chroot prerequisites and post-chroot checks

Wed 05 February 2014


The chroot command is quite simple, but I almost always forget the prerequisite and post-chroot checks that must be done to get a fully operational chrooted environment.

The chroot operation consists in changing the apparent root of the filesystem for a process and its children. A chrooted environment is useful mainly for two purposes:

  • maintenance
  • isolation

maintenance

For a maintenance operation, you typically boot from a live medium (live USB, live CD, ...) and then chroot into the usual root filesystem of your computer's OS. This is done when you cannot boot your normal OS (typically a broken bootloader or initramfs).

prerequisites

You must boot from a working Linux and pay attention to the kernel architecture (amd64, i386, ...): the running kernel must be able to execute the binaries of the root you chroot into. Using the same architecture in both the chrooted and the non-chrooted environment is the safe choice; an amd64 kernel can run an i386 userland, but an i386 kernel cannot run amd64 binaries. You also need to be root (the superuser).

Also take note of your partition layout (mount, /etc/mtab and /etc/fstab are your friends), so that you know which partition holds the root filesystem and which ones are mounted below it. Don't worry about the pseudo-filesystems /dev, /proc and /sys in that output: those lines look ugly, but that is normal.

chroot operation

The recipe looks like:

  1. prepare your chrooted root filesystem
    • create the directory that will contain the root
    • mount the root partition on that directory (`man mount <http://linux.die.net/man/8/mount>`__)
    • mount the partitions that belong below the future root (e.g. a future /home); note that a partition can be mounted several times
    • check the mount options and correct them if necessary (`mount -o remount <http://linux.die.net/man/8/mount>`__)
  2. mount the pseudo-filesystems
    • it is easier if you change directory to the future root first
    • procfs: mount -t proc proc proc/
    • sysfs: mount -t sysfs sys sys/
    • /dev (bind mount of the live system's /dev): mount -o bind /dev dev/
    • /dev/pts: mount -t devpts devpts dev/pts/ (a plain bind mount of /dev does not bring /dev/pts along, hence the extra mount)
  3. chroot
  4. do your maintenance work (update-initramfs, grub-install, update-grub, ...)
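The recipe above as shell functions, as an added example that is not part of the original post: it mounts the pseudo-filesystems, refuses to chroot while any of them is missing (the check described under post operations below), and unmounts them in reverse order. It assumes Linux with GNU coreutils and util-linux, that the root partition is already mounted on the directory passed as TARGET (e.g. /mnt), and root privileges for everything except the two checks; the function names are mine.

```bash
#!/bin/sh
# Added example (not from the original post): the maintenance recipe as
# shell functions. Assumes Linux, GNU coreutils/util-linux, and root for
# chroot_prepare/chroot_enter/chroot_teardown. TARGET is the directory on
# which the installed root partition is already mounted.
set -u

# Byte 4 of an ELF header is the class: 1 = 32-bit, 2 = 64-bit. Comparing
# this with `uname -m` before chrooting avoids discovering an architecture
# mismatch as "Exec format error" afterwards.
elf_class() {
    cls=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$cls" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown ;;
    esac
}

# Print the pseudo-filesystems that are NOT yet mounted under TARGET by
# looking for their mount points (second field) in /proc/mounts.
chroot_missing() {
    target=$(cd "$1" && pwd -P) || return 1   # /proc/mounts lists canonical paths
    missing=""
    for mp in proc sys dev dev/pts; do
        if ! awk -v want="$target/$mp" \
                '$2 == want { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
        then
            missing="$missing $mp"
        fi
    done
    echo "${missing# }"
}

chroot_prepare() {
    target=$1
    mount -t proc   proc   "$target/proc"
    mount -t sysfs  sysfs  "$target/sys"
    mount --bind    /dev   "$target/dev"
    mount -t devpts devpts "$target/dev/pts"   # the bind mount of /dev does not include /dev/pts
    # resolv.conf is often a symlink into /run; copy the live one so name
    # resolution works inside the chroot (ignore failure if it does not exist).
    cp -L /etc/resolv.conf "$target/etc/resolv.conf" 2>/dev/null || true
}

# Only enter the chroot once every pseudo-filesystem is in place; tools such
# as update-initramfs and grub-install fail in confusing ways otherwise.
chroot_enter() {
    target=$1
    missing=$(chroot_missing "$target")
    if [ -n "$missing" ]; then
        echo "not mounted under $target: $missing" >&2
        return 1
    fi
    chroot "$target" /bin/bash
}

chroot_teardown() {
    target=$1
    for mp in dev/pts dev sys proc; do   # reverse order of mounting
        umount "$target/$mp"
    done
}

# Usage (as root, with the root partition mounted on /mnt):
#   [ "$(elf_class /mnt/bin/sh)" = 64 ] && chroot_prepare /mnt && chroot_enter /mnt
#   chroot_teardown /mnt
```

The class check is deliberately crude (it ignores the exact machine type); it catches the common 32-bit-live-medium-on-64-bit-install mistake, which is the one that bites in practice.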

post operations

Check that the commands you need actually work. If they don't, you probably have an architecture problem (Exec format error) or a missing pseudo-filesystem: operations such as regenerating the initramfs or installing GRUB cannot be done without /dev, /proc and/or /sys mounted properly, while many simple commands work fine without them, so a missing mount does not always show up immediately. Run mount from inside the chroot to confirm that proc, sysfs, the bind mount of /dev and devpts are all present.

Exit the chrooted environment properly: leave the chroot (exit), then unmount the pseudo-filesystems in the reverse order of mounting (dev/pts, dev, sys, proc) and the data partitions before removing the live medium. It is also OK to simply (soft-)reboot, since everything is unmounted at shutdown.

isolation

In this case, the goal is to present a limited filesystem to an application, so that the application cannot access the essential files of the OS. In short, you define a filesystem tree in which the application will be jailed. Keep in mind that a chroot alone is not a security boundary for a process running as root: a root process inside the jail can create a subdirectory, chroot into it and walk back up out of the original jail, so the jailed application must drop privileges (or be started as an unprivileged user), and the jail must contain no setuid binaries and no device nodes beyond the few it needs. The recipe is the following:

  1. create the chrooted directory
  2. copy all needed files into it
    • create the needed (empty) directories (/dev, /etc, /lib, /usr/sbin, /var/run)
    • copy the application-specific config files (usually in /etc/ or /usr/local/etc/)
    • copy the needed binaries (e.g. /usr/sbin/httpd) together with the shared libraries they link against; ldd lists them, and the dynamic loader it reports must be copied as well, otherwise the binary will not even start inside the jail
    • copy the data directory (e.g. /var/www)
    • you may have trouble with special files (e.g. /dev/null): they cannot be copied, so create them with `mknod <http://linux.die.net/man/1/mknod>`__
  3. launch the command in the newly created chrooted environment (chroot <new_root> <command>).
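The isolation recipe as a script, as an added example that is not part of the original post: it resolves a binary's shared libraries with ldd, copies them into the jail at the same paths, creates the few device nodes with mknod, and starts the command as an unprivileged user so that the jail cannot be escaped through root privileges. It assumes Linux, GNU coreutils (for chroot --userspec), a `nobody` user and `nogroup` group, and root for jail_build/jail_run; the function names and the jailed commands (/bin/sh, /bin/ls) are mine.

```bash
#!/bin/sh
# Added example (not from the original post): build a minimal chroot jail
# for a few binaries and run a command inside it as an unprivileged user.
# Assumes Linux, GNU coreutils, ldd, and root for jail_build/jail_run.
set -u

# Turn ldd output into the list of library paths the binary needs. Three
# line shapes occur:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   -> path after "=>"
#   /lib64/ld-linux-x86-64.so.2 (0x...)                   -> the loader, keep it
#   linux-vdso.so.1 (0x...)                               -> kernel-provided, skip
# A "libfoo.so => not found" line has no path and is skipped as well.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Copy FILE into JAIL at the same path, following symlinks so the jail gets
# the real file rather than a link pointing outside the jail.
jail_copy() {
    jail=$1; file=$2
    mkdir -p "$jail$(dirname "$file")"
    cp -L "$file" "$jail$file"
}

# Copy a binary plus every shared library (and the loader) ldd reports.
# Note: ldd runs the binary's dynamic loader, so only use it on binaries
# you trust.
jail_add_binary() {
    jail=$1; bin=$2
    jail_copy "$jail" "$bin"
    for lib in $(ldd "$bin" | parse_ldd); do
        jail_copy "$jail" "$lib"
    done
}

jail_build() {
    jail=$1
    mkdir -p "$jail/dev" "$jail/etc" "$jail/var/run" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    # Device nodes cannot be copied; create only the harmless ones that are
    # needed (no /dev/mem, /dev/sda, ... inside the jail). Major/minor numbers
    # are the standard Linux ones for null and urandom.
    [ -e "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null" c 1 3
    [ -e "$jail/dev/urandom" ] || mknod -m 444 "$jail/dev/urandom" c 1 9
    # Minimal passwd/group so the jailed process can resolve its own uid/gid.
    grep -E '^(root|nobody):' /etc/passwd > "$jail/etc/passwd"
    grep -E '^(root|nogroup|nobody):' /etc/group > "$jail/etc/group"
    jail_add_binary "$jail" /bin/sh
    jail_add_binary "$jail" /bin/ls
}

# Run COMMAND inside the jail as nobody:nogroup. Dropping privileges is what
# makes the chroot an isolation measure: a process that stays root inside a
# chroot can break out of it.
jail_run() {
    jail=$1; shift
    chroot --userspec=nobody:nogroup "$jail" "$@"
}

# Usage (as root):
#   jail_build /srv/jail
#   jail_run /srv/jail /bin/sh -c 'id; ls /'
```

If `ls /` inside the jail shows only the handful of directories created above, the application sees nothing else; anything it still needs (a config file, a missing library reported as "No such file" or "not found") is added with jail_copy or jail_add_binary, not by loosening the jail.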

Note that some applications (such as proftpd) chroot themselves automatically in order to drop privileges. In that case there is no need to copy files or to chroot manually.


Category: how to Tagged: Chroot Linux