Problems starting a jail with ezjail
Over the weekend I was setting up a few FreeBSD jails to do some regression testing
for the Bacula project. I had two already configured and running from my earlier work.
My goal was to create a couple more and test multiple versions of databases etc.
I found I could create a jail, but not log in. When I checked in via the console,
I saw that the initial startup script which did the jail setup was not running.
I fixed it with a simple mv command. The rest of this article outlines the
symptoms and how I fixed it.
The symptoms
I started the jail:
# ezjail-admin start mysql51.example.org
Configuring jails:.
Starting jails: mysql51.example.org.
Then I tried to log in to them:
$ ssh -A mysql51.example.org
Password:
Password:
Password:
Received disconnect from 10.55.0.102: 2: Too many authentication failures for dan
This stumped me. I knew the password.
The investigation
Why didn’t it let me in? Let me try the console:
# ezjail-admin console mysql51.example.org
Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 8.0-STABLE (PHENOM) #1: Fri Dec 18 02:04:40 EST 2009
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o Security advisories and updated errata information for all releases are
  at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
  for your release first as it's updated frequently.
o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
  along with the mailing lists, can be searched by going to
  http://www.FreeBSD.org/search/. If the doc distribution has
  been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.
mysql51#
This dumped me right into the jail. So I got started:
mysql51# bash
bash: Command not found.
No bash? There should be bash. That’s one of the first things my jails install.
Is my account there?
mysql51# grep dan /etc/passwd
mysql51#
No, no account. OK, so the jail isn’t being properly set up. What’s in messages:
mysql51 root: /etc/rc: WARNING: Ignoring old-style startup script /etc/rc.d/ezjail-config.sh
mysql51 sshd[40673]: error: PAM: authentication error for illegal user dan from 10.55.0.1
mysql51 last message repeated 2 times
Old style? What’s up with that?
# ls -l /etc/rc.d/ezjail-config.sh
lrwxr-xr-x 1 root wheel 15 Jan 22 16:14 /etc/rc.d/ezjail-config.sh -> /ezjail.flavour
/ezjail.flavour is the startup script executed once when the jail is first run. It can do
most setup that you might require. Its failure to run is the cause of these problems. But why?
Google to the rescue: http://www.mail-archive.com/freebsd-jail@freebsd.org/msg01080.html.
In short, the file name needs to change from ezjail-config.sh to ezjail-config. More
precisely, the symlink needs to be renamed.
The fix
I stopped the jail:
# ezjail-admin stop mysql51.example.org
Stopping jails: mysql51.example.org.
I renamed the culprit file:
# cd /usr/jails/mysql51.example.org/etc/rc.d
# mv ezjail-config.sh ezjail-config
# cd /usr/jails
And I restarted the jail. This time it took a bit longer to start, which is good. That meant
it was running all the startup scripts (installing packages, creating users, etc.).
# ezjail-admin start mysql51.example.org
Configuring jails:.
Starting jails: mysql51.example.org.
I was then able to connect to the jail without issue.
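The same rename applied to every jail under one root, as an added example that is not from the original post or from the ezjail project. The function name fix_ezjail_config and its report/apply modes are assumptions made here; /usr/jails is the path used above, and each jail should be stopped before renaming, as was done above.

```shell
#!/bin/sh
# Added example (not ezjail's own code).
# A jail whose first-boot symlink is still named ezjail-config.sh never ran
# /ezjail.flavour, so its users and packages were never set up.

# fix_ezjail_config ROOT [apply]
#   report mode (default): prints "stale <jail>" for each jail needing the rename
#   apply mode:            renames the symlink and prints "renamed <jail>"
#   either mode:           prints "conflict <jail>" if ezjail-config already exists
fix_ezjail_config() {
    root=${1:-/usr/jails}
    mode=${2:-report}
    for rcd in "$root"/*/etc/rc.d; do
        [ -d "$rcd" ] || continue
        old=$rcd/ezjail-config.sh
        new=$rcd/ezjail-config
        # Only act on a symlink, which is what ezjail creates here;
        # a regular file with this name is left alone.
        [ -L "$old" ] || continue
        jail=${rcd#"$root"/}
        jail=${jail%/etc/rc.d}
        # Never overwrite an existing target (-L also catches a dangling link).
        if [ -e "$new" ] || [ -L "$new" ]; then
            echo "conflict $jail"
            continue
        fi
        if [ "$mode" = apply ]; then
            mv "$old" "$new" && echo "renamed $jail"
        else
            echo "stale $jail"
        fi
    done
}
```

Run fix_ezjail_config /usr/jails first to see which jails are affected, then repeat with apply as the second argument.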
The long-term fix
The long-term fix is at the URL posted above. It needs to be incorporated into
the port. I plan to create a patch and test tomorrow night.
Ahh, after writing the above, I heard this fix is already in the
ezjail repo, but not yet released. Still. I’ll see about the patch.
Hmm, I’ve tested the patch. Works fine. It’s been
submitted.
And the port skeleton can be
downloaded here