I have seen quite some postings indicating errors when issuing a
squid -k reconfigure or squid -k rotate from within a chroot jail.
I am running squid V2.7 Stable 2 in a chroot jail: /chroot/squid as
user.group = squid.squid This is configured as such in the config file.
In the chroot jail i have a Squid and a SquidGuard directory (containing
the respective installs) besides the jail ./etc, ./lib and ./dev dirs.
The first error i encountered was when doing a squid -k rotate.
This should rotate the log files. The following error was seen:
"FATAL: Unable to open configuration file:
/chroot/squid/Squid/etc/squid.conf: (2) No such file or directory"
After this squid exits and if you are lucky then starts automagically.
It might also crash your system completely.
The reason in my case for this was that the config file is read as root.root
at start time from outside the chroot jail i.e.
/chroot/squid/Squid/etc/squid.conf
However, when rotating, squid runs as squid.squid and inside the jail:
/chroot/squid. When it restarts now it looks for the file using the full path
in the chroot jail i.e. it looks for:
/chroot/squid/chroot/squid/Squid/etc/squid.conf.
And this file does not exist there !
Note that restarting automagically (from scratch) works fine as you
run root.root
from outside the jail again !
This is easily solved by creating the dirs ./chroot/squid/ again within the
/chroot/squid jail and placing there again a link to the Squid directory:
i.e. in Chroot jail /chroot/squid/:
-) Mkdir ./chroot/squid ; i.e. we make a directory /chroot/squid/chroot/squid
-) Cd ./chroot/squid/
-) Ln -s ../../Squid ./Squid ; i.e. this is looping back to the entry point
just after the original chroot jail.
This becomes the new entry point when restarting after a rotation.
Make also sure the permissions are OK for both root and squid: i used root.squid
Note that this is safe to do so as we are staying within the chroot jail.
This solved the rotate problem but next the following error was seen:
"FATAL: getgrnam failed to find groupid for effective group 'squid'"
Now this is an easy one: using strace i found that it is due to the
fact that squid
cannot retrieve groupid info within the chroot jail. This is easily
solved by creating
a passwd and group (or shadow versions) within the jail i.e.
/chroot/squid/etc/passwd
and /chroot/squid/etc/group. In my case i took a copy from the normal
passwd and group
file and stripped everything away just leaving the squid user and group in it.
Note that you might need also a copy of the /etc/services into
/chroot/squid/etc/services
After these changes everything works fine.
Hope it is useful for you !
Rudi Vankemmel
Received on Fri Nov 14 2008 - 15:41:46 MST
This archive was generated by hypermail 2.2.0 : Tue Nov 18 2008 - 12:00:03 MST