chroot & java -version not working

adilturbo · 08-29-2008, 02:57 AM

hi people,

i installed jdk1.6.0 in chroot directory (/home/me/chroot).
the command

Quote:

/home/me/chroot/usr/local/jdk1.6.0/bin/java -version

works; but when runing it using chroot command

Quote:

chroot /home/me/chroot /usr/local/jdk1.6.0/bin/java -version

id does not work.
here is the error:

Quote:

An unexpected error has been detected by Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x285b79a3, pid=1200, tid=0x28201200
#
# Java VM: Java HotSpot(TM) Client VM (1.6.0_03-p4-root_05_apr_2008_04_58-b00 mixed mode, sharing)
# Problematic frame:
#
[error occurred during error reporting, step 60, id 0xb]

......

i tried to mount the proc fs in the chroot directory like this:

Quote:

mount -t procfs /proc proc

then running the chroot command, i still get the same error.

am i missing somthing?

thanks in advance for the help.

anomie · 08-29-2008, 03:09 PM

May I ask why you're trying to chroot a java application?

adilturbo · 08-29-2008, 04:32 PM

hello,

because i want to chroot tomcat (tomcat uses java), so i put all in chrooted directory.

rocket357 · 08-29-2008, 07:26 PM

run "ldd /path/to/program" and it'll tell you what libraries the jdk depends on (perhaps you've overlooked putting a required lib in the chroot?)

If there are missing libs, you need to copy them into the same directory listed, only within the chroot. In other words, if my program depends on /path/to/some/lib.so.0, and my chroot is /home/chroot/, then I need to copy /path/to/some/lib.so.0 to /home/chroot/path/to/some/lib.so.0.

Hope this helps.

adilturbo · 08-30-2008, 08:06 AM

hi,

thanks for you reply. i tried what you said, but unfortunatly the error still persists.

anay other suggestion?

Thanks

rocket357 · 08-30-2008, 03:02 PM

What's the output of
ldd /home/me/chroot/usr/local/jdk1.6.0/bin/java

What's the output of
ls -lh `ldd /home/me/chroot/usr/local/jdk1.6.0/bin/java | cut -d'/' -f2-20 | sed -e '1,2d' -e 's@^@/home/me/chroot/@'`

adilturbo · 08-30-2008, 04:16 PM

hi,

the output of
ldd /home/me/chroot/usr/local/jdk1.6.0/bin/java is

Quote:

libthr.so.3 => /lib/libthr.so.3 (0x2808d000)
libc.so.7 => /lib/libc.so.7 (0x280a0000)

but i copied the required libs to /home/me/chroot/lib/ and the output is the same.

for the second command i coud not write the character "`" but i did this (i think is equivalent to yours):

Quote:

ldd /home/me/chroot/usr/local/jdk1.6.0/bin/java | cut -d'/' -f2-20 | sed -e '1,2d' -e 's@^@/home/me/chroot/@'| ls -lh

the output was:

Quote:

drwxr-xr-x 2 root wheel 512B Aug 30 14:24 dev
drwxr-xr-x 2 root wheel 512B Aug 30 14:25 etc
-rw-r--r-- 1 root wheel 3.7K Aug 30 14:44 hs_err_pid1886.log
-rw-r--r-- 1 root wheel 3.7K Aug 30 14:44 hs_err_pid1888.log
-rw-r--r-- 1 root wheel 3.7K Aug 30 14:54 hs_err_pid1901.log
-rw------- 1 root wheel 6.5M Aug 30 14:54 java.core
-rwxr-xr-x 1 root wheel 59M Aug 30 14:26 jdk-1.6.0.3p4.tbz
drwxr-xr-x 2 root wheel 512B Aug 30 14:54 lib
drwxr-xr-x 2 root wheel 512B Aug 30 14:42 libexec
-rw-r--r-- 1 root wheel 0B Aug 30 17:02 msg.txt
dr-xr-xr-x 1 root wheel 0B Aug 30 17:02 proc
drwxrwxrwt 2 root wheel 512B Aug 30 14:23 tmp
drwxr-xr-x 4 root wheel 512B Aug 30 14:42 usr

thanks for you effort

anomie · 08-30-2008, 09:03 PM

I don't want to torpedo the discussion, but IMO a more proper way to isolate / secure the tomcat service in this instance is using a Jail. This is FBSD, right? If so, take advantage of that fact.

adilturbo · 08-30-2008, 10:37 PM

hi

thanks for the reply; in fact i am trying to set up tomcat in jail using the chroot command. what wonders me is why the comand java -version executed with chroot does not work?

thanks

rocket357 · 08-30-2008, 11:08 PM

Quote:

Originally Posted by adilturbo

for the second command i coud not write the character "`" but i did this (i think is equivalent to yours):

No, it's not equivalent. The " ` " char is the key to the left of the '1' key. It's used for command substitution. If you do this:

echo "/bin/sh" | ls -lh

you don't get this:

-r-xr-xr-x 3 root bin 317k Aug 30 04:12 /bin/sh

rather, you get the output of "ls -lh" in whatever directory you happen to be in. Using the backtick (" ` ") is equivalent of "ls -lh `(the results of this command)`", which in this instance would do ls -lh on all of the required libs for the executable you're ldd'ing (java), only it'll list those required libs as they need to be in the chroot (because of the sed portion prepending /home/me/chroot/ to each line).

If the command java -version works outside of chroot and NOT within chroot, it stands to assume that the chroot (or something pertaining to the chroot) is the cause of the problem here.

adilturbo · 08-31-2008, 09:21 AM

really i am blocked, i can not write a backtick character with french keyborad.is there any solution to execute your command in other way

adilturbo · 08-31-2008, 04:27 PM

hi again,

here is the output of your commad assuming the chrooted directory is /usr/local/me:

Quote:

ls: (0x280a0000): No such file or directory
-r--r--r-- 1 root wheel 1.0M Feb 24 2008 /usr/local/me/lib/libc.so.7

thanks

jlliagre · 08-31-2008, 04:41 PM

I'm not sure to understand why you are unable to enter the back-tick character with your French keyboard (it's AltGr-è with mine) and I'm missing why you just don't cut and paste the command suggested to you but anyway, there is an alternative: use $(...) instead.

Eg:

Code:

ls -lh $(ldd /home/me/chroot/usr/local/jdk1.6.0/bin/java | cut -d'/' -f2-20 | sed -e '1,2d' -e 's@^@/home/me/chroot/@')

anomie · 08-31-2008, 06:17 PM

Quote:

Originally Posted by adilturbo

in fact i am trying to set up tomcat in jail using the chroot command.

A FBSD Jail is different than a chroot jail (ambiguous). Please follow the URL I pointed to if you're interested.

adilturbo · 09-01-2008, 02:02 AM

hi,

jlliagre, thanks, in fact it is exactly on è character i m dumb.

anomie, thanks for your url, it is so i,portant; in case the problem is not solved, i am trying your solution.

any other suggestion for the chroot command.

many thanks beautifull minds.