Code:
    chmod +x /usr/local/sbin/jk_update_all
    echo '24 3 * * *  root  /usr/local/sbin/jk_update_all' > /etc/cron.d/jk_update
    
     
    Last edited: Mar 23, 2017
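    An added check (not part of this thread, and not jailkit's or ISPConfig's own tooling) that audits which jails hold a stale or missing copy of the host's ca-certificates.crt, which is exactly the drift the cronjob above is meant to prevent. It parses jail roots from the passwd file like the one-liner above but splits at the "/./" marker jailkit writes rather than at the first dot, so roots containing dots elsewhere in the path are handled too; the uids and directory layout in the fixture are constructed.

```bash
#!/bin/bash
# Added example, not code from the thread: audit which jailkit jails carry a
# stale or missing copy of the host's ca-certificates.crt.  Jail roots come
# from the passwd file, split at the "/./" marker jailkit writes into the
# home field (<jailroot>/./home/<user>).

# Print one jail root per line from the given passwd file.
jail_roots() {
    awk -F: '{ i = index($6, "/./"); if (i) print substr($6, 1, i - 1) }' "$1" | sort -u
}

# Print "<state> <jailroot>" per jail: ok (identical to the host bundle),
# stale (differs from it) or missing (no copy in the jail at all).
check_ca_bundles() {
    passwd_file="$1"
    host_bundle="$2"
    jail_roots "$passwd_file" | while read -r root; do
        jail_copy="$root/etc/ssl/certs/ca-certificates.crt"
        if [ ! -f "$jail_copy" ]; then
            echo "missing $root"
        elif cmp -s "$host_bundle" "$jail_copy"; then
            echo "ok $root"
        else
            echo "stale $root"
        fi
    done
}

# Constructed fixture (paths and uids are made up) so the check can be run
# without touching the real /etc/passwd or any real jail: web1 is current,
# web2 holds an outdated bundle, web3 never received one.
make_fixture() {
    base="$1"
    mkdir -p "$base/web1/etc/ssl/certs" "$base/web2/etc/ssl/certs" "$base/web3"
    printf 'CURRENT BUNDLE\n' > "$base/host-ca-certificates.crt"
    cp "$base/host-ca-certificates.crt" "$base/web1/etc/ssl/certs/ca-certificates.crt"
    printf 'OLD BUNDLE\n' > "$base/web2/etc/ssl/certs/ca-certificates.crt"
    printf '%s\n' "root:x:0:0:root:/root:/bin/bash" \
        "web1:x:5004:5005::$base/web1/./home/web1:/usr/sbin/jk_chrootsh" \
        "web2:x:5005:5006::$base/web2/./home/web2:/usr/sbin/jk_chrootsh" \
        "web3:x:5006:5007::$base/web3/./home/web3:/usr/sbin/jk_chrootsh" \
        > "$base/passwd"
}

# Demo on the fixture; against a real host pass /etc/passwd and
# /etc/ssl/certs/ca-certificates.crt instead.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
check_ca_bundles "$demo_dir/passwd" "$demo_dir/host-ca-certificates.crt"
rm -rf "$demo_dir"
```

Any jail reported as stale or missing is one where wget/curl inside the jail either fails certificate checks or trusts a CA set the host no longer does.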
  3. Hbod

    Hbod Member

    Thank you very much for these awesome notes. Of course, you are right, I forgot /web1/ (I just wrote down the lines from memory, not a real copy from my terminal).

    I will use your stuff asap and report back my feedback. This should be added to ISPConfig (esp. the update part; I thought they were symlinked and up-to-date automatically).
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

  5. Hbod

    Hbod Member

    Dear Jesse, thank you again 1000 times. It worked perfectly. (you just need to mention that jk_update_all needs execute permission:

    chmod +x jk_update_all

    Besides that, it worked perfectly!
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    Heh, sorry, I did add that in a subsequent edit, you just opened my reply too fast. :)
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    minor update on the above update script (added PATH)
     
  8. Hbod

    Hbod Member

    @Jesse Norell I am getting a lot of errors:
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/node_modules/JSONStream
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/search
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/lib/doctor
    ERROR: failed to remove deprecated file /var/www/clients/client1/web205/usr/lib/node_modules/npm/test

    Can I ignore them?
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    I've not come across that before. A quick search finds this bug, with a patch if you want to try it. The error is the same, and apparently has to do with directories, not files, so may or may not be the exact issue you're seeing: http://savannah.nongnu.org/bugs/?48254
     
