Permissions problem starting jail



Hi,

I've just installed a new machine as a home server, and was trying to migrate over my existing jails when I ran into an error which I have not been able to solve. I am getting a permission denied error when starting the jail from ezjail-admin, and as far as I know all permissions are set correctly.

The problem happens on both newly created jails and working jails copied over from my old server, so there must be some difference on the new host or the basejail, but I have been unable to find it. I have been using the same notes and references to set up both systems.
Ezjail was installed from ports with portmaster. The basejail was created with ezjail-admin install. I have also attempted to rsync over the basejail from my old system to no effect.

I have been running FreeBSD and ezjail for a few months, but I am definitely a 'hobbyist', so it is quite possible I am missing something. I have just run out of straws to grasp. I am running 10.0-ALPHA, as was my previous install. I don't mind having to pick up the pieces from time to time, I just have too little to go on at this point.

I ran across https://elektropost.org/ezjail/msg00465.html in my Google search, but none of the suggestions in that thread seem to fix my problem. I have attempted to include all relevant information based on that thread. My apologies for the huge wall of text below.

Sincerely,

Hidde Brugmans

The problem:

atlas# zfs destroy zroot/usr/jails/testjail && rmdir testjail

atlas# ezjail-admin create -f example testjail 192.168.1.1
/usr/jails/testjail/.
/usr/jails/testjail/./etc
/usr/jails/testjail/./etc/rc.d
/usr/jails/testjail/./etc/rc.d/ezjail.flavour.example
/usr/jails/testjail/./etc/make.conf
/usr/jails/testjail/./etc/periodic.conf
/usr/jails/testjail/./etc/rc.conf
/usr/jails/testjail/./usr
/usr/jails/testjail/./usr/local
/usr/jails/testjail/./usr/local/etc
/usr/jails/testjail/./usr/local/etc/sudoers
7 blocks
find: /usr/jails/testjail/pkg/: No such file or directory
Warning: IP 192.168.1.1 not configured on a local interface.

atlas# whoami
root

atlas# ezjail-admin start testjail
/usr/local/bin/ezjail-admin: /usr/local/etc/rc.d/ezjail: Permission denied
Error: Could not start testjail.
You need to start it by hand.


The configuration:
uname -a
FreeBSD atlas 10.0-ALPHA5 FreeBSD 10.0-ALPHA5 #0 r256092: Sun Oct 6 22:30:23 UTC 2013 root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

atlas# cat /etc/rc.conf | grep ezjail
ezjail_enable="YES" # Enable ezjail

atlas# cat /etc/sysctl.conf
## /etc/sysctl.conf
## Security
security.bsd.see_other_uids=0 # Prevent visibility of other uids' processes
security.jail.allow_raw_sockets=1 # Allow raw sockets to jails
## NAT
net.inet.ip.forwarding=1 # Allow IPv4 NAT
net.inet6.ip6.forwarding=1 # Allow IPv6 NAT

atlas# cat /usr/local/etc/ezjail.conf
# ezjail.conf - Example file, see ezjail.conf(5)

# Location of jail root directories
ezjail_jaildir=/usr/jails

# Location of the tiny skeleton jail template
# ezjail_jailtemplate=${ezjail_jaildir}/newjail

# Location of the huge base jail
ezjail_jailbase=${ezjail_jaildir}/basejail

# Location of your copy of FreeBSD's source tree
# ezjail_sourcetree=/usr/src

# This is where the install sub command defaults to fetch its packages from
ezjail_ftphost=ftp.nl.freebsd.org

# This is the command that is being executed by the console subcommand
# ezjail_default_execute="/usr/bin/login -f root"

# This is the flavour used by default when setting up a new jail
# ezjail_default_flavour=""

# This is the default location where ezjail archives its jails to
# ezjail_archivedir="${ezjail_jaildir}/ezjail_archives"

# base jail will provide a soft link from /usr/bin/perl to /usr/local/bin/perl
# to accomodate all scripts using '#!/usr/bin/perl'...
ezjail_uglyperlhack="YES"

# Default options for newly created jails
#
# Note: Be VERY careful about disabling ezjail_mount_enable. Mounting
# basejail via nullfs depends on this. You will have to find other
# ways to provide your jail with essential system files
# ezjail_mount_enable="YES"
# ezjail_devfs_enable="YES"
# ezjail_devfs_ruleset="devfsrules_jail"
# ezjail_procfs_enable="YES"
# ezjail_fdescfs_enable="YES"

# ZFS options
# Setting this to YES will start to manage the basejail and newjail in ZFS
ezjail_use_zfs="YES"

# Setting this to YES will manage ALL new jails in their own zfs
ezjail_use_zfs_for_jails="YES"

# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir
ezjail_jailzfs="zroot/usr/jails"

# ADVANCED, be very careful!
# ezjail_zfs_properties="-o compression=lzjb -o atime=off"
# ezjail_zfs_jail_properties="-o dedup=on"

atlas# cat /etc/fstab.testjail
/usr/jails/basejail /usr/jails/testjail/basejail nullfs ro 0 0

Permissions:

atlas# ls -l /usr/jails | grep jail
drwxr-xr-x 8 root wheel 8 Oct 14 09:52 jails

atlas# ls -l /usr/jails/*
drwxr-xr-x 9 root wheel 9 Oct 14 09:22 basejail
drwxr-xr-x 4 root wheel 4 Oct 14 09:25 flavours
drwxr-xr-x 12 root wheel 20 Oct 14 09:27 newjail
drwxr-xr-x 12 root wheel 20 Oct 14 09:27 testjail

atlas# ls -l basejail/ | grep usr
drwxr-xr-x 11 root wheel 11 Oct 6 02:26 usr

atlas# ls -l basejail/usr
total 150
drwxr-xr-x 2 root wheel 493 Oct 6 02:26 bin
drwxr-xr-x 55 root wheel 313 Oct 6 02:26 include
drwxr-xr-x 8 root wheel 581 Oct 6 02:26 lib
drwxr-xr-x 5 root wheel 596 Oct 6 02:26 lib32
drwxr-xr-x 6 root wheel 6 Oct 6 02:26 libdata
drwxr-xr-x 7 root wheel 66 Oct 6 02:26 libexec
drwxr-xr-x 2 root wheel 279 Oct 6 02:26 sbin
drwxr-xr-x 33 root wheel 33 Oct 6 02:26 share
drwxr-xr-x 2 root wheel 2 Oct 6 02:26 src

atlas# ls -l testjail/ |grep usr
lrwxr-xr-x 1 root wheel 11 Sep 29 04:59 sys -> usr/src/sys
drwxr-xr-x 7 root wheel 16 Oct 6 23:25 usr

atlas# ls -l testjail/usr |grep local
drwxr-xr-x 3 root wheel 3 Oct 14 09:52 local

Filesystems:
mount | grep jail
zroot/usr/jails on /usr/jails (zfs, local, noatime, nfsv4acls)
zroot/usr/jails/basejail on /usr/jails/basejail (zfs, local, noatime, nfsv4acls)
zroot/usr/jails/newjail on /usr/jails/newjail (zfs, local, noatime, nfsv4acls)
zroot/usr/jails/flavours on /usr/jails/flavours (zfs, local, noatime, nfsv4acls)
zroot/usr/jails/testjail on /usr/jails/testjail (zfs, local, noatime, nfsv4acls)