Jan 232010
Problems starting a jail with ezjail
Over the weekend I was setting up a few FreeBSD jails to do some regression testing for the Bacula project. I had two already configured and running from my earlier work. My goal was to create a couple more and test multiple versions of databases etc. I found I could create a jail, but not login. When I checked in via the console, I saw that the initial startup script which did the jail setup was not running. I fixed it with a simple mv command. The rest of this article outlines the symptoms and how I fixed it.The symptoms
I started the jail:# ezjail-admin start mysql51.example.org Configuring jails:. Starting jails: mysql51.example.org.Then I tried to login into them:
$ ssh -A mysql51.example.org Password: Password: Password: Received disconnect from 10.55.0.102: 2: Too many authentication failures for danThis stumped me. I knew the password.
The investigation
Why didn’t it let me in? Let me try the console:
# ezjail-admin console mysql51.example.org
Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 8.0-STABLE (PHENOM) #1: Fri Dec 18 02:04:40 EST 2009
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.
o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.
mysql51#
This dumped me right into the jail. So I got started:
mysql51# bash bash: Command not found.No bash? There should be bash. That’s one of the first things my jails install. Is my account there?
mysql51# grep dan /etc/passwd mysql51#No, no account. OK, so the jail isn’t being properly set up. What’s in messages:
mysql51 root: /etc/rc: WARNING: Ignoring old-style startup script /etc/rc.d/ezjail-config.sh mysql51 sshd[40673]: error: PAM: authentication error for illegal user dan from 10.55.0.1 mysql51 last message repeated 2 timesOld style? What’s up with that?
# ls -l /etc/rc.d/ezjail-config.sh lrwxr-xr-x 1 root wheel 15 Jan 22 16:14 /etc/rc.d/ezjail-config.sh -> /ezjail.flavour/ezjail.flavour is the startup script executed once when the jail is first run. It can do most setup that you might require. Failure to start is the cause of these problems. But why? Google to the rescue: http://www.mail-archive.com/freebsd-jail@freebsd.org/msg01080.html. In short, the file name needs to change from ezjail-config.sh to ezjail-config. More precisely, the symlink needs to be renamed.
The fix
I stopped the jail:# ezjail-admin stop mysql51.example.org Stopping jails: mysql51.example.org.I renamed the culprit file:
# cd /usr/jails/mysql51.example.org/etc/rc.d # mv ezjail-config.sh ezjail-config # cd /usr/jailsAnd I restarted the jail. This time it took a bit longer to start, which is good. That meant it was running all the startup scripts (installing packages, creating users, etc.
# ezjail-admin start mysql51.example.org Configuring jails:. Starting jails: mysql51.example.org.I was then able to connect to the jail without issue.