This article talks about the errors that you might face if you have a system that uses a jailed shell environment on OpenVZ or Virtuozzo virtual private server.
CentOS 6 and older supports only 256 jailshell users maximum on a system where the Apache mod_ruid2 module is used. Once reaching the limit, one should upgrade to a newer operating system. Reports of performances and connection issues have mount more than 4000 targets in a Virtuozzo environment. In case one encounters this limit and still has a requirement of large number of jailshelled users, one should consider a different virtualization platform.
You can set the Jailed /proc mount method under System in the Tweak Settings interface of WHM. Locate the option at WHM > Home > Server Configuration > Tweak Settings. Although the /proc option might be limited, the server users might have a full /proc mount. This error provides the jail shell users the ability to access the total process list present on the server.
You can check whether your server has the save problem. Run the following steps:
If you find that you can access the total process list using this command, it means that the user is using a full /proc mount.
This happens because the CLONE_NEWPID flag wasn’t accepted by the clone() system call. To enable the clone() system call to properly handle the flag, the sys_admin capability must be set to on.
You should not activate the sys_admin capability on production servers. You may face issues regarding stability with this setting, but it is required by namespace management. Namespace management within containers might result in crashed nodes. To improve stability, the related functions are limited in the kernel. cPanel, Inc will not take any responsibility for the problems that might arise because of this workaround.
You can activate the sys_admin capability using the following command:
vzctl set CTID –save –capability sys_admin:on
The system might display some errors when a user tries to gain access to the jailed shell environment:
|Unable to set uids|
This error arises as a result of a conflict with custom hard nproc settings found in the /etc/security/limits.conf file. You might also face some problems during account creation because of the custom values for these settings.
Reset the hard nproc settings to their original values to resolve this error.
If you activate the Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell setting in the Tweak Settings interface found in WHM, you will face MySQL connection errors.
The following steps will extend the loop device limit and solve this error:
|/sbin/MAKEDEV -v /dev/loop|
These steps mentioned above tell you how to deal with errors while using a jailed shell environment.