sshd not automatically starting on jail startup - fresh TrueNAS-13.0-U4 install

estragon

Hi there,

On a TrueNAS-13.0-U4 fresh install, I've created a simple clone jail with these parameters:

Release: 13.2
Network: VNET
Vnet_default_interface: lagg1 (my main interface)
IPv4 address: 10.3.223.133
IPv4Netmask: 24
IPv4 default router: 10.3.223.1
Auto-start: yes

Once up, I went through the shell window and edited /etc/ssh/sshd_config to change "#PermitRootLogin no" to "#PermitRootLogin yes", then:

root@sshd-test:~ # echo 'sshd_enable="YES"' > /etc/rc.conf
root@sshd-test:~ # service sshd start
Generating RSA host key.
3072 SHA256:Zg4E904eXEZMX3Z80PPLwK/QSNpe6ootuYe6dfe7G3o root@sshd-test (RSA)
Generating ECDSA host key.
256 SHA256:gb+l1/tLcPN5/77xHoNhylPlbSOKeqr6GR4F/h5wSKY root@sshd-test (ECDSA)
Generating ED25519 host key.
256 SHA256:o2TX5zkukH0QNvVmWdB9niIkM0EtYr0jUNexhDBLvKU root@sshd-test (ED25519)
Performing sanity check on sshd configuration.
Starting sshd.

And every time I restart the jail I get this:

root@sshd-test:~ # sysrc sshd_enable="YES"
sshd_enable: YES -> YES
root@sshd-test:~ # service sshd status
sshd is not running.

Any ideas?
 
Code:
root@sshd-test:~ # echo 'sshd_enable="YES"' > /etc/rc.conf
You just blasted your entire rc.conf file with that command. I think you meant to use "append" with a double >> rather than a single >

Once up, I went through the shell window and edited /etc/ssh/sshd_config to change "#PermitRootLogin no" to "#PermitRootLogin yes", then:
You have to "uncomment" it for the setting to apply.

To understand the question, are you saying that if you manually try to start the sshd service it works? But restarting the jail does not automatically start the service, which still requires manually starting the service?
 

estragon

I think you meant to use "append" with a double >> rather than a single >
You are right, here is the content of rc.conf
Code:
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"
sshd_enable="YES"


"#PermitRootLogin no" to "#PermitRootLogin yes" then:

You have to "uncomment" it for the setting to apply.
You are right again
To understand the question, are you saying that if you manually try to start the sshd service it works? But restarting the jail does not automatically start the service, which still requires manually starting the service?
Absolutely, that is the behavior and the question.
 

estragon

Just because I’m an idiot, I didn’t mention in the first place that jail_zfs was enabled and jail_zfs_dataset was set in the jail configuration.

As I understand it, this caused the jail to attempt to mount all sub-datasets within the dataset upon startup. However, in my case, these sub-datasets and volumes were not mountable, as they were replicated encrypted block volumes from another TrueNAS. This resulted in an error being thrown, interrupting the startup process before it reached the startup of sshd.


To achieve the desired outcome, I followed these steps:

- create a dataset myStore/myDataset and enable jailed
root@truenas[~]# zfs create myStore/myDataset
root@truenas[~]# zfs set jailed=on myStore/myDataset

create a jail with « advanced jail creation »

"Basic Properties"
Code:
Name: myJail
Release:
Release: 13.2
IPv4 address: 10.3.223.133
IPv4Netmask: 24
Auto-start: yes

stop the jail and edit it.

« Jail Properties »
Code:
exec_poststart: zfs jail ioc-myJail store/myDataset
exec_prestop: zfs unjail ioc-myJail store/myDataset

Note: ioc-myJail can be found in jls -n when the jail is running, which is not the hostname found in jls.

start the jail
Code:
root@myJail:~ # zfs list
NAME              USED  AVAIL     REFER  MOUNTPOINT
store            3.53T   139T      120K  /mnt/store
store/myDataset    96K   139T       96K  /mnt/store/myDataset
root@myJail:~ # echo 'sshd_enable="YES"' >> /etc/rc.conf

Finally, edit /etc/ssh/sshd_config and change #PermitRootLogin no to PermitRootLogin prohibit-password

At this point I got a jail starting and stopping flawlessly with a dataset attached but not mounted.
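
The two configuration mistakes discussed in this thread (a single > truncating rc.conf, and a commented-out PermitRootLogin line having no effect), shown as an added example that is not part of the original posts. The function names are hypothetical, the sample files are constructed, and the parser assumes a plain sshd_config without Include files.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample files are constructed.

# Print the value sshd would read for keyword $2 from config file $1.
# Lines starting with '#' are ignored, keywords are case-insensitive, the
# first uncommented occurrence wins, and parsing stops at the first Match block.
effective_sshd_option() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Set name="value" in rc.conf-style file $1 and leave every other line alone:
# rewrite an existing assignment in place, otherwise append with >> (never >).
# Assumes simple values without '|', '&' or quotes; on FreeBSD use sysrc.
rc_conf_set() {
    file=$1 name=$2 value=$3
    if grep -q "^${name}=" "$file" 2>/dev/null; then
        tmp=$(mktemp) || return 1
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$tmp" &&
            cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# Demonstration on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'syslogd_flags="-c -ss"' 'sendmail_enable="NO"' > "$d/rc.conf"
    rc_conf_set "$d/rc.conf" sshd_enable YES      # appended, existing lines kept
    rc_conf_set "$d/rc.conf" sshd_enable YES      # second call adds no duplicate
    cat "$d/rc.conf"
    printf '%s\n' '#PermitRootLogin yes' > "$d/sshd_config"
    echo "commented:   $(effective_sshd_option "$d/sshd_config" PermitRootLogin)"
    printf '%s\n' 'PermitRootLogin prohibit-password' >> "$d/sshd_config"
    echo "uncommented: $(effective_sshd_option "$d/sshd_config" PermitRootLogin)"
    rm -rf "$d"
}
demo
```

On a live system, `sshd -T` prints the effective configuration, including built-in defaults for options the file leaves unset.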
 