Wiki source for chroot


Show raw source

Running Apps in a Chroot Jail.

Definition: A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.

A chroot jail is a way to isolate a process and its children from the rest of the system.

The idea is that you create a directory tree where you copy or link in all the system files needed for a process to run. You then use the chroot() system call to change the root directory to be at the base of this new tree and start the process running in that chroot'd environment. Since it can't actually reference paths outside the modified root, it can't perform operations (read/write etc.) maliciously on those locations.

On Linux, using a bind mounts is a great way to populate the chroot tree. Using that, you can pull in folders like /lib and /usr/lib while not pulling in /usr, for example. Just bind the directory trees you want to directories you create in the jail directory.

https://unix.stackexchange.com/questions/105/chroot-jail-what-is-it-and-how-do-i-use-it


Example running a modern Browser in an old Pup which won't run natively.





A fairly recent Chromium-based browser, running in 431! In fact it's my Chrome 48 replacement; Iron 69, only a few releases old. And all made possible through the magic of a 'chrooted jail'.....

---------------------------------------------

I got to thinking, earlier today. Watchdog let me have his 'chrooted' version of Palemoon 28.6.1 to try out here in 431, and it runs well, if a bit slower than I would have perhaps expected, given how lightweight Palemoon is.

I've wanted to get a 'modern' Chromium-based browser running in several of my older Pups for some time. Accordingly, I unpacked his SFS of Palemoon, to see how he did it. It essentially uses a pristine copy of Precise, sitting inside a container, with Palemoon manually installed to the appropriate locations, and a bunch of scripts tying it all together, with a .desktop entry outside the 'jail' to start it.

I knew I'd need something a bit newer than Precise to run Iron 69; from experimentation, Tahrpup is the oldest that doesn't bitch & complain about stuff missing. So; I unpacked the Tahr ISO. I unpacked, and copied over, the main SFS. I also copied over the contents of the z_drv, since Tahrpup was one of the first Puppies to make kernel swaps easy by doing so.

Iron was then manually installed, along with the required up-to-date GTK-3.0 stuff. I'd already assembled an Iron package a while back, which uses an extra directory containing all the up-to-date libNSS stuff from the then current Palemoon, called via 'LD_PRELOAD'.....so I used this one. Last but not least, the current version of PepperFlash.

I packed all this up into an SFS, fired up Precise 571, loaded the SFS, and hit the 'Go' button. Damn me if it didn't work, too.....!!

---------------------------------------------------------------------

I then hit on the bright idea of 'installing' the 'virtual' Tahr install in its directory to one of my large, external data partitions, and knocked up a .pet to sym-link it into '/', along with installing the scripts and .desktop entry. Naturally enough, if it worked OK, once again I could do the same as with other browsers; share a single browser between multiple Pups.

It worked.....so I thought, 'I've got to give it a try, haven't I?' I re-booted into 4.3.11, installed the sym-link/scripts .pet, and fired it up from the terminal for the first run to see what (if any) error messages I got. After a few seconds of all the guff that Chromium-based browsers always spit out, well; you could have knocked me down with a feather.....

In the words of Dr. Frankenstein....."It's ALIVE!!!" A-maz-ing. I'm still gobsmacked. I wouldn't have thought it possible for a Pup of this vintage to run a browser built nearly a decade after its release, but there ya go, mate.

(And the astonishing thing is, that where the chrooted Palemoon actually seems slower than usual, the chrooted Iron is so fast in 4.3.11 it's almost unreal..! Very surprising for what is essentially a big, heavyweight browser.)

Watchdog tells me that he runs quite a number of apps in this way, and in fact he does the same as I've done.....put the entire thing on an external partition and runs it from there. The advantage of this is that you simply add programs manually, & generate new scripts, as you do so. If you're running from an SFS, you'd have to tear it down and do a re-pack every time you added something new.

Thread Post: http://murga-linux.com/puppy/viewtopic.php?p=1035264#1035264
Download example: https://drive.google.com/file/d/12FfIx4Ea2xK3XK371n9ewKHxpuswkw-S/view?usp=sharing
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki