Prezi

Presenter Notes

chroot

  • "security" - http://it.slashdot.org/story/07/09/27/2256235/when-not-to-use-chroot (chroot is not a security boundary)
  • run 32-bit binaries on a 64-bit host
  • run statically linked executables
  • or even dynamically linked ones (if the necessary libraries are provided inside the chroot)

schroot

NAME

schroot - securely enter a chroot environment

DESCRIPTION

schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user's current working directory inside the chroot.

OVERVIEW

There is often a need to run programs in a virtualised environment rather than on the host system directly. Unlike other virtualisation systems such as kvm or Xen, schroot does not virtualise the entire system; it only virtualises the filesystem, and some parts of the filesystem may still be shared with the host. It is therefore fast, lightweight and flexible.

However, it does not virtualise other aspects of the system, such as shared memory, networking, devices etc., and so may be less secure than other systems, depending upon its intended use.

schroot

Examples

  • Running an untrusted program in a sandbox, so that it can't interfere with files on the host system; this may also be used to limit the damage a compromised service can inflict upon the host
  • Using a defined or clean environment, to guarantee the reproducibility and integrity of a given task
  • Using different versions of an operating system, or even different operating systems altogether, e.g. different GNU/Linux distributions
  • Running 32-bit programs using a 32-bit chroot on a 64-bit host system
  • Automatic building of Debian packages using sbuild(1), which builds each package in a pristine chroot snapshot when using LVM snapshots or unions
  • Supporting multiple system images in a cluster setup, where modifying the base image is time-consuming and/or supporting all the required configurations needed by users is difficult: different chroots can support all the different configurations required, and cluster users may be given access to the chroots they need (which can include root access for trusted users to maintain their own images)

Kernel is just a kernel

A Linux distribution is a kernel, some libraries, binaries, and a package manager. The kernel is the lowest level of abstraction over the hardware; everything else is fairly interchangeable. Apache running on Red Hat will make the same system calls as Apache running on Ubuntu. In theory, as long as shared library paths are managed correctly and the package managers don't trample on each other, you can have multiple distributions "running" under one kernel, no virtual machine needed.

stupid shit with /dev or /proc

Unix provides the chroot mechanism to keep all of the distribution files in order. There are some tools that build on chroot to support these virtual environments so that you don't have to do any bookkeeping or stupid shit with /dev or /proc. I am using Ubuntu as my "host" operating system, and a Debian tool called schroot to manage it all.

Installation on host

Step 1

sudo apt-get install debootstrap schroot
sudo mkdir -p /var/schroot/sandbox

Step 2 - create "VM" (the target directory must match directory= in schroot.conf)

sudo debootstrap --variant=buildd --arch amd64 lucid /var/schroot/sandbox http://archive.ubuntu.com/ubuntu/

/etc/schroot/schroot.conf

[sandbox]
directory=/var/schroot/sandbox
description=Sandbox
root-users=root,rupert
users=rupert
type=directory

Run program

schroot -c sandbox ls

Create bash session inside "container"

schroot -p --begin-session -c sandbox --session-name sandbox-session-root -u root
schroot -p --run-session -c sandbox-session-root -u root

Useful packages to install

run as root in every container

apt-get install git git-core build-essential zlib1g zlib1g-dev libssl-dev \
  openssl libxslt1-dev libxslt-dev libxml2-dev libmysqlclient-dev libpq-dev \
  curl wget libpcre3-dev libcurl4-openssl-dev libreadline6 libreadline6-dev \
  libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 autoconf automake \
  autotools-dev libtool bison libc6-dev ncurses-dev strace aptitude nmap \
  vim exuberant-ctags locales iputils-ping uuid-dev uuid-runtime \
  bash-completion adduser apt-utils procps devscripts mc openjdk-7-jdk dialog

Run services

run as root in the container session

apt-get install nginx mysql-server
/etc/init.d/mysql start; /etc/init.d/nginx start

The chroot has no init of its own and shares the host's network stack, so these start as plain processes bound to the host's ports; anything already listening on :80 or :3306 on the host collides with them (the lo:sandbox alias below exists to give the sandbox its own address).

Create session for normal user

Once (the session persists until explicitly ended)

schroot -p --begin-session -c sandbox --session-name sandbox-session

To enter the container from a console

schroot -p --run-session -c sandbox-session

To end the session

schroot --end-session -c sandbox-session

schroot configuration files

├── buildd
│   ├── config
│   ├── copyfiles
│   ├── fstab
│   └── nssdatabases
├── chroot.d
├── copyfiles-defaults -> /etc/schroot/default/copyfiles
├── default
│   ├── config
│   ├── copyfiles
│   ├── fstab
│   └── nssdatabases
├── desktop
│   ├── config
│   ├── copyfiles
│   ├── fstab
│   └── nssdatabases
├── mount-defaults -> /etc/schroot/default/fstab
├── nssdatabases-defaults -> /etc/schroot/default/nssdatabases
├── schroot.conf
├── script-defaults -> /etc/schroot/default/config
└── setup.d
    ├── 00check
    ├── 05btrfs
    ├── 05file
    ├── 05lvm
    ├── 05union
    ├── 10mount
    ├── 15killprocs
    ├── 20copyfiles
    ├── 20nssdatabases
    ├── 50chrootname
    └── 99check -> 00check

Mounting from host to VM

/etc/schroot/mount-defaults

# Note that the mount point will be prefixed by the chroot path
# (CHROOT_PATH)
#
# <file system> <mount point>   <type>  <options>   <dump>  <pass>
/proc       /proc       none    rw,bind        0       0
/sys        /sys        none    rw,bind        0       0
/dev            /dev            none    rw,bind         0       0
/dev/pts    /dev/pts    none    rw,bind     0   0
/home       /home       none    rw,bind     0   0
/home/rupert    /home/rupert    none    rw,bind     0   0
/tmp        /tmp        none    rw,bind     0   0

/home/rupert is encrypted and therefore a separate mount on the host; a plain bind mount of /home does not carry submounts with it, which is why /home/rupert is bound on its own line (and the decrypted home is then visible to everything running in the chroot).
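The two files above decide how much of a sandbox this really is: root-users in schroot.conf makes the named account root inside the chroot, and every rw,bind line in mount-defaults is host state that root can then write to. The script below is an added example, not part of the slides or of schroot: a small POSIX sh linter that reads a schroot.conf and a mount fstab and lists both. The sample config text is constructed to mirror the deck, the SENSITIVE path list and the two function names are my own choices, and root-groups (which grants root the same way) is not checked.

```shell
#!/bin/sh
# Added example, not from the slides: lint an schroot.conf and a mount
# fstab for the settings that turn the "sandbox" into host access.
# The sample files are constructed to mirror the deck's configuration.

# Host paths whose rw bind mount exposes host data or devices to chroot
# processes. /proc and /sys are left out: every chroot needs them and
# they are kernel views, not host files. Extend as needed.
SENSITIVE='/home /tmp /dev /root /etc /var'

# audit_fstab FILE
# One line per rw bind mount whose source is (under) a sensitive path.
# Mount points are relative to the chroot, hence the CHROOT_PATH prefix
# that schroot itself applies.
audit_fstab() {
    while read -r fs mp _type opts _dump _pass; do
        case "$fs" in ''|'#'*) continue ;; esac
        case ",$opts," in *,bind,*|*,rbind,*) ;; *) continue ;; esac
        case ",$opts," in *,ro,*) continue ;; esac
        for p in $SENSITIVE; do
            case "$fs" in
                "$p"|"$p"/*)
                    printf 'fstab: %s -> CHROOT_PATH%s is %s\n' "$fs" "$mp" "$opts"
                    break ;;
            esac
        done
    done < "$1"
}

# audit_conf FILE
# Walk schroot.conf stanzas and report every account other than root in
# root-users: root inside the chroot is root over every rw bind mount
# above. root-groups grants the same and is not checked here.
audit_conf() {
    file=$1; section=''
    while read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            '['*']') section=${line#\[}; section=${section%\]}; continue ;;
        esac
        key=${line%%=*}; val=${line#*=}
        [ "$key" = "root-users" ] || continue
        IFS=','; set -- $val; unset IFS
        for u in "$@"; do
            if [ "$u" != "root" ]; then
                printf 'conf: [%s] gives %s root inside the chroot\n' "$section" "$u"
            fi
        done
    done < "$file"
}

# --- constructed sample config mirroring the deck --------------------
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/schroot.conf" <<'EOF'
[sandbox]
directory=/var/schroot/sandbox
description=Sandbox
root-users=root,rupert
users=rupert
type=directory

# same tree, but the interactive user is an ordinary user inside it
[sandbox-user]
directory=/var/schroot/sandbox
users=rupert
type=directory
EOF
cat > "$demo_dir/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/proc        /proc        none rw,bind 0 0
/sys         /sys         none rw,bind 0 0
/dev         /dev         none rw,bind 0 0
/dev/pts     /dev/pts     none rw,bind 0 0
/home        /home        none rw,bind 0 0
/home/rupert /home/rupert none rw,bind 0 0
/tmp         /tmp         none rw,bind 0 0
EOF

audit_conf  "$demo_dir/schroot.conf"
audit_fstab "$demo_dir/fstab"
```

Run against the deck's own files it reports rupert as root in [sandbox] and five rw bind mounts (/dev, /dev/pts, /home, /home/rupert, /tmp); for a development box that is the intended trade-off, but the output is exactly the list of host state a compromised process in the sandbox can touch.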

Users and groups are not kept between sessions

schroot's 20nssdatabases setup script copies the host's passwd, shadow and group over the chroot's at every session start, so accounts created inside the chroot (the mysql user that apt-get adds, for instance) disappear. Turn the copy off and seed the files once instead.

Fix nssdatabases-defaults

# System databases to copy into the chroot from the host system.
#
# <database name>
#passwd
#shadow
#group

Copy once when VM created:

/var/schroot/sandbox/etc > sudo cp /etc/gshadow gshadow
/var/schroot/sandbox/etc > sudo cp /etc/passwd passwd
/var/schroot/sandbox/etc > sudo cp /etc/group group
/var/schroot/sandbox/etc > sudo cp /etc/shadow shadow
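Copying once means the two sets of files drift apart, and copying /etc/shadow wholesale puts every host password hash into a tree that chroot root can read. An alternative is to merge host entries into the chroot's files, keeping whatever the chroot created itself. The script below is an added example, not part of the slides or of schroot: merge_nss_db, its optional allowlist and the sample passwd/shadow lines are constructed for illustration. It never overwrites an entry the chroot already has (so the chroot root's own hash stays), warns when a host uid/gid is already taken in the chroot, and rewrites the chroot file through its existing inode so the 0640 root:shadow mode of shadow survives.

```shell
#!/bin/sh
# Added example, not from the slides: merge host NSS entries into the
# chroot's copies instead of overwriting them (which is what schroot's
# 20nssdatabases script does at every session start).

# merge_nss_db HOST_FILE CHROOT_FILE [USER...]
# Append each HOST_FILE entry whose name is absent from CHROOT_FILE.
# With USER arguments only those accounts are carried over, so host
# password hashes for accounts that never use the chroot stay out of it.
# CHROOT_FILE is rewritten in place through its existing inode (cat >),
# not replaced with mv, so its mode and owner are preserved.
merge_nss_db() {
    host=$1; target=$2; shift 2
    tmp=$(mktemp) || return 1
    cat "$target" > "$tmp"
    # uid/gid collision warnings only make sense for passwd and group
    case ${target##*/} in passwd|group) check_id=1 ;; *) check_id=0 ;; esac
    while IFS= read -r entry; do
        name=${entry%%:*}
        [ -n "$name" ] || continue
        if [ $# -gt 0 ]; then
            wanted=0
            for u in "$@"; do
                if [ "$u" = "$name" ]; then wanted=1; fi
            done
            [ "$wanted" -eq 1 ] || continue
        fi
        # never clobber an entry the chroot already has
        if grep -q "^$name:" "$tmp"; then continue; fi
        if [ "$check_id" -eq 1 ]; then
            id=$(printf '%s\n' "$entry" | cut -d: -f3)
            if grep -q "^[^:]*:[^:]*:$id:" "$tmp"; then
                printf 'warning: %s reuses id %s already present in %s\n' \
                    "$name" "$id" "$target" >&2
            fi
        fi
        printf '%s\n' "$entry" >> "$tmp"
    done < "$host"
    cat "$tmp" > "$target"
    rm -f "$tmp"
}

# --- constructed sample data standing in for /etc and /var/schroot/sandbox/etc
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
mkdir -p "$d/host" "$d/chroot"
cat > "$d/host/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
rupert:x:1000:1000:Rupert,,,:/home/rupert:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
EOF
cat > "$d/host/shadow" <<'EOF'
root:$6$hostsalt$hosthash:15000:0:99999:7:::
rupert:$6$usersalt$userhash:15000:0:99999:7:::
postgres:*:15000:0:99999:7:::
EOF
# what debootstrap plus "apt-get install mysql-server" leaves in the chroot
cat > "$d/chroot/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false
EOF
cat > "$d/chroot/shadow" <<'EOF'
root:*:15000:0:99999:7:::
mysql:!:15000:0:99999:7:::
EOF
chmod 640 "$d/chroot/shadow"

# carry only rupert over; mysql stays, root keeps the chroot's own hash
merge_nss_db "$d/host/passwd" "$d/chroot/passwd" rupert
merge_nss_db "$d/host/shadow" "$d/chroot/shadow" rupert
cat "$d/chroot/passwd"
```

On the real system this is run as root with /etc/passwd and /var/schroot/sandbox/etc/passwd (and likewise for group and shadow), listing only the accounts that actually log into the sandbox; with nssdatabases-defaults commented out as above, nothing undoes the merge at the next session start.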

Networking (Host)

The chroot shares the host's network stack, so a service in the sandbox binding the same port as one on the host collides with it. An alias address on the loopback interface (192.168.40.1) gives the sandbox's services an address of their own to bind; being on lo, it is reachable only from this machine.

/etc/network/interfaces

auto lo lo:sandbox
iface lo inet loopback

iface lo:sandbox inet static
        address 192.168.40.1
        netmask 255.255.255.0
        network 192.168.40.0

sudo ifup lo:sandbox

ifconfig

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:479 errors:0 dropped:0 overruns:0 frame:0
          TX packets:479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:37228 (36.3 KiB)  TX bytes:37228 (36.3 KiB)

lo:sandbox Link encap:Local Loopback  
          inet addr:192.168.40.1  Mask:255.255.255.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

Networking

/etc/hosts

192.168.30.1    localhost-pons
192.168.40.1    localhost-sandbox

# pons
192.168.30.1 trainer.pons.local login.pons.local

Permissions for mysql root user

mysql

select user,host from mysql.user;
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '' WITH GRANT OPTION;

'root'@'%' with an empty password is root from wherever the server listens; the only thing keeping this local is the bind address set below. Prefer 'root'@'192.168.40.1' (local connections to the alias carry it as their source address) and a real password.

host

sudo vim /etc/network/interfaces
sudo ifup lo:sandbox
ifconfig -a

vm as root

/etc/init.d/mysql stop
vim /etc/mysql/my.cnf   # bind-address = 192.168.40.1
/etc/init.d/mysql start

Rakefile

require 'socket'

# Rails' db:* tasks refuse to touch a database unless local_database?
# says its host is local. Redefine it so the lo:sandbox alias counts as
# local too; guarded by hostname so it only applies on the dev laptop.
namespace :db do
  def local_database?(config, &block)
    if config['host'].in?(['127.0.0.1', 'localhost', '192.168.40.1']) || config['host'].blank?
      yield
    else
      $stderr.puts "This task only modifies local databases. #{config['database']} is on a remote host."
    end
  end
end if Socket.gethostname == "rupert-ThinkPad-T420"

schroot -p

-p (--preserve-environment) passes the host environment into the session

schroot -p --run-session -c sandbox-session

DISPLAY

X clients started in the sandbox open on the host's display.

SSH_AGENT_PID and SSH_AUTH_SOCK

SSH_AGENT_PID=2480
SSH_AUTH_SOCK=/tmp/keyring-fS3MML/ssh

The agent socket lives under /tmp, which is bind-mounted, so ssh inside the sandbox signs with the host agent's keys without the private keys ever entering the chroot. The flip side is the usual agent-forwarding one: any process in the sandbox running as your uid can use the agent, so a compromised sandbox can authenticate as you to anything those keys unlock.

http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

apt-get install locales

bundle install fails with

ArgumentError: invalid byte sequence in US-ASCII

because the locale named in the LANG passed in by -p does not exist in the chroot, so Ruby falls back to US-ASCII. As root on the VM, after installing locales:

localedef -i en_US -c -f UTF-8 en_US.UTF-8

Happy life without RVM

ruby-build 1.9.3-p194 ~/binary/ruby-1.9.3-p194

~/.bashrc

# $HOME is shared, so this .bashrc runs on the host and in the sandbox;
# schroot sets SCHROOT_CHROOT_NAME, which tells the two apart.
if [ "$SCHROOT_CHROOT_NAME" = "sandbox" ]; then
  export PATH=/home/rupert/binary/ruby-1.9.3-p194/bin:$PATH
fi

Summary

+

  • share $HOME between host and VM
  • easy to test software running in the VM with tools (e.g. browsers) installed on the host
  • almost-networking-virtualization is easy to set up
  • simple way of creating new containers
  • mounted $HOME means that file changes made on the host are instantly visible in the VM
  • edit on host, run in VM

Summary

-

  • no kernel virtualization: one kernel, and shared network stack, devices and shared memory
  • not a security boundary: root-users plus rw bind mounts of /home, /tmp and /dev make root in the chroot root over those host paths, and a root process can leave a chroot anyway
  • no Windows/FreeBSD

Source

  • man files
  • ted dziuba blog post removed from the web
