Plesk for Linux
kb: how-to
ABT: Group A
Applicable to:
- Plesk for Linux
Question
How to rebuild chroot template on a server with Plesk?
Answer
To rebuilt it, execute the script using the following steps:
- Connect to the server via SSH;
- Download chroot management script, unzip it and make executable:
# wget https://plesk.zendesk.com/hc/article_attachments/360023025260/update_chroot.zip
# unzip update_chroot.zip && chmod +x update_chroot.sh
- Run the script with
--rebuildoption to remove the chrooted template from all domains, create a new template and apply it:
# ./update_chroot.sh --rebuild
Note: If the type of shell access for system user of a subscription differs from
/bin/bash (chrooted), the old template will not be removed from its directory.
Comments
10 comments
Hello! I tried this method to rebuild the CHROOT that stopped working on our server (essentially /bin/bash (chrooted) connection method stopped working for all 60+ websites over SFTP). I thought this might be the ticket to fix but it didn't work. I did notice that when running through the process it said it couldn't find "bin". Could that possibly be causing my problem? I would very much appreciate any guidance you can provide! Thank you.
@Ultra Graphics could you please provide us with more details?
I'm afraid I don't know enough to provide more details. However, I can try to expand on what I found upon further investigation after Jan 12th. I ended up restoring a server backup of everything but the /var/ folder to try to bring back a working chrooted SFTP, then tried using the reinstall method again including removal, update, and apply. Then I tried switching the subsystem in sshd_config from the /usr/libexec/openssh/sftp-server to internal-sftp, restarting ssh, then switching back, then restarting again. Either all those things (or some combination of any) caused the chroot to work again.
Unfortunately, I don't know enough to know what actually fixed it, but I have an idea that it was the restored backup. After that, I tried to update plesk to 17.5.3, and got an error in the log that lead me to believe that it's the sftp-server that was causing the chroot issue (from the update log):
Trying to install sftp-server binary into chroot environment... cp: cannot stat '/usr/libexec/openssh/sftp-server\r': No such file or directory
done
/var/www/vhosts/chroot/usr/libexec/openssh/sftp-server
: cannot open (No such file or directory)
probably it will not work in chrooted accounts
Which led me down a completely different path of trying to figure out why. I'm now looking into the idea of using internal-sftp instead to see if I can get a more long-term reliable chroot for my customers, and I don't know that my issue was specifically related to the implementation of this support article. I appreciate you following up!
@Ultra Graphics
Hi!
As I can see the described symptoms are different from the article.
In case the further investigation is required, contact Plesk Technical Support.
Complex chrooted environments may broke after an update (for ex 17.8.11 Update #84 on Ubuntu 16.04). After that, chrooted users cannot log in via SSH (they are immediately disconnected by the server after a successful login). My environment was created using ONLY the script provided in this KB article (I added some executables, devices, locales, termcap) so there is a bug somewhere! For posterity, update symptoms in this article and fix the root cause.
Hi Marco Marsala,
Could you please explain if only Plesk was upgraded? Or was there a distro upgrade as well?
Just Plesk.
Hello @Marco Marsala
For further detailed investigation please submit a request to Plesk Technical Support.
Seems like the script is not compatible with Debian Buster, yet.
I had to add "application/x-pie-executable" in install_chroot_program() to prevent the warning "... is not a program", that caused files like "bash" not to be copied.
# file /usr/bin/bash
/usr/bin/bash: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=ffe165dc81a64aea2b05beda07aeda8ad71f1e7c, stripped
Hello Lars Doe,
The script is compatible with Debian 10 in general. However, there was no support for the PIE binary.
Such support has been added to the script. As of now, it should work properly for such cases.
Please sign in to leave a comment.