Jails in openSUSE: ‘chroot’

What is chroot?

A chroot is a way of isolating applications from the rest of your system by jailing them in a particular directory. The idea lies in changing the apparent root directory for the current running process and its children. A program running in such a modified environment cannot access files outside the designated directory tree. The reverse does not hold: processes outside the jail can still access the files inside it.

Uses and Advantages.

  • A test environment can be set up in the chroot for software that would otherwise be too risky to deploy on a production system.
  • Software can be developed, built and tested in a chroot populated only with its expected dependencies. This can prevent some kinds of linkage skew that can result from developers building projects with different sets of program libraries installed.
  • Legacy software or software using a different ABI must sometimes be run in a chroot because their supporting libraries or data files may otherwise clash in name or linkage with those of the host system.
  • Should a system be rendered unbootable, a chroot can be used to move back into the damaged environment after bootstrapping from an alternate root file system.
  • Programs are allowed to carry open file descriptors (for files, pipelines and network connections) into the chroot, which can simplify jail design by making it unnecessary to leave working files inside the chroot directory. This also simplifies the common arrangement of running the potentially vulnerable parts of a privileged program in a sandbox, in order to pre-emptively contain a security breach.

Setting up chroot.

Setting up a chroot on a Debian-based system like Ubuntu is pretty straightforward using the DebootstrapChroot package. I did not find any such tools for openSUSE. It needs a bit of manual work, as documented here.

1. Make a directory for your chroot apps

You can place it anywhere you like. I prefer creating a separate directory, /chroot-apps:

mkdir -p /chroot-apps/app1

where app1 will be my first chrooted environment.

2. Set up the basic file system.

This consists of the file skeleton required for a flavour of Linux to work: the root directory together with a minimal set of subdirectories and files, including /boot, /dev, /etc, /bin, /sbin and sometimes /tmp (for temporary files). You can run any flavour of Linux inside the chroot. Since we are working with SUSE, for simplicity, we will run SUSE inside the chroot as well.

Use

zypper lr --uri

to locate the repository links. Copy the link for your openSUSE version, here ‘openSUSE:Leap:42.2’. It is generally ‘http://download.opensuse.org/distribution/leap/42.2/repo/oss/’

Now we will add this repo to our chroot environment using zypper:

zypper --root /chroot-apps/app1 ar http://download.opensuse.org/distribution/leap/42.2/repo/oss/ repo-oss

We will also add the packages repo so that we can install packages from inside the jailed environment

zypper --root /chroot-apps/app1 ar http://download.opensuse.org/repositories/home:/darkhado:/openSUSE/openSUSE_Leap_42.3/ "openSUSE:Leap:42.3"

3. Installing basic apps

The jailed environment has nothing installed. Not even ping! We will use zypper to install some basic apps to make the jailed environment more usable. PS: We will also have to install zypper inside the jail.

zypper --root /chroot-apps/app1/ install rpm zypper sudo wget vim ping

4. Making the Internet work. DNS resolution

So that domains can be resolved, we need to copy /etc/resolv.conf from the host into the /etc of the jail:

cp /etc/resolv.conf /chroot-apps/app1/etc/

5. Mounting /proc

At this point, you can chroot to your app1 jail and use it. A few programs need visibility of /proc. /proc is special in that it is a virtual filesystem, sometimes referred to as a process information pseudo-file system. It doesn’t contain ‘real’ files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc). For this reason it can be regarded as a control and information centre for the kernel. In fact, quite a lot of system utilities simply read files in this directory.

We need to bind this to our jail:

mount --bind /proc/ /chroot-apps/app1/proc/

6. Extras

You might run into some problems. If you do, the known ones and their fixes are listed here.

  1. zypper cannot get input from the keyboard. A dirty fix: From the jailed environment, run this ‘mknod /dev/tty c 5 0’. This will create a device to capture inputs.
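A read-only check that steps 4 to 6 all landed in the same jail directory, added here as an example and not part of the original post. The function name jail_audit, its optional parameters and the FAIL/WARN output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of a chroot jail
# against steps 4-6 above. Assumes JAIL is an absolute path without spaces.

# jail_audit JAIL [MOUNTS_FILE] [HOST_RESOLV]
# Prints one line per finding; the return status is the number of FAILs.
jail_audit() {
    jail=${1%/}                          # drop a trailing slash for exact path matches
    mounts=${2:-/proc/self/mounts}       # mount table (a parameter so it can be tested)
    host_resolv=${3:-/etc/resolv.conf}   # file the jail copy was taken from
    fails=0

    if [ ! -d "$jail" ]; then
        echo "FAIL no such jail directory: $jail"
        return 1
    fi

    # Step 4: DNS needs a resolv.conf with at least one nameserver line.
    if grep -q '^nameserver' "$jail/etc/resolv.conf" 2>/dev/null; then
        # The copy does not follow later changes on the host; flag drift.
        cmp -s "$host_resolv" "$jail/etc/resolv.conf" ||
            echo "WARN etc/resolv.conf differs from $host_resolv"
    else
        echo "FAIL etc/resolv.conf missing or has no nameserver"
        fails=$((fails + 1))
    fi

    # Step 5: /proc must be mounted at JAIL/proc, not in a similarly named jail.
    if ! awk -v mp="$jail/proc" '$2 == mp { ok = 1 } END { exit !ok }' "$mounts"; then
        echo "FAIL nothing mounted on $jail/proc"
        fails=$((fails + 1))
    fi

    # Step 6: zypper reads the keyboard through the /dev/tty character device.
    if [ ! -c "$jail/dev/tty" ]; then
        echo "FAIL dev/tty is not a character device"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo "OK $jail"
    return "$fails"
}

# Run the audit when a jail path is given on the command line.
if [ "$#" -gt 0 ]; then jail_audit "$@"; fi
```

Run it on the host as `sh jail_audit.sh /chroot-apps/app1` (the script file name is arbitrary); a non-zero exit status is the number of steps that still need attention.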
