schroot - securely enter a chroot environment
schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user's current working directory inside the chroot.
There is often a need to run programs in a virtualised environment rather than on the host system directly. Unlike other virtualisation systems such as kvm or Xen, schroot does not virtualise the entire system; it only virtualises the filesystem, and some parts of the filesystem may still be shared with the host. It is therefore fast, lightweight and flexible.
However, it does not virtualise other aspects of the system, such as shared memory, networking, devices etc., and so may be less secure than other systems, depending upon its intended use.
A Linux distribution is a kernel, some libraries, binaries, and a package manager. The kernel is the lowest level of abstraction over the hardware; everything else is fairly interchangeable. Apache running on Red Hat will make the same system calls as Apache running on Ubuntu. In theory, as long as shared library paths are managed correctly and the package managers don't trample on each other, you can have multiple distributions "running" under one kernel, no virtual machine needed.
Unix provides the chroot mechanism to keep all of the distribution files in order. There are some tools that build on chroot to support these virtual environments so that you don't have to do any bookkeeping or stupid shit with /dev or /proc. I am using Ubuntu as my "host" operating system, and a Debian tool called schroot to manage it all.
sudo apt-get install debootstrap schroot
sudo mkdir -p /var/schroot/sandbox
sudo debootstrap --variant=buildd --arch amd64 lucid /var/schroot/sandbox http://archive.ubuntu.com/ubuntu/
[sandbox]
directory=/var/schroot/sandbox
description=Sandbox
root-users=root,rupert
users=rupert
type=directory
schroot -c sandbox ls
schroot -p --begin-session -c sandbox --session-name sandbox-session-root -u root
schroot -p --run-session -c sandbox-session-root -u root
apt-get install git build-essential zlib1g-dev libssl-dev \
  libxslt1-dev libxml2-dev libmysqlclient-dev libpq-dev \
  curl wget libpcre3-dev libcurl4-openssl-dev build-essential \
  openssl libreadline6 libreadline6-dev curl git-core zlib1g \
  zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 \
  libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf \
  libc6-dev ncurses-dev automake libtool bison strace \
  autotools-dev aptitude nmap vim exuberant-ctags locales \
  iputils-ping uuid-dev bash-completion adduser apt-utils \
  procps devscripts mc openjdk-7-jdk uuid-runtime dialog
apt-get install nginx mysql-server   # the Ubuntu package is mysql-server, not mysql
/etc/init.d/mysql start; /etc/init.d/nginx start
schroot -p --begin-session -c sandbox --session-name sandbox-session
schroot -p --run-session -c sandbox-session
schroot --end-session -c sandbox-session
/etc/schroot
├── buildd
│   ├── config
│   ├── copyfiles
│   ├── fstab
│   └── nssdatabases
├── chroot.d
├── copyfiles-defaults -> /etc/schroot/default/copyfiles
├── default
│   ├── config
│   ├── copyfiles
│   ├── fstab
│   └── nssdatabases
├── desktop
│   ├── config
│   ├── copyfiles
│   ├── fstab
│   └── nssdatabases
├── mount-defaults -> /etc/schroot/default/fstab
├── nssdatabases-defaults -> /etc/schroot/default/nssdatabases
├── schroot.conf
├── script-defaults -> /etc/schroot/default/config
└── setup.d
    ├── 00check
    ├── 05btrfs
    ├── 05file
    ├── 05lvm
    ├── 05union
    ├── 10mount
    ├── 15killprocs
    ├── 20copyfiles
    ├── 20nssdatabases
    ├── 50chrootname
    └── 99check -> 00check
# Note that the mount point will be prefixed by the chroot path
# (CHROOT_PATH)
#
# <file system> <mount point> <type> <options> <dump> <pass>
/proc /proc none rw,bind 0 0
/sys /sys none rw,bind 0 0
/dev /dev none rw,bind 0 0
/dev/pts /dev/pts none rw,bind 0 0
/home /home none rw,bind 0 0
/home/rupert /home/rupert none rw,bind 0 0
/tmp /tmp none rw,bind 0 0
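As an added example (not code from the original page), the POSIX shell script below reads an fstab in the format shown above together with the [sandbox] stanza of schroot.conf and reports the combination that matters here: a root-users entry alongside read-write bind mounts of host paths. The two inputs are constructed inline samples modelled on the page's files, and the SENSITIVE path list is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original page: audit an schroot fstab plus a
# schroot.conf stanza for settings that widen what the chroot can reach on the
# host. Both inputs are constructed inline samples modelled on the page's files.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/proc /proc none rw,bind 0 0
/sys /sys none rw,bind 0 0
/dev /dev none rw,bind 0 0
/dev/pts /dev/pts none rw,bind 0 0
/home /home none rw,bind 0 0
/home/rupert /home/rupert none rw,bind 0 0
/tmp /tmp none rw,bind 0 0'
SAMPLE_CONF='[sandbox]
directory=/var/schroot/sandbox
root-users=root,rupert
users=rupert
type=directory'
# Host paths a read-write bind mount exposes unchanged (assumed list): schroot
# virtualises only the filesystem view, so writes inside the chroot hit the host.
SENSITIVE='/home /tmp /dev /sys /proc /etc'
# Print "<host path> <options>" for each rw bind mount of a sensitive path, or of
# a subdirectory of one, found in the fstab text passed as $1.
rw_bind_mounts() {
    printf '%s\n' "$1" | while read -r fs mp type opts dump pass; do
        case "$fs" in ''|\#*) continue ;; esac             # blank or comment
        case ",$opts," in *,bind,*) ;; *) continue ;; esac  # bind mounts only
        case ",$opts," in *,ro,*) continue ;; esac          # read-only is fine
        for s in $SENSITIVE; do
            case "$fs" in "$s"|"$s"/*) printf '%s %s\n' "$fs" "$opts"; break ;; esac
        done
    done
}
count_rw_bind_mounts() { rw_bind_mounts "$1" | wc -l | tr -d ' '; }
# Return the root-users list of stanza $2 in the schroot.conf text passed as $1.
root_users() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^\[/ { in_section = ($0 == ("[" name "]")) }
        in_section && /^root-users=/ { sub(/^root-users=/, ""); print; exit }'
}
# A user in root-users is root inside the chroot, so it writes as root to every
# rw bind-mounted host path. Report that combination and exit 1 when present.
audit() {
    ru=$(root_users "$2" "$3"); n=$(count_rw_bind_mounts "$1")
    [ -n "$ru" ] && [ "$n" -gt 0 ] || return 0
    printf 'root-users=%s and %s rw bind mounts of host paths:\n' "$ru" "$n"
    rw_bind_mounts "$1"; return 1
}
audit "$SAMPLE_FSTAB" "$SAMPLE_CONF" sandbox || :   # nonzero exit means findings
```

Point the two sample variables at the real /etc/schroot/default/fstab and /etc/schroot/schroot.conf (for example with `$(cat ...)`) to run it against a live setup; changing an entry to ro,bind drops it from the report.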
# System databases to copy into the chroot from the host system.
#
# <database name>
#passwd
#shadow
#group
/var/schroot/sandbox/etc > sudo cp /etc/gshadow gshadow
/var/schroot/sandbox/etc > sudo cp /etc/passwd passwd
/var/schroot/sandbox/etc > sudo cp /etc/group group
/var/schroot/sandbox/etc > sudo cp /etc/shadow shadow
auto lo lo:sandbox
iface lo inet loopback
iface lo:sandbox inet static
address 192.168.40.1
netmask 255.255.255.0
network 192.168.40.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:479 errors:0 dropped:0 overruns:0 frame:0
TX packets:479 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:37228 (36.3 KiB) TX bytes:37228 (36.3 KiB)
lo:sandbox Link encap:Local Loopback
inet addr:192.168.40.1 Mask:255.255.255.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
192.168.30.1 localhost-pons
192.168.40.1 localhost-sandbox
# pons
192.168.30.1 trainer.pons.local login.pons.local
select user,host from mysql.user;
-- root from any host with an empty password: keep this MySQL bound to the
-- lo:sandbox address (see the my.cnf step) so it is only reachable on this machine
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '' WITH GRANT OPTION;
sudo vim /etc/network/interfaces
sudo ifup lo:sandbox
ifconfig -a
/etc/init.d/mysql stop
vim /etc/mysql/my.cnf   # change bind-address
/etc/init.d/mysql start
require 'socket'

# Rails rake override: only let db tasks touch local databases. 192.168.40.1 is
# the lo:sandbox alias the chroot's MySQL listens on, so it counts as local.
# Only active on the author's machine (in? and blank? come from ActiveSupport).
namespace :db do
  def local_database?(config, &block)
    if config['host'].in?(['127.0.0.1', 'localhost', '192.168.40.1']) || config['host'].blank?
      yield
    else
      $stderr.puts "This task only modifies local databases. #{config['database']} is on a remote host."
    end
  end
end if Socket.gethostname == "rupert-ThinkPad-T420"
schroot -p --run-session -c sandbox-session
SSH_AGENT_PID=2480
SSH_AUTH_SOCK=/tmp/keyring-fS3MML/ssh
ArgumentError: invalid byte sequence in US-ASCII
localedef -i en_US -c -f UTF-8 en_US.UTF-8
# schroot exports SCHROOT_CHROOT_NAME, so a shell rc can pick a Ruby only inside the sandbox
if [ "$SCHROOT_CHROOT_NAME" = "sandbox" ]; then
    export PATH=/home/rupert/binary/ruby-1.9.3-p194/bin:$PATH
fi