jmglov (Retired Dev)
Joined: 03 Aug 2002 Posts: 23 Location: Yokohama, Japan
Posted: Tue Apr 27, 2004 12:41 pm Post subject: Faketoo
I just finished setting up a "fake" Gentoo installation inside a chroot jail. Seems to work pretty well for development, I can experiment with no fear of sodding up my actual workstation. In case anyone is interested, here is my "Captain's Log" that details the commands that I ran to build my "Faketoo" instance.
You should run these commands from a working Gentoo installation. Do not reboot off of the Gentoo install CD or anything.
My Faketoo host (i.e. my actual workstation) is a Dell PowerEdge 400SC with a Pentium 4 2.4GHz CPU (hyperthreading enabled) and 512MB of RAM, running a 2.6.3-gentoo-r1 SMP kernel (hyperthreading makes the kernel think it has two processors) and Gentoo 2004.0.
And now, without further ado, here is the Captain's Log:
Code:
# ==========================================================
# Faketoo: Building a development Gentoo install inside a chroot jail
#
# Version: 1.0.2
#
# Changelog:
# 1.0.2
# - Mounting /etc/init.d as loop,noexec
# - Mounting /usr/portage as bind
# - Creating PORTDIR_OVERLAY /usr/local/portage
# - Stuff proxy-related environment variables into ~juser/.bashrc
# 1.0.1
# - Preserving permissions when creating virgin tarball
# 1.0.0
# - Initial revision
# ==========================================================
# Insert Gentoo i686 LiveCD (Disc 1)
mount /mnt/cdrom
# Create chroot jail
mkdir ~/faketoo
# Create loopback filesystems that we will need for the jail
# (a 64MB sparse image: count=0 writes nothing and only extends the file to
# the seek offset; mkreiserfs refuses an image of only a few KB)
mkdir ~/faketoo/loopbacks
dd if=/dev/zero of=~/faketoo/loopbacks/etc-init.d bs=1M seek=64 count=0
mkreiserfs -f ~/faketoo/loopbacks/etc-init.d
# Install Gentoo in jail
cd ~/faketoo
mkdir -p etc/init.d
# Mount the init.d image noexec before unpacking, so the init scripts that
# land in it can never be executed from inside the jail
sudo mount -o loop,noexec loopbacks/etc-init.d etc/init.d
sudo tar xvjpf /mnt/cdrom/stages/stage3-pentium4-20040218.tar.bz2
sudo cp -ar /lib/modules ~/faketoo/lib/modules
# Replace the stage's /dev and /usr/portage with empty, root-owned mount
# points; the host's /dev and portage tree are bind-mounted onto them below
sudo rm -rf ~/faketoo/dev
sudo mkdir ~/faketoo/dev
sudo chown root:root ~/faketoo/dev
sudo chmod 755 ~/faketoo/dev
sudo rm -rf ~/faketoo/usr/portage
sudo mkdir ~/faketoo/usr/portage
sudo chown root:root ~/faketoo/usr/portage
sudo chmod 755 ~/faketoo/usr/portage
# Swap Gentoo Pentium4 Package CD into CDROM drive
umount /mnt/cdrom
# Enter jail
sudo mount -o bind -t devfs /dev ~/faketoo/dev
sudo mount -t proc none ~/faketoo/proc
sudo mount -o bind /usr/portage ~/faketoo/usr/portage
sudo cp /etc/resolv.conf ~/faketoo/etc/
sudo chroot ~/faketoo /bin/bash
env-update
source /etc/profile
export PS1=': \u@FAKETOO; '
# Set localtime
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
# Create /etc/fstab (paths as seen from inside the jail; root's .bashrc
# below runs mount -a, so the noexec init.d image is back on every login)
cat >/etc/fstab <<EOF
/loopbacks/etc-init.d /etc/init.d reiserfs loop,noexec 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro,user 0 0
EOF
# Setup networking
echo faketoo >/etc/hostname
echo domain.tld >/etc/dnsdomainname
# Configure rc.conf: comment out the active EDITOR line, uncomment the vim one
sed -i -e 's/^EDITOR/#EDITOR/' -e 's/^#\(EDITOR=.\+vim"\)$/\1/' /etc/rc.conf
# Fix USE flags
sed -i -e 's/^USE="\(.\+\)"$/USE="\1 -gpm"/' /etc/make.conf
# Setup Portage to use binary packages when available
mount /mnt/cdrom
export PKGDIR=/mnt/cdrom
# Install system logger and cron daemon
emerge -k syslog-ng
emerge -k vixie-cron
# Setup root's environment
passwd
cat >~/.bashrc <<EOF
export PS1=': \u@FAKETOO; '
export PS2=': ; '
mount -a &>/dev/null
EOF
# Accounts management
groupadd juser
useradd juser -m -g juser -G users,wheel,audio,games,portage -s /bin/bash
passwd juser
cat >~juser/.bashrc <<EOF
export PS1=': \u@FAKETOO; '
export PS2=': ; '
EOF
# Carry the proxy settings inherited from the host environment over into
# juser's shell, one variable per line
env | grep -i proxy | while read -r i; do echo "export $i"; done >>~juser/.bashrc
# Install a decent editor
emerge vim
# Setup sudo
emerge -k sudo
sed -i -e 's/^# \(%wheel\tALL=(ALL)\tALL\)$/\1/' /etc/sudoers
cat >>/etc/sudoers <<EOF
Defaults !lecture,timestamp_timeout=60
EOF
# Setup Portage overlay (for ebuild development)
mkdir /usr/local/portage
chown root:root /usr/local/portage
chmod 755 /usr/local/portage
cat >>/etc/make.conf <<EOF
## For ebuild development
#PORTDIR_OVERLAY=/usr/local/portage
#ACCEPT_KEYWORDS='~x86 ~amd64 ~sparc ~ppc ~alpha ~mips ~hppa ~ia64 ~ppc64'
## Debug options
#CFLAGS="-march=pentium4 -pipe -g"
#CXXFLAGS=""
#USE=" debug"
#FEATURES=" nostrip keeptemp keepwork noclean"
EOF
# Leave jail
umount /mnt/cdrom
exit
# Create virgin image: take down every host mount first, otherwise the
# bind-mounted portage tree and the loop-mounted init.d end up in the tarball
cd
sudo umount ~/faketoo/usr/portage
sudo umount ~/faketoo/etc/init.d
sudo umount ~/faketoo/dev
sudo umount ~/faketoo/proc
sudo tar cvjpf ~/faketoo.tbz2 faketoo
And here is a script that can be used to enter the jail:
faketoo.sh
Code:
#!/bin/bash
# ==========================================================
# faketoo.sh: Enter the Faketoo jail
#
# Version: 1.0.1
#
# Changelog:
# 1.0.1
# - Fixing the erroneous $HOME environment variable for root
# 1.0.0
# - Initial revision
# ==========================================================
if [ "$UID" -ne 0 ]; then
    echo "You must be root!"
    exit 1
fi # if (not root)

# The jail lives under the invoking user's home (assumes sudo leaves $HOME alone)
jail="$HOME/faketoo"

# Are /dev, /proc and /usr/portage mounted inside the jail?
# Mount points are matched with surrounding spaces so that "$jail/dev"
# cannot match "$jail/dev/pts" or "$jail/devel"
mounted=`mount`

# Mount /dev if it is not already
if ! echo "${mounted}" | grep -q " ${jail}/dev "; then
    echo mount -o bind -t devfs /dev "${jail}/dev"
    mount -o bind -t devfs /dev "${jail}/dev"
fi # if (mounting /dev)

# Mount /proc if it is not already
if ! echo "${mounted}" | grep -q " ${jail}/proc "; then
    echo mount -t proc none "${jail}/proc"
    mount -t proc none "${jail}/proc"
fi # if (mounting /proc)

# Mount /usr/portage if it is not already
if ! echo "${mounted}" | grep -q " ${jail}/usr/portage "; then
    echo mount -o bind /usr/portage "${jail}/usr/portage"
    mount -o bind /usr/portage "${jail}/usr/portage"
fi # if (mounting /usr/portage)

# Enter the jail; root's home inside it is /root, not the invoking user's $HOME
HOME=/root chroot "${jail}" /bin/bash
_________________ Josh Glover <jmglov@gentoo.org>
Gentoo Developer (http://dev.gentoo.org/~jmglov/)
Last edited by jmglov on Thu Apr 29, 2004 9:31 pm; edited 5 times in total |

bmichaelsen (Veteran)
Joined: 17 Nov 2002 Posts: 1277 Location: Hamburg, Germany
Posted: Tue Apr 27, 2004 2:10 pm
What do you think about posting this to http://gentoo-wiki.com/ ... things get lost in the Gentoo forums way too fast ...

jjasghar (Guru)
Joined: 07 Mar 2004 Posts: 342 Location: $HOME=/usa/tx/austin
Posted: Wed Apr 28, 2004 9:35 pm
Quote: I just finished setting up a "fake" Gentoo installation inside a chroot jail. Seems to work pretty well for development, I can experiment with no fear of sodding up my actual workstation. In case anyone is interested, here is my "Captain's Log" that details the commands that I ran to build my "Faketoo" instance.
I guess I must be slow... but this creates a "fake" workstation?
Why would you want to do this?
_________________ #include <LinuxUser #324070>
main()
{
printf("and i'm sorry my spellign sucs.");
}

PowerFactor (Veteran)
Joined: 30 Jan 2003 Posts: 1693 Location: out of it
Posted: Wed Apr 28, 2004 9:55 pm
jjasghar wrote: why would you want to do this?
Like he said, for testing stuff that could screw up the system. It's kinda like a "lightweight" usermode linux. But not quite.

jj11888 (n00b)
Joined: 28 Apr 2004 Posts: 36
Posted: Wed Apr 28, 2004 10:00 pm
jjasghar wrote:
I guess I must be slow... but this creates a "fake" workstation?
Why would you want to do this?
To test various configurations and packages
but why would this be any better than using UML?

jamesrt (n00b)
Joined: 09 Sep 2003 Posts: 47 Location: New Zealand
Posted: Wed Apr 28, 2004 10:29 pm
jj11888 wrote:
jjasghar wrote: why would you want to do this?
but why would this be any better than using UML?
UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience).
I have used a very similar technique to "clone" my live gentoo system into a chroot jail - I use LVM2 to grab and release the disk space on-the-fly. (I've got a large script, too long to post unless people are really keen)
I use this to do things like compile latest QT & KDE packages when not wanting to break my "real" desktop. Using "emerge -b" means binary packages are created, which I can then "emerge -k" onto my "real" machine once the full build is complete.

arkane (l33t)
Joined: 30 Apr 2002 Posts: 918 Location: Phoenix, AZ
Posted: Thu Apr 29, 2004 12:57 am
jj11888 wrote:
jjasghar wrote:
I guess I must be slow... but this creates a "fake" workstation?
Why would you want to do this?
To test various configurations and packages
but why would this be any better than using UML?
Not better, just different. UML is for testing kernel interaction and such. chrooting is to isolate the filesystem. The kernel space is still in the same kernel.

BudgetDedicated (n00b)
Joined: 26 Apr 2004 Posts: 12 Location: NL
Posted: Thu Apr 29, 2004 7:07 pm
Why not use a real usermode kernel as well... UML is very suitable for this job (see http://user-mode-linux.sf.net/ for more info).
This will only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected... or emerging incompatible GCC versions... I can imagine this could raise hell on a production system. Would never dare try it...
If you want an extra chroot for the UML kernel that's possible too (bind mount /proc/cpuinfo, /proc/mm, /dev/net/tun and preferably /tmp to tmpfs). But that's if you don't trust the UML kernel enough AND maybe don't trust the users inside.
Your script is very suitable for creating a UML root filesystem, though. Just loop mount a freshly created filesystem...
Code:
# 5GB sparse image: count=0 writes no data, the file is only extended to the seek offset
dd if=/dev/zero of=./root_fs seek=5K count=0 bs=1M
# Format the image and mount it through a loop device
mkreiserfs -f root_fs
mount -o loop root_fs mnt/fakegentoo/
[edit]typo[/edit]
_________________ Grt, Erik
[ My commercial Ad.: Europe's top quality Gentoo VPS provider: BudgetDedicated (starting at 20 euro/month) ]

jmglov (Retired Dev)
Joined: 03 Aug 2002 Posts: 23 Location: Yokohama, Japan
Posted: Thu Apr 29, 2004 7:37 pm
BudgetDedicated wrote: Why not use a real usermode kernel as well... UML is very suitable for this job (see http://user-mode-linux.sf.net/ for more info).
As noted above, my primary motivation for this is for ebuild testing. Yes, UML or VMware would also work, but a simple chroot jail is much more lightweight than both of them, and much more free as in beer than VMware.
BudgetDedicated wrote: This will only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected...
Agreed, the init scripts are problematic. See my Danger Will Robinson note above. I am looking for a work-around; maybe taking the chmod a-x /etc/init.d/* approach would be a start. Another (better) idea would be to make /etc/init.d (inside the jail) a loopback filesystem and mount it with the 'noexec' option. I will try this out when I have some time and report back.
BudgetDedicated wrote: or emerging incompatible GCC versions...
And how would these GCC versions break out of jail?
BudgetDedicated wrote: I can imagine this could raise hell on a production system. Would never dare try it...
I do not really consider my workstation a "production" machine, and the worst thing that can happen is a spurious reboot (which is undesirable, but not fatal, and hopefully I will have a solution for this before long). I consider this safe enough for my needs.
_________________ Josh Glover <jmglov@gentoo.org>
Gentoo Developer (http://dev.gentoo.org/~jmglov/)

jmglov (Retired Dev)
Joined: 03 Aug 2002 Posts: 23 Location: Yokohama, Japan
Posted: Thu Apr 29, 2004 9:52 pm
jmglov wrote:
BudgetDedicated wrote: This will only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected...
Agreed, the init scripts are problematic. See my Danger Will Robinson note above. I am looking for a work-around; maybe taking the chmod a-x /etc/init.d/* approach would be a start. Another (better) idea would be to make /etc/init.d (inside the jail) a loopback filesystem and mount it with the 'noexec' option. I will try this out when I have some time and report back.
Yes, mounting /etc/init.d loop,noexec works. As you can see, I updated the Captain's Log to do this for safety's sake.
I will look into getting init scripts to actually work safely, but this will at least protect you in the meantime.
_________________ Josh Glover <jmglov@gentoo.org>
Gentoo Developer (http://dev.gentoo.org/~jmglov/)
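The noexec protection above only helps if the image is actually mounted that way when you enter the jail. The following is an added example, not jmglov's faketoo.sh: it reads a mount table in /proc/mounts format and refuses the jail when /etc/init.d is not mounted noexec or one of the host mounts from the Captain's Log is missing. The jail path /home/juser/faketoo and the sample mount lines are constructed.

```shell
#!/bin/sh
# Added example (not jmglov's script): verify the Faketoo safety mounts before
# chrooting. The table has /proc/mounts layout: device mountpoint fstype options dump pass

# is_mounted TABLE MOUNTPOINT: succeed if MOUNTPOINT appears in TABLE
is_mounted() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# mount_has_option TABLE MOUNTPOINT OPTION: succeed if the entry for MOUNTPOINT
# carries OPTION (e.g. noexec) in its comma-separated option list
mount_has_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_jail JAIL TABLE: report every unmet precondition from the Captain's Log;
# the return value is the number of problems found (0 means safe to chroot)
check_jail() {
    jail=$1
    table=$2
    problems=0
    for sub in dev proc usr/portage; do
        if ! is_mounted "$table" "$jail/$sub"; then
            echo "missing mount: $jail/$sub" >&2
            problems=$((problems + 1))
        fi
    done
    # The whole point of the loopback image: init scripts must be unrunnable
    if ! mount_has_option "$table" "$jail/etc/init.d" noexec; then
        echo "$jail/etc/init.d is not mounted noexec, init scripts could run" >&2
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample table for a jail at /home/juser/faketoo (assumed path)
SAMPLE_MOUNTS='/dev/hda3 / reiserfs rw 0 0
devfs /home/juser/faketoo/dev devfs rw 0 0
none /home/juser/faketoo/proc proc rw 0 0
/dev/hda3 /home/juser/faketoo/usr/portage reiserfs rw 0 0
/dev/loop0 /home/juser/faketoo/etc/init.d reiserfs rw,noexec 0 0'

# Stand-alone use: pass "$(cat /proc/mounts)" instead of the sample and only
# run chroot when this check succeeds
if check_jail /home/juser/faketoo "$SAMPLE_MOUNTS"; then
    echo "jail preconditions satisfied"
fi
```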

FarcePest (n00b)
Joined: 27 Jan 2003 Posts: 10 Location: Georgia, US
Posted: Tue May 04, 2004 1:44 pm
I've done this myself. All you need to start is some stage tarball. Unpack it in your filesystem. Then cd to that directory and run this:
Code:
#!/bin/bash -x
# Host directories shared with the jail (the jail root is the current directory)
binds="/proc /dev /usr/portage /usr/local/portage /tmp"
for b in ${binds}; do mount --bind ${b} .${b}; done
# Enter the jail as root with an empty environment, carrying over only TERM
env - TERM=${TERM} chroot . su -
# Tear the bind mounts down again once the jail shell exits
for b in ${binds}; do umount .${b}; done
I never run init scripts while in the chroot. I used this primarily for developing an NFS read-only root system: The filesystem was NFS-mounted.

rich0 (Developer)
Joined: 15 Sep 2002 Posts: 161
Posted: Tue May 04, 2004 2:35 pm Post subject: Similar technique used for AMD64
FYI - Many people use a similar technique with AMD64 as a temporary fix for stubborn 32-bit-only apps. My solution isn't too involved - I created a new root directory and installed an x86 stage1 tarball in it. I then do a mount --bind to map a few key directories (/tmp for X11, /home for user files, /usr/portage/distfiles to go easy on the mirrors), but for the most part it is a complete installation. You do want to mount --bind /tmp, otherwise you have to use TCP sockets for X apps and performance is much lower. Then again, for testing purposes it should be fine not to mount it - in the AMD world the 32-bit chroot is actually used for production.
I even use some init.d scripts to run daemons which are stubborn in the 64-bit world, and Java apps (the JVMs are pretty unstable in 64-bit-land, or at least they are for me...).
Check out the AMD forums for some tips - the same techniques would work for a 32-bit chroot jail.
Also, if you're back in the 2.4 world the grsecurity patches provide additional protection for chroot environments I believe (from my casual reading they seem to come close to real user-mode-linux).

polto (n00b)
Joined: 02 Aug 2002 Posts: 3 Location: Geneva
Posted: Wed May 05, 2004 11:37 am Post subject: enforcing chroot security
Grsecurity on your host kernel (nothing to do with UML) can deny disk mounting/unmounting from your chroot jail, some TCP/IP stuff restrictions and more.
Grsecurity is easy to build into Gentoo's kernel just to protect a jail. Not comparable to trying to build a workstation with PaX or SELinux...

zioponics (n00b)
Joined: 20 Nov 2003 Posts: 65 Location: ClockLand
Posted: Tue May 11, 2004 7:22 am
Quote: UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience).
I was wondering, if glibc with PIC enabled on the host can break my UML??
Sometimes my UML dies unexpectedly...
PS for POLTO: Try to build a DMZ with three different UMLs with SELinux. I'm doing just that.
Thanks to you POLTO, you made me discover Gentoo as you gave me the LPI101 courses!!! Do you know who I am???
_________________ Linux nb that actually RTFM

hadees (Tux's lil' helper)
Joined: 17 Dec 2003 Posts: 137
Posted: Wed May 19, 2004 4:16 am
reply to bookmark

gralves (Guru)
Joined: 20 May 2003 Posts: 389 Location: Sao Paulo, Brazil
Posted: Wed May 19, 2004 8:54 pm
There's another use for this....
Imagine you have a dual Opteron workstation and a 486 laptop. How would you install a customized Gentoo on the laptop? chroot its hard drive on the workstation, compile everything and then just swap the HD...

AllTom (Tux's lil' helper)
Joined: 26 Nov 2003 Posts: 147 Location: Wherever danger lies...
Posted: Fri Sep 10, 2004 12:02 am
gralves wrote: There's another use for this....
Imagine you have a dual Opteron workstation and a 486 laptop. How would you install a customized Gentoo on the laptop? chroot its hard drive on the workstation, compile everything and then just swap the HD...
I was going to say that I have used this method twice now to install an operating system onto computers that don't have CD-ROM drives, but can boot from floppy disks.
I create the chroot and basically follow the handbook for every step after chrooting into /mnt/gentoo. I can emerge and configure packages (but haven't dared running init scripts there) on my fast machine without setting up distcc or anything. Then I start an FTP server, share a zipped version of the filesystem, boot the client machine with a floppy that has wget, tar, and preferably bzip2. On the target machine I mount the partitions in the correct places and unload it all to the root partition, preserving permissions and such.
Actually, that is one of my favorite features of this operating system: I can install the whole thing on a completely isolated computer before copying!
_________________ rtylershaw: "My computer doesn't even work and I love this distro. Weird."

zdawg (n00b)
Joined: 06 Feb 2004 Posts: 25 Location: Canada
Posted: Fri Oct 08, 2004 7:11 am
Thanks for the guide, followed up to mkreiserfs -f ... etc.; seems I have run into a snag though:
Code:
/root/faketoo/loopbacks/etc-init.d is not a block special device
Continue (y/n):y
Guessing about desired format.. Kernel 2.6.9-zdawg-rc3 is running.
reiserfs_create: can not create that small (1 blocks) filesystem
Hmmm ...
_________________ Me, myself and I are fighting ... now none of US are speaking..

pfplawes (n00b)
Joined: 14 Oct 2004 Posts: 1 Location: UK
Posted: Thu Oct 14, 2004 2:24 pm
...in the same hole this AM and dug my way out by increasing the size of the file being created by dd and specifying a small reiser block size ....
Code:
dd if=/dev/zero of=~/faketoo/loopbacks/etc-init.d seek=10249K count=16 bs=1
mkreiserfs -b 512 -ff ~/faketoo/loopbacks/etc-init.d
Though I must admit I am not sure what this loopbacked file is giving me except a headache....

Strowi (l33t)
Joined: 19 Aug 2003 Posts: 656 Location: Bonn
Posted: Sat Oct 30, 2004 12:37 pm
Hi,
I was just gonna try it out, when I saw jamesrt's post:
Quote: UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience).
Is there no way to get it working with NPTL?
Thx in advance...
_________________ --
Linux & such ...
http://blog.hasnoname.de

lothar (Tux's lil' helper)
Joined: 10 Mar 2004 Posts: 87 Location: Norway
Posted: Sun Oct 31, 2004 6:50 pm
Is it possible to have different network settings in the chroot jail? Can I have one ip and gateway in the usual shell and a different ip and gateway in the chroot jail?

zrubi (n00b)
Joined: 04 Mar 2004 Posts: 40 Location: Budapest, Hungary
Posted: Mon Nov 15, 2004 6:36 pm
lothar wrote: Is it possible to have different network settings in the chroot jail? Can I have one ip and gateway in the usual shell and a different ip and gateway in the chroot jail?
I don't think so. These network settings are in the proc/sys filesystem and it can't be different. These settings live in the kernel, which is the same in the main system and a chroot jail.
The chroot jail is only a separated filesystem. So only settings which live at the filesystem level can be different.

whitesouls (Guru)
Joined: 19 Nov 2004 Posts: 358 Location: In Front of My Laptop
Posted: Fri Feb 11, 2005 12:03 pm
Guys.. hold on a second... what is faketoo?
What's the purpose... I'm lost... please guide me in this wonderful world of Gentoo...