[ale] Using a namespace to manage a chroot.
Jim Kinney
jim.kinney at gmail.com
Sun May 9 19:05:49 EDT 2021
Wow. Really cool stuff. Jchroot looks like a way to solve some real bozo uses of containers and perhaps a non-cgroup way of isolating processes for HPC work.
Why still centos 5? Specific hardware issues with later stuff?
On May 9, 2021 4:47:50 PM EDT, Chris Fowler via Ale <ale at ale.org> wrote:
>For years I've been running SSH via chroot inside Linux installs on my
>workstation regardless of the version of Ubuntu the workstation
>currently runs. This allows me to upgrade my workstation, while still
>compiling code inside a CentOS distribution.
>
>At boot I'll do something like this to prepare each chroot.
>
>START_PORT=55
>for ii in CentOS-5-1 CentOS5-2 LFS-7.7; do
>  TEMPLATE="/opt/devel/${ii}"
>  # bind the host pseudo filesystems into this chroot
>  for iii in dev dev/pts proc sys; do
>    mount -o bind /${iii} ${TEMPLATE}/${iii}
>  done
>  # give each chroot's sshd its own port, then start it inside the chroot
>  sed -i 's#^Port 22.*$#Port '${START_PORT}'#g' ${TEMPLATE}/etc/ssh/sshd_config
>  chroot ${TEMPLATE} /etc/init.d/sshd start
>  START_PORT=$(( ${START_PORT} + 1 ))
>done
>
>After boot, my Ubuntu 18.04 workstation will be running 3 other
>distributions. I'll use SSH to access them as a regular user. Tmux
>automatically runs on first login, other logins will attach to that
>session.
>
>I am thinking I can use unshare to create a namespace and a control
>group attached to the SSHD start. On death of the SSHD, all processes
>would automatically be killed, and all mounts be unmounted. I'm not 100%
>sure how to change over to this. Docker is a no-go because
>containers are not designed to run a whole distro that requires
>persistent storage on its /. My workstation supports KVM and I
>considered this, but when I compile in these systems I need all the
>power the workstation can give in CPU and I/O.
>
>If I need to run 'ssh -D' in each one instead of the unshare, I could
>use daemon to do it. On the host, I could just use 'daemon
>--name=sshd-1 --stop' to tear down the chroot?
>
>I found this last night https://github.com/vincentbernat/jchroot
>
>It is interesting and works fine under a running 2.6.38 kernel.
>Creates mounts, runs /bin/bash, on exit the mounts do not exist. On
>4.15.0 it does not tear down the mounts on exit. I don't see any
>errors during strace either. I could use that as the program daemon
>runs to start the SSHD. daemon --name=devel-sshd01 -- /sbin/jchroot
>-f /opt/devel/CentOS-5-1/etc/fstab /opt/devel/CentOS-5-1
>/usr/sbin/sshd -D -p 55
>
>To tear it all up: daemon --name=devel-sshd01 --stop
>
>jchroot: a chroot with more isolation. Recent Linux kernels are now
>able to provide a new PID namespace to a newly created process. The
>process becomes PID 1 in its own namespace and all processes created in
>this namespace will be killed when the first process terminates.
--
Computers amplify human error
Super computers are really cool
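As an added example (not code from the thread and not jchroot's), this is one way the unshare idea Chris describes could look with util-linux unshare: each chroot's sshd runs as PID 1 of its own PID and mount namespace, so when it exits the kernel kills everything in that namespace and the private bind mounts disappear with it. The /opt/devel layout, the port base of 55 and the path of sshd inside the chroots are assumptions; mounting a fresh proc instead of binding the host's is a deliberate change so the chroot only sees its own namespace's processes.

```shell
#!/bin/sh
# Added example: one sshd per chroot, each as PID 1 of its own PID + mount
# namespace (util-linux unshare). When sshd exits, the kernel kills every
# process in that PID namespace and the private bind mounts disappear.
# Assumed layout: chroots under $CHROOT_BASE/<name>, ports counted from $START_PORT.
CHROOT_BASE=${CHROOT_BASE:-/opt/devel}
START_PORT=${START_PORT:-55}

# Port for the N-th chroot (N is 1-based), like the counter in the boot script.
port_for() {
    echo $(( START_PORT + $1 - 1 ))
}

# Script that runs as PID 1 inside the new namespaces: bind the host device and
# sysfs trees, mount a fresh proc (so the chroot sees only its own PIDs instead
# of the host's), set the port, then exec sshd in the foreground so sshd itself
# is PID 1. No single quotes here: the caller wraps the whole thing in them.
inner_script() {
    root=$1 port=$2
    cat <<EOF
set -e
for d in dev dev/pts sys; do mount --bind /\$d "$root/\$d"; done
mount -t proc proc "$root/proc"
sed -i "s#^Port .*#Port $port#" "$root/etc/ssh/sshd_config"
exec chroot "$root" /usr/sbin/sshd -D -p $port
EOF
}

# Host-side command for one chroot. --mount gives the bind mounts their own
# namespace, --propagation private stops them leaking back to the host, and
# --pid --fork makes the child PID 1 of a new PID namespace. Printed rather
# than run so it can be reviewed (or handed to a supervisor such as daemon).
build_cmd() {
    root="$CHROOT_BASE/$1"
    printf "unshare --fork --pid --mount --propagation private -- sh -c '%s'\n" \
        "$(inner_script "$root" "$2")"
}

# Usage (as root): sh namespaced-sshd.sh start CentOS-5-1 CentOS-5-2 LFS-7.7
if [ "$1" = start ]; then
    shift; n=1
    for name in "$@"; do
        eval "$(build_cmd "$name" "$(port_for "$n")")" &
        n=$(( n + 1 ))
    done
    wait
fi
```

Killing the sshd (for example via the supervisor that started it) is the whole teardown: nothing in the chroot outlives PID 1 of its namespace, and no umount loop is needed on the host.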