
This document is part of the System Administration Wiki.

We decided to use a chroot because it's handy. Disk space is cheap nowadays (cheaper than your time), and you can make a backup of the chroot directory before trying changes so that you can roll back to the previous version if an update goes wrong.

We will use the latest stable release of Debian GNU/Linux as our guest OS. You don't need to be running Debian as your host OS. Note that a chroot is not as secure as a virtual server; for example, the /proc filesystem is shared with the host.

  1. Authors and license
  2. Prepare the environment
  3. Download the root filesystem
  4. Configure the chroot
  5. Commands to configure the chroot
    1. Configure a SSH server
  6. References

Authors and license

This guide was initially written by Nelson Castillo.

Please help us improve it and add yourself to the credits.

Copyright © 2007. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2.

Prepare the environment

You need to be root to perform this step. First, create the directory that you will use for the chroot. We will refer to it as $CHROOTDIR.

  mkdir /mnt/emqbit1/oe-chroot
  export CHROOTDIR=/mnt/emqbit1/oe-chroot

Now install debootstrap. If you are using Debian or a derivative distribution, run aptitude install debootstrap. Otherwise download the debootstrap sources and compile them. You might want to get it installed in the default location.

Download the root filesystem

We used the i386 architecture. You might want to use another one, such as amd64, ia64 or powerpc. The latest stable release to date is etch.

  debootstrap --arch i386 etch $CHROOTDIR http://ftp.us.debian.org/debian

This is what the output should look like:

I: Retrieving Release
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://ftp.us.debian.org/debian...
I: Retrieving adduser
I: Validating adduser
I: Retrieving apt
I: Validating apt
 
(lots of output)
 
I: Configuring tasksel-data...
I: Configuring sysklogd...
I: Configuring tasksel...
I: Base system installed successfully.

It will take a while, depending on your bandwidth and your processor. It took about 15 minutes on our server.

Once we get the unconfigured Debian rootfs in $CHROOTDIR we need to configure it.

Configure the chroot

First, on the host, mount the /proc and devpts filesystems inside the chroot directory.

  mount -t proc proc $CHROOTDIR/proc
  mount -t devpts devpts $CHROOTDIR/dev/pts # Don't worry if this doesn't work for you.

You might want to unmount these filesystems when you no longer need the chroot environment. You should also unmount them when making backups, or exclude $CHROOTDIR/dev/pts and $CHROOTDIR/proc from your backups.
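A check for the advice above, as an added example that is not part of the original guide: it lists what is still mounted under the chroot directory so that a backup, rollback or delete does not descend into the host's /proc. The function names and the sample mounts table are constructed for illustration, and reading /proc/mounts assumes a Linux host.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Constructed sample in /proc/mounts format (not real system output).
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw 0 0
/dev/sdb1 /mnt/emqbit1 ext3 rw 0 0
proc /mnt/emqbit1/oe-chroot/proc proc rw 0 0
devpts /mnt/emqbit1/oe-chroot/dev/pts devpts rw 0 0
proc /mnt/emqbit1/oe-chroot-old/proc proc rw 0 0
EOF
}

# mounts_under DIR [TABLE]
# Print every mount point at or below DIR, deepest first (umount order).
# TABLE defaults to /proc/mounts (assumes Linux); "-" reads standard input.
mounts_under() {
    dir=${1%/}
    awk -v dir="$dir" '
        {
            mp = $2
            # The kernel writes spaces and tabs in paths as octal escapes.
            gsub(/\\040/, " ", mp)
            gsub(/\\011/, "\t", mp)
            # Match DIR itself or a path below it, never a sibling such as
            # DIR-old that only shares the prefix.
            if (mp == dir || index(mp, dir "/") == 1) print mp
        }' "${2:-/proc/mounts}" | LC_ALL=C sort -r
}

# safe_to_copy DIR [TABLE]
# Succeed only when nothing is mounted under DIR, so that cp -a, tar or
# rm -rf on DIR cannot descend into the host's /proc or devpts.
safe_to_copy() {
    [ -z "$(mounts_under "$1" "${2:-/proc/mounts}")" ]
}

# Demo on the constructed table: prints the two mounts that must go first.
sample_mounts | mounts_under /mnt/emqbit1/oe-chroot -
```

On the host, `safe_to_copy "$CHROOTDIR" || mounts_under "$CHROOTDIR"` shows what to unmount before copying or removing the directory.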

Now let's chroot. Note that we will configure it to allow SSH connections. We also change the prompt in the chroot so that we don't confuse it with our host. It's a good habit. You will use the following command whenever you need to access the chroot directly (not with SSH).

 chroot "$CHROOTDIR" /bin/bash --login
 export PS1="CHROOT:\w# "

From now on, all the commands should be run inside of the chroot, unless specified otherwise.

Commands to configure the chroot

You only run them once.

 cd /dev; /sbin/MAKEDEV generic; cd -

Configure the package repository. Edit the file /etc/apt/sources.list using vim or nano. We left ours like this:

deb http://ftp.us.debian.org/debian etch main contrib
deb http://security.debian.org/ etch/updates main contrib

Then run:

# aptitude update

This is the expected output:

Get:1 http://ftp.us.debian.org etch Release.gpg [378B]
Get:2 http://security.debian.org etch/updates Release.gpg [189B]
Hit http://ftp.us.debian.org etch Release          
Get:3 http://security.debian.org etch/updates Release [22.5kB]
Ign http://ftp.us.debian.org etch/main Packages/DiffIndex
Get:4 http://ftp.us.debian.org etch/contrib Packages [72.6kB]
Get:5 http://security.debian.org etch/updates/main Packages [135kB]
Hit http://ftp.us.debian.org etch/main Packages                           
Get:6 http://security.debian.org etch/updates/contrib Packages [20B]
Fetched 230kB in 4s (50.5kB/s)
Reading package lists... Done

Now let's install the locales. We generated the following locales and used the first one as the default locale (en_US).

 aptitude install locales
 dpkg-reconfigure locales

If it went well, executing "echo | perl" should print no output.

Now you can install a good editor such as emacs or vim.

aptitude install vim

Configure a SSH server

We will also install an SSH server, which will allow us to log in and run GNU screen. You might prefer to do something else to log into the chroot system.

  aptitude install openssh-server

You will have to edit /etc/ssh/sshd_config and change it to suit your needs. We edited it to allow only local logins and left the other lines intact:

# What ports, IPs and protocols we listen for
Port 2200
ListenAddress 127.0.0.1
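
One way to confirm that the edited file really restricts sshd to local logins, as an added example that is not part of the original guide. The function name and sample input are constructed; treating the name localhost as loopback is an assumption about the chroot's /etc/hosts. A file with no ListenAddress line is reported as exposed, because sshd then listens on all local addresses.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# listen_scope FILE
# Print "loopback" and return 0 when every ListenAddress in the sshd_config
# FILE is a loopback address. Otherwise print "exposed: ..." and return 1.
# A file with no ListenAddress counts as exposed, because sshd then listens
# on all local addresses. FILE may be "-" to read standard input.
listen_scope() {
    awk '
        { sub(/#.*/, "") }                    # strip comments
        tolower($1) == "listenaddress" {      # keywords are case-insensitive
            addr = $2
            n++
            if (addr ~ /^\[/) {               # [host]:port
                sub(/^\[/, "", addr)
                sub(/\].*$/, "", addr)
            } else if (gsub(/:/, ":", addr) == 1) {
                sub(/:.*$/, "", addr)         # host:port (one colon only)
            }
            # Assumption: "localhost" resolves to loopback in the chroot.
            if (addr !~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
                addr != "::1" && tolower(addr) != "localhost")
                bad = bad " " addr
        }
        END {
            if (n == 0)    { print "exposed: no ListenAddress set"; exit 1 }
            if (bad != "") { print "exposed:" bad; exit 1 }
            print "loopback"
        }' "$1"
}

# Demo on a constructed file holding the lines shown in the guide.
printf '%s\n' '# What ports, IPs and protocols we listen for' \
    'Port 2200' 'ListenAddress 127.0.0.1' | listen_scope -
```

From the host, point it at the guest's file with `listen_scope "$CHROOTDIR/etc/ssh/sshd_config"`.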

Now you can start the SSH server inside the chroot.

 /etc/init.d/ssh start
 #change the root password

 CHROOT:~# passwd 
 Enter new UNIX password: 
 Retype new UNIX password: 
 passwd: password updated successfully

We advise you to set PS1 (your shell prompt) to something meaningful so that you don't confuse your chrooted environment with your host.

And now you can try to log in from the host.

$ ssh localhost -l root -p 2200
root@localhost's password: 
Last login: Wed Aug  8 06:32:10 2007 from 127.0.0.1
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
OECHROOT:~# 

If you want to initialize the chroot at boot so that you can ssh, you can do it like this:

On the host machine, create a file /etc/init.d/chroot-ssh-init.sh (the initialization process might be a little different in your distribution). The idea is to have the system boot scripts start the chrooted SSH server for us.

In Debian, the default run-level is 2. So, we added the following contents to the file /etc/init.d/chroot-ssh-init.sh:

 #!/bin/sh
 # Runs on the host: mount the guest's filesystems, then start its sshd.
 export CHROOTDIR=/mnt/emqbit1/oe-chroot # change
 mount -t devpts devpts "$CHROOTDIR/dev/pts"
 mount -t proc proc "$CHROOTDIR/proc"
 chroot "$CHROOTDIR" /etc/init.d/ssh start

Then test the script:

 /etc/init.d/chroot-ssh-init.sh 
 Starting OpenBSD Secure Shell server: sshd.

It should start the SSH server in the guest installation. Note that we could also have used telnet if we only allow connections from 127.0.0.1, but having an SSH server allows us to scale later if we want to access the chroot from another location, perhaps using an unprivileged account.

Now we make it permanent, so that the script is run whenever we boot. (Note that the following instructions are Debian-specific.)

 ln -s  /etc/init.d/chroot-ssh-init.sh /etc/rc2.d/S99chroot-oe-ss

References

Last update: 2008-05-21 (Rev 14122)
