Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Sunday, November 6, 2011

chroot guide

Best Practices for UNIX chroot() Operations
//////////////////
Basic chroot in ubuntu
A chroot is a way of isolating applications from the rest of your computer, by putting them in a jail. This is particularly useful if you are testing an application which could potentially alter important system files, or which may be insecure.
This document explains the basic concepts surrounding the use of a chroot and provides instructions for getting a basic chroot up and running.
Basic Concepts
A chroot is basically a special directory on your computer which prevents applications, if run from inside that directory, from accessing files outside the directory. In many ways, a chroot is like installing another operating system inside your existing operating system.
Technically-speaking, chroot temporarily changes the root directory (which is normally /) to the chroot directory (for example, /var/chroot). As the root directory is the top of the filesystem hierarchy, applications are unable to access directories higher up than the root directory, and so are isolated from the rest of the system. This prevents applications inside the chroot from interfering with files elsewhere on your computer.
Note that it is possible for software from outside the chroot to access files inside the chroot.
See Wikipedia - chroot for more information.
Uses of chroots
The following are some possible uses of chroots:
  • Isolating insecure and unstable applications
  • Running 32-bit applications on 64-bit systems
  • Testing new packages before installing them on the production system
  • Running older versions of applications on more modern versions of Ubuntu
  • Building new packages, allowing careful control over the dependency packages which are installed
Creating a chroot
This section provides instructions on creating a basic chroot. For more advanced chroots, see Debootstrap Chroot.
  1. Install the dchroot and debootstrap packages.
  2. As an administrator (i.e. using sudo), create a new directory for the chroot. In this procedure, the directory /var/chroot will be used. To do this, type sudo mkdir /var/chroot into a command line.
  3. As an administrator, open /etc/schroot/schroot.conf in a text editor. Type cd /etc/schroot, followed by gksu gedit schroot.conf. This will allow you to edit the file.
  4. Add the following lines into schroot.conf and then save and close the file. Replace your_username with your username.
    • [lucid]
      description=Ubuntu Lucid
      location=/var/chroot
      priority=3
      users=your_username
      groups=sbuild
      root-groups=root
  5. Open a terminal and type:
    • sudo debootstrap --variant=buildd --arch i386 lucid /var/chroot/ http://mirror.url.com/ubuntu/
    This will create a basic 'installation' of Ubuntu 10.04 (Lucid Lynx) in the chroot. It may take a while for the packages to be downloaded.
    Note: You can replace lucid with the Ubuntu version of your choice.
    Note: You must change the above mirror.url.com with the URL of a valid archive mirror local to you.
  6. A basic chroot should now have been created. Type sudo chroot /var/chroot to change to a root shell inside the chroot.
Setting-up the chroot
There are some basic steps you can take to set-up the chroot, providing facilities such as DNS resolution and access to /proc.
Note: Type these commands in a shell which is outside the chroot.
  1. Type the following to mount the /proc filesystem in the chroot (required for managing processes):
    • sudo mount -o bind /proc /var/chroot/proc
  2. Type the following to allow DNS resolution from within the chroot (required for Internet access):
    • sudo cp /etc/resolv.conf /var/chroot/etc/resolv.conf
Very few packages are installed by default in a chroot (even sudo isn't installed). Use apt-get install package_name to install packages.
See Debootstrap Chroot and Installing Mandriva Linux in a Chroot for more advanced set-up instructions.
Accessing graphical applications inside the chroot
You can run graphical applications within a chroot, but you need to provide an X server for them to run in first. The easiest way to do this is to set the display of the chroot system to be identical to the root display of your system's main X server.
In other words, in the chroot shell type
export DISPLAY=:0.0

Any X command you type will now get its own window as you're used to, but as it is running inside the chroot jail it will not be able to see your normal file system.
You don't have to enter the chroot shell to access its commands. Suppose you want to run Firefox in a chroot jail in order to avoid security problems with signed Java applets and other components which otherwise would have access to your personal files. You can do this by running the command
gksudo chroot /var/chroot firefox -DISPLAY=:0.0

This command can also be invoked from the menu, or a panel applet or desktop shortcut.
If you want the chroot to have its own display, you need to create this display with the Xnest command. Perform the following instructions outside the chroot:
  1. Install the xhost and xnest packages.
  2. Ensure that /proc is mounted and DNS resolution is set-up within the chroot (see above).
  3. Type the following into a Terminal:
    • Xnest -ac :1
    A blank Xnest window should appear.
  4. Open another Terminal and type the following to enter the chroot:
    • sudo chroot /var/chroot
  5. While in the chroot shell, type the following:
    • export DISPLAY=localhost:1
      If you have problems starting graphical applications, type the above command again, but replace localhost with 127.0.0.1
  6. Start a window manager inside the chroot. For example, install the metacity package and type:
    • metacity &
  7. Start a graphical application inside the chroot (making sure that you installed it in the chroot first). It should appear in the Xnest window.
You can install a complete Ubuntu desktop in the chroot by installing the ubuntu-desktop package. GNOME can be started from the command line by running the gnome-session command.
This section uses parts of the article Installing Mandriva Linux in a Chroot, which is distributed under the CC-BY-SA 2.5 license.
References and further information
Notes
It seems to advise installing and using schroot in lieu of dchroot would be more consistent. Additionally, (I don't have a reference at my fingertips) my memory is dchroot is being deprecated with schroot taking its place?
If there is agreement on using schroot, then in lieu of sudo chroot /var/chroot, use sudo schroot -c gutsy -d and this will still keep things basic by using schroot defaults.
In addition, by using schroot then all binds are engaged and removed automatically at chroot enter and exit. This is important to minimize accidental erasures of data. Thus, I think in a basic help page like this to warn users not to erase/delete/trash_can an entire chroot or entire chroot directories until chroot is exited (and all binds removed).
For schroot, all automatically created binds will be removed on exit and accidental erasure of entire /home (often heard about) can be minimized. (It seems either people forget or don't comprehend bi-directional nature of mount --bind.) 

No comments: