How to build a chroot jail environment for CentOS
A chroot environment is simply a directory – inside which you can find a file system hierarchy exactly like your original operating system’s. You can then use the UNIX chroot command to open a shell in that directory so that commands running under that shell see only the chroot environment and can’t mess up your system. This is very useful for many different reasons – for example if you want to build some software packages and you don’t want their build dependencies to pollute your real system.
Building a chroot environment is not difficult at all using the right tools, and YUM – the CentOS installation tool – has what you need.
To start, log into your CentOS system and create yourself a directory where you want to build your chroot jail. I usually choose something like /var/tmp/chroot, so I would run
mkdir -p /var/tmp/chroot
Next step is to initialize the RPM database so that we can install all of the software we need in the chroot jail: we will need to create the directory for the database because RPM expects it to exist, and then use the RPM “rebuilddb” command:
mkdir -p /var/tmp/chroot/var/lib/rpm
rpm --rebuilddb --root=/var/tmp/chroot
In order for YUM to manage to install software into our chroot system it needs to know which CentOS version to install – for this to work it needs the package centos-release to be installed in the root. Doing this properly will take a lot of time and require us to manually download and install many packages – and that is boring. What we will do instead is just download the centos-release file from the CentOS mirrors:
wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-5-4.el5.centos.1.x86_64.rpm
and just install it forcefully:
rpm -i --root=/var/tmp/chroot --nodeps centos-release-5-4.el5.centos.1.x86_64.rpm
Finally we can call on YUM to install the rest of our system:
yum --installroot=/var/tmp/chroot install -y rpm-build yum
The last step will take a bit of time to complete as YUM has to download all the software that goes into your chroot jail environment, but when it’s ready you can run chroot /var/tmp/chroot to see how it looks inside (type exit to leave the chroot again).
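The steps above, collected into one script as an added example (this is not the article’s own script). It assumes it runs as root on a CentOS 5 x86_64 host, takes the target directory and the centos-release RPM URL as arguments (the URL from the article may have moved; the comments mention vault.centos.org), and adds two things the article only mentions later: a yum clean all before the install, which avoids the stale-mirrorlist error reported in the comments, and the resolv.conf copy from the Network section. The verify_chroot function is a sanity check that only looks at the file tree, so it can be run against any directory:

```shell
#!/bin/sh
# Added example, not the article's own code. Builds a CentOS chroot with the
# steps from the article and then checks that the expected pieces are there.
# Assumptions: running as root, CentOS 5 x86_64 package layout, wget present.
set -eu

# Build the chroot at directory $1 using the centos-release RPM at URL $2.
build_chroot() {
    root="$1"
    url="$2"
    rpmfile="${url##*/}"           # file name part of the URL

    # RPM needs its database directory to exist before it can rebuild it.
    mkdir -p "$root/var/lib/rpm"
    rpm --rebuilddb --root="$root"

    # centos-release tells YUM which repositories to use; install it into the
    # empty root without dependency resolution.
    wget -q -O "/tmp/$rpmfile" "$url"
    rpm -i --root="$root" --nodeps "/tmp/$rpmfile"

    # Drop any cached (and possibly stale) mirror lists, then install the base.
    yum --installroot="$root" clean all
    yum --installroot="$root" install -y rpm-build yum

    # Name resolution inside the jail (the Network section of the article).
    cp /etc/resolv.conf "$root/etc/resolv.conf"
}

# Check that a chroot tree at $1 contains what the build produces.
# Returns 0 if everything is present, 1 and a message on stderr otherwise.
verify_chroot() {
    root="$1"
    for p in var/lib/rpm etc/centos-release etc/resolv.conf bin/bash usr/bin/yum; do
        if [ ! -e "$root/$p" ]; then
            echo "missing $root/$p" >&2
            return 1
        fi
    done
    return 0
}

# Usage: make-chroot.sh build DIR RELEASE_RPM_URL | make-chroot.sh verify DIR
case "${1:-}" in
    build)  build_chroot "$2" "$3"; verify_chroot "$2" ;;
    verify) verify_chroot "${2:-/var/tmp/chroot}" ;;
esac
```

Running verify_chroot is also a cheap way to tell whether an earlier build was interrupted before YUM finished: a tree with an RPM database but no /usr/bin/yum is half built and should be rebuilt rather than chrooted into.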
Optional
It probably feels pretty bare inside, with a default bash prompt and no aliases. To make the chroot jail a bit more comfortable you can populate the chrooted root directory with the skeleton account files so it feels more like a proper system – before you chroot, copy the files from /etc/skel to the chroot’s /root home directory:
cp /var/tmp/chroot/etc/skel/.??* /var/tmp/chroot/root
Then run the chroot command and tell it to start Bash as a login shell:
chroot /var/tmp/chroot /bin/bash -l
Now you should have a nice bash prompt just like in a real system.
The special file systems
If you try to run some stuff inside the chroot, for example – yum, you’ll see that some things are not really functional because they want access to /proc or /dev. In order to work with these you will want to mount the real /proc and /dev file systems into the chroot, like so (but get out of the chroot first):
mount --bind /proc /var/tmp/chroot/proc
mount --bind /dev /var/tmp/chroot/dev
As you can surely figure out – this will let processes inside the chroot (especially if you’re running in the chroot as the root user) see and tap into various parts of the real system even though they do not have access to the actual files – this is a security issue, and if you plan to run software inside the chroot that you do not trust, then I suggest not using a simple chroot, and instead using a virtual machine or something like User-Mode Linux.
Of course binding the /proc and /dev file systems is optional, and if you don’t run any software inside the chroot that needs these, you can skip that part.
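Because the bind mounts expose the real /proc and /dev, it is worth handling them with a small helper rather than typing mount by hand. The script below is an added example (not from the article): it mounts /proc and /dev only when they are not already bound, unmounts them deepest-first, and refuses to rm -rf the chroot tree while anything is still mounted under it, since deleting the tree with the real /dev bound into it would recurse into the host’s /dev. It reads /proc/mounts by default, but the mounts file is a parameter so the check can be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not the article's own code. Manages the /proc and /dev bind
# mounts of a chroot and guards the cleanup. Assumes Linux /proc/mounts
# format (field 2 is the mount point) and runs as root for mount/umount.
set -eu

# Print the mount points at or below directory $1 found in the mounts file
# $2 (default /proc/mounts), one per line. Returns 1 if there are none.
chroot_mounts() {
    root="$1"
    mounts="${2:-/proc/mounts}"
    # Match the root itself or any path below it; "/var/tmp/chroot2" must
    # not match "/var/tmp/chroot", hence the trailing slash in the prefix.
    awk -v root="$root" '$2 == root || index($2, root "/") == 1 { print $2 }' "$mounts" | grep .
}

# Bind the real /proc and /dev into the chroot at $1, skipping ones already
# mounted so repeated calls do not stack mounts.
bind_special() {
    root="$1"
    for fs in proc dev; do
        if chroot_mounts "$root" 2>/dev/null | grep -qx "$root/$fs"; then
            echo "$root/$fs already mounted, skipping" >&2
            continue
        fi
        mount --bind "/$fs" "$root/$fs"
    done
}

# Unmount everything under the chroot at $1, deepest path first so that a
# nested mount such as $1/dev/pts comes off before $1/dev.
unbind_special() {
    root="$1"
    chroot_mounts "$root" | sort -r | while read -r mp; do
        umount "$mp"
    done
}

# Delete the chroot tree at $1, but only if nothing is mounted under it.
remove_chroot() {
    root="$1"
    if chroot_mounts "$root" >/dev/null; then
        echo "refusing to remove $root: mounts still present, run unbind first" >&2
        return 1
    fi
    rm -rf "$root"
}

# Usage: chroot-mounts.sh bind|unbind|remove DIR
case "${1:-}" in
    bind)   bind_special "$2" ;;
    unbind) unbind_special "$2" ;;
    remove) remove_chroot "$2" ;;
esac
```

The same chroot_mounts check is useful on its own before any destructive operation on the directory; an empty result means the tree is just files again.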
Network
Network access should work fine inside the chroot, but we didn’t set up name resolution – fortunately this is rather easy: just copy the nameserver file from your real system into the chroot:
cp /etc/resolv.conf /var/tmp/chroot/etc/resolv.conf
And now you can use YUM to install additional software from inside the chroot jail. Of course you can always exit the jail and install from outside using the yum --installroot switch.
Concise and to the point. Thanks!
Just a little typo… where it reads:
mount --bind /dev /var/tmp/chroot/proc
should be:
mount --bind /dev /var/tmp/chroot/dev
Oh, oops 🙂 Thanks for noticing, I fixed.
Finally we can call on YUM to install the rest of our system:
yum --installroot=/var/tmp/chroot install -y rpm-build yum
[root@app3 chroot]# yum --installroot=/var/tmp/chroot install -y rpm-build yum
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
Eg. $releasever is not a valid release or hasnt been released yet/
removing mirrorlist with no valid mirrors: /var/tmp/chroot/var/cache/yum/addons/mirrorlist.txt
Error: Cannot find a valid baseurl for repo: addons
[root@app3 chroot]# yum --disablerepo=addons --installroot=/var/tmp/chroot install -y rpm-build yum
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
Eg. $releasever is not a valid release or hasnt been released yet/
removing mirrorlist with no valid mirrors: /var/tmp/chroot/var/cache/yum/base/mirrorlist.txt
Cannot find a valid baseurl for repo: base
Someguy,
I ran into the same problem. I copied my mirrorlists to the chrooted directory and it worked fine.
Or, alternatively, you can just delete it – then YUM will regenerate the mirror list file.
A precaution that might have solved this problem from the start would be to run ‘yum clean all’ inside the chroot. This will also remove the mirror list and a subsequent call to YUM will regenerate it.
JFYI if someone needs archive version of CentOS use:
http://vault.centos.org/
In the Network section copy destination should be:
cp /etc/resolv.conf /var/tmp/chroot/etc/resolv.conf
Nice and simple!!!
Concise, clear and efficient, just what I needed.
Worked fine to create a CentOS 5.6 chroot in Fedora 15, just had to change the CentOS version (the 5.4 rpm doesn’t seem to be available at the mentioned URL by the way) and add --nogpgcheck to the yum options.
Not cp /etc/resolv.conf /var/tmp/chroot/resolv.conf
But cp /etc/resolv.conf /var/tmp/chroot/etc/resolv.conf
JFYI, I made a script for making a chroot environment.
https://github.com/qwertydzen/Chroot-Installer
Awesome. Thanks for the fix.
[…] chroot sandbox for the mysql daemon (I like to separate stuff, and a chroot jails are just […]
Hi There and Thanks for the useful article.
How about if I’d like to just lock the users into their home directories?
The users that have SSH access.
I’ve several users using Rsync on Mac and of course they’ve got SSH. The problem is that they are not locked into their home directories and they can do damage to my system if someone decides to ssh in and then cd /.
I appreciate your comments.
Following the guide, I did:
chroot /var/tmp/chroot
and now my root user got chrooted 🙂 How do I get it out? And you should have put some note on this just before the command 🙂
hi MK, I think just typing an “exit” will do the trick…
Hi,
[root@www chroot]# chroot /var/tmp/chroot
bash: chroot: command not found
[root@www chroot]# ls -al /usr/bin/ | grep chroot
[root@www chroot]# which chroot
/usr/bin/which: no chroot in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bn:/bin:/usr/bin)
What should I do to install chroot (this is a CentOS 5.4) ?
Thanks
look in /usr/sbin (not in your path)
[…] things that need to exist for a system to work properly. There’s a good instruction set on geek.co.il, but it’s a bit outdated (from 2010), so here’s a quick set of updated […]