Chroot’ing Tomcat
Something that deserves more attention than it gets: running Tomcat in a chroot jail.
Update: 5/11/2006
Some notes on following the Brittain/Darwin procedure from their fine book referenced above.
The platform: SuSE 8.2
- In addition to what ldd java outputs, I needed /lib/libm.so.6 because libjvm.so needed it. I also needed /lib/libnsl.so.1.
- I had to do cd /usr/local/chroot; mkdir proc; mount --bind /proc proc. This is unsettling, but the jvm needs access to /proc to start. Otherwise you get find_vma failed when the vm attempts to start. I'm not sure this mount step is staying in my process, but for now it's there. I'd love to hear from anyone who knows of a better way to deal with this.
If you continue to have problems chrooting Tomcat, temporarily copy /usr/bin/strace into /usr/local/chroot so you can do
/usr/local/bin/jbchroot -U tomcat -- /usr/local/chroot /strace /usr/local/jdk1.5.0_06/bin/java -version > /tmp/strace.out 2>&1
Then, file by file, examine the output of
parsetrace.pl < /tmp/strace.out
where parsetrace.pl is here and looks like
#!/usr/bin/perl -w
use strict;
use Uniq; # See http://search.cpan.org/~syamal/Uniq-0.01/Uniq.pm

# Collect every path that strace saw open() fail on with ENOENT inside the chroot.
my @files;
while( <> ) {
    if( /^open\(\"(.*)\".*ENOENT/ ) {
        push @files, $1;
    }
}

# Report only the paths that exist on the host: these are the candidates to copy into the jail.
foreach my $j (uniq (sort @files) ) {
    if ( -e $j ) {
        print "$j ";
        my $r = `file $j`;
        chomp($r);
        print $r . "\n";
    }
}
The script shows you which files could not be found when running chrooted but can be found on the non-chrooted system. It's then a matter of working through the files it lists to determine which ones, being absent from the chroot, are killing the VM during startup.
Update: 5/13/2006
Here is a scripted method of creating a chroot jail, and placing Tomcat and Java in it. The only external dependencies are a binary distribution of Tomcat and a binary distribution of Java (the shell-based install, not the RPM version).
With the binary Tomcat and Java distributions in the current working directory, do
$ sh makeChroot
$ /etc/init.d/tomcat start
If you end up running the script multiple times as you tune and tweak for your system, you will first find the need to do
$ umount $chroot/proc
where $chroot is the chroot prefix.
Also included in the script are options to run with -security with or without Java security policy debugging.
One bothersome feature is the need to replicate /proc into the chroot jail. If anyone has a better way of dealing with the JVM's need for /proc, I would appreciate knowing.
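The library-collection step from the 5/11 notes (ldd output plus the libm.so.6 and libnsl.so.1 that ldd misses) and the /proc bind mount from both updates, as an added shell example that is not the page's makeChroot script; the jail and JDK paths in the usage comment are placeholders taken from the page, and the sample ldd output is constructed.

```shell
#!/bin/sh
# Added example, not the page's makeChroot script: copy a binary and the shared
# libraries it needs into a chroot jail, plus extra libraries ldd does not list,
# and bind-mount /proc for the JVM. Jail building and mounting need root.

# Constructed sample of `ldd java` output, used to exercise deps_from_ldd offline.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x40020000)
    libdl.so.2 => /lib/libdl.so.2 (0x40040000)
    libc.so.6 => /lib/libc.so.6 (0x40050000)
    /lib/ld-linux.so.2 (0x40000000)'

# Read ldd output on stdin; print one absolute library path per line, sorted.
# Handles "lib => /path (addr)" and the bare loader line "/lib/ld-linux.so.2 (addr)";
# skips vdso entries ("linux-gate.so.1 => (addr)") and "=> not found" lines.
deps_from_ldd() {
  awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
       $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# Copy one file into the jail at the same path, dereferencing symlinks so the
# jail holds the real library (libm.so.6 is usually a symlink on the host).
install_into_jail() {
  jail=$1; src=$2
  mkdir -p "$jail$(dirname "$src")"
  cp -L "$src" "$jail$src"
}

# Install a binary, its ldd dependencies, and any extra libraries given as
# further arguments (those libjvm.so loads at runtime, which ldd cannot see).
populate_jail() {
  jail=$1; bin=$2; shift 2
  install_into_jail "$jail" "$bin"
  for lib in $(ldd "$bin" | deps_from_ldd) "$@"; do
    if [ -e "$lib" ]; then install_into_jail "$jail" "$lib"; fi
  done
}

# The JVM will not start without /proc (the "find_vma failed" symptom);
# bind-mount the host /proc into the jail once, as the page does.
mount_proc_into_jail() {
  jail=$1
  mkdir -p "$jail/proc"
  grep -qs " $jail/proc " /proc/mounts || mount --bind /proc "$jail/proc"
}

# Usage (placeholder paths from the page):
#   populate_jail /usr/local/chroot /usr/local/jdk1.5.0_06/bin/java /lib/libm.so.6 /lib/libnsl.so.1
#   mount_proc_into_jail /usr/local/chroot
```

Rerunning populate_jail is safe; mount_proc_into_jail checks /proc/mounts so the bind mount is not stacked, which is the umount step the text mentions.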
I’m still learning the concepts of chrooting Tomcat. Is it possible to have Tomcat serve web applications that are physically located outside the chroot jail within which Tomcat is running?
e.g.: if Tomcat runs from /opt/chroot/tomcat, can its webapps still be located under /var/www/webapps?
rvdb
July 31, 2009 at 12:33 pm