Differences between revisions 28 and 65 (spanning 37 versions)
Revision 28 as of 2012-10-20 21:58:26
Size: 3373
Editor: ?MartinLeben
Comment: Removed yet another space. This time fixed a broken "mount --bind"
Revision 65 as of 2020-04-21 04:13:55
Size: 6964
Editor: ?VinceMcIntyre
Comment: extra bind mounts
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: [[de/chroot|Deutsch]] - English - [[fr/Chroot|Français]] - [[it/chroot|Italiano]]  - [[es/chroot|Español]] -~
----
'''chroot''' on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children.''([[WikiPedia: en: chroot | Read more ...]])''

 
<<TableOfContents(3)>>
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: [[de/chroot|Deutsch]] - English - [[es/chroot|Español]] - [[fr/Chroot|Français]] - [[it/chroot|Italiano]]-~
----

 . '''[[WikiPedia:Chroot|chroot]]
''' on Unix-like operating systems is an operation that changes the apparent root directory for the current running process and its children.

<<TableOfContents(3)>>

----
Line 9: Line 12:
Build a "chroot" is very easy in Debian. Building a "chroot" is very easy in Debian.
Line 14: Line 17:
 aptitude install binutils debootstrap apt-get install binutils debootstrap
Line 19: Line 22:
 mkdir-p /var/chroot/etch mkdir -p /srv/chroot/stretch
Line 23: Line 26:
{{{
 debootstrap - arch i386 etch /var/chroot/etch
}}}

 * Recovery of an "image", decompression and installation of required packages

 * To enter:
{{{
  chroot /var/chroot/etch
}}}

Either select a close network mirror manually, use one of the dns based mirrors such as ftp.XX.debian.org where XX is your geographic country code, or use the deb.debian.org CDN which will do this for you automatically. The deb.debian.org is easier to document and becoming the generally preferred method and is therefore recommended if you don't have your own fast preferred local mirror. See http://deb.debian.org/ for documentation and details.
{{{
debootstrap --arch i386 stretch /srv/chroot/stretch http://deb.debian.org/debian
}}}

 * To enter (see below for configuration that may be required within the chroot):
{{{
chroot /srv/chroot/stretch
}}}

(!) A more convenient way to enter the chroot is provided by the [[Schroot|schroot]] package. This wrapper allows unprivileged users to have access to one or more chroot environments. schroot handles the chroot(2) call as well as dropping privileges inside the chroot, setting up `/etc/resolv.conf` and bind mounting resources into the chroot (like home directories, `/dev`, `/sys`, `/proc`).
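Review bot: the added debootstrap line fetches from http://deb.debian.org/debian over plain HTTP, and the new mirror paragraph does not say what protects the download. Suggest one sentence stating that debootstrap checks the signed Release file against the archive keyring installed on the host, so readers building from a non-Debian host know to install the keyring rather than reach for --no-check-gpg.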
Line 35: Line 41:
In general, it is necessary to create/edit key configuration points
In general, it is necessary to create/edit key configuration points.

Create a /usr/sbin/policy-rc.d file IN THE CHROOT so that dpkg won't start daemons unless desired. This example prevents all daemons from being started in the chroot.

{{{
chroot /srv/chroot/stretch
cat > ./usr/sbin/policy-rc.d <<EOF
#!/bin/sh
exit 101
EOF
chmod a+x ./usr/sbin/policy-rc.d
}}}

The {{{ischroot}}} command is buggy and does not detect that it is running in a chroot (DebianBug:685034). Several packages depend upon {{{ischroot}}} for determining correct behavior in a chroot and will operate incorrectly during upgrades if it is not fixed. The easiest way to fix it is to replace ischroot with the /bin/true command.

{{{
dpkg-divert --divert /usr/bin/ischroot.debianutils --rename /usr/bin/ischroot
ln -s /bin/true /usr/bin/ischroot
}}}
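Review bot: the ischroot block does not say where it is run. The policy-rc.d step just above is marked "IN THE CHROOT" and begins with "chroot /srv/chroot/stretch", but the dpkg-divert and ln -s lines carry no such marker; typed on the host they would make the host's ischroot always report a chroot. Suggest saying "inside the chroot" in the sentence before the block, and noting that the diversion stays in place until removed with "dpkg-divert --rename --remove /usr/bin/ischroot".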
Line 41: Line 66:
  /etc/passwd
  /etc/groups
}}}

 * Settings network settings
{{{
  /etc/hosts
  
/etc/resolv.conf
}}}

 * Mounts filesystems
{{{
  
/etc/fstab
}}}
/etc/passwd
/etc/group
}}}

 * Settings network settings in the chroot
{{{
/etc/hosts
/etc/resolv.conf
}}}

 * Mounts filesystems from the underlying host (NOT in the chroot)
{{{
/etc/fstab
}}}

 * To edit the bash prompt, add an identifier to /etc/debian_chroot. It's contents get added to $PS1
Line 59: Line 86:
 * Check the chrooted system the presence of /proc if the chroot is not likely to be fully operational. A priori, since version debootstrap Debian/Etch integrates natively mount /proc and /sys
{{{
 proc on /proc type proc (rw)
 sysfs on /sys sysfs kind (rw)
 * Check the chrooted system the presence of /proc if the chroot is not likely to be fully operational. A priori, since version debootstrap Debian/Wheezy integrates natively mount /proc and /sys
{{{
proc on /proc type proc (rw)
sysfs on /sys sysfs kind (rw)
Line 67: Line 94:
 * It is also advisable to do a "bind" /dev/pts. This prevents error messages like {{{Must be connected to a terminal}}} or {{{Can not access '/dev/pts/0': No such file or directory of this type}}} with using the control debpkg: screen.  * It is also advisable to do a "bind" /dev/pts. This prevents error messages like {{{Must be connected to a terminal}}} or {{{Can not access '/dev/pts/0': No such file or directory of this type}}} with using the control [[DebianPkg:screen]].
Line 71: Line 98:
 mount --bind /dev/pts /var/chroot/etch/dev/pts mount --bind /dev/pts /srv/chroot/stretch/dev/pts
Line 79: Line 106:
# cat /etc/fstab | grep chroot
/dev /var/chroot/etch/dev auto bind 0 0
/dev/pts /var/chroot/etch/dev/pts auto bind 0 0
/proc /var/chroot/etch/proc auto bind 0 0
# grep chroot /etc/fstab
/dev /srv/chroot/stretch/dev auto bind 0 0
/dev/pts /srv/chroot/stretch/dev/pts auto bind 0 0
/proc /srv/chroot/stretch/proc auto bind 0 0
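Review bot: the three bind entries in this fstab example expose the host's entire /dev and /proc inside the chroot, and nothing beside them says so. A root process in the chroot can then reach the host's block devices and process table, which matters to anyone using the chroot to confine a service. Suggest a sentence next to the example saying these binds suit build or rescue chroots, and that a chroot meant for confinement should get only the device nodes it needs.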
Line 88: Line 115:
/dev on /var/chroot/etch/dev -type none (rw, bind)
/dev/pts on /var/chroot/etch/dev/pts kind none (rw, bind)
/proc on /var/chroot/etch/proc type none (rw, bind)
/dev on /srv/chroot/stretch/dev -type none (rw, bind)
/dev/pts on /srv/chroot/stretch/dev/pts kind none (rw, bind)
/proc on /srv/chroot/stretch/proc type none (rw, bind)
Line 97: Line 124:
  aptitude install deborphan
}}}
{{{
  deborphan-a
apt-get install deborphan
}}}
{{{
deborphan -a
Line 105: Line 132:
  aptitude remove - purge telnet manpages pppconfig ipchains ... apt-get remove --purge telnet manpages pppconfig ipchains ...
Line 112: Line 139:
  sudo aptitude install emacs21 local mc apt-get install emacs23 local mc
Line 124: Line 151:
----
ToDo - Clean up from French translation.

 CategorySystemAdministration

== Copy and Paste ==

The above ready for ''copy and paste''.

First the part where we set shell variables.
{{{
export MCHRMIRROR=http://deb.debian.org/debian
export MCHRARCH=i386
export MCHRREL=buster
export MCHRDIR=/srv/chroot/${MCHRREL}-${MCHRARCH}
echo My chroot dir is ${MCHRDIR}
}}}

From here the further copy and paste stuff, preferable careful.

{{{
mkdir -p ${MCHRDIR}
# next step takes much more time
debootstrap --variant=buildd --arch=${MCHRARCH} ${MCHRREL} ${MCHRDIR} ${MCHRMIRROR}

# prevent that dpkg starts deamons in the chroot environment
cat > ${MCHRDIR}/usr/sbin/policy-rc.d <<EOF
#!/bin/sh
exit 101
EOF
chmod a+x ${MCHRDIR}/usr/sbin/policy-rc.d

# in the chroot "hard code" ischroot to true
cp ${MCHRDIR}/bin/true ${MCHRDIR}/usr/bin/ischroot

#
cp /etc/hosts ${MCHRDIR}/etc/hosts
cp /etc/resolv.conf ${MCHRDIR}/etc/resolv.conf

# that was what needs be done only once

# mount stuff, you will need more often
mount --bind /dev ${MCHRDIR}/dev
mount --bind /dev/pts ${MCHRDIR}/dev/pts
mount --bind /proc ${MCHRDIR}/proc

# you may also need (e.g. in Rescue mode of DebianInstaller)
mount --bind /sys ${MCHRDIR}/sys
mount --bind /run ${MCHRDIR}/run

# Okay
}}}

# Entering the chroot, leave it with `exit`
{{{
chroot ${MCHRDIR}
# enjoy your new environment
# apt install what you need
# do the thing you have in mind
}}}

Unmount
{{{
[ ! -z ${MCHRDIR} ] && echo my chroot dir is ${MCHRDIR}
[ ! -z ${MCHRDIR} ] && umount ${MCHRDIR}/proc
[ ! -z ${MCHRDIR} ] && umount ${MCHRDIR}/dev/pts
[ ! -z ${MCHRDIR} ] && umount ${MCHRDIR}/dev

# if you mounted these above
[ ! -z ${MCHRDIR} ] && umount ${MCHRDIR}/sys
[ ! -z ${MCHRDIR} ] && umount ${MCHRDIR}/run
}}}

----

CategorySystemAdministration | CategoryVirtualization

----

'''TODO''' - Clean up from French translation.
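Review bot: the unmount guards in the new Copy and Paste section, "[ ! -z ${MCHRDIR} ]", leave the variable unquoted. With MCHRDIR empty the test fails only because of how a two-argument test is parsed, and with a path containing a space it errors out; this guard is all that stands between a fresh shell and "umount /proc" on the host. Suggest [ -n "${MCHRDIR}" ] and quoting "${MCHRDIR}/..." throughout the section. Separately, "cp ${MCHRDIR}/bin/true ${MCHRDIR}/usr/bin/ischroot" will be overwritten by the next debianutils upgrade in the chroot, while the Configuration section uses dpkg-divert for the same job; the two should use the same method.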



  • chroot on Unix-like operating systems is an operation that changes the apparent root directory for the current running process and its children.


Basic Installation

Building a "chroot" is very easy in Debian.

You will need:

  • Install the required packages

apt-get install binutils debootstrap
  • Choose a location

mkdir -p /srv/chroot/stretch
  • Build the chroot

Either select a close network mirror manually, use one of the DNS-based mirrors such as ftp.XX.debian.org, where XX is your geographic country code, or use the deb.debian.org CDN, which will do this for you automatically. deb.debian.org is easier to document, is becoming the generally preferred method, and is therefore recommended if you don't have your own fast preferred local mirror. See http://deb.debian.org/ for documentation and details.

debootstrap --arch i386 stretch /srv/chroot/stretch http://deb.debian.org/debian
  • To enter (see below for configuration that may be required within the chroot):

chroot /srv/chroot/stretch

(!) A more convenient way to enter the chroot is provided by the schroot package. This wrapper allows unprivileged users to have access to one or more chroot environments. schroot handles the chroot(2) call as well as dropping privileges inside the chroot, setting up /etc/resolv.conf and bind mounting resources into the chroot (like home directories, /dev, /sys, /proc).

Configuration

In general, it is necessary to create/edit key configuration points.

Create a /usr/sbin/policy-rc.d file IN THE CHROOT so that dpkg won't start daemons unless desired. This example prevents all daemons from being started in the chroot.

chroot /srv/chroot/stretch
cat > ./usr/sbin/policy-rc.d <<EOF
#!/bin/sh
exit 101
EOF
chmod a+x ./usr/sbin/policy-rc.d
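
The deny-all file above covers the common case. As an added example (not part of the wiki page), the sketch below generalizes it to the "unless desired" case: it writes a policy-rc.d that allows only named services and refuses an empty or relative chroot path, which would otherwise install the file on the host. The function name write_policy_rc_d and the service name ssh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the wiki page.
# invoke-rc.d calls: policy-rc.d [options] <initscript ID> <actions> [<runlevel>]
# and reads the exit status: 0 = action allowed, 101 = forbidden by policy.

# write_policy_rc_d CHROOT_DIR [SERVICE...]   (hypothetical helper name)
# Installs CHROOT_DIR/usr/sbin/policy-rc.d allowing only the named services.
write_policy_rc_d() {
    root=${1%/}                   # "/" collapses to the empty string
    [ $# -gt 0 ] && shift
    case "$root" in
        ''|[!/]*) echo "refusing chroot dir: empty, / or relative" >&2
                  return 2 ;;
    esac
    [ -d "$root/usr/sbin" ] || { echo "$root/usr/sbin missing" >&2; return 1; }
    for svc in "$@"; do           # names end up inside the generated script
        case "$svc" in
            ''|*[!A-Za-z0-9._+-]*) echo "bad service name '$svc'" >&2; return 2 ;;
        esac
    done
    target=$root/usr/sbin/policy-rc.d
    {
        printf '#!/bin/sh\nallowed="%s"\n' "$*"
        cat <<'EOF'
id=
for arg in "$@"; do               # first non-option argument is the ID
    case "$arg" in --*) continue ;; esac
    id=$arg
    break
done
for svc in $allowed; do
    [ "$svc" = "$id" ] && exit 0  # action allowed
done
exit 101                          # action forbidden by policy
EOF
    } > "$target" && chmod a+x "$target"
}

# Usage from the host, with the page's variable: write_policy_rc_d "$MCHRDIR" ssh
```

Called with no service names it produces the same result as the deny-all file.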

The ischroot command is buggy and does not detect that it is running in a chroot (Debian bug 685034). Several packages depend upon ischroot for determining correct behavior in a chroot and will operate incorrectly during upgrades if it is not fixed. The easiest way to fix it is to replace ischroot with the /bin/true command.

dpkg-divert --divert /usr/bin/ischroot.debianutils --rename /usr/bin/ischroot
ln -s /bin/true /usr/bin/ischroot

Because the configuration of a chroot is relatively static and very specific, it may be possible to dispense with the higher-level commands and edit the files directly.

  • Users defined in the chroot

/etc/passwd
/etc/group
  • Network settings in the chroot

/etc/hosts
/etc/resolv.conf
  • Filesystem mounts, configured on the underlying host (NOT in the chroot)

/etc/fstab
  • To edit the bash prompt, add an identifier to /etc/debian_chroot. Its contents get added to $PS1

Mounting pseudo filesystems

/proc

  • Check that /proc is present in the chrooted system; without it the chroot is not likely to be fully operational. In principle, since Debian/Wheezy, debootstrap natively mounts /proc and /sys

proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)

/dev/pts

  • It is also advisable to bind mount /dev/pts. This prevents error messages like Must be connected to a terminal or Can not access '/dev/pts/0': No such file or directory of this type when using the screen package.

In this case, on the primary system, run the command:

mount --bind /dev/pts /srv/chroot/stretch/dev/pts

Default Configurations

Generally the file /etc/fstab might look like this:

# grep chroot /etc/fstab
/dev /srv/chroot/stretch/dev auto bind 0 0
/dev/pts /srv/chroot/stretch/dev/pts auto bind 0 0
/proc /srv/chroot/stretch/proc auto bind 0 0

The output of mount on the primary system would then be:

# mount | grep chroot
/dev on /srv/chroot/stretch/dev type none (rw,bind)
/dev/pts on /srv/chroot/stretch/dev/pts type none (rw,bind)
/proc on /srv/chroot/stretch/proc type none (rw,bind)

Adding / removing packages

  • Eliminate unnecessary packages (all depends on the purpose of the chroot)

apt-get install deborphan

deborphan -a
  • And for example

apt-get remove --purge telnet manpages pppconfig ipchains ...

Additional candidates: svgalibg1 whiptail

  • Add a little comfort

apt-get install emacs23 local mc

Usage

Common examples of chroot usage:

  • Recompiling an application in an environment other than that of the machine hosting the chroot (backport, cross-compiling, ...)

  • Upgrading a production service by switching over from the old service (on the host machine) to the new one (installed in the chroot)
  • Securing a "chrooted" service from the host machine (and vice versa)

Copy and Paste

The steps above, ready for copy and paste.

First the part where we set shell variables.

export MCHRMIRROR=http://deb.debian.org/debian
export MCHRARCH=i386
export MCHRREL=buster
export MCHRDIR=/srv/chroot/${MCHRREL}-${MCHRARCH}
echo My chroot dir is ${MCHRDIR}

From here on, the rest of the copy and paste steps; paste them carefully.

mkdir -p "${MCHRDIR}"
# the next step takes much more time
debootstrap --variant=buildd --arch="${MCHRARCH}" "${MCHRREL}" "${MCHRDIR}" "${MCHRMIRROR}"

# prevent dpkg from starting daemons in the chroot environment
cat > "${MCHRDIR}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
exit 101
EOF
chmod a+x "${MCHRDIR}/usr/sbin/policy-rc.d"

# in the chroot, "hard code" ischroot to true
cp "${MCHRDIR}/bin/true" "${MCHRDIR}/usr/bin/ischroot"

# copy the host's name resolution settings into the chroot
cp /etc/hosts "${MCHRDIR}/etc/hosts"
cp /etc/resolv.conf "${MCHRDIR}/etc/resolv.conf"

# everything above needs to be done only once

# the mounts, which you will need more often
mount --bind /dev "${MCHRDIR}/dev"
mount --bind /dev/pts "${MCHRDIR}/dev/pts"
mount --bind /proc "${MCHRDIR}/proc"

# you may also need (e.g. in Rescue mode of DebianInstaller)
mount --bind /sys "${MCHRDIR}/sys"
mount --bind /run "${MCHRDIR}/run"

# Okay

Entering the chroot (leave it with exit):

chroot ${MCHRDIR}
# enjoy your new environment
# apt install what you need
# do the thing you have in mind

Unmount

# each line is guarded so that an empty MCHRDIR never unmounts the host's own /proc, /dev, ...
[ -n "${MCHRDIR}" ] && echo "my chroot dir is ${MCHRDIR}"
[ -n "${MCHRDIR}" ] && umount "${MCHRDIR}/proc"
[ -n "${MCHRDIR}" ] && umount "${MCHRDIR}/dev/pts"
[ -n "${MCHRDIR}" ] && umount "${MCHRDIR}/dev"

# if you mounted these above
[ -n "${MCHRDIR}" ] && umount "${MCHRDIR}/sys"
[ -n "${MCHRDIR}" ] && umount "${MCHRDIR}/run"
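
The unmount list above has to be kept in step with whatever was mounted. As an added example (not part of the wiki page), the sketch below reads the mount table instead, unmounts everything below the chroot deepest first, and refuses an empty, "/" or relative directory. The function names, DRY_RUN and the sample table are assumptions constructed for illustration; mount points containing spaces appear escaped in the table and are not handled.

```shell
#!/bin/sh
# Added example, not part of the wiki page.

# Constructed sample in /proc/self/mounts format (not real system output).
# The "-old" tree is a look-alike prefix that must not be matched.
SAMPLE_MOUNTS='proc /proc proc rw 0 0
udev /srv/chroot/buster-i386/dev devtmpfs rw 0 0
devpts /srv/chroot/buster-i386/dev/pts devpts rw 0 0
proc /srv/chroot/buster-i386/proc proc rw 0 0
udev /srv/chroot/buster-i386-old/dev devtmpfs rw 0 0'

# Print the mount points below chroot dir $1, deepest first, from a mount
# table on stdin. Returns 2 if $1 is empty, "/", relative or contains "..".
chroot_mounts_deepest_first() {
    dir=${1%/}                       # "/" collapses to the empty string
    case "$dir" in
        ''|[!/]*|*/..|*/../*)
            echo "refusing unsafe chroot dir: '$1'" >&2
            return 2 ;;
    esac
    CHROOT_DIR="$dir" awk '
        index($2, ENVIRON["CHROOT_DIR"] "/") == 1 {
            depth = gsub("/", "/", $2)   # count the slashes in the path
            print depth, $2
        }' | LC_ALL=C sort -k1,1nr -k2,2r | cut -d" " -f2-
}

# Unmount them in that order, reading the mount table from stdin.
# DRY_RUN=1 prints the umount commands instead of running them.
teardown_chroot() {
    list=$(chroot_mounts_deepest_first "$1") || return
    while IFS= read -r mp; do
        [ -n "$mp" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "umount $mp"
        else
            umount "$mp" || return
        fi
    done <<EOF
$list
EOF
}

# Demo on the constructed table; on a real host use:
#   teardown_chroot "$MCHRDIR" < /proc/self/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | DRY_RUN=1 teardown_chroot /srv/chroot/buster-i386
```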




TODO - Clean up from French translation.