schroot - chroot for any users

Posted by amadeu on Tue 27 Nov 2007 at 15:06

From the manpage: schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user's current working directory inside the chroot.

I've been trying some virtual machine solutions to run 32-bit programs on my machine, but starting a Xen VM or VirtualBox takes a long time. Often these solutions also need extra setup work, such as configuring an X server, before any X-based program will run.

My initial motivation was that wengophone wasn't in Debian lenny for amd64 until a few days ago. So I wanted to run an X-based program in a simple chroot as a normal user.

schroot makes using a chroot easy! Very easy for end users.

  1. install it into your original installation:
     # aptitude install schroot
  2. configure /etc/schroot/schroot.conf like:
    [sid]
    description=Debian sid (unstable)
    type=directory
    location=/srv/chroot/sid
    priority=3
    users=YOUR_USER
    groups=SOME_GROUP_LIKE_users
    root-groups=YOUR_ADMIN_GROUP
    run-setup-scripts=true
    run-exec-scripts=true

  3. create the chroot:
     # debootstrap --arch i386 sid /srv/chroot/sid http://ftp.br.debian.org/debian
  4. install 32-bit programs in the chroot:
     # schroot -c sid -p aptitude install wengophone
  5. to run X programs, make sure that your X session accepts the connection, then run schroot:
    $ xhost +
    $ schroot -c sid -p wengophone
  6. there is a safer way to run X programs; see the comments below and the wengophone_wrapper script example in the Shortcuts
  7. you don't need to mount /proc via fstab or otherwise, because run-setup-scripts and run-exec-scripts take care of this, but you should look at /etc/schroot/mount-defaults to set your specific directories
Shortcuts:
  1. create a wrapper script /usr/local/bin/wengophone_wrapper:
    #!/bin/bash
    ## UPDATED after comment #16 to reduce the security risk ;-)
    # the right way to export the Xauthority file: copy only the cookie for $DISPLAY
    xauth extract "/srv/chroot/sid$HOME/.Xauthority" "$DISPLAY"
    # run your command
    schroot -c sid -p wengophone
    # remove the copied Xauthority
    rm -f "/srv/chroot/sid$HOME/.Xauthority"

  2. permissions:
     # chmod +x /usr/local/bin/wengophone_wrapper
  3. now you can create a wengo.desktop for your users :-)
PS: maybe the wengophone example is trivial, but try it with other 32-bit-only programs like the non-free skype

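A generalized version of the wrapper above, added here as an example and not part of the original article: it copies only the cookie for the current $DISPLAY into the chroot's copy of $HOME/.Xauthority, rejects odd DISPLAY values, and removes the cookie on every exit path (including Ctrl-C), so the X server never has to be opened with xhost +. It assumes a chroot named sid at /srv/chroot/sid and the same $HOME path inside and outside the chroot; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not the article's wrapper): run an X program inside a schroot
# session with a per-display X authority cookie instead of "xhost +".
# Assumptions (hypothetical): chroot "sid" lives at /srv/chroot/sid and $HOME
# has the same path inside and outside the chroot.
CHROOT_NAME="${CHROOT_NAME:-sid}"
CHROOT_ROOT="${CHROOT_ROOT:-/srv/chroot/sid}"

# Accept only display names built from the characters X display names use,
# so a stray or malformed DISPLAY value never reaches xauth or the chroot.
valid_display() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9:./_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Host-side path of the cookie file: chroot root followed by the home dir.
chroot_xauthority_path() {
    printf '%s%s/.Xauthority\n' "${1%/}" "$2"
}

# Extract the cookie for $DISPLAY, run the command in the chroot, clean up.
run_in_chroot() {
    display="${DISPLAY:-}"
    if ! valid_display "$display"; then
        printf 'unusable DISPLAY value: "%s"\n' "$display" >&2
        return 2
    fi
    target=$(chroot_xauthority_path "$CHROOT_ROOT" "$HOME")
    # Remove the copied cookie however the script ends, not only on success.
    trap 'rm -f "$target"' EXIT INT TERM
    umask 077                      # cookie file readable by the user only
    xauth extract "$target" "$display" || return 3
    schroot -c "$CHROOT_NAME" -p -- "$@"
}

# Only act when a command was given, e.g.:  ./x11-in-chroot wengophone
[ "$#" -gt 0 ] && run_in_chroot "$@"
```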

Posted by dreynolds (212.140.xx.xx) on Tue 27 Nov 2007 at 16:25
You spelt debootstrap wrong, which I wouldn't have noticed had I not copied and pasted it ;)

Cheers

--
Dave

Posted by Steve (80.68.xx.xx) on Tue 27 Nov 2007 at 16:28
Fixed now, thanks. I didn't test all the steps myself on this one - I'll be more careful in the future.

Steve

Posted by Anonymous (209.104.xx.xx) on Tue 27 Nov 2007 at 19:34
Why do xhost + when your x session could (potentially) be compromised? You can do something more secure like:
xhost localhost


Even though the chances of someone exploiting your explicit allow of x clients is unlikely, it isn't impossible.

---
Jeff Schroeder
http://www.digitalprognosis.com

Posted by ajt (85.211.xx.xx) on Tue 27 Nov 2007 at 20:52
I can't remember doing any messing with xhost to get apps to work when I used a chroot to run 32-bit apps on my 64-bit Sarge systems.

Back when I used a chroot I followed the guide on Alioth:
https://alioth.debian.org/docman/view.php/30192/21/debian-amd64-howto.html

--
"It's Not Magic, It's Work"
Adam

Posted by amadeu (139.82.xx.xx) on Tue 27 Nov 2007 at 23:55
ohh Adam, really a very nice how-to, I didn't know that. Thanks for the great reference. Amadeu :)

Posted by ajt (204.193.xx.xx) on Wed 28 Nov 2007 at 12:11
While a chroot has its uses, normally you don't need one to run most x86 32-bit applications on an AMD64 64-bit Debian system. See: http://www.debian-administration.org/articles/534 for details on how.

--
"It's Not Magic, It's Work"
Adam

Posted by amadeu (139.82.xx.xx) on Tue 27 Nov 2007 at 23:51
Really it's a very dangerous thing (xhost +), but when I tried xhost localhost I got a "connection refused" like:
amadeu@sarang:~$ xhost
access control enabled, only authorized clients can connect
amadeu@sarang:~$ xhost localhost
localhost being added to access control list
amadeu@sarang:~$ schroot -c sid -p skype
I: [sid chroot] Running command: "skype"
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

But when I try xhost + it works.. so I recommend xhost + before the schroot and xhost - after. Really I didn't understand why xhost localhost doesn't work for me.. ;) Amadeu

Posted by Anonymous (86.32.xx.xx) on Tue 4 Dec 2007 at 18:48
"xhost localhost" would only work, if you connect to your XServer via tcp(e.g. DISPLAY=localhost:0.0).

If you want to enable local connections (as in DISPLAY=:0.0), "xhost +local:" is your command.

Cheers,
Johannes

Posted by Anonymous (89.228.xx.xx) on Tue 4 Mar 2014 at 17:21
Hi, according to the xhost and Xsecurity manpages you can specify the family:
> xhost + local:
this results in allowing "non-network local connections".
It is safe and it's working.

Regards
tomazzi

Posted by Anonymous (89.228.xx.xx) on Tue 4 Mar 2014 at 20:26
Hi,
I forgot to mention that in this way we have full hw 3D acceleration, provided that the necessary 32-bit GL libraries are installed (most important is libGL.so for NV or ATI)

Regards
tomazzi

Posted by yarikoptic (69.125.xx.xx) on Wed 28 Nov 2007 at 06:04
To avoid messing with xhost I decided to rely on ssh X forwarding -- I set up sshd to be started in the chroot on some port like 2222, then made a host alias like node22chr (instead of plain node22), adjusted .ssh/config to use port 2222 whenever sshing to any node*chr, and thus effectively running any app in a chroot on another node in the cluster was a plain
ssh -Y node22chr matlab
Indeed it requires setting up the chroot in a bit fuller way -- user accounts, restart on boot, etc; but it had its benefit: I had a fully functional chrooted environment which looked the same as the original host (but of a different architecture) for any user who logged in to node22chr instead of node22 ;-)

Posted by lpenz (201.21.xx.xx) on Wed 28 Nov 2007 at 19:26
One can also mount --rbind the home dirs, so that any application can get to .Xauthority. Don't know if it works with different arches, though.

Posted by ajt (85.211.xx.xx) on Wed 28 Nov 2007 at 21:02
Which is probably how I used to do it. I know the Alioth guide talked about "remounting" various file systems into the chroot.

--
"It's Not Magic, It's Work"
Adam

Posted by superbrose (87.196.xx.xx) on Sun 2 Dec 2007 at 13:14

From the Debian AMD64 Howto (Site currently down):

To run an application inside the chroot you will need some parts of your 64bit system tree inside the chroot. This can be achieved with a bind mount. In this example we will bind /tmp to the chroot for the X11 sockets which are in /tmp, and bind /home to access the home directories from within the chroot. You may also want to mount the /dev, /proc and /sys filesystems within the chroot. Edit your fstab and add the required paths:

# sid32 chroot
/home /var/chroot/sid-ia32/home none bind 0 0
/tmp /var/chroot/sid-ia32/tmp none bind 0 0
/dev /var/chroot/sid-ia32/dev none bind 0 0
/proc /var/chroot/sid-ia32/proc none bind 0 0

Then mount them:

mount /var/chroot/sid-ia32/home
mount /var/chroot/sid-ia32/tmp
mount /var/chroot/sid-ia32/dev
mount /var/chroot/sid-ia32/proc

I use this to run 32-bit programs on my 64-bit system, which works very well, since I can just work in my normal home directory.

A word of caution though: schroot generates sessions that are stored in /var/lib/schroot/session/ and if you don't end these sessions then they accumulate. Each time you do a reboot your system will power up more slowly, because it starts recovering those schroot sessions. For some reason my sessions did not get ended, despite using the --automatic-session option.

So late one night I did something that I later deeply regretted: I wanted to delete the accumulated schroot sessions, and for some reason could not get them removed using the schroot -e command. So I uninstalled schroot, but the /var/lib/schroot/session directory was still present. Using the power of root I deleted this directory. This was not a good idea! My entire home partition was deleted, along with the other partitions that were bound!

I should have unmounted the bound directories first and everything would have been fine.

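A guard for exactly this failure, added here as an example and not the commenter's code: it lists the mount points beneath a directory from /proc/self/mountinfo and refuses a recursive delete while any are present, because rm -r descends into bind mounts and empties the original tree. The sample mount table is constructed, with a hypothetical session name; run with a path argument the script checks the live table instead.

```sh
#!/bin/sh
# Added example (not from the comment above): refuse to delete a directory,
# such as /var/lib/schroot/session, while anything is still mounted below it.
# Mount points come from /proc/self/mountinfo, whose fifth field is the mount
# point (spaces are written there as \040).

# Constructed sample of mountinfo lines for offline use: /home and /dev are
# bind-mounted into a schroot session directory (hypothetical session name).
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 21 8:2 / /home rw,relatime - ext4 /dev/sda2 rw
58 21 8:2 / /var/lib/schroot/session/sid-1234/home rw,relatime - ext4 /dev/sda2 rw
59 21 0:5 / /var/lib/schroot/session/sid-1234/dev rw,nosuid - devtmpfs udev rw
60 21 0:19 / /var/lib/schroot/session/sid-1234/tmp/X11\040dir rw - tmpfs tmpfs rw'

# Print every mount point equal to or beneath $1, reading the mountinfo table
# in file $2 (defaults to the live /proc/self/mountinfo).
mounts_under() {
    dir="${1%/}"
    table="${2:-/proc/self/mountinfo}"
    awk -v dir="$dir" '{
        mp = $5
        gsub(/\\040/, " ", mp)            # undo the escaping of spaces
        if (mp == dir || index(mp, dir "/") == 1) print mp
    }' "$table"
}

# Remove $1 recursively only when no mount point lies below it. A nonzero
# return plus a list on stderr means the caller has to unmount first.
safe_remove_tree() {
    busy=$(mounts_under "$1" "${2:-}")
    if [ -n "$busy" ]; then
        printf 'refusing to remove %s, still mounted below it:\n%s\n' "$1" "$busy" >&2
        return 1
    fi
    rm -rf -- "$1"
}

# Usage (checks the live mount table):  ./safe-rm-tree /var/lib/schroot/session
[ "$#" -eq 1 ] && safe_remove_tree "$1"
```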
Posted by Anonymous (216.224.xx.xx) on Wed 12 Dec 2007 at 13:20
That's a horrifically accurate description of how I lost a week's worth of mad tweaking on a new system. I learned to back up more frequently and to selectively bind mount.

Here's a basic recipe for X.


[/etc/fstab additions]
/tmp/.X11-unix /srv/chroot/sid_i386/tmp/.X11-unix none rbind,user,noauto 0 0
/home/joe/.Xauthority /srv/chroot/sid_i386/home/joe/.Xauthority none rbind,user,noauto 0 0

[commands]
# sudo touch /srv/chroot/sid_i386/home/joe/.Xauthority
# mount /srv/chroot/sid_i386/home/joe/.Xauthority
# mount /srv/chroot/sid_i386/tmp/.X11-unix
# schroot -p -c sid_i386 -- ls -l .Xauthority
I: [sid_i386-b53b5f82-46d0-4e15-b95e-8129e22f9dc9 chroot] Running command: "ls -l .Xauthority"
-rw------- 1 joe joe 171 2007-12-12 00:03 .Xauthority
# schroot -p -c sid_i386 -- xterm

Posted by Anonymous (24.23.xx.xx) on Fri 7 Dec 2007 at 01:19
Which Unix are you running this schroot on? Thanks.

Posted by Anonymous (77.121.xx.xx) on Sun 9 Dec 2007 at 10:59
Don't do mounts by yourself.
Please read manpage (look for "startup scripts", "exec scripts")

Posted by amadeu (139.82.xx.xx) on Fri 28 Mar 2008 at 23:20
Yeah! Thanks a lot for your comment, I reconfigured my schroot.conf for this and it's much nicer now !! eheheheh no more mount -o bind by hand, schroot now creates a session and I just enjoy it ! ehehhe

Thanks again.. :)
PS: I updated the article because this ;-)

Posted by Anonymous (93.95.xx.xx) on Sun 8 Feb 2009 at 10:56
Can you show schroot.conf for automount ?

Posted by amadeu (201.53.xx.xx) on Sun 8 Feb 2009 at 19:30
What did you mean by 'automount'? If you meant mounting some devices/other directories, it's easy:
1. use the file /etc/schroot/mount-defaults (on Debian it works) and add lines there like in /etc/fstab
2. for example, to mount a directory from my main installation:
/home /home none rw,bind 0 0
/dev/hda /media/cdrom udf,iso9660 user,noauto 0 0

If you want usb devices and others.. I think the right way is to install hal/dbus in your chroot installation. If you want the 'automount' feature from autofs, you just need to put some lines in mount-defaults as in /etc/fstab (tips: http://www.linuxfocus.org/Turkce/January2001/article141.meta.shtml).

Regards, Amadeu.

Posted by andmalc (69.159.xx.xx) on Thu 7 Jan 2010 at 21:55
For anyone still following this:

For auto-mounting from /etc/schroot/mount-defaults to work, you must have a 'type=' in schroot.conf set to one of the types other than 'plain'. If type is 'plain' or is omitted, auto-mounting is disabled. See 'man schroot.conf' for details.

Posted by Anonymous (134.158.xx.xx) on Fri 28 Mar 2008 at 16:18
You should use:

'xhost +local:'

instead of

'xhost +'

which is muuuuuuuuuuuch safer

Posted by amadeu (139.82.xx.xx) on Fri 28 Mar 2008 at 23:17
It isn't needed (reread this tutorial because I changed it now ;-)).. it's safer to use the xauth features to extract the session ids into a new .Xauthority for your $DISPLAY, then just execute your command and remove the .Xauthority cloned into the chroot. It's nice for a wrapper script ;-).

Thanks a lot.

Posted by Anonymous (85.178.xx.xx) on Wed 25 Jun 2008 at 02:16
If you get:

schroot -p xterm
I: [my_system chroot] Running command: "xterm"
Warning: Tried to connect to session manager, Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed
xterm: Error 32, errno 2: No such file or directory
Reason: get_pty: not enough ptys

try adding:

/dev/pts /path_to_chroot/dev/pts devpts bind,defaults 0 0

in /etc/fstab

and executing

mount -a

Posted by Anonymous (91.114.xx.xx) on Sun 17 Jan 2010 at 12:33
chroot and schroot do not allow X11 access of GUI programs.
Use openroot for this: http://www.elstel.com/openroot/
other features: auto-mounting of /dev, /proc, /media, ...
other features: chroot to read-only partition with temporary changes

Posted by andmalc (204.50.xx.xx) on Mon 3 May 2010 at 13:23
'schroot -p' sure works for me.

Posted by lindi (81.17.xx.xx) on Sat 5 Jun 2010 at 10:13
Here's what I've been using for several years on etch and lenny. Currently the largest problem is that passwords are not synced. I do not want to just overwrite chroot's passwd periodically since the chroot could have system users that are not outside it. Any hints on how to solve this?

1) sudo apt-get install debootstrap schroot
2) sudo mkdir /sid
3) sudo debootstrap sid /sid MIRROR
4) Add the following to /etc/schroot/schroot.conf

[sid]
description=Debian sid (unstable)
location=/sid
aliases=unstable,default
users=user1,user2

where user1 and user2 are users that are allowed to use the chroot
(change them!).

5) Add the following to /etc/fstab

/home /sid/home none bind 0 0
/dev /sid/dev none bind 0 0
/dev/pts /sid/dev/pts none bind 0 0
/dev/shm /sid/dev/shm none bind 0 0
/proc /sid/proc none bind 0 0
/sys /sid/sys none bind 0 0
/tmp /sid/tmp none bind 0 0
/var/run/dbus /sid/var/run/dbus none bind 0 0

5.1) sudo mkdir /sid/var/run/dbus

6) sudo mount -a

7) sudo cp /etc/sudoers /etc/hosts /etc/hostname /etc/passwd /etc/shadow /etc/group /sid/etc

8) Create /usr/local/bin/sid with the following lines

#!/bin/sh
schroot -c sid -p -q -- "$@"

8.1) sudo chmod a+x /usr/local/bin/sid

9) Create /sid/usr/sbin/policy-rc.d to prevent daemons from starting
accidentally inside the chroot with the following lines

#!/bin/sh
logger "sid $0 invoked with $@"
exit 101

9.1) sudo chmod a+x /sid/usr/sbin/policy-rc.d

10) (just an example) sudo sid apt-get install openoffice.org

11) (just an example) sid openoffice.org

Posted by Anonymous (78.27.xx.xx) on Fri 17 Dec 2010 at 10:21
This is a very nice setup lindi, however on squeeze it can only launch terminal based apps, it cannot connect to the X window system so no kde or gnome apps. Also no direct video so no games as well. Lastly "location=" still works but has been deprecated. Could somebody please modernize this setup instruction for installing as su sid and launching as sid of apps for Debian Squeeze Schroot?

Posted by lindi (81.17.xx.xx) on Fri 17 Dec 2010 at 11:13
Hmm. I can launch X11 applications with this setup in squeeze too. The X11 unix socket is in /tmp which is shared so there should be no problem.

I keep an up-to-date version at http://iki.fi/lindi/schroot.txt -- I don't want to replace "location" with "directory" just yet for compatibility. Maybe I'll do that when squeeze becomes stable.

Posted by Anonymous (78.27.xx.xx) on Fri 17 Dec 2010 at 18:52
I double checked if everything went as described. I tried it on a fresh x86 net-install of squeeze and it gave me:

No protocol specified
parley: cannot connect to X server :0.0


Tried a gnome based thingie, installed mousepad text editor, starting it:
sid mousepad
W: line 25 [sid]: Deprecated key 'location' used
I: This option will be removed in the future; please update your configuration

(process:3539): Gtk-WARNING **: Locale not supported by C library.
Using the fallback 'C' locale.
Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
No protocol specified

(mousepad:3539): Gtk-WARNING **: cannot open display: :0.0

Posted by Anonymous (193.166.xx.xx) on Fri 17 Dec 2010 at 21:24
Debugging this over the forum is a bit tedious, can you run

sid strace -o xclock.strace -s4096 -f xclock

and send xclock.strace to me at timo.lindfors@iki.fi?

Posted by rleigh (144.32.xx.xx) on Mon 6 Sep 2010 at 19:06
Hi,

This article is very useful, thanks! Have you considered updating it so that it will work with current versions of schroot? The 1.4.x releases current in squeeze and sid at this time have removed/renamed a number of the options in your examples.

For example:
location=/path is now directory=/path
run-exec-scripts and run-setup-scripts are no longer required
priority=num is deprecated and will be removed in the future
/etc/schroot/mount-defaults is now /etc/schroot/default/fstab (and there's an /etc/schroot/desktop/fstab to go with the "desktop" profile).
Just set script-config=desktop/config. This will solve some of the X11 issues mentioned in the comments.

Regards,
Roger
