How to Use chroot for Testing on Ubuntu
The Linux chroot command enables you to run applications or shells within a separate, secure environment. Because a chroot environment is walled off from the rest of your system, it can be an ideal space for testing. This guide discusses the primary use cases for chroot and shows you how to create your own chroot environment.
Before You Begin
Familiarize yourself with our Getting Started with Linode guide and complete the steps for setting your Linode’s hostname and timezone.
This guide uses sudo wherever possible. Complete the sections of our How to Secure Your Server guide to create a standard user account, harden SSH access, and remove unnecessary network services.
Update your system:
sudo apt update && sudo apt upgrade
Replace all instances of example-user in this guide with the username of the limited Linux user you are using to execute the commands in this guide.
Note: The steps in this guide are written for non-root users. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, see the Linux Users and Groups guide.
What is chroot?
The chroot command allows you to create a separate environment for running processes in isolation. The command creates a distinct file system with its own root directory that is completely walled off from access to the rest of your system. For this reason, the chroot environment is often referred to as chroot jail.
What is chroot Jail?
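As described above, the chroot command creates an isolated environment, known as chroot jail. Processes running in this environment have a distinct root directory and file system. These processes are prevented from accessing anything on the system outside of the chroot jail. Note that the restriction is a file system one: the processes still share the host's kernel, network, and process list, and chroot is not designed to contain a process that runs as root inside the jail.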
To create a chroot jail, you create a directory to act as the root for your chroot environment. Then, you add the programs and system components you need to run any processes you intend to test in the chroot environment.
When you run the chroot command against the directory you created, you can then use it as its own functioning system. The directory you created acts as the root directory, so anything operating inside of it is restricted to the chroot directory.
The chroot environment gives you a clean and separate space for running processes. It ensures that anything running in chroot jail is not affected by the primary file system. Similarly, the chroot jail cannot affect the primary file system.
What is the Purpose of a chroot Jail?
The primary reason for creating a chroot environment is to test processes in isolation. There are two main scenarios in which you may want to test in isolation:
- The first scenario is to test an untrusted application. Running it in chroot jail allows you to run the application without allowing it to access the rest of your file system.
- Another reason is to test an application, command, or series of commands in a secluded environment. With a chroot environment, you guarantee that the processes or commands run in a clean and easily reproducible file system.
When to Use chroot
Use chroot when you have an application or a shell process that you may not trust. Keeping any processes you are unsure of in chroot jail allows you to test them out prior to running them on your system.
You may be thinking chroot sounds like a virtual machine, and you would be right. However, chroot has the advantage of being much lighter and easier to set up than a virtual machine. You can quickly install a minimal OS in a chroot environment to test small processes, commands, or compile packages.
How to Use chroot
The following sections show you how to set up and start using chroot environments on your Ubuntu system.
Create a Test Environment
To create a chroot environment for testing, this guide has you install a minimal Debian or Ubuntu distribution in the chroot directory. Doing so gives you a full operating system in your chroot environment, where you can install programs and run processes in an isolated space.
Create a directory for your chroot environment. In this guide, a chroot-jail directory is created in the user’s home directory.
mkdir ~/chroot-jail
At this point, you need to install the system files to be used in the chroot environment. You can do so easily with the debootstrap tool, which you can install using your system’s package manager:
sudo apt install debootstrap
Use debootstrap to install the desired Debian or Ubuntu distribution to your chroot directory. This guide uses Ubuntu 20.04 (Focal).
sudo debootstrap focal ~/chroot-jail
Alternatively, you can install a different Ubuntu release, or a Debian release. The example below installs Debian 10 Buster:
sudo debootstrap buster ~/chroot-jail
Run Bash through chroot to verify the environment setup.
sudo chroot ~/chroot-jail /bin/bash
root@localhost:/#
You can even use the ls command to confirm that things in the chroot environment only have access to the chroot directory.
Exit the chroot environment’s Bash shell.
exit
Configure the Test Environment
This section shows some basics for setting up a chroot environment for testing. You are likely to need additional steps to set up the environment for your specific testing scenarios. However, these basics are meant to cover commonly needed configurations regardless of the testing scenario.
Run Bash in the chroot environment, as shown in the section above, and create a limited user using the command below. The example-user username used in this example needs to match the limited user you are using to access the chroot environment.
adduser example-user
If you require your user to have sudo access for chroot testing, use the following command to give that access to the user.
adduser example-user sudo
Depending on the Debian or Ubuntu distribution you installed, you may have to install sudo from the package manager.
apt install sudo
This may also be a good time to install any other programs you need for your testing purposes.
Exit the chroot environment’s shell.
exit
Bind-mount the host directories shown below onto their respective chroot directories. This allows you to use sudo as your limited user in the chroot environment. The same mounts expose the host's devices, kernel interfaces, and process information inside the chroot, which matters if you run untrusted code there:
sudo mount --bind /proc ~/chroot-jail/proc/
sudo mount --bind /sys ~/chroot-jail/sys/
sudo mount --bind /dev ~/chroot-jail/dev/
Install and Configure schroot
The schroot tool allows you to use a chroot environment as a limited user, rather than as root. If you are familiar with dchroot, schroot replaces it as the standard tool for working with chroot environments.
Install schroot.
sudo apt install schroot
Open the schroot configuration file, /etc/schroot/schroot.conf, and add a configuration for your chroot environment.
The file comes with several configuration examples. The file below is a simple example used for this guide.
File: /etc/schroot/schroot.conf
[...]

[focal-env]
description=Ubuntu Focal
directory=/home/example-user/chroot-jail
users=example-user
groups=sbuild
root-groups=root
aliases=focal

[...]
Access the chroot environment through schroot.
schroot -c focal
You are now logged into the chroot environment as your limited user. There, you can run programs and commands and install packages just as you would on a usual operating system.
Exit and Remove a chroot Environment
To exit the chroot environment, simply use the exit command. This takes you out of the chroot shell and back to the main Linux system’s shell.
Once you are done with your tests, you may be ready to remove the environment altogether. You can achieve this with the following steps.
Unmount each of the directories you mounted previously.
sudo umount ~/chroot-jail/dev
sudo umount ~/chroot-jail/sys
sudo umount ~/chroot-jail/proc
Delete the chroot directory along with its contents.
sudo rm -R ~/chroot-jail
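Added example (not part of the original guide; the function names and the sample mount table are constructed for illustration): rm -R follows a bind mount into the host directory behind it, so deleting the chroot directory while /dev is still mounted would delete the host's device nodes. The script below reads the kernel's mount table and refuses to remove the directory until nothing is mounted beneath it.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# mounts_under JAIL [MOUNTINFO]: print every mount point at or below JAIL,
# deepest first (the order to unmount in). Field 5 of mountinfo is the
# mount point; the kernel writes spaces in it as \040.
mounts_under() {
    awk -v jail="${1%/}" '{
        mp = $5
        gsub(/\\040/, " ", mp)
        # Match the jail itself or a path below it, not a sibling such as
        # "chroot-jail2" that merely shares the prefix.
        if (mp == jail || index(mp, jail "/") == 1) print mp
    }' "${2:-/proc/self/mountinfo}" | LC_ALL=C sort -r
}

# safe_remove JAIL [MOUNTINFO]: delete JAIL only if nothing is mounted under
# it. Returns 1 and prints the umount commands still needed otherwise.
safe_remove() {
    jail=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1" >&2; return 2; }
    left=$(mounts_under "$jail" "${2:-/proc/self/mountinfo}")
    if [ -n "$left" ]; then
        echo "refusing to remove $jail, still mounted:" >&2
        printf '%s\n' "$left" | sed 's/^/  sudo umount /' >&2
        return 1
    fi
    # --one-file-system (GNU rm) skips anything on another file system.
    rm -R --one-file-system -- "$jail"
}

# Constructed mountinfo sample: the guide's three bind mounts plus a sibling.
sample_mountinfo() {
    cat <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
90 25 0:5 / /home/example-user/chroot-jail/dev rw,nosuid shared:2 - devtmpfs udev rw
91 25 0:21 / /home/example-user/chroot-jail/sys rw,nosuid shared:7 - sysfs sysfs rw
92 25 0:22 / /home/example-user/chroot-jail/proc rw,nosuid shared:13 - proc proc rw
93 25 0:22 / /home/example-user/chroot-jail2/proc rw,nosuid shared:13 - proc proc rw
EOF
}

sample=$(mktemp)
sample_mountinfo > "$sample"
mounts_under /home/example-user/chroot-jail "$sample"
rm -f "$sample"
```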
This page was originally published on