How to Troubleshoot Jailshell Problems on a Virtuozzo or OpenVZ VPS


Overview

This document explains common problems that occur on systems that use a jailed shell environment on a Virtuozzo or OpenVZ virtual private server (VPS).

User and mount limits

CentOS 6 and older support a maximum of only 256 jailshell users on a system that uses the Apache mod_ruid2 module. If you encounter this limit, you should consider an upgrade to a newer operating system.

Some customers have reported performance and connection issues when they attempt to mount more than 4000 targets in a Virtuozzo environment. If you encounter this limit and still require a large number of jailshelled users, you should consider a different virtualization platform.

Full /proc mount for jailed shell users

Users on a server may have a full, rather than limited, /proc mount, even though you select a limited /proc option for the Jailed /proc mount method in the System section of WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings). This issue allows jailed shell users to view the complete process list on the server.

To verify whether this problem exists on your server, perform the following steps:

  1. SSH in to the server as a jailed shell user.
  2. Run the ps axu command.

If the command returns the complete process list for the server, the user has a full /proc mount.
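The same check can be scripted so that it does not depend on reading ps output by eye. The following is an added example, not part of the original cPanel documentation: it reads the Uid: line of each /proc/PID/status file and counts the processes that belong to other users. It assumes that a limited /proc mount shows a jailed user only that user's own processes. The function names, the --live switch, and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not cPanel code): detect whether a /proc tree exposes
# processes owned by other users, which indicates a full /proc mount.

# foreign_procs PROC_ROOT MY_UID
# Prints the number of PID directories whose real UID differs from MY_UID.
foreign_procs() {
    proc_root=$1
    my_uid=$2
    count=0
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # Field 2 of the "Uid:" line is the real UID of the process.
        # A process may exit mid-scan; skip it instead of failing.
        uid=$(awk '$1 == "Uid:" { print $2; exit }' "$dir/status" 2>/dev/null) || continue
        [ -n "$uid" ] || continue
        [ "$uid" = "$my_uid" ] || count=$((count + 1))
    done
    echo "$count"
}

# proc_mount_verdict PROC_ROOT MY_UID
# Prints "own-only" when no other user's process is visible,
# otherwise "others-visible" (assumed to mean a full /proc mount).
proc_mount_verdict() {
    if [ "$(foreign_procs "$1" "$2")" -eq 0 ]; then
        echo own-only
    else
        echo others-visible
    fi
}

# make_sample_proc DIR
# Builds a constructed /proc-like tree (pid:uid pairs) for offline runs.
make_sample_proc() {
    for entry in 1:0 812:0 4021:1001 4022:1001 5100:1002; do
        pid=${entry%%:*}
        uid=${entry##*:}
        mkdir -p "$1/$pid"
        printf 'Name:\tsample\nUid:\t%s\t%s\t%s\t%s\n' \
            "$uid" "$uid" "$uid" "$uid" > "$1/$pid/status"
    done
}

# Run with --live from inside the jailed shell to test the real /proc.
if [ "${1:-}" = "--live" ]; then
    proc_mount_verdict /proc "$(id -u)"
fi
```

Run it with --live as the jailed shell user; a result of others-visible corresponds to the full process list that ps axu would show.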

This problem occurs because the clone() system call does not accept the CLONE_NEWPID flag. You must set the sys_admin capability to on for the clone() system call to handle this flag correctly.

Warning:
Parallels support does not recommend that you set the sys_admin capability to on on production servers. This setting may result in stability issues, but namespace management requires it. Namespace management in containers can lead to crashed nodes. Therefore, the related functionality is restricted in the kernel to improve stability. cPanel, L.L.C. is not responsible for problems that result from this workaround.

To set the sys_admin capability to on, run the following command:

vzctl set CTID --save --capability sys_admin:on

Unable to set uids error

The system may return the following error when users attempt to access the jailed shell environment:

Unable to set uids

This problem generally occurs due to a conflict with custom hard nproc settings in the /etc/security/limits.conf file. Custom values for these settings may also cause problems with account creation.

To resolve this issue, revert the hard nproc settings to their default values.

MySQL® connection errors

Sites may return MySQL connection errors when you enable the Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell setting in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).

This problem generally occurs due to a restriction of the loop device limit within OpenVZ.

To resolve this issue, perform the following steps to increase the loop device limit:

  1. In the /etc/grub.conf file, add max_loop=256 as a kernel parameter.
  2. Reboot the server.
  3. Run the following command:

    /sbin/MAKEDEV -v /dev/loop
  4. Repeat these steps for the VPS node and VPS container.