BuycPanel Blog


Troubleshooting Jailshell Problems on a Virtuozzo or OpenVZ VPS

Posted by Allura on 02 08 2018.

A Brief Introduction

This article covers the errors that you might encounter on a system that uses a jailed shell environment on an OpenVZ or Virtuozzo virtual private server.

Full /proc mount for jailed shell users

You set the Jailed /proc mount method in the System section of WHM's Tweak Settings interface (WHM > Home > Server Configuration > Tweak Settings). Even when this option is set to a limited /proc mount, users on the server might still have a full /proc mount. This problem lets jailed shell users see the complete process list of the server.

You can check whether your server has the same problem with the following steps:

  1. SSH into the server as a jailed shell user.
  2. Execute the ps axu command.

If you find that you can access the total process list using this command, it means that the user is using a full /proc mount.
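
The check above can be scripted. The following shell functions are an added example, not part of the original article or of cPanel's tooling: they read ps axu output and report whether processes owned by other accounts are visible. The account names and sample listings are constructed, and treating any row owned by another account as evidence of a full /proc mount is an assumption of this example.

```shell
#!/bin/sh
# Added example: decide from `ps axu` output whether a jailed shell user
# can see processes that belong to other accounts.
# Assumption: any process row owned by someone other than the jailed user
# is treated as evidence of a full /proc mount.

# foreign_owners USER: reads `ps axu` output on stdin and prints
# "owner count" for every owner other than USER, sorted by owner name.
foreign_owners() {
    awk -v me="$1" '
        NR == 1 && $1 == "USER" { next }   # skip the header row
        NF == 0 { next }                   # skip blank lines
        $1 != me { seen[$1]++ }            # count rows owned by others
        END { for (u in seen) print u, seen[u] }
    ' | sort
}

# proc_mount_verdict USER: reads `ps axu` output on stdin and prints
# "full" when foreign processes are visible, "limited" otherwise.
proc_mount_verdict() {
    if [ -n "$(foreign_owners "$1")" ]; then
        echo full
    else
        echo limited
    fi
}

# Constructed sample: what jailed user "alice" sees with a full /proc mount.
SAMPLE_FULL='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19232  1512 ?        Ss   Aug01   0:02 init
mysql      812  0.3  4.2 901244 43012 ?        Sl   Aug01  12:41 /usr/sbin/mysqld
bob       4410  0.0  0.2  11492  2104 pts/1    Ss   09:12   0:00 jailshell
alice     4522  0.0  0.2  11492  2100 pts/2    Ss   09:30   0:00 jailshell
alice     4530  0.0  0.1  13376  1044 pts/2    R+   09:31   0:00 ps axu'

# Constructed sample: the same user with a limited /proc mount.
SAMPLE_LIMITED='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
alice        1  0.0  0.2  11492  2100 pts/2    Ss   09:30   0:00 jailshell
alice        9  0.0  0.1  13376  1044 pts/2    R+   09:31   0:00 ps axu'

# Live use inside the jailed session:
#   ps axu | proc_mount_verdict "$(id -un)"
```

The output of foreign_owners lists which accounts' processes are exposed, which is useful evidence when reporting the problem to the VPS provider.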

This happens because the CLONE_NEWPID flag wasn’t accepted by the clone() system call. To enable the clone() system call to properly handle the flag, the sys_admin capability must be set to on.

Caution:

You should not activate the sys_admin capability on production servers. This setting can cause stability issues, but namespace management requires it. Namespace management within containers might result in crashed nodes. To improve stability, the related functions are limited in the kernel. cPanel, Inc. will not take any responsibility for problems that arise from this workaround.

You can activate the sys_admin capability using the following command:

vzctl set CTID --save --capability sys_admin:on

Unable to set uids error

The system might display the following error when a user tries to access the jailed shell environment:

Unable to set uids

This error arises as a result of a conflict with custom hard nproc settings found in the /etc/security/limits.conf file. You might also face some problems during account creation because of the custom values for these settings.

Reset the hard nproc settings to their original values to resolve this error.

MySQL® connection errors

If you enable the Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell setting in WHM's Tweak Settings interface, you will encounter MySQL connection errors.

The following steps will extend the loop device limit and solve this error:

  1. Enter max_loop=256 as a kernel parameter in the /etc/grub.conf file.
  2. Reboot your server.
  3. Run this command:
     /sbin/MAKEDEV -v /dev/loop
  4. Do the same for the VPS container and VPS node.

Conclusion

The steps above show how to deal with the errors that you might encounter when using a jailed shell environment.