[ale] Using a namespace to manage a chroot.

Jim Kinney jim.kinney at gmail.com
Sun May 9 19:05:49 EDT 2021


Wow. Really cool stuff. Jchroot looks like a way to solve some real bozo uses of containers and perhaps a non-cgroup way of isolating processes for HPC work.

Why still centos 5? Specific hardware issues with later stuff?

On May 9, 2021 4:47:50 PM EDT, Chris Fowler via Ale <ale at ale.org> wrote:
>For years I've been running SSH via chroot inside Linux installs on my
>workstation regardless of the version of Ubuntu the workstation
>currently runs.  This allows me to upgrade my workstation, while still
>compiling code inside a CentOS distribution.
>
>At boot I'll do something like this to prepare each chroot.
>
>START_PORT=55;
>for ii in CentOS-5-1 CentOS5-2 LFS-7.7; do
>  TEMPLATE="/opt/devel/${ii}"
>  # bind the host's pseudo filesystems into this chroot
>  for iii in dev dev/pts proc sys; do
>    mount -o bind /${iii} ${TEMPLATE}/${iii}
>  done
>  # give this chroot's sshd its own port, then start it
>  sed -i 's#^Port 22.*$#Port '${START_PORT}'#g' ${TEMPLATE}/etc/ssh/sshd_config
>  chroot ${TEMPLATE} /etc/init.d/sshd start
>  START_PORT=$(( ${START_PORT} + 1 ))
>done
>
>After boot, my Ubuntu 18.04 workstation will be running 3 other
>distributions.  I'll use SSH to access them as a regular user.  Tmux
>automatically runs on first login; other logins will attach to that
>session.
>
>I am thinking I can use unshare to create a namespace and a control
>group attached to the SSHD start.  On death of the SSHD, all processes
>would automatically be killed, and all mounts be unmounted.  I'm not
>100% sure how to change over to this.  Docker is a no-go because
>containers are not designed to run a whole distro that requires
>persistent storage on its /.  My workstation supports KVM and I
>considered this, but when I compile in these systems I need all the
>power the workstation can give in CPU and I/O.
>
>If I need to run 'sshd -D' in each one instead of the unshare, I could
>use daemon to do it.  On the host, I could just use 'daemon
>--name=sshd-1 --stop' to tear down the chroot?
>
>I found this last night https://github.com/vincentbernat/jchroot
>
>It is interesting and works fine under a running 2.6.38 kernel.
>Creates mounts, runs /bin/bash, on exit the mounts do not exist.  On
>4.15.0 it does not tear down the mounts on exit.  I don't see any
>errors during strace either.  I could use that as the program daemon
>runs to start the sshd: daemon --name=devel-sshd01 -- /sbin/jchroot
>-f /opt/devel/CentOS-5-1/etc/fstab /opt/devel/CentOS-5-1
>/usr/sbin/sshd -D -p 55
>
>To tear it all up: daemon --name=devel-sshd01 --stop
>
>
>
>GitHub - vincentbernat/jchroot: a chroot with more isolation
><https://github.com/vincentbernat/jchroot>
>jchroot: a chroot with more isolation. Recent Linux kernels are now
>able to provide a new PID namespace to a newly created process. The
>process becomes PID 1 in its own namespace and all processes created in
>this namespace will be killed when the first process terminates.

-- 
Computers amplify human error
Super computers are really cool
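An added example of the unshare-based startup Chris is describing (this is not Chris's script and not jchroot's code). It assumes the /opt/devel/<name> layout from the post, util-linux 2.27 or newer for --propagation, and that it runs as root. Each chroot's sshd becomes PID 1 of its own PID namespace inside a private mount namespace, so when sshd dies the kernel kills the rest of the namespace and the mounts go with it; nothing has to be unmounted on the host.

```bash
#!/bin/bash
# Added example, not code from the post or from jchroot: one sshd per chroot,
# each inside its own PID and mount namespace created with util-linux
# unshare(1). When that sshd (PID 1 of its namespace) exits, the kernel kills
# everything else in the PID namespace and drops the mount namespace together
# with every mount made inside it, which is the teardown the post asks for.
# Assumptions: chroots live under /opt/devel/<name> as in the post, util-linux
# 2.27 or newer (for --propagation), and the script is run as root.
set -eu

DEVEL_ROOT=${DEVEL_ROOT:-/opt/devel}
START_PORT=${START_PORT:-55}

# Port for the i-th chroot (0-based), counting up from START_PORT.
port_for_index() {
    echo $(( START_PORT + $1 ))
}

# Shell snippet that runs as the first process in the new namespaces. It sets
# up the pseudo filesystems and then execs chroot+sshd, so sshd itself becomes
# PID 1 there. /proc is mounted fresh rather than bind-mounted from the host so
# that inside the chroot it shows the namespace's PIDs; dev, dev/pts and sys
# are bind-mounted from the host, as in the post.
ns_init_script() {
    local root=$1 port=$2
    cat <<EOF
set -e
for d in dev dev/pts sys; do mount --bind "/\$d" "$root/\$d"; done
mount -t proc proc "$root/proc"
exec chroot "$root" /usr/sbin/sshd -D -p $port
EOF
}

# Start one chroot's sshd. --propagation private keeps the new mount
# namespace's mounts out of the host's mount tree: on a systemd host / is a
# shared mount, so without it the bind mounts made in the new namespace would
# propagate back to the host and outlive the namespace. --pid needs --fork
# because a process cannot move itself into a new PID namespace; only its
# children land there.
start_chroot_sshd() {
    local name=$1 port=$2 root="$DEVEL_ROOT/$1"
    [ -d "$root" ] || { echo "no such chroot: $root" >&2; return 1; }
    unshare --mount --pid --fork --propagation private \
        /bin/sh -c "$(ns_init_script "$root" "$port")" &
    echo $!   # host PID of the unshare wrapper; keep it for stop_chroot_sshd
}

# Stop one chroot: SIGTERM the wrapper's child, i.e. the namespace's PID 1
# (sshd). The kernel then kills the rest of the namespace and the private
# mounts vanish; there is nothing to umount on the host.
stop_chroot_sshd() {
    local wrapper=$1
    pkill -TERM -P "$wrapper"
}

# The privileged part only runs when invoked as "start"; running the file
# with no argument just defines the functions above.
if [ "${1:-}" = start ]; then
    i=0
    for name in CentOS-5-1 CentOS-5-2 LFS-7.7; do
        start_chroot_sshd "$name" "$(port_for_index "$i")"
        i=$((i + 1))
    done
    wait
fi
```

To pair this with daemon(1) as in the post, hand daemon the unshare command line instead of the jchroot one. One caveat: 'daemon --stop' signals the unshare wrapper, and only util-linux 2.32 or newer has a --kill-child option that takes the child down with it (Ubuntu 18.04's 2.31 does not), which is why stop_chroot_sshd targets the wrapper's child, the sshd, directly. Two checks worth running while the chroots are up: 'findmnt | grep /opt/devel' on the host should print nothing, and 'readlink /proc/<sshd pid>/ns/mnt' should differ from 'readlink /proc/self/ns/mnt'. If the bind mounts do show up in the host's findmnt, they were made in a shared mount tree and will survive the namespace, which is the symptom described for 4.15; whether that is what jchroot is hitting there, the post does not say.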

