How to build a chroot jail environment for CentOS

A chroot environment is simply a directory inside which you can find a file system hierarchy just like your original operating system's. You can then use the UNIX chroot command to open a shell in that directory, so that commands running under that shell see only the chroot environment and can't mess up your system. This is useful for many reasons, for example if you want to build some software packages and you don't want their build dependencies to pollute your real system.

Building a chroot environment is not difficult at all using the right tools, and YUM – the CentOS installation tool – has what you need.

To start, log into your CentOS system and create yourself a directory where you want to build your chroot jail. I usually choose something like /var/tmp/chroot, so I would run

mkdir -p /var/tmp/chroot

The next step is to initialize the RPM database so that we can install all of the software we need into the chroot jail. We need to create the directory for the database, because RPM expects it to exist, and then run RPM's "rebuilddb" command:

mkdir -p /var/tmp/chroot/var/lib/rpm
rpm --rebuilddb --root=/var/tmp/chroot

For YUM to install software into our chroot it needs to know which CentOS version to install, and for that it needs the centos-release package to be installed in the chroot. Doing this properly would take a lot of time and require us to manually download and install many packages, which is boring. Instead we will just download the centos-release RPM from a CentOS mirror:

wget http://mirror.centos.org/centos/5/os/x86_64/CentOS/centos-release-5-4.el5.centos.1.x86_64.rpm

and just install it forcefully:

rpm -i --root=/var/tmp/chroot --nodeps centos-release-5-4.el5.centos.1.x86_64.rpm

Finally we can call on YUM to install the rest of our system:

yum --installroot=/var/tmp/chroot install -y rpm-build yum

The last step will take a while, as YUM has to download all the software that goes into your chroot jail, but when it's ready you can run chroot /var/tmp/chroot to see how it looks inside (type exit to leave the jail again).

Optional

It probably feels pretty bare inside, with a default bash prompt and no aliases. To make the chroot jail a bit more comfortable you can populate root's home directory in the chroot with the skeleton account files so it feels more like a proper system. Before you chroot, copy the files from the chroot's /etc/skel into the chroot's /root home directory:

cp /var/tmp/chroot/etc/skel/.??* /var/tmp/chroot/root

Then run the chroot command and tell it to start Bash as a login shell:

chroot /var/tmp/chroot /bin/bash -l

Now you should have a nice bash prompt just like in a real system.

The special file systems

If you try to run some things inside the chroot, yum for example, you'll see that they are not fully functional because they want access to /proc or /dev. To make these work you will want to bind-mount the real /proc and /dev file systems into the chroot, like so (get out of the chroot first):

mount --bind /proc /var/tmp/chroot/proc
mount --bind /dev /var/tmp/chroot/dev

As you can surely figure out, this lets processes inside the chroot (especially if you are running in the chroot as the root user) see and tap into various parts of the real system even though they have no access to the actual files. This is a security issue: if you plan to run software inside the chroot that you do not trust, then I suggest not using a simple chroot, and instead using a virtual machine or something like User-Mode Linux.

Of course binding the /proc and /dev file systems is optional, and if you don't run any software inside the chroot that needs them, you can skip that part.
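The build steps above, the bind mounts from this section, and a teardown that checks for leftover mounts before deleting the jail, as an added example script that is not from the original post. It assumes the page's paths (/var/tmp/chroot, and the centos-release RPM downloaded into the current directory); validate_root, chroot_mounts and teardown_chroot are my own additions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the page's layout: the jail
# under $CHROOT, the centos-release RPM downloaded as $RELEASE_RPM. Run as root.
CHROOT="${CHROOT:-/var/tmp/chroot}"
RELEASE_RPM="${RELEASE_RPM:-centos-release-5-4.el5.centos.1.x86_64.rpm}"

# Refuse roots that would aim --root/--installroot or rm -rf at the host.
validate_root() {
    [ -n "$1" ] && [ "$1" != "/" ] || return 1
    case "$1" in /*) ;; *) return 1 ;; esac
    case "$1" in *..*) return 1 ;; *) return 0 ;; esac
}

# The build steps from the page in order; any failure stops the run.
build_chroot() {
    validate_root "$1" || { echo "refusing to use '$1' as chroot root" >&2; return 1; }
    mkdir -p "$1/var/lib/rpm"
    rpm --rebuilddb --root="$1"
    rpm -i --root="$1" --nodeps "$RELEASE_RPM"
    yum --installroot="$1" install -y rpm-build yum
    cp /etc/resolv.conf "$1/etc/resolv.conf"   # name resolution, as in the Network section
}

# Bind the special file systems. Trusted workloads only: root inside the jail
# reaches the host through these mounts.
mount_special() {
    mount --bind /proc "$1/proc"
    mount --bind /dev "$1/dev"
}

# Every mount point under the jail, deepest first, from a table in /proc/mounts
# format (the live table by default; a constructed one in tests).
chroot_mounts() {
    awk -v root="$1" '$2 == root || index($2, root "/") == 1 { print $2 }' \
        "${2:-/proc/mounts}" | LC_ALL=C sort -r
}

# Unmount before deleting, or rm -rf descends into the bound /dev and /proc and
# unlinks the host's device nodes. --one-file-system (GNU rm) is a second guard.
teardown_chroot() {
    validate_root "$1" || return 1
    for mp in $(chroot_mounts "$1"); do umount "$mp" || return 1; done
    [ -z "$(chroot_mounts "$1")" ] || { echo "still mounted under $1" >&2; return 1; }
    rm -rf --one-file-system "$1"
}

case "${1:-}" in
    build) build_chroot "$CHROOT" && mount_special "$CHROOT" ;;
    teardown) teardown_chroot "$CHROOT" ;;
esac
```

Run it as root with `build` or `teardown`; the mount-table check reads /proc/mounts by default but accepts a constructed table, which is how the functions can be exercised without root.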

Network

Network access should work fine inside the chroot, but we didn't set up name resolution. Fortunately this is easy: just copy the nameserver configuration from your real system into the chroot:

cp /etc/resolv.conf /var/tmp/chroot/etc/resolv.conf

Now you can use YUM to install additional software from inside the chroot jail. Of course you can always exit the jail and install from outside using yum's --installroot switch.


19 Responses to “How to build a chroot jail environment for CentOS”

  1. Arik:

    Concise and to the point. Thanks!

  2. Igor Feghali:

    Just a little typo… where it reads:

    mount --bind /dev /var/tmp/chroot/proc

    should be:

    mount --bind /dev /var/tmp/chroot/dev

  3. someguy:

    Finally we can call on YUM to install the rest of our system:

    yum --installroot=/var/tmp/chroot install -y rpm-build yum

    [root@app3 chroot]# yum --installroot=/var/tmp/chroot install -y rpm-build yum
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
    Eg. $releasever is not a valid release or hasnt been released yet/
    removing mirrorlist with no valid mirrors: /var/tmp/chroot/var/cache/yum/addons/mirrorlist.txt
    Error: Cannot find a valid baseurl for repo: addons

    [root@app3 chroot]# yum --disablerepo=addons --installroot=/var/tmp/chroot install -y rpm-build yum
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
    Eg. $releasever is not a valid release or hasnt been released yet/
    removing mirrorlist with no valid mirrors: /var/tmp/chroot/var/cache/yum/base/mirrorlist.txt

    Cannot find a valid baseurl for repo: base

  4. otherguy:

    Someguy,
    I ran into the problem; I copied my mirrorlists to the chrooted directory and it worked fine.

  5. Oded:

    Or, alternatively, you can just delete it – then YUM will regenerate the mirror list file.

    A precaution that might have solved this problem from the start would be to run ‘yum clean all’ inside the chroot. This will also remove the mirror list and a subsequent call to YUM will regenerate it.

  6. TomasZon:

    JFYI if someone needs archive version of CentOS use:
    http://vault.centos.org/

  7. Curtis:

    In the Network section copy destination should be:
    cp /etc/resolv.conf /var/tmp/chroot/etc/resolv.conf

  8. Loshmi:

    Nice and simple!!!

  9. Gentledevil:

    Concise, clear and efficient, just what I needed.

    Worked fine to create a CentOS 5.6 chroot in Fedora 15, just had to change the CentOS version (the 5.4 rpm doesn't seem to be available at the mentioned URL by the way) and add --nogpgcheck to the yum options.

  10. Yauhen:

    Not cp /etc/resolv.conf /var/tmp/chroot/resolv.conf
    But cp /etc/resolv.conf /var/tmp/chroot/etc/resolv.conf

    JFYI, I made a script for making a chroot environment.
    https://github.com/qwertydzen/Chroot-Installer

  11. WebArchitectures: first useful post « Dacav's trick:

    […] chroot sandbox for the mysql daemon (I like to separate stuff, and a chroot jails are just […]

  12. Josif:

    Hi There and Thanks for the useful article.

    How about if I'd like to just lock the users into their home directories?
    The users that have ssh access.

    I've several users using Rsync on Mac and of course they've ssh. The problem is that they are not locked into their home directories and they can do damage to my system if someone decides to ssh and then cd /.

    I appreciate your comments.

  13. MK:

    Following the guide, I did:
    chroot /var/tmp/chroot
    and now my root user got chrooted 🙂 How do I get it out? And you should have put some note on this just before the command 🙂

  14. RajeshRS:

    hi MK, I think just typing an “exit” will do the trick…

  15. Totara:

    Hi,

    [root@www chroot]# chroot /var/tmp/chroot
    bash: chroot: command not found
    [root@www chroot]# ls -al /usr/bin/ | grep chroot
    [root@www chroot]# which chroot
    /usr/bin/which: no chroot in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bn:/bin:/usr/bin)

    What should I do to install chroot (this is CentOS 5.4)?

    Thanks

  16. So…containers. Why? How? What? Start here if you haven’t. | Standalone Sysadmin:

    […] things that need to exist for a system to work properly. There’s a good instruction set on geek.co.il, but it’s a bit outdated (from 2010), so here’s a quick set of updated […]
