[ale] Using a namespace to manage a chroot.

Chris Fowler cfowler at outpostsentinel.com
Sun May 9 16:47:50 EDT 2021


For years I've been running SSH via chroot inside Linux installs on my workstation regardless of the version of Ubuntu the workstation currently runs.  This allows me to upgrade my workstation, while still compiling code inside a CentOS distribution.

At boot I'll do something like this to prepare each chroot.

START_PORT=55
for ii in CentOS-5-1 CentOS5-2 LFS-7.7; do
  TEMPLATE="/opt/devel/${ii}"
  # Bind the host's dev, dev/pts, proc and sys trees into this chroot.
  for iii in dev dev/pts proc sys; do
    mount -o bind /${iii} ${TEMPLATE}/${iii}
  done
  # Give this chroot's sshd its own port (match whatever Port is currently set,
  # not only "Port 22", so re-running after the first boot still works), then
  # start sshd once per chroot rather than once per mount.
  sed -i 's#^Port .*$#Port '${START_PORT}'#g' ${TEMPLATE}/etc/ssh/sshd_config
  chroot ${TEMPLATE} /etc/init.d/sshd start
  START_PORT=$(( START_PORT + 1 ))
done

After boot, my Ubuntu 18.04 workstation will be running 3 other distributions. I'll use SSH to access them as a regular user. Tmux automatically runs on first login; other logins will attach to that session.

I am thinking I can use unshare to create a namespace and a control group attached to the SSHD start. On death of the SSHD, all processes would automatically be killed, and all mounts be unmounted. I'm not 100% sure how to change over to this. Docker is a no-go because containers are not designed to run a whole distro that requires persistent storage on its /. My workstation supports KVM and I considered this, but when I compile in these systems I need all the power the workstation can give in CPU and I/O.

If I need to run 'sshd -D' in each one instead of unshare, I could use daemon to do it. On the host, I could just use 'daemon --name=sshd-1 --stop' to tear down the chroot?

I found this last night: https://github.com/vincentbernat/jchroot

It is interesting and works fine under a running 2.6.38 kernel. It creates the mounts, runs /bin/bash, and on exit the mounts no longer exist. On 4.15.0 it does not tear down the mounts on exit. I don't see any errors during strace either. I could use that as the program daemon runs to start the SSHD:

daemon --name=devel-sshd01 -- /sbin/jchroot -f /opt/devel/CentOS-5-1/etc/fstab /opt/devel/CentOS-5-1 /usr/sbin/sshd -D -p 55

To tear it all down: daemon --name=devel-sshd01 --stop
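The unshare-based setup the message asks about, written out as an added example; this is not code from the original post and not jchroot's code. It starts each chroot's sshd as PID 1 of its own PID and mount namespaces, so that when sshd exits the kernel kills everything else in the PID namespace and the bind mounts, which exist only in the private mount namespace, vanish with the last process. Assumptions of this example: a full distro tree under /opt/devel/<name> as in the post, util-linux unshare(1) and procps pkill on the host, running as root; the pidfile location /run/devel-sshd-<name>.pid and the check_chroot_tree helper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or jchroot): one sshd per chroot,
# each as PID 1 of its own PID + mount namespace created by unshare(1).
# Assumes /opt/devel/<name> holds a full distro tree, util-linux unshare(1)
# and procps pkill are installed, and the script runs as root.

ROOT_BASE=/opt/devel
START_PORT=55
PIDDIR=/run   # pidfile location is this example's own choice

# Port for the Nth chroot (0-based): 55, 56, 57, ... like the post's loop.
chroot_port() {
    echo $(( START_PORT + $1 ))
}

# Sanity-check a chroot tree before mounting into it: every mount point plus
# the sshd binary and config must exist. Returns 0 if complete, 1 otherwise.
check_chroot_tree() {
    root=$1
    for p in dev dev/pts proc sys etc/ssh/sshd_config usr/sbin/sshd; do
        [ -e "$root/$p" ] || { echo "missing: $root/$p" >&2; return 1; }
    done
    return 0
}

# Start sshd for one chroot inside fresh mount + PID namespaces.
start_chroot() {
    name=$1 port=$2
    root="$ROOT_BASE/$name"
    check_chroot_tree "$root" || return 1
    # --mount: private mount namespace; unshare makes / rprivate first, so the
    #          bind mounts below never appear in the host's mount table.
    # --pid --fork: the forked child becomes PID 1 of a new PID namespace.
    unshare --mount --pid --fork sh -c '
        root=$1 port=$2
        mount --bind /dev     "$root/dev"
        mount --bind /dev/pts "$root/dev/pts"
        mount -t proc proc    "$root/proc"   # a proc for the NEW pid namespace
        mount --bind /sys     "$root/sys"
        # exec so sshd itself is PID 1; -D keeps it in the foreground and -p
        # sets the port without editing sshd_config as the boot script does.
        exec chroot "$root" /usr/sbin/sshd -D -p "$port"
    ' sh "$root" "$port" &
    echo $! > "$PIDDIR/devel-sshd-$name.pid"   # pid of the unshare wrapper
}

# Tear one chroot down: SIGTERM the namespace's PID 1, i.e. the child of the
# recorded unshare process. sshd installs a SIGTERM handler, so the signal is
# delivered to it even though it is init of its namespace; once it exits the
# kernel SIGKILLs the remaining processes and the mount namespace goes away.
stop_chroot() {
    name=$1
    pidfile="$PIDDIR/devel-sshd-$name.pid"
    [ -r "$pidfile" ] || return 1
    pkill -TERM -P "$(cat "$pidfile")"
    rm -f "$pidfile"
}

# Usage: devel-chroots.sh start|stop   (no argument: only define the functions)
case "${1:-}" in
start)
    i=0
    for name in CentOS-5-1 CentOS5-2 LFS-7.7; do
        start_chroot "$name" "$(chroot_port "$i")"
        i=$(( i + 1 ))
    done ;;
stop)
    for name in CentOS-5-1 CentOS5-2 LFS-7.7; do stop_chroot "$name"; done ;;
esac
```

Two differences from the boot loop in the post are deliberate: /proc is mounted fresh inside the new PID namespace instead of bind-mounting the host's, so processes in the chroot only see their own namespace, and the port is passed with -p rather than rewritten into sshd_config, so the chroot's own files are never modified at boot.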





