chroot pre/post requests
Wed 05 February 2014
The chroot command is quite simple, but I almost always forget the prerequisites and the post-chroot checks that are needed to get a fully operational chrooted environment.
The chroot operation consists in changing the apparent root of the whole filesystem. A chrooted environment is useful mainly for two purposes:
- maintenance
- isolation
maintenance
For maintenance operations, you typically boot from a live medium (live USB, live CD, ...) and then chroot into the usual root of your computer's OS. You do this when your normal OS cannot boot.
prerequisites
You must boot from a working Linux and make sure that the kernel architecture (amd64, i386, ...) is the SAME in both the chrooted and the non-chrooted environment. You also need to be root (the superuser).
Also take note of your partition layout (mount, /etc/mtab and /etc/fstab are some of your friends). Don't worry about the pseudo-filesystems /dev, /proc and /sys: their lines look ugly in that output, but that is normal.
chroot operation
The recipe looks like this:
- prepare your chrooted root filesystem
- create the directory that will contain the new root
- mount the partition on that directory (`man mount <http://linux.die.net/man/8/mount>`__)
- mount the partitions that will be mounted inside the future root (e.g. a future /home); note that a partition can be mounted several times
- check the mount options and correct them if necessary (`mount -o remount <http://linux.die.net/man/8/mount>`__)
- mount the pseudo-filesystems
- it is easier if you change directory to the future root first
- procfs: mount -t proc proc proc/
- sysfs: mount -t sysfs sys sys/
- /dev: mount -o bind /dev dev/
- /dev/pts: mount -t devpts devpts dev/pts/
- chroot
- `chroot <newroot> <http://linux.die.net/man/1/chroot>`__
- do your maintenance work (mkinitramfs, grub-install, update-grub, ...)
post operations
Check that the commands you need work. If they don't, you probably have an architecture mismatch. You should also check that the pseudo-filesystems are mounted: some operations cannot be done without /dev, /proc and/or /sys properly mounted, although most of the time you won't run into any problem even without them.
You should exit the chrooted environment properly. It is also fine if you simply (soft-)reboot.
isolation
In this case, the goal is to present a limited filesystem to an application, so that the application cannot access the essential OS files. In short, you define a filesystem tree in which the application will be jailed. The recipe is the following:
- create the chrooted directory
- copy all needed files into it
- create the needed (empty) directories (/dev, /etc, /lib, /usr/sbin, /var/run)
- copy the application-specific config files (usually found under /etc/ or /usr/local/etc/)
- copy the specific binaries that are needed (e.g. /usr/sbin/httpd)
- copy the data directory (e.g. /var/www)
- you may have trouble with special files (e.g. /dev/null); use `mknod <http://linux.die.net/man/1/mknod>`__ to recreate them in this case
- launch the command inside the newly created chrooted environment (chroot <new_root> <command>)
Note that some applications (such as proftpd) chroot themselves in order to drop some privileges. In that case, there is no need to copy the needed files and to chroot manually.
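The isolation recipe above as a POSIX shell script, added here as an example and not part of the original post: it creates the skeleton directories, copies a binary together with the shared libraries ldd reports for it, creates /dev/null when run as root, and checks that nothing is missing before you chroot. The jail path and the httpd binary in the usage comment are placeholders.

```sh
#!/bin/sh
# Build a minimal chroot jail for one dynamically linked binary.
# chroot only limits the filesystem view: run the jailed service as an
# unprivileged user, never as root.
set -eu

# The (empty) directories the recipe lists.
make_jail_skeleton() {
    for d in dev etc lib usr/sbin var/run; do
        mkdir -p "$1/$d"
    done
}

# Copy one file into the jail at the same absolute path it has outside.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Print the shared objects a binary needs. ldd prints "name => /path" for
# libraries and a bare "/path" line for the dynamic loader; a static
# binary (or a system without ldd) simply yields nothing.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                                $1 ~ /^\// { print $1 }' || true
}

# Copy the binary and every library it depends on.
copy_binary_with_libs() {
    copy_into_jail "$1" "$2"
    for lib in $(needed_libs "$2"); do
        copy_into_jail "$1" "$lib"
    done
}

# Post-copy check: every dependency must exist inside the jail, otherwise
# the binary will fail to start once chrooted.
jail_is_complete() {
    for f in "$2" $(needed_libs "$2"); do
        [ -e "$1$f" ] || return 1
    done
}

build_jail() {
    make_jail_skeleton "$1"
    copy_binary_with_libs "$1" "$2"
    # Special files need mknod, hence root; warn instead of aborting.
    if [ "$(id -u)" -eq 0 ] && [ ! -e "$1/dev/null" ]; then
        mknod -m 666 "$1/dev/null" c 1 3 2>/dev/null || echo "no /dev/null" >&2
    fi
    jail_is_complete "$1" "$2"
}

# Usage: sh build_jail.sh /srv/jail /usr/sbin/httpd, then chroot /srv/jail /usr/sbin/httpd
if [ $# -ge 2 ]; then build_jail "$1" "$2"; fi
```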