Faketoo

[jmglov]

I just finished setting up a "fake" Gentoo installation inside a chroot jail. Seems to work pretty well for development, I can experiment with no fear of sodding up my actual workstation. In case anyone is interested, here is my "Captain's Log" that details the commands that I ran to build my "Faketoo" instance.

You should run these commands from a working Gentoo installation. Do not reboot off of the Gentoo install CD or anything.

My Faketoo host (i.e. my actual workstation) is a Dell PowerEdge 400SC with a Pentium 4 2.4GHz CPU (hyperthreading enabled) and 512MB of RAM, running a 2.6.3-gentoo-r1 SMP kernel (hyperthreading makes the kernel think it has two processors) and Gentoo 2004.0.

And now, without further ado, here is the Captain's Log:

Code: Select all

# ==========================================================
# Faketoo: Building a development Gentoo install inside a chroot jail
#
# Version: 1.0.2
#
# Changelog:
#   1.0.2
#     - Mounting /etc/init.d as loop,noexec
#     - Mounting /usr/portage as bind
#     - Creating PORTDIR_OVERLAY /usr/local/portage
#     - Stuff proxy-related environment variables into ~juser/.bashrc
#   1.0.1
#     - Preserving permissions when creating virgin tarball
#   1.0.0
#     - Initial revision
# ==========================================================

# Insert Gentoo i686 LiveCD (Disc 1)
mount /mnt/cdrom

# Create chroot jail
mkdir ~/faketoo

# Create loopback filesystems that we will need for the jail
mkdir ~/faketoo/loopbacks
dd if=/dev/zero of=~/faketoo/loopbacks/etc-init.d seek=5K count=16 bs=1
mkreiserfs -f ~/faketoo/loopbacks/etc-init.d

# Install Gentoo in jail
cd ~/faketoo
mkdir -p etc/init.d
sudo mount -o loop,noexec loopbacks/etc-init.d etc/init.d
sudo tar xvjpf /mnt/cdrom/stages/stage3-pentium4-20040218.tar.bz2
sudo tar xvjf /mnt/cdrom/snapshots/portage-20040223.tar.bz2 -C usr/
sudo mkdir usr/portage/distfiles/
sudo cp /mnt/cdrom/distfiles/* usr/portage/distfiles/
sudo cp -ar /lib/modules ~/faketoo/lib/modules
sudo rm -rf ~/faketoo/dev
sudo mkdir ~/faketoo/dev
sudo chown root:root ~/faketoo/dev
sudo chmod 755 ~/faketoo/dev
sudo rm -rf ~/faketoo/usr/portage
sudo mkdir ~/faketoo/usr/portage
sudo chown root:root ~/faketoo/usr/portage
sudo chmod 755 ~/faketoo/usr/portage

# Swap Gentoo Pentium4 Package CD into CDROM drive
umount /mnt/cdrom

# Enter jail
sudo mount -o bind -t devfs /dev ~/faketoo/dev
sudo mount -t proc none ~/faketoo/proc
sudo mount -o bind /usr/portage ~/faketoo/usr/portage
sudo cp /etc/resolv.conf ~/faketoo/etc/
sudo chroot ~/faketoo /bin/bash
env-update
source /etc/profile
export PS1=': \u@FAKETOO; '

# Set localtime
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime

# Create /etc/fstab
cat >/etc/fstab <<EOF
/loopbacks/etc-init.d   /etc/init.d     reiserfs        loop,noexec     0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro,user  0 0
EOF

# Setup networking
echo faketoo >/etc/hostname
echo domain.tld >/etc/dnsdomainname

# Configure rc.conf
sed -i -e 's/^EDITOR/#EDITOR/' -e 's/^#\(EDITOR=.\+vim"\)$/\1/' /etc/rc.conf 

# Fix USE flags
sed -i -e 's/^USE="\(.\+\)"$/USE="\1 -gpm"/' /etc/make.conf

# Setup Portage to use binary packages when available
mount /mnt/cdrom
export PKGDIR=/mnt/cdrom

# Install system logger and cron daemon
emerge -k syslog-ng
emerge -k vixie-cron

# Setup root's environment
passwd
cat >~/.bashrc <<EOF
export PS1=': \u@FAKETOO; '
export PS2=': ; '

mount -a &>/dev/null
EOF

# Accounts management
groupadd juser
useradd juser -m -g juser -G users,wheel,audio,games,portage -s /bin/bash
passwd juser
cat >~juser/.bashrc <<EOF
export PS1=': \u@FAKETOO; '
export PS2=': ; '
EOF
for i in `env |grep -i proxy`; do echo "export $i" >>~juser/.bashrc; done

# Install a decent editor
emerge vim

# Setup sudo
emerge -k sudo
sed -i -e 's/^# \(%wheel\tALL=(ALL)\tALL\)$/\1/' /etc/sudoers
cat >>/etc/sudoers <<EOF
Defaults        !lecture,timestamp_timeout=60
EOF

# Setup Portage overlay (for ebuild development)
mkdir /usr/local/portage
chown root:root /usr/local/portage
chmod 755 /usr/local/portage
cat >>/etc/make.conf <<EOF

## For ebuild development
#PORTDIR_OVERLAY=/usr/local/portage
#ACCEPT_KEYWORDS='~x86 ~amd64 ~sparc ~ppc ~alpha ~mips ~hppa ~ia64 ~ppc64'

## Debug options
#CFLAGS="-march=pentium4 -pipe -g"
#CXXFLAGS=""
#USE=" debug"
#FEATURES=" nostrip keeptemp keepwork noclean"
EOF

# Leave jail
umount /mnt/cdrom
exit

# Create virgin image
cd
sudo umount ~/faketoo/dev
sudo umount ~/faketoo/proc
sudo tar cvjpf ~/faketoo.tbz2 faketoo

And here is a script that can be used to enter the jail:

faketoo.sh

Code: Select all

#!/bin/bash
# ==========================================================
# faketoo.sh: Enter the Faketoo jail
#
# Version: 1.0.1
#
# Changelog:
#   1.0.1
#     - Fixing the erroneous $HOME environment variable for root
#   1.0.0
#     - Initial revision
# ==========================================================

if [ $UID -ne 0 ]; then

  echo You must be root!
  exit 1

fi # if (not root)

# Are /dev and /proc mounted inside the jail?
mounted=`mount`

# Mount /dev if it is not already
echo "${mounted}" | grep $HOME/faketoo/dev &>/dev/null
if [ $? -ne 0 ]; then

  echo mount -o bind -t devfs /dev $HOME/faketoo/dev
  mount -o bind -t devfs /dev $HOME/faketoo/dev

fi # if (mounting /dev)

# Mount /proc if it is not already
echo "${mounted}" | grep $HOME/faketoo/proc &>/dev/null
if [ $? -ne 0 ]; then

  echo mount -t proc none $HOME/faketoo/proc
  mount -t proc none $HOME/faketoo/proc

fi # if (mounting /proc)

# Mount /usr/portage if it is not already
echo "${mounted}" | grep $HOME/faketoo/usr/portage &>/dev/null
if [ $? -ne 0 ]; then

  echo mount -o bind /usr/portage $HOME/faketoo/usr/portage
  mount -o bind /usr/portage $HOME/faketoo/usr/portage

fi # if (mounting /usr/portage)

# Enter the jail
HOME=/root chroot ~/faketoo /bin/bash

[bmichaelsen]

How do you think about posting this to the
http://gentoo-wiki.com/
... things get lost in the gentoo forums way too fast ...

[jmglov]

How do you think about posting this to the
http://gentoo-wiki.com/
... things get lost in the gentoo forums way too fast ...

http://gentoo-wiki.com/TIP_Faketoo

OK, twist my arm! ;)

[jjasghar]

I just finished setting up a "fake" Gentoo installation inside a chroot jail. Seems to work pretty well for development, I can experiment with no fear of sodding up my actual workstation. In case anyone is interested, here is my "Captain's Log" that details the commands that I ran to build my "Faketoo" instance.

i guess i must be slow...but this creates a "fake" workstation?
why would you want to do this?

[PowerFactor]

why would you want to do this?

Like he said, for testing stuff that could screw up the system. It's kinda like a "lightweight" usermode linux. But not quite.

[jj11888]

i guess i must be slow...but this creates a "fake" workstation?
why would you want to do this?

To test various configurations and packages


but why would this be any better then using UML?

[jamesrt]

why would you want to do this?

but why would this be any better then using UML?

UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience).

I have used a very similar technique to "clone" my live gentoo system into a chroot jail - I use LVM2 to grab and release the disk space on-the-fly. (I've got a large script, too long to post unless people are really keen)

I use this to do things like compile latest QT & KDE packages when not wanting to break my "real" desktop. Using "emerge -b" means binary packages are created, which I can then "emerge -k" onto my "real" machine once the full build is complete.

[arkane]

i guess i must be slow...but this creates a "fake" workstation?
why would you want to do this?

To test various configurations and packages


but why would this be any better then using UML?

Not better, just different. UML is for testing kernel interaction and such. chrooting is to isolate the filesystem. The kernel space is still in the same kernel.

[BudgetDedicated]

Why not use a real usermode kernel as well... UML is very suitable for this job (see http://user-mode-linux.sf.net/ for more info).

This wil only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected... or emerging incompatible GCC versions... I can imagine this could raise hell on a production system. Would never dare try it...

If you want an extra chroot for the UML kernel that's possible too (bind mount /proc/cpuinfo, /proc/mm, /dev/net/tun and preferably /tmp to tmpfs). But that's if you don't trust the UML kernel enough AND maybe don't trust the users inside.

Your script is very suitable for creating a UML root filesystem, though. Juist loop mount a freshly create filesystem...

Code: Select all

dd if=/dev/zero of=./root_fs seek=5K count=0 bs=1M
mkreiserfs -f root_fs
mount -o loop root_fs mnt/fakegentoo/

[edit]typo[/edit]

[jmglov]

Why not use a real usermode kernel as well... UML is very suitable for this job (see http://user-mode-linux.sf.net/ for more info).

As noted above, my primary motivation for this is for ebuild testing. Yes, UML or VMware would also work, but a simple chroot jail is much more lightweight than both of them, and much more free as in beer than VMware.

This wil only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected...

Agreed, the init scripts are problematic. See my Danger Will Robinson note above. I am looking for a work-around, maybe taking the

Code: Select all

chmod a-x /etc/init.d/*

would be a start. Another (better) idea would be to make /etc/init.d (inside the jail) a loopback filesystem and mount it with the 'noexec' option. I will try this out when I have some time and report back.

or emerging incompatible GCC versions...

And how would these GCC versions break out of jail?

I can imagine this could raise hell on a production system. Would never dare try it...

I do not really consider my workstation a "production" machine, and the worst thing that can happen is a spurious reboot (which is undesirable, but not fatal, and hopefully I will have a solution for this before long). I consider this safe enough for my needs.

[jmglov]

This wil only be dangerous to experiment in for real... one wrong /etc/init.d/net.eth0 start from within the chrooted gentoo and you may be disconnected...

Agreed, the init scripts are problematic. See my Danger Will Robinson note above. I am looking for a work-around, maybe taking the

Code: Select all

chmod a-x /etc/init.d/*

would be a start. Another (better) idea would be to make /etc/init.d (inside the jail) a loopback filesystem and mount it with the 'noexec' option. I will try this out when I have some time and report back.

Yes, mounting /etc/init.d loop,noexec works. As you can see, I updated the Captain's Log to do this for safety's sake.

I will look into getting init scripts to actually work safely, but this will at least protect you in the time being.

[FarcePest]

I've done this myself. All you need to start is some stage tarball. Unpack it in your filesystem. Then cd to that directory and run this:

Code: Select all

#!/bin/bash -x
binds="/proc /dev /usr/portage /usr/local/portage /tmp"
for b in ${binds}; do mount --bind ${b} .${b}; done
env - TERM=${TERM} chroot . su -
for b in ${binds}; do umount .${b}; done

I never run init scripts while in the chroot. I used this primarily for developing an NFS read-only root system: The filesystem was NFS-mounted.

[rich0]

FYI - Many people use a similar technique with AMD64 as a temporary fix for stubborn 32-bit-only apps. My solution isn't too involved - I created a new root directory and installed an x86 stage1 tarball in it. I then do a mount --bind to map a few key key directories (/tmp for X11, /home for user files, /usr/portage/distfiles to go easy on the mirrors), but for the most part it is a complete installation. You do want to mount --bind /tmp otherwise you have to use TCP sockets for X apps and performance is much lower. Then again, for testing purposes it should be fine not to mount it - in the AMD world the 32-bit chroot is actually used for production.

I even use some init.d scripts to run daemons which are stubborn in the 64-bit world, and Java apps (the JVM's are pretty unstable in 64-bit-land, or at least they are for me...).

Check out the AMD forums for some tips - the same techniques would work for a 32-bit chroot jail.

Also, if you're back in the 2.4 world the grsecurity patches provide additional protection for chroot environments I believe (from my casual reading they seem to come close to real user-mode-linux).

[polto]

Grsecurity on your host kernel (nothing to have with UML) can deny disk mounting/unmounting from your chroot jail, some TCP/IP staff restrictions and more.

Grsecurity is easy to build in gentoo's kernel to only protect a jail. Not comparable to try to build a workstation with PAX or SElinux...

[zioponics]

UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience).

I was wondering, if glibc with PIC enabled on the host, can brake my UML??
Sometimes my UML die unexpectedly...


PS for POLTO: Try to build a DMZ with three different UMLs with SELinux I'm doing just that
Thanks to you POLTO, you made me discover Gentoo as you gave me the LPI101 courses.!!! Do you know who I am???

[hadees]

replay to bookmark

[gralves]

There's another use for this....

Imagine you have a dual optron workstation. And a 486 laptop how would you install a custoimized gentoo on the laptop? chroot it's harddrive on the workstation, compile everything and then just swap the hd...

[AllTom]

There's another use for this....

Imagine you have a dual optron workstation. And a 486 laptop how would you install a custoimized gentoo on the laptop? chroot it's harddrive on the workstation, compile everything and then just swap the hd...

I was going to say that I have used this method twice now to install an operating system onto computers that don't have CD-ROM drives, but can boot from floppy disks.

I create the chroot and basically follow the handbook for every step after chrooting into /mnt/gentoo. I can emerge and configure packages (but haven't dared running init scripts there) on my fast machine without setting up distcc or anything. Then I start an FTP server, share a zipped version of the filesystem, boot the client machine with a floppy that has wget, tar, and preferably bzip2. On the target machine I mount the partitions in the correct places and unload it all to the root partition, preserving permissions and such.

Actually, that is one of my favorite features of this operating system: I can install the whole thing on a completely isolated computer before copying!

[zdawg]

Thanks for the guide, followed up to mkreiserfs -f ...etc. ;seems I have run into a snag though:

Code: Select all

/root/faketoo/loopbacks/etc-init.d is not a block special device
Continue (y/n):y
Guessing about desired format.. Kernel 2.6.9-zdawg-rc3 is running.
reiserfs_create: can not create that small (1 blocks) filesystem

Hmmm ...

[pfplawes]

...in the same hole this AM and dug my way out by increasing the size of the file being created by dd and specifying a small reiser block size ....

Code: Select all

dd if=/dev/zero of=~/faketoo/loopbacks/etc-init.d seek=10249K count=16 bs=1
mkreiserfs -b 512 -ff ~/faketoo/loopbacks/etc-init.d

Though I must admit I am not sure what this loopbacked file is giving me except a headache....

[Strowi]

hi,

i was just gonna try it out, when i saw jamesrt's post:

UML doesn't work (kernel won't compile, or just coredumps when run) if you have glibc compiled with NPTL support (he says, speaking from experience).

Is there no way to get it working with NPTL?

Thx in advance...

[lothar]

Is it possible to have different network settings in the chroot jail? Can I have one ip and gateway in the usual shell and a different ip and gateway in the chroot jail?

[zrubi]

Is it possible to have different network settings in the chroot jail? Can I have one ip and gateway in the usual shell and a different ip and gateway in the chroot jail?

I don't think so. These network settings are in the proc/sys filesystem and it can't be different. These settings are around the kernel wich is the same in the main system and a chroot jail.

The chroot jail is only a separated filesystem. So every settings wich lives in the filesystem level can be different only.

[rey4]

There's a similar howto posted at http://kapcoweb.com/p/static/docs/jc-ge ... howto.html on running gentoo in a chroot within another distro (redhat). The process is very much the same. Plus it seems to have init scripts working.

[whitesouls]

guys..hold on a second...wat is faketoo?
wat's the purpose...i'm lost...please guide me in this wonderful world of gentoo...