Jan 23 2010

Problems starting a jail with ezjail

Over the weekend I was setting up a few FreeBSD jails to do some regression testing for the Bacula project. I had two already configured and running from my earlier work. My goal was to create a couple more and test multiple versions of databases etc. I found I could create a jail, but not log in. When I checked in via the console, I saw that the initial startup script which did the jail setup was not running. I fixed it with a simple mv command. The rest of this article outlines the symptoms and how I fixed it.

The symptoms

I started the jail:
# ezjail-admin start mysql51.example.org
Configuring jails:.
Starting jails: mysql51.example.org.
Then I tried to log in to them:
$ ssh -A mysql51.example.org
Received disconnect from 2: Too many authentication failures for dan
This stumped me. I knew the password.

The investigation

Why didn’t it let me in? Let me try the console:
# ezjail-admin console mysql51.example.org
Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

FreeBSD 8.0-STABLE (PHENOM) #1: Fri Dec 18 02:04:40 EST 2009

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o  Security advisories and updated errata information for all releases are
   at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
   for your release first as it's updated frequently.

o  The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
   along with the mailing lists, can be searched by going to
   http://www.FreeBSD.org/search/.  If the doc distribution has
   been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list.  If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page.  If you are not familiar with manual pages, type `man man'.

You may also use sysinstall(8) to re-enter the installation and
configuration utility.  Edit /etc/motd to change this login announcement.
This dumped me right into the jail. So I got started:
mysql51# bash
bash: Command not found.
No bash? There should be bash. That’s one of the first things my jails install. Is my account there?
mysql51# grep dan /etc/passwd
No, no account. OK, so the jail isn’t being properly set up. What’s in messages:
mysql51 root: /etc/rc: WARNING: Ignoring old-style startup script /etc/rc.d/ezjail-config.sh
mysql51 sshd[40673]: error: PAM: authentication error for illegal user dan from
mysql51 last message repeated 2 times
Old style? What’s up with that?
# ls -l /etc/rc.d/ezjail-config.sh
lrwxr-xr-x  1 root  wheel  15 Jan 22 16:14 /etc/rc.d/ezjail-config.sh -> /ezjail.flavour
/ezjail.flavour is the startup script executed once when the jail is first run. It can do most setup that you might require. Its failure to run is the cause of these problems. But why? Google to the rescue: http://www.mail-archive.com/freebsd-jail@freebsd.org/msg01080.html. In short, the file name needs to change from ezjail-config.sh to ezjail-config. More precisely, the symlink needs to be renamed.

The fix

I stopped the jail:
# ezjail-admin stop mysql51.example.org
Stopping jails: mysql51.example.org.
I renamed the culprit file:
# cd /usr/jails/mysql51.example.org/etc/rc.d
# mv ezjail-config.sh ezjail-config
# cd /usr/jails
And I restarted the jail. This time it took a bit longer to start, which is good. That meant it was running all the startup scripts (installing packages, creating users, etc.).
# ezjail-admin start mysql51.example.org
Configuring jails:.
Starting jails: mysql51.example.org.
I was then able to connect to the jail without issue.
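The same rename, generalized to every jail under a jail root, as an added example that is not part of the original post or of ezjail itself. The function names and the JAIL_ROOT variable are hypothetical; the layout (jail directories directly under a root such as /usr/jails) is the one shown above.

```shell
#!/bin/sh
# Added example: find ezjail first-boot hooks that rc(8) will ignore because
# of the ".sh" name, and rename them. Function names are hypothetical.

# Print the name of every jail under ROOT whose hook still has the old name.
list_stale_hooks() {
    root=$1
    for rcd in "$root"/*/etc/rc.d; do
        [ -d "$rcd" ] || continue
        old=$rcd/ezjail-config.sh
        # Seen from the host the link is dangling (/ezjail.flavour only
        # resolves inside the jail), so test with -L as well as -e.
        if [ -e "$old" ] || [ -L "$old" ]; then
            jail=${rcd%/etc/rc.d}
            echo "${jail##*/}"
        fi
    done
}

# Rename the hook for one jail (stop the jail first, as in the post).
# Returns 0 on rename, 1 if there is nothing to do, 2 if the new name exists.
fix_stale_hook() {
    rcd=$1/$2/etc/rc.d
    old=$rcd/ezjail-config.sh
    new=$rcd/ezjail-config
    if [ ! -e "$old" ] && [ ! -L "$old" ]; then
        return 1
    fi
    if [ -e "$new" ] || [ -L "$new" ]; then
        echo "conflict: $new already exists, not overwriting" >&2
        return 2
    fi
    mv "$old" "$new"   # mv renames the symlink itself, not its target
}

# Report only when JAIL_ROOT is set, e.g. JAIL_ROOT=/usr/jails sh this-script
if [ -n "${JAIL_ROOT:-}" ]; then
    list_stale_hooks "$JAIL_ROOT"
fi
```

A jail listed here has not run its flavour script, so it is missing whatever accounts and packages that script installs.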

The long-term fix

The long term fix is at the URL posted above. It needs to be incorporated into the port. I plan to create a patch and test tomorrow night. Ahh, after writing the above, I heard this fix is already in the ezjail repo, but not yet released. Still. I’ll see about the patch. Hmm, I’ve tested the patch. Works fine. It’s been submitted. And the port skeleton can be downloaded here