chroot pre/post requisites
Wed 05 February 2014
The chroot command is quite simple, but I almost always forget the prerequisites and the post-chroot checks that are needed to get a fully operational chrooted environment.
The chroot operation consists in changing the apparent root of the filesystem for a process and its children. Chrooted environments are useful mainly for two purposes: repairing a system that no longer boots, and jailing an application.
For maintenance operations, you typically boot on a live medium (live-USB, live-CD, ...) and then chroot into the usual root filesystem of your computer's OS. You do this when you cannot boot your normal OS.
You must boot from a working Linux and take care of the kernel architecture (amd64, i386, ...): the running kernel must be able to execute the binaries of the chrooted system. An amd64 kernel can run an i386 chroot, but an i386 kernel cannot run an amd64 one. You also need to be root (the superuser).
Also take note of your partition layout (mount, /etc/mtab and /etc/fstab are your friends). Don't worry about the lines for the pseudo-filesystems /dev, /proc and /sys in the output of mount: they look ugly, but that is normal.
The recipe looks like:
- prepare the chrooted root filesystem:

  - create the directory that will contain the new root
  - mount the root partition on it (`man mount <http://linux.die.net/man/8/mount>`__)
  - mount the partitions that belong inside the future root (e.g. a future /home); note that a partition can be mounted at several places at once
  - check the mount options and correct them if necessary (`mount -o remount <http://linux.die.net/man/8/mount>`__), e.g. a partition mounted read-only

- mount the pseudo filesystems (it is easier if you first change directory to the future root):

  - procfs: mount -t proc proc proc/
  - sysfs: mount -t sysfs sys sys/
  - /dev: mount -o bind /dev dev/
  - /dev/pts: mount -t devpts devpts dev/pts/

- `chroot <newroot> <http://linux.die.net/man/1/chroot>`__
- do your maintenance work (mkinitramfs or update-initramfs, grub-install, update-grub, ...)
Check that the needed commands work inside the chroot. If they fail with "cannot execute binary file" or "Exec format error", you have an architecture problem: the running kernel cannot execute the chroot's binaries. Otherwise check that the pseudo-filesystems are mounted: grub-install, mkinitramfs and anything that talks to the kernel or to udev need /dev, /proc and/or /sys, while simple operations such as editing configuration files or changing a password work without them.
Exit the chrooted environment properly: leave the shell with exit, then unmount in the reverse order (dev/pts, dev, sys, proc, then the data and root partitions). It is also fine to simply (soft-)reboot without unmounting by hand.
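As an added example (not the article's own code), here is a small POSIX shell script that performs the pre-chroot checks described above for the maintenance case: it reads the ELF header of a binary in the future root to decide whether the running kernel can execute it, mounts whichever of the four pseudo filesystems is missing, and confirms from the mount table that they are all present before calling chroot. The mount point /mnt/target in the usage comment, the choice of /bin/sh as the probe binary and /bin/bash as the shell to start are assumptions.

```shell
#!/bin/sh
# Added example for the maintenance chroot: pre-chroot checks and pseudo-filesystem mounts.
# Not the article's code. Assumes the target root partition is already mounted at the
# directory given as $1 (e.g. /mnt/target) and that the script runs as root on a live medium.

# Print the ELF class of a binary (32 or 64) from byte 4 (EI_CLASS) of its header.
elf_class() {
    case "$(od -An -tx1 -j 4 -N 1 "$1" | tr -d ' ')" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo unknown ;;
    esac
}

# Print e_machine (header bytes 18-19, little-endian) as four hex digits, e.g. 003e for amd64.
elf_machine() {
    set -- $(od -An -tx1 -j 18 -N 2 "$1")
    printf '%s%s\n' "$2" "$1"
}

# Can a kernel whose `uname -m` is $1 execute the ELF file $2?
# A 64-bit kernel built with compat support runs the matching 32-bit binaries
# (amd64 -> i386, arm64 -> arm); the reverse never works, which is the
# "architecture problem" the article warns about.
kernel_can_run() {
    case "$1:$(elf_machine "$2")" in
        x86_64:003e|x86_64:0003)   return 0 ;;
        i?86:0003)                 return 0 ;;
        aarch64:00b7|aarch64:0028) return 0 ;;
        arm*:0028)                 return 0 ;;
        *)                         return 1 ;;
    esac
}

# List the pseudo filesystems not mounted under the root $1, reading the mount table $2
# (default /proc/self/mounts). Prints each missing mount point; exit status 1 if any is missing.
pseudo_fs_missing() {
    root=${1%/}; table=${2:-/proc/self/mounts}; rc=0
    for d in proc sys dev dev/pts; do
        if ! awk -v mp="$root/$d" '$2 == mp { found = 1 } END { exit !found }' "$table"; then
            echo "$root/$d"; rc=1
        fi
    done
    return $rc
}

# Mount whatever pseudo_fs_missing reports, in the order proc, sys, dev, dev/pts
# (dev must be mounted before dev/pts can be mounted inside it). Needs root.
mount_pseudo_fs() {
    for mp in $(pseudo_fs_missing "$1"); do
        case "$mp" in
            */dev/pts) mount -t devpts devpts "$mp" ;;
            */dev)     mount -o bind /dev "$mp" ;;
            */proc)    mount -t proc proc "$mp" ;;
            */sys)     mount -t sysfs sysfs "$mp" ;;
        esac
    done
}

# Usage, as root on the live medium: ./prechroot.sh /mnt/target
if [ $# -eq 1 ] && [ "$(id -u)" = 0 ]; then
    root=${1%/}
    kernel_can_run "$(uname -m)" "$root/bin/sh" ||
        { echo "kernel $(uname -m) cannot run $root/bin/sh" >&2; exit 1; }
    mount_pseudo_fs "$root"
    if pseudo_fs_missing "$root"; then
        exec chroot "$root" /bin/bash
    else
        echo "pseudo filesystems still missing, not chrooting" >&2; exit 1
    fi
fi
```

The architecture check reads the header with od rather than relying on file or readelf, because a minimal live medium may not ship either. pseudo_fs_missing reads /proc/self/mounts by default and accepts another mount table as its second argument, which is handy for checking a table copied from a broken system.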
For the jail, the goal is to present a limited filesystem to an application so that it cannot reach the essential OS files: you define a filesystem tree in which the application will be confined. The recipe is the following:
- create the chroot directory
- copy all needed files into it:

  - create the needed (empty) directories (/dev, /etc, /lib, /usr/sbin, /var/run)
  - copy the application-specific config files (usually under /etc/ or /usr/local/etc/)
  - copy the needed binaries (e.g. /usr/sbin/httpd) together with the shared libraries they link against (ldd lists them)
  - copy the data directory (e.g. /var/www)
  - special files (e.g. /dev/null) cannot be copied: create them with `mknod <http://linux.die.net/man/1/mknod>`__ (mknod -m 666 dev/null c 1 3)

- launch the command in the newly created chroot (chroot <new_root> <command>).
Note that some applications (such as proftpd) chroot themselves as part of dropping their privileges; in that case there is no need to copy files and chroot by hand. Also keep in mind that chroot alone is not a security boundary against a privileged process: a process that is still root inside the jail can break out of it, so the jailed application must drop its privileges to an unprivileged user, and the jail should contain no setuid binaries and no device nodes beyond the ones it really needs.
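As an added example (not the article's code), here is a POSIX shell script that builds the jail described above for one program. Besides the binary itself, it copies the shared libraries that ldd reports, which is the part most hand-built jails forget, creates /dev/null with mknod when running as root, and checks that nothing is missing before chrooting. The jail path /srv/jail and the program /usr/sbin/httpd in the usage comment are assumptions; a statically linked program simply yields no libraries to copy.

```shell
#!/bin/sh
# Added example: build a minimal chroot jail for one program. Not the article's own code.
# Assumed layout: the jail directory is $1, the program to confine is $2 (an absolute path
# on the host, kept at the same path inside the jail).

# Print the shared libraries (absolute paths) a dynamically linked binary needs, one per line.
# Never run ldd on an untrusted binary: some dynamic loaders execute the program to get this list.
# A statically linked binary makes ldd print "not a dynamic executable", i.e. nothing to copy.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one host file into the jail at the same path, preserving its mode bits.
install_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Populate the jail with the skeleton directories, the program and everything ldd says it needs.
populate_jail() {
    jail=$1; prog=$2
    mkdir -p "$jail/dev" "$jail/etc" "$jail/lib" "$jail/usr/sbin" "$jail/var/run"
    install_into_jail "$jail" "$prog"
    for lib in $(needed_libs "$prog"); do
        install_into_jail "$jail" "$lib"
    done
    # Special files cannot be copied with cp; mknod needs root, so skip it otherwise.
    if [ "$(id -u)" = 0 ] && [ ! -e "$jail/dev/null" ]; then
        mknod -m 666 "$jail/dev/null" c 1 3
    fi
}

# Report what the jail still lacks for $2: prints each missing path, exit status 0 when complete.
jail_missing() {
    jail=$1; prog=$2; rc=0
    for f in "$prog" $(needed_libs "$prog"); do
        [ -e "$jail$f" ] || { echo "$f"; rc=1; }
    done
    return $rc
}

# Usage, as root: ./mkjail.sh /srv/jail /usr/sbin/httpd
# (the application's own config and data directories still have to be copied by hand)
if [ $# -eq 2 ]; then
    populate_jail "$1" "$2"
    if jail_missing "$1" "$2" && [ "$(id -u)" = 0 ]; then
        exec chroot "$1" "$2"
    fi
fi
```

Run populate_jail as an unprivileged user first to see the tree it produces; only the mknod and the final chroot need root. The check in jail_missing is the same test the article asks for after a maintenance chroot, applied to the jail: if the program does not start inside the chroot, the first thing to verify is that every path this function prints exists.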